Unified Gateway FAQ
**What is Unified Gateway?**
Unified Gateway is a new feature in the NetScaler 11.0 release, providing the ability to receive traffic on a single virtual server (called a Unified Gateway virtual server) and then internally direct that traffic, as appropriate, to virtual servers that are bound to the Unified Gateway virtual server.
The Unified Gateway feature allows end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). Administrators can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.
Each Unified Gateway virtual server can front-end one NetScaler Gateway virtual server along with zero or more load balancing virtual servers as part of a formation. Unified Gateway works by leveraging the content switching feature of the NetScaler appliance.
Some examples of Unified Gateway deployments:
- Unified Gateway Virtual server -> [one NetScaler Gateway virtual server]
- Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, one load balancing virtual server]
- Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, two load balancing virtual servers]
- Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, three load balancing virtual servers]
Each of the load balancing virtual servers can be any standard load balancing virtual server that hosts a backend service, such as Microsoft Exchange or Citrix ShareFile.
**Why use Unified Gateway?**
The Unified Gateway feature enables end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). For administrators, the advantage is that they can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.
**Can there be more than one Unified Gateway virtual server?**
Yes. There can be as many Unified Gateway virtual servers as you need.
**Why is content switching needed for Unified Gateway?**
The content switching feature is required because the content switching virtual server is the one that receives traffic and internally directs it to the appropriate virtual server. The content switching virtual server is the primary component of the Unified Gateway feature.
**In releases previous to 11.0, content switching can be used to receive traffic for multiple virtual servers. Is that use also called Unified Gateway?**
Use of a content switching virtual server for receiving traffic for multiple virtual servers is supported in releases earlier than 11.0. However, content switching could not direct traffic to a NetScaler Gateway virtual server.
The enhancements in 11.0 enable a content switching virtual server to direct traffic to any virtual server, including a NetScaler Gateway virtual server.
**What has changed with content switching policies in Unified Gateway?**
1. A new command line parameter “-targetVserver” is added for the content switching action. The new parameter is used to specify the target NetScaler Gateway virtual server. Example:
> add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
In the NetScaler Gateway configuration utility, the content switching action has a new option, Target Virtual Server, which can reference a NetScaler Gateway virtual server.
2. A new advanced policy expression, is_vpn_url, can be used to match NetScaler Gateway and authentication-specific requests.
**What NetScaler Gateway features are not currently supported in Unified Gateway?**
All features are supported in Unified Gateway. However, a minor issue (issue ID 544325) has been reported with native logon through the VPN plugin. In this case, seamless single sign-on (SSO) does not work.
**With Unified Gateway, what is the behavior of EPA scans?**
With Unified Gateway, endpoint analysis is triggered only for NetScaler Gateway access methods, not for AAA-TM access. If a user tries to access a AAA-TM virtual server even though the authentication is done on the NetScaler Gateway virtual server, the EPA scan is not triggered. However, if the user is trying to gain clientless VPN/Full VPN access, the configured EPA scan is triggered. In that case, either authentication or seamless SSO is done.
**What are the license requirements for Unified Gateway?**
Unified Gateway is supported only for Enterprise and Platinum licenses. It will not be available for NetScaler Gateway only or Standard license editions.
**Does the NetScaler Gateway virtual server used with Unified Gateway need an IP/Port/SSL configuration?**
For a NetScaler Gateway virtual server used with a Unified Gateway virtual server, an IP/Port/SSL configuration is not needed on the NetScaler Gateway virtual server. However, for RDP proxy functionality you can bind the same SSL/TLS server certificate to the NetScaler Gateway virtual server.
**Do I need to re-provision SSL/TLS certificates that are on NetScaler Gateway virtual server for use with a Unified Gateway virtual server?**
You do not need to re-provision certificates that are currently bound to your NetScaler Gateway virtual server. You are free to reuse any existing SSL certificate(s) and to bind those to the Unified Gateway virtual server.
**What is the difference between a single URL and a multi-host deployment? Which one do I need?**
Single URL refers to the ability of the Unified Gateway virtual server to handle traffic for one fully qualified domain name (FQDN). This restriction exists when Unified Gateway uses an SSL/TLS server certificate that has the certificate subject populated with the FQDN. For example: ug.citrix.com
If, however, Unified Gateway is using a wildcard server certificate, it can handle traffic for multiple sub-domains. For example: *.citrix.com
Another option is an SSL/TLS configuration with Server Name Indication (SNI) functionality to allow binding of multiple SSL/TLS server certificates. Examples: auth.citrix.com, auth.citrix.de, auth.citrix.co.uk, auth.citrix.co.jp
Single host versus multiple hosts is analogous to the way websites are typically hosted on a webserver (for example Apache HTTP server or Microsoft Internet Information Services (IIS)). If there is a single host, you can use site path to switch traffic the same way you use alias or “virtual directory” in Apache. If there are multiple hosts, you use a host header to switch traffic similarly to the way you use Virtual Hosts in Apache.
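As an added example (not from the original FAQ or Citrix's own documentation), the following NetScaler CLI commands build one Unified Gateway formation and show a single-URL (site path) switching rule next to a multi-host (Host header plus SNI) rule on the same content switching virtual server. All names, addresses, FQDNs, certificate files and the LDAP_Pol policy are assumed placeholders; the `#` lines are explanatory comments.

```nscli
# Constructed example: one Unified Gateway formation (names, IPs, FQDNs and
# certificate files are placeholders, not values from the FAQ).
# --- 1. The addressable front end: the content switching vserver with its cert ---
add ssl certKey ug_cert -cert ug_citrix_com.crt -key ug_citrix_com.key
add cs vserver UG_VS SSL 203.0.113.10 443
bind ssl vserver UG_VS -certkeyName ug_cert

# --- 2. The NetScaler Gateway vserver behind it: non-addressable (0.0.0.0, port 0) ---
# It needs no IP/port/certificate of its own; authentication policies stay bound here.
add vpn vserver UG_VPN_MyUG SSL 0.0.0.0 0
bind vpn vserver UG_VPN_MyUG -policy LDAP_Pol -priority 100

# --- 3. Send Gateway and authentication requests to the Gateway vserver (11.0 feature) ---
add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
add cs policy UG_CSPOL_MyUG -rule "is_vpn_url" -action UG_CSACT_MyUG
bind cs vserver UG_VS -policyName UG_CSPOL_MyUG -priority 100

# --- 4a. Single URL: one FQDN (ug.citrix.com), so switch on the site path ---
add lb vserver LB_OWA SSL 0.0.0.0 0
add cs action CSACT_OWA -targetLBVserver LB_OWA
add cs policy CSPOL_OWA -rule 'HTTP.REQ.URL.PATH.STARTSWITH("/owa")' -action CSACT_OWA
bind cs vserver UG_VS -policyName CSPOL_OWA -priority 110

# --- 4b. Multi-host: a second FQDN on the same IP, so switch on the Host header ---
# SNI lets a second server certificate sit beside ug_cert on UG_VS.
add ssl certKey files_cert -cert files_citrix_com.crt -key files_citrix_com.key
set ssl vserver UG_VS -SNIEnable ENABLED
bind ssl vserver UG_VS -certkeyName files_cert -SNICert
add lb vserver LB_ShareFile SSL 0.0.0.0 0
add cs action CSACT_ShareFile -targetLBVserver LB_ShareFile
add cs policy CSPOL_ShareFile -rule 'HTTP.REQ.HOSTNAME.EQ("files.citrix.com")' -action CSACT_ShareFile
bind cs vserver UG_VS -policyName CSPOL_ShareFile -priority 120
```

The is_vpn_url policy is bound at the lowest priority number so that logon, EPA and plugin requests reach the Gateway vserver before any application rule is evaluated.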
**What authentication mechanisms can be used with Unified Gateway?**
All existing authentication mechanisms that work with NetScaler Gateway work with Unified Gateway.
These include LDAP, RADIUS, SAML, Kerberos, Certificate based Authentication, and so on.
Whatever authentication mechanism is configured on the NetScaler Gateway virtual server before the upgrade is used automatically when the NetScaler Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to the NetScaler Gateway virtual server.
**What is "SelfAuth" Authentication?**
SelfAuth is not an authentication type per se. SelfAuth describes how a URL is created. A new command line parameter, ssotype, is available for VPN URL configuration. Example:
> add vpn url RGB RGB "http://blue.citrix.lab/" -vServerName Blue -ssotype selfauth
SelfAuth is one of the values of the ssotype parameter. This type of URL can be used to access resources that are not in the same domain as the Unified Gateway virtual server. The setting can be seen in the configuration utility when configuring a Bookmark.
**What is "StepUp" Authentication?**
When additional, more secure levels of authentication are required for accessing a AAA-TM resource, you can use StepUp authentication. On the command line, use an authnProfile command to set the authenticationLevel parameter. Example:
> add authentication authnProfile AuthProfile -authnVsName AAATMVserver -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100
This authentication profile is bound to the load balancing virtual server.
**Is StepUp authentication supported for AAA-TM virtual servers?**
Yes, it is supported.
**What is login once/logout once?**
Login Once: VPN users log in once to either a AAA-TM or a NetScaler Gateway virtual server. From then on, VPN users have seamless access to all the Enterprise/Cloud/Web Applications. The user need not be reauthenticated. However, reauthentication is done for special cases, such as AAA-TM StepUp.
Logout Once: After the first AAA-TM or NetScaler Gateway session is created, it is used to create subsequent AAA-TM or NetScaler Gateway sessions for that user. If any of those sessions are logged out, the NetScaler appliance also logs out the user’s other applications or sessions.
**Can common authentication policies be specified at the Unified Gateway level, with AAA-TM load balancing virtual server-specific authentication bound at the load balancing virtual server level? What are the configuration steps to support this use case?**
If you need to specify separate authentication policies for a AAA-TM virtual server behind Unified Gateway, you will need to have a separate, independently addressable authentication virtual server (similar to an ordinary AAA-TM configuration). The authentication host setting on the load balancing virtual server has to point to this authentication virtual server.
**How do you configure Unified Gateway so that bound AAA-TM virtual server(s) have their own authentication policies?**
In this scenario, the load balancing server must have the authentication FQDN option set to point to the AAA-TM virtual server. The AAA-TM virtual server must have an independent IP address and be reachable from NetScaler and clients.
**Is a AAA-TM Authentication Virtual server required for authenticating users coming through a Unified Gateway virtual server?**
No. The NetScaler Gateway virtual server will authenticate even the AAA-TM users.
**Where do you specify NetScaler Gateway Authentication policies—at the Unified Gateway virtual server or at the NetScaler Gateway virtual server?**
Authentication policies are to be bound to the NetScaler Gateway virtual server.
**How do you enable authentication on AAA-TM Virtual servers behind a Unified Gateway content switching virtual server?**
Enable authentication on AAA-TM and point the authentication host to the Unified Gateway content switching FQDN.
**How do I add TM Virtual servers behind content switching (single URL vs. multi-host)?**
There is no difference between adding AAA-TM virtual servers for a single URL and adding them for multiple hosts. In either case, the virtual server is added as a target in a content switching action. The difference between single URL and multi-host is implemented by content switching policy rules.
**What happens to authentication policies bound to a AAA-TM load balancing virtual server if that virtual server is moved behind a Unified Gateway virtual server?**
Authentication policies are bound to the authentication virtual server, and the authentication virtual server is bound to the load balancing virtual server. For the Unified Gateway virtual server, Citrix recommends having the NetScaler Gateway virtual server as the single authentication point, which negates the need to perform authentication on an authentication virtual server (or even the need for a specific authentication virtual server). Pointing the authentication host to the Unified Gateway virtual server FQDN ensures that authentication is done by the NetScaler Gateway virtual server. If you point the authentication host to content switching for Unified Gateway and still have an authentication virtual server bound, the authentication policies bound to the authentication virtual server are ignored. However, if you point an authentication host to an independently addressable authentication virtual server, the bound authentication policies take effect.
**How do you configure session policies for AAA-TM sessions?**
If, in Unified Gateway, no authentication virtual server is specified for the AAA-TM virtual server, the AAA-TM sessions inherit the NetScaler Gateway session policies. If the authentication virtual server is specified, the AAA-TM session policies bound to that virtual server are applied.
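The two authentication models described in the answers above, as an added example (not from the original FAQ or Citrix documentation): in model A the load balancing virtual server's authentication host is the Unified Gateway FQDN, so the NetScaler Gateway virtual server authenticates the user and its session policies are inherited; in model B an independently addressable authentication virtual server carries its own policies, and an authnProfile on it provides StepUp. It assumes a formation with UG_VS and the FQDN ug.citrix.com already exists; all other names, addresses and policies (RADIUS_Pol, aaa_cert) are placeholders.

```nscli
# Constructed example; UG_VS / ug.citrix.com are assumed to exist, other names are placeholders.
# --- Model A: the Gateway vserver is the single authentication point ---
# Authentication is ON, but the host is the Unified Gateway FQDN, so logon is handled by
# the Gateway vserver's policies and the AAA-TM session inherits its session policies.
add lb vserver LB_OWA SSL 0.0.0.0 0 -Authentication ON -AuthenticationHost ug.citrix.com
# (LB_OWA is then targeted by a cs action on UG_VS exactly like any other LB vserver.)

# --- Model B: this app needs its own authentication policies ---
# The authentication vserver must have its own reachable IP and certificate; its
# bound policies are honoured only because the host below points at it, not at UG_VS.
add authentication vserver AAA_VS SSL 203.0.113.20 443
bind ssl vserver AAA_VS -certkeyName aaa_cert
bind authentication vserver AAA_VS -policy RADIUS_Pol -priority 100
add lb vserver LB_HR SSL 0.0.0.0 0 -Authentication ON -AuthenticationHost aaa.citrix.lab -authnVsName AAA_VS

# --- Model B + StepUp: a more sensitive app requires a higher authentication level ---
# A user already holding a lower-level session is re-authenticated at AAA_VS before LB_Finance.
add authentication authnProfile StepUp_Profile -authnVsName AAA_VS -AuthenticationHost aaa.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100
add lb vserver LB_Finance SSL 0.0.0.0 0 -Authentication ON
set lb vserver LB_Finance -authnProfile StepUp_Profile
```

For model B, aaa.citrix.lab must resolve (for clients and for the appliance) to the AAA_VS address, otherwise the redirect to the authentication virtual server never arrives.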
**What are the changes to NetScaler Gateway portal in NetScaler 11.0?**
In NetScaler releases earlier than 11.0, a single portal customization can be set up at the global level. Every gateway virtual server in a given NetScaler appliance uses the global portal customization.
In NetScaler 11.0, with the portal themes feature, you can set up multiple portal themes. Themes can be bound globally or to specific virtual servers.
**Does NetScaler 11.0 support NetScaler Gateway portal customization?**
Using the configuration utility, you can use the new portal themes feature to customize and create the new portal themes completely. You can upload different images, set color schemes, change text labels and so on.
The portal pages that can be customized are:
- Login Page
- Endpoint Analysis Page
- Endpoint Analysis Error Page
- Post Endpoint Analysis Page
- VPN Connection Page
- Portal Home Page
With this release, you can customize NetScaler Gateway virtual servers with unique portal designs.
**Are portal themes supported in NetScaler high availability or cluster deployments?**
Yes. Portal Themes are supported in NetScaler high availability and cluster deployments.
**Will my customizations be migrated as part of the NetScaler 11.0 upgrade process?**
No. Existing customizations to the NetScaler Gateway portal page that are invoked through rc.conf/rc.netscaler file modification or by using custom theme functionality in 10.1/10.5 will not be automatically migrated upon upgrade to NetScaler 11.0.
**Are there any pre-upgrade steps to follow to be ready for portal themes in NetScaler 11.0?**
Any existing customizations have to be removed from the rc.conf or rc.netscaler file(s).
The other option is that if custom themes are used, they have to be assigned the Default setting:
Navigate to Configuration > NetScaler Gateway > Global Settings
Click Change Global Settings. Click Client Experience and select Default from UI Theme drop-down list.
**I have customizations that are stored on the NetScaler instance, invoked by rc.conf or rc.netscaler. How do I move to portal themes?**
Citrix Knowledge Center article CTX126206 details such a configuration for NetScaler 9.3 and 10.0 releases up to 10.0 build 73.5001.e. Since NetScaler 10.0 build 10.0 73.5002.e (including 10.1 and 10.5), the UITHEME CUSTOM parameter has been available to help customers retain their customizations across reboots. If customizations are stored on the NetScaler hard drive and you would like to continue using these customizations, back up the 11.0 GUI files and insert them into the existing custom theme file. If you want to move to portal themes, you must first unset the UITHEME parameter in the Global Settings or the Session profile, under Client Experience. Or, you can set it to DEFAULT or GREENBUBBLE. Then you are able to start to create and bind a Portal Theme.
**How can I export my current customizations and save them before upgrading to NetScaler 11.0? Can I move the exported files to a different NetScaler appliance?**
The customized files that were uploaded to the ns_gui_custom folder are on the disk and persist across upgrades. However, these files might not be entirely compatible with the new NetScaler 11.0 kernel and other GUI files that are part of the kernel. Therefore, Citrix recommends backing up the 11.0 GUI files and customizing the backups.
Moreover, there is no utility in the configuration utility to export the ns_gui_custom folder to another NetScaler appliance. You have to use SSH or a file transfer utility such as WinSCP to take the files off of the NetScaler instance.
**Are portal themes supported for AAA-TM virtual servers?**
Yes. Portal Themes are supported for AAA-TM virtual servers.
**What changed in RDP Proxy for NetScaler Gateway 11.0?**
Many enhancements have been made to RDP Proxy since the NetScaler 10.5.e enhancement release. In NetScaler 11.0 this feature is available from the first released build.
The RDP Proxy feature in NetScaler 11.0 can be used only with Platinum and Enterprise editions. Citrix Concurrent User (CCU) licenses must be obtained for each user.
In NetScaler 10.5.e there was no command to enable RDP Proxy. In NetScaler 11.0, the enable command has been added:
> enable feature rdpproxy
The feature must be licensed to run this command.
Other RDP Proxy Changes
A Pre-shared Key (PSK) attribute on the server profile has been made mandatory.
To migrate existing NetScaler 10.5.e configurations for RDP proxy to NetScaler 11.0, the following details should be understood and addressed.
If an administrator wants to add an existing RDP proxy configuration to a chosen Unified Gateway deployment:
- The NetScaler Gateway virtual server’s IP address must be edited and set to a non-addressable IP address (0.0.0.0).
- Any SSL/TLS server certificates and authentication policies must be bound to the NetScaler Gateway virtual server that is part of the chosen Unified Gateway formation.
**How do you migrate a Remote Desktop Protocol (RDP) Proxy configuration based on NetScaler 10.5.e to NetScaler 11.0?**
Option 1: Keep the existing NetScaler Gateway virtual server with RDP Proxy configuration as is, with a Platinum or Enterprise license.
Option 2: Move the existing NetScaler Gateway virtual server with RDP Proxy configuration, placing it behind a Unified Gateway virtual server.
Option 3: Add a standalone NetScaler Gateway virtual server with RDP Proxy configuration to an existing Standard Edition appliance.
**How do you set up NetScaler Gateway for RDP proxy configuration using the NetScaler 11.0 release?**
There are two options for deploying RDP proxy using the NS 11.0 release:
1) Using an externally facing NetScaler Gateway virtual server. This requires one externally visible IP address/FQDN for the NetScaler Gateway virtual server. This option is what is available in NetScaler 10.5.e.
2) Using a Unified Gateway virtual server front-ending the NetScaler Gateway virtual server.
With Option 2 the NetScaler Gateway virtual server does not require its own IP address/FQDN, because it uses a non-addressable IP address (0.0.0.0).
Integrating with other Citrix Software
**Will HDX Insight work with Unified Gateway?**
When NetScaler Gateway is deployed with Unified Gateway, the NetScaler Gateway virtual server must have a valid SSL certificate bound to it, and it must be in an UP state in order to generate AppFlow records for NetScaler Insight Center for the purposes of HDX Insight reporting.
**How do I migrate my existing HDX Insight configuration?**
No migration is needed. AppFlow policies bound to a NetScaler Gateway virtual server carry over if that NetScaler Gateway virtual server is put behind a Unified Gateway virtual server.
For existing data in NetScaler Insight Center for the NetScaler Gateway virtual server, there are two possibilities:
- If the IP Address of the NetScaler Gateway virtual server is assigned to a Unified Gateway virtual server as part of migration to Unified Gateway, the data remains linked to the NetScaler Gateway virtual server.
- If the Unified Gateway virtual server is assigned a separate IP address, AppFlow data from the NetScaler Gateway virtual server will be linked to that new IP address. Therefore, existing data will not be part of new data.