NetScaler Gateway configuration for TCP/UDP applications
You can use the procedure outlined in NetScaler Gateway configuration for Web/SaaS applications to configure TCP/UDP applications as well. To configure the gateway for TCP/UDP applications, you must enable TCP/UDP support by entering Y for the Enable TCP/UDP App type support parameter in the script.
The following figure displays the Enable TCP/UDP App type support parameter enabled for TCP/UDP support.
Update existing NetScaler Gateway configuration for TCP/UDP apps
If you are updating the configuration from earlier versions to 2407, it is recommended that you update the configuration manually. For details, see Example commands to update an existing NetScaler Gateway configuration. Also, you must update the NetScaler Gateway virtual server and session action settings.
NetScaler Gateway virtual server settings
When you add or update the existing NetScaler Gateway virtual server, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
Add a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- deploymentType: ICA_STOREFRONT (available only with the add vpn vserver command)
- icaOnly: OFF
Update a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- icaOnly: OFF
For details on the virtual server parameters, see vpn-sessionAction.
NetScaler Gateway session policy settings
A session action is bound to a gateway virtual server through session policies. When you create or update a session action, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
- transparentInterception: ON
- SSO: ON
- ssoCredential: PRIMARY
- useMIP: NS
- useIIP: OFF
- icaProxy: OFF
- ClientChoices: ON
- ntDomain: mydomain.com (used for SSO; optional)
- defaultAuthorizationAction: ALLOW
- authorizationGroup: SecureAccessGroup
- clientlessVpnMode: OFF
- clientlessModeUrlEncoding: TRANSPARENT
- SecureBrowse: ENABLED
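The two settings lists above are the values an updated configuration must carry. The following added example (not Citrix code) audits the `add vpn vserver` and `add vpn sessionAction` lines of an ns.conf against those values; the ns.conf excerpt it runs on is constructed and deliberately deviates in two places.

```python
import shlex

# Required values, copied from the virtual server and session action settings lists above.
REQUIRED = {
    "vserver": {"tcpProfileName": "nstcp_default_XA_XD_profile", "icaOnly": "OFF"},
    "sessionaction": {
        "transparentInterception": "ON", "SSO": "ON", "ssoCredential": "PRIMARY",
        "useMIP": "NS", "useIIP": "OFF", "icaProxy": "OFF", "ClientChoices": "ON",
        "defaultAuthorizationAction": "ALLOW", "authorizationGroup": "SecureAccessGroup",
        "clientlessVpnMode": "OFF", "clientlessModeUrlEncoding": "TRANSPARENT",
        "SecureBrowse": "ENABLED",
    },
}

def parse_vpn_add(line):
    """Split 'add vpn <entity> <name> [positionals] -param value ...' into (entity, name,
    params). Parameter names are lower-cased (NetScaler accepts them case-insensitively)."""
    tokens = shlex.split(line)
    entity, name, params, i = tokens[2], tokens[3], {}, 4
    while i < len(tokens):
        if tokens[i].startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            params[tokens[i][1:].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1  # positionals such as "SSL 192.0.2.10 443" are not audited
    return entity, name, params

def audit_config(conf_text):
    """Return one finding per required parameter that is missing or has another value.
    Missing parameters are reported because ns.conf omits values left at their defaults."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith(("add vpn vserver ", "add vpn sessionaction ")):
            continue
        entity, name, params = parse_vpn_add(line)
        for key, expected in REQUIRED[entity.lower()].items():
            actual = params.get(key.lower())
            if actual is None:
                findings.append(f"{entity} {name}: {key} not set, expected {expected}")
            elif actual.upper() != expected.upper():
                findings.append(f"{entity} {name}: {key}={actual}, expected {expected}")
    return findings

# Constructed ns.conf excerpt with two deliberate deviations (icaOnly ON, SecureBrowse absent).
SAMPLE_CONF = """\
add vpn vserver spaonprem SSL 192.0.2.10 443 -tcpProfileName nstcp_default_XA_XD_profile -icaOnly ON -deploymentType ICA_STOREFRONT
add vpn sessionAction AC_AG_PLGspaonprem -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT
"""
```

Run `audit_config(SAMPLE_CONF)` to get the two findings; an empty list means every listed parameter matches.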
Example commands to update an existing NetScaler Gateway configuration
Note:
If you are manually updating the existing configuration, then in addition to the following commands, you must add the following command to the /nsconfig/rc.netscaler file:
nsapimgr_wr.sh -ys ns_vpn_enable_spa_tcp_udp_apps=3
- Add a VPN session action to support Citrix Secure Access-based connections.
add vpn sessionAction AC_AG_PLGspaonprem -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED
- Add a VPN session policy to support Citrix Secure Access-based connections.
add vpn sessionPolicy PL_AG_PLUGINspaonprem "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && (HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"plugin\") || HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixSecureAccess\"))" AC_AG_PLGspaonprem
- Bind the session policy to the VPN virtual server to support Citrix Secure Access-based connections.
bind vpn vserver spaonprem -policy PL_AG_PLUGINspaonprem -priority 105 -gotoPriorityExpression NEXT -type REQUEST
- Add an HTTP callout policy to support authorization validation for TCP/UDP-based connections.
Note:
This step is required only if your NetScaler Gateway version is lower than 14.1-29.x.
add policy httpCallout SecureAccess_httpCallout_TCP -IPAddress 192.0.2.24 -port 443 -returnType BOOL -httpMethod POST -hostExpr "\"spa.example.corp\"" -urlStemExpr "\"/secureAccess/authorize\"" -headers Content-Type("application/json") X-Citrix-SecureAccess-Cache("dstip="+HTTP.REQ.HEADER("CSIP").VALUE(0)+"&sessid="+aaa.user.sessionid) -bodyExpr q/"{"+"\"userName\":\""+aaa.USER.NAME.REGEX_REPLACE(re#\\#,"\\\\",ALL)+"\","+"\"domain\":\""+aaa.USER.DOMAIN+"\","+"\"customTags\":\""+http.REQ.HEADER("X-Citrix-AccessSecurity").VALUE(0)+"\","+"\"gatewayAddress\":\"ns224158.example.corp\","+"\"userAgent\":\"CitrixSecureAccess\","+"\"applicationDomain\":\""+http.REQ.HEADER("CSHOST").VALUE(0)+"\","+"\"smartAccessTags\":\""+aaa.user.attribute("smartaccess_tags")+"\",\"applicationType\":\"ztna\",\"applicationDetails\":{\"destinationIp\":\""+HTTP.REQ.HEADER("CSIP").VALUE(0)+"\",\"destinationPort\":\""+HTTP.REQ.HEADER("PORT").VALUE(0)+"\",\"protocol\":\"TCP\"}}"/ -scheme https -resultExpr "http.RES.HEADER(\"X-Citrix-SecureAccess-Decision\").contains(\"ALLOW\")"
where
- 192.0.2.24 is the Secure Private Access plug-in IP address
- spa.example.corp is the FQDN of the Secure Private Access plug-in
- ns224158.example.corp is the FQDN of the gateway VPN virtual server
- Add an authorization policy to support TCP/UDP-based connections.
add authorization policy SECUREACCESS_AUTHORIZATION_TCP "HTTP.REQ.URL.EQ(\"/cs\") && HTTP.REQ.HEADER(\"PRTCL\").EQ(\"TCP\") && sys.HTTP_CALLOUT(SecureAccess_httpCallout_TCP)" ALLOW
- Bind the authorization policy to the authentication and authorization group to support TCP/UDP-based applications.
bind aaa group SecureAccessGroup -policy SECUREACCESS_AUTHORIZATION_TCP -priority 1010 -gotoPriorityExpression END
- Bind the Secure Private Access plug-in to the VPN virtual server.
bind vpn vserver spaonprem -appController "https://spa.example.corp"
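The HTTP callout in the steps above posts a JSON body to the plug-in and reads the verdict from the X-Citrix-SecureAccess-Decision response header. The following added example (not Citrix code) rebuilds that body in Python, mirroring the backslash doubling the callout's REGEX_REPLACE applies to userName, and provides a constructed stand-in for the authorize endpoint with an assumed allow-list, useful for exercising the callout definition in a lab; the plug-in's real decision logic is not described on this page.

```python
import ipaddress
import json

def gateway_callout_body(user_name, domain, dst_ip, dst_port, app_domain,
                         custom_tags="", smart_access_tags="",
                         gateway="ns224158.example.corp"):
    """Build the JSON the callout's -bodyExpr assembles by string concatenation.
    As the REGEX_REPLACE in that expression does, backslashes in userName are
    doubled so that a value such as CORP\\alice survives as valid JSON."""
    user = user_name.replace("\\", "\\\\")
    return (
        '{"userName":"' + user + '","domain":"' + domain + '","customTags":"' + custom_tags
        + '","gatewayAddress":"' + gateway + '","userAgent":"CitrixSecureAccess"'
        + ',"applicationDomain":"' + app_domain + '","smartAccessTags":"' + smart_access_tags
        + '","applicationType":"ztna","applicationDetails":{"destinationIp":"' + dst_ip
        + '","destinationPort":"' + str(dst_port) + '","protocol":"TCP"}}'
    )

# Constructed allow-list for the stand-in: destinations each authorization group may reach.
APP_POLICY = {"SecureAccessGroup": {("sql.example.corp", 1433), ("rdp.example.corp", 3389)}}

def authorize(body_text, group="SecureAccessGroup"):
    """Stand-in for the /secureAccess/authorize endpoint (assumed logic): parse the
    callout body and answer with the header the callout's -resultExpr inspects.
    Anything malformed, non-TCP or outside the allow-list is denied (default deny)."""
    try:
        req = json.loads(body_text)
        details = req["applicationDetails"]
        ipaddress.ip_address(details["destinationIp"])  # must be an IP literal
        target = (req["applicationDomain"], int(details["destinationPort"]))
        allowed = (req["applicationType"] == "ztna" and details["protocol"] == "TCP"
                   and target in APP_POLICY.get(group, set()))
    except (ValueError, KeyError, TypeError):
        allowed = False
    return {"X-Citrix-SecureAccess-Decision": "ALLOW" if allowed else "DENY"}
```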
Additional information
For additional information on the NetScaler Gateway for Secure Private Access, see the following topics: