Creating Policies with the Quick Configuration Wizard

You can configure settings in NetScaler Gateway to enable communication with App Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. When you complete the configuration, the wizard creates the correct policies for communication between NetScaler Gateway and App Controller, StoreFront, or the Web Interface. These policies include authentication, session, and clientless access policies. When the wizard completes, the policies are bound to the virtual server that the wizard creates.

When you complete the Quick Configuration wizard, NetScaler Gateway can communicate with App Controller or StoreFront, and users can access their Windows-based applications and virtual desktops and web, SaaS, and mobile apps. Users can then connect directly to App Controller.

During the wizard, you configure the following settings:

  • Virtual server name, IP address, and port
  • Redirection from an unsecure to a secure port
  • Certificates
  • LDAP server
  • RADIUS server
  • Client certificate for authentication (only for two-factor authentication)
  • App Controller, StoreFront, or Web Interface

You can configure certificates for NetScaler Gateway in the Quick Configuration wizard by using the following methods:

  • Select a certificate that is installed on the appliance.
  • Install a certificate and private key.
  • Select a test certificate. Note: If you use a test certificate, you must add the fully qualified domain name (FQDN) that is in the certificate.

The Quick Configuration wizard supports LDAP, RADIUS, and client certificate authentication. You can configure two-factor authentication in the wizard by following these guidelines:

  • If you select LDAP as your primary authentication type, you can configure RADIUS as the secondary authentication type.
  • If you select RADIUS as your primary authentication type, you can configure LDAP as the secondary authentication type.
  • If you select client certificates as your primary authentication type, you can configure LDAP or RADIUS as the secondary authentication type.

You can configure only one LDAP authentication policy by using the Quick Configuration wizard. The wizard does not allow you to configure multiple LDAP authentication policies. If you run the wizard more than once and want to use a different LDAP policy, you must configure the additional policies manually. For example, you might want to configure one policy that uses sAMAccountName in the Server Logon Name Attribute field and a second LDAP policy that uses the User Principal Name (UPN) in the Server Logon Name Attribute field. To configure these separate policies, use the configuration utility to create the authentication policies. For more information about configuring NetScaler Gateway to authenticate user access with one or more LDAP servers, see Configuring LDAP Authentication.

When you create a virtual server by using the Quick Configuration wizard, if you want to remove the virtual server at a later time, Citrix recommends removing it by using the Home tab. When you use this method to remove the virtual server, the policies and profiles configured through the wizard are removed. If you remove the virtual server by using the Configuration tab, the policies and profiles are not removed. The wizard does not remove the following items:

  • The certificate key pair created during the wizard is not removed, even if the certificate is not bound to a virtual server.
  • The LDAP authentication policy and profile remain if the policy is bound to another virtual server. NetScaler Gateway removes the LDAP policy only if the policy is not bound to any virtual server.

The following tables describe the policies and profiles that the Quick Configuration wizard creates. As described in the tables, the policies and profiles that are configured depend on how users connect: with the NetScaler Gateway Plug-in, Citrix Receiver, or Worx Home. The policies that are enforced depend on the XenMobile Universal or Platform license that is used when users connect. When you purchased NetScaler Gateway, you also purchased a set number of Universal licenses; for example, 100. If users connect with the NetScaler Gateway Plug-in, the session uses one Universal license. If users connect with Receiver to access Windows-based applications or XenDesktop, the session uses the Platform license. If users connect from a mobile device by using micro VPN and connect with Worx Home, or start apps such as WorxMail or WorxWeb, the session uses a Universal license.

Session Policies, Expressions, and Profiles for the Universal License

The Quick Configuration wizard creates the following session policies and expressions that are enforced when the session uses the Universal license.

| Policy type | Expression |
|---|---|
| Session - Worx Home or Receiver | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS |
| Session - Receiver for Web | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver |
| Session - NetScaler Gateway | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS |

The following table shows the session profile settings that the Quick Configuration wizard creates for each session policy type in the preceding table. The first column describes where to find the profile setting or the tab in the session profile in the configuration utility.

The StoreFront URL you enter depends on how users connect. If users connect by using Receiver for Web or by using a web browser, you use the URL form https://SF-FQDN/Citrix/StoreWeb. If users connect by using Receiver on Windows, Mac, or mobile devices, you use the URL form https://SF-FQDN/Citrix/Store.

| Profile location | Profile setting | Receiver | Receiver for Web | NetScaler Gateway |
|---|---|---|---|---|
| Resources > Intranet Applications | Transparent interception | N/A | Off | On |
| Session > Client Experience tab | Clientless access | On | On | Off |
| Session > Published Applications tab | ICA Proxy | Off | Off | Off |
| Session > Client Experience tab | Single sign-on to Web applications | On | On | On |
| Session > Published Applications tab | Single sign-on domain | App Controller StoreWeb URL | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session > Published Applications tab | Web Interface Address | App Controller StoreWeb URL | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session > Published Applications tab | Account Services Address | StoreFront URL | N/A | StoreFront URL |
| Session > Client Experience tab | Split Tunnel | Off | N/A | Off |
| Session > Client Experience tab | Clientless Access URL Encoding | Clear | N/A | Clear |
| Session > Client Experience tab | Home Page | N/A | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session > Client Experience tab > Advanced Settings > General tab | Client Choices | Off | Off | Off |
| Session > Security tab | Default Authorization Action | Allow | Allow | Allow |
| Session > Client Experience tab | Session Time-out (mins) | 24 hours | N/A | N/A |
| Session > Client Experience tab | Client Idle Time-out (mins) | (0) disabled | N/A | N/A |
| Session > Network Configuration tab > Advanced Settings | Forced Time-out (mins) | 24 hours | N/A | N/A |

Clientless Access Profile Settings for the Universal License

The Quick Configuration wizard creates the following clientless access profile settings for the Universal license:

  • Configure Domains for Clientless Access to allow access. Configures the pattern set ns_cvpn_default_inet_domains with the App Controller FQDN. For example, ns_cvpn_default_inet_domainsAppController_domain_com
  • App Controller URL. Configures the pattern set ns_cvpn_default_inet_domains with the App Controller FQDN. For example, ns_cvpn_default_inet_domainsAppController_domain_com
  • ShareFile. Allows for up to five bindings. Configures the pattern set ns_cvpn_default_inet_domains with the App Controller FQDN. For example, ns_cvpn_default_inet_domainsAppController_domain_com

Clientless Access Settings and Rules for the Universal License

The following table lists the clientless access policy settings that are enforced when the session uses the Universal license.

| Policy name | Rule | Profile | URL rewrite label | Javascript rewrite label | Pattern set | Comments |
|---|---|---|---|---|---|---|
| CLT_LESS_VIP | Receiver_NoRewrite | NO_RW_VIP | Default | Default | Default | Receiver_NoRewrite |
| CLT_LESS_RF_VIP | True | ST_WB_RW_VIP | ns_cvpn_default_inet_url_label | Default | STORE_WEB_COOKIES<VIP> | RfWeb_Rewrite |

The pattern set STORE_WEB_COOKIES for Receiver for Web appends the NetScaler Gateway virtual IP address to the name, as shown in the next figure:

Figure 1. Pattern Set for Receiver for Web (image: cookie pattern set)

Session Policies, Rules, and Profiles for the Platform License

The Platform license with NetScaler Gateway allows for an unlimited number of ICA connections to Windows-based applications and desktops hosted by XenApp and XenDesktop. The following tables show the session rules and session policy settings for users who connect with Citrix Receiver.

| Policy type | Rule |
|---|---|
| Session - Operating System and NetScaler Gateway | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS |
| Session - Receiver for Web | ns_true |

| Profile location | Profile setting | Operating system/NetScaler Gateway | Web |
|---|---|---|---|
| Resources > Intranet Applications | Transparent interception | N/A | Off |
| Session > Client Experience tab | Clientless Access | Off | Off |
| Session > Published Applications tab | ICA Proxy | On | On |
| Session > Client Experience tab | Single Sign-on to Web Applications | On | On |
| Session > Published Applications tab | Single Sign-on Domain | Set | Set |
| Session > Published Applications tab | Web Interface Address | config.xml if Web Interface; StoreFront URL with StoreWeb | StoreFront URL |
| Session > Published Applications tab | Account Services Address | StoreFront URL with StoreWeb | N/A |
| Session > Client Experience tab | Split Tunnel | Off | N/A |
| Session > Client Experience tab | Clientless Access URL Encoding | N/A | N/A |
| Session > Client Experience tab | Home Page | N/A | N/A |
| Session > Client Experience tab > Advanced Settings > General tab | Client Choices | Off | Off |
| Session > Security tab | Default Authorization Action | Allow | Allow |
| Session > Client Experience tab | Session Time-out (mins) | N/A | N/A |
| Session > Client Experience tab | Client Idle Time-out (mins) | N/A | N/A |
| Session > Network Configuration tab > Advanced Settings | Forced Time-out (mins) | N/A | N/A |
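As an added example (not part of Citrix's documentation or product code), the following Python models the session policy expressions from the Universal and Platform license tables above and evaluates them against constructed request headers. It shows that profile selection is driven entirely by client-supplied headers, that a Receiver request without the X-Citrix-Gateway header matches none of the Universal license policies, and that a browser request without a Referer matches two of them, so policy priority decides which profile applies. The header names, sample values, and case-sensitive substring matching are assumptions of this example.

```python
# Added example (not Citrix code): evaluate the wizard's session policy
# expressions against constructed request headers.
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]
Policy = Tuple[str, Callable[[Headers], bool]]

def _hdr(h: Headers, name: str) -> str:
    # HTTP header names are case-insensitive; return "" when absent.
    for k, v in h.items():
        if k.lower() == name.lower():
            return v
    return ""

def _exists(h: Headers, name: str) -> bool:
    return any(k.lower() == name.lower() for k in h)

# Universal license session policies, in the order the table lists them.
# CONTAINS is modelled as a case-sensitive substring test (assumption).
UNIVERSAL_POLICIES: List[Policy] = [
    ("Session - Worx Home or Receiver",
     lambda h: "CitrixReceiver" in _hdr(h, "User-Agent") and _exists(h, "X-Citrix-Gateway")),
    ("Session - Receiver for Web",
     lambda h: "CitrixReceiver" not in _hdr(h, "User-Agent")),
    ("Session - NetScaler Gateway",
     lambda h: "CitrixReceiver" not in _hdr(h, "User-Agent") and not _exists(h, "Referer")),
]

# Platform license session policies; ns_true always matches.
PLATFORM_POLICIES: List[Policy] = [
    ("Session - Operating System and NetScaler Gateway",
     lambda h: "CitrixReceiver" in _hdr(h, "User-Agent") and not _exists(h, "Referer")),
    ("Session - Receiver for Web", lambda h: True),
]

def matching_policies(headers: Headers, policies: List[Policy]) -> List[str]:
    """Names of every policy whose expression is true for this request."""
    return [name for name, expr in policies if expr(headers)]

# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, Headers] = {
    "receiver_with_gateway_header": {"User-Agent": "CitrixReceiver/4.0", "X-Citrix-Gateway": "vpn.example.com"},
    "receiver_without_gateway_header": {"User-Agent": "CitrixReceiver/4.0"},
    "browser_direct": {"User-Agent": "Mozilla/5.0"},
    "browser_with_referer": {"User-Agent": "Mozilla/5.0", "Referer": "https://sf.example.com/Citrix/StoreWeb/"},
}

if __name__ == "__main__":
    for label, h in SAMPLES.items():
        print(label, "->", matching_policies(h, UNIVERSAL_POLICIES), "|", matching_policies(h, PLATFORM_POLICIES))
```

An empty result for a request means no session policy bound by the wizard selects a profile for it, and a multi-element result means the bound policies' priorities decide; both cases are worth checking in the policy hit counters after a wizard run.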