Citrix Gateway

Unified Gateway FAQ

What is Unified Gateway?

Unified Gateway is a new feature in the Citrix ADC 11.0 release, providing the ability to receive traffic on a single virtual server (called a Unified Gateway virtual server) and then internally direct that traffic, as appropriate, to virtual servers that are bound to the Unified Gateway virtual server.

The Unified Gateway feature allows end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). Administrators can free up IP addresses and simplify the configuration of the Citrix Gateway deployment.

Each Unified Gateway virtual server can front-end one Citrix Gateway virtual server along with zero or more load balancing virtual servers as part of a formation. Unified Gateway works by leveraging the content switching feature of the Citrix ADC appliance.

Some examples of Unified Gateway deployments:

  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, one load balancing virtual server]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, two load balancing virtual servers]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, three load balancing virtual servers]

Each of the load balancing virtual servers can be any standard load balancing virtual server that hosts a back-end service, such as Microsoft Exchange or Citrix ShareFile.

Why use Unified Gateway?

The Unified Gateway feature enables end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). For administrators, the advantage is that they can free up IP addresses and simplify the configuration of the Citrix Gateway deployment.  

Can there be more than one Unified Gateway virtual server?

Yes. There can be as many Unified Gateway virtual servers as you need.

Why is content switching needed for Unified Gateway?

The content switching feature is required because the content switching virtual server is the one that receives traffic and internally directs it to the appropriate virtual server. The content switching virtual server is the primary component of the Unified Gateway feature.

In releases earlier than 11.0, content switching could be used to receive traffic for multiple virtual servers. Is that use also called Unified Gateway?

Use of a content switching virtual server for receiving traffic for multiple virtual servers is supported in releases earlier than 11.0. However, content switching could not direct traffic to a Citrix Gateway virtual server.

The enhancements in 11.0 enable a content switching virtual server to direct traffic to any virtual server, including a Citrix Gateway virtual server.

What has changed with content switching policies in Unified Gateway?

1. A new command line parameter, “-targetVserver”, has been added to the content switching action. The new parameter specifies the target Citrix Gateway virtual server. Example:

> add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG

In the Citrix Gateway configuration utility, the content switching action has a new option, Target Virtual Server, which can reference a Citrix Gateway virtual server.

2. A new advanced policy expression, is_vpn_url, can be used to match Citrix Gateway and authentication-specific requests.

What Citrix Gateway features are not currently supported in Unified Gateway?

All features are supported in Unified Gateway. However, a minor issue (issue ID 544325) has been reported with native logon through the VPN plugin. In this case, seamless single sign-on (SSO) does not work.

With Unified Gateway, what is the behavior of EPA scans?

With Unified Gateway, endpoint analysis is triggered only for Citrix Gateway access methods, not for AAA-TM access. If a user tries to access an AAA-TM virtual server, the EPA scan is not triggered even though the authentication is done on the Citrix Gateway virtual server. However, if the user is trying to gain clientless VPN or full VPN access, the configured EPA scan is triggered. In that case, either authentication or seamless SSO is done.

Setup

What are the license requirements for Unified Gateway?

Unified Gateway is supported only for Enterprise and Platinum licenses. It will not be available for Citrix Gateway only or Standard license editions.

Does the Citrix Gateway virtual server used with Unified Gateway need an IP/Port/SSL configuration?

For a Citrix Gateway virtual server used with a Unified Gateway virtual server, an IP/Port/SSL configuration is not needed on the Citrix Gateway virtual server. However, for RDP proxy functionality you can bind the same SSL/TLS server certificate to the Citrix Gateway virtual server.

Do I need to re-provision SSL/TLS certificates that are on Citrix Gateway virtual server for use with a Unified Gateway virtual server?

You do not need to re-provision certificates that are currently bound to your Citrix Gateway virtual server. You are free to reuse any existing SSL certificate(s) and to bind those to the Unified Gateway virtual server.

What is the difference between a single URL and a multi-host deployment? Which one do I need?

Single URL refers to the ability of the Unified Gateway virtual server to handle traffic for one fully qualified domain name (FQDN). This restriction exists when Unified Gateway uses an SSL/TLS server certificate whose subject is populated with that FQDN. For example: ug.citrix.com

If, however, Unified Gateway is using a wildcard server certificate, it can handle traffic for multiple subdomains. For example: *.citrix.com

Another option is an SSL/TLS configuration with Server Name Indication (SNI) functionality, which allows multiple SSL/TLS server certificates to be bound. Examples: auth.citrix.com, auth.citrix.de, auth.citrix.co.uk, auth.citrix.co.jp

Single host versus multiple hosts is analogous to the way websites are typically hosted on a web server (for example, Apache HTTP Server or Microsoft Internet Information Services (IIS)). If there is a single host, you switch traffic by site path, the same way you use an alias or “virtual directory” in Apache. If there are multiple hosts, you switch traffic by host header, similarly to the way you use Virtual Hosts in Apache.
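The path-based (single URL) and host-header (multi-host) switching described above, together with the -targetVserver action and is_vpn_url expression from the content switching section, as an added Citrix ADC CLI example that is not part of the original FAQ. All object names, the 203.0.113.10 address, the certificate name and the hostnames are constructed, and the # lines are explanatory comments.

```nscli
# Unified Gateway (content switching) virtual server: the only addressable,
# externally exposed endpoint, so the server certificate is bound here
add cs vserver UG_CS_MyUG SSL 203.0.113.10 443
bind ssl vserver UG_CS_MyUG -certkeyName UG_ServerCert

# Citrix Gateway virtual server behind it: non-addressable (0.0.0.0, port 0),
# no IP/port/certificate of its own; authentication policies still bind here
add vpn vserver UG_VPN_MyUG SSL 0.0.0.0 0

# Gateway- and authentication-specific requests go to the Citrix Gateway
# virtual server; this policy gets the highest priority (lowest number)
add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
add cs policy UG_CSPOL_MyUG -rule "is_vpn_url" -action UG_CSACT_MyUG
bind cs vserver UG_CS_MyUG -policyName UG_CSPOL_MyUG -priority 100

# Single-URL deployment: one FQDN, applications distinguished by path
add lb vserver LB_OWA SSL 0.0.0.0 0
add cs action CSACT_OWA -targetLBVserver LB_OWA
add cs policy CSPOL_OWA -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/owa\")" -action CSACT_OWA
bind cs vserver UG_CS_MyUG -policyName CSPOL_OWA -priority 110

# AAA-TM on that application: the authentication host points at the Unified
# Gateway FQDN, so the Citrix Gateway virtual server is the single logon point
set lb vserver LB_OWA -Authentication ON -AuthenticationHost ug.citrix.lab

# Multi-host deployment (wildcard or SNI certificate): applications
# distinguished by the Host header instead of the path
add lb vserver LB_ShareFile SSL 0.0.0.0 0
add cs action CSACT_ShareFile -targetLBVserver LB_ShareFile
add cs policy CSPOL_ShareFile -rule "HTTP.REQ.HOSTNAME.EQ(\"sharefile.citrix.lab\")" -action CSACT_ShareFile
bind cs vserver UG_CS_MyUG -policyName CSPOL_ShareFile -priority 120
```

Keep the is_vpn_url policy at the lowest priority number so that logon and authentication requests always reach the Citrix Gateway virtual server before any application policy can match them.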

Authentication

What authentication mechanisms can be used with Unified Gateway?

All existing authentication mechanisms that work with Citrix Gateway work with Unified Gateway.

These include LDAP, RADIUS, SAML, Kerberos, certificate-based authentication, and so on.

Whatever authentication mechanism was configured on the Citrix Gateway virtual server before the upgrade is automatically used when the Citrix Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to the Citrix Gateway virtual server.

What is “SelfAuth” Authentication?

SelfAuth is not an authentication type by itself. SelfAuth describes how a URL is created. A new command line parameter, ssotype, is available for VPN URL configuration. Example:

> add vpn url RGB RGB "http://blue.citrix.lab/" -vServerName Blue -ssotype selfauth

SelfAuth is one of the values of the ssotype parameter. This type of URL can be used to access resources that are not in the same domain as the Unified Gateway virtual server. The setting can be seen in the configuration utility when configuring a Bookmark.

What is “StepUp” Authentication?

When additional, more secure levels of authentication are required for accessing an AAA-TM resource, you can use StepUp authentication. On the command line, use an authnProfile command to set the authenticationLevel parameter. Example:

> add authentication authnProfile AuthProfile -authnVsName AAATMVserver -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100

This authentication profile is bound to the load balancing virtual server.

Is StepUp authentication supported for AAA-TM virtual servers?

Yes, it is supported.

What is login once/logout once?

Login Once: VPN users log in once to either an AAA-TM or a Citrix Gateway virtual server. From then on, VPN users have seamless access to all enterprise, cloud and web applications. The user need not be reauthenticated. However, reauthentication is done for special cases, such as AAA-TM StepUp.

Logout Once: After the first AAA-TM or Citrix Gateway session is created, it is used to create subsequent AAA-TM or Citrix Gateway sessions for that user. If any of those sessions are logged out, the Citrix ADC appliance also logs out the user’s other applications or sessions.

Can common authentication policies be specified at the Unified Gateway level, with AAA-TM load balancing virtual server specific authentication policies bound at the load balancing virtual server level? What are the configuration steps to support this use case?

If you need to specify separate authentication policies for an AAA-TM virtual server behind Unified Gateway, you need a separate, independently addressable authentication virtual server (similar to an ordinary AAA-TM configuration). The authentication host setting on the load balancing virtual server has to point to this authentication virtual server.

How do you configure Unified Gateway so that bound AAA-TM virtual server(s) have their own authentication policies?

In this scenario, the load balancing virtual server must have the authentication FQDN option set to point to the AAA-TM virtual server. The AAA-TM virtual server must have an independent IP address and be reachable from the Citrix ADC appliance and from clients.

Is an AAA-TM authentication virtual server required for authenticating users coming through a Unified Gateway virtual server?

No. The Citrix Gateway virtual server authenticates even the AAA-TM users.

Where do you specify Citrix Gateway authentication policies: at the Unified Gateway virtual server or at the Citrix Gateway virtual server?

Authentication policies are bound to the Citrix Gateway virtual server.

How do you enable authentication on AAA-TM virtual servers behind a Unified Gateway content switching virtual server?

Enable authentication on the AAA-TM virtual server and point the authentication host to the Unified Gateway content switching FQDN.

AAA-Traffic Management

How do I add TM virtual servers behind content switching (single URL versus multi-host)?

There is no difference between adding AAA-TM virtual servers for a single URL and adding them for multiple hosts. In either case, the virtual server is added as a target in a content switching action. The difference between single URL and multi-host is implemented by the content switching policy rules.

What happens to authentication policies bound to an AAA-TM load balancing virtual server if that virtual server is moved behind a Unified Gateway virtual server?

Authentication policies are bound to an authentication virtual server, and the authentication virtual server is bound to the load balancing virtual server. For the Unified Gateway virtual server, Citrix recommends having the Citrix Gateway virtual server as the single authentication point, which negates the need to perform authentication on an authentication virtual server (or even the need for a specific authentication virtual server). Pointing the authentication host to the Unified Gateway virtual server FQDN ensures that authentication is done by the Citrix Gateway virtual server. If you point the authentication host to the content switching virtual server for Unified Gateway and still have an authentication virtual server bound, the authentication policies bound to that authentication virtual server are ignored. However, if you point the authentication host to an independently addressable authentication virtual server, its bound authentication policies take effect.

How do you configure session policies for AAA-TM sessions?

If, in Unified Gateway, no authentication virtual server is specified for the AAA-TM virtual server, the AAA-TM sessions inherit the Citrix Gateway session policies. If the authentication virtual server is specified, the AAA-TM session policies bound to that virtual server are applied.

Portal Customization

What are the changes to the Citrix Gateway portal in Citrix ADC 11.0?

In Citrix ADC releases earlier than 11.0, a single portal customization can be set up at the global level. Every gateway virtual server in a given Citrix ADC appliance uses the global portal customization.

In Citrix ADC 11.0, with the portal themes feature, you can set up multiple portal themes. Themes can be bound globally or to specific virtual servers.

Does Citrix ADC 11.0 support Citrix Gateway portal customization?

Yes. In the configuration utility, you can use the new portal themes feature to create and fully customize portal themes. You can upload different images, set color schemes, change text labels, and so on.

The portal pages that can be customized are:

  • Login Page
  • Endpoint Analysis Page
  • Endpoint Analysis Error Page
  • Post Endpoint Analysis Page
  • VPN Connection Page
  • Portal Home Page

With this release, you can customize Citrix Gateway virtual servers with unique portal designs.

Are portal themes supported in Citrix ADC high availability or cluster deployments?

Yes. Portal Themes are supported in Citrix ADC high availability and cluster deployments.

Will my customizations be migrated as part of the Citrix ADC 11.0 upgrade process?

No. Existing customizations to the Citrix Gateway portal page that are invoked through rc.conf/rc.netscaler file modifications, or by using the custom theme functionality in 10.1/10.5, are not automatically migrated upon upgrade to Citrix ADC 11.0.

Are there any pre-upgrade steps to follow to be ready for portal themes in Citrix ADC 11.0?

Any existing customizations have to be removed from the rc.conf or rc.netscaler file(s).

Alternatively, if custom themes are used, they have to be set to the Default theme:

Navigate to Configuration > Citrix Gateway > Global Settings

Click Change Global Settings. Click Client Experience and select Default from UI Theme drop-down list.

I have customizations that are stored on the Citrix ADC instance, invoked by rc.conf or rc.netscaler. How do I move to portal themes?

Citrix Knowledge Center article CTX126206 details such a configuration for Citrix ADC 9.3 and 10.0 releases up to 10.0 build 73.5001.e. Since Citrix ADC 10.0 build 10.0 73.5002.e (including 10.1 and 10.5), the UITHEME CUSTOM parameter has been available to help customers retain their customizations across reboots. If customizations are stored on the Citrix ADC hard drive and you would like to continue using these customizations, back up the 11.0 GUI files and insert them into the existing custom theme file. If you want to move to portal themes, you must first unset the UITHEME parameter in the Global Settings or the Session profile, under Client Experience. Or, you can set it to DEFAULT or GREENBUBBLE. Then you are able to start to create and bind a Portal Theme.

How can I export my current customizations and save them before upgrading to Citrix ADC 11.0? Can I move the exported files to a different Citrix ADC appliance?

The customized files that were uploaded to the ns_gui_custom folder are on the disk and persist across upgrades. However, these files might not be entirely compatible with the new Citrix ADC 11.0 kernel and other GUI files that are part of the kernel. Therefore, Citrix recommends backing up the 11.0 GUI files and customizing the backups.

Moreover, the configuration utility has no option to export the ns_custom_gui folder to another Citrix ADC appliance. You have to use SSH or a file transfer utility such as WinSCP to copy the files off the Citrix ADC instance.

Are portal themes supported for AAA-TM virtual servers?

Yes. Portal Themes are supported for AAA-TM virtual servers.

RDP Proxy

What changed in RDP Proxy for Citrix Gateway 11.0?

Many enhancements have been made to RDP Proxy since the Citrix ADC 10.5.e enhancement release. In Citrix ADC 11.0 this feature is available from the first released build.

Licensing changes

The RDP Proxy feature in Citrix ADC 11.0 can be used only with Platinum and Enterprise editions. Citrix Concurrent User (CCU) licenses must be obtained for each user.

Enable Command

In Citrix ADC 10.5.e there was no command to enable RDP Proxy. In Citrix ADC 11.0, the enable command has been added:

> enable feature rdpproxy

The feature must be licensed to run this command.

Other RDP Proxy Changes

A Pre-shared Key (PSK) attribute on the server profile has been made mandatory.

To migrate existing Citrix ADC 10.5.e RDP proxy configurations to Citrix ADC 11.0, the following details must be understood and addressed.

If an administrator wants to add an existing RDP proxy configuration to a chosen Unified Gateway deployment:

  • The Citrix Gateway virtual server’s IP address must be edited and set to a non-addressable IP address (0.0.0.0).
  • Any SSL/TLS server certificates and authentication policies must be bound to the Citrix Gateway virtual server that is part of the chosen Unified Gateway formation.

How do you migrate a Remote Desktop Protocol (RDP) Proxy configuration based on Citrix ADC 10.5.e to Citrix ADC 11.0?

Option 1: Keep the existing Citrix Gateway virtual server with RDP Proxy configuration as is, with a Platinum or Enterprise license.

Option 2: Move the existing Citrix Gateway virtual server with RDP Proxy configuration, placing it behind a Unified Gateway virtual server.

Option 3: Add a standalone Citrix Gateway virtual server with RDP Proxy configuration to an existing Standard Edition appliance.

How do you set up Citrix Gateway for RDP proxy configuration using the Citrix ADC 11.0 release?

There are two options for deploying RDP proxy using the NS 11.0 release:

1) Using an externally facing Citrix Gateway virtual server. This requires one externally visible IP address/FQDN for the Citrix Gateway virtual server. This is the option available in Citrix ADC 10.5.e.

2) Using a Unified Gateway virtual server front-ending the Citrix Gateway virtual server.

With Option 2, the Citrix Gateway virtual server does not require its own IP address/FQDN, because it uses a non-addressable IP address (0.0.0.0).

Integrating with other Citrix Software

Is HDX Insight compatible with Unified Gateway?

When Citrix Gateway is deployed with Unified Gateway, the following conditions must be met:

  • The Citrix Gateway virtual server must have a valid SSL certificate bound to it.

  • The Citrix Gateway virtual server must be in an UP state to generate AppFlow records on Citrix ADM, for HDX Insight reporting.

How do I migrate my existing HDX Insight configuration?

No migration is needed. AppFlow policies bound to a Citrix Gateway virtual server carry over if that Citrix Gateway virtual server is put behind a Unified Gateway virtual server.

For existing data on Citrix ADM for the Citrix Gateway virtual server, there are two possibilities:

  • If the IP address of the Citrix Gateway virtual server is assigned to the Unified Gateway virtual server as part of the migration to Unified Gateway, the data remains linked to the Citrix Gateway virtual server.
  • If the Unified Gateway virtual server is assigned a separate IP address, AppFlow data from the Citrix Gateway virtual server is linked to that new IP address. Therefore, existing data is not part of the new data.