Clientless access is a basic browser-based VPN solution, where users are presented with a homepage when they log in and from there they can access file shares, web applications, and other settings depending on what is defined in the session policy.
In order to allow clientless access, we need to define some settings in the session policy part of the Client Experience pane. Following are the settings:
- URL for Web-Based Email: This is used for logging into web-based e-mail solutions, such as Exchange OWA. This will appear as a pane within the clientless access session policy window.
- Session Time-out (mins): This defines how long NetScaler waits before it disconnects the session when there is no network traffic.
- Clientless Access: This defines if the SSL-based VPN should be enabled or disabled.
- Clientless Access URL Encoding: This defines whether the URL of internal web applications are obscured or are in clear text and visible to the users.
- Clientless Access Persistent Cookie: This is needed for accessing certain features in SharePoint such as opening and editing documents.
- Client Cleanup Prompt: This is used to control the display of the client cleanup prompt after exiting a SSL VPN session.
- Single Sign-on to Web Applications: This allows NetScaler to do SSO either for the web interface/StoreFront or if we have set a custom homepage to be the SharePoint site.
- Credential Index: This defines which authentication credentials are forwarded to the web application. Here, we can choose from the primary or the secondary authentication set.
In the Published Applications pane, we define the following settings in the request profile:
- Web Interface Address: Here, we define the URL to the StoreFront receiver.
- Web Interface Portal Mode: This defines if the web interface should appear with full graphical experience or use the compact view.
- Single Sign-on Domain: This defines which AD domain should be used for single sign-on.
Now, in order to activate clientless access, we only need to set the vServer to SmartAccess and set clientless access to ON under the session policy, but there are other settings as well that can affect this feature. For example, if we add a URL for web-based e-mail, users will have an e-mail pane after they log in, which is going to be proxied via NetScaler. This allows them to log in to their e-mail. URL encoding determines if the URL should be masked so that the users will never see the real URL when they are browsing on a web application. Persistent cookie is needed for some cases, such as using SharePoint. Also, adding the web interface address and defining single sign-on allows NetScaler to display the user's applications within the same clientless access session. If a user clicks on an application here, it will start a Citrix Receiver session. We also have the option to add file shares and web applications to the portal. This can be done either within the vServer under the Bookmarks pane or as a user-based policy. Note that when you add a bookmark and bind it to a user or a vServer, it will appear under the Enterprise pane of the portal. Users also have the option to add their own bookmarks. We will go through how to add settings to a specific user or group later in this chapter.
When we add a bookmark, we also have the option to use NetScaler Gateway as a reverse proxy. If this is enabled, it means that when a user clicks on the bookmark, the connection will go from the user to NetScaler, and from there to the application. If this is not enabled, the connection will go from the user to the specified address in the bookmark.