This post has already been read 40940 times!
In my previous 3 articles on the Citrix NetScaler Unified Gateway I have walked you through the initial deployment, integrating your Apps and Desktops and adding your Web and SaaS resources to your gateway.
https://bretty.me.uk/citrix-unified-gateway-series-part-1-citrix-unified-gateway-initial-setup/
https://bretty.me.uk/citrix-netscaler-unified-gateway-series-part-3-adding-web-and-saas-resources/
In this article I am going to describe how to work with the VPN Access and restrict the access to a full VPN experience. Then, in Part 5 we will look at Citrix NetScaler End Point Analysis and start to ensure our end points are secure before we allow the VPN to be initiated.
Firstly, lets assume that as a default we want to provide Citrix ICA only access to our customers. Then if you own a company laptop and are a member of a specific AD Group then you get the option to initiate a full VPN.
Lets get into it.
Unbind The Existing Policies
Navigate to NetScaler Gateway – Virtual Servers
Locate your Virtual Server that the wizard created for you
Scroll down to Session Policies
Click on the Session Policies to view them.
You will see here that there are 3 session policies that the wizard has created for you. Basically these will cover off Web, Receiver and VPN Access for you. The User-Agent headers will determine what client settings are deployed to you during login.
We want to UnBind the VPN Access policy and tie that into an Active Directory Group and prohibit the client choices for “normal” users
Click on the UG_VPN policy and then click on UnBind
Select Yes to UnBind the policy
You now need to disable client choices for the remaining 2 policy options left
Click on the PB_WB policy and from the Edit Menu select Edit Profile
Click ok and done to return to the Session Policies
Click the PL_OS policy and from the Edit Menu select Edit Profile
Click the Client Experience tab, scroll down to the bottom, select Advanced Settings then turn OFF Client Choices
At this point you should be able to log into the NetScaler Unified Gateway and get the “normal” user options – i.e. Citrix ICA Only Access
Navigate to your Unified Gateway
Log into your portal and you should see your Apps as if you had selected Apps and Desktops from the client choices screen
Create Active Directory Group for VPN
Next we will create a group to assign the users whom we want a full VPN experience.
Log into your Active Directory Domain Controller and create a new group. Please take a note of the Case and the Spaces in the Group as the NetScaler AAA Group needs to be an EXACT match.
Add your user account to the new group
Configure Your LDAP Authentication Policy
In order for the NetScaler Gateway to be able to read the users Group Memberships you will need to ensure some settings are present in your LDAP Authentication Profile
Navigate to NetScaler Gateway – Policies – Authentication – LDAP and double click your existing LDAP Authentication Policy
Click the Edit button next to the server selected
Scroll down to the Other Settings section, Expand Other Settings and ensure you have options for Group Attribute, Nested Group Extraction, Group Name Identifier, Group Search Attribute and Group Search Sub Attribute.
Adding your AAA Group
Navigate to NetScaler Gateway – User Administration – AAA Groups
Click Add and enter a Group Name – this needs to be EXACTLY the same as your Active Directory Group Name
Click OK and Done. Then double click your listed group to re-open the group to add and bind the policies
On the right click the + next to Policies and Authorisation Policies
Click the + next to Policies to bind your VPN Access Policy
Select Session as the type and click Continue
Select the UG_VPN policy from the list and give it a priority of 10 (The lowest of the 3 existing policies)
Click Bind
Click the + next to Authorisation Policies and then click the + to Select a policy to Bind
Click on Add to add a new Authorisation Policy
Give it a name, select Allow to the action and enter ns_true for the expression
Click Select to Bind the policy
Then click Bind.
Thats it, your Gateway should be set up for selecting VPN access based on the AD Group Membership you created.
Testing
I have started a ping to my internal ESXi Server (192.168.0.31)
I have now logged into my Citrix NetScaler Unified Gateway as Administrator – and have been shown the client options. This is because my account is a member of the netscaler-vpn group in Active Directory
I select Virtual App And Desktop access and will be shown all my subscribed applications and desktops from StoreFront
Note – my ping is still not responding
I will now log out and back in as Administrator again, only this time I will select clienteles access from the client choices.
I am displayed the Clientless access portal and can access all my Apps, Desktops and Web Resources
Note – my ping is still not responding
I will now log back out and in as Administrator only this time I will select the NetWork Access Option.
Once I click this button the NetScaler Unified Gateway will check my machine for the VPN Client
Its not found as this is the first time I have logged into this gateway and requested a full VPN so will display this screen and allow me to download the client
Click download and wait for the client software to download to your machine. Don’t worry if it takes a little while to download and install as the NetScaler Unified Gateway will continue to loop until it picks up that you have a client installed
Once the download has finished open the installer and select Install Citrix Access Gateway Plugin
Click Continue
Read the EULA and click Continue
Click Agree to accept the EULA conditions
Click Install to install the software
Wait for the software to install and accept and trust prompts that your browser will display
When finished click Close to complete the installation
If you switch back to your Citrix NetScaler Unified Gateway you should see the following page displayed allowing you to access all your apps, desktops and web resources.
What you should also notice is that your ping is now responding
You should now be fully connected to your network and can act as though you are part of the LAN (Assuming your firewall rules are in place)
In Part 5 I will be looking at securing the VPN connectivity with a quarantine option using End Point Analysis, be sure to check back for that soon.
Hope this helps some of you out.
Laters,
b@m
Cool read, would it be possible to hide all this for a user and make this single sign on (like direct access) and also do endpoint inspection. If rules are not met redirect them to non vpn access funtions?
Have a read of part 5, it will do Epa then fail back to ica only if the check fails.
Thanks.
Dave.
This is so cool! Thank you for your Post, I have been struggling for a year on Access Gateway to hide VPN access from non VPN users and it took me 10 min with your POST – Bloody Marvellous.
Do you know if one can hide the Vpn Gateway Pop up Splash box? Useful if using always on and forcing users to use the vpn if remote.
Not sure if you can. I know there are some registry keys to do that kind of thing but would need to dig into it a little. Don’t know off the top of my head. Will find out though 🙂