NetScaler Gateway 11.1 – SSL VPN

Last Modified: Nov 7, 2020 @ 6:35 am


ūüí° = Recently Updated


Here’s an overview of the NetScaler Gateway connection process:

  1. Users use SSL/TLS to connect to a NetScaler Gateway Virtual Server (VIP).
  2. NetScaler Gateway prompts the user for authentication.
  3. Once the user is authenticated, NetScaler Gateway uses Session Policies/Profiles to determine what happens next.

NetScaler Gateway supports five different connection methods:

  • ICA Proxy to XenApp/XenDesktop ‚Äď the client is built into Citrix Receiver
  • SSL VPN ‚Äď requires installation of NetScaler Gateway plug-in
  • Clientless ‚Äď browser only, no VPN client, uses rewrite
  • Secure Browse ‚Äď from MDX-wrapped mobile applications (XenMobile), uses rewrite
  • RDP Proxy ‚Äď only RDP client is needed

You can configure NetScaler Gateway Session Policies/Profiles to only use one of the connection methods. Or NetScaler Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the RfWebUI theme:

Session Policies/Profiles have several settings that control the behavior seen after authentication:

  • ICA Proxy – ON or OFF
    • If ON, then ICA Proxy is the only connection method allowed, overriding the other connection methods.
    • ICA Proxy does not launch the VPN client. It only needs Citrix Receiver.
    • ICA Proxy shows the Webpage that’s configured in the Web Interface Address field of the Session Profile. This is typically the StoreFront Receiver for Web page, but technically it can be any internal website.
    • If OFF, that doesn’t mean ICA Proxy doesn’t work. You can still send ICA traffic to the NetScaler Gateway Virtual Server, and the¬†NetScaler Gateway Virtual Server will still proxy it to internal VDAs.
    • Setting it to OFF allows the other connection methods to function. For example, Clientless Access can show both NetScaler Gateway Bookmarks and StoreFront published apps. If VPN is launched, then the portal page shown to the user after the tunnel is established can contain the StoreFront published applications.
  • Clientless Access – On, Off, Allow
    • If On, then Clientless is the only connection method allowed, assuming ICA Proxy is not set to ON. After the user logs in, the user is presented with a portal page that contains a list of bookmarks and/or StoreFront published icons. The VPN Client is not launched.
    • The Home Page setting in the Session Profile allows you to display an internal website instead of displaying the NetScaler Gateway Portal Page.
    • Bookmarks are configured at NetScaler Gateway > Resources > Bookmarks. You can bind the Bookmarks (Urls) to the NetScaler Gateway Virtual Server, or to AAA Groups.
    • Only Bookmarks configured for Clientless Access will work. The internal websites are rewritten so they are proxied through NetScaler Gateway. For example, if the internal website is http://intranet.corp.local, then Gateway rewrites them to This causes the web browser to send the HTTP Request to NetScaler Gateway, which then forwards the HTTP Request to the internal web server. No VPN needed.
  • Plug-in Type – Windows/MAC OS X
    • If both Clientless and ICA Proxy are set to Off, then the VPN Client will be downloaded and launched.
    • Once the VPN tunnel is established, the webpage configured in the¬†Home Page setting is displayed. Or the NetScaler Gateway Portal Page (Clientless Access) is displayed if no Home Page is configured. The Bookmarks in the Portal Page can link to internal websites that are only accessible through a VPN tunnel. Or Bookmarks can be configured for Clientless Access.
    • Additional Gateway objects control VPN behavior including: DNS Suffix, Intranet Applications, Intranet IPs, and Authorization Policies.
  • Client Choices – checked or unchecked
    • If Client Choices is checked, then it displays a page containing up to three buttons corresponding to the connection methods shown above. The Network Access with the¬†NetScaler Gateway Plug-in (VPN)¬†¬†button is always displayed. The Clientless Access button is displayed if Clientless Access is set to On or Allow. The Virtual App and Desktop Access button is displayed if a Web Interface Address is configured.

Here are some characteristics of Session Policies/Profiles:

  • Policy Expression¬†– If the Session Policy Expression is true, then the settings contained in the Session Profile are applied.
    • The Session Profile is also sometimes called the Action. That’s because all NetScaler policies follow a standard structure – if the expression evaluates to True, then perform the Action. For Session Policies in particular, the policy Action = Session Profile.
    • Session Policy Expressions are typically¬†ns_true, which is always true, or an¬†Endpoint Analysis (EPA) Scan created using the OPSWAT EPA Editor. In the latter case, the Session Profile only applies if the EPA scan succeeded.
  • Policy Bind Points – Session Policies can be bound to three different bind points – NetScaler Gateway Virtual Server, AAA Groups, and AAA User.
    • When bound to a¬†NetScaler Gateway Virtual Server, the Session policy/profile applies to all users that log into that Virtual Server.
    • When bound to a AAA Group, the Session policy/profile only applies to members of the AAA group (Active Directory group or local group)
    • When ¬†bound to a AAA User, the¬†Session policy/profile only applies to the AAA user (Active Directory user or local user)
  • Profile Conflicts – Multiple Session Policies/Profiles could apply to a single session. In this case, the Profile settings are merged. But if there’s a conflict (e.g. one Session Profile enables Clientless access, but another Session Profile disables Clientless access), then which one wins?
    • Priority number – When you bind a Session Policy to a bind point, you specify a priority number. This priority number usually defaults to¬†100.
    • Lowest priority number wins – The Session Policy bind point that has the lowest priority number, wins. Session Policies bound with a priority of 80 will win over Session Policies bound with a priority of 100. Remember, for settings that don’t conflict, the two Profiles merge, but for settings that do conflict, the lower priority number policy/profile settings win.
    • Bind point types – The type of bind point doesn’t matter. If you bind a Session Policy to a AAA Group with a priority of 100, and you also bind a Session Policy to the NetScaler Gateway Virtual Server with a priority of 80, then the conflicting settings in the Session Policy bound to the¬†NetScaler Gateway Virtual Server will win. You might think that AAA-bound policies always override Virtual Server-bound policies, but that is not the case.

AAA Groups are a critical component of NetScaler Gateway VPN configuration:

  • Group extraction – Make sure the LDAP Policy/Server is configured to extract to the user’s Active Directory Groups.
  • Create AAA Groups on the NetScaler that match exactly (case sensitive) with the user’s Active Directory Group Name.
  • You can then bind policies and other Gateway objects to the AAA Group, and these bindings only affect that particular AAA Group. These bindings include:
  • If the user belongs to multiple AAA Groups, then policies are applied as follows:
    • Session Policies – the settings are merged, unless there’s a conflict. If a conflict, then the policy with the lowest priority number wins.
    • Bookmarks, Intranet Applications, and Authorization Policies are merged.
    • Intranet IPs (IP Pool) are probably random allocation. It’s probably best to make sure a user only belongs to one AAA Group that assigns Intranet IPs.
  • You can also create local AAA Groups that are unrelated to Active Directory groups. There are several ways of getting users into these local AAA groups:
    • Create local AAA Users and assign them to the AAA Group
    • Configure Session Policy/Profile with a Client Security Check String¬†(EPA Scan). If the scan succeeds, users are placed into local Authorization AAA Groups. If the scan fails, then users are placed into a local Quarantine AAA Group and removed from all other AAA Groups.
    • When users are authenticated with a particular authentication server, the authentication server can be configured to place users into a¬†Default Authentication Group. This lets you apply different Session Policy/Profiles (and other Gateway objects) depending on how the user authenticated.

NetScaler Gateway supports Client Security Expressions (Endpoint Analysis expressions) at three different locations:

  • Preauthentication Policy Expression
    • If the EPA Scan succeeds, then the user is allowed to login.
    • If the EPA Scan fails, then the user is not allowed to login.
    • Preauthentication Policies are¬†bound to NetScaler Gateway Virtual Servers only, and thus applies to all users of that Virtual Server.
  • Session Policy Expression
    • This type of EPA Scan is configured in the Session Policy Expression, not the Profile.
    • If the EPA Scan succeeds, then the settings in the Session Profile are applied to the session.
    • If the EPA Scan fails, then the Session Profile is ignored. Other Session Policies expressions are still evaluated. Remember, Session Policy/Profiles merge, so all applicable Session Policies must be considered.
    • A limitation of this EPA method is that nothing negative happens. Instead, you typically design higher priority number (lower priority) Session Policies with restrictive settings so that if the EPA Scans fail, then users still get something. For example, youcan ¬†configure your highest priority number Session Policy/Profile with StoreFront (ICA Proxy) only. In the lower priority number Session Policies/Profiles, VPN might be enabled, but only if the EPA scan succeeds.¬†More restrictive Session Profiles usually uncheck Client Choices, and enable Clientless Access or ICA Proxy.
    • This method of EPA Scans is used in SmartAccess and SmartControl¬†configurations.
  • Session Profile > Security > Advanced Settings > Client Security¬†Check String
    • If the EPA Scan succeeds, add the user to the listed Authorization AAA Groups.
    • If the EPA Scan fails, add the user to the selected Quarantine Group, and remove the user from all other AAA Groups.
  • Assigning EPA scans to Session Policies and Session Profiles is also known as Post-Authentication EPA Scans.
  • If Endpoint Analysis is configured anywhere, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.


Except for ICA Proxy, all NetScaler Gateway connection methods require a NetScaler Gateway Universal License for each concurrent session. Go to System > Licenses and make sure NetScaler Gateway User licenses are installed.

Also make sure the maximum AAA users equals the number of licenses. Go to NetScaler Gateway > Global Settings > Change authentication AAA settings.

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

Create Session Profile

To enable SSL VPN: first create the Session Profile. Then create a Session Policy.

You can create multiple session Policies/Profiles with different settings. Then you can bind these Session Policies to AAA groups and/or NetScaler Gateway Virtual Servers.

To enable SSL VPN in a Session Profile:

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.
  3. Name the profile VPN or similar.
  4. In Session Profiles, every line has an Override Global checkbox to the right of it. If you check this box next to a particular field, then the field in this session profile will override settings configured globally or in a lower priority session policy.
  5. Switch to the Network Configuration tab.
  6. You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything, then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.
  7. Switch to the Client Experience tab. This tab contains most of the NetScaler Gateway VPN settings.
  8. Override Plug-in Type and set it to Windows/Mac OS X.
  9. On the Client Experience tab, override Split Tunnel and make your choice. Setting it to OFF will force all traffic to use the tunnel. Setting it to ON will require you to create Intranet Applications so the NetScaler Gateway Plug-in will know which traffic goes through the tunnel, and which traffic goes directly out the client NIC (e.g. to the Internet). REVERSE means all traffic goes through the tunnel except for the addresses defined in Intranet Applications.
  10. On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers, so you might want to configure this Session Profile to override the defaults and increase the timeouts. See Configuring Time-Out Settings at Citrix Docs for details.
    1. Client Idle Time-out is a NetScaler Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine.
    2. Session Time-out is a NetScaler timer that disconnects the session if there is no network activity for this duration.
    3. In addition to these two timers, on the¬†Network Configuration¬†tab, under¬†Advanced Settings, there’s a¬†Forced Timeout setting.

  11. By default, once the VPN tunnel is established, a portal page appears containing bookmarks, and StoreFront published icons. An example of the portal page in the RfWebUI theme is shown below:
  12. The X1 theme is shown below:
  13. On the Client Experience tab, the Home Page field lets you override the the default portal page, and instead display a different webpage (e.g. Intranet). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
  14. NetScaler Gateway 11.1 can now automatically start the VPN tunnel whenever the user is remote. Click the plus icon next to AlwaysON Profile Name.
  15. Give the profile name. Hover over the question marks to see what each of them does. Then click Create. More info at AlwaysON at Citrix Docs.
  16. Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
  17. Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do. Reliable DNS occurs when Split DNS is set to Remote.
  18. Note: if Split Tunnel is OFF, and if Split DNS is set to REMOTE, NetScaler only returns one IP address to DNS queries. This behavior can be changed by following Citrix¬†CTX200243¬†DNS Query Responds with Only One IP to Client PC When Connected Through NetScaler Gateway Full VPN.¬† ūüí°
  19. Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, one of the connection methods will occur automatically, depending on what’s enabled.
  20. On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Allow to add Clientless to the list of available connection methods.
  21. An example of Client Choices is shown below:
  22. The Client Experience > Advanced Settings section has additional tabs. A commonly configured tab is Proxy, which allows you to enable a proxy server for VPN users.
  23. Back in the main Session Profile, switch to the Security tab.
  24. Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.
  25. On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
  26. Configure the Web Interface Address, to embed StoreFront into the default portal page. Note: for X1 theme, additional iFrame configuration is required on the StoreFront side as detailed below. RfWebUI theme does not need any StoreFront changes.
  27. From Michael Krasnove: if you configured the Session Policy to direct users to StoreFront, but aren’t using RfWebUI, then placing the following¬†code in c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js will cause StoreFront to end the VPN tunnel when the user logs off of StoreFront.
    // Prevent the default "logoff" screen from being displayed
    CTXS.Controllers.LogoffController.prototype._handleLogoffResult = $.noop;
    CTXS.Extensions.afterWebLogoffComplete = function () {
     window.location.href = LOGOFF_REDIRECT_URL;
  28. Click Create when you’re done creating the Session Profile.

Create Session Policy

Once the Session Profile is created, you need a Session Policy linked to it. The Session Policy contains an expression, where if true, then the Session Profile is applied.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to NetScaler Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg ‚Äďd current ‚Äďg pol_hits to see¬†which Session Policies are applying to a particular connection. See¬†CTX214588¬†Understanding Session Policy Priority on Different Bind Points.

You can also bind Endpoint Analysis expressions to a Session Policy so that the Session Policy only applies to machines that pass the Endpoint Analysis scan.

To create a Session Policy that is linked to a Session Profile:

  1. In the right pane, switch to the Session Policies, tab and click Add.
  2. Give the policy a descriptive name.
  3. Change the Profile drop-down to the VPN Profile you just created.
  4. Add a policy expression. You can enter ns_true, which applies to all connections. This box uses classic expression syntax.
  5. Or you can add Endpoint Analysis scans. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped, and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds, but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
  6. To add an Endpoint Analysis scan, use one of the Editor links on the right.
  7. Configure OPSWAT scans in the OPSWAT EPA Editor.
  8. Configure Client Security Expressions in the Expression Editor.
  9. You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !). Click Create when done.

Bind Session Policy

Most of the NetScaler Gateway configuration objects can be bound to NetScaler Gateway Virtual Server, AAA Group, or both. This section details binding of Session Policies, but the other NetScaler Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

If you bind the Session Policy to a AAA group, only members of that Active Directory group will evaluate the policy expression and potentially receive the Session Profile settings.

Bind the new Session Policy to a NetScaler Gateway Virtual Server, or a AAA group.

  1. To bind to a NetScaler Gateway Virtual Server, edit a NetScaler Gateway Virtual Server (or create a new one).
  2. Click the pencil icon for the Basic Settings section.
  3. Click More.
  4. Make sure¬†ICA Only is unchecked and click OK. If this box is checked then VPN, Clientless, and other features won’t work.
  5. Note: with this box unchecked, Gateway Universal licenses are now required for all users connecting through this Gateway vServer.
  6. Scroll down to the Policies section, and click the Plus icon.
  7. In the Choose Type page, select Session, Request and click Continue.
  8. Click to select.
  9. Select the policy, and click Select.
  10. Click Bind.
  11. If you bind multiple session policies, the policies are merged based on priority number. This is where you specify a priority for each bound policy. See CTX214588 Understanding Session Policy Priority on Different Bind Points.
  12. You can also edit the policy or profile from this screen by clicking the ellipsis icon next to each bound policy.
  13. While editing the Gateway vServer, consider changing the Portal Theme to RfWebUI. This changes the default portal page to look identical to StoreFront. RfWebUI requires StoreFront to be 3.6 or newer.
  14. To bind to a AAA Group, go to NetScaler Gateway > User Administration > AAA Groups.
  15. Add a group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction (Group Attribute, and Sub Attribute).
  16. Edit the AAA Group.
  17. On the right, in the Advanced Settings column, add the Policies section.
  18. Click the plus icon to bind one or more Session Policies.
  19. If you want these Session Policies to override the Session Policies bound to the NetScaler Gateway Virtual Server, then make sure the Session Policies bound to the AAA Group have lower priority numbers. See CTX214588 Understanding Session Policy Priority on Different Bind Points.

NetScaler Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time. This assumes the user is an administrator of the local machine.

And then the default portal page is displayed. If using the RfWebUI theme, it might prompt you to install Receiver.

Only administrators can install the NetScaler Gateway Plug-in. You can download the Gateway plug-in from the NetScaler appliance at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from The VPN client version must match the NetScaler firmware version.

While a VPN tunnel is established, you can open the Gateway Plug-in to see status. If the Gateway Plug-in is merged with Receiver, right-click Receiver, click Advanced Preferences, click NetScaler Gateway Settings and click Open.

Or, right-click the Gateway Plug-in icon, and click Open.

The hamburger menu on the left lets you see more info about the VPN tunnel.

If the Gateway VPN session isn’t established, you can open the Gateway plug-in, and login. No browser needed.

The Configuration page lets you enable Logging. Then the Logging page lets you collect the logs. See Citrix CTX138155¬†How to Collect Client VPN Logs for NetScaler Gateway.¬† ūüí°

VPN Client (NetScaler Gateway Plug-in) Session Profile Settings

  1. By default, if Receiver and NetScaler Gateway Plug-in are installed on the same machine, then the icons are merged. To see the NetScaler Gateway Plug-in Settings, you right-click Receiver, open Advanced Preferences, and then click NetScaler Gateway Settings. This makes it difficult to log off.

  2. You can configure the Session Policy/Profile to prevent the NetScaler Gateway Plug-in from merging with Receiver. Edit your VPN Session Policy/Profile. On the Client Experience tab, scroll down, and check the box next to Advanced Settings.
  3. Check the box next to Show VPN Plugin-in icon with Receiver. This causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings, including Logoff.

  4. When the user logs off of VPN, a Cleanup page is displayed. This can be enabled or disabled in a Session Profile on the Client Experience tab.

  5. The cleanup options can be forced in a Session Profile on the Client Experience tab, under Advanced Settings > Client Cleanup.
  6. Whenever NetScaler firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can edit a Session Policy/Profile, and use the Upgrade drop-downs to disable the automatic upgrade.
  7. The Plugin Upgrade settings are also configurable in the Gateway vServer, in the Basic Settings section.

Authorization Policies

If your Session Profile has Security tab > Default Authorization set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

  1. On the left, under NetScaler Gateway, expand Policies, and click Authorization.
  2. On the right, click Add.
  3. Name the Authorization Policy.
  4. Select Allow or Deny.
  5. NetScaler Gateway requires you to Switch to Classic Syntax. The other syntax option is for AAA.
  6. Enter an expression. Use the Expression Editor link to build an expression. You can specify destination IP subnets, destination port numbers, etc.
  7. Click Create when done.
  8. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
  9. On the right, in the Advanced Settings column, add the Authorization Policies section.
  10. Then click where it says No Authorization Policy to bind policies.

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

  1. On the left, under NetScaler Gateway, expand Resources, and click Intranet Applications.
  2. On the right, click Add.
  3. Enter a name for the Internal subnet.
  4. Change the Interception Mode to TRANSPARENT.
  5. Enter an IP subnet. Only packets destined for this network go across the tunnel.
  6. Then click Create.
  7. Create additional Intranet applications for each internal subnet.
  8. Intranet Applications are usually bound to the Gateway Virtual Server, but you can also bind them to AAA Groups.
  9. On the right, in the Advanced Settings column, add the Intranet Applications section.
  10. On the left, click No Intranet Application to bind Intranet Applications.

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names.

  1. On the left, under NetScaler Gateway, expand Resources, and click DNS Suffix.
  2. On the right, click Add.
  3. Enter the DNS Suffix, and click Create. You can add multiple suffixes.


Bookmarks are the links that are displayed in the default portal interface. They can point to websites, or RDP addresses.

  1. Under NetScaler Gateway, expand Resources, and click Bookmarks.
  2. On the right, click Add.
  3. Give the bookmark a name and display text.
  4. Enter a website or RDP address.
  5. The other fields are for Single Sign-on through Unified Gateway. Click Create.
  6. Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to NetScaler Gateway Virtual Servers.
  7. If NetScaler Gateway Virtual Server, add the Published Applications section to bind Bookmarks (Url).
  8. For AAA Group, it’s the Bookmarks section.
  9. On the left, find the Published Applications section and click No Url to bind Bookmarks.

VPN Client IP Pools (Intranet IPs)

By default, NetScaler Gateway VPN clients use NetScaler SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic should be routed through a NetScaler SNIP. Or the NetScaler can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots, or until the appliance runs out of IPs in the pool.

  1. Edit a NetScaler Gateway Virtual Server or a AAA group.
  2. On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
  3. On the left, click where it says No Intranet IP.
  4. Enter a subnet and netmask. Click Bind.
  5. In a Session Policy/Profile, on the Network Configuration tab, check the box next to Advanced Settings.
  6. Use the Intranet IP drop-down to configure the behavior when there are more VPN clients than available IPs in the address pool.
  7. If you set it to NOSPILLOVER, then users can only have one VPN session, as described in¬†CTX218066¬†How to Limit One Session Per User on NetScaler Gateway?.¬† ūüí°

  8. To see the Client IP address, on the client side, after the tunnel is established, right-click the NetScaler Gateway Plug-in, and click Open.
  9. See the Internal network address.
  10. To see the client IP on the NetScaler, go to NetScaler Gateway, and on the right is Active user sessions.
  11. Select one of the views, and click Continue.
  12. The right column contains the Intranet IP.

StoreFront in Gateway X1 Portal

If you enabled the RfWebUI theme, then no StoreFront configuration is necessary.

But if you want to embed StoreFront in the other Gateway themes (X1, Default, Green Bubble), then follow these instructions.

  1. On StoreFront, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
  2. On the bottom, there are three sections containing X-Frame-Options. Change all three of them from deny to allow.
  3. Also change frame-ancestors from none to self.
  4. In NetScaler, go to NetScaler Gateway > Global Settings and click Configure Domains for Clientless Access.
  5. Change the selection to Allow Domains, enter your StoreFront FQDN and click the plus icon.
  6. Click OK.
  7. In a Session Policy/Profile, on the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
  8. On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
  9. Configure the Single Sign-on domain to match what’s configured in StoreFront.
  10. The Applications page of the 3-page portal (e.g. X1 theme) should automatically show the StoreFront published icons.

Quarantine Group

NetScaler Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group. You can bind session policies, authorization policies, etc. to this quarantine group. Policies bound to other AAA groups are ignored.

  1. Go to NetScaler Gateway > User Administration > AAA Groups.
  2. Add a new local group for your Quarantined Users. This group is local, and does not need to exist in Active Directory.
  3. Create a new Session Profile.
  4. On the Security tab, check the box next to Advanced Settings.
  5. Check the box to the right of Client Security Check String.
  6. Use the Editor links to add an Endpoint Analysis expression.
  7. Just below the Client Security Check String, select the previously created Quarantine Group.
  8. Click Create when done.
  9. Create a Session Policy and select the Session Profile you just created.
  10. Enter ns_true as the expression. Then click Create.
  11. Edit your Gateway Virtual Server and bind the new session policy.
  12. Bind session policies, authorization policies, etc. to your quarantine AAA group. These policies typically limit access to the internal network so users can remediate. Or, it might simply display a webpage telling users how to become compliant.
  13. To troubleshoot Quarantine policies, use the command¬†nsconmsg ‚Äďd current ‚Äďg pol_hits.
  14. Another option is to use the session policy bound to the Quarantine Group for SmartAccess configuration.
  15. Gateway Insight shows users that failed EPA scans and their quarantine status.

Related Pages

43 thoughts on “NetScaler Gateway 11.1 – SSL VPN”

  1. Hey Carl, Is there a different Cipher Suite you would recommend using on ICAOnly gateways from one you would traditionally put on a standard HTTPS virtual server? I’ve had experience in the past with certain Cipher Suite combinations causing session disconnects during high-bandwidth streaming such as an HD video stream. I wasn’t sure if there was an alternative suite that would be best focused for performance of Citrix applications.

    1. I’m not aware of anything different than ECHDE GCM ciphers. These are the ciphers needed for A+.

      There have been bugs in some versions of NetScaler firmware. What model of NetScaler?

  2. Hi Carl,

    When I made authorization policy on user group to restrict access resource,I found that the group user can still ping the resource what they cannot access. May I configure authorization policy to restrict ping ??

  3. Hi Carl

    I have just discovered that our EPA check doesn’t seem to work when using chrome – Session EPA set to only allow SSL VPN when domain and AV confirmed, works ok on IE11 but with chrome allows SSL VPN access regardless of whether domain and AV present or not, any ideas?

      1. it prompts to download epa plugin, even if plugin has already been installed, then page auto refreshes a couple of times before allowing access, just been informed that a further test shows that it also does this with Opera, so looks like only IE is allowing it to work as it should.

        1. Chrome doesn’t support integrated plug-ins. So all it can do is send down a command and hope the plugin can respond to it. If no response from the plugin, then it offers to install it. The behavior you described is what I expect in Chrome.

          1. Thanks Carl, so if Chrome doesn’t support the plug ins and the profile and policy is set, should the netscaler not deny access as it can’t get verification of the EPA criteria? Is there a way to block access from chrome and other browsers that don’t support the plug in?

          2. Sorry, I meant the plugin isn’t integrated into Chrome. That doesn’t mean it doesn’t work. Instead, it means Chrome has no way of knowing if the plugin is installed or not until it sends a command to the plugin and waits for a response. Chrome uses Protocol Handlers, which calls an external program. IE uses ActiveX. EPA should work fine in Chrome assuming the EPA plugin is installed on the local machine. You’ll see a countdown timer as Chrome waits for a response from the external plugin.

          3. We are having the same issue after upgrading to 11.1 from 11.0. Chrome, Firefox and the variants of these versions do not seem to connect. It prompts you to download the plugin and loops. Has anyone found any answer to this? I have a case open with citrix but they are clueless as usual.

          4. In Chrome, do you get the prompt at the top of the screen to launch the Gateway plug-in?

            When I see problems like this, it’s normally due to browser cache. Or maybe you customized the files for the NetScaler Gateway logon page.

  4. Thanks for awesome article. We are implementing SSL VPN using netscaler.

    AD Group A – Endpoint check (Corporate domain machine, AV Updated)

    Once Endpoint check is completed, if user is part of GroupA he/she should be able to access complete network.

    AD Group B – Endpoint check (AV updated)

    Once endpoint check is completed, if user is part of GroupB he/she should be able to access limited servers.

    How can we achieve this?


  5. Hi Carl,
    I need some clarification.
    How the full VPN of NetScaler works?

    When I established full VPN on my PC, I couldn’t see any route or new interface on my PC?
    Actually, I could tell only from looking on the network configuration whether I was connected with VPN or not.
    Thanks a lot!
    Love your blog.
    Its feel better to contact you instead of the official channels.

    1. The Gateway Plug-in does not create a NIC. Instead, it installs a filter driver that intercepts all network traffic and decides if it should go across the VPN tunnel or not. By default, the VPN clients share the NetScaler SNIP. You can also configure Intranet IPs to assign unique IP addresses to each VPN client.

      1. what about routes?
        it should inject route when using split tunneling or any other case on the client PC?

          1. Thank you very much Carl!
            Very interesting!
            It’s the same for Java plugin? And what about java plugin running on Linux?

  6. Hi Carl – great article as always and thanks again for the support you are providing.
    We have been attempting to deploy NetScaler VPN for some time now. Generally speaking it is running – connections can be made and performance has now been tweaked to acceptable levels, however:

    We are trying to use AlwaysOn and Single SignOn. I’m not sure if these features in and of themselves are the failure of if it lies somewhere else in the Gateway client stack.

    What we are running into is complete randomness in these 2 features. The GW client starts when it shouldn’t, doesn’t start when it should, hangs on connecting. SSO sometimes auto logs in but regularly prompts for a password re-entry, probably after the initial connection attempt fails.

    Even after turning AlwaysOn completely off my clients are still auto connecting. Profile changes are getting pushed out but to what level they are actually implementing I can’t say. We do see changes at times when pushing updated profiles so I know there is some response.

    Citrix support has been all but absent in answering this, last comment is they see a client problem but no idea as to when/if it will be fixed.

    One additional clue – typically when one of these fail events occurs we kill NSLOAD in Task Manager where upon it automatically restarts. Upon restart (may ask for password) it works every time. It appears there may be some sort of timing issues as to when it starts. We’ve tried manually changing the service to delay but it appears the AlwaysOn overrides that as it starts immediately anyway.

    We’ve been told this works in a “lab” however we have used unmanaged systems with the same results. There could still be some conflict though, the machines have to at least be domain members. We don’t have a great deal of GPO policies but there could be some simple conflict somewhere. The “lab” testing probably doesn’t go through enough test cycles to verify the intermittent nature and with support claiming they see an issue at the client and our Citrix partner avoiding the VPN install it would seem it goes deeper than some local app conflict.

    So – anyone else having issues?

    We are about ready to throw this thing out.

  7. it is possible to launch a vpn tunnel when needed? for example set a bookmark to use vpn and when the bookmark is selected launch the vpn tunnel? and is it possible to get the vpn to work without client choices?

  8. Hi Carl, we have some troubles with function “split DNS”, when we set SPLIT DNS to BOTH: is it possible trying to resolve names first with LOCAL DNS and then with REMOTE DNS ? It seems that client can resolve names only in the opposite way: first uses REMOTE DNS and then uses LOCAL DNS
    Some applications have the same name either in Internet or in the internal LAN: if a user connects via VPN, he has to connect to that applications via Internet.
    Thanks in advance

  9. Has anyone got alwayson to work before the user logs on ? We would like to work the same as cisco AnyConnect Start Before Logon

  10. My goal is that users can not download or install the plug-in by themselves ex. in their home computers. Plug-in must by installed and delivered by administrators only.

    1. If users don’t have administrative rights to their machines, then they can’t install it.

    2. Hi Kim,
      you can only “prevent” this by using an EPA Check (SmartAccess) to identify your coporate devices.
      Then, all users can download and install the EPA client, but your EPA check will fail for those users. Your next policy can be something like “only Citrix”, or/and only CVPN.

      Best Regards,

  11. You can always remove the gateway plug-in executables from the NetScaler itself – but they are publicly downloadable so your clients could find them.

    You can also choose (in the gateway vServer settings) to prompt clients to upgrade (or not) an existing gateway plugin when the NetScaler version changes.

    However it sounds more like you want to control your client computing environment, for that you would need to look at rights and permissions on the endpoints either in the OS directly or with a UEM (User Environment Management) tool.

  12. Windows NLA with NetScaler SSLVPN

    We have corporate machines running Windows 10. When users take there laptops home they login using their domain credentials in cached mode and connect to their home/public network. The issue that we are having is that the Citrix SSLVPN client uses a filter driver on the network adapter, so it does not detect the network change and apply the domain profile with our policies and the device remains stuck with public profile with no protection and therefore is not able to update the connection specific dns which is stored in the domain profile.

  13. Hi Carl,
    For the SSL-VPN Client you mention that the VPN client version must match the NetScaler firmware version. Does that mean that if I update the netscaler firmware the remote clients with an older software version can not connect?
    But how do you plan updates? What is the best practise?
    Is it possible to update the VPN client before updating the netscaler to have no downtime for the remote clients?

    1. The client should update automatically. No admin rights needed. Or, set the Session Profile to not require plugin updates.

      1. Thank you for your answer. Just to clarify that: You only need local admin rights for the initial installation of the NetScaler Gateway Plug-in? For the updates you don’t need local admin rights?
        And if I disable the plugin updates in the session profile the remote clients can still connect with an “older” VPN client?

  14. Hi Carl!
    Do you know if it’s possible to change the fieldnames from the Netscaler Gateway Plug-in?
    We are using a second faktor and want to rename “password” and “secondary password”.

    1. I think it reads the labels from the Portal Theme. Did you create a theme, modify the labels, and apply it to the Gateway?

  15. Upgraded from 10.5-59.13 to 11.1-47.14 and SSL VPN stopped working. After successfully passing EPA, the login forms appears, but EPA starts again after submitting LDAP credentials (successfull LDAP login). I have unbinded EPA pre-auth policies, and the login form appears again after being submitted with valid credentials. I think is something related to AGEE plugin: when installing the new version, Windows complains about the drivers not being digitally signed. Also tried clearing IE cache.

    Log states:
    17:18:19.355 | DEBUG | nsServer_iphlpapi called
    17:18:19.355 | VERBOSE | HideAdapter 0
    17:18:19.358 | DEBUG | Adapter Registry set successfully
    17:18:19.358 | DEBUG | Result = 0
    17:18:19.361 | DEBUG | nsServer_iphlpapi called
    17:18:19.361 | DEBUG | DisableAdapter Citrix Virtual Adapter
    17:18:19.485 | DEBUG | Citrix Virtual Adapter not found
    17:18:19.485 | DEBUG | Result = 1003
    17:18:19.488 | DEBUG | nsServer_iphlpapi called
    17:18:19.488 | VERBOSE | HideAdapter 1
    17:18:19.490 | DEBUG | Adapter Registry set successfully
    17:18:19.490 | DEBUG | Result = 0
    17:18:19.494 | ERROR | ns_delregvalue | 215 | Failed to delete modifiedRoutes registry value, err 2
    17:18:19.494 | ERROR | CnsServer::nsServer_regapi | 849 | Failed DeleteRegValue for ‘modifiedRoutes’
    17:18:19.498 | ERROR | ns_delregvalue | 215 | Failed to delete addedRoutes registry value, err 2
    17:18:19.498 | ERROR | CnsServer::nsServer_regapi | 849 | Failed DeleteRegValue for ‘addedRoutes’
    17:18:19.679 | DEBUG | Stopping service netprofm
    17:18:24.185 | DEBUG | Stop NlaSvc successful
    17:18:25.715 | DEBUG | Start NlaSvc successful
    17:18:26.215 | VERBOSE | Starting service netprofm
    17:18:27.218 | VERBOSE | Successfully restarted NlaSvc

    This looks like the culprit: 17:18:19.485 | DEBUG | Citrix Virtual Adapter not found

    Can anyone nudge me into the right direction?

    Thank you,

  16. Hi Carl,

    We are having some troubles with mapped network drives and outlook client 2010 since we’ve upgrade to the NS version 11.1-47.14. Users have to re-authenticate to network drives after ssl vpn connection is established. Outlook can’t send or receive any mails…. do you something about it?

  17. Are TCP Compression Policies a relevant consideration with an SSL VPN today? For example we see the built-in policy “ns_tunnel_cmpall_gzip” but it’s not that clear how to, or if one could, apply this to a gateway vServer.

    1. I think you can create a VPN Traffic Policy that has HTTP Compression. There’s also a Tunnel Traffic policy but I’m not sure how it’s used.

  18. I would like to use Radius (MFA) authentication only. I also would like to display of bookmarks based on AAA groups (AD linked). AAA group filtering does not work or is it even possible without LDAP authentication metod?

    1. Yes, but your MFA server would need to return the user’s groups in one of the attributes. Then the NetScaler RADIUS policy would need to extract those groups from the attribute.

      Alternatively, you can configure an LDAP policy with Authentication disabled and use that only for Group Extraction.

      MFA also supports LDAP auth instead of RADIUS auth. I assume LDAP auth can more easily get the AD groups.

      1. Hi,
        Is it possible to disable Netscaler gateway plug-in installations that users can not install plug-in by themselves?

          1. Are you asking how to disable VPN for certain users or machines?

            You can’t do a VPN without the plug-in. What exactly are you trying to achieve?

Leave a Reply

Your email address will not be published. Required fields are marked *