They age-old problem of Legacy Citrix Receiver client access through a common NetScaler Gateway has now been solved!

Starting with NetScaler 10.5 Build 51.1017.e+, you can now can create and bind Content Switching Policies directly to NetScaler Gateway VServers. Connections destined for the Gateway are terminated and processed as normal, but before any actions are invoked on the session, the policy engine checks to see if any Content Switching policies are bound which may apply. If the conditions defined in the policy are satisfied, connections are sent to the target Load Balancing VServers defined in the applicable Content Switching Policy action.

Although this particular enhancement was developed for ShareFile and XenMobile clients, another primary use case is to identify down-level Citrix clients such as PNAgent or embedded custom clients found in Thin Clients. The enhancement allows you to simplify your deployment design for these clients by leveraging the same DNS namespace, IP, and SSL Certificate already in place for modern Receiver and Browser clients. This was previously not possible as the down-level client authentication methods are incompatible with those required by the NetScaler Gateway VPN VServer. These connections normally have to terminate at the Web Interface services site, or legacy services URL on StoreFront.  Combining this new feature with the Web Interface on NetScaler allows you to further consolidate infrastructure and provide an elegant solution that accommodates both legacy and current Citrix clients for hybrid deployments or migration strategies.

Legacy Citrix clients such as PNAgent were never enhanced to be able to authenticate to NetScaler Gateway. This meant that any deployment that had requirements for remote or secured connections from these clients involved provisioning a separate DNS entry point, IP address, and SSL certificate, not to mention additional NAT rules, firewall policies, and the associated end user support along with it. In some cases, more unsavory methods such as disabling authentication all together on the NetScaler Gateway were used to work around the deficiency. With this method, you don’t have to make these comprises anymore.

Before

before

After

after

Prerequisites

  • NetScaler Build 51.1017.e+ or 11.x
  • Existing or Configured VPN VServer
  • Web Interface or StoreFront Legacy Services
  • Existing Content Switching Target LB VServer for  Web Interface, StoreFront, or Web Interface on NetScaler
  • Legacy Client Identifier – i.e. User-Agent
  • Web Interface on NetScaler installed

Implementation

Web Interface on NetScaler

Prior to configuring a Web Interface on NetScaler Services Site, you need to create an LB VServer target for use in your Content Switching configuration. As the Web Interface on NetScaler wizard does not permit you to create LB VServers of this type, this step must be done manually.

add service svc_wionns_xa65lab_http_80 127.0.0.1 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver lb_wionns_xa65lab_http_80 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver lb_wionns_xa65lab_http_80 svc_wionns_xa65lab_http_80

VPN Vserver and Content Switching Policies

add policy patset Legacy_Citrix_Client_UA
bind policy patset Legacy_Citrix_Client_UA PNAMAIN.EXE -index 2
add lb vserver lb_wionns_xa65lab_http_80 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add service svc_wionns_xa65lab_http_80 127.0.0.1 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 –cip DISABLED -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind lb vserver lb_wionns_xa65lab_http_80 svc_wionns_xa65lab_http_80
add cs policy pol_pnagent_ng -rule "HTTP.REQ.HEADER(\"User-
Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"Legacy_Citrix_Client_UA\")" -action act_pnagent_ng
add cs action act_pnagent_ng -targetLBVserver lb_wionns_xa65lab_http_80
bind vpn vserver csv-test-ng -policy pol_pnagent_ng -priority 10

Web Interface on NetScaler Services Site

add wi site "/Citrix/PNAgent/" "<a href="https://csv-ng.pnwlab.local&quot;">https://csv-ng.pnwlab.local"</a> "<a href="http://192.168.15.160&quot;">http://192.168.15.160"</a> -sessionReliability ON -authenticationPoint WebInterface -defaultAccessMethod GatewayDirect -siteType XenAppServices
add wi site "/Citrix/DesktopWeb/" "<a href="https://csv-ng.pnwlab.local&quot;">https://csv-ng.pnwlab.local"</a> "<a href="http://192.168.15.160&quot;">http://192.168.15.160"</a> -sessionReliability ON -authenticationPoint AccessGateway -agAuthenticationMethod Explicit –defaultAccessMethod
bind wi site "/Citrix/PNAgent/" PNWLAB xa65lab-a.pnwlab.local

That is really all you need to do.

Note that is it not required to actually configure a Content Switching VServer – only the policies and respective actions need to be defined. 

If you desire to use existing Web Interface LB you have already setup or StoreFront with the Legacy Services URL enabled, there are not a whole lot changes here – just create your LB VServers and respective CS VServer policy actions to leverage those resources instead.  Also, if you are using the UI, you may have already noticed that there exists an option in the breadcrumb menu for adding Content Switching Policies to a VPN Vserver:

image

Testing and Validation

Testing is fairly straightforward. Simply alter the URL being used by the down-level client to be that of the NetScaler Gateway VPN VServer.

Here is how to alter PNAgent for example:

image

If everything is in place you should see that the client can indeed connect properly to obtain the initial configuration, prompt for the required authentication,  and eventually enumerate/launch applications.  On the NetScaler, you can verify that the policy or policies that you have defined are being hit as an additional verification by checking the UI or using the CLI.

UI:

image

CLI:

Policy: pol_pnagent_ng  Rule: HTTP.REQ.HEADER(“User-Agent”).SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(“Legacy_Citrix_Client_UA”)   Action: act_pnagent_ng

Hits: 16

1)      CS Vserver: csv-test-ng
Priority: 100
Hits: 16
Done
>

Extended Use Cases

This new feature has many use cases outside of that presented here – mainly revolving around:

  • Legacy PNAgent Support
  • Web Interface to StoreFront Migrations
  • Legacy ThinClient/Device Support
Some of the other use cases that crossed my mind were:
  • ShareFile Sync > Controller
  • Worx Client > XenMobile Server
  • OWA/SharePoint
  • EPA Remediation Site Redirection

Additional Resources