Citrix Access Gateway (based on the NetScaler platform) offers the best security access applications for virtual desktops Citrix XenApp and Citrix XenDesktop and applications. It is also the access component for remote Citrix CloudGateway, which provides secure delivery of Web, SaaS and iOS apps, as well as ShareFile data. With all the achievements of the proven NetScaler platform, has a standard of simplicity compromise on power. With all the features and control that provides an access gateway, it can be intimidating to some of us. At Citrix, we take the experience of the end user very seriously, and we want to ensure you get the job done with the least effort possible, without compromising the capabilities that our products can offer! With this vision in our (just released) Z3 version, we created a new simplified configuration wizard in Access Gateway. This remote access assistant is designed to help our case the most common use - remote access to applications Published & Desktops and CloudGateway. On new gateways (or NetScalers), based on 10.0.69.6+ version, you'll be able to access this wizard, as follows:
- on a device, authorized purely as an access gateway (provides no additional service NS), you'll see a new access Gateway Home tab, next to the Dashboard tab. By clicking on this Home tab will take you to the new homepage AGED, which displays basic monitoring information specific to Access Gateway. More importantly, in the corner at the top right you will see a link entitled "Create New Access Gateway. Clicking on the link starts the new Remote Access Wizard.
- On NetScaler appliances / VPX, you will be able to achieve the same Access Gateway home page by clicking on the Configuration node summary Access Gateway. Exact location: Configuration -> Access Gateway -> Getting Started -> Create / Monitor Access Gateway. This will take you to the same page Home Access Gateway as described above. Once there, you will see a link entitled "Create New Access Gateway. Clicking on the link starts the new Remote Access Wizard
The wizard is divided into the following configuration blocks :.
- Parameters of the access gateway
- Authentication
- certificate
- DNS
- Remote access configuration for Web Interface / CloudGateway
the execution of this wizard automatically creates for you, different policies (authentication, session, ...), and binds to a vServer AG. Let's take a look at the different policies created:
- authentication policies
Based on configuring LDAP / RADIUS you provide when the wizard, half authentication policies will be created for you. For example,
What you see above is a political and the sample LDAP authentication profile automatically created by the wizard.
- policy session
wizard also creates 4 session policies for you. Policy session define the relevant parameters for the session of the current user and generally consist of a condition (based on the end user device) and a corresponding action. These help you to provide relevant experiences for different types of platforms. Here is a screenshot of the 4 session of policies that are automatically configured on the basis of contributions to the wizard:
Lets get into some details about these policies. The four configured policies are used to identify the four different access scenarios that Citrix provides to the end user. So before entering the political, lets first understand these access scenarios:
| Access Method | versions | How to identify (REQ .HTTP.HEADER) |
| Pre CG 2.0 Receivers |
| User-Agent CONTAINS CitrixReceiver && X-Citrix-gateway NotExists |
| CG 2.0 Receivers |
| User-Agent CONTAINS CitrixReceiver && X-Citrix Gateway EXIST |
| receptor for Web | NA | User-Agent NOTCONTAINS CitrixReceiver && referer EXIST |
| AG Secure Access plug-in | All | User-Agent NOTCONTAINS CitrixReceiver && referer NotExists |
as well, as should be obvious from the above table, we can look at the request header HTTP used for some channels to identify the access method. And since different receivers / AG plugin need different session profiles, the same can be performed on the basis of the above rules. Here are things to keep in mind:
- All native Citrix Receivers (laptop and desktop) contain the string User-Agent = CitrixReceiver
- Receiver for Web does not contain this chain (because it is not a native receptor). Instead, as it is running on the browser, it contains the string Referer.
- AG Secure Access Plug-in does not contain chains
Well, having identified the different access methods, it is important to look at the profiles of session to be applied to each of them:
| access method | session profiles |
| Pre CG 2.0 Receivers | ICAProxy = ONSSO = ONWI Home = PNAgent site |
| CG 2.0 Receivers | ICAProxy = OFFCVPN = ONSSO = ONWI Home = Storefront website |
| receiver for the Web | ICAProxy = OFFCVPN = ONSSO = ONWI Home = Storefront website |
| AG Secure Access plug-in | ICAProxy = OFFCVPN = OFFSplit Tunnel = ON |
here are the things to note:
- Old desktop and mobile receivers connect to the site PNAgent, using ICAProxy
- New desktop and mobile receivers connect to the site Storefront using CVPN
- receiver for Web provides access to Storefront sites using CVPN
- AG Secure access plug-in provides full access tunnel to the corporate network
- the Clientless access policies
in addition to the session policy, the wizard also creates clientless access policies relevant. the clientless access policies are essentially rewrite policies, which are subject to all traffic in a session. There are two main policies that are configured:
- RfWeb Policy Rewrite -. This policy strikes for all RfWeb traffic and essentially turns the server side Rewrite oN
- No policy Rewrite - This policy is struck for all non-RfWeb traffic and essentially turns off Rewrite side server. This is done since, receivers provide client-side rewriting.
As you can see, once these policies are configured, you are good to go. You have all the requirements for end-users to connect their iPad / Android phones / Windows-Mac laptops and even Kiosk (with receiver for the Web). All this is a basic configuration for you to go. Beyond that, you can perform much more advanced configuration to take advantage of the power that truly offers Access Gateway. Smart Access is something that you should use to granularly control access to your end users.
0 Komentar