So you have Citrix NetScaler running to load balance your Microsoft Exchange 2016 infrastructure. What else can you use it for, you ask yourself? Well, you know that VPN appliance you are running just for VPN? Get rid of it, because Citrix NetScaler can provide you with full-blown SSL VPN! With Citrix NetScaler Gateway you can give your end-users full SSL VPN (Virtual Private Network) access, so that resources in your network are reached only over an authenticated, TLS-encrypted tunnel. Citrix NetScaler provides that access to any device, anywhere.
Deliverables of this post:
- Citrix NetScaler SSL VPN Setup with full access to your network.
- SSL VPN access using Microsoft Windows 10 desktop.
- SSL VPN access using Apple iOS (iPhone or iPad).
Requirements for the configuration:
- Citrix NetScaler 11.1 (www.citrix.com).
- NetScaler Gateway Universal License.
- An IP address for the VPN virtual server (the VIP your external clients will connect to).
- Valid SSL certificate.
- Active Directory for user authentication.
- A hostname, in my case https://vpn.vikash.nl. This must match your SSL certificate.
My homelab setup
I am running this whole setup from my Microsoft Hyper-V 2016 Server, running all of my Microsoft Windows virtual machines. This Hyper-V Server is also running my Citrix NetScaler.
So let's start.
Create Session Profile
First we have to create the session profile and then the session policy. Navigate to NetScaler Gateway -> Policies -> NetScaler Gateway Policies and Profiles -> Session and click on Session Profiles. Then click on Add.
Give the profile a name and click on the Client Experience tab.
Set the time-out values according to your needs. Because we want to redirect all the traffic from the client through the SSL VPN tunnel, set Split Tunnel to OFF. Note that with split tunnelling off, every packet from the client, including its internet traffic, leaves through the NetScaler, so size your internet uplink and egress filtering accordingly. Set the plug-in type to Windows/MAC OS X.
We have to create an AlwaysON profile. Click on the + (plus) sign.
Give the AlwaysON profile a name and set Client Control to ALLOW. Then click on Create.
Make sure the AlwaysON profile we just created is selected.
Now click on the Security tab and set the Default Authorization Action to ALLOW. Be aware that ALLOW grants every authenticated user access to everything reachable from the NetScaler; if you need to limit users to specific subnets or hosts, set this to DENY and bind authorization policies that allow only what is required.
Click on the Published Applications tab and make sure that ICA Proxy is set to OFF. Then click on Create.
Your session profile should now be available in the Session Profiles overview.
Create Session Policy
After creating the session profile, it is time to create the Session Policy for the session profile we just created. Navigate to NetScaler Gateway -> Policies -> NetScaler Gateway Policies and Profiles -> Session. Click on Session Policies and then click on Add to create a new policy.
Give the policy a name, select the session profile you just created, and enter ns_true in the Expression section. The expression ns_true matches every request, so this profile is applied to all users who log on to the gateway. Then click on Create.
The newly created policy should now be available in theÃ‚Â Session Policies overview.
Configure the VPN Virtual Server
After creating the profile and policy we can now create the NetScaler Gateway Virtual Server. This is the virtual server providing the VPN access to the end-user. So if you have a firewall or NAT appliance in front of the NetScaler, make sure that external TCP port 443 is forwarded to the IP address of this virtual server.
Navigate toÃ‚Â NetScaler Gateway -> NetScaler Gateway Servers -> Virtual Servers and click onÃ‚Â Add.
Give the virtual server a name. Set the IP address and click on OK.
Bind the SSL certificate
Let's bind the SSL certificate to this virtual server. If you still need to import the certificate, see my post about importing SSL certificates on Citrix NetScaler. Click on No Server Certificate.
Select the SSL certificate and click on Bind.
Click on Continue.
I am using my Active Directory as primary (and only) user authentication. If you require a second authentication factor, you can add it here as well.
Click on the + (plus) sign on the Basic Authentication horizontal bar.
Select LDAP for Active Directory authentication. Choose Primary as Type. Click on Continue.
Select your LDAP policy. This contains the Active Directory authentication server. Check that the LDAP action it points to uses a secure connection (Security Type SSL or TLS, port 636 or 389 with STARTTLS), otherwise user passwords travel from the NetScaler to your domain controller in clear text. Then click on Bind.
Click on Continue.
And click again on Continue.
Bind the session policy
Now we can bind the session policy created earlier. Click on the + (plus) sign on the Policies horizontal bar.
Make sure you have Session as policy and Request as type selected. Click on Continue.
Select the session policy we created earlier in this post and click on Bind.
Now click on Done.
In the overview of the NetScaler Gateway Virtual Servers we can see the virtual server being available with status UP.
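The same configuration as a NetScaler CLI batch, as an added example that is not part of the original post. The shell function below prints the nscli commands that mirror the GUI steps above (AlwaysON profile, session profile, session policy, LDAP action and policy, gateway virtual server, certificate and policy bindings); the second function is a client-side check that the gateway presents a certificate whose chain and hostname validate. Object names, the VIP, the LDAP server, base DN and bind account are hypothetical placeholders, and the certkey name is assumed to be the one you imported earlier. The LDAP action is written for LDAPS on port 636.

```shell
#!/bin/sh
# Added example: generate the NetScaler 11.1 CLI commands for the SSL VPN setup.
# All names and addresses are placeholders; adjust them to your environment.

ns_vpn_config() {
  vip="$1"        # VIP of the gateway virtual server
  certkey="$2"    # name of the certkey already imported on the NetScaler
  ldap_ip="$3"    # Active Directory domain controller
  ldap_base="$4"  # search base, e.g. dc=example,dc=com
  bind_dn="$5"    # service account used to search the directory
  bind_pw="$6"    # its password (put it in a vault, not in a script)
  cat <<EOF
# Client Experience: split tunnel OFF, Windows/MAC plug-in; Security: default ALLOW;
# Published Applications: ICA proxy OFF; AlwaysON with client control allowed
add vpn alwaysONProfile ao_prof_vpn -clientControl ALLOW
add vpn sessionAction sess_prof_fullvpn -splitTunnel OFF -transparentInterception ON -windowsClientType PLUGIN -defaultAuthorizationAction ALLOW -icaProxy OFF -sessTimeout 30 -alwaysONProfileName ao_prof_vpn
add vpn sessionPolicy sess_pol_fullvpn ns_true sess_prof_fullvpn
# LDAP authentication against Active Directory over LDAPS (636)
add authentication ldapAction ldap_act_ad -serverIP $ldap_ip -serverPort 636 -secType SSL -ldapBase "$ldap_base" -ldapBindDn "$bind_dn" -ldapBindDnPassword "$bind_pw" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_pol_ad ns_true ldap_act_ad
# Gateway virtual server on 443, certificate binding, primary auth and session policy bindings
add vpn vserver vs_vpn SSL $vip 443
bind ssl vserver vs_vpn -certkeyName $certkey
bind vpn vserver vs_vpn -policy ldap_pol_ad -priority 100
bind vpn vserver vs_vpn -policy sess_pol_fullvpn -priority 100
save ns config
EOF
}

ns_vpn_tls_check() {
  # From a client: fail unless the chain verifies, and show subject, validity and SANs
  # so you can confirm the hostname (e.g. vpn.vikash.nl) is covered. Needs network access.
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" -verify_return_error </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates -ext subjectAltName
}

# Usage: ns_vpn_config 192.0.2.10 vpn_vikash_nl 192.0.2.20 "dc=vikash,dc=nl" \
#          "cn=svc_ns,cn=Users,dc=vikash,dc=nl" 'S3cret' | ssh nsroot@<NSIP>
#        ns_vpn_tls_check vpn.vikash.nl
```

Pipe the generated batch into an SSH session to the NSIP to apply it, then run the TLS check from an outside client; an `openssl s_client` verification error at that point means the chain or the hostname on the certificate does not match what you bound.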
Testing with clients
So now we have configured the VPN service on Citrix NetScaler, it is time to test it using different endpoints. In my case I will test using a Windows 10 desktop, and an Apple iPhone with iOS 10.2.1.
Windows 10 SSL VPN client
Start a browser on your desktop, and navigate to the hostname where the virtual server is listening. In my case that is https://vpn.vikash.nl. This translates to the IP address of the virtual server on my NetScaler.
Enter a username and password. Click on Log On.
Because this desktop client logs in for the first time, it does not have the NetScaler Gateway Plug-in installed. You will be prompted to install it. Click on Download and then Run the installer.
Click on Install.
When the installation process finishes, click on Finish.
The browser page will refresh, and you will have a full-blown SSL VPN session now using Citrix NetScaler.
Check the status of the SSL VPN session using the NetScaler Gateway status option by clicking the icon in the notification area in the taskbar.
Apple iOS (iPhone / iPad) client
Make sure you have installed the Citrix VPN app from the Apple App Store. Start the app on your iPhone.
Tap on Add VPN Configuration.
Enter the VPN details and add a user account. Tap on Disabled to set the Certificate options.
Select the Automatic option. Tap on Ok.
Now tap on Save.
And then tap on Save and Connect to start the VPN connection.
You will be prompted to enter the password for the user. Then tap on Log In.
The VPN should now be connected! You can also see the connection status in the app and in the upper-right corner of your iOS device. If you tap on the i next to Connected you can see more information about the VPN session.
This concludes this tutorial. Feel free to contact me if you have any questions or comments.
You can follow me on twitter or add the RSS feed from my blog and you will be notified when I add new posts.