Product Documentation

Pre-Installation Checklist

Mar 25, 2014

The checklist consists of a list of tasks and planning information you should complete before you install NetScaler Gateway.

Space is provided so that you can check off each task as you complete it and make notes. Citrix recommends that you make note of the configuration values that you need to enter during the installation process and while configuring NetScaler Gateway.

For steps to install and configure NetScaler Gateway, see Installing the Model MPX Appliance and Installing NetScaler Gateway.

User Devices

Ensure that user devices meet the installation prerequisites described in NetScaler Gateway Plug-in System Requirements.

 

Identify the mobile devices with which users connect.

Note: If users connect with an iOS device, you need to enable Secure Browse in a session profile.

NetScaler Gateway Basic Network Connectivity

Citrix recommends that you obtain licenses and signed server certificates before you start to configure the appliance.

Identify and write down the NetScaler Gateway host name.

Note: This is not the fully qualified domain name (FQDN). The FQDN is contained in the signed server certificate that is bound to the virtual server.
 

Obtain Universal licenses from the Citrix web site.

 

Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA). Write down the date on which you send the CSR to the CA.

 

Write down the system IP address and subnet mask.

 

Write down the mapped IP address and subnet mask.

 

Write down the subnet IP address and subnet mask (optional).

 

Write down the administrator password.

The default password that comes with NetScaler Gateway is nsroot.

 

Write down the port number.

This is the port on which NetScaler Gateway listens for secure user connections. The default is TCP port 443. This port must be open on the firewall between the unsecured network (Internet) and the DMZ.

 

Write down the default gateway IP address.

 

Write down the DNS server IP address and port number.

The default port number is 53. In addition, if you are adding the DNS server directly, you must also configure ICMP (ping) on the appliance.

 

Write down the first virtual server IP address and host name.

 

Write down the second virtual server IP address and host name (if applicable).

 

Write down the WINS server IP address (if applicable).

 

Internal Networks Accessible Through NetScaler Gateway

Write down the internal networks that users can access through NetScaler Gateway.

Example: 10.10.0.0/24

Enter all internal networks and network segments that users need access to when they connect through NetScaler Gateway by using the NetScaler Gateway Plug-in.

 

High Availability

If you have two NetScaler Gateway appliances, you can deploy them in a high availability configuration in which one NetScaler Gateway accepts and manages connections, while a second NetScaler Gateway monitors the first appliance. If the first NetScaler Gateway stops accepting connections for any reason, the second NetScaler Gateway takes over and begins actively accepting connections.

Write down the NetScaler Gateway software version number.

The version number must be the same on both NetScaler Gateway appliances.

 

Write down the administrator password (nsroot).

The password must be the same on both appliances.

 

Write down the primary NetScaler Gateway IP address and ID.

The maximum ID number is 64.

 

Write down the secondary NetScaler Gateway IP address and ID.

 

Obtain and install the Universal license on both appliances.

You must install the same Universal license on both appliances.

 

Write down the RPC node password.

 

Authentication and Authorization

NetScaler Gateway supports several different authentication and authorization types that can be used in a variety of combinations. For detailed information about authentication and authorization, see Authentication and Authorization.

LDAP Authentication

If your environment includes an LDAP server, you can use LDAP for authentication.

Write down the LDAP server IP address and port.

If you allow unencrypted connections to the LDAP server, the default is port 389. If you encrypt connections to the LDAP server with SSL, the default is port 636.

 

Write down the security type.

You can configure security with or without encryption.

 

Write down the administrator bind DN.

If your LDAP server requires authentication, enter the administrator DN that NetScaler Gateway should use to authenticate when making queries to the LDAP directory. An example is cn=administrator,cn=Users,dc=ace,dc=com.

 

Write down the administrator password.

This is the password associated with the administrator bind DN.

 

Write down the Base DN.

The DN (or directory level) under which users are located; for example, ou=users,dc=ace,dc=com.

 

Write down the server logon name attribute.

Enter the LDAP directory person object attribute that specifies a user’s logon name. The default is sAMAccountName. If you are not using Active Directory, common values for this setting are cn or uid.

For more information about LDAP directory settings, see Configuring LDAP Authentication.

 

Write down the group attribute.

Enter the LDAP directory person object attribute that specifies the groups to which a user belongs. The default is memberOf. This attribute enables NetScaler Gateway to identify the directory groups to which a user belongs.

 

Write down the subattribute name.

 
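The LDAP values above are easy to write down inconsistently (for example, choosing SSL but keeping port 389). The following added example, which is not Citrix code, checks a set of written-down values against the defaults this checklist states; the LdapSettings fields and the PLAINTEXT/SSL labels are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example (not Citrix code): sanity-check the LDAP values written
# down in this checklist against the defaults it states. Field names and
# the PLAINTEXT/SSL labels are assumptions made for this example.

@dataclass
class LdapSettings:
    server_ip: str
    port: int
    security: str        # "PLAINTEXT" or "SSL" (assumed labels)
    bind_dn: str         # e.g. cn=administrator,cn=Users,dc=ace,dc=com
    base_dn: str         # e.g. ou=users,dc=ace,dc=com
    logon_attr: str = "sAMAccountName"
    group_attr: str = "memberOf"


def dn_suffix(dn: str) -> str:
    """Return only the dc= components of a DN, lower-cased, spaces stripped."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def check_ldap(s: LdapSettings) -> list[str]:
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    # Port and security type must agree: 389 is the plaintext default, 636 the SSL default.
    if s.security == "SSL" and s.port == 389:
        findings.append("security type is SSL but port 389 is the plaintext default; expected 636")
    if s.security == "PLAINTEXT" and s.port == 636:
        findings.append("port 636 is the SSL default but security type is PLAINTEXT")
    if s.security == "PLAINTEXT":
        findings.append("bind DN password crosses the DMZ firewall unencrypted")
    # Bind DN and Base DN normally live in the same directory suffix.
    if dn_suffix(s.bind_dn) != dn_suffix(s.base_dn):
        findings.append("bind DN and base DN are in different directory suffixes")
    # sAMAccountName is the Active Directory default; cn or uid for other directories.
    if s.logon_attr not in ("sAMAccountName", "cn", "uid"):
        findings.append(f"unusual logon name attribute {s.logon_attr!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: SSL selected but the plaintext port written down.
    sample = LdapSettings("10.10.0.5", 389, "SSL",
                          "cn=administrator,cn=Users,dc=ace,dc=com",
                          "ou=users,dc=ace,dc=com")
    for f in check_ldap(sample):
        print("finding:", f)
```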

RADIUS Authentication and Authorization

If your environment includes a RADIUS server, you can use RADIUS for authentication.

RADIUS authentication includes RSA SecurID, SafeWord, and Gemalto Protiva products.

Write down the primary RADIUS server IP address and port.

The default port is 1812.

 

Write down the primary RADIUS server secret (shared secret).

 

Write down the secondary RADIUS server IP address and port.

The default port is 1812.

 

Write down the secondary RADIUS server secret (shared secret).

 

Write down the type of password encoding (PAP, CHAP, MS-CHAP v1, MS-CHAP v2).

 

SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between Identity Providers (IdP) and Service Providers (SP).

Obtain and install on NetScaler Gateway a secure IdP certificate.

 

Write down the redirect URL.

 

Write down the user field.

 

Write down the signing certificate name.

 

Write down the SAML issuer name.

 

Write down the default authentication group.

Opening Ports Through the Firewalls (Single-Hop DMZ)

If your organization protects the internal network with a single DMZ and you deploy the NetScaler Gateway in the DMZ, open the following ports through the firewalls. If you are installing two NetScaler Gateway appliances in a double-hop DMZ deployment, see Opening the Appropriate Ports on the Firewalls.

On the Firewall Between the Unsecured Network and the DMZ

Open a TCP/SSL port (default 443) on the firewall between the Internet and NetScaler Gateway. User devices connect to NetScaler Gateway on this port.

 

On the Firewall Between the DMZ and the Secured Network

Open one or more appropriate ports on the firewall between the DMZ and the secured network. NetScaler Gateway connects to one or more authentication servers or to computers running XenApp or XenDesktop in the secured network on these ports.

 

Write down the authentication ports.

Open only the port appropriate for your NetScaler Gateway configuration.

  • For LDAP connections, the default is TCP port 389 (TCP port 636 if you encrypt connections to the LDAP server with SSL).
  • For a RADIUS connection, the default is UDP port 1812.
 

Write down the XenApp or XenDesktop ports.

If you are using NetScaler Gateway with XenApp or XenDesktop, open TCP port 1494. If you enable session reliability, open TCP port 2598 instead of 1494.

Citrix recommends keeping both of these ports open.

 
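Because the checklist asks you to open only the ports your configuration actually uses, it helps to derive the expected openings from the deployment choices and compare them with the real rule base. The following added example, which is not Citrix code, does that for the single-hop firewalls above and also covers the SOCKS with SSL port between the two appliances from the double-hop section later in this checklist; port numbers are the defaults this checklist states, while the Deployment fields and zone names are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example (not Citrix code): derive the firewall openings this
# checklist calls for from the deployment choices, so the list can be
# compared with the real rule base. Port numbers are the defaults the
# checklist states; the Deployment fields and zone names are assumptions.

OUTER = "Internet->DMZ"          # firewall between the unsecured network and the DMZ
INNER = "DMZ->secured"           # firewall between the DMZ and the secured network
HOP = "firstDMZ->secondDMZ"      # firewall between the two DMZs (double-hop only)


@dataclass
class Deployment:
    gateway_port: int = 443      # TCP/SSL port user devices connect to
    ldap: bool = False
    ldap_ssl: bool = False       # 636 instead of 389
    radius: bool = False
    xenapp: bool = False         # XenApp/XenDesktop ICA traffic
    double_hop: bool = False     # second NetScaler Gateway in a second DMZ


def required_openings(d: Deployment) -> list[tuple[str, str, int]]:
    """(firewall, protocol, port) tuples that must be open for this deployment."""
    rules = [(OUTER, "tcp", d.gateway_port)]
    if d.ldap:                   # open only the port the configuration actually uses
        rules.append((INNER, "tcp", 636 if d.ldap_ssl else 389))
    if d.radius:
        rules.append((INNER, "udp", 1812))
    if d.xenapp:                 # 1494 for ICA, 2598 with session reliability;
        rules += [(INNER, "tcp", 1494), (INNER, "tcp", 2598)]  # Citrix recommends both open
    if d.double_hop:             # SOCKS with SSL between the two appliances
        rules.append((HOP, "tcp", 443))
    return rules


def unexpected_openings(d: Deployment, actual) -> list[tuple[str, str, int]]:
    """Openings in the real rule base that the checklist does not call for."""
    return sorted(set(actual) - set(required_openings(d)))


if __name__ == "__main__":
    dep = Deployment(ldap=True, ldap_ssl=True, xenapp=True)
    for fw, proto, port in required_openings(dep):
        print(f"open {proto}/{port} on {fw}")
```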

XenDesktop, XenApp, the Web Interface, or StoreFront

Complete the following tasks if you are deploying NetScaler Gateway to provide access to XenApp or XenDesktop through the Web Interface or StoreFront. The NetScaler Gateway Plug-in is not required for this deployment. Users access published applications and desktops through NetScaler Gateway by using only web browsers and Citrix Receiver.

Write down the FQDN or IP address of the server running the Web Interface or StoreFront.

 

Write down the FQDN or IP address of the server running the Secure Ticket Authority (STA) (for Web Interface only).

 

XenMobile App Edition

Complete the following tasks if you deploy App Controller in your internal network. If users connect to App Controller from an external network, such as the Internet, users must connect to NetScaler Gateway before accessing mobile, web, and SaaS apps.

Write down the FQDN or IP address of App Controller.

 

Identify web, SaaS, and mobile iOS or Android applications users can access.

 

Double-Hop DMZ Deployment with XenApp

Complete the following tasks if you are deploying two NetScaler Gateway appliances in a double-hop DMZ configuration to support access to servers running XenApp.

NetScaler Gateway in the First DMZ

The first DMZ is the DMZ at the outermost edge of your internal network (closest to the Internet or unsecured network). Clients connect to NetScaler Gateway in the first DMZ through the firewall separating the Internet from the DMZ. Collect this information before installing NetScaler Gateway in the first DMZ.

Complete the items in the NetScaler Gateway Basic Network Connectivity section of this checklist for this NetScaler Gateway.

When completing those items, note that Interface 0 connects this NetScaler Gateway to the Internet and Interface 1 connects this NetScaler Gateway to NetScaler Gateway in the second DMZ.

 

Configure the second DMZ appliance information on the primary appliance.

To configure NetScaler Gateway as the first hop in the double-hop DMZ, you must specify the host name or IP address of NetScaler Gateway in the second DMZ on the appliance in the first DMZ. After you configure the NetScaler Gateway proxy on the appliance in the first hop, bind it to NetScaler Gateway globally or to a virtual server.

 

Write down the connection protocol and port between appliances.

To configure NetScaler Gateway as the first hop in the double-hop DMZ, you must specify the connection protocol and port on which NetScaler Gateway in the second DMZ listens for connections. The connection protocol and port are SOCKS with SSL (default port 443). The protocol and port must be open through the firewall that separates the first DMZ from the second DMZ.

 

NetScaler Gateway in the Second DMZ

The second DMZ is the DMZ closest to your internal, secure network. NetScaler Gateway deployed in the second DMZ serves as a proxy for the ICA traffic that traverses the second DMZ between external user devices and the servers on the internal network.

Complete the tasks in the NetScaler Gateway Basic Network Connectivity section of this checklist for this NetScaler Gateway.

When completing those items, note that Interface 0 connects this NetScaler Gateway to NetScaler Gateway in the first DMZ. Interface 1 connects this NetScaler Gateway to the secured network.