Steps involved for enabling Netscaler Gateway 10.5 ‘Smart Access’ on Storefront 2.5.x and XenApp-Desktop 7.5

Hi,

Some steps I found critical for enabling Smart Access filtering in Netscaler Gateway 10.5.x / Storefront 2.5.x / XenApp or XenDesktop 7.5

Licensing

You will need a Universal license. NetScaler Platinum Edition works fine.
The Universal license limits the number of concurrent user sessions to the number of licenses you purchase. The Universal license supports the following features:

  • Full VPN tunnel
  • Micro VPN
  • Endpoint analysis
  • Policy-based SmartAccess
  • Clientless access to web sites and file shares

Actions to perform on Netscaler – part I

Create a Netscaler Gateway Virtual Server (and test if it is working)
Netscaler Gateway Virtual Server Name: Company_Gateway
(remember this name; you will need it later)

Edit the Netscaler Virtual Server – Uncheck ‘ICA Only’ (If checked)

Session Policies & Session Profiles
The policy defines when. The profile defines what.

Create/Copy a Netscaler Gateway ‘Session Profile’ (you can perform a copy when standing on a highlighted one and clicking ‘Add’). Note: The Netscaler Gateway Wizard automatically defines two Session Profiles: one for the native ICA Client, aka Receiver, and one for the HTML5 ‘web site’ on Storefront, aka ReceiverForWeb. Modify if needed, for example to point to a different Storefront Store (if available in Storefront).

Details on Session Profiles are out of scope, but there is good information on the internet or at http://discussions.citrix.com/ and http://support.citrix.com/proddocs/topic/netscaler-gateway-105/ng-how-session-policies-work-tsk.html

Create/Copy a Netscaler Gateway ‘Session Policy’ (you can perform a copy when standing on a highlighted one and clicking ‘Add’)

Note: The Netscaler Gateway Wizard automatically defines two Session Policies: one for the native ICA Client, aka Receiver, and one for the HTML5 ‘web site’ on Storefront, aka ReceiverForWeb. Modify the policies for your needs.

For example,

Session Policy Name: WB_Enable_USB_Policy
Note: For accessing the URL with a regular browser
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.IP.SOURCEIP == 111.222.333.444

Session Policy Name: OS_Enable_USB_Policy
Note: When accessing the URL by means of ICA Client/Receiver
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.IP.SOURCEIP == 111.222.333.444

Map the corresponding (two) Session Policies to the corresponding (two) Session Profiles

Actions to perform on Netscaler – part II

Edit your existing Netscaler Gateway Virtual Server. Add the ‘Session Profiles’ to the Netscaler Virtual Server. Insert priorities: most of the time, insert restrictive policies first with the lowest number (these should be evaluated first).

Actions to perform on every Citrix Controller

Open Powershell
Add-PSSnapin Citrix.*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Define a new Citrix Policy – enabling Removable Storage (USB thumb drives), for example
Assign the Citrix Policy by means of ‘Access Control’

Add an entry:

Netscaler Farm Name = Netscaler Gateway Virtual Server Name = In our Example ‘Company_Gateway’
Access Condition = Session Policy = WB_Enable_USB_Policy

Add a second entry

Netscaler Farm Name = Netscaler Gateway Virtual Server Name = In our Example ‘Company_Gateway’
Access Condition = Session Policy = OS_Enable_USB_Policy

Save the policy.

NOTE: You can also use ‘Smart Access – Access Filtering’ on Desktops and Applications; for this, edit the relevant ‘Delivery Group’ or ‘Published Application’.

When all is in place, start an application or desktop. If your client IP originates from 111.222.333.444, you should have Removable Storage (USB thumb drive) enabled and visible in your session.
Note: when accessing remotely over the internet, REQ.IP.SOURCEIP is probably the external gateway through which you leave your organisation and from which you access the VIP of the Netscaler Gateway.
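The Delivery Group access filtering mentioned in the note above can also be scripted on a Controller. The following is an added example, not part of the original post: it reuses the post's gateway name and session policy names, and the Delivery Group name 'Example Delivery Group' is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Run on a Citrix Controller.
Add-PSSnapin Citrix.*

$farm          = 'Company_Gateway'                               # Gateway virtual server name used in this post
$filters       = 'WB_Enable_USB_Policy', 'OS_Enable_USB_Policy'  # session policy names used in this post
$deliveryGroup = 'Example Delivery Group'                        # hypothetical name, replace with your own

# 1. The step from this post: the site must trust requests sent to the XML service port.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# 2. SmartAccess tags take the form Farm:Filter.
#    ${farm} is braced so PowerShell does not parse "$farm:" as a scope qualifier.
$tags = $filters | ForEach-Object { "${farm}:$_" }

# 3. Apply the tags only to the rules that cover connections arriving via the gateway.
Get-BrokerAccessPolicyRule -DesktopGroupName $deliveryGroup |
    Where-Object { $_.AllowedConnections -eq 'ViaAG' } |
    Set-BrokerAccessPolicyRule -IncludedSmartAccessFilterEnabled $true `
                               -IncludedSmartAccessTags $tags

# 4. Read the rules back to confirm what is now enforced.
Get-BrokerAccessPolicyRule -DesktopGroupName $deliveryGroup |
    Select-Object Name, AllowedConnections,
                  IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags
```

Because the Controller then trusts what arrives on the XML service port, limit access to that port to the Storefront servers.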

 

Hope this is helpful.

 

Ronny.

Netscaler (Access) Gateway – /cgi/login – HTTP 500 Internal Server Error – HTTP 403 forbidden

Hi,

Problems with Netscaler (Access) Gateway?

You can log in successfully, but after logging in you get an HTTP error? The /cgi/login page would display an HTTP 500 Internal Server Error. Pressing F5 for a refresh would result in an HTTP 403 Forbidden: The website declined to show this page.

  • Open the ‘Global Netscaler Gateway Settings’ page
  • navigate to ‘Network Configuration’
  • Under ‘Name Server’ add at least one DNS server (two is a best practice)

Note: in my experience, adding DNS Virtual Servers caused the error.
Only utilizing DNS Virtual Servers in this tab didn’t seem to work. It should have worked
because they’re up and running, tested. But it would not work.

Resolution: Just insert two DNS servers under the ‘Name Server’ tab

Other causes:

Navigate to ‘Published Applications’
Double check the Web Interface Address URL for example: http(s)://storefront-or-webinterface-url.fqdn/ReceiverForWebSite
Check the IPv type

 

These HTTP errors are quite generic and can have multiple causes.
Hope this will solve your HTTP 500 or 403.

 

Good luck bug hunting,

 

Ronny