Deploying a full VPN solution might, in some cases, be needed for some users, as it allows a client to become a part of the internal network using the NetScaler Gateway plugin. With the use of the NetScaler Gateway plugin, we also have Endpoint analysis that allows us to scan a client for specific processes or, for example, to find out if antivirus software is running. Endpoint analysis is not covered as part of this book. For more information about Endpoint analysis, I suggest reading the Citrix article located at http://support.citrix.com/article/CTX135136.
Configuring a regular (full) VPN with NetScaler Gateway is not very different from configuring ICA Proxy. We need the following:
The only difference here is that we need to set the vServer to SmartAccess, and we need to change the session policy.
When we are creating the session policy, there are attributes that should be configured in the Client Experience pane. There are multiple settings that define how a VPN tunnel should behave, so it is important to note what each feature does. The settings are as follows:
There are some points to be aware of here. If the Split Tunnel option is disabled, all traffic from the endpoint is routed through NetScaler. If it is enabled, only traffic destined for the internal network is routed through NetScaler. This also means that we need to define which IP address or range of addresses the gateway should intercept. This is done using something called an intranet application, which is available in the vServer. Here, we can define a range of IP addresses or a single IP address that the gateway will intercept for the client. There is one constraint on the interception type: for Java-based clients, we need to define intranet applications as proxy-based, and for regular Windows/Mac clients we need to define the intranet applications as transparent. We cannot combine these two types of intranet applications.
Also, should we need to give a connected client a dedicated IP address, we need to define intranet IPs, which work much like a DHCP server. Here, we can define a range of IP addresses that can be given to users. These intranet IPs can be bound to an AAA user, an AAA group, a vServer, or at a global level. IP addresses that are bound to a user take priority over the other options.
Now, under the Published Applications pane, we need to define the following:
Off
as the client will have a full VPN connection and does not need the gateway to proxy traffic.
When users connect to this vServer now, they will be presented with a download option that allows them to download the NetScaler Gateway plugin, and they will be redirected to the StoreFront site.
Now, even though this uses the NetScaler Gateway plugin to establish a connection, we still need Citrix Receiver to establish a connection to the Citrix environment. It is possible to integrate these two clients. If a user has Citrix Receiver installed previously, and then installs the NetScaler Gateway plugin, they will get a new option under Citrix Receiver Applet | About | Advanced | Access Gateway Settings. From here, users can start a full VPN session directly using Citrix Receiver when they are connected by clicking on Login from the Access Gateway Settings option.
So after these settings are configured, we will have successfully configured a VPN solution on our Gateway. An important point to note is that in some cases the VPN tunnel fails to build; this is seen with some firewalls. In that case, you might consider enabling MAC-based forwarding.
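The whole procedure above, written out as NetScaler CLI commands, is given here as an added example; it is not from the book or from Citrix. The vServer name vpn_vs, the VIP 192.0.2.10, the certificate key name gw_cert (assumed to be installed already), the internal range 10.10.0.0/16, the intranet IP pool 10.200.0.0/24 and the StoreFront URL are all placeholder values to replace with your own. Authentication policies are assumed to be bound to the vServer separately. The lines starting with # are annotations for the reader and are not accepted by the NetScaler CLI, so strip them before pasting.

```text
# 1. Gateway vServer in SmartAccess mode: icaOnly OFF is what the GUI calls SmartAccess
add vpn vserver vpn_vs SSL 192.0.2.10 443
set vpn vserver vpn_vs -icaOnly OFF
bind ssl vserver vpn_vs -certkeyName gw_cert

# 2. Session profile (the Client Experience and Published Applications settings):
#    split tunnel ON, transparent interception for the Windows/Mac plugin,
#    ICA Proxy OFF because the client gets a full tunnel, StoreFront as home page.
#    defaultAuthorizationAction ALLOW lets tunnel traffic through; bind authorization
#    policies instead if you want per-resource control (least privilege).
add vpn sessionAction vpn_full_prof -splitTunnel ON -transparentInterception ON -icaProxy OFF -defaultAuthorizationAction ALLOW -wihome "https://storefront.example.com/Citrix/StoreWeb"

# 3. Session policy that always applies this profile, bound to the vServer
add vpn sessionPolicy vpn_full_pol ns_true vpn_full_prof
bind vpn vserver vpn_vs -policy vpn_full_pol -priority 100

# 4. With split tunnel ON, only traffic to bound intranet applications enters the tunnel.
#    TRANSPARENT is for the Windows/Mac plugin; PROXY would be for Java clients, and
#    the two interception types cannot be bound to the same vServer.
add vpn intranetApplication intra_corp ANY 10.10.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver vpn_vs -intranetApplication intra_corp

# 5. Intranet IP pool handed out to connected clients (DHCP-like). A pool bound to an
#    AAA user takes precedence over group, vServer and global bindings.
bind vpn vserver vpn_vs -intranetIP 10.200.0.0 255.255.255.0

# 6. Verify what was bound
show vpn vserver vpn_vs
show vpn intranetApplication intra_corp

# 7. Only if the tunnel fails to build behind certain firewalls: MAC-based forwarding
enable ns mode MBF
save ns config
```

Keeping the intranet application range as narrow as the internal services actually need is the security-relevant choice here: with split tunnel ON, everything outside the bound ranges leaves the endpoint directly, so the bound ranges are exactly what the gateway sees and can police.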