OR
Combine NetScaler session policies and profiles into a single NetScaler Gateway virtual server so that the same external URL is used for the Secure Hub app and Citrix Receiver for Windows or Mac clients.
Instructions
Configuration on NetScaler
1. Create the clientless access policies required:
- Create the clientless access policy and profile for Citrix Receiver and Secure Hub. For more information, refer to Citrix Documentation - Configuring Custom Clientless Access Policies for Receiver.
- Create the clientless access policy and profile for Receiver for Web. For more information, refer to Citrix Documentation - Configuring Custom Clientless Access Policies for Receiver for Web.
2. Create the session policy/profile for Secure Hub on iOS and Android.
[Screenshots: Session Policy; Session Profile (Network Configuration, Client Experience, Security, and Published Applications tabs)]
Note: The URL entered in the Account Services Address field in the Published Applications tab must match the App Controller’s configured Host name available in the App Controller’s Control Point > Settings > Network Connectivity section.
3. Create the session policy/profile for Citrix Receiver for Windows/Mac.
[Screenshots: Session Policy; Session Profile (Network Configuration, Client Experience, Security, and Published Applications tabs)]
Note: The Web Interface Address and Account Services Address in the Published Applications tab must match the StoreFront Base URL which can be found on the StoreFront server’s management console. Ensure that a forward slash “/” is not added at the end of the URL.
4. Create the session policy/profile for web browsers.
[Screenshots: Session Policy; Session Profile (Network Configuration, Client Experience, Security, and Published Applications tabs)]
Note: Use the Receiver for Web URL on the StoreFront Management console for the Web Interface Address field in the Published Applications tab and for the Home Page field, under the Client Experience tab.
5. Select one of the following options (explained in the Background section of this article). With either option, the clientless access policies created in Step 1 must be bound to all NetScaler Gateway virtual servers.
Option 1: Create two NetScaler Gateway virtual servers in Smart Access mode and bind the following session policies with their associated profiles:
Virtual Server 1 for Secure Hub
- Bind the clientless access policy created for Secure Hub in Step 1.
- Bind the Secure Hub session policy created in Step 2.
Virtual Server 2 for Citrix Receiver and Web Browser
- Bind both clientless access policies created in Step 1 – the Receiver clientless access policy must have a higher priority than the web browser clientless access policy.
- Bind the Citrix Receiver session policy created in Step 3.
- Bind the web browser session policy created in Step 4.
OR
Option 2: Bind all the session policies created to a single NetScaler Gateway virtual server in Smart Access mode.
Virtual Server for Secure Hub, Citrix Receiver, and Web Browser
- Bind both clientless access policies created in Step 1.
- Bind the Secure Hub session policy from Step 2 – this must have the highest priority.
- Bind the Citrix Receiver session policy from Step 3 – this must have the second highest priority.
- Bind the web browser session policy from Step 4 – this must have the third highest priority.
Clientless Access Policies
Note: The clientless access policy for Citrix Receiver/Secure Hub must have a higher priority. These clientless policies must be bound directly to the NetScaler Gateway virtual servers.
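The Option 2 priority order and the Published Applications note for Citrix Receiver (addresses must equal the StoreFront Base URL, with no trailing slash) can be checked against a saved running configuration. The following is an added example, not part of the original article: it assumes that `-wihome` and `-storefronturl` are the CLI parameters behind the Web Interface Address and Account Services Address fields and that a lower priority number means a higher priority; all policy, profile, and virtual server names and URLs are hypothetical.

```python
import shlex

# Constructed sample of running-config lines; every name and URL is hypothetical.
SAMPLE_CONFIG = '''\
add vpn sessionAction PROF_SecureHub -storefronturl "https://appc.example.com"
add vpn sessionAction PROF_Receiver -wihome "https://sf.example.com/" -storefronturl "https://sf.example.com"
add vpn sessionAction PROF_Web -wihome "https://sf.example.com/Citrix/StoreWeb"
bind vpn vserver VS_Gateway -policy POL_Web -priority 120
bind vpn vserver VS_Gateway -policy POL_Receiver -priority 100
bind vpn vserver VS_Gateway -policy POL_SecureHub -priority 110
'''

def parse(config):
    """Return ({profile: options}, {vserver: {policy: priority}})."""
    profiles, bindings = {}, {}
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        verb = [t.lower() for t in tok[:3]]
        # Every "-option" token is paired with the token that follows it.
        opts = {t.lower(): tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if verb == ["add", "vpn", "sessionaction"]:
            profiles[tok[3]] = opts
        elif verb == ["bind", "vpn", "vserver"] and "-policy" in opts and "-priority" in opts:
            bindings.setdefault(tok[3], {})[opts["-policy"]] = int(opts["-priority"])
    return profiles, bindings

def audit(config, vserver, order, receiver_profile, storefront_base):
    """order lists session policies from highest to lowest intended priority."""
    profiles, bindings = parse(config)
    findings = []
    bound = bindings.get(vserver, {})
    for higher, lower in zip(order, order[1:]):
        if higher not in bound or lower not in bound:
            findings.append(f"{vserver}: {higher} or {lower} is not bound")
        elif bound[higher] >= bound[lower]:  # lower number is evaluated first
            findings.append(f"{vserver}: {higher} ({bound[higher]}) must have a "
                            f"lower priority number than {lower} ({bound[lower]})")
    for opt in ("-wihome", "-storefronturl"):
        value = profiles.get(receiver_profile, {}).get(opt)
        if value != storefront_base:  # exact match, so a trailing "/" fails
            findings.append(f"{receiver_profile}: {opt} is {value!r}, expected {storefront_base!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "VS_Gateway",
                         ["POL_SecureHub", "POL_Receiver", "POL_Web"],
                         "PROF_Receiver", "https://sf.example.com"):
        print(finding)
```

On the constructed sample this reports two findings: the Secure Hub policy is bound at 110 behind the Receiver policy at 100, and the Receiver profile's Web Interface Address ends in a forward slash.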
Configuration on StoreFront
Enable access to Web/SaaS apps to Citrix Receiver or Receiver for Web by adding App Controller as a Delivery Controller on StoreFront. For more information, refer to Citrix Documentation - To manage the resources made available in stores.
Note: Use the host name of the App Controller in the Server field when configuring the StoreFront Delivery Controller. The StoreFront server must trust the issuer of the App Controller’s server certificate (Root and/or Intermediate certificates) because the protocol used by StoreFront to communicate to the App Controller is HTTPS.
Establish the trust between StoreFront and App Controller. For more information, refer to Citrix Documentation - To configure App Controller to connect to StoreFront.
Note: Set the StoreFront as an auth server option to OFF. Use the StoreFront Base URL in the Web Address field. At this point, you can access Web/SaaS apps through StoreFront, without the NetScaler Gateway. Test this before proceeding to integrate the NetScaler Gateway.
Enable Pass-through from NetScaler Gateway on StoreFront. For more information, refer to Citrix Documentation - Configure the authentication service.
Note: StoreFront must trust the issuer of the NetScaler Gateway virtual server’s bound certificate (Root and/or Intermediate certificates) for the Authentication Callback service.
Add NetScaler Gateway to StoreFront. For more information, refer to Citrix Documentation - To add a NetScaler Gateway connection.
Note: The Gateway URL must match exactly what the users are typing into the web browser address bar.
Enable remote access on the StoreFront store. For more information, refer to Citrix Documentation - To manage remote access to stores through NetScaler Gateway.
Configuration on App Controller
Enable access to Windows based apps for Secure Hub on the App Controller. For more information, refer to Citrix Documentation - Enabling Access to Windows-Based Apps from Secure Hub or Receiver.
Configure the trust settings for NetScaler Gateway on App Controller. For more information, refer to Citrix Documentation - Configuring Applications and Trust Settings for NetScaler Gateway.
Note: The NetScaler Gateway URL must match exactly what the users are typing into the web browser address bar.
Additional Configuration Steps
To use MicroVPN with MDX wrapped apps, refer to CTX136914 - FAQ: Secure Hub for Mobile Devices and MicroVPN Technology for the list of requirements.
On the NetScaler, the App Controller host name and StoreFront Base URL must be included in the Allow Domains list found in NetScaler Gateway > Global Settings > Configure Domains for Clientless Access. For more information, refer to Citrix Documentation - Configuring Domains for Clientless Access for Access Gateway and StoreFront.
A DNS server must be configured on the NetScaler that can resolve the App Controller and StoreFront FQDNs to their respective IP addresses.
On the NetScaler, if Citrix Secure Mail is being deployed from the App Controller, add the App Controller as an STA. For more information, refer to Citrix Blog - Improving Battery Life with Secure Mail – STA to the Rescue! and Citrix Documentation - Configuring App Controller to Provide STA Tickets for Secure Mail.
(Optional) If you plan to deploy internal websites through the App Controller, be sure to add the following VPN Session policy and profile for Windows/Mac Receiver clients. This applies only to Citrix Receiver; mobile devices use MicroVPN.
[Screenshots: Session Policy; Session Profile (Network Configuration, Client Experience, Security, and Published Applications tabs)]
Note: The Home Page field in the Client Experience tab must have the full path to the Receiver for Web site on StoreFront.
Additional Resources
For assistance with the initial configuration of NetScaler, including licensing, SSL certificates, authentication, and an overview of how the component works, see NetScaler for the XenDesktop/XenApp Dummy. Though this blog refers to an older version of the NetScaler, all of the basic concepts still apply to version 10.1.
Refer to the following links for configuration utility changes in NetScaler 10.1 and NetScaler 10.5:
Citrix Documentation - NetScaler 10.1 Configuration Utility Changes
Citrix Documentation - NetScaler 10.5 Configuration Utility Changes