Product Documentation

Gateway Connector

Web apps support and Gateway Connector support is currently under technical preview release.

Gateway Connector is a Citrix component which serves as a channel of communication between Cloud Services (Citrix Gateway service, MAS etc.) and on-premise components such as Web Servers. It is a virtual appliance compatible with Citrix Hypervisor VMware ESXi, and Microsoft Hyper-V with a small form factor. Gateway connector facilitates remote access to Web apps.

Set-up resource location and install Gateway Connector using Citrix Cloud user interface

The following are the steps to set-up a resource location and install Gateway Connector using Citrix Cloud user interface:

  1. On top left of the Citrix Cloud screen, click the hamburger icon and select Resource Locations. Click the plus icon next to Resource Locations.

    localized image

  2. Provide a name for the resource location and click Save.

    localized image

  3. Click on the plus icon next to Gateway Connectors under the newly created resource location.

    localized image

  4. Select the hypervisor and click Download Image. Import the locally downloaded image to your hypervisor and create a new virtual machine (NetScaler Connector).

    localized image

  5. Click Get Activation Code.

    localized image

  6. The activation code is generated as follows.

    localized image

  7. Now look for the following message on the newly installed VM (NetScaler Connector). Type the mentioned URL in a browser to access the Gateway Connector user interface.

    localized image

  8. The username and password for the following screen is “administrator” for the first time user.

    localized image

  9. Change the Password by providing a password of your choice in Set administrator password section and click Continue.

    localized image

  10. Enter the following configuration details in System settings section and click Continue.
    • Connector IP Address – IP address of connector.
    • Subnet Mask – Subnet mask of the connector IP address.
    • Default Gateway – IP address of Default Gateway.
    • DNS Server – IP address DNS Server.
    • Proxy IP – Your internal proxy server IP address.
    • Proxy Port - Port of the proxy server.

      localized image

  11. In the Single sign on section, check Enable Kerberos Single Sign On for capabilities beyond basic authentication. Enter the following Kerberos configuration details and click Continue.
    • Active Directory Domain – Active Directory domain for the users to be granted access.
    • Service Account Name – Delegated username for authentication.
    • Service Account Password – Delegated password for Service Account.

      localized image

  12. Finally enter the activation code generated in step 6 to register the connector with Citrix Cloud and click Save and Finish.

    localized image

  13. Installed Gateway Connector dashboard appears as follows.

    localized image

Set-up resource location and download Gateway Connector while adding Web app

While adding Web app using the Citrix Gateway service user interface, you can setup a new resource location and download connectors. To setup a resource location and download connectors, perform the following steps:

  1. In the Web app connectivity section, select the Create New radio button. Provide a name for the resource location and click Save.

    localized image

  2. Click Install Gateway Connector.

    localized image

  3. Select the required hypervisor from the Hypervisor drop-down menu, click Download Image.

    localized image

  4. Click Get Activation Code.

    localized image

  5. The activation code is generated as follows.

    localized image

  6. To install the connector, follow steps 7 to 12 in the above section named Setup resource location and install Gateway Connector using Citrix Cloud user interface.

Gateway Connector communication

Gateway Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. All communication between the Gateway Connector and Citrix Cloud are outbound. All connections are established from the Gateway Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted. TCP port 443, with the following FQDNs are permitted out-bound:

  • *.nssvc.net
  • *.netscalermgmt.net
  • *.citrixworkspacesapi.net
  • *.cloud.com

Gateway Connector availability

For continuous availability, install multiple Gateway Connectors in each of your resource locations. Citrix recommends at least two (2) Gateway Connectors in each resource location. If one Gateway Connector is unavailable for any period of time, the other Gateway Connectors can maintain the connection. As long as there is one Gateway Connector available, there will be no loss in communication with Citrix Cloud. Gateway Connectors can be restricted to upgrade during a specified maintenance window every 24 hour, controlled per Resource Location.

Load management

Manage load by installing multiple Gateway Connectors in each resource location. Since each Gateway Connector is stateless, the load can be distributed across all available Gateway Connectors. There is no need to configure this load balancing function. It is completely automated.

Support for Gateway Connector

As long as you ensure continuous availability of the Gateway Connector in each resource location, you can manage the machines where they are installed one at a time to avoid outage periods.

System requirements

Gateway Connector is a virtual appliance. The VM specification must have at least:

  • 3 vCPU (The appliance will fail to boot with less than 2 vCPU). A maximum of 6 vCPU can be installed. 4 GB memory per vCPU is recommended for optimum performance.

  • 6 GB RAM

  • 1 Network Adapter (virtual NIC). You can add an additional virtual NIC upon requirement.

  • Firewall:

    • UDP port 53 to DNS server
    • (optional1) TCP&UDP port 389 to Active Directory Domain Controllers
    • (optional1) TCP port 636 to Active Directory Domain Controllers
    • (optional1) TCP port 3268 to Active Directory Domain Controllers
    • (optional1) TCP port 3269 to Active Directory Domain Controllers
    • TCP port 443, with the following FQDNs are permitted out-bound:
      • *.nssvc.net
      • *.netscalermgmt.net
      • *.citrixworkspacesapi.net
      • *.cloud.com
    • TCP ports2 to Web Servers accessed via Gateway Connector
    • Port 8443 open in-bound for web-based management

Recommended: Network with DHCP enabled to simplify initial configuration.

1 Required to perform domain-based single sign-on to web applications

2 Ports determined by the customers environment – ports 80 and 443 are typical