Deploying VPN

Deploying a full VPN solution might be needed for some users, as it allows the client to become part of the internal network using the NetScaler Gateway plugin. With the NetScaler Gateway plugin, we also get Endpoint Analysis, which lets us scan the client for specific processes or, for example, check whether antivirus software is running. Endpoint Analysis is not covered as part of this book. For more information about Endpoint Analysis, I suggest reading the Citrix article located at http://support.citrix.com/article/CTX135136.

Configuring regular VPN with NetScaler Gateway is not very different from configuring ICA Proxy. We need the following:

  • A NetScaler Gateway vServer with a name, a port, and an IP address
  • A vServer set to SmartAccess
  • A trusted certificate
  • An authentication policy
  • A session policy

The only difference here is that we need to set the vServer to SmartAccess, and we need to change the session policy.

When we are creating the session policy, there are attributes that should be configured in the Client Experience pane. There are multiple settings that define how a VPN tunnel should behave, so it is important to note what each feature does. Following are the settings:

  • Split Tunnel: This defines whether all client traffic, or only traffic destined for servers in the internal network, goes through the gateway in a CVPN connection.
  • Client Idle Time-out (mins): This defines how long NetScaler waits before it disconnects the session when there is no user activity. This only applies to NetScaler plugins.
  • Plug-in Type: This defines what kind of plugin is offered to the user, either Windows/Mac-based or Java-based.
  • Single Sign-on to Web Applications: This allows NetScaler to perform SSO to the Web Interface/StoreFront site or, if we have set a custom homepage such as a SharePoint site, to that site.
  • Credential Index: This defines which authentication credentials are forwarded to the web application. Here, we can choose from the primary or the secondary authentication set.
  • Single Sign-on with Windows: This allows the Gateway plugin to authenticate to NetScaler using Windows credentials.

There are some exceptions here. If the Split Tunnel option is disabled, all endpoint traffic is routed through NetScaler. If it is enabled, only traffic destined for the internal network is routed through NetScaler, which means we also need to define which IP address or range of addresses the gateway should intercept. This is done using an intranet application, which is configured on the vServer. Here, we define a single IP address or a range of addresses that the gateway will intercept on the client's behalf. The type of intranet application depends on the plugin: for Java-based clients, intranet applications must be defined as proxy-based, and for regular Windows/Mac clients they must be defined as transparent. The two types cannot be combined.

Also, if a connected client needs a dedicated IP address, we need to define intranet IPs, which NetScaler hands out much like a DHCP server. Here, we define a range of IP addresses that can be assigned to users. Intranet IPs can be bound to an AAA user, an AAA group, a vServer, or globally; addresses bound to a user take priority over the other bindings.

Now, under the Published Applications pane, we need to define the following:

  • ICA Proxy: This should be set to Off as the client will have a full VPN connection and does not need the gateway to proxy traffic.
  • Web Interface Address: This should be defined to allow clients to connect to the StoreFront site.
  • Single Sign-on Domain: This defines which AD domain can be used for single sign-on.
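As an added example (not code from the book or from Citrix), the following Python builds the NetScaler CLI lines for the SmartAccess vServer, session policy, transparent intranet application and intranet IP settings described above, and rejects the combinations the text warns about: ICA Proxy must be off, proxy-based and transparent intranet applications cannot be mixed, and split tunnelling needs at least one intranet application. The vServer name, StoreFront URL, domain and addresses are constructed placeholders; the vServer and its certificate are assumed to exist already.

```python
# Added example: emit the NetScaler CLI equivalent of the full-VPN session
# policy for the Windows/Mac plug-in and enforce the constraints from the text.
# All names and addresses are constructed; the vServer is assumed to exist.
from ipaddress import ip_network

def build_full_vpn_config(vserver, split_tunnel, intranet_apps, intranet_ip_pool,
                          storefront_url, sso_domain, idle_timeout_min=30):
    """Return a list of NetScaler CLI lines.

    intranet_apps: list of (name, cidr, interception) tuples.
    Raises ValueError when the combination would not work as described.
    """
    types = {interception for _, _, interception in intranet_apps}
    if len(types) > 1:
        raise ValueError("proxy and transparent intranet applications cannot be combined")
    if "PROXY" in types:
        raise ValueError("proxy-based intranet applications are for the Java client; "
                         "the Windows/Mac plug-in needs TRANSPARENT")
    if split_tunnel and not intranet_apps:
        raise ValueError("split tunnel is ON but no intranet application says what to intercept")
    action = f"{vserver}_act"
    lines = [
        # SmartAccess mode: the vServer must not be ICA-only
        f"set vpn vserver {vserver} -icaOnly OFF",
        # Client Experience and Published Applications settings in one session action
        (f"add vpn sessionAction {action} -splitTunnel {'ON' if split_tunnel else 'OFF'}"
         f" -clientIdleTimeout {idle_timeout_min} -SSO ON -ssoCredential PRIMARY"
         f" -windowsAutoLogon ON -transparentInterception ON -icaProxy OFF"
         f" -wihome {storefront_url} -ntDomain {sso_domain}"),
        f"add vpn sessionPolicy {action}_pol ns_true {action}",
        f"bind vpn vserver {vserver} -policy {action}_pol -priority 100",
    ]
    for name, cidr, interception in intranet_apps:
        net = ip_network(cidr, strict=True)   # rejects a prefix with host bits set
        lines.append(f"add vpn intranetApplication {name} ANY {net.network_address}"
                     f" -netmask {net.netmask} -interception {interception}")
        lines.append(f"bind vpn vserver {vserver} -intranetApplication {name}")
    if intranet_ip_pool:   # dedicated client addresses, handed out like DHCP
        pool = ip_network(intranet_ip_pool, strict=True)
        lines.append(f"bind vpn vserver {vserver} -intranetIP {pool.network_address} {pool.netmask}")
    return lines

if __name__ == "__main__":
    for line in build_full_vpn_config("vpn_vs", True,
                                      [("corp_net", "10.10.0.0/16", "TRANSPARENT")],
                                      "10.99.0.0/24",
                                      "https://storefront.example.internal/Citrix/StoreWeb",
                                      "EXAMPLE"):
        print(line)
```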

When users connect to this vServer now, they will be presented with a download option that allows them to download the NetScaler Gateway plugin and they will be redirected to the StoreFront site.

Now, even though this uses the NetScaler Gateway plugin to establish the connection, we still need Citrix Receiver to connect to the Citrix environment. It is possible to integrate these two clients. If a user already has Citrix Receiver installed and then installs the NetScaler Gateway plugin, they will get a new option under Citrix Receiver Applet | About | Advanced | Access Gateway Settings. From here, users can start a full VPN session directly from Citrix Receiver by clicking on Login in the Access Gateway Settings option.

After these settings are configured, we have successfully set up a VPN solution on our gateway. An important point to note is that in some cases you might have trouble building a VPN tunnel; this happens with some firewalls, and in that case you might consider enabling MAC-based forwarding.
