Remote access to a Citrix XenApp and/or XenDesktop environment can be accomplished using the Citrix NetScaler Gateway. NetScaler Gateway is a feature that comes on the NetScaler appliance. All ICA connections are encrypted over SSL/TLS, allowing secure access to the users' desktops and applications. The following article goes through the steps of setting up remote access on the NetScaler appliance for ICA-only connections.
Open a web browser and connect to the primary NetScaler appliance or the Subnet IP (SNIP), if it's been configured for management access. The SNIP will always take you to the primary appliance.
Expand System > Settings.
Click Configure Basic Features.
Select NetScaler Gateway and click OK.
We are going to be configuring authentication, namely LDAP, but we need to make sure that NetScaler's time is in sync with the domain controllers. Expand System > NTP Servers and click Add.
Enter a domain controller's IP address in NTP Server and click Create.
Expand System > Authentication > LDAP.
Click the Servers tab.
Enter Name and select Security Type. Security Type can be PLAINTEXT, TLS or SSL, but TLS or SSL must be used for NetScaler Gateway to allow users to change an expired password in Active Directory. If the user's password has expired and PLAINTEXT is used, the user will receive an access denied error message when they log on. To use TLS or SSL, the domain controller must have an SSL certificate. The Port will be configured with 389 for PLAINTEXT and TLS, or 636 for SSL.
Scroll down the page.
Enter the Base DN (where it can find the users), Administrator Bind DN (an ordinary user account that allows the NetScaler to query LDAP for user authentication) and Administrator Password. Click Test Connection to make sure the LDAP connection works.
Choose sAMAccountName from the Server Logon Name Attribute drop-down box, set Group Attribute to memberOf and Sub Attribute Name to cn, then select --<< New >>-- from SSO Name Attribute and type sAMAccountName in the box below.
To allow users to change their passwords when they expire, check the Allow Password Change box. This option isn't available if PLAINTEXT was selected for the LDAP Security Type.
You can repeat these steps to add more servers for redundancy or for additional Active Directory domains.
Click the Policies tab and click Add.
Enter a description in Name, select the server you just created in the Server drop-down box and type ns_true in the expression, so LDAP authentication is always used.
If you added any further servers, you also need to create the policies to go with them.
In this particular case the NetScaler is connected to two networks, LAN and DMZ. Currently it only has IP addresses on the LAN. This step goes through adding a Subnet IP (SNIP), so it has internal communication with the DMZ network.
Expand System > Networks > IPs.
Enter the IP Address and Netmask.
Scroll down the page and deselect "Enable Management Access control to support the below listed applications" so that the NetScaler cannot be managed via the DMZ network.
The new IP address should appear in the list. Now NetScaler has direct access to the DMZ network.
To make sure that NetScaler knows which NIC is connected to which network we will create a VLAN and assign the SNIP for the DMZ to that VLAN.
Expand System > Network > VLANs.
By default VLAN 1 is present and all interfaces are bound to it. Click Add.
Enter the VLAN ID, Alias Name (to easily identify the VLAN) and select the interface that is connected to the network under Interface Bindings. Click the IP Bindings tab.
Select the IP address that was created earlier. Only SNIPs will be listed in this table.
The VLAN should appear in the list with the interface bound to it and no longer assigned to VLAN 1. We will leave the other interface on the default VLAN.
All my Internet traffic is routed through the DMZ. Now that the NetScaler is directly connected to the DMZ, all Internet-bound traffic can go directly through this interface. I am therefore going to change the default gateway on the appliance.
Expand System > Network > Routes.
Enter 0.0.0.0 for the Network and Netmask and enter the default gateway IP address in Gateway.
You should have two default routes listed.
Select the old default route and click Delete.
A single default route should be listed now.
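An added example (not from the original article or from Citrix): a Python check over saved NetScaler configuration lines for three settings configured above, namely the LDAP Security Type and its port, management access on the DMZ SNIP, and a single default route. The sample lines, names and addresses are constructed, and treating an omitted -serverPort as 389 is an assumption.

```python
import shlex

# Constructed ns.conf-style lines for illustration; every name and address is a placeholder.
SAMPLE_CONF = """\
add ns ip 192.168.100.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.6 255.255.255.0 -type SNIP -mgmtAccess ENABLED
bind vlan 100 -ifnum 1/2
bind vlan 100 -IPAddress 192.168.100.5 255.255.255.0
add route 0.0.0.0 0.0.0.0 10.0.0.1
add route 0.0.0.0 0.0.0.0 192.168.100.1
add authentication ldapAction LDAP_DC1 -serverIP 10.0.0.10 -secType PLAINTEXT
add authentication ldapAction LDAP_DC2 -serverIP 10.0.0.11 -secType SSL
add authentication ldapAction LDAP_DC3 -serverIP 10.0.0.12 -serverPort 636 -secType SSL -passwdChange ENABLED
"""

# Ports the article pairs with each Security Type.
EXPECTED_PORT = {"PLAINTEXT": "389", "TLS": "389", "SSL": "636"}

def opts(tokens):
    """Collect '-option value' pairs from one tokenised config line."""
    return {t[1:]: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(conf, dmz_vlan):
    """Return findings for the settings the walkthrough treats as security-relevant."""
    lines = [t for t in map(shlex.split, conf.splitlines()) if len(t) > 3]
    # IP addresses bound to the DMZ VLAN (interface bindings contribute None, which never matches).
    dmz_ips = {opts(t).get("IPAddress") for t in lines if t[:3] == ["bind", "vlan", dmz_vlan]}
    findings, default_routes = [], 0
    for t in lines:
        o = opts(t)
        if t[:3] == ["add", "ns", "ip"] and t[3] in dmz_ips and o.get("mgmtAccess") == "ENABLED":
            findings.append(f"mgmt-access-on-dmz:{t[3]}")
        elif t[:4] == ["add", "route", "0.0.0.0", "0.0.0.0"]:
            default_routes += 1
        elif t[:3] == ["add", "authentication", "ldapAction"]:
            sec = o.get("secType")
            if sec is None:  # saved configs omit defaults; report instead of guessing
                findings.append(f"ldap-sectype-unset:{t[3]}")
                continue
            if sec == "PLAINTEXT":  # no transport encryption, no expired-password change
                findings.append(f"ldap-plaintext:{t[3]}")
            # Assumption: an omitted -serverPort means 389.
            if o.get("serverPort", "389") != EXPECTED_PORT.get(sec):
                findings.append(f"ldap-port-mismatch:{t[3]}")
    if default_routes != 1:
        findings.append(f"default-routes:{default_routes}")
    return findings
```

Calling audit(SAMPLE_CONF, "100") returns one finding string per problem, in the order the lines appear, followed by the default-route count when it is not exactly one.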
Expand Traffic Management > SSL and click Import PKCS#12.
Enter the PEM filename that will be created on the appliance from the PFX file in Output File Name. Click on Choose File for PKCS12 File.
Browse to locate the PFX certificate file and click Open.
Enter the password used to encrypt the PFX file in Import Password, select either DES or DES3 in Encoding Format and enter a password to encrypt the PEM file on the NetScaler into PEM Passphrase and Confirm PEM Passphrase.
Expand Traffic Management > SSL > Certificates > Server Certificates and click Install.
Enter a certificate name in Certificate-Key Pair Name, click Choose File for Certificate File Name, browse the appliance for the certificate file that was imported earlier, and enter the password used to encrypt it in Password. Click Install.