Citrix Gateway

Unified Gateway

Citrix ADC with Unified Gateway: One URL

Citrix ADC with Unified Gateway enables simplified secure access to any application through a single URL for desktop and mobile users. Behind this single URL, administrators have a single point for configuration, security, and control of remote access to applications. And remote users have an improved experience with seamless single sign-on to all the applications they need along with login/logout once ease of use.

To accomplish this, Citrix ADC with Gateway, along with Citrix ADC’s Content Switching capacities and extensive authentication infrastructure, provides access to organizational sites and apps through this single URL. Also, remote users can use iOS or Android mobile devices and Linux, PC, or Mac systems with the Citrix Secure Access agent for uniform access to the Unified Gateway URL, wherever they might be.

A Unified Gateway deployment allows single URL access to the following categories of applications:

  • Intranet applications.
  • Clientless applications
  • Software as a Service application
  • Preconfigured applications served by Citrix ADC
  • Citrix Virtual Apps and Desktops published applications

Intranet applications might be any web-based application that resides inside the secure enterprise network. These are internal resources such as an organizational intranet site, a bug tracking application, or a wiki.

Typically also residing inside the secure enterprise network, the clientless applications Unified Gateway provides single URL access to are Outlook Web Access and SharePoint. These applications provide access to Exchange email and team resources without dedicated client software which need to be available to remote users.

SaaS applications, also commonly know as Cloud Apps, are external, cloud-based applications that organizations depend on such as ShareFile, Salesforce, or NetSuite. SAML based single sign-on is supported with those SaaS applications that offer it.

Some organizations might have preconfigured Citrix ADC served applications deployed in a Citrix ADC load balanced configuration. Often times this is also referred as a ‘reverse-proxy’ application. Unified Gateway supports these applications when a virtual server for the deployment resides on the same Citrix ADC Unified Gateway instance or appliance. These applications might have their own authentication configuration which is independent of the Unified Gateway configuration.

Any published Citrix Virtual Apps and Desktops published applications can be made available through a Unified Gateway URL. SmartAccess and SmartControl policies can optionally be applied to granular policy and access control to these resources.

The Unified Gateway Configuration Wizard

The recommended method to configuring a Citrix ADC with Unified Gateway deployment is to use the Unified Gateway configuration wizard. The wizard walks you through configuration and creates all the necessary virtual servers, policies, and expressions, and applies settings based on the details provided. After initial setup, the wizard can be used to manage your deployment and monitor its operation.

Note:

The Unified Gateway configuration wizard does not perform an initial systems configuration. Your Citrix Gateway appliance or VPX instance must have basic installation completed before configuring Unified Gateway. Refer to the installation instructions for Configuring Citrix Gateway with the First-time Setup Wizard to complete basic configuration.

The Unified Gateway elements configured by the wizard are:

  • The Unified Gateway primary virtual server
  • An SSL Server Certificate for the Unified Gateway virtual server
  • A primary and any optional secondary authentication configuration
  • A portal theme selection and optional customization
  • The user applications that are to be accessed through the Unified Gateway portal

For each of these elements, you need to provide configuration information. For a basic Unified Gateway deployment, the following information is needed.

  • For the primary Unified Gateway virtual server, the public IP address and IP port number for the deployment. This is the IP address that resolves in DNS to the Unified Gateway URL’s host name. For example, if your Unified Gateway deployment’s URL is https://mycompany.com/, the IP address must resolve to mycompany.com.
  • The signed SSL Server Certificate for the deployment. Citrix Gateway supports PEM or PFX formatted certificates.
  • Primary authentication server information. The authentication systems supported for this authentication configuration are LDAP/Active Directory, RADIUS, and Certificate based. A secondary LDAP or RADIUS authentication configuration might be created as well. The authentication server IP address must be provided along with any relevant administrator credentials or directory attributes. For Certificate authentication, the device certificate attributes and a CA certificate must be provided.
  • A portal theme might be selected. If a customized or branded portal design is desired, custom graphics might be uploaded to the system with the wizard.
  • For web-based user applications, the URLs for the individual applications must be specified. For web applications that are to utilize SAML single sign-on authentication, the utility collects the Assertion Consumer Service URL along with other optional SAML parameters. Gather the configuration details in advance for the applications that use a SAML authentication system.
  • For Citrix Virtual Apps and Desktops published resources to be made available through the Unified Gateway deployment, you must specify the integration point (StoreFront, the Web Interface, or Web Interface on Citrix ADC). The utility requires the integration point’s fully qualified domain name, the site path, the single sign-on domain, the Secure Ticket Authority (STA) server URL, and others depending on the type of integration point.

Additional Configuration Management

For site specific settings not available in the Unified Gateway configuration utility, such as alternative SSL settings or session policies, you can manage the needed settings in the Citrix Gateway configuration utility. You can modify these settings on the Content Switching or VPN virtual servers once they are created by the Unified Gateway configuration utility.

Content Switching Virtual Server

This is the Citrix ADC configuration entity behind the deployment’s main IP address and URL. The SSL Server Certificates and parameters are managed on this virtual server. As this virtual server is the responding network host for the deployment, the ICMP server response and RHI state can be modified on this virtual server, if necessary. The Content Switching virtual server can be found under the Configuration tab at Traffic Management > Content Switching > Virtual Servers.

Important:

When you upgrade your Unified Gateway environment to release 13.0 build 58.x or later, the DTLS knob is disabled in the content switching virtual server that is configured before the gateway or VPN virtual server. Manually enable the DTLS knob in the content switching virtual server after the upgrade. Do not enable the DTLS knob if you are using the wizard for configuration.

VPN Virtual Server

All other VPN parameters, profiles, and policy bindings for the Unified Gateway configuration are managed on this virtual server, including the main authentication configuration. This entity is managed under the Configuration tab at Citrix Gateway > Virtual Servers. The relevant VPN virtual server’s name includes the name given to the Content Switching virtual server during initial Unified Gateway configuration.

Note:

The VPN virtual servers created for a Unified Gateway deployment are non-addressable and assigned the 0.0.0.0 IP address.

Unified Gateway