Configuring Netscaler and Web Interface for application publishing

I needed to secure as Citix XenApp farm behind Netscaler VPX Access Gateway to publish secure applications.


  • Install 2 Netscaler 10.0 virtual appliances in VmWare
  • Configure IP Address for the Netscalers
  • Install Platform and VPX Licenses

Step1: Installing Certificate

  • After you have exported your SSL certificate from the certificates.mmc on Windows Server to a *.pfx (make sure you exported the private key), you can import this certificate to the NetScaler.
  • Logon to the Netscaler and click SSL Certificates > Import PKCS#12
  • 8.1a-MainSSL
  • The output file name can be anything you like, however be sure to take note of it.  wildcard.odh.key is used in the example.  The .KEY file will contain both a Private Key as well as the Certificate combined into one file.
  • 8.1a-ImportSSL
  • A file has now been created on the NetScaler called “wildcard.remotemobileaccess.key”
  • 8.1a-ListWildcardSSL
  • Install WinSCP, connect to the IP address of the NetScaler.  Click the double dot to get to the previous directory.  Browse to /nsconfig/ssl.  We are now going to create a new .cer file and modify the wildcard.odh.key file.
    • Edit the .key file with WinSCP
    • Select everything starting from —–BEGIN CERTIFICATE—– to the end of the file.  Click Cut. Leave the file open.
    • Open a new file on your desktop, name it whatever you like, except make sure the extension is .CER and not .TXT.  Paste the information you cut out of the .key file in step 2.  Save and close the .CER file you created and drag and drop it into WinSCP so that its uploaded into the nsconfig/ssl folder on the NetScaler
    • Save the modified Key file from step 2 using the save button in the WinSCP file editor.
    • You now have both a .key file and .cer file on the Netscaler and can continue with the certificate installation process.  Click SSL > Certificates > Install
    • 8.1a-InstallWildCard
  • If you have not previously installed the intermediate certificate chain from your Certificate Authority (like DigiCert), then you will need to do that (SSL > Certificates > Install).
  • 8.1a-InstallIntermediate
  • We now need link the new SSL Cert that you installed to the Certificate Chain from your CA:
  • Right Click on your WildCard Cert and select “Link”. Choose the DigiCert/Other Intermediate Certificate.
  • 8.1a-LinkSSL

Step2: Configuring Access Gateway

  • Add DNS Entry for your Access Gateway URL.
  • Create a basic Access Gateway Virtual Server
    • Go to Access Gateway -> Virtual Servers – > Add
    • Enter Name, IP Address, and Select the previously created WildCard Cert(Click Add)
    • 8.1a-CreateVirtualServer
    • Click Create. You will see a new Virtual Server Created.
    • LDAP Policies
      • Go to Access Gateway -> Policies -> Authentication -> LDAP.
      • Click Servers Tab
        • Click Add.
        • Fill out the Name, IP, Base DB, Admin Bind DN, Admin PW. See image below.8.1a-LDAPServer
  • Click Create.
  • Do the same for any more Domain Controllers.
  • Click Policies Tab
    • Click Add
    • Fill out the Name, Select DC server, Add Expression to look at header for the domain name. (We are tracking cookies because of multiple domain dropdown option)
    • 8.1a-LDAPPolicy
    • Click Create.
    • Repeat the steps for all Domain Controller Policies
    • Session Policies
      • Go to Access Gateway -> Policies -> Session
        • Click Profiles Tab
          • Click Add
          • Click Published Applications Tab
          • Enter Policy Name
          • Set ICA Proxy to “ON”
          • Enter Web Interface Address
          • Enter Single Sign-on Domain
          • 8.1a-SessionPolicy
          • Click Create
          • Click Policies Tab
            • Click Add
            • Enter Policy Name
            • Select the Profile you just created
            • Enter Cookie Expression.
            • 8.1a-SessionPolicy2
  • Click Create
  • Apply Policies/STA to Access Gateway
    • Open up the Virtual Server create earlier
    • Click Authentication Tab
      • Add the LDAP Policies
      • 8.1a-VirtualServer_LDAP
    • Click Policies Tab
      • Add Session Policies
      • 8.1a-VirtualServer_Session
    • Click on Published Application tab
    • Click OK to save the settings.

Step2: Configuring Web Interface

  • Open Citrix Web Interface Console
    • Right click on XenApp Web Site – > Create Site
    • Give it a name “ICA Proxy”
    • Specify Point of Authentication “At Access Gateway”. Click Next
    • 8.1a-WI-PointOfAuth
    • Enter the “Access Gateway Authentication URL”
    • 8.1a-WI-GatewayURL
    • Click Next to finish the site.
  • Add XenApp Servers
    • Right click on newly created site. Select Server Farms
    • Add XenApp Servers
    • Click OK.
  • Edit Secure Access Settings:
    • Right click on newly created site. Select Secure Access
      • Click Add and select Gateway Direct
    • Click Next
    • Enter the FQDN Address for the Virtual Server address
    • Click Next
    • Specify the STA server(s). Must match the same server as configured in Access Gateway.
    • 8.1a-WI-STA
    • Click Finish

Publish some application in your farm and test your Access Gateway to make sure you can access the Web Interface site thru Access Gateway.

One thought on “Configuring Netscaler and Web Interface for application publishing

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s