Import a NetScaler Gateway

Remote access settings configured within the NetScaler administration console have to be identical to those configured in StoreFront. This article shows you how to import a NetScaler Gateway so that NetScaler and StoreFront are configured correctly to work together.

Requirements

  • NetScaler 11.1.51.21 or higher is required to export multiple gateway vServers to a ZIP file.

    Note:

    NetScaler can only export gateway vServers created using the XenApp and XenDesktop wizard.

  • It must be possible for DNS to resolve, and for StoreFront to contact, all STA (Secure Ticket Authority) server URLs in the GatewayConfig.json file within the ZIP file generated by NetScaler.
  • The GatewayConfig.json file within the ZIP file generated by NetScaler has to contain the URL of an existing Citrix Receiver for Web site on the StoreFront server. NetScaler 11.1 and higher takes care of this by contacting the StoreFront server and enumerating all existing stores and Citrix Receiver for Web sites before generating the ZIP file for export.
  • StoreFront must be able to resolve the callback URL in DNS to the gateway VPN vServer IP address for authentication using the imported gateway to succeed.

    The callback URL and port combination you use is usually the same as the gateway URL and port combination, as long as StoreFront can resolve this URL.

    or

    The callback URL and port combination may be different from the gateway URL and port combination if you use different external and internal DNS namespaces in your environment. If your gateway is located in a DMZ and uses an <example.com> URL, and StoreFront is on your private corporate network and uses an <example.local> URL, you may use an <example.local> callback URL to point back to the gateway vServer in the DMZ.

Import a NetScaler Gateway using the console

You can import one or multiple NetScaler Gateway appliances by importing a NetScaler configuration file.

Important:

Citrix does not support manual editing of the configuration file exported from NetScaler.

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage NetScaler Gateways.
  2. On the Manage NetScaler Gateways screen, click the imported from file link.

  3. Browse to the NetScaler Configuration ZIP file.

  4. A list of gateway vServers from the selected ZIP file is displayed. Select the gateway vServer you want to import and click Import. If you are repeating an import of a vServer, the Import button displays as Update. If you choose Update, you will have the option later to overwrite or create a new gateway.

  5. Review the logon type for the selected gateway and specify a callback URL if required. The logon type is the authentication method that you configured on the NetScaler Gateway appliance for Citrix Receiver users. Some logon types require callback URLs (see table).

    • Click Verify to check that the Callback URL is valid and reachable from the StoreFront server.

    Logon type in console                    LogonType in JSON file   Callback URL required
    ---------------------------------------  -----------------------  ---------------------
    Domain                                   Domain                   No
    Domain and security token                DomainAndRSA             No
    Security token                           RSA                      Yes
    Smart card - no fallback                 SmartCard                Yes
    Smart card - domain                      SmartCardDomain          Yes
    Smart card - domain and security token   SmartCardDomainAndRSA    Yes
    Smart card - security token              SmartCardRSA             Yes
    Smart card - SMS authentication          SmartCardSMS             Yes
    SMS authentication                       SMS                      Yes

    If a callback URL is required, StoreFront will autofill Callback URL based on the gateway URL found in the ZIP file. You can change this to any valid URL that points back to the NetScaler Gateway vServer IP.

    If you want to use Smart Access, a Callback URL is required.

  6. Click Next.

  7. StoreFront contacts all the STA (Secure Ticket Authority) server URLs listed in the ZIP file using DNS, and validates that they are functional STA ticketing servers. The import will not continue if one or more of the STA URLs is invalid.

  8. Click Next.

  9. Review the details of the import. If a gateway with the same gateway URL and port combination (Gateway:port) already exists, use the drop-down to select a gateway to overwrite it, or create a new gateway.

    StoreFront uses the GatewayURL:port combination to determine whether a gateway you are trying to import matches an existing gateway that you may wish to update. If a gateway has a different GatewayURL:port combination then StoreFront treats this as a new gateway. This table of gateway settings shows which settings you can update.

    Gateway Setting                            Can be updated
    -----------------------------------------  --------------
    Gateway URL:Port Combination               No
    GSLB URL                                   Yes
    NetScaler Trust Certificate & Thumbprint   Yes
    Callback URL                               Yes
    Receiver for Web Site URL                  Yes
    Gateway Address/VIP                        Yes
    STA URL and STA ID                         Yes
    All Logon Types                            Yes

  10. Click Import. If the StoreFront server is part of a server group, a message is displayed reminding you to propagate the imported gateway settings to the other servers in the group.

  11. Click Finish.

To import another vServer configuration, repeat the steps above.

Note:

The default gateway for a store is the gateway that native Citrix Receivers try to connect through unless they are configured to use a different gateway. If no gateways are configured for the store, the first gateway imported from the ZIP file will become the default gateway used by native Citrix Receivers. Importing subsequent gateways does not change the default gateway already set for the store.

Import multiple NetScaler Gateways using PowerShell

Read-STFNetScalerConfiguration

  • Copy the ZIP file to the desktop of the currently logged on StoreFront administrator.
  • Read the contents of the NetScaler ZIP file into memory and look at the three gateways it contains using their index values.

     $ImportedGateways = Read-STFNetScalerConfiguration -path "$env:USERPROFILE\desktop\GatewayConfig.zip"
    

    View the three gateway objects in memory, which were read in from the NetScaler ZIP import package using the Read-STFNetScalerConfiguration cmdlet.

     $ImportedGateways.Document.Gateways[0]
     $ImportedGateways.Document.Gateways[1]
     $ImportedGateways.Document.Gateways[2]
    
     GatewayMode            : CVPN
     CallbackUrl            :
     GslbAddressUri         : https://gslb.example.com/
     AddressUri             : https://emeagateway.example.com/
     Address                : https://emeagateway.example.com:443
     GslbAddress            : https://gslb.example.com:443
     VipAddress             : 10.0.0.1
     Stas                   : {STA298854503, STA909374257}
     StaLoadBalance         : True
     CertificateThumbprints : {F549AFAA29EBF61E8709F2316B3981AD503AF387}
     GatewayAuthType        : Domain
     GatewayEdition         : Enterprise
     ReceiverForWebSites    : {Citrix.StoreFront.Model.Roaming.NetScalerConfiguration.ReceiverForWebSite}
    
     GatewayMode            : CVPN
     CallbackUrl            :
     GslbAddressUri         : https://gslb.example.com/
     AddressUri             : https://emeagateway.example.com/
     Address                : https://emeagateway.example.com:444
     GslbAddress            : https://gslb.example.com:443
     VipAddress             : 10.0.0.2
     Stas                   : {STA298854503, STA909374257}
     StaLoadBalance         : True
     CertificateThumbprints : {F549AFAA29EBF61E8709F2316B3981AD503AF387}
     GatewayAuthType        : DomainAndRSA
     GatewayEdition         : Enterprise
     ReceiverForWebSites    : {Citrix.StoreFront.Model.Roaming.NetScalerConfiguration.ReceiverForWebSite}
    
     GatewayMode            : CVPN
     CallbackUrl            : https://emeagateway.example.com:445
     GslbAddressUri         : https://gslb.example.com/
     AddressUri             : https://emeagateway.example.com/
     Address                : https://emeagateway.example.com:445
     GslbAddress            : https://gslb.example.com:443
     VipAddress             : 10.0.0.2
     Stas                   : {STA298854503, STA909374257}
     StaLoadBalance         : True
     CertificateThumbprints : {F549AFAA29EBF61E8709F2316B3981AD503AF387}
     GatewayAuthType        : SmartCard
     GatewayEdition         : Enterprise
     ReceiverForWebSites    : {Citrix.StoreFront.Model.Roaming.NetScalerConfiguration.ReceiverForWebSite}
    

Import-STFNetScalerConfiguration without specifying a CallbackURL

Copy the ZIP file to the desktop of the currently logged-in StoreFront administrator. Read the NetScaler ZIP import package into memory and look at the three gateways it contains using their index values.

```
$ImportedGateways = Read-STFNetScalerConfiguration -path "$env:USERPROFILE\desktop\GatewayConfig.zip"
```

Import three new gateways into StoreFront using the Import-STFNetScalerConfiguration cmdlet and specifying the gateway indexes you require. Using the -Confirm:$False parameter prevents the PowerShell GUI from prompting you to allow every gateway to be imported. Remove this if you wish to carefully import one gateway at a time.

```
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 0 -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 1 -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 2 -Confirm:$False
```

Import-STFNetScalerConfiguration specifying your own CallbackURL

Import three new gateways into StoreFront using the Import-STFNetScalerConfiguration cmdlet and specify a callback URL of your choice using the -callbackURL parameter.

```
$ImportedGateways = Read-STFNetScalerConfiguration -path "$env:USERPROFILE\desktop\GatewayConfig.zip"
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 0 -CallbackUrl "https://emeagatewaycb.example.com:443" -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 1 -CallbackUrl "https://emeagatewaycb.example.com:444" -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 2 -CallbackUrl "https://emeagatewaycb.example.com:445" -Confirm:$False
```

Import-STFNetScalerConfiguration overriding the authentication method stored in the import file and specifying your own CallbackURL

Import three new gateways into StoreFront using the Import-STFNetScalerConfiguration cmdlet, overriding the logon type stored in the import file with the -LogonType parameter and specifying a callback URL of your choice with the -CallbackUrl parameter.

```
$ImportedGateways = Read-STFNetScalerConfiguration -path "$env:USERPROFILE\desktop\GatewayConfig.zip"
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 0 -LogonType "SmartCard" -CallbackUrl "https://emeagatewaycb.example.com:443" -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 1 -LogonType "SmartCard" -CallbackUrl "https://emeagatewaycb.example.com:444" -Confirm:$False
Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex 2 -LogonType "SmartCard" -CallbackUrl "https://emeagatewaycb.example.com:445" -Confirm:$False
```
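
The callback URL requirements described in this article can be checked before each import. The following is an added example, not Citrix's own code: it uses the logon-type table above to decide which gateways need a callback URL and imports a gateway only when that URL is HTTPS and resolves to the gateway's VipAddress. It assumes that the VipAddress value in the ZIP is the address StoreFront should reach (no NAT in between) and that falling back to the gateway address mirrors the console's autofill.

```powershell
# Added example: pre-flight check of callback URLs before importing gateways.
# Logon types that require a callback URL, taken from the table in this article.
$NeedsCallback = 'RSA', 'SmartCard', 'SmartCardDomain', 'SmartCardDomainAndRSA',
                 'SmartCardRSA', 'SmartCardSMS', 'SMS'

$ImportedGateways = Read-STFNetScalerConfiguration -Path "$env:USERPROFILE\desktop\GatewayConfig.zip"
$Gateways = @($ImportedGateways.Document.Gateways)

for ($i = 0; $i -lt $Gateways.Count; $i++) {
    $gw = $Gateways[$i]
    $logonType = "$($gw.GatewayAuthType)"

    if ($NeedsCallback -notcontains $logonType) {
        # No callback URL needed for this logon type: import as exported.
        # -Confirm:$False is omitted so each import is still confirmed by hand.
        Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex $i
        continue
    }

    # Assumption: when the file carries no callback URL, use the gateway address,
    # as the console does when it autofills the field.
    $callback = if ($gw.CallbackUrl) { "$($gw.CallbackUrl)" } else { "$($gw.Address)" }
    $uri = [Uri]$callback

    try {
        # Resolve with the StoreFront server's own DNS view.
        $resolved = [System.Net.Dns]::GetHostAddresses($uri.Host) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "Gateway $i ($logonType): cannot resolve $($uri.Host); not imported."
        continue
    }

    # Assumption: the callback host must resolve to the VipAddress recorded in the ZIP.
    if ($uri.Scheme -ne 'https' -or $resolved -notcontains "$($gw.VipAddress)") {
        Write-Warning ("Gateway ${i}: $callback resolves to $($resolved -join ', '), " +
                       "expected $($gw.VipAddress) over HTTPS; not imported.")
        continue
    }

    Import-STFNetScalerConfiguration -Configuration $ImportedGateways -GatewayIndex $i -CallbackUrl $callback
}
```

Gateways that are skipped with a warning can be imported afterwards with an explicit -CallbackUrl value once DNS has been corrected.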