Cloud gateway v1.6

Proof of Concept Guide | Citrix CG Marketing

CloudGateway Enterprise PoC Best
Practice Guide
Citrix CloudGateway & Receiver Group

www.citrix.com

Citrix Systems, Inc. © 2012 Confidential Page i of 126

Citrix CloudGateway Proof of Concept Guide

Contents
CloudGateway Enterprise PoC Best Practice Guide ................................................................................................ i

Purpose and Scope .................................................................................................................................................2

CloudGateway Components ....................................................................................................................................2
Recommended Product Versions ............................................................................................................................................. 3

Integrating CloudGateway with XenDesktop/XenApp .............................................................................................3
Leveraging Existing WI/PNA Infrastructure ............................................................................................................................. 3
Deploying StoreFront ............................................................................................................................................................... 4
Recommended Product Versions ............................................................................................................................................. 5

3 Phases to a successful PoC .................................................................................................................................6
Phase 1: Deploying AppController and Receiver ...................................................................................................................... 6
Phase 2: Deploying Access Gateway ........................................................................................................................................ 6
Phase 3: Integrating with XD / XA ............................................................................................................................................ 7
Best practice Deployment flowchart ........................................................................................................................................ 8

Phase 1: Deploying AppController and Receiver ....................................................................................................9
Downloading, Importing and Configuring Citrix AppController ............................................................................................... 9
Basic Configuration of the Web Admin Console..................................................................................................................... 20
Adding Categories, Configuring Roles, and Assigning Applications ....................................................................................... 28
Configuring Data .................................................................................................................................................................... 37
Endpoint Configuration .......................................................................................................................................................... 46

Phase 2: Deploying Access Gateway ....................................................................................................................49
Authentication Server Configuration ..................................................................................................................................... 49
Authentication Policy Configuration ...................................................................................................................................... 50
Virtual Server – Basic Configuration ...................................................................................................................................... 51
Virtual Server – Authentication Configuration ....................................................................................................................... 53
Access Gateway Session and Access Policy & Profile Configuration ...................................................................................... 54
AppController Configuration .................................................................................................................................................. 68

Phase 3: Integrating StoreFront .............................................................................................................................73
AppController Configuration .................................................................................................................................................. 73
StoreFront Configuration ....................................................................................................................................................... 76
AccessGateway Configuration ............................................................................................................................................... 88

Deploying through Web Interface ..........................................................................................................................93



Appendix ................................................................................................................................................................96
PNA Session Policy and Profile: .............................................................................................................................................. 96
Clientless Access Policy and Profile: ..................................................................................................................................... 101
Receiver for Web Session Policy and Profile: ........................................................................................................................ 104
Native Receiver Session Policy and Profile: .......................................................................................................................... 109
ChromeOS Session Policy and Profile: .................................................................................................................................. 114
Access Gateway Plugin Policy and Profile: ........................................................................................................................... 118


Purpose and Scope
The purpose of this document is to help Citrix sales, partners and customers recommend a staged
approach to CloudGateway Proof of Concept deployments. It provides a high-level view of the product
versions required and a detailed list of prerequisites to get the best user experience across different
Receivers all while reducing the complexity of the deployment. Each PoC is unique and requires
careful assessment of the current environment and in some cases hands-on consulting engagement. As
such, this document should be used in conjunction with other admin and deployment guides.

As a level set, it is important to recognize the features that CloudGateway offers, distinct from
XenDesktop and XenApp. Generally, customers are interested in CloudGateway because they want to
leverage Enterprise Mobility features, specifically, the product features listed below:

 MDX App Vault - Mobile App Management
 MDX Web Connect – Secure Browser for Intranet Resources
 Secure Mobile Mail
 Web & SaaS applications – Single Sign On and Provisioning
 ShareFile – Corporate Directory Integration & Data Security

CloudGateway Components
CloudGateway is comprised of three key technology components:

1. Citrix Receivers are used to deliver CloudGateway enabled applications to the end users
2. AppController is the key infrastructure component in CloudGateway that integrates with
Active Directory, ShareFile, Web/SaaS applications and native mobile apps to deliver
enterprise mobility features
3. Access Gateway allows secure access to enterprise resources from outside of the corporate
network and is an integral part of the CloudGateway solution suite

The following diagram illustrates CloudGateway deployment at a high level.

Figure 1 CloudGateway Deployment Diagram

Citrix Systems, Inc. © 2010 Page 2 of 126


In this deployment, users will need to download the latest Receiver on the device and create an
account that points to AppController or Access Gateway to access CloudGateway delivered
applications. See the CloudGateway Deployment guide for further instructions on setting up
infrastructure components.

Recommended Product Versions
Infrastructure
 AppController 2.0 or latest
 Access Gateway 10.0.70 or latest

Receivers
Customers should use the latest versions of Citrix Receivers to get best user experience. More
specifically, the following Receiver versions are recommended for CloudGateway deployments.
 iOS 5.6
 Android 3.1
 Windows 3.3
 Mac 11.6

Integrating CloudGateway with XenDesktop/XenApp
CloudGateway can easily fit into an existing XenDesktop and XenApp deployment to deliver unified
application experience for Windows applications, desktops, Web & SaaS applications and native
mobile apps through Citrix Receivers. The following sections describe two separate approaches to
accomplish this integration.

Leveraging Existing WI/PNA Infrastructure
A large majority of the existing XenDesktop/XenApp install base will have Web Interface or PNA Site
optionally fronted by Access Gateway for remote worker use case. In this scenario adding
AppController atop the current environment will allow customers to leverage CloudGateway features.
Receivers can continue to talk to Web Interface or PNA Site (Standalone or Netscalar) for Windows
applications and can now integrate with AppController (optionally through Access Gateway) for Web,
SaaS and Mobile apps.



The following diagram illustrates the recommended deployment architecture at a high-level:

Figure 2 CloudGateway with WI/PNA Infrastructure

The benefit with this approach is that it minimizes the number of moving parts and allows customers
to easily augment their current environment with CloudGateway components. With this approach,
users will need to configure Receiver to create separate connections - one to their existing WI/PNA site
and another to AppController (or Access Gateway for remote use cases) for CloudGateway delivered
apps.

Deploying StoreFront
In this deployment, StoreFront replaces or deploys in parallel with WI/PNA Site for new Receivers.
Legacy Receivers can continue to connect to the existing WI server. StoreFront is used to aggregate
Windows applications & desktops through XenDesktop/XenApp and Web, SaaS, Mobile and ShareFile
data through CloudGateway for new Receivers. StoreFront allows single sign-on capabilities across the
delivery controllers (XenDesktop, XenApp Farms, CloudGateway) and provides a unified view of the
applications to the end user.
For large scale deployments it is recommend phasing out WI in stages.



The following diagram illustrates the recommended deployment model

Figure 3 CloudGateway with StoreFront

Recommended Product Versions
Infrastructure
 AppController 2.0
 StoreFront 1.2
 Access Gateway 10.0.70
 XenApp & XenDesktop – See StoreFront and CloudGateway Admin guide for recommended
versions

Receivers
Customers should use the latest versions of Citrix Receivers to get best user experience. More
specifically, the following Receiver versions are recommended for CloudGateway deployments.
 iOS 5.6
 Android 3.1
 Windows 3.3
 Mac 11.6



Known StoreFront Limitations Relative to Web Interface
The limitations listed below are related to StoreFront and are relative to the other alternative, which is
to leverage (Web Interface or PNA Site) for windows applications and desktops.
 Multi-Site support: StoreFront doesn’t support redundancy across multiple sites and disaster
recovery yet.
 Advanced Authentication Methods: StoreFront currently supports AD & OTP authentication
methods only. Advanced methods such as SmartCard, Proximity Cards, ADFS, SAML are not yet
supported.
 Advanced Features:
o Desktop appliance site
o Elective AD password change

In the next major release of StoreFront, we intend to bridge some of the critical feature gaps relative
to StoreFront. Customers who deem these features as critical to their deployment can continue to use
Web Interface for delivering Windows applications and desktops.

3 Phases to a successful PoC
Breaking down the PoC deployment into 3 phases will make the configuration process easy. Each
phase presents its own unique set of challenges, so completing all 3 phases at the same time will cause
the entire PoC to be delayed or fail. This deployment guide builds upon the previous so that issues are
isolated to a single phase, creating a path of least resistance.

Phase 1: Deploying AppController and Receiver
Deploying AppController and Receiver in a controlled environment is only accessible on the internal
network. Deployment on an internal network allows us to focus on the success of application delivery
without the distraction of dealing with DMZ firewalls or XenApp or XenDesktop integration.

Phase 2: Deploying Access Gateway
Phase 2 adds Access Gateway to the successfully deployed AppController and Receiver. This allows
access from the internet to all the applications already tested internally. Access Gateway deployments
have their own set of challenges which are different from deploying AppController. It is suggested that
users approach this as a separate project altogether. Deploying Access Gateway in the DMZ will most
likely involve other individuals and or departments within an Enterprise.



Phase 3: Integrating with XD / XA
The last phase is to include already existing XenDesktop or XenApp into the deployment.
There are two possible approaches:
 First, the easier approach, is to configure the Receiver on the endpoint to connect to the
existing Web Interface server. In this case the Receiver has two stores configured. The user is
required to switch between stores depending on what application he or she would like to
access.



 The second approach requires the deployment of StoreFront. With StoreFront all application
delivery services are aggregated through a single StoreFront service. In this case users will
have all their applications available through a single store, no switching is required.

Best practice Deployment flowchart



Phase 1: Deploying AppController and Receiver
Downloading, Importing and Configuring Citrix AppController
Before proceeding, the virtual imagine containing the package you need to install AppController
must be downloaded.

 To install AppController on the XenServer platform, the VM file with .xva extension must be
downloaded
 To install AppController on the VMWare platform, the VM file with .ova extension must be
downloaded

Download the AppController Virtual Image Here

Step Action
Log on to www.mycitrix.com using your MyCitrix ID
Click Downloads

1.



Step Action
Select CloudGateway from the Select Product drop-down menu

2.

Select Product Software from the Select Download Type drop-down menu

3.



Step Action
Click Find

4.

Click the + sign

5.



Step Action
Click CloudGateway Enterprise

6.

Click the Download button that corresponds to the type of virtual appliance you need

7.



Step Action
Click Yes, I accept

8.

Check the download agreement box and click Accept

9.



Step Action
Click Download your file manually and save the file

10.

Open XenCenter
Right click the name of the XenServer and click Import

11.



Step Action
Click Browse and select the .xva image file from Step 10
Click Next

12.

Select the Home Server you want to import the image on
Click Next

13.

Select a Storage repository
Click Import

14.



Step Action
Click Add to add the Network Interface
Click Next

15.

Click Finish to import the VM

16.

Click the Logs tab to view the status of the import process
Once complete, click the Console tab

17.



Step Action
The login prompt for AppController will show up once the import process is complete.

18.

Log in to the AppController CLI
19. Username: admin
Password: password
The Main Menu is displayed
Enter 0 to perform Express Setup

20.



Step Action
Enter 1 to configure the IP Address, Subnet Mask

Configure AppController with the following:
IP Address: <AppController IP address>
Subnet Mask: 255.255.255.0

21.

Enter 2 to configure the Default Gateway
Enter Default Gateway address

22.



Step Action
Enter 5 to Commit Changes
Enter Y to restart AppController

23.



Basic Configuration of the Web Admin Console
Here, administrators will perform basic configurations with the Web Admin Console. The basic
configurations include changing the administrator password, configuring the Active Directory
settings, and configuring the DNS and NTP server information.

Step Action
1. Open a browser and navigate to https://<AppController IP Address>:4443 to
access the Web Admin Console.

NOTE: You are taken to the /ControlPoint/index.html site. You can type the full path
if you would like. However, the URL is not case sensitive. Ignore the certificate
warning and continue to the site.

Log on with
Username: Administrator
Password: password

NOTE: This is not the same password you changed from the XenServer console. The
previous password was for account ‘admin’. This ‘Administrator’ account is used to
configure the AppController via the web console. However, both administrator and
admin accounts use the same password.



Step Action
2. You will be presented with the following screen. First we are going to run through the
Configure Network wizard. Click Configure to continue.

3. You will be prompted to change the Administrator password. Type
Current password: password
New password: <Type in a unique password>
Administrator email: <Type in an Administrator email in UPN format>
Click Next



Step Action
4. Enter the following parameters for the System settings:
Hostname: <Type in your Hostname>
DNS suffixes: <Type in your DNS suffixes>
Primary IP Address: <Enter your DNS server’s IP address>



Step Action
5. Enter the following parameters for the Active Directory configuration:
Server: <Enter the Active Directory IP address> (this is the IP address of your
Domain Controller)
Domain name: <Type in a Domain name>
Service account: <Type in a Service account in UPN format>
Base DN: Point to the user DN
Password: <Type in the password created in step 3>



Step Action
6. Enter the following parameters for the NTP Server Configuration:
NTP server: <Enter NTP server’s IP address> (general best practice is to use the
DC as time server)
Time Zone: US/Eastern

Enter the following information for your Workflow Email Settings:
Email Server: <Enter your mail server’s IP address>
Port: 25
Email: <Type in an Email in UPN format>(the sending account for the
workflow)



Step Action
7. A summary of all your defined settings is displayed. Click Save

8. When the Configure dialog pop up is displayed, click Yes to continue
The AppController logs off when settings are saved and users are retrieved from Active
Directory

9. Log back into the AppController Web Admin UI



Step Action
10. Click on the sprocket symbol in the upper right

11. Select Certificates from the left menu



Step Action
12. Create a PKCS#12 certificate on your certificate authority. Once created, select Server
(.pfx) from the Import drop-down menu on the right and select the certificate

For more information on AppController certificates, please refer to the following link:
http://support.citrix.com/proddocs/topic/appcontroller-20/clg-appc-config-certs-wrapper-c-con.html
13. Enter the certificate associated with the certificate when prompted
14. Select the newly imported certificate and click Make Active on the right side and
confirm the Activation when prompted
NOTE: You will be logged out. Simply log back into the AppController ControlPoint
UI to continue



Adding Categories, Configuring Roles, and Assigning Applications
Here, administrators will create categories, configure roles, and assign applications that are specific
to those roles. Roles are a primary way for administrators to deploy, provision and control
applications.

Step Action
1. Click on the Apps tab

2. Click on + next to the All categories drop-down
Enter the following parameters for Add Category:
Name: <Type in a unique category name>
Description: <Type in a unique description>
Repeat the above steps to create more categories as required



Step Action
3. Click Roles in the top menu

4. At the bottom left hand corner of the screen, click Add role

5. In the Add Role dialog enter the following information
Role name: <Type in a unique role name>
Move the required group from Available groups to Role members. Then click
Add

NOTE: In the current version of AppController, only a single group can be assigned to
a role



Step Action
6. Repeat steps 3 and 4 to create new roles and assign groups to them
7. Click Apps in the top menu

8. Click Web and SaaS App at the left hand panel

9. Search for an application from the available catalog
Click on Add to configure the connector



Step Action
10. From the Category drop-down menu select a category

From the Assigned Role drop-down menu select one or more roles
Click Save

11. Repeat step 9-10 to add more applications to the Store.
12. Click Mobile App at the top left hand panel



Step Action
13. Click Browse… and select the wrapped .cma file
Click Next



Step Action
14. Enter the following parameters for Mobile App Details:
Minimum OS version: <Type appropriate version>
Maximum OS version: <Type appropriate version>
Excluded devices: <Type list (comma separated) of devices to exclude>
Category: <Select a category>
Assigned role: <Assign one or more roles>
Click Next



Step Action
15. Review and assign the appropriate policies you would like to apply to the application
Click Finish

16. Repeat steps 13 – 16 to add more applications to the Store
17. Click Add Web Link at the top left pane
Web links enable users to browse your enterprise’s internal websites from their mobile
devices without needing full VPN connectivity



Step Action

18. Enter the following details:
App Name: <Provide a unique name>
Description: <Enter a description for this web link>
URL: <Enter the URL used to reach this application internally>
Assign a Category and Role, and then click Save



Step Action



Configuring Data
ShareFile enables users to securely share data with anyone, and sync files across all of their devices.
Unlike consumer file sync and sharing tools, ShareFile enables IT to deliver an enterprise-class file
sharing service that secures intellectual property while delivering the service users expect.
CloudGateway delivers transparent single sign-on access to apps and the ability to view or edit, sync
and share files as users roam between devices.

This document will help you understand how to configure Follow Me Data from the AppController
ControlPoint portal, so that apps and data are seamlessly available everywhere, across every type of
device including tablets, smartphones, PCs, Macs, and thin clients allowing you to access your data
anywhere.

Before you begin this step-by-step process, you will need the following:
1. A ShareFile service account
2. A .pem certificate for SAML

If you already have a ShareFile account with your own subdomain, go to step 4.

Step Action
1. Open a browser and navigate to
http://www.citrix.com/lang/English/lp/lp_2324434.asp
2. Click on Sign-up free and create a test account



Step Action
3. Complete the required information

4. After the account is created, log in to the newly created account. Select the Admin link
located at the top right side of the page



Step Action
5. The Admin page comes up. Select Edit Subdomains

6. Configure a subdomains (Your Last Name for example) and click Save

7. Log out of ShareFile
8. Open a browser and navigate to https://<AppController FQDN>:4443
9. Log in with the administrator username and password



Step Action
10. Select the sprocket symbol on the top right side of the screen

11. The System Configuration is shown. Click Certificates



Step Action
12. Click New in the right pane and follow the wizard to create a new private key and CSR
(Certificate Signing Request). Submit the CSR to your certificate authority and request for
a certificate in the PEM format.

13. Once you receive the certificate, click the Import drop-down menu and select the Saml
(.pem) option
Browse and select the PEM certificate



Step Action
14. You are prompted to input the certificate credentials.
Enter and confirm the password and click Ok

15. Select the Docs tab

16. Click Edit



Step Action
17. Enter the following settings:
Domain: <Subdomain configured when account was created>
Assigned Role: <Select a role>
Service Account: <username and password used to create your ShareFile
account> (Format: e-mail address)
Click Save

18. Once complete, you should see SAML Configuration with your SAML certificate’s
FQDN



Step Action
19. Select the sprocket symbol on the top right hand side of the screen

20. Log out of the AppController
21. In Internet Explorer, navigate to http://www.sharefile.com
22. Log in with your account credentials
23. Select your Subdomain. If you have more than one subdomain, please select the one you
configured with AppController
24. Click on Admin and then Configure Single Sign-on



Step Action
25. Notice that the SAML configuration has automatically been configured



Endpoint Configuration
Here, administrators will learn how to configure Receiver for iOS on their iPad.

Step Action
Open Safari on an iPad that’s connected to the same network as the AppController and
navigate to https://<AppController FQDN>
You are automatically redirected to the AppController Receiver for Web
Enter an Active Directory account username and password and click Log On

1.



Step Action
Tap on the user’s name at the upper right corner and tap Activate…

2.

Tap on Open in “Receiver” and when prompted log in with your Active Directory
credentials

3.

When prompted, enter your Active Directory username, password and domain

4.



Step Action
Click the large green plus sign on the left to slide out the blade. Go to the category
containing your mobile applications and tap the + sign corresponding to one of them to
install on your iPad. Once installed, launch the application

NOTE: The app will be installed on your springboard as well

5.

Tap on Log Off at the top left corner of the Store

6.

7. If you log in as a user that belongs to a different role on AppController, the applications
associated with that role will show up



Phase 2: Deploying Access Gateway
Complete the basic NetScaler configuration and then use the following Access Gateway
configurations:
1. Create an Authentication Server and corresponding Authentication policy
2. Create and configure an Access Gateway virtual server

Authentication Server Configuration
The Authentication Server is where you configure Access Gateway to communicate with your
authentication server. This is typically Active Directory, but since Access Gateway is not a
trusted domain member, you must use LDAP as the communication protocol.
Step Action
To configure a new Authentication Server or modify an existing one:
Expand the Access Gateway node
Expand the Policies node
Click Authentication
Click LDAP
In the right pane click Servers
Click Add to create a new Authentication Server
Select LDAP as the authentication type
Give the Authentication Server a unique name
Fill in the LDAP bind information highlighted above

NOTE: The Administrator account specified in the “Administrator Bind DN” field does
not need to be a domain or forest administrator. It needs to be a user account with
directory read privileges. It’s advisable to use a service account with a non-expiring
password. Click Retrieve Attributes to test connection settings.

1.



Authentication Policy Configuration
After creating an Authentication Server, you must configure an Authentication Policy that
determines when that authentication server will be used for authentication requests.
Step Action
To create a new Authentication Policy or modify an existing one:
Expand the Policies node
Click Authentication
Click the Policies tab
Click Add to create a new Authentication Policy

Type the following in the Create Authentication Policy window:
Name: <Give the Authetication Server a unique name>
Authentication type: LDAP
Server: <Select the Authentication Server created in “Authentication Server
Configuration”>
Client is from different geographical reg…drop-down menu: True Value
Click Add Expression
Click Create

1.



Virtual Server – Basic Configuration
The Access Gateway Virtual Server is the primary configuration point for remote access. It is where
you configure IP Address, Certificate, and Authentication and where you bind access policies.
Step Action
To configure a new Virtual Server or modify an existing one:
Click Virtual Servers
Click Add

1.



Step Action
Type the following for each category:
Give the Virtual Server a unique name
IP address: use an IP address that is externally accessible or is mapped to an
externally accessible IP address
Protocol: <Leave as is>
Port: <Leave as is>
Select the radio button for SmartAccess Mode
Available certificates: Select the appropriate server certificate
Click Add >

2.



Virtual Server – Authentication Configuration
The authentication server created is bound to the newly created virtual server by way of the
authentication policy.
Step Action
To associate an Authentication Server with an Access Gateway virtual server:
Click Virtual Servers
Click the Virtual Server created in the previous section
Click Open
Click the Authentication tab
Check Enable Authentication
Click Primary
Click Insert Policy

Authentication Policy: <Select the Authentication Policy created in
Authentication Policy Configuration>
Priority: <Leave as is>

Click OK

1.



Access Gateway Session and Access Policy & Profile Configuration
The steps below provide the steps used to create and bind the required session and access
policies to the Access Gateway virtual server. These policies enable the various Citrix Receivers
to connect to CloudGateway.
1. Navigate to Access Gateway->Policies->Clientless Access

2. In the right panel on the lower left click Add

3. In the Create Clientless Access Policy window click New



4. In the Create Clientless Access Profile configure the following settings:
Name: <Provide a unique name> Example: SF_cvpn
URL Rewrite: ns_cvpn_default_inet_url_label
Click the Client Cookies tab

5. Click New



6. Enter the following:
Name: <Enter a unique name with no white spaces> Example: StoreFront_cookies
(Enter the Pattern and Index, and then click Add one at a time for the following):
Pattern=CsrfToken, Index=1
Pattern=ASP.NET_SessionId, Index=2
Pattern=CtxsPluginAssistantState, Index=3
Pattern=CtxsAuthId, Index=4
Click Create twice to create the pattern set

7. Back in the Configure Clientless Access Policy window configure
Name: <Enter a unique name with no white spaces> Example: SF_cvpn_pol
Expression: true (Simply type within the Expression window)
Click Create to create the policy
Click Close



8. Go to Access Gateway->Policies->Session
In the right panel click Add



9. Click New in the Create Access Gateway Session Policy window

10. Select the Client Experience tab and configure the following settings:
Name: <Enter a unique name> Example: prof_cvpn
Home Page: <Enter the AppController Receiver for Web URL>
Example: https://ac.training.lab/Citrix/StoreWeb
Clientless Access: On (Default is Allow, change to On)
Clientless Access URL Encoding: Clear
Check the Single Sign-on to Web Applications check-box



11. Select the Security tab and ensure the Default Authorization Action is set to Allow

12. Click the Published Applications tab and configure the following profile options:
Ensure that ICAProxy is set to OFF
Web Interface Address: <Enter the AppController Receiver for Web URL>
Example: https://ac.training.lab/Citrix/StoreWeb
Single Sign-on Domain: <Enter the Active Directory domain name>
Click Create



13. Configure the following settings in the Create Access Gateway Session Policy window:
Name: <Enter a unique name> Example: pol_cvpn
Request Profile: <Select the profile created in the previous step>
Example: prof_cvpn
Click Add under the Expression box

14. Configure the following settings:
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: EXISTS
Header Name: Referer
Click OK



15. Click Create and then click Close

16. Make sure you are still at the following location: Access Gateway->Policies->Session
Click Add in the right panel



Name: <Enter a unique name> Example: prof_native
Clientless Access: On (Default is Allow, change to On)

19. Select the Security tab and ensure the Default Authorization Action is set to Allow and
the Secure Browse check-box is checked



Single Sign-on Domain: training
Click Create

Name: <Enter a unique name> Example: pol_native
Request Profile: <Select the profile created in the previous step>
Example: prof_native



Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Click OK and then click Add under the Expression box, once again

Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: EXISTS
Header Name: X-Citrix-Gateway
Click OK



24. hSet the drop-down to Match All Expressions
Click Create and then click Close

25. Go to Access Gateway->Virtual Servers and double-click the Access Gateway vserver
26. Click the Policies tab and then do the following to bind the polices to the vserver:
Click Insert Policy and select the first of the two session policies created in the previous
section, from the Policy Name drop-down menu. Repeat this step to add the second
policy as well.



27. Select Clientless under the Policies tab and click Insert Policy. Choose the Access Policy
created in this document to bind the policy to the vserver
Click Ok and close the vserver configuration window

28. Close the vserver configuration window and go to Access Gateway->Global Settings
Click Configure Domains for Clientless Access



29. The Configure Domains for Clientless Access window is shown

Select the radio button for Allow domains. Add the StoreFront server FQDN and the
AppController FQDN to his list.
Example: receiverstorefront.training.lab and ac.training.lab
Click OK and close the configuration window

30. Log out of the NetScaler Configuration Utility. Click OK to save the configuration



AppController Configuration
This step-by-step guide will demonstrate how to configure AppController with Access Gateway.

Step Action
Access the ControlPoint portal using the URL:
https:// <AppController FQDN>:4443
Log in to the ControlPoint portal as administrator

1.

Click system settings

2.



Step Action
Click Trust Settings
Click Edit

3.

Select Netscaler Access Gateway

In the Trust Settings window, enter the following:
Display Name: <Enter a unique “Display name”>
Callback URL: <Enter the Access gateway URL>
External URL:< Enter the externally accessible, fully qualified, URL of your
Access Gateway>
Select authentication type from the Log on type drop-down menu
Click Save

4.



So far, we have configured Receiver to communicate with AppController directly. At this point, remove
the previously configured store from your Receiver for iOS. This step-by-step guide will demonstrate
how to configure Receiver for iOS on an iPad to connect through Access Gateway.

Step Action
Open Safari on the iPad and navigate to https://<Access Gateway URL>
Log in using a set of Active Directory credentials

1.



Step Action
Tap on the account name at the upper right corner and tap Activate…

2.

Tap on Open in “Receiver”

3.

Log in to Receiver using your Active Directory credentials

4.



Step Action
Go to the category that contains your mobile applications and tap the + sign
corresponding to one of the mobile applications to install on your iPad

NOTE: The app will be installed on your springboard as well.

5.

Click on one of your published web links to test the web connect microvpn as well
Tap Log Off at the top right corner of the Store when complete

6.



Phase 3: Integrating StoreFront
AppController Configuration
This step-by-step guide assumed that the basic AppController configuration has been complete. The
guide below will demonstrate how to configure AppController so that users can deploy CloudGateway
through StoreFront.
Step Action
1. Access the AppController ControlPoint portal using the following URL:
https://<AppController’s FQDN>:4443
Login with the following credentials:
User name: Administrator
Password: <Enter the password>

2. Click the sprocket symbol



Step Action
3. Click Trust settings under System Configuration
Click Edit

4. Select StoreFront



Step Action
5. Enter the StoreFront’s FQDN prefixed with https in the web address field provided.
Click Save



StoreFront Configuration
This step-by-step guide will demonstrate how to configure StoreFront and integrate it with Access
Gateway.
Step Action
1. Connect to your StoreFront server.
2. Log on to StoreFront using your local administrator credentials.
3. Copy the StoreFront installer to your StoreFront server. Double click the
CitrixStoreFront-x64 installer.

4. Check the I accept the terms of this license agreement check-box and click Next



Step Action
5. Click Install

6. Once the installation completes, click Finish



Step Action
7. In the Citrix StoreFront snap-in console click Deploy Single Server

8. Open IIS manager
Expand the server node
Expand Sites
Expand Default Web Site
Click Bindings in the right pane
Click Add in the Site Bindings window



Step Action
9. Select https from the Type drop-down in the Add Site Binding window
Click the associated certificate from the SSL certificate drop-down and click OK

10. Since the certificate has already been applied to your StoreFront server the Server
address field will auto populate with the correct URL
Example: https://receiverstorefront.training.lab

Click Create



Step Action
11. Type the Store name of your choice and click Next

12. Click Add in the Create Store window



Step Action
13. Configure the following settings in the Add Delivery Controller window:
Display Name: <Name of your choice>
Type: CloudGateway Enterprise
Server: <AppController FQDN>
Port: 443
Click OK

14. If you would like to add additional delivery controllers such as XenDesktop and XenApp,
click Add in the Create Store window
15. Configure the following settings in the Add Delivery Controller window:
Display Name: <Display name of your choice>
Type: XenApp
Click Add from just below the Servers section



Step Action
16. Type the XenApp server FQDN in the Server name field and click OK

17. Assign the appropriate transport type (HTTP/HTTPS) and the port number will
automatically change. Repeat steps 14-16 to add additional delivery controllers.

Click OK



Step Action
18. Click Next

19. Select the Full VPN tunnel radio button from the Remote access section and then click
Add



Step Action
20. Configure the following details in the Add Gateway Server window:
Display name: <Enter a unique display name>
Gateway URL: < Enter the externally accessible, fully qualified, URL of your
Access Gateway>
Deployment mode: Appliance
Check the Set server as Access Gateway Enterprise Edition check-box
Subnet IP address: <Enter the NetScaler subnet IP address>
Logon type: Domain only
Click Next



Step Action
21. In the Callback URL filed type
URL: <Enter the externally accessible, fully qualified, URL of your Access
Gateway>
Click Next

22. Click Add



Step Action
23. Type the STA server URL in the STA URL field and click OK

24. Repeat steps 22-23 to add more STA servers if required.
Click Create



Step Action
25. Click Create

26. Click Finish



AccessGateway Configuration
Now that we have integrated StoreFront in the CloudGateway environment, this guide provides the
steps to change the session policies to point to StoreFront instead of AppController.

Step Action
1. Login to NetScaler and navigate to Access Gateway->Policies->Session
Click the Profiles tab in the right pane and then highlight the Receiver for Web profile
created previously and then click Open

Name: prof_cvpn
Home Page: <Change the home address from the AppController Receiver for
Web URL to the StoreFront Receiver for Web URL>
Example: https://receiverstorefront.training.lab/Citrix/StoreWeb



Step Action
Uncheck the Override Global check-box for Web Interface Address
Click OK



This step-by-step guide will demonstrate how to configure receiver for iOS on an iPad.

Step Action
Open Safari in the iPad and navigate to https://<Access Gateway URL>
Log in using your Access Gateway credentials

1.

Tap on username at the upper right corner and tap Activate…

2.



Step Action
Tap on Open in “Receiver”

3.

Log in to Receiver using your Active Directory credentials

4.

You can now see the apps delivered from all your delivery controllers, in a single Store.

5.



Step Action
Tap on one of the categories containing the applications delivered from XenApp. Click
the + sign corresponding to the application to your home screen and launch it

6.

Go the category containing your mobile applications and tap on the + sign corresponding
to one of the apps
NOTE: The app will be installed on your springboard as well

7.

8. Click on one of your published web links to test the web connect microvpn as well.
Tap Log Off at the top left corner of the Store when done.



Deploying through Web Interface
This section assumes that you already have configured Access Gateway to communicate with Web
Interface in order to deliver XenDesktop/XenApp applications to Receiver. This guide walks you
through the process to connect Receiver to a PNAgent/Legacy site.

Step Action
Open Receiver on your iPad and click Add Account

1.



Step Action
When prompted, enter the Access Gateway URL in the format below and click Next
https://<Access Gateway URL>

2.

Once Receiver verifies the Access Gateway URL, you’re prompted for details
Description: <Enter an appropriate description>
Enter your Active Directory Username, Password and Domain
Click Save

3.



Step Action
The apps and desktops from your PNAgent/Legacy appear

4.



Appendix
The steps below provide the procedure used to create session and access policies to the Access
Gateway virtual server. These policies enable the various Citrix Receivers to connect to
CloudGateway.

PNA Session Policy and Profile:
The session policy and profile described below is applicable to CloudGateway Express and is
related to configuring remote access to PNA/legacy sites only. This policy does not have to be
configured when setting up CloudGateway Enterprise.
1. Navigate to: Access Gateway->Policies->Session
Click Add in the right pane



2.
Click New in the Create Access Gateway Session Policy window

Name: <Provide a unique name> Example: prof_PNA



4.
Select the Security tab and ensure the Default Authorization Action is set to Allow

ICA Proxy: ON
Web Interface Address: <Provide the PNA site address>
Example: https://store.training.lab/Citrix/Store/PNAgent/config.xml
Click Create



Name: <Provide a unique name> Example: pol_PNA
Request Profile: <Select the profile created above>In this example: prof_PNA

Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS



Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTEXISTS
Click OK

9. Set the drop-down to Match All Expressions



Clientless Access Policy and Profile:
The access policy and profile described below is applicable to CloudGateway Enterprise and is
related to configuring remote access to CloudGateway stores only. This policy is used in
conjunction with the Receiver for Web, Native Receiver, ChromeOS and Access Gateway
Plugin policies and profiles described later in this appendix.
Step Action

1. Navigate to Access Gateway->Policies->Clientless Access

2. The Create Clientless Access Policy window is shown
Click New, next to the Profile drop-down menu



Step Action

3. The Create Clientless Access Profile opens. Configure the following settings:
Name: <Provide a unique name> Example: SF_cvpn
URL Rewrite: ns_cvpn_default_inet_url_label
Click the Client Cookies tab

4. Click New



Step Action

5. Name the Pattern Set something unique (Example: StoreFront_cookies) and configure the
following cookies
(Enter the Pattern and Index, and then click Add one at a time for the following):
Pattern=CsrfToken, Index=1
Pattern=ASP.NET_SessionId, Index=2
Pattern=CtxsPluginAssistantState, Index=3
Pattern=CtxsAuthId, Index=4

Click Create to create the pattern set

6. Configure the following settings in the Configure Clienless Access Policy window:
Name: <Provide a unique name> Example: SF_cvpn_pol
Expression: true
Click Create to create the policy



Receiver for Web Session Policy and Profile:
related to configuring remote access to CloudGateway stores via web browsers. This policy is
used in conjunction with the Clientless Access policy and profile described in this appendix.

1. Navigate to Access Gateway->Policies->Session




Name: <Provide a unique name> Example: prof_cvpn
Home Page: <Provide the Receiver for Web Address>
Example https://receiverstorefront.training.lab/Citrix/StoreWeb
Clientless Access: On

4. Select the Security tab and ensure the Default Authorization Action is set to Allow



Single Sign-on Domain: <Provide your Active Directory domain name>
Example: training
Click Create

Name: <Provide a unique name> Example: pol_cvpn
Request Profile: <Select the profile created above>In this example: prof_cvpn



Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTCONTAINS

Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: EXISTS
Header Name: Referer
Click OK



9.



Native Receiver Session Policy and Profile:
related to configuring remote access to CloudGateway stores via native Receivers installed on
desktops and mobile devices. This policy is used in conjunction with the Clientless Access
policy and profile described in this appendix.

1. Navigate to: Access Gateway->Policies->Session




Name: <Provide a unique name> Example: prof_native
Clientless Access: On

4. Select the Security tab and ensure the Default Authorization Action is set to Allow and
the Secure Browse check-box is checked



Single Sign-on Domain: <Provide your Active Directory domain name>
Example: training
Click Create

Name: <Provide a unique name> Example: pol_native
Request Profile: <Select the profile created above>In this example: prof_native



Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS

Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: EXISTS
Click OK



9. Set the drop-down to Match All Expressions



ChromeOS Session Policy and Profile:
related to configuring remote access to CloudGateway stores via devices that run the Chrome
Operating System. This policy is used in conjunction with the Clientless Access policy and
profile described in this appendix.

1. Go to Access Gateway->Policies->Session



Cloud gateway v1.6

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Cloud gateway v1.6

Similar to Cloud gateway v1.6 (20)

Cloud gateway v1.6