Citrix NetScaler Unified Gateway Series – Part 4 – Use Case for VPN and Selective Deployment


In my previous 3 articles on the Citrix NetScaler Unified Gateway I have walked you through the initial deployment, integrating your Apps and Desktops and adding your Web and SaaS resources to your gateway.

In this article I am going to describe how to work with VPN access and restrict the full VPN experience to selected users.  Then, in Part 5, we will look at Citrix NetScaler End Point Analysis and start to check that our end points are secure before we allow the VPN to be initiated.

First, let's assume that by default we want to provide Citrix ICA-only access to our users.  Only if you have a company laptop and are a member of a specific AD group do you get the option to initiate a full VPN.

Let's get into it.

Unbind The Existing Policies

Navigate to NetScaler Gateway – Virtual Servers.

Locate the virtual server that the wizard created for you.

Scroll down to Session Policies.

Click on the Session Policies to view them.

You will see that the wizard has created three session policies for you.  These cover web browser, Receiver and VPN access respectively; each policy matches on the User-Agent header of the connecting client, so that header determines which client settings are applied at login.

We want to unbind the VPN access policy from the virtual server, tie it to an Active Directory group instead, and turn off client choices for “normal” users.

Click on the UG_VPN policy and then click on Unbind.

Select Yes to unbind the policy.

You now need to disable client choices in the two policies that remain bound.

Click on the PB_WB policy and from the Edit menu select Edit Profile.  Turn OFF Client Choices (Client Experience tab, Advanced Settings).

Click OK and Done to return to the Session Policies.

Click the PL_OS policy and from the Edit menu select Edit Profile.

Click the Client Experience tab, scroll down to the bottom, expand Advanced Settings and turn OFF Client Choices.

At this point you should be able to log into the NetScaler Unified Gateway and get the “normal” user experience, i.e. Citrix ICA-only access.

Navigate to your Unified Gateway.

Log into your portal; you should see your apps as if you had selected Apps and Desktops from the client choices screen.

Create Active Directory Group for VPN

Next we will create a group for the users who should get the full VPN experience.

Log into your Active Directory domain controller and create a new group.  Take note of the case and spacing of the group name, as the NetScaler AAA group name needs to be an EXACT match.

Add your user account to the new group.

Configure Your LDAP Authentication Policy

For the NetScaler Gateway to be able to read a user's group memberships, some settings must be present in your LDAP authentication server profile.

Navigate to NetScaler Gateway – Policies – Authentication – LDAP and double-click your existing LDAP authentication policy.

Click the Edit button next to the selected server.

Scroll down to the Other Settings section, expand it and ensure you have values set for Group Attribute, Nested Group Extraction, Group Name Identifier, Group Search Attribute and Group Search Sub Attribute.  Without these the gateway authenticates the user but never learns which groups they belong to, so the group-bound policies below would never apply.

Adding your AAA Group

Navigate to NetScaler Gateway – User Administration – AAA Groups.

Click Add and enter a group name.  This needs to be EXACTLY the same as your Active Directory group name, including case and spaces.

Click OK and Done.  Then double-click the listed group to re-open it and bind the policies.

On the right, click the + next to Policies and the + next to Authorisation Policies.

Click the + next to Policies to bind your VPN access policy.

Select Session as the type and click Continue.

Select the UG_VPN policy from the list and give it a priority of 10 (a lower number than any of the three existing policies, so it takes precedence for members of the group).

Click Bind.

Click the + next to Authorisation Policies and then click the + to select a policy to bind.

Click Add to add a new authorisation policy.

Give it a name, select Allow as the action and enter ns_true as the expression.

Click Select to bind the policy.

Then click Bind.

That's it; your Gateway should now offer VPN access based on membership of the AD group you created.
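The same configuration, expressed as NetScaler CLI commands, as an added example that is not part of the original post.  The policy names UG_VPN, PB_WB and PL_OS, the group name netscaler-vpn, the priority 10 and the ns_true expression are the ones used above; the virtual server name (UG_vserver), the session profile names (PB_WB_profile, PL_OS_profile), the LDAP action name (LDAP_AD) and the authorisation policy name (netscaler-vpn-allow) are placeholders for whatever the wizard created on your box, and the LDAP attribute values (memberOf, CN, sAMAccountName) are the usual Active Directory choices, assumed here rather than taken from the post.

```nscli
# Added example (not from the original post): CLI equivalent of the GUI steps.
# Placeholder names: UG_vserver, PB_WB_profile, PL_OS_profile, LDAP_AD, netscaler-vpn-allow.

# 1. Unbind the VPN session policy from the gateway virtual server,
#    so it no longer applies to every user who logs in
unbind vpn vserver UG_vserver -policy UG_VPN

# 2. Turn off client choices in the two profiles that stay bound,
#    so "normal" users are never offered the Network Access option
set vpn sessionAction PB_WB_profile -clientChoices OFF
set vpn sessionAction PL_OS_profile -clientChoices OFF

# 3. Group extraction on the LDAP server profile ("Other Settings" in the GUI).
#    Assumed AD values: memberOf holds the group DNs, CN is the group name
set authentication ldapAction LDAP_AD -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 2 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN

# 4. AAA group: the name must match the AD group exactly, including case
add aaa group netscaler-vpn

# 5. Bind the VPN session policy to the group with priority 10, a lower number
#    than the vserver-bound policies, so it wins for members of the group
bind aaa group netscaler-vpn -policy UG_VPN -priority 10

# 6. Authorisation policy allowing traffic for group members (Allow / ns_true)
add authorization policy netscaler-vpn-allow ns_true ALLOW
bind aaa group netscaler-vpn -policy netscaler-vpn-allow -priority 100

# Check the bindings and persist the change
show aaa group netscaler-vpn
save ns config
```

Two things worth checking after applying this: `show aaa group netscaler-vpn` should list both bindings, and a test login with an account that is not in the group should land straight in the ICA-only portal with no client choices screen.  The ns_true authorisation policy allows everything for group members, which is why the post relies on firewall rules behind the gateway to limit what a VPN user can actually reach.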


I have started a ping to my internal ESXi Server (


I have now logged into my Citrix NetScaler Unified Gateway as Administrator and have been shown the client options.  This is because my account is a member of the netscaler-vpn group in Active Directory.

I select Virtual App and Desktop Access and am shown all my subscribed applications and desktops from StoreFront.

Note – my ping is still not responding.

I will now log out and back in as Administrator again, only this time I will select Clientless Access from the client choices.

I am shown the clientless access portal and can access all my apps, desktops and web resources.

Note – my ping is still not responding.

I will now log out and back in as Administrator again, only this time I will select the Network Access option.

Once I click this button the NetScaler Unified Gateway will check my machine for the VPN client.

It is not found, as this is the first time I have logged into this gateway and requested a full VPN, so the gateway displays this screen and allows me to download the client.

Click Download and wait for the client software to download to your machine.  Don't worry if it takes a little while to download and install, as the NetScaler Unified Gateway will keep polling until it detects that you have the client installed.

Once the download has finished, open the installer and select Install Citrix Access Gateway Plugin.

Click Continue.

Read the EULA and click Continue.

Click Agree to accept the EULA conditions.

Click Install to install the software.

Wait for the software to install and accept any trust prompts that your browser displays.

When finished, click Close to complete the installation.

If you switch back to your Citrix NetScaler Unified Gateway you should see the following page, giving you access to all your apps, desktops and web resources.

You should also notice that your ping is now responding.

You should now be fully connected to your network and can work as though you were on the LAN (assuming your firewall rules are in place).

In Part 5 I will look at securing the VPN connectivity with a quarantine option using End Point Analysis, so be sure to check back for that soon.

Hope this helps some of you out.



5 thoughts on “Citrix NetScaler Unified Gateway Series – Part 4 – Use Case for VPN and Selective Deployment”

  1. MartijnHS

    Cool read, would it be possible to hide all this for a user and make this single sign on (like direct access) and also do endpoint inspection. If rules are not met redirect them to non VPN access functions?

  2. Philip

    This is so cool! Thank you for your Post, I have been struggling for a year on Access Gateway to hide VPN access from non VPN users and it took me 10 min with your POST – Bloody Marvellous.

  3. evan

    Do you know if one can hide the VPN Gateway pop-up splash box? Useful if using always on and forcing users to use the VPN if remote.

    1. Bretty (Post author)

      Not sure if you can. I know there are some registry keys to do that kind of thing but would need to dig into it a little. Don’t know off the top of my head. Will find out though 🙂
