Citrix AppController is the XenMobile component that provides mobile device users with access to native, virtual hosted, web, and SaaS apps. NetScaler Gateway is the XenMobile component that integrates with AppController to provide remote access and single sign-on, among other features. Currently a single AppController can only integrate with a single domain. Until the multiple-domain enhancement is added in a future AppController release, an alternative is to architect your implementation using NetScaler Gateway cascading LDAP policies together with universal domain groups.

You need a separate AppController for each domain, and you must create groups in NetScaler Gateway whose names match the AD universal groups representing the respective domains. The NetScaler Gateway also requires a duplicate set of authentication policies, authentication profiles, session policies and session profiles for each domain, with the respective domain and AppController values applied.

Multiple domains often correspond to geographic regions in a global enterprise forest. For example, three domains representing the Americas (AMER), Asia Pacific (APAC), and Europe/Middle East/Africa (EMEA) would require three sets of those configuration settings. Below is a corresponding generic example of the pertinent NetScaler CLI statements, with a brief description of each section.

### Groups – must match the universal group name exactly as defined in the domain

```
add aaa group AMERGROUP
add aaa group EMEAGROUP
add aaa group APACGROUP
```

### Authentication Profiles – define the parameters used to authenticate against the respective domain server(s)

```
add authentication ldapAction "AMERAD" -serverIP X.X.X.X -serverPort 636 -authTimeout 60 -ldapBase "OU=Accounts,DC=AMERDOMAIN,DC=net" -ldapBindDn "CN=AMERSVCACCT@AMERICAS.net,OU=Accounts,DC=AMERDOMAIN,DC=net" -ldapBindDnPassword XYZ -encrypted -ldapLoginName SamAccountName -searchFilter "&(memberOf=CN=AMERGROUP,OU=Accounts,DC=AMERDOMAIN,DC=net)" -groupAttrName memberOf -subAttributeName CN -secType SSL -nestedGroupExtraction ON -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction "EMEAAD" -serverIP Y.Y.Y.Y -serverPort 636 -authTimeout 60 -ldapBase "OU=Accounts,DC=EMEADOMAIN,DC=net" -ldapBindDn "CN=EMEASVCACCT@EMEADOMAIN.net,OU=Accounts,DC=EMEADOMAIN,DC=net" -ldapBindDnPassword XYZ -encrypted -ldapLoginName SamAccountName -searchFilter "&(memberOf=CN=EMEAGROUP,OU=Accounts,DC=EMEADOMAIN,DC=net)" -groupAttrName memberOf -subAttributeName CN -secType SSL -nestedGroupExtraction ON -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction "APACAD" -serverIP Z.Z.Z.Z -serverPort 636 -authTimeout 60 -ldapBase "OU=Accounts,DC=APACDOMAIN,DC=net" -ldapBindDn "CN=APACSVCACCT@APACDOMAIN.net,OU=Accounts,DC=APACDOMAIN,DC=net" -ldapBindDnPassword XYZ -encrypted -ldapLoginName SamAccountName -searchFilter "&(memberOf=CN=APACGROUP,OU=Accounts,DC=APACDOMAIN,DC=net)" -groupAttrName memberOf -subAttributeName CN -secType SSL -nestedGroupExtraction ON -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
```

### Authentication Policies – normally an expression defines which users the policy applies to, but since group membership is already enforced by the searchFilter in the profile, every hit is valid (i.e. ns_true)

```
add authentication ldapPolicy AMERLDAPPOLICY ns_true "AMERAD"
add authentication ldapPolicy EMEALDAPPOLICY ns_true "EMEAAD"
add authentication ldapPolicy APACLDAPPOLICY ns_true "APACAD"
```

### Session Profiles – define the characteristics of the session, including the target AppController and single sign-on details

```
add vpn sessionAction AMER_OS -dnsVserverName vs_DNS -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "https://AMERAPPC.com" -ntDomain americas -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT
add vpn sessionAction AMER_WEB -dnsVserverName vs_DNS -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://AMERAPPC.com/Citrix/StoreWeb" -icaProxy OFF -wihome "https://AMERAPPC.com/Citrix/StoreWeb" -ntDomain americas -clientlessVpnMode ON
add vpn sessionAction AMER_AG_PLUGIN -splitTunnel ON -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://AMERAPPC.com/Citrix/StoreWeb"
add vpn sessionAction EMEA_OS -dnsVserverName vs_DNS -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "https://EMEAAPPC.EMEADOMAIN.com/Citrix/StoreWeb" -ntDomain emea -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT
add vpn sessionAction EMEA_WEB -dnsVserverName vs_DNS -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://EMEAAPPC.EMEADOMAIN.com/Citrix/StoreWeb" -icaProxy OFF -wihome "https://EMEAAPPC.EMEADOMAIN.com/Citrix/StoreWeb" -ntDomain emea -clientlessVpnMode ON
add vpn sessionAction EMEA_AG_PLUGIN -splitTunnel ON -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://EMEAAPPC.EMEADOMAIN.com/Citrix/StoreWeb"
add vpn sessionAction APAC_OS -dnsVserverName vs_DNS -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "https://APACAPPC.APACDOMAIN.com/Citrix/StoreWeb" -ntDomain asiapacific -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT
add vpn sessionAction APAC_WEB -dnsVserverName vs_DNS -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://APACAPPC.APACDOMAIN.com/Citrix/StoreWeb" -icaProxy OFF -wihome "https://APACAPPC.APACDOMAIN.com/Citrix/StoreWeb" -ntDomain asiapacific -clientlessVpnMode ON
add vpn sessionAction APAC_AG_PLUGIN -splitTunnel ON -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://APACAPPC.APACDOMAIN.com/Citrix/StoreWeb"
```

### Session Policies – identify which types of devices each session profile applies to

```
add vpn sessionPolicy AMERPOLICY_OS "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AMER_OS
add vpn sessionPolicy AMERPOLICY_WEB "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AMER_WEB
add vpn sessionPolicy AMERPOLICY_AG_PLUGIN "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" AMER_AG_PLUGIN
add vpn sessionPolicy EMEAPOLICY_OS "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" EMEA_OS
add vpn sessionPolicy EMEAPOLICY_WEB "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" EMEA_WEB
add vpn sessionPolicy EMEAPOLICY_AG_PLUGIN "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" EMEA_AG_PLUGIN
add vpn sessionPolicy APACPOLICY_OS "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" APAC_OS
add vpn sessionPolicy APACPOLICY_WEB "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" APAC_WEB
add vpn sessionPolicy APACPOLICY_AG_PLUGIN "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" APAC_AG_PLUGIN
```

### Binds – link the configured components to the NetScaler Gateway virtual server and to the groups

```
bind vpn vserver NGVIP -policy AMERLDAPPOLICY
bind vpn vserver NGVIP -policy EMEALDAPPOLICY -priority 10
bind vpn vserver NGVIP -policy APACLDAPPOLICY -priority 20
bind aaa group AMERGROUP -policy AMERPOLICY_AG_PLUGIN
bind aaa group AMERGROUP -policy AMERPOLICY_OS
bind aaa group AMERGROUP -policy AMERPOLICY_WEB
bind aaa group EMEAGROUP -policy EMEAPOLICY_AG_PLUGIN
bind aaa group EMEAGROUP -policy EMEAPOLICY_OS
bind aaa group EMEAGROUP -policy EMEAPOLICY_WEB
bind aaa group APACGROUP -policy APACPOLICY_AG_PLUGIN
bind aaa group APACGROUP -policy APACPOLICY_OS
bind aaa group APACGROUP -policy APACPOLICY_WEB
```
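Because every domain needs the same thirteen objects with only the names, DNs and URLs changed, hand-copying the sets above is where mistakes creep in (a stale searchFilter, a profile pointing at the wrong AppController, a clashing priority). The script below is an added example, not Citrix code and not part of the original post: it renders the full per-domain set from a short record for each domain, and then audits the generated lines (or lines pulled from an existing ns.conf) for the settings this design relies on: LDAP over SSL/TLS, a memberOf searchFilter so only members of the domain group pass, and a distinct explicit priority on each cascaded LDAP policy binding. It generalises the post slightly by giving every LDAP policy binding an explicit priority (10, 20, 30). The server addresses, DNs, URLs and the weak counter-example are constructed placeholders, and the bind password is a placeholder to be substituted at deploy time.

```python
"""Render and audit the per-domain NetScaler Gateway objects described above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    tag: str        # short region tag, e.g. "AMER"; prefixes every object name
    server_ip: str  # LDAP server address (constructed placeholder below)
    base_dn: str    # LDAP search base, e.g. "OU=Accounts,DC=AMERDOMAIN,DC=net"
    bind_dn: str    # service account DN used for the LDAP bind
    nt_domain: str  # -ntDomain value the session profile hands to AppController
    store_url: str  # that domain's AppController StoreWeb URL


# Device-type expressions, as used by the session policies in the post
OS_EXPR = "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS"
WEB_EXPR = "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS"
PLUGIN_EXPR = "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS"
BIND_PASSWORD = "REPLACE_AT_DEPLOY_TIME"  # placeholder: never put a real bind password in source


def render(domains, vserver="NGVIP", dns_vserver="vs_DNS"):
    """Return one complete set of CLI lines per Domain, grouped by section like the post."""
    groups, actions, policies, profiles, sess_pols, vs_binds, grp_binds = ([] for _ in range(7))
    for i, d in enumerate(domains):
        t, group = d.tag, f"{d.tag}GROUP"
        groups.append(f"add aaa group {group}")  # name must match the AD universal group
        actions.append(
            f'add authentication ldapAction "{t}AD" -serverIP {d.server_ip} -serverPort 636 '
            f'-authTimeout 60 -ldapBase "{d.base_dn}" -ldapBindDn "{d.bind_dn}" '
            f'-ldapBindDnPassword {BIND_PASSWORD} -ldapLoginName SamAccountName '
            f'-searchFilter "&(memberOf=CN={group},{d.base_dn})" -groupAttrName memberOf '
            f'-subAttributeName CN -secType SSL -nestedGroupExtraction ON '
            f'-groupNameIdentifier samAccountName -groupSearchAttribute memberOf '
            f'-groupSearchSubAttribute CN')
        policies.append(f'add authentication ldapPolicy {t}LDAPPOLICY ns_true "{t}AD"')
        profiles += [
            f'add vpn sessionAction {t}_OS -dnsVserverName {dns_vserver} -defaultAuthorizationAction ALLOW '
            f'-SSO ON -ssoCredential PRIMARY -icaProxy OFF -wihome "{d.store_url}" -ntDomain {d.nt_domain} '
            f'-clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT',
            f'add vpn sessionAction {t}_WEB -dnsVserverName {dns_vserver} -defaultAuthorizationAction ALLOW '
            f'-SSO ON -homePage "{d.store_url}" -icaProxy OFF -wihome "{d.store_url}" '
            f'-ntDomain {d.nt_domain} -clientlessVpnMode ON',
            f'add vpn sessionAction {t}_AG_PLUGIN -splitTunnel ON -defaultAuthorizationAction ALLOW '
            f'-icaProxy OFF -wihome "{d.store_url}"',
        ]
        for kind, expr in (("OS", OS_EXPR), ("WEB", WEB_EXPR), ("AG_PLUGIN", PLUGIN_EXPR)):
            sess_pols.append(f'add vpn sessionPolicy {t}POLICY_{kind} "{expr}" {t}_{kind}')
            grp_binds.append(f"bind aaa group {group} -policy {t}POLICY_{kind}")
        # Cascading LDAP: a distinct priority per domain so the policies are tried in a fixed order
        vs_binds.append(f"bind vpn vserver {vserver} -policy {t}LDAPPOLICY -priority {10 * (i + 1)}")
    return groups + actions + policies + profiles + sess_pols + vs_binds + grp_binds


def audit(lines):
    """Check the settings this design depends on; returns a list of findings (empty means clean)."""
    findings, priorities = [], {}
    ldap_policies = {m.group(1) for m in map(re.compile(r"^add authentication ldapPolicy (\S+)").match, lines) if m}
    for line in lines:
        if line.startswith("add authentication ldapAction "):
            name = line.split()[3].strip('"')
            if not re.search(r"-secType (SSL|TLS)\b", line):
                findings.append(f"{name}: bind credentials and user passwords not protected by -secType SSL/TLS")
            if "memberOf=CN=" not in line:
                findings.append(f"{name}: no memberOf searchFilter, so any domain user passes, not only the group")
        m = re.match(r"^bind vpn vserver \S+ -policy (\S+)(?: -priority (\d+))?", line)
        if m and m.group(1) in ldap_policies:
            policy, prio = m.group(1), m.group(2)
            if prio is None:
                findings.append(f"{policy}: no explicit -priority; set one so the cascade order is deterministic")
            elif prio in priorities:
                findings.append(f"{policy}: priority {prio} already used by {priorities[prio]}")
            else:
                priorities[prio] = policy
    return findings


# Constructed sample input mirroring the three regions in the post
SAMPLE_DOMAINS = [
    Domain("AMER", "X.X.X.X", "OU=Accounts,DC=AMERDOMAIN,DC=net",
           "CN=AMERSVCACCT,OU=Accounts,DC=AMERDOMAIN,DC=net", "americas", "https://AMERAPPC.com/Citrix/StoreWeb"),
    Domain("EMEA", "Y.Y.Y.Y", "OU=Accounts,DC=EMEADOMAIN,DC=net",
           "CN=EMEASVCACCT,OU=Accounts,DC=EMEADOMAIN,DC=net", "emea", "https://EMEAAPPC.EMEADOMAIN.com/Citrix/StoreWeb"),
    Domain("APAC", "Z.Z.Z.Z", "OU=Accounts,DC=APACDOMAIN,DC=net",
           "CN=APACSVCACCT,OU=Accounts,DC=APACDOMAIN,DC=net", "asiapacific", "https://APACAPPC.APACDOMAIN.com/Citrix/StoreWeb"),
]

# Constructed counter-example: plaintext LDAP, no group restriction, two bindings on the same priority
WEAK_LINES = [
    'add authentication ldapAction "WEAKAD" -serverIP 10.0.0.1 -serverPort 389 -ldapBase "DC=x,DC=net" -secType PLAINTEXT',
    'add authentication ldapPolicy WEAKPOLICY ns_true "WEAKAD"',
    'add authentication ldapPolicy OTHERPOLICY ns_true "WEAKAD"',
    "bind vpn vserver NGVIP -policy WEAKPOLICY -priority 10",
    "bind vpn vserver NGVIP -policy OTHERPOLICY -priority 10",
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_DOMAINS)))
    for finding in audit(WEAK_LINES):
        print("FINDING:", finding)
```

Run it as-is to print the three-domain configuration and the three findings for the weak sample; to audit a live box, feed `audit()` the lines of `show ns runningConfig` instead. Adding a fourth region is a single new `Domain` record, which is the point: the per-domain objects are derived, not retyped.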

For more information regarding XenMobile see the following Reference Architecture: http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/reference-architecture-for-mobile-device-and-app-management.pdf

For more information regarding AppController configuration see: http://support.citrix.com/proddocs/topic/cloudgateway/clg-deployment-cloudgateway-landing-page-con.html

For more information regarding NetScaler Gateway configuration see: http://support.citrix.com/proddocs/topic/netscaler-gateway/ng-10-1-edocs-landing-con.html

Matt Brooks

Architect

Worldwide Consulting Solutions – Mobility Practice

tweetmattbrooks