Product Documentation

Allowing Access from Mobile Devices with Worx Apps

May 07, 2015

When users connect from a mobile device with Worx Apps, NetScaler Gateway needs to discover the platform of the device, Android or iOS. You can allow users to connect from Android or iOS devices through NetScaler Gateway to mobile apps and resources in the internal network. Users connect by using Worx Home.

Android and iOS devices connect by using Worx Home that establishes a Micro VPN tunnel. When users connect, a VPN tunnel opens to NetScaler Gateway and then is passed to App Controller in the internal network. Users can then access their web, mobile, and SaaS apps from App Controller.

If users connect from an Android device, you must configure DNS settings on NetScaler Gateway. For details, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.

Secure Browse allows users of iOS devices to connect through NetScaler Gateway to network resources from Worx Home or Receiver for iOS, Version 5.6.x. Users do not need to establish a full VPN tunnel to access resources in the secure network. Secure Browse is enabled by default.

When you run the Quick Configuration wizard, the settings for connections from Android and iOS mobile devices are configured by the wizard. Citrix recommends using the Quick Configuration wizard to configure settings for mobile devices. For more information about running the Quick Configuration wizard, see Configuring Settings with the Quick Configuration Wizard.

How Licensing Works for Mobile Devices

Users who connect with Micro VPN consume a Universal license installed on NetScaler Gateway. The Quick Configuration wizard sets the virtual server for SmartAccess that allows for Micro VPN connections. To ensure that users consume a single Universal license when connecting to NetScaler Gateway with multiple devices simultaneously, you can enable session transfer on the virtual server. For details, see Configuring Connection Types on the Virtual Server. Users who connect with Receiver from mobile devices use the Platform license.

If a user connects by using Worx Home, a Universal license is used. Users can also connect with Receiver for Android or Receiver for iOS. When users connect by using either of these methods, the Platform license is used.

Configuring Secure Browse by Using the Configuration Utility

You enable Secure Browse as part of global settings or as part of a session profile. You can bind the session policy to users, groups, or virtual servers. When you configure Secure Browse, you must also enable clientless access. However, clientless access does not require you to enable Secure Browse. When you configure clientless access, set the Clientless Access URL Encoding to Clear.

How Secure Browse Connections Work

When users log on from an iOS device, the request from the mobile device contains a session cookie. When NetScaler Gateway and Receiver respond, the response body contains prefixes that indicate that Secure Browse and clientless access are enabled.

When you enable Secure Browse, URL rewriting occurs on the mobile device. Receiver uses the prefix to rewrite the URL when accessing internal resources. For example, if the internal resource being accessed is and the fully qualified domain name (FQDN) of NetScaler Gateway is, the rewritten request looks like

If you enable Client Choices and Secure Browse as part of the session profile, when users log on from an iOS device, Secure Browse disables the client choices page. When users log on, they do not receive a choice to select the NetScaler Gateway Plug-in, clientless access, or an ICA connection as they would if logging on from a Windows-based or Mac OS X computer.