How to Migrate Existing NetScaler Gateway to Unified Gateway on NetScaler Gateway 11.1

Article ID: CTX220370

Description

This article describes how to migrate an existing NetScaler Gateway to Unified Gateway on NetScaler Gateway 11.1.

Background

Since NetScaler 11.1 build 49 there is a built-in Gateway Universal license which brings up to unlimited* user licenses and the full Unified Gateway feature set. So why use a NetScaler Gateway only as an ICA Proxy? This article shows how to migrate an existing NetScaler Gateway with all its policies, actions, etc. to a Unified Gateway, which provides remote access from any device to any application.
*(NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses)

Instead of using the Unified Gateway wizard, we will complete the configuration manually, which provides the following advantages:
  • Reuse the existing NetScaler Gateway instead of configuring a new one from scratch.
  • Use StoreFront instead of the NetScaler landing page:
    • Access to all apps via the native Citrix Receiver.
    • Consolidates all resources.
  • Browse a web application directly via its dedicated hostname, leveraging the NetScaler Gateway only for authentication.

NetScaler Login Page

StoreFront including webapps

Requirements

  • NetScaler with firmware 11.1 build 49 or higher.
  • Wildcard SSL Certificate or one SAN per application.
  • One external facing IP Address with one DNS record per application.
    In this example, we will use the following URLs:

    URL              Backend       Description
    portal.nw.lab    StoreFront    NetScaler Gateway
    basic.nw.lab     Webserver 1   Webserver with NTLM / Basic auth
    kcd.nw.lab       Webserver 2   Webserver with Kerberos Constrained Delegation auth
    owa.nw.lab       Webserver 3   Outlook Web Access Server

  • One central external facing Content Switch VServer instead of Gateway VServer.
  • Each application has one dedicated hostname.
  • Each application has one Content Switch Policy / Action which matches the FQDN.
  • Each application has one non-addressable Load balancing VServer.
  • The existing Gateway VServer for ICA Proxy and authentication is also changed from directly addressable to non-addressable.
  • The policy for the non-addressable Gateway VServer must match the dedicated hostname and "is_vpn_url", for matching on all NetScaler Gateway and authentication-specific requests.

Authentication Flow for Basic Web Application

Instructions

Configuration Elements

VPN VServer

add vpn vserver vpn-ug -ipAddress 0.0.0.0 -loginOnce ON
  1. Add a new VPN VServer as non-addressable, and make sure to set loginOnce to ON for seamless SSO.
  2. Replicate all the "bind" and "set" configuration lines from the existing VPN VServer that you want to migrate.
  3. Make sure SSO is enabled in the session profile, if not already done.

Content Switch VServer

add cs vserver csv-ug SSL 192.168.10.20 443 -cltTimeout 180
bind ssl vserver csv-ug -certkeyName wildcard.nw.lab
  1. Add SSL Content Switch VServer with the external facing IP Address (can reuse the former VPN VServer IP address).
  2. Bind wildcard SSL Certificate.
  3. Edit SSL Parameters and cipher groups according to your company's specifications.

Load Balancing VServer / Service (exemplary for one application)

add lb vserver lbv-ug-basic HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost portal.nw.lab -Authentication ON -authnVsName vpn-ug
add service lbs-ug-basic 192.168.10.15 HTTP 81 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
bind lb vserver lbv-ug-basic lbs-ug-basic
  1. Add non-addressable Load balancing VServer of type HTTP.
  2. Enable Authentication, set the AuthenticationHost to Gateway FQDN, and choose the VPN VServer.
  3. Add service or servicegroup with backend server, and bind it to Load balancing VServer.

Content Switch Policy / Action (exemplary for one application)

add cs action csa-ug-basic -targetLBVserver lbv-ug-basic
add cs policy csp-ug-basic -rule "HTTP.REQ.HOSTNAME.EQ(\"basic.nw.lab\")" -action csa-ug-basic
bind cs vserver csv-ug -policyName csp-ug-basic -priority 90
  1. Add Content Switch Action with matching targetLBVserver.
  2. Add Content Switch Policy with a rule matching on the FQDN of the respective application.
  3. Bind the policy to the Content Switch VServer, and make sure to set the priority lower than 100.

Content Switch Policy / Action for VPN VServer

add cs action csa-ug-portal -targetVserver vpn-ug
add cs policy csp-ug-portal -rule "HTTP.REQ.HOSTNAME.EQ(\"portal.nw.lab\") || is_vpn_url" -action csa-ug-portal
bind cs vserver csv-ug -policyName csp-ug-portal -priority 100
  1. Add Content Switch Action with the VPN VServer as target VServer (-targetVserver).
  2. Add Content Switch Policy with a rule matching on the VPN VServer FQDN and on the expression "is_vpn_url".
  3. Bind the policy to the Content Switch VServer, and make sure to set the priority to 100.

Traffic Policy / Action for Single Logout

To enable Single Logout on all applications, we will use a Traffic Policy and Action. The policy should match when a user logs out in any of our applications. After that the traffic action will initiate the logout. The NetScaler forces the logout by expiring all session cookies. For more information refer to CTX133537.

In this example, the policy will get triggered when the URL contains the string "logout".
add tm trafficAction traffic-act-logout -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficPolicy traffic-pol-logout "HTTP.REQ.URL.CONTAINS(\"logout\")" traffic-act-logout
bind cs vserver csv-ug -policyName traffic-pol-logout -priority 100 -gotoPriorityExpression END -type REQUEST

  1. Add Traffic Action, and make sure to set InitiateLogout to ON.
  2. Add Traffic Policy, and match the URL that should initiate the logout (this rule must be tuned for all applications).
  3. Bind the policy to the Content Switch VServer.
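The commands above are given for one application. The following PowerShell script is an added example, not part of the article, that generates the same NetScaler CLI lines for every application in the URL table, followed by the portal policy and the Single Logout Traffic Policy. It keeps the article's names (vpn-ug, csv-ug, lbv-ug-*, lbs-ug-*, csa-ug-*, csp-ug-*, priorities below 100 for applications and 100 for the portal), and it tunes the logout rule to each application's hostname and exact logout path instead of matching any URL that contains "logout". The backend address and port for basic.nw.lab are the article's; the backends for kcd.nw.lab and owa.nw.lab and all logout paths are constructed placeholders.

```powershell
# Added example (not from the original article): emits the NetScaler CLI configuration
# described in this article for every application in the URL table.
# Backend IP/port for "basic" is from the article; the other backends and all logout
# paths are constructed placeholders to be replaced with real values.

$GatewayFqdn = 'portal.nw.lab'
$CsVserver   = 'csv-ug'
$VpnVserver  = 'vpn-ug'
$OutFile     = Join-Path $PWD 'ug-migration.conf'

$Apps = @(
    @{ Name = 'basic'; Fqdn = 'basic.nw.lab'; Backend = '192.168.10.15'; Port = 81; Logout = '/logout.html' }
    @{ Name = 'kcd';   Fqdn = 'kcd.nw.lab';   Backend = '192.168.10.16'; Port = 80; Logout = '/logout' }         # placeholder backend
    @{ Name = 'owa';   Fqdn = 'owa.nw.lab';   Backend = '192.168.10.17'; Port = 80; Logout = '/owa/logoff.owa' } # placeholder backend
)

# One non-addressable LB VServer with authentication, one service, and one CS action/policy per app.
function New-UgAppConfig {
    param([hashtable]$App, [int]$Priority)
    $lb  = "lbv-ug-$($App.Name)"
    $svc = "lbs-ug-$($App.Name)"
    $csa = "csa-ug-$($App.Name)"
    $csp = "csp-ug-$($App.Name)"
@"
add lb vserver $lb HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost $GatewayFqdn -Authentication ON -authnVsName $VpnVserver
add service $svc $($App.Backend) HTTP $($App.Port) -cltTimeout 180 -svrTimeout 360
bind lb vserver $lb $svc
add cs action $csa -targetLBVserver $lb
add cs policy $csp -rule "HTTP.REQ.HOSTNAME.EQ(\"$($App.Fqdn)\")" -action $csa
bind cs vserver $CsVserver -policyName $csp -priority $Priority
"@
}

# Application policies get priorities 10, 20, ... so they are evaluated before the portal
# policy at 100 (lower number = evaluated first). Abort if they would reach 100.
$priority  = 10
$appConfig = foreach ($app in $Apps) {
    New-UgAppConfig -App $app -Priority $priority
    $priority += 10
}
if ($priority -ge 100) {
    throw 'Too many applications: every application policy must stay below priority 100.'
}

# Portal policy: the VPN VServer's own FQDN plus every Gateway-specific request (is_vpn_url).
$portalConfig = @"
add cs action csa-ug-portal -targetVserver $VpnVserver
add cs policy csp-ug-portal -rule "HTTP.REQ.HOSTNAME.EQ(\"$GatewayFqdn\") || is_vpn_url" -action csa-ug-portal
bind cs vserver $CsVserver -policyName csp-ug-portal -priority 100
"@

# Single Logout: match each application's hostname AND its exact logout path, so a URL that
# merely contains "logout" somewhere (for example in a query string) does not end the session.
$logoutRule = ($Apps | ForEach-Object {
    "(HTTP.REQ.HOSTNAME.EQ(\`"$($_.Fqdn)\`") && HTTP.REQ.URL.PATH.EQ(\`"$($_.Logout)\`"))"
}) -join ' || '

$logoutConfig = @"
add tm trafficAction traffic-act-logout -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficPolicy traffic-pol-logout "$logoutRule" traffic-act-logout
bind cs vserver $CsVserver -policyName traffic-pol-logout -priority 100 -gotoPriorityExpression END -type REQUEST
"@

$allConfig = @($appConfig) + $portalConfig + $logoutConfig
$allConfig | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $($allConfig.Count) configuration blocks to $OutFile"
```

The generated file can be reviewed and then pasted into the NetScaler CLI, or copied to the appliance and loaded with the batch command (for example `batch -fileName /var/tmp/ug-migration.conf`). Review the LB VServer line before loading: it inherits the article's settings, so any extra service options you use in production (e.g. the timeouts and flags from the article's add service line) must be added there.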

Published Content

To have access to all our applications in StoreFront besides XenApp/XenDesktop apps, we can publish these URLs in StoreFront. For this we need the following requirements:

  • Powershell access on StoreFront Server
  • Citrix PowerShell Plugin
  • Administrative access to StoreFront

Import Icon

XenApp/XenDesktop Prior to 7.13

PS C:\Windows\system32> asnp citrix.*
PS C:\Windows\system32> $ctxIcon = Get-CtxIcon -FileName "C:\Program Files\Internet Explorer\iexplore.exe" -index 0

PS C:\Windows\system32> $brokerIcon = New-BrokerIcon -EncodedIconData $ctxIcon.EncodedIconData
PS C:\Windows\system32> $brokerIcon.Uid

XenApp/XenDesktop 7.13 and Later

PS C:\Windows\system32> asnp citrix.*
PS C:\Windows\system32> $ctxIcon = Get-BrokerIcon -FileName "C:\Program Files\Internet Explorer\iexplore.exe" -index 0

PS C:\Windows\system32> $brokerIcon = New-BrokerIcon -EncodedIconData $ctxIcon.EncodedIconData
PS C:\Windows\system32> $brokerIcon.Uid
  1. Choose the icon file that should be imported.
  2. Note the returned Uid; it is needed when publishing the URL.

Publishing URL in StoreFront

New-BrokerApplication -Name "Basic" -PublishedName "Basic Auth" -ApplicationType PublishedContent -CommandLineExecutable https://basic.nw.lab -DesktopGroup dg01 -IconUid 8
  1. Edit the URL and all name fields for each application.
  2. Set IconUid to the return value of the icon import.
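As an added example that is not part of the article, the following script performs the icon import and the publishing for all three web applications from the URL table in one pass. It selects the icon cmdlet according to the XenApp/XenDesktop version as described above (Get-BrokerIcon -FileName on 7.13 and later, Get-CtxIcon before), and skips applications that already exist so it can be re-run. The desktop group dg01, the icon path and the "Basic" / "Basic Auth" names are the article's; the names for the kcd and owa entries are constructed.

```powershell
# Added example, not from the article: publish all web applications as Published Content.
# Run as an administrator on a Delivery Controller (or a machine with the Citrix PowerShell
# snap-ins). Desktop group and icon file are taken from the article; the names for the
# kcd and owa entries are constructed.
asnp citrix.*

$DesktopGroup = 'dg01'
$IconFile     = 'C:\Program Files\Internet Explorer\iexplore.exe'

$Apps = @(
    @{ Name = 'Basic'; PublishedName = 'Basic Auth';         Url = 'https://basic.nw.lab' }
    @{ Name = 'KCD';   PublishedName = 'Kerberos Web App';   Url = 'https://kcd.nw.lab' }   # constructed name
    @{ Name = 'OWA';   PublishedName = 'Outlook Web Access'; Url = 'https://owa.nw.lab' }   # constructed name
)

# 7.13 and later import icons through Get-BrokerIcon -FileName; older releases use
# Get-CtxIcon. Probe for the parameter instead of parsing a version string.
function Get-EncodedIconData {
    param([string]$Path)
    $brokerIconCmd = Get-Command Get-BrokerIcon -ErrorAction SilentlyContinue
    if ($brokerIconCmd -and $brokerIconCmd.Parameters.ContainsKey('FileName')) {
        return (Get-BrokerIcon -FileName $Path -index 0).EncodedIconData
    }
    return (Get-CtxIcon -FileName $Path -index 0).EncodedIconData
}

# Import the icon once and reuse its Uid for every published URL.
$icon = New-BrokerIcon -EncodedIconData (Get-EncodedIconData -Path $IconFile)
Write-Host "Imported icon Uid $($icon.Uid)"

foreach ($app in $Apps) {
    # Skip entries that already exist so the script is safe to re-run.
    if (Get-BrokerApplication -Name $app.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Application '$($app.Name)' already exists; skipping."
        continue
    }
    New-BrokerApplication -Name $app.Name -PublishedName $app.PublishedName `
        -ApplicationType PublishedContent -CommandLineExecutable $app.Url `
        -DesktopGroup $DesktopGroup -IconUid $icon.Uid | Out-Null
    Write-Host "Published $($app.PublishedName) -> $($app.Url)"
}
```

Each published URL points at the application's dedicated hostname, so Receiver opens it directly and the Content Switch policies above route it to the right LB VServer, where the Gateway authentication takes over.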

Additional Information

Traces

  • Access https://basic.nw.lab from the client through the NetScaler.
  • The NetScaler tries to access the webserver and gets a 401 Unauthorized response.
  • Authentication is configured on the LB VServer, so it triggers and the NetScaler sends a redirect to the login page.
  • The client initiates logout with "GET /logout.html".
  • The Traffic Policy triggers and the NetScaler expires the session cookies.