Access Gateway Enterprise Edition 10.x config

A colleague of mine, Matthew Allen who is fucking amazing on the Netscaler and I created this config after some trial and error and a call to Citrix support. This config should support all of the new Citrix Receiver clients with CloudGateway Express, CloudGateway Enterprise (AppController) as well as Receiver for Web. It might not jive with exactly what Citrix has published or what you’re doing but I’d like to keep this updated for those who would like to contribute. Post your updates in the comments.

Note that we’re using https access to the StoreFront server, modify if needed. It is also expected that you have already created an Access Gateway virtual server and have bound an authentication policy, valid certificate, Secure Ticket Authority (STA) server, and DNS server (Global Access Gateway Settings).

You will also need to go in to the Global Settings on the Access Gateway and under Clientless Access select Configure Domains for Clientless Access and check Allow Domains then OK. The domain names will be present once you have run the configuration.

  • STOREFRONT.DOMAIN.LOCAL – FQDN of your StoreFront server, make sure the Netscaler can resolve this name or use an IP address. Double-check the path against your StoreFront configuration (ex: STOREFRONT.DOMAIN.LOCAL/Citrix/StoreWeb)
  • DOMAIN.LOCAL – FQDN of your domain
  • AG_VS – Name of your Access Gateway Virtual Server you created
  • APPCONTROLLER.DOMAIN.LOCAL – FQDN of your App Controller

——-begin config——-

add policy patset StoreFront_cookies
bind policy patset ns_cvpn_default_inet_domains DOMAIN.LOCAL
bind policy patset ns_cvpn_default_inet_domains APPCONTROLLER.DOMAIN.LOCAL
bind policy patset ns_cvpn_default_inet_domains STOREFRONT.DOMAIN.LOCAL
bind policy patset StoreFront_cookies CsrfToken -index 1
bind policy patset StoreFront_cookies ASP.NET_SessionId -index 2
bind policy patset StoreFront_cookies CtxsPluginAssistantState -index 3
bind policy patset StoreFront_cookies CtxsAuthId -index 4
add vpn clientlessAccessProfile SF_cvpn
set vpn clientlessAccessProfile SF_cvpn -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies StoreFront_cookies
add vpn clientlessAccessPolicy SF_cvpn_pol TRUE SF_cvpn
add vpn sessionAction prof_PNA -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://STOREFRONT.DOMAIN.LOCAL/Citrix/Store/PNAgent/config.xml" -ntDomain DOMAIN.LOCAL
add vpn sessionAction prof_cvpn -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://STOREFRONT.DOMAIN.LOCAL/Citrix/StoreWeb" -icaProxy OFF -ntDomain DOMAIN.LOCAL -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT
add vpn sessionAction prof_native -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -wihome "https://STOREFRONT.DOMAIN.LOCAL/Citrix/StoreWeb" -ntDomain DOMAIN.LOCAL -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -storefronturl "https://STOREFRONT.DOMAIN.LOCAL"
add vpn sessionAction prof_AGPlugin -splitTunnel ON -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://STOREFRONT.DOMAIN.LOCAL/Citrix/StoreWeb"
add vpn sessionPolicy pol_PNA "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS" prof_PNA
add vpn sessionPolicy pol_cvpn "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" prof_cvpn
add vpn sessionPolicy pol_native "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" prof_native
add vpn sessionPolicy pol_AGPlugin "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" prof_AGPlugin
set vpn parameter -dnsVserverName VS_DNS -defaultAuthorizationAction ALLOW -forceCleanup none -clientOptions all -clientConfiguration all -SSO ON -homePage none -wiPortalMode NORMAL -clientlessModeUrlEncoding TRANSPARENT
bind tunnel global ns_tunnel_cmpall_gzip
bind vpn vserver AG_VS -policy LDAP_POL -priority 100
bind vpn vserver AG_VS -policy pol_PNA -priority 100
bind vpn vserver AG_VS -policy pol_native -priority 110
bind vpn vserver AG_VS -policy pol_cvpn -priority 120
bind vpn vserver AG_VS -policy pol_AGPlugin -priority 130
bind vpn vserver AG_VS -policy SF_cvpn_pol -priority 70 -gotoPriorityExpression END -type REQUEST

——-end config——-


36 thoughts on “Access Gateway Enterprise Edition 10.x config

  1. Unfortunately I wasn’t able to get this to work on my VPX running NS10.0 build I get a lot of “ERROR: Invalid argument” and missing parameter errors.

    1. was missing the “ON” argument on the end of this line: add vpn sessionAction PRO_PNA -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome “https://storefront.domain.local/Citrix/PNAgent” -ntDomain domain.local -clientlessVpnMode ON

      try now.

      1. Ah, I get it – replace ag_vs with my virtual server. Minor typo on second bind vpn vserver line, policy is “POL_PNA_DND” and it looks like it should be “POL_PNA_DRD” for Android. Other than that it goes through ok.

      2. updated that too… thanks for the feedback and helping correct the typo’s. It’s a work in progress as Citrix updates and changes things.

  2. So close! Getting a 403 on the Storefront server now then “An error: FailedInvalidGateway was reported for store ‘Store’ when finding the matching gateway from the list: [Netscaler VPX Production] for this request”.

      1. Glad you were able to resolve the problem, sorry I wasn’t able to get back to your email…been busy with an upcoming event.

  3. OMG, thank you so much, I really needed this, fixed my issues, I was banging my head against the wall because the cvpn rewrite was messing stuff up and I was getting 404 errors when I tried to launch a published app, all good now, I wish I knew which line fixed my problem, but all good now.

  4. I have everything working now except for ipad, is this working for others with ipad. On the ipad I am going to the safari browser and logging in and then pressing the activate button at the top to send the .cr file to receiver. The cr file is failing for some reason.

  5. The apps work fine in safari on ipad just I can’t get native receiver to work even after importing the cr file. I get gateway authentication failed, please check your credentials, address,gateway settings and network connection, oh man, so close. I am not doing email auto discovery yet.

    Here is what my .cr looks like, I have replaced the actual domain name for privacy


      1. Glad that worked for you, sharing information like this is the best way I know to be successful and help others do the same. I’m sure there will be updates as Citrix revises and releases new products, anything you come across to tweak the configuration would be much appreciated and credited.

        Dan Brinkmann

    1. can you elaborate on that question? are you looking for information on how to apply this configuration to a netscaler?

  6. Does this work with Basic mode? I had it running with the VS set to SmartAccess but I was told that I needed to change to Basic for licensing reasons and after switching it seems to be broken. (I get “Cannot connect to store” in the Win client and “the webpage cannot be found” from the web browser.)

    1. If the universal license is the one that is listed under “Maximum Access Gateway Users Allowed” on the Licenses page then according to our Citrix technical rep it does. I was doing some load testing with a dozen or so VMs hitting our Netscaler and I started getting errors like “your app is not available, please try again later” and “SSL Error 38: The proxy denied access to…” The Citrix guy said that if the Netscaler is in basic mode then it will use the “Maximum ICA Users Allowed” license instead of the Access Gateway one.

      1. yea i spoke too soon, the config was setup for smartaccess for the ssl vpn portion that was in there, you shouldn’t need it.

  7. Hi Dan. What are the PNAgent and /Roaming/Services Sites? Thought that the PNAgent Site was replaced with /Citrix/Store…

    1. PNAgent is used for legacy clients…i believe its also used when you use a URL from receiver clients (vs CR file or email based discovery)

      I’m going to be updating this whole config over the next week.

  8. Thanks Dan, it does work well, the only issue I’m running into is with Android and @work applications, the IOS @work apps are running fine with your config.

  9. Is it a requirement to use Clientless VPN in this way to use receiver with storefront? Clientless VPN require Access Gateway Universal Licenses that wouldn’t be necessary if ICA Proxy was used instead of Clientless VPN. Thats an expensive migration from Web Interface to StoreFront…

      1. I have no success in downloading the or using Emailbased Discovery when using ICA Proxy mode. It works in cvpn mode though. I dont know if this is by design or not.

  10. Hi Dan, the line starting “set vpn parameter -dnsVserverName VS_DNS”, what should VS_DNS refer to? Or is it meant to be AG_VS?
    Dan (xdguy)

  11. Hey Thanks for your Help.
    I only have a Problem with the Storefront 2.0. When im going through the AGEE it stands cannot complete your request. When i leave the AGEE SNIP on my StoreFront blank, it works. But SSO doesnt go anymore.

    Do you have a clue?

  12. I am looking to become “FUCKING Amazing at Netscaler. How did he do it and what did it take, this is a serious question. Citrix documentation sucks and I have not found a true method to become an expert at netscaler, so I would appreciate some guidance.

  13. How can I apply the configuration above to my NetScaler? I tried to copy the config into ns.conf but after a reboot the ns.conf file is replaced. Thank you

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s