Citrix NetScaler Expression Session Policies for CloudGateway

Let’s face it, NetScaler is a great product, no doubt, but there is a big configuration difference between Access Gateway and NetScaler, especially for techies who are used to setting up a regular CAG. In Citrix NetScaler we need to use session policies, and as a result there are more things we need to keep in mind.

I’ve searched and searched for a good overview of the required session policies for NetScaler Access Gateway that make CloudGateway work with iOS, Android, Windows and Mac OS X. So, Edward and I wanted to give you an article that highlights these policies.

How to Configure Session Policies and Profiles for CloudGateway

We learned the hard way, and we want to give Bjarne Træholt, our NetScaler Guru above all from Arrow ECS Denmark, a big heads up! To allow connections through Access Gateway Enterprise (NetScaler VPX or MPX) from the different versions of Receiver, you need to create session policies and profiles for CloudGateway with specific rules that enable the connections to work.

We need to create separate session policies and profiles for:

  • Receiver for Windows and Receiver for Mac
  • Receiver for Android
  • Receiver for iOS
  • Receiver for Web
  • Access Gateway Plug-in


The following table shows the policy expression to configure based on the version of Receiver and the Access Gateway Plug-in you are using:

| Type of connection | Policy expression |
| --- | --- |
| Receiver version does not support StoreFront services protocols | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS |
| Receiver version supports StoreFront services protocols | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS |
| Access Gateway Plug-in for Windows, Access Gateway Plug-in for Mac | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS |
| Receiver for Web | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS |

When you configure the policy expression for Receiver versions, you can distinguish between Receiver types in the policy expression.

| Receiver type | Policy expression |
| --- | --- |
| Receiver for Windows | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows/ |
| Receiver for Mac | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS MacOSX/ |
| Receiver for iOS | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS iOS/ |
| Receiver for Android | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android/ |

If you configure a session policy that supports StoreFront services protocols and Receiver for iOS, the expression might look like the following: 

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS iOS/


Next we need to configure expressions in session policies

When you configure the expression for a session policy, you can use the following method for CloudGateway Express and CloudGateway Enterprise deployments.

  1. In the Create Access Gateway Session Policy dialog box, select Advanced Free-Form and then click Add.

  2. In the Add Expression dialog box, use the following parameters as a guideline for the expression:

    1. In Expression Type, select General.
    2. In Flow Type, select REQ.
    3. In Protocol, select HTTP.
    4. In Qualifier, select Header.
    5. In Operator, select CONTAINS, NOTCONTAINS, EXISTS, or NOTEXISTS depending on the expression.
    6. In Value, type the parameter, such as CitrixReceiver.
    7. In Header Name, type User-Agent and then click OK.

     After you save the first expression, click And in the Create Access Gateway Session Policy dialog box to add && to the expression and then click Add.

  3. Repeat Step 2 to configure the second rule.

  4. When you finish adding the rules, click Create and then click Close.

Configuring Session Profiles

When you configure session profiles for use with a session policy, you need to configure parameters that are specific for the type of connection the profile supports.

When you finish configuring the policy and profile, you then bind the session policy to the virtual server. You also need to assign a priority number for each session policy.

The session profiles you configure have different settings for CloudGateway Enterprise and CloudGateway Express.
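To check which of the expressions above a given request would satisfy before binding the policies, the following added example (not from the original article or from Citrix) evaluates them against request headers. The policy names, priority numbers, sample headers and the rule that the lowest priority number takes precedence are assumptions, and matching is simplified to a case-sensitive substring test.

```python
# Added example: evaluates the classic expressions from this page against
# request headers. Policy names, priorities and sample headers are constructed.
OPS = {
    "CONTAINS": lambda value, arg: value is not None and arg in value,
    # Assumption: a missing header satisfies NOTCONTAINS.
    "NOTCONTAINS": lambda value, arg: value is None or arg not in value,
    "EXISTS": lambda value, arg: value is not None,
    "NOTEXISTS": lambda value, arg: value is None,
}

def matches(expression, headers):
    """True if every &&-joined REQ.HTTP.HEADER term holds for the headers."""
    found = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for term in expression.split("&&"):
        parts = term.split()
        if len(parts) < 3 or parts[0] != "REQ.HTTP.HEADER" or parts[2] not in OPS:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        needs_arg = parts[2] in ("CONTAINS", "NOTCONTAINS")
        if needs_arg != (len(parts) == 4):
            raise ValueError(f"wrong operand count: {term.strip()!r}")
        arg = parts[3] if needs_arg else None
        if not OPS[parts[2]](found.get(parts[1].lower()), arg):
            return False
    return True

RX = "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"
NOT_RX = "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"
# (priority, hypothetical policy name, expression from the page)
POLICIES = [
    (100, "receiver_ios_storefront", RX + " && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS"
          " && REQ.HTTP.HEADER User-Agent CONTAINS iOS/"),
    (110, "receiver_storefront", RX + " && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS"),
    (120, "receiver_legacy", RX + " && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS"),
    (130, "receiver_for_web", NOT_RX + " && REQ.HTTP.HEADER Referer EXISTS"),
    (140, "gateway_plugin", NOT_RX + " && REQ.HTTP.HEADER Referer NOTEXISTS"),
]

def matching_policies(headers):
    """Names of all matching policies, lowest priority number first."""
    return [name for _, name, expr in sorted(POLICIES) if matches(expr, headers)]

if __name__ == "__main__":
    samples = {  # constructed header sets, not captured traffic
        "iOS Receiver": {"User-Agent": "CitrixReceiver iOS/0.0", "X-Citrix-Gateway": "gw.example.test"},
        "browser": {"User-Agent": "Mozilla/5.0", "Referer": "https://gw.example.test/"},
        "plug-in": {"User-Agent": "Mozilla/5.0"},
    }
    for label, hdrs in samples.items():
        print(label, "->", matching_policies(hdrs))
```

The iOS sample matches both the iOS-specific and the general StoreFront expression, which is why the more specific policy needs the priority number that wins. The expressions read client-supplied headers, so they select a session profile and do not verify what the client is.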

 

If you run into problems, be sure to check out How to Enable Receiver Logging to Troubleshoot StoreFront Activation/Provisioning.