How to Configure NetScaler Gateway with Citrix Receiver for Mobile Devices and Web Interface Backend

Article ID: CTX124937

Description

This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

This article describes how to configure NetScaler Gateway for use with Citrix Receiver for Mobile Devices when using Web Interface as backend.

Background

The Citrix Receiver supports SSL connections to NetScaler Gateway. The process to enable connections from the Citrix Receiver is similar to configuring NetScaler Gateway to accept the Citrix XenApp connections, but with a minor difference.

When configuring a NetScaler Gateway for XenApp connections, a Web Interface site contains information about the published applications that a user has rights to access. The Web Interface site displays a web page, which has icons to start the applications.

The Citrix Receiver uses a XenApp services site, which was earlier known as the "Program Neighborhood Agent" site, to gather information and enable the site to appear on the application list of the Citrix Receiver. Both configurations, the traditional Citrix XenApp connections using a Web Interface and the Citrix Receiver using XenApp Services, can exist within the same NetScaler Gateway Virtual Server.


Instructions

[Figure: overview diagram for configuring a NetScaler Gateway Virtual Server for use with Citrix Receiver]

To configure a NetScaler Gateway Virtual Server for use with Citrix Receiver, complete the following set of procedures:

  1. Configure XenApp Services Site for Use with Citrix Receiver

  2. Configure Session Policy and Corresponding Session Profile for Use with Citrix Receiver

  3. Bind Session Policy to User Group or Virtual Server
    Note: This Session Policy must be configured with a higher priority than the other configured Session Policies. The lower the number, the higher the priority, except that the default value of zero is applied last. For example, a policy configured with a priority of 100 takes precedence over a policy configured with a priority of 200. The policy with a priority of 200 takes precedence over a policy with a priority of 0, which is applied last.

Configure XenApp Services Site for Use with Citrix Receiver

Note: Web Interface 5.x is required to allow for use with NetScaler Gateway.

The Citrix Receiver uses a XenApp Services site (formerly the "Program Neighborhood Agent" site) to get information about the applications a user has rights to, and presents them in the Citrix Receiver running on the mobile device.

  1. In the Web Interface console, create a XenApp Services site (such as http://ServerName/Citrix/PNAgent or http://Servername/CustomPath/config.xml). For this procedure, refer to Citrix Documentation - Integrating NetScaler Gateway with XenApp or XenDesktop.

  2. Configure the XenApp Services site to support connections from NetScaler Gateway.

  3. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.

  4. Change the Access Method to Gateway Direct.

  5. Enter the FQDN of the NetScaler Gateway appliance.

  6. Enter the Secure Ticket Authority (STA) information.

Configure Session Policy and Corresponding Session Profile for Use with Citrix Receiver

    1. Navigate to Configuration Utility > NetScaler Gateway > Policies > Session > Session Profile > Add to create a new Session Profile.
      The Session Profile’s Published Applications Tab should be configured to point to the XenApp Services site created in Procedure 1.

      The following is an example of the CLI command to create the session profile:
      add vpn sessionAction CitrixReceiver_Profile -SSO ON -icaProxy ON -wihome http://<servername>/citrix/pnagent/config.xml

    2. Navigate to Configuration Utility > NetScaler Gateway > Policies > Session Policy > Add, to create a new session policy to identify if the connection is from Citrix Receiver.

      When you create the session policy, configure the following qualifying expression(s):
      REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

      Note: The above expression allows all variants of Citrix Receiver to leverage the policy.

      [Screenshot: example of this session policy]

      The following is an example of the CLI command:
      add vpn sessionPolicy CitrixReceiver_Policy "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" CitrixReceiver_Profile

      If you would like to create specific expressions for iPhone/iPad, you could use the following qualifiers in the expression field:
      REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver-iPad
      REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork
      REQ.HTTP.HEADER User-Agent CONTAINS Darwin

      The following is an example of the CLI command:
      add vpn sessionPolicy iPhone_Policy "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver-iPad || REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork || REQ.HTTP.HEADER User-Agent CONTAINS Darwin" iPhone_Profile

Bind Session Policy to User Group or Virtual Server

    The Session Policy created must have a higher priority (a lower priority number) than the standard Session Policies bound at the User Group or Virtual Server level. If it has a lower priority, the Citrix Receiver returns an error.

    1. Navigate to Configuration Utility > NetScaler Gateway > Virtual Servers > select the virtual server > Policies > Add Binding to bind the policy.
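
An added example (not part of the Citrix article) that evaluates the qualifying expressions shown above against constructed User-Agent strings and orders the matching policies by the priority rule from the note in step 3. The priorities, the Standard_Policy binding and the case-sensitive substring match are assumptions made for illustration.

```python
import re

# One qualifier in the form used on this page:
#   REQ.HTTP.HEADER <header-name> CONTAINS <text>
QUALIFIER = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S+)$")

def matches(expression, headers):
    """Return True if any '||'-joined qualifier matches the request headers."""
    for part in (p.strip() for p in expression.split("||")):
        if part == "ns_true":          # always-true expression
            return True
        m = QUALIFIER.match(part)
        if m is None:
            raise ValueError(f"unsupported qualifier: {part!r}")
        name, needle = m.groups()
        # Assumption: plain case-sensitive substring test on the header value.
        if needle in headers.get(name, ""):
            return True
    return False

def precedence(bindings, headers):
    """Names of the matching policies, highest precedence first."""
    hits = [(prio, name) for name, prio, expr in bindings if matches(expr, headers)]
    # Page's note: lower number = higher priority, but 0 is applied last.
    hits.sort(key=lambda hit: (hit[0] == 0, hit[0]))
    return [name for _, name in hits]

# Expressions are the page's; priorities and Standard_Policy are hypothetical.
BINDINGS = [
    ("Standard_Policy", 0, "ns_true"),
    ("CitrixReceiver_Policy", 100,
     "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"),
    ("iPhone_Policy", 110,
     "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || "
     "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver-iPad || "
     "REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork || "
     "REQ.HTTP.HEADER User-Agent CONTAINS Darwin"),
]

# Constructed User-Agent values, not captured from real clients.
RECEIVER = {"User-Agent": "CitrixReceiver-iPad CFNetwork/485.13.9 Darwin/11.0.0"}
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
OTHER_IOS_APP = {"User-Agent": "ExampleApp/1.0 CFNetwork/485.13.9 Darwin/11.0.0"}

if __name__ == "__main__":
    for label, hdrs in [("receiver", RECEIVER), ("browser", BROWSER),
                        ("other iOS app", OTHER_IOS_APP)]:
        print(label, "->", precedence(BINDINGS, hdrs))
```

The third sample carries CFNetwork and Darwin but not CitrixReceiver and still selects iPhone_Policy, which shows that the combined expression is broader than CitrixReceiver_Policy.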

Additional Information

Authentication Policy Configuration

    • If dual authentication is required on NetScaler Gateway (such as RSA SecurID and Active Directory) and there are no qualifying expressions defined in authentication policy other than "ns_true", RSA SecurID authentication must be defined as the default primary authentication type. Active Directory authentication must be the secondary authentication type.

    • RSA SecurID uses a RADIUS server to enable token authentication.

    For more information refer to CTX125364 - How to Configure Two-Factor Authentication on NetScaler Gateway for Use with Mobile/Tablet Devices.

    Citrix Documentation - Configure Access Gateway Enterprise Edition for Citrix Receiver for iOS

    Note: Using Windows Receiver with Web Interface (including WI on NS) at the backend is not supported at the NetScaler Gateway level.