How to Configure Receiver for Seamless Experience Through NetScaler Gateway

Article ID: CTX200664

Description

This article describes how to configure Receiver for seamless experience when accessed through NetScaler Gateway.

Background

In an environment where users need full VPN connectivity to NetScaler Gateway (as opposed to ICA Proxy only), Desktop Receivers (Windows and Mac) connect seamlessly to NetScaler Gateway and initiate a full SSL tunnel through the NetScaler Gateway client. From the end user's perspective, there is no NetScaler Gateway client; Receiver handles this internally. This differs significantly from any other VPN solution, where the end user must first launch the VPN client, connect to the VPN, become part of the internal network, and then launch Receiver to connect to Web Interface/StoreFront.

The following are the steps used for accessing the published apps and desktops:
Note: This setup was tested with StoreFront only as the back end.

  1. Right-click the Receiver icon in the system tray and then click Log On.

  2. A logon prompt from NetScaler is displayed. After you log on, you are connected to the VPN.
    You can right-click the Receiver icon to confirm that you are connected.

  3. Double-click the Receiver icon. If the store is already added in Receiver, the apps enumerate automatically.
    If the store is not added, you can add it manually to enumerate the apps.

In simple terms, the user experience of accessing XenApp/XenDesktop applications remains the same from the corporate network and from the internet, because you always log on to Receiver. From the internet, Receiver under the hood performs a full VPN connection to NetScaler Gateway, and NetScaler Gateway in turn performs SSO to StoreFront and streams the apps.

This way you do not use a browser to launch the VPN; this is called seamless access.

Prerequisites

  • Access Gateway Plugin should be installed on the client machine before you can use Receiver to connect.

  • First-time users will have to use a browser to connect to the VPN.

  • StoreFront configuration must be completed.


Instructions

To configure Receiver for seamless experience when accessing through NetScaler Gateway, complete the following steps:

  1. Create a session profile with ICA Proxy set to OFF and CVPN set to ALLOW; Split Tunnel can be ON or OFF.

    add vpn vserver portal.example.com SSL 172.21.2.10 443
    add vpn sessionAction VPN_Profile_TRUSTED -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -clientlessVpnMode OFF -SSO ON -icaProxy OFF -wihome "https://portal-internal.example.com" -ntDomain GPA -storefronturl "https://portal-internal.example.com"
    add vpn sessionPolicy VPN_Policy_TRUSTED ns_true VPN_Profile_TRUSTED

    Note: In the command above, do not be confused by -clientlessVpnMode being set to OFF. In the GUI this setting appears as Allow. The possible values for -clientlessVpnMode are described in the command reference guide, quoted below:


    -clientlessVpnMode
                  Enable clientless access for web, XenApp or XenDesktop, and
                  FileShare resources without installing the NetScaler Gateway
                  Plug-in. Available settings function as follows:
                  * ON - Allow only clientless access.
                  * OFF - Allow clientless access after users log on with the
                  NetScaler Gateway Plug-in.
                  * DISABLED - Do not allow clientless access.
                  Possible values: ON, OFF, DISABLED
                  Default value: OFF

     

  2. Set CVPN/Pattern Set policies for the following cookies in the same order:

    1. Enter the value CsrfToken and then click Add.

    2. Enter the value ASP.NET_SessionId and then click Add.

    3. Enter the value CtxsPluginAssistantState and then click Add.

    4. Enter the value CtxsAuthId and then click Add.

    add policy patset StoreFront_cookies_new1
    bind policy patset StoreFront_cookies_new1 CsrfToken -index 1
    bind policy patset StoreFront_cookies_new1 ASP.NET_SessionId -index 2
    bind policy patset StoreFront_cookies_new1 CtxsPluginAssistantState -index 3
    bind policy patset StoreFront_cookies_new1 CtxsAuthId -index 4
    add vpn clientlessAccessProfile SF_cvpn
    set vpn clientlessAccessProfile SF_cvpn -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies StoreFront_cookies_new1
    add vpn clientlessAccessPolicy SF_cvpn_pol_new1 true SF_cvpn
    bind vpn vserver portal.example.com -policy SF_cvpn_pol_new1 -priority 100 -gotoPriorityExpression END -type REQUEST -intranetApplication internal_network

  3. Select Full VPN Tunnel in Store settings under Enable Remote Access.

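The following added example (not part of the original article and not Citrix code) checks a saved configuration against the settings from steps 1 and 2: -icaProxy and -clientlessVpnMode set to OFF exactly once, and the four cookies bound to the consumed-cookies pattern set in the stated order. The sample configuration is constructed from the article's object names; the function names are illustrative, and requiring both options to be set explicitly is an assumption of this check.

```python
import shlex

# Cookie order from step 2 of the article.
REQUIRED_COOKIES = ["CsrfToken", "ASP.NET_SessionId",
                    "CtxsPluginAssistantState", "CtxsAuthId"]

# Constructed sample: a saved configuration using the article's object names.
SAMPLE_CONFIG = """\
add vpn sessionAction VPN_Profile_TRUSTED -splitTunnel ON -clientlessVpnMode OFF -SSO ON -icaProxy OFF -storefronturl "https://portal-internal.example.com"
add policy patset StoreFront_cookies_new1
bind policy patset StoreFront_cookies_new1 CsrfToken -index 1
bind policy patset StoreFront_cookies_new1 ASP.NET_SessionId -index 2
bind policy patset StoreFront_cookies_new1 CtxsPluginAssistantState -index 3
bind policy patset StoreFront_cookies_new1 CtxsAuthId -index 4
add vpn clientlessAccessProfile SF_cvpn
set vpn clientlessAccessProfile SF_cvpn -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies StoreFront_cookies_new1
"""

def options(tokens):
    """Collect every value given for each -option (repeats are kept)."""
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            opts.setdefault(tok.lower(), []).append(tokens[i + 1])
    return opts

def audit(config):
    """Return findings for settings that differ from the article's steps."""
    findings, patsets, consumed = [], {}, None
    for line in config.splitlines():
        t = shlex.split(line)
        opts = options(t)
        if t[:3] == ["add", "vpn", "sessionAction"]:
            # The article sets both to OFF; a missing or repeated option is reported.
            for opt in ("-icaproxy", "-clientlessvpnmode"):
                got = [v.upper() for v in opts.get(opt, [])]
                if got != ["OFF"]:
                    findings.append(f"{t[3]}: {opt} is {got or 'unset'}, expected OFF")
        elif t[:3] == ["bind", "policy", "patset"] and "-index" in opts:
            patsets.setdefault(t[3], []).append((int(opts["-index"][0]), t[4]))
        elif t[:3] == ["set", "vpn", "clientlessAccessProfile"]:
            consumed = opts.get("-clientconsumedcookies", [consumed])[-1]
    # Order the bound patterns by index and compare with the required order.
    cookies = [name for _, name in sorted(patsets.get(consumed, []))]
    if cookies != REQUIRED_COOKIES:
        findings.append(f"patset {consumed}: cookies {cookies} do not match the required order")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "configuration matches the article")
```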

Additional Information

From nstrace Perspective

In the configuration, CVPN must be set to ALLOW because in an nstrace you can observe Receiver sending CVPN requests.

When CVPN is OFF, you will observe that NetScaler does not send the request from Receiver to the back end but sends a "403:Not a privilege user" error right away to the client.

After CVPN is set to ALLOW in the session profile, you will observe that NetScaler sends the request from Receiver to the back end and gets a 200 response, which is sent to the client.