Using NetScaler Gateway for Content Switching Policies with Legacy Citrix Clients

An article by Jeff Sani from Citrix Blogs

Starting with NetScaler 10.5 Build 51.1017.e+, you can create and bind Content Switching Policies directly to NetScaler Gateway VServers. Connections destined for the Gateway are terminated and processed as normal, but before any actions are invoked on the session, the policy engine checks whether any bound Content Switching policies apply. If the conditions defined in a policy are satisfied, the connection is sent to the target Load Balancing VServer defined in that Content Switching Policy's action.

Although this particular enhancement was developed for ShareFile and XenMobile clients, another primary use case is to identify down-level Citrix clients such as PNAgent or embedded custom clients found in Thin Clients. The enhancement allows you to simplify your deployment design for these clients by leveraging the same DNS namespace, IP, and SSL Certificate already in place for modern Receiver and Browser clients. This was previously not possible as the down-level client authentication methods are incompatible with those required by the NetScaler Gateway VPN VServer. These connections normally have to terminate at the Web Interface services site, or legacy services URL on StoreFront. Combining this new feature with the Web Interface on NetScaler allows you to further consolidate infrastructure and provide an elegant solution that accommodates both legacy and current Citrix clients for hybrid deployments or migration strategies.

Legacy Citrix clients such as PNAgent were never enhanced to be able to authenticate to NetScaler Gateway. This meant that any deployment that had requirements for remote or secured connections from these clients involved provisioning a separate DNS entry point, IP address, and SSL certificate, not to mention additional NAT rules, firewall policies, and the associated end user support along with it. In some cases, more unsavory methods such as disabling authentication altogether on the NetScaler Gateway were used to work around the deficiency. With this method, you don’t have to make these compromises anymore.

[Figure: Before]

[Figure: After]

Prerequisites

  • NetScaler Build 51.1017.e+ or 11.x
  • Existing or Configured VPN VServer
  • Web Interface or StoreFront Legacy Services
  • Existing Content Switching Target LB VServer for Web Interface, StoreFront, or Web Interface on NetScaler
  • Legacy Client Identifier – i.e. User-Agent
  • Web Interface on NetScaler installed

Implementation

Web Interface on NetScaler

Prior to configuring a Web Interface on NetScaler Services Site, you need to create an LB VServer target for use in your Content Switching configuration. As the Web Interface on NetScaler wizard does not permit you to create LB VServers of this type, this step must be done manually.

add service svc_wionns_xa65lab_http_80 127.0.0.1 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver lb_wionns_xa65lab_http_80 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver lb_wionns_xa65lab_http_80 svc_wionns_xa65lab_http_80

VPN Vserver and Content Switching Policies

add policy patset Legacy_Citrix_Client_UA
bind policy patset Legacy_Citrix_Client_UA PNAMAIN.EXE -index 2
# Same LB VServer and service as in the previous step; skip these three lines if they already exist
add lb vserver lb_wionns_xa65lab_http_80 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add service svc_wionns_xa65lab_http_80 127.0.0.1 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind lb vserver lb_wionns_xa65lab_http_80 svc_wionns_xa65lab_http_80
# The action must exist before the policy that references it
add cs action act_pnagent_ng -targetLBVserver lb_wionns_xa65lab_http_80
add cs policy pol_pnagent_ng -rule "HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"Legacy_Citrix_Client_UA\")" -action act_pnagent_ng
bind vpn vserver csv-test-ng -policy pol_pnagent_ng -priority 10
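
An offline pre-change check for the configuration above, as an added example that is not part of the original article or any Citrix tooling: it parses the CLI lines, reports objects referenced before they are defined, and shows which User-Agent values would be switched to the LB VServer and which stay on the Gateway. It models only the CONTAINS_ANY pattern-set rule form used here; the function names `load` and `route` and the embedded config string are assumptions of this example.

```python
import re
import shlex
# Constructed sample input: the commands from this page, in dependency order.
CONFIG = r'''
add policy patset Legacy_Citrix_Client_UA
bind policy patset Legacy_Citrix_Client_UA PNAMAIN.EXE -index 2
add lb vserver lb_wionns_xa65lab_http_80 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add cs action act_pnagent_ng -targetLBVserver lb_wionns_xa65lab_http_80
add cs policy pol_pnagent_ng -rule "HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"Legacy_Citrix_Client_UA\")" -action act_pnagent_ng
bind vpn vserver csv-test-ng -policy pol_pnagent_ng -priority 10
'''

def load(config):
    """Parse the CLI lines; return (state, errors). errors lists references to undefined objects."""
    st, errors = {"patset": {}, "lb": set(), "action": {}, "policy": {}, "bound": []}, []
    for line in filter(None, map(str.strip, config.splitlines())):
        t = shlex.split(line)  # handles the quoted -rule expression and its \" escapes
        opt = {t[i].lower(): t[i + 1] for i in range(3, len(t) - 1) if t[i].startswith("-")}
        cmd, name = " ".join(t[:3]).lower(), t[3]
        if cmd == "add policy patset":
            st["patset"][name] = []
        elif cmd == "bind policy patset":
            st["patset"].setdefault(name, []).append(t[4])
        elif cmd == "add lb vserver":
            st["lb"].add(name)
        elif cmd == "add cs action":
            st["action"][name] = opt["-targetlbvserver"]
            if opt["-targetlbvserver"] not in st["lb"]:
                errors.append(f"{name}: LB vserver {opt['-targetlbvserver']} not defined yet")
        elif cmd == "add cs policy":
            m = re.search(r'CONTAINS_ANY\("([^"]+)"\)', opt["-rule"])
            if opt["-action"] not in st["action"]:
                errors.append(f"{name}: action {opt['-action']} not defined yet")
            if m is None or m.group(1) not in st["patset"]:
                errors.append(f"{name}: rule does not reference a defined pattern set")
            else:
                st["policy"][name] = (m.group(1), "IGNORECASE" in opt["-rule"], opt["-action"])
        elif cmd == "bind vpn vserver":
            st["bound"].append((int(opt["-priority"]), opt["-policy"]))
    return st, errors

def route(st, user_agent):
    """Return the target LB vserver for this User-Agent, or None if it stays on the Gateway."""
    for _, pol in sorted(st["bound"]):  # lower priority number is evaluated first
        patset, nocase, action = st["policy"].get(pol, ("", False, None))
        fold = str.lower if nocase else str
        if any(fold(p) in fold(user_agent) for p in st["patset"].get(patset, [])):
            return st["action"].get(action)
    return None
```

Because User-Agent is a value the client sets, run `route` against the User-Agent strings seen in your own Gateway logs before binding the policy, and keep the pattern set as narrow as the legacy clients allow.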

Web Interface on NetScaler Services Site
