NetScaler Gateway and Citrix Endpoint Management
When integrated with Citrix Endpoint Management, NetScaler Gateway provides remote device access to your internal network and resources. Citrix Endpoint Management creates a micro VPN from the apps on the device to NetScaler Gateway.
You can use the Citrix Gateway service (Preview) or on-premises NetScaler Gateway, also known as NetScaler Gateway. For an overview of the two NetScaler Gateway solutions, see Configure NetScaler Gateway use with Citrix Endpoint Management.
Configure authentication for remote device access to the internal network
-
In the Citrix Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
-
Under Server, click NetScaler Gateway. The NetScaler Gateway page appears. In the following example, a NetScaler Gateway instance exists.
-
Configure these settings:
- Authentication: Select whether to enable authentication. The default is On.
- Deliver user certificate for authentication: Select whether you want Citrix Endpoint Management to share the authentication certificate with Citrix Secure Hub. Sharing the certificate enables NetScaler Gateway to handle the client certificate authentication. The default is Off.
- Credential Provider: Click the credential provider to use fin the drop-down list. For more information, see Credential providers.
-
Click Save.
Add a Citrix Gateway service instance (Preview)
After you save the authentication settings, you add a NetScaler Gateway instance to Citrix Endpoint Management.
-
In the Citrix Endpoint Management console, click the gear icon in the upper-right corner. The Settings page opens.
-
On the Settings page, scroll to the NetScaler Gateway tile and then click Start setup. The NetScaler Gateway page appears.
-
Select Citrix Gateway service (cloud) and specify the resource location for the Gateway service.
- Resource location for Gateway service: is required if you use Citrix Secure Mail. Specify the resource location for the STA service. The resource location must include a configured NetScaler Gateway. If you later want to remove a resource location that’s configured for the Gateway service, update this setting.
After you complete those settings, click Connect to establish the connection. The new NetScaler Gateway is added. The Citrix Gateway service (cloud) tile appears on the Settings page. To edit an instance, click See More. If Gateway Connectors are not available in the selected resource location, click Add Gateway Connector. Follow the on-screen guidance to install Gateway Connectors. You can also add Gateway Connectors later.
-
Click Save and Export Script.
- Save and Export Script. Click the button to save your settings and export a configuration bundle. You can upload a script from the bundle to NetScaler Gateway to configure it with Citrix Endpoint Management settings. For information, see “Configure an on-premises NetScaler Gateway for use with Citrix Endpoint Management” after these steps.
You’ve added the new NetScaler Gateway. The NetScaler Gateway tile appears on the Settings page. To edit an instance, click See More.
Configure on-premises NetScaler Gateway for use with Citrix Endpoint Management
To configure an on-premises NetScaler Gateway for use with Citrix Endpoint Management, do the following general steps as detailed in the following sections.
-
Verify that your environment meets the prerequisites.
-
Export the script bundle from the Citrix Endpoint Management console.
-
Extract the files from the bundle. If you’re only using classic policies on NetScaler Gateway and you’re running Citrix ADC 13.0 or earlier, use the script with “Classic” in the file name. If you’re using any advanced policies or you’re running Citrix ADC 13.1 or later, use the script with “Advanced” in the file name.
-
Run the appropriate script on the NetScaler Gateway. See the readme file provided with the scripts for the latest detailed instructions.
-
Test the configuration.
The scripts configure these NetScaler Gateway settings required by Citrix Endpoint Management:
- NetScaler Gateway virtual servers needed for MDM and MAM
- Session policies for the NetScaler Gateway virtual servers
- Citrix Endpoint Management server details
- Proxy load balancer for certificate validation
- Authentication Policies and Actions for the NetScaler Gateway virtual server. The scripts describe the LDAP configuration settings.
- Traffic actions and policies for the proxy server
- Clientless access profile
- Static local DNS record on NetScaler Gateway
- Other bindings: Service policy, CA certificate
The scripts don’t handle the following configuration:
- Exchange load balancing
- Citrix Files load balancing
- ICA Proxy configuration
- SSL Offload
Prerequisites for using the NetScaler Gateway configuration scripts
Citrix Endpoint Management requirements:
- Complete the LDAP and NetScaler Gateway configuration in Citrix Endpoint Management before exporting the script bundle. If you change the settings, export the script bundle again.
NetScaler Gateway requirements:
- When using certificate-based authentication at the NetScaler Gateway, you must create SSL certificates on a Citrix ADC Appliance. See Create and Use SSL Certificates on a Citrix ADC Appliance.
- NetScaler Gateway (minimum version 11.0, Build 70.12).
- The NetScaler Gateway IP address is configured and has connectivity to the LDAP server, unless LDAP is load balanced.
- NetScaler Gateway Subnet (SNIP) IP address is configured, has connectivity to the necessary back end servers, and has public network access over port 8443/TCP.
- DNS can resolve public domains.
- NetScaler Gateway is licensed with Platform/Universal or Trial licenses. For information, see https://support.citrix.com/article/CTX126049.
Export the script bundle from Citrix Endpoint Management
After you save the authentication settings, you add a NetScaler Gateway instance to Citrix Endpoint Management.
-
In the Citrix Endpoint Management console, click the gear icon in the upper-right corner. The Settings page opens.
-
On the Settings page, scroll to the NetScaler Gateway tile and then click Start setup. The NetScaler Gateway page appears.
-
Select NetScaler Gateway (On-premises) and configure these settings:
- Name: Type a name for the NetScaler Gateway instance.
-
External URL: Type the publicly accessible URL for NetScaler Gateway. For example,
https://receiver.com
. - Logon Type: Choose a logon type. Types include: Domain, Security token only, Domain and security token, Certificate, Certificate and domain, and Certificate and security token. The default is Domain.
If you have multiple domains, use Certificate and domain. For more information, see Configure authentication for multiple domains.
Certificate-based authentication at the NetScaler Gateway requires extra configuration. For example, you must upload your root CA certificate to your Citrix ADC Appliance. See Create and Use SSL Certificates on a Citrix ADC Appliance.
For more information, see Authentication in the Deployment Handbook.
-
Click Save and Export Script.
- Save and Export Script. Click the button to save your settings and export a configuration bundle. You can upload a script from the bundle to NetScaler Gateway to configure it with Citrix Endpoint Management settings. For information, see “Configure an on-premises NetScaler Gateway for use with Citrix Endpoint Management” after these steps.
You’ve added the new NetScaler Gateway. The NetScaler Gateway tile appears on the Settings page. To edit an instance, click See More.
Install the script in your environment
The script bundle includes the following.
- Readme file with detailed instructions
- Scripts that have the NetScaler CLI commands used to configure the required components in NetScaler
- Public Root CA certificate and the Intermediate CA certificate
- Scripts that have the NetScaler CLI commands used to remove the NetScaler configuration
-
Upload and install the certificate files (provided in the script bundle) on the Citrix ADC appliance in the /nsconfig/ssl/ directory. See Create and Use SSL Certificates on a Citrix ADC Appliance.
The following examples show how to install the root certificate.
Make sure that you install both the root and intermediate certificates.
-
Edit the script (ConfigureCitrixGatewayScript_Classic.txt or ConfigureCitrixGatewayScript_Advanced.txt) to replace all placeholders with details from your environment.
-
Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/OfflineNSGConfigtBundle_CREATESCRIPT.txt"
When the script completes, the following lines appear.
Test the configuration
To validate the configuration:
-
Validate that NetScaler Gateway Virtual Server shows a state of UP.
-
Validate that the Proxy Load Balancing Virtual Server shows a state of UP.
-
Open a web browser, connect to the NetScaler Gateway URL, and try to authenticate. If the authentication succeeds, you are redirected to an “HTTP Status 404 - Not Found” message.
-
Enroll a device and make sure that it gets both MDM and MAM enrollment.
Configure authentication for multiple domains
If you have multiple Citrix Endpoint Management instances, such as for test, development, and production environments, you configure NetScaler Gateway for the additional environments manually. (You can use the NetScaler for XenMobile wizard only one time.)
NetScaler Gateway configuration
To configure NetScaler Gateway authentication policies and a session policy for a multi-domain environment:
- In the NetScaler Gateway configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies > Authentication.
- In the navigation pane, click LDAP.
-
Click to edit the LDAP profile. Change the Server Logon Name Attribute to userPrincipalName or the attribute that you want to use for searches. Make a note of the attributes that you specify. You provide it when configuring LDAP settings in the Citrix Endpoint Management console.
- Repeat those steps for each LDAP policy. A separate LDAP policy is required for each domain.
- In the session policy bound to the NetScaler Gateway virtual server, navigate to Edit session profile > Published Applications. Make sure that Single Sign-On Domain is blank.
Citrix Endpoint Management configuration
To configure Citrix Endpoint Management LDAP for a multi-domain environment:
-
In the Citrix Endpoint Management console, go to Settings > LDAP and add or edit a directory.
-
Provide the information.
-
In Domain Alias, specify each domain to use for user authentication. Separate the domains with a comma and don’t use spaces between the domains. For example: domain1.com,domain2.com,domain3.com
-
Make sure that the User search by field matches the Server Logon Name Attribute specified in the NetScaler Gateway LDAP policy.
-
Drop inbound connection requests to specific URLs
If the NetScaler Gateway in your environment is configured for SSL offload, you might prefer that the gateway drop inbound connection requests for specific URLs. If you prefer that extra security, contact Citrix Cloud Operations and request that they allow your IP to your on-premises data centers.