Let’s face it, NetScaler is a great product, no doubt, but there is a big configuration difference between Access Gateway and NetScaler. For techies that are used to setting up regular CAG there is a big difference. In Citrix NetScaler we need to use session policies, and as a result, there is more things we need to keep in mind.
I’ve searched and searched for a good overview of the required session policies for NetScaler Access Gateway, that make CloudGateway work with iOS, Android, Windows and Mac OSx. So, Edward and I wanted to give you a article that highlights these policies.
How to Configure Session Policies and Profiles for CloudGateway
We learned the hard way, and we want to give Bjarne Træholt a big heads up, our NetScaler Guru above all from Arrow ECS Denmark! To allow connections through Access Gateway Enterprise(NetScaler VPX or MPX) from the different versions of Receiver, you need to create session policies and profiles for CloudGateway with specific rules to enable the connections to work.
We need to create separate session policies and profiles for :
- Receiver for Windows and Receiver for Mac
- Receiver for Android
- Receiver for iOS
- Receiver for Web
- Access Gateway Plug-in
The following table shows the policy expression to configure based on the version of Receiver and the Access Gateway Plug-in you are using :
Receiver version does not support StoreFront services protocols
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS
Receiver version supports StoreFront services protocols
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
Access Gateway Plug-in for Windows
Access Gateway Plug-in for Mac
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS
Receiver for Web
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
When you configure the policy expression for Receiver versions, you can distinguish between the Receiver type in the policy expression.
Receiver for Windows
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows/
Receiver for Mac
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS MacOSX/
Receiver for iOS
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS iOS/
Receiver for Android
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android/
If you configure a session policy that supports StoreFront services protocols and Receiver for iOS, the expression might look like the following:
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS iOS/
Next we need to configure expressions in session policies
When you configure the expression for a session policy, you can use the following methode for CloudGateway Express and CloudGateway Enterprise deployments.
In the Add Expression dialog box, use the following parameters as a guideline for the expression:After you save the first expression, click And in the Create Access Gateway Session Policy dialog box to add && to the expression and then click Add.
- In Expression Type, select General.
- In Flow Type, select REQ.
- In Protocol, select HTTP.
- In Qualifier, select Header.
- In Operator, select CONTAINS, NOTCONTAINS, EXISTS, or NOTEXISTS depending on the expression.
- In Value, type the parameter, such as CitrixReceiver.
- In Header Name, type User-Agent and then click OK.
Configuring Session Profiles
When you configure session profiles for use with a session policy, you need to configure parameters that are specific for the type of connection the profile supports.
When you finish configuring the policy and profile, you then bind the session policy to the virtual server. You also need to assign a priority number for each session policy.
The session profiles you configure have different settings for CloudGateway Enterprise and CloudGateway Express.
If you run into problems be sure to check out How to Enable Receiver Logging to Troubleshoot StoreFront Activation/Provisioning