Citrix Access Gateway (based on the NetScaler platform) provides the best secure application access for Citrix XenApp and Citrix XenDesktop virtual desktops and applications. It is also the remote access component of Citrix CloudGateway, which offers secure delivery of Web, SaaS and iOS apps, along with ShareFile data. With all the prowess of the proven NetScaler platform, comes a standard tradeoff of simplicity vs. power. With all the features and control that an Access Gateway offers, it can be intimidating for some of us. At Citrix, we take the end user experience very seriously, and want to make sure that you get the job done, with the least effort possible, without compromising on the capabilities that our products can offer! With this vision, in our (just released) Z3 release, we have created a new Simplified Configuration Wizard in Access Gateway. This Remote Access wizard is meant to assist our most common use cases – Remote Access to Published Apps & Desktops, as well as CloudGateway. On the new Access Gateways (or NetScalers), based on 10.0.69.6+ release, you will be able to access this wizard, in the following ways:

  1. On an appliance, licensed as purely an Access Gateway (does not provide any additional NS service), you will see a new Access Gateway Home Tab, next to the Dashboard Tab. Clicking on this Home tab will take you to the new AGEE home page, which shows basic monitoring information, specific to Access Gateway. More importantly, in the top right corner, you will see a link called ‘Create New Access Gateway’. Clicking this link launches the new Remote Access Wizard.
  2. On NetScaler appliances / VPX, you will be able to reach the same Access Gateway Home page by clicking the Access Gateway Configuration summary node. Exact Location: Configuration -> Access Gateway -> Getting Started -> Create/Monitor Access Gateway. This will take you to the same Access Gateway Home page as described above. Once there, you will see a link called ‘Create New Access Gateway’. Clicking this link launches the new Remote Access Wizard.

This wizard is split into following configuration blocks:

  • Access Gateway Settings
  • Authentication
  • Certificate
  • DNS
  • Remote Access configuration for Web Interface / CloudGateway

Running this wizard automatically creates for you, various policies (authentication, session, …), and binds them to an AG vServer.   Lets take a look at the various policies created:

  • Authentication policies

Based on the LDAP / RADIUS configuration you provide during the wizard, 1 / 2 authentication policies will be created for you. E.g.

Authentication Policy automatically created by the wizard

Authentication Policy automatically created by the wizard

What you see above is a sample LDAP Authentication policy & profile created automatically by the wizard.

  • Session policies

The wizard also creates 4 session policies for you. Session Policies define the parameters that apply for the current user session and generally consist of a condition (based on the end user device) and a corresponding action. These help you provide relevant experiences for different kinds of platforms. Here’s a screenshot of the 4 session policies that are automatically configured, based on the inputs provided to the wizard:

Session Policies created by the Wizard

Session Policies created by the Wizard

Lets get into some details around these policies. The four policies configured are used to identify the four different access scenarios that Citrix provides for the end user. So before we get into the policies, lets first understand these access scenarios:

Access Method

Versions

How to identify

(REQ.HTTP.HEADER)

Pre CG 2.0 Receivers
  • RfWin < 3.3
  • RfMac < 11.6
  • RfAndroid < 3.1.170
  • RfIOS < 5.6.1
User-Agent CONTAINS CitrixReceiver&&X-Citrix-Gateway NOTEXISTS
CG 2.0  Receivers
  • RfWin >= 3.3
  • RfMac >= 11.6
  • RfAndroid >= 3.1.170
  • RfIOS >= 5.6.1
User-Agent CONTAINS CitrixReceiver&&X-Citrix-Gateway EXISTS
Receiver for Web NA User-Agent NOTCONTAINS CitrixReceiver&&Referer EXISTS
AG Secure Access Plug-in All User-Agent NOTCONTAINS CitrixReceiver&&Referer NOTEXISTS

So, as should be evident by the above table, one can look at the incoming Request HTTP Header for certain strings, to identify the access method. And since different receivers / AG plug-in need different session profiles, the same can be enforced based on the above rules. Here are the points to keep in mind:

  • All Native Citrix Receivers (mobile & desktop) contain the string User-Agent = CitrixReceiver
  • Receiver for Web does not contain this string (since it is not a native receiver). Instead, since it is run on the browser, it contains the string Referer.
  • AG Secure Access Plug-in doesn’t contain either of the strings

All right, having identified the different access methods, it is important to look at the session profiles that must be enforced for each of these:

Access Method

Session Profiles

Pre CG 2.0 Receivers ICAProxy = ONSSO = ONWI Home = PNAgent Site
CG 2.0 Receivers ICAProxy = OFFCVPN = ONSSO = ONWI Home = Storefront Site
Receiver for Web ICAProxy = OFFCVPN = ONSSO = ONWI Home = Storefront Site
AG Secure Access Plug-in ICAProxy = OFFCVPN = OFFSplit Tunnel = ON

So here are the things to note:

  • Old Desktop and Mobile Receivers connect to the PNAgent Site, using ICAProxy
  • New Desktop and Mobile Receivers connect to the Storefront site, using CVPN
  • Receiver for Web provides access to Storefront site, using CVPN
  • AG Secure Access Plug-in provides full tunnel access to the corporate network
  • Clientless Access policies

In addition to the session policies, the wizard also creates relevant clientless access policies. Clientless access policies are essentially rewrite policies, which are hit for all traffic in a session. There are two main policies that are configured:

Client-less Access Policies created by the Wizard

Client-less Access Policies created by the Wizard

  • RfWeb Rewrite Policy – This policy hits for all RfWeb traffic and essentially turns Server side Rewrite ON.
  • No Rewrite policy – This policy is hit for all non-RfWeb traffic, and essentially turns off server side Rewrite. This is done since, Receivers will provide Client side rewrite.

As you can see, once these policies are configured, you are good to go. You already have all the required configuration, for the end users to connect over their IPADs / Android phones / Windows-Mac Laptops and even Kiosk (with Receiver for Web). All this is a basic configuration to get you going. Beyond this, you can do much more advanced configuration to truly leverage the power that Access Gateway offers. Smart Access is something you must use, to granularly control access to all your end users.