Centric connect.engage.succeed

Citrix NetScaler Unified Gateway: a cloud workspace delivery controller for all your cloud and enterprise applications

Written by Randolph Widjaja - 14 April 2016

Nowadays customers run their data centres from multiple cloud or on-premise locations, and in some cases every location has its own web-based portal. The use of different portals creates confusion for customers and makes it more difficult for end users to choose the right portal. Citrix has come up with a cloud workspace delivery controller solution, Citrix NetScaler Unified Gateway, to tackle this issue. Citrix delivers solutions that make it possible to provide different web-based applications on a single portal.

Citrix NetScaler Unified Gateway high-level design

The main features of Citrix NetScaler Unified Gateway are:

  • Access to cloud and enterprise applications through a single URL
    • NetScaler with Unified Gateway provides a single point of entry for all users and devices. All devices can connect to the portal, so the user experience is the same for all users.
  • Unified Remote Access infrastructure
    • Remote access is consolidated into a single end-to-end solution for all enterprise, web, mobile, cloud and SaaS applications, as well as Citrix applications, on any device.
  • Single Sign-On
    • NetScaler provides federated identity based on the SAML 2.0 standard for Single Sign-On to cloud and enterprise applications.

The Citrix NetScaler Unified Gateway feature is provided on Citrix NetScaler 11 appliances and you need at least a Citrix NetScaler Enterprise or Platinum licence in order to use it.

Any enterprise web-based application, such as Microsoft Exchange webmail, Microsoft SharePoint or Microsoft Skype for Business, can be published on Citrix NetScaler Unified Gateway. Citrix NetScaler also integrates seamlessly with Citrix XenApp and XenDesktop, which can be published through the Citrix Unified Gateway feature as well. For cloud-based applications like Microsoft Office 365, Citrix NetScaler can be used as an ADFS Proxy, enabling access to the applications from the Citrix NetScaler Unified Gateway portal.

The connection is secured with SSL, and a standard or micro VPN connection can easily be set up to ensure end-to-end encryption. On top of that, Citrix NetScaler provides endpoint analysis (EPA) to ensure that connected devices are compliant and secure. To manage the different enterprise and user-owned devices that connect to Citrix Unified Gateway, an extra management layer can be created by integrating Citrix XenMobile. Citrix XenMobile is an Enterprise Mobility Management (EMM) solution for managing different mobile devices and the enterprise apps for these devices.

In the next section, I will show you the look and feel of Citrix Unified Gateway and explain how to change certain settings.

Configuring Citrix NetScaler Unified Gateway


The initial log-on page in the cloud

It is possible to customise the log-on page and import a special theme for your portal, but I will explain how to do that in another blog.

Citrix NetScaler Unified Gateway log-on page

Functionality page

After logging on to the Unified Gateway portal, the function page appears, with three options. First of all, the user can select a full VPN connection, provided a Citrix Receiver plug-in has been installed on the client device; this is automatically pushed when this option is selected. The second option is Clientless Access, whereby the user does not need any client software to access the different web-based applications. The third option lets users connect to the Citrix XenApp and XenDesktop enterprise environment.

Citrix NetScaler Unified Gateway function page

It can be hard for users to know which function they need in order to access applications. In my case, I want the Clientless Access page to appear immediately after log-on. I have therefore investigated which page is called when you select Clientless Access. This can be done by pressing F12 in the web browser.

Analysing the web pages when pressing F12 in the browser

Access the NetScaler appliance console using SSH and create the following responder policy rules.

Enter the following commands in the console:

  • add responder action cug_redirect_ac redirect "\"https://portal.mydomain.nl/cgi/setclient?cvpn\"" -responseStatusCode 302
  • add responder policy cug_redirect_pol "HTTP.REQ.HOSTNAME.EQ(\"portal.mydomain.nl\") && HTTP.REQ.URL.CONTAINS(\"vpns/choices.html\")" cug_redirect_ac
  • bind responder global cug_redirect_pol 100 END -type REQ_DEFAULT

Users will be redirected straight to the Citrix NetScaler Unified Gateway Clientless Access page.

Citrix NetScaler Unified Gateway Clientless Access page

The first tab is the Web Apps page, which contains the enterprise applications and any personal websites added by the user. The second tab, Applications, gives access to Citrix XenDesktop and the XenApp environment.

Citrix XenApp and XenDesktop integration

The Citrix XenApp and XenDesktop infrastructure is not available on the Clientless Access page by default, but can be added in a few extra steps, which I will explain in the last section of this blog.

The third tab, File Transfer, enables users to upload files from the client device to the corporate environment and vice versa. Enterprise shares can be defined here, but it is also possible for users to add their own file shares to this page.

File Transfer page

Integrating Citrix XenApp/XenDesktop into the Clientless Access page

In the next section, I will explain how to integrate XenApp and XenDesktop into the Citrix NetScaler Unified Gateway.

On the Citrix StoreFront servers, change the following parameters in the web.config file in c:\inetpub\wwwroot\citrix\<store>web (note that there are three instances of the parameters in the file and that they must all be changed):

From:

<add name="X-Frame-Options" value="deny" />
<add name="Content-Security-Policy" value="frame-ancestors 'none'" />

To:

<add name="X-Frame-Options" value="allow" />
<add name="Content-Security-Policy" value="frame-ancestors 'self'" />

Add your domain to the Citrix NetScaler Gateway global settings under:

"Configure Domains for Clientless Access"

You will need to change the "Web Interface Portal Mode" from normal to compact. This option can be found in one of the Citrix NetScaler Unified Gateway session policies starting with AC_WB_. Save your running config on the Citrix NetScaler appliances. Read more information about the integration of Citrix XenApp and XenDesktop.
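An added check for the web.config step above (example code written for this article, not from Citrix or the author): it lists every X-Frame-Options and Content-Security-Policy entry in the file together with the <location> scope it sits in, and flags any instance still at its old value. The embedded file and its location paths are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Values the post says every instance must carry after the change.
EXPECTED = {"x-frame-options": "allow",
            "content-security-policy": "frame-ancestors 'self'"}

# Constructed sample, not a real StoreFront file; the third block is left unedited.
SAMPLE = """<configuration>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="allow" />
    <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
  </customHeaders></httpProtocol></system.webServer>
  <location path="sample-a"><system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="allow" />
    <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
  </customHeaders></httpProtocol></system.webServer></location>
  <location path="sample-b"><system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="deny" />
    <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
  </customHeaders></httpProtocol></system.webServer></location>
</configuration>"""


def audit_framing_headers(xml_text):
    """Return (scope, header, value, changed) for every framing header entry."""
    findings = []

    def walk(node, scope):
        if node.tag == "location":  # entries below apply to this path only
            scope = node.get("path") or "(unnamed location)"
        name = node.get("name", "")
        if node.tag == "add" and name.lower() in EXPECTED:
            value = " ".join(node.get("value", "").split())  # normalise spacing
            ok = value.lower() == EXPECTED[name.lower()]
            findings.append((scope, name, value, ok))
        for child in node:
            walk(child, scope)

    walk(ET.fromstring(xml_text), "(file level)")
    return findings


def unchanged_instances(xml_text):
    """Entries still at the old value, i.e. instances the edit missed."""
    return [(s, n, v) for s, n, v, ok in audit_framing_headers(xml_text) if not ok]


if __name__ == "__main__":
    print(unchanged_instances(SAMPLE))
```

Note that allow is not one of the X-Frame-Options values defined in RFC 7034 (DENY, SAMEORIGIN, ALLOW-FROM), so in browsers that ignore the unrecognised value the remaining framing restriction comes from frame-ancestors 'self'. Confirm that this header is actually served after the change.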

About Randolph

Craft Expert Randolph Widjaja is part of the Cloud team within Craft, the development programme for IT professionals (powered by Centric). If you would like to follow his blog, sign up for the monthly Craft update.
