One of the major pitfalls of this is the fact that many of us only have a single public IP address. This is also the case with many small businesses, which only have a single entry point to their network.

Which can be as simple as pointing your browser to a local Storefront website, or pointing your Citrix Receiver to the local Storefront site to start remote applications against a Citrix environment.

A good thing about accessing a Citrix environment within the same domain that your workstation resides in is the ability to get single sign-on. So the NetScaler will act as an authentication layer, forward the credentials to Storefront and then authenticate on behalf of the user.

Then, when a user clicks on an application, Storefront will generate an ICA file which specifies the address the Citrix Receiver client should communicate with. In this case that is the NetScaler, which will handle the ICA traffic between the client and the backend VDA agent.
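To check where a generated ICA file actually sends the client, the following added example (not from the original post) parses two constructed ICA files and reports whether the launch goes through a gateway or straight to a backend address. It assumes the commonly seen ICA keys `Address`, `SSLEnable` and `SSLProxyHost`; the hostname, IP address and ticket string are made up.

```python
import configparser
import ipaddress

# Constructed sample: launch brokered through a gateway (hostname and ticket are made up).
GATEWAY_ICA = """
[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0A1B2C3D;0123456789ABCDEF
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

# Constructed sample: internal launch straight to a VDA.
DIRECT_ICA = """
[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.40:1494
"""

def inspect_ica(text):
    """Return, per published app, where the client will connect and any concerns."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys and app names are mixed case; keep them as written
    cp.read_string(text)
    results = []
    for app in cp["ApplicationServers"]:
        sec = cp[app] if cp.has_section(app) else {}
        address = sec.get("Address", "")
        proxy = sec.get("SSLProxyHost", "")
        tls = sec.get("SSLEnable", "Off").lower() == "on"
        issues = []
        if proxy and tls:
            mode, endpoint = "gateway", proxy
            if not address.startswith(";"):
                issues.append("Address is not an opaque ticket: backend address exposed")
        else:
            mode, endpoint = "direct", address
            host = address.rsplit(":", 1)[0]
            try:
                if ipaddress.ip_address(host).is_private:
                    issues.append("direct ICA to a private address: LAN or VPN only")
            except ValueError:
                pass  # hostname rather than an IP literal; nothing to classify
        results.append({"app": app, "mode": mode, "endpoint": endpoint, "issues": issues})
    return results
```

An ICA file handed to an external user should come back as `gateway` with no issues; a `direct` result or an exposed backend address in that situation points at a Storefront gateway or beacon misconfiguration.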

Since it is the common deployment type for remote users, there are some settings that need to be in place on the NetScaler. The latest Citrix Receiver policy now includes the ability to specify the NetScaler Gateway address directly, but this of course requires that we have the ability to control the endpoint with group policy.

So all authentication is handled by Storefront and not by NetScaler. When an endpoint is redirected to one of the site vServers, the GSLB service forwards the endpoint to Storefront with an HTTP rewrite rule that carries the client IP address directly.

So when the endpoint communicates with Storefront, Storefront looks at the client IP, talks with the resources which are closest to the endpoint and generates a list of applications and desktops available to it. When the user clicks on an application or desktop, Storefront generates an ICA file containing an optimal gateway routing parameter which points the end user to the closest datacenter based upon the endpoint IP.

This video shows what the user experience looks like with Optimal Gateway routing for external users who connect directly to Storefront and launch sessions from there. When a user clicks on an application it will generate an ICA file which points to the first NetScaler.

When the Receiver client is establishing a connection it will connect to the first NetScaler Gateway, which will in turn connect to another NetScaler Gateway virtual server which is located on the internal DMZ which will in turn talk with the VDA agents on the Inside.

This is useful if you do not have Receiver installed, do not have admin rights to install it on the endpoint, or have an endpoint which does not support Receiver. This is defined by removing the ICA only setting on a virtual server, which will mark it as Smart Access mode. Now, using client choices, a user has multiple options when logging in. For instance, a user can go into clientless access mode, which is a browser-only VPN connection where the user can gain access to file shares, mail, internal resources and bookmarks.

Or a user can start a full VPN connection and have layer 2 network access to the corporate network. In that case, when a user starts a Citrix application it will go across the VPN link, so performance will not be as good as using regular ICA proxy.

But here we can mix a lot of different settings in the same vServer; we can also publish web resources directly into the clientless access portal. All the options above except for nFactor can be delivered using a regular NetScaler Gateway appliance.

Now Unified Gateway was a new feature which was introduced in version The problem that has been with NetScaler Gateway was that people wanted to have multiple services behind a single IP-address and port.

Using Unified Gateway you are introducing another way of access. Firstly, when a client connects to a Unified Gateway server it will hit a Content Switching virtual server, and if the URL is correct the user will be redirected to the NetScaler Gateway virtual server.

Now, since we have a Content virtual server in front, we can also add other services such as Exchange email, SharePoint or web-based applications behind the same IP and port number. The automatic connection happens after a user is logged on to the device; based upon the AlwaysON policy on the NetScaler, it should pop up automatically, open the homepage and allow for instant Citrix Receiver connection to the backend resources.

Since this feature uses the credentials of the logged-in user, it is best used for SSO, for instance if a user takes a corporate laptop or computer home and wants to access the environment from home. We need to define a DNS suffix, which will be used to check if the endpoint is on the corporate network or external.

We can also define if the end user should be able to disconnect from the tunnel or not. The video below shows the user experience of logging on from a Windows 10 computer, automatically setting up the VPN tunnel against the virtual server, opening up the homepage and doing direct SSO.

Now previously we needed to change some files on the web. So from an end-user perspective it will look like this. Those who have tried Citrix Cloud so far know that it delivers the management bits of a Citrix infrastructure, and then we need to have components installed locally known as CloudConnectors which act as DDC for the VDA agents.

Now previously we needed to have a NetScaler somewhere to access these resources. Storefront was already hosted by Citrix Cloud, so when a user clicks on an application it would generate an ICA file and connect to the NetScaler and access those VDA agents.

The NetScaler of course needed to have a public IP and a digital certificate installed, and it also needed to run either physically or as a virtual appliance.

Windows 10 Azure AD Join with ADFS and Federated Authentication Service

So far in the previous scenarios we have looked at using regular Active Directory as the authentication source against a Citrix environment. A lot of customers are today moving towards Office, and there they leverage AzureAD as part of it.

NetScaler HTTP-to-HTTPS Redirect Configuration Example

Here is an easy, quick example of how to redirect HTTP to HTTPS. You can also do the redirect within the virtual server, but then the virtual server is shown as down.

Content Switching (does the request have a server id cookie or not) Load balancing with Server Id definitions for each service group binding Rewrite of the response of .

I am trying to use a Content Switching Action in my NetScaler to replace the periods in a domain name with a hyphen.

Netscaler Action - Replace Period with Hyphen. You can either do a logical replace with regular expressions or a static replace where you simply have 1 rewrite policy / action for each application. You can. When I access OWA through the UG I can login (set up SSO using a traffic policy similar to previous versions of Exchange) however the content doesn't load.

I found a Citrix discussion detailing the same issue, however switching the app type to an Intranet application doesn't seem like a fix for CVPN. Now when I started working with NetScaler I was always thinking what the hell are the differences between the features Rewrite, Responder and URL transformation which were like different options in the NetScaler AppExpert field.

Now after using these features for some time and scrolling in the discussion forums I notice the same question being . NetScaler looks up the hash on the T Content Accelerator Works When a load balancing or content switching virtual server receives a client request, the NetScaler appliance evaluates a content accelerator policy that you have bound to the virtual server.
