Configuration for Controlled Access to Different VPN Plugin Through NetScaler Gateway for XenMobile Deployments
Article ID: CTX201129
Updated On:
Description
Requirement 1: Disable VPN Access for the iOS VPN Client
If you configure NetScaler Gateway for use with XenMobile, it includes configuration to enable Secure Web and approved Citrix Apps-enabled applications to access the corporate network. The access is enabled for authenticated users by tunneling connections through NetScaler Gateway. The NetScaler Gateway iOS VPN client uses a similar access path, enabling similar access. We recognize that for some customers this level of access might not be desirable – depending on your needs, you might want to institute the following policies on NetScaler Gateway:
Associated Configurations
CLI:
set vpn param -transparentInterception OFF
UI (NetScaler 10.5):
Navigate to Configuration tab > NetScaler Gateway > Global Settings > Change Global Settings > Client Experience > Select Plug-in Type as Java.
Note: Remember to save the configuration either through CLI or UI.
Requirement 2: Disable VPN Access for Windows and MAC Clients
In addition to the preceding steps, you would need to unbind the session policy "PL_AG_PLG_<IP_ADDRESS>" which might have been auto created through XenMobile wizard on NetScaler.
Associated Configurations
-
Disable the Global "Transparent Interception" setting.
CLI:set vpn param -transparentInterception OFF
UI (NetScaler 10.5):
Navigate to Configuration tab > NetScaler Gateway > Global Settings > Change Global Settings > Client Experience > Select Plug-in Type as Java. -
Unbind the associated XenMobile wizard created Session Policy.
CLI:unbind vpn vserver <VSERVER_NAME> -policy PL_AG_PLG_<IP_ADDRESS>
UI (NetScaler 10.5):
-
Navigate to Configuration tab > NetScaler Gateway > Virtual Servers.
-
Select the Virtual Server and click Edit.
-
Click the Session Policies under Policies section such that "VPN Virtual Server Session Policy Binding" page is displayed.
-
Select the "PL_AG_PLG_<IP_ADDRESS>" policy and click Unbind and Confirm the action when prompted.
-
Click CLOSE > DONE.
-
Note: Remember to save the configuration either through CLI or UI.
Requirement 3: Disable Access of XenMobile Store Through Gateway from Any Web Browsers from Any Devices
Unbind the XenMobile wizard created Session Policy with the name - PL_WB_<IP_ADDRESS>.
Associated Configurations
CLI:
unbind vpn vserver <VSERVER_NAME> -policy PL_WB_<IP_ADDRESS>
UI (NetScaler 10.5):
-
Navigate to Configuration tab > NetScaler Gateway > Virtual Servers.
-
Select the Virtual Server and click Edit.
-
Navigate to the Session Policies under Policies section such that "VPN Virtual Server Session Policy Binding" page is displayed.
-
Select the "PL_WB_<IP_ADDRESS>" policy and click Unbind and Confirm the action when prompted.
-
Click CLOSE > DONE.
Note: Remember to save the configuration either through CLI or UI.
Requirement 4: To Enable VPN Access for the iOS VPN and Android Clients
Disable the Global "Transparent Interception" setting and explicitly allow the access by creating a Session Policy and bind it to the NetScaler Gateway Virtual Server created for XenMobile deployments.
Associated Configurations
-
Disable the Global "Transparent Interception" setting.
CLI:set vpn param -transparentInterception OFF
UI (NetScaler 10.5): Navigate to Configuration tab > NetScaler Gateway > Global Settings > Change Global Settings > Client Experience > select Plug-in Type as Java.
-
Create explicit session policy to allow the iOS/Android VPN plugin and bind it to NetScaler Gateway Virtual Server.
CLI: iOSadd vpn sessionAction AC_iOS_VPN -transparentInterception ON -defaultAuthorizationAction ALLOW -icaProxy OFF -clientlessVpnMode DISABLED add vpn sessionPolicy PL_iOS_VPN "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver/NSGiOSplugin && REQ.HTTP.HEADER Referer NOTEXISTS" AC_iOS_VPN bind vpn vserver <VSERVER_NAME> -policy PL_iOS_VPN -priority 100
Android
add vpn sessionAction AC_Android_VPN -transparentInterception ON -defaultAuthorizationAction ALLOW -icaProxy OFF -clientlessVpnMode DISABLED
add vpn sessionPolicy PL_Android_VPN "REQ.HTTP.HEADER User-Agent CONTAINS Android && REQ.HTTP.HEADER Referer NOTEXISTS" AC_Android_VPN
bind vpn vserver <VSERVER_NAME> -policy PL_Android_VPN -priority 100
UI (NetScaler 10.5 and above):Step 1: Create Session Profile:
-
Navigate to Configuration tab > NetScaler Gateway > Policies > Session.
-
Navigate to Session Profiles tab and click Add.
-
Enter a name of your choice in the Name field, say AC_iOS_VPN or AC_Android_VPN.
-
Navigate to Client Experience tab.
-
Select Plug-in Type as Windows/MAC OS X.
-
Select Clientless Access as OFF.
-
Navigate to Security tab.
-
Select Default Authorization Action as Allow.
-
Navigate to Published Applications tab.
-
Select ICA Proxy as OFF.
-
Click Create button.
Step 2: Create Session Policy:
-
Navigate to Configuration tab > NetScaler Gateway > Policies > Session.
-
Navigate to Session Policies tab and click Add.
-
Enter a name of your choice in the Name field, say PL_iOS_VPN or PL_Android_VPN.
-
Select the Action as the Session Profile created in the preceding step (AC_iOS_VPN/AC_Android_VPN).
-
In the Expression field enter:
iOS
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver/NSGiOSplugin && REQ.HTTP.HEADER Referer NOTEXISTS
Android
REQ.HTTP.HEADER User-Agent CONTAINS Android && REQ.HTTP.HEADER Referer NOTEXISTS -
Click Create button.
Step 3: Binding the Session Policy to NetScaler Gateway Virtual Server:
-
Navigate to Configuration tab > NetScaler Gateway > Virtual Servers.
-
Select the Virtual Server and click Edit.
-
Click the Session Policies under Policies section such that "VPN Virtual Server Session Policy Binding" page is displayed.
-
Click Add Binding button.
-
Select the Session Policy created in the preceding step by clicking Click to Select button and click OK button.
-
Enter the priority as 100 and click the Bind button.
-
Click CLOSE > DONE.
-
Note: Remember to save the configuration either through CLI or UI.
Issue/Introduction
