NetScaler Gateway 10 VPX Configuration

NetScaler Gateway (10.1) – Formerly Access Gateway (10.0)
Below is an outline of the key settings needed to connect to published applications on XenApp 6.5, served through StoreFront (CloudGateway Express). This is a work in progress, and each time I make a significant step I’ll update this page. To start with, I’m setting up CloudGateway Express, to be followed by CloudGateway Enterprise. I aim to eventually turn on SMS authentication (PIN + OTP) in place of a password.


Common Settings
AD domain name: walker.uk.com
Public domain name: walker.uk.com
Publicly accessible Access Gateway Virtual Server:
StoreFront server FQDN: wsf01.walker.uk.com, wsf02.walker.uk.com
StoreFront NS Virtual Server FQDN: wcg.walker.uk.com
StoreFront URL:
Store Name: WStore
Store URL:
Web Store URL:

The StoreFront NS vServer has an AD-signed certificate bound to it (PEM (PKCS-7)). This certificate was exported and imported into IIS on both StoreFront servers. In IIS, the “wcg.walker.uk.com” certificate was imported as a Server Certificate and then bound to the IIS Default Website. I couldn’t get the key to work for the export / import with a DER type.

NetScaler VPX (Express) 10.0 build 74.4nc

Access Gateway Virtual Server

Name: wcloud_AG_vip

Certificate

GoDaddy public certificate (wcloud.walker.uk.com).

Global Settings

| Tab | Property | Value |
|---|---|---|
| Network Configuration | DNS Server (Active Directory DNS servers) | 192.168.5.5, 192.168.5.6 |
| Client Experience | Home Page | {Blank} |
| | Display Home Page | ☑ |
| | URL for Web-Based Email | {Blank} |
| | Split Tunnel | OFF |
| | Session Time-out (mins) | 30 |
| | Client Idle Time-out (mins) | {Blank} |
| | Plug-in Type | Windows/Mac OS X |
| | Clientless Access | Allow |
| | Clientless Access URL Encoding | Clear |
| | Clientless Access Persistent Co… | DENY |
| | Single Sign-on to Web Applications | ☐ |
| | Credential Index | PRIMARY |
| | Single Sign-on with Windows | ☐ |
| | Client Cleanup Prompt | ☑ |
| Advanced: General | Login Script | {Blank} |
| | Logout Scripts | {Blank} |
| | Client Debug | OFF |
| | Split DNS | REMOTE |
| | Application Token Time-out (sec) | 100 |
| | Local LAN Access | ☐ |
| | Allow access to private network IP addresses only | ☐ |
| | Client Choices | ☐ |
| Advanced: Client Options | Client Options: Service | ☑ |
| | Client Options: File Transfer | ☑ |
| | Client Options: Configuration | ☑ |
| | Client Configuration: General | ☑ |
| | Client Configuration: Tunnel | ☑ |
| | Client Configuration: Trace | ☑ |
| | Client Configuration: Compression | ☑ |
| Advanced: Client Cleanup | Force Cleanup: Cookie | ☐ |
| | Force Cleanup: Addressbar | ☐ |
| | Force Cleanup: Plug-in | ☐ |
| | Force Cleanup: File System Application | ☐ |
| | Force Cleanup: Application | ☐ |
| | Force Cleanup: Client Certificate | ☐ |
| | Force Cleanup: Application Data | ☐ |
| | Force Cleanup: Auto Complete | ☐ |
| | Force Cleanup: Cache | ☐ |
| Advanced: Proxy | Proxy Settings | Off, {All blank} |
| Security | Default Authorization Action | DENY |
| | Client Security Encryption | ☐ |
| | Secure Browse | ☐ |
| Published Applications | ICA Proxy | OFF |
| | Web Interface Address | {Blank} |
| | Web Interface Portal Mode | NORMAL |
| | Single Sign-on Domain | walker |
| | Citrix Receiver Home Page | {Blank} |
| | Account Service Address | {Blank} |

Authentication Policy – All

| Priority | Policy Name | Expression | Profile |
|---|---|---|---|
| 100 | LDAP_Policy | NS_TRUE | LDAP_Profile |

Authentication Profile – All

| Area | Property | Value |
|---|---|---|
| | Name | LDAP_Profile |
| | Authentication Type | LDAP |
| Server | IP Address | 192.168.5.5 |
| | IPv6 | ☐ |
| | Port | 389 |
| | Type | AD |
| | Time-out (seconds) | 3 |
| Connection Settings | Base DN (Location of Users) | OU=Users,OU=walker,DC=walker,DC=uk,DC=com |
| | Administrator Bind DN | CN=SA-QueryAD,OU=Service Accounts,OU=Users,OU=walker,DC=walker,DC=uk,DC=com |
| | Administrator Password | {Password for Administrator Bind DN account} |
| | Confirm Administrator Pass… | {Password for Administrator Bind DN account} |
| | Retrieve Attributes | Confirms above settings are correct. |
| Other Settings | Server Logon Name Attribute | sAMAccountName |
| | Search Filter | {Blank} |
| | Group Attribute | {Blank} |
| | Sub Attribute Name | {Blank} |
| | SSO Name Attribute | {Blank} |
| | Security Type | PLAINTEXT |
| | Authentication | ☑ |
| | User Required | ☑ |
| | Allow Password Change | ☐ |
| | Nested Group Extraction | Disabled |
N.B.: “Allow password change” requires secure LDAP.
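
With Security Type PLAINTEXT on port 389, the bind account's password and every user's password travel unencrypted between the NetScaler and the domain controller. The following check is an added example, not part of the original post: it scans exported ns.conf text for LDAP actions configured this way and lists the policies that use them. The sample lines are constructed from the table values, LDAP_Profile_SSL is a hypothetical LDAPS variant, and treating a missing -secType as PLAINTEXT (and a missing port as 389) is an assumption.

```python
import shlex

# Constructed ns.conf-style lines: LDAP_Profile mirrors the table above (bind
# password omitted); LDAP_Profile_SSL is a hypothetical LDAPS variant.
SAMPLE_CONFIG = """
add authentication ldapAction LDAP_Profile -serverIP 192.168.5.5 -serverPort 389 -authTimeout 3 -ldapBase "OU=Users,OU=walker,DC=walker,DC=uk,DC=com" -ldapBindDn "CN=SA-QueryAD,OU=Service Accounts,OU=Users,OU=walker,DC=walker,DC=uk,DC=com" -ldapLoginName sAMAccountName -secType PLAINTEXT -passwdChange DISABLED
add authentication ldapAction LDAP_Profile_SSL -serverIP 192.168.5.5 -serverPort 636 -ldapLoginName sAMAccountName -secType SSL -passwdChange ENABLED
add authentication ldapPolicy LDAP_Policy ns_true LDAP_Profile
"""


def parse_config(config_text):
    """Return ({action: {option: value}}, {action: [policies using it]})."""
    actions, policies = {}, {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # keeps quoted DNs containing spaces intact
        if tokens[:2] != ["add", "authentication"] or len(tokens) < 4:
            continue
        if tokens[2] == "ldapAction":
            opts = tokens[4:]  # "-option value" pairs after the action name
            actions[tokens[3]] = {opts[i].lstrip("-").lower(): opts[i + 1]
                                  for i in range(0, len(opts) - 1, 2)}
        elif tokens[2] == "ldapPolicy" and len(tokens) >= 6:
            # add authentication ldapPolicy <name> <rule> <action>
            policies.setdefault(tokens[5], []).append(tokens[3])
    return actions, policies


def audit_ldap(config_text):
    """Flag LDAP actions whose binds are not protected by TLS/SSL."""
    actions, policies = parse_config(config_text)
    findings = []
    for name, opts in actions.items():
        # Assumption: an action with no -secType behaves as PLAINTEXT.
        sec_type = opts.get("sectype", "PLAINTEXT").upper()
        if sec_type != "PLAINTEXT":
            continue
        findings.append({
            "action": name,
            # Assumption: port 389 when -serverPort is not set.
            "server": f'{opts.get("serverip", "?")}:{opts.get("serverport", "389")}',
            "policies": policies.get(name, []),
            "issue": "bind DN and user passwords are sent unencrypted",
            # The page notes that password change requires secure LDAP.
            "passwd_change_needs_secure_ldap": opts.get("passwdchange", "").upper() == "ENABLED",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE_CONFIG):
        print(finding)
```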

Published Applications (STA) – All

Two STA servers added, running XenApp 6.5:
N.B.
· The XML service is running on port 8080.
· When adding a server, only the FQDN is required as the full ../Scripts/CtxSta.dll URL is added in the background.

Session Policies and Profiles for different Citrix Receivers and clients:

StoreFront 1.2

Watch this space…

3 thoughts on “NetScaler Gateway 10 VPX Configuration”

  1. Woter

    Have you tried running “nsconmsg -d current -g pol_hits” (without quotes) from the shell prompt and tried logging in from said PC? Is the PC getting the correct policy? Does the PC have anything strange set in C:\Windows\System32\Drivers\etc\hosts?
