In a typical Desktops-as-a-Service environment, applications and desktops are securely delivered to the end user by leveraging Citrix NetScaler Gateway technology. To avoid allowing any Active Directory user account can login to the NetScaler Gateway, configuring LDAP search filters are a common practice to include only users with a specific group membership.

Using CloudPortal Services Manager and Hosted Apps and Desktops Resources provides a simple method to manage and provision logon access to NetScaler Gateway for service providers through a single control plane, without the requirement to touch Active Directory manually.

Here are the steps to activate this:

Create Hosted-Apps-and-Desktops Resource in CPSM

In the CloudPortal Services Manager Web Portal, navigate to Services -> Hosted Apps and Desktops -> Offering Management and then to the Resources tab. Click on New.

Fill in appropriate information and click on Save. This will create a new Active Directory Security Group (default OU is CortexSystem / Services / HostedAppsAndDesktops / Resources). If an Active Directory Security Group already exists and should be reused, select “Find an existing directory” instead of “Generate a directory name”. This will “pin” the HAaD Resource to the group.

Furthermore, it is also possible to create a new group and add it as a member to an existing group.

Configure NetScaler Gateway LDAP Policy

The next step is to configure the search filter in NetScaler Gateway LDAP policy. If the AD group already exists and was previously configured, this step can be skipped.

Login to the NetScaler Gateway UI and navigate to Configuration -> NetScaler Gateway -> Policies -> Authentication -> LDAP.

Switch to the Servers tab, select the appropriate LDAP profile and click on Edit.

In the Search Filter field, enter the LDAP search filter with the Active Directory group name of the previously created CPSM HAaD Resource. The default value is “Resource – <Directory Name>”.

An example search filter could be:
&(memberOf=CN=Resource – NSGLogonAllowed, OU=Resources, OU=HostedAppsandDesktops, OU=Services, OU=CortexSystem, DC=mydomain, DC=local)

If Active Directory groups are nested, it is required to add the string “1.2.840.113556.1.4.1941” as an extended match operator, for example:
&(memberOf:1.2.840.113556.1.4.1941:=CN=ctxNSG-LogonAllowed, CN=Users, DC=mydomain, DC=local)

Provision HAaD Resource to Resellers, Customers and Users

Last, but not least, the HAaD Resource needs to be provisioned in CloudPortal Services Manager to resellers, their customers and end users.

Once these few configuration steps are complete, logon access to the DaaS environment can be easily granted to users within a single control panel, just by provisioning the HAaD Resource to the customer and end users without the need to access Active Directory directly.