SSL VPN using web and tunnel mode

NetScaler Gateway 12 – SSL VPN
Sorry to revive an old topic. So you mean to create a second group, add the users also to the second one and see if the error still appears? One of the primary advantages of an SSL VPN is that it uses the TLS technology implemented in modern web browsers, so there is no need to install specific client software. I don't have a workable solution yet but I'm thinking of using multiple Vservers. The other fields are for Single Sign-on through Unified Gateway. Keep these factors in

SSL VPN Remote Access working,

Go to the Dashboard. If you have not done so already, download FortiClient from www. Select Customize Port and set it to

Victoria Martin, Technical Writer at Fortinet. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.

To add an Endpoint Analysis scan, use one of the Editor links on the right. Click Create when done. To make sure ICA Only is unchecked: This changes the default portal page to look identical to StoreFront. Scroll down to the Policies section, and click the Plus icon. Click where it says Click to select.

If you want this Session Policy to override other Session Policies, then set the priority number to a low value. From this list, you can right-click the policies to Edit Binding priority number , or Edit Profile. Edit the AAA Group. On the right, in the Advanced Settings column, add the Policies section. Click the plus icon to bind one or more Session Policies. This makes it difficult to log off.

This setting causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings, including Logoff. On the right, click Add. Name the Authorization Policy. Select Allow or Deny. Default Syntax gives you much greater flexibility in matching the traffic that should be allowed or denied. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.

Or, you can use HTTP. On the right, in the Advanced Settings column, add the Authorization Policies section. Then click where it says No Authorization Policy to bind policies. Enter a name for the Internal subnet. Enter an IP subnet. Only packets destined for this network go across the tunnel. You typically specify a summary address for all internal subnets e. Alternatively, you can define minimal Intranet Application destinations as a security mechanism (assuming Split Tunnel is enabled), but Authorization Policies are more appropriate for that task.

Create additional Intranet applications for each internal subnet. On the right, in the Advanced Settings column, add the Intranet Applications section. You can add multiple suffixes. Bookmarks Bookmarks are the links that are displayed in the default portal interface.

Give the bookmark a name, and display text. Enter a website or RDP address. Optionally browse to an Icon file. The other fields are for Single Sign-on through Unified Gateway. On the left, click where it says No Intranet IP.

Enter a subnet and netmask. Select one of the views, and click Continue. The right column contains the Intranet IP. On StoreFront, edit the file C: On the bottom, there are three sections containing X-Frame-Options. Change all three of them from deny to allow. Also change frame-ancestors from none to self. You might have to override the Web Interface Portal Mode.

X1 theme should automatically show the StoreFront published icons. Add a new local group for your Quarantined Users. This group is local, and does not need to exist in Active Directory. Bind session policies, authorization policies, etc. These policies typically allow limited access to the internal network so users can remediate.

Or, it might simply display a webpage telling users how to become compliant. You can use the variation in Session Policy names for SmartAccess. Scroll down, and check the box to the right of Client Security Check String. Use the Editor links to add an Endpoint Analysis expression. Click Create when done creating or editing the Session Profile.

In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. First create the Session Profile.

Then create a Session Policy. Authorization Policies can be bound using similar instructions. Here is what the user sees when launching the VPN session for the first time. Only administrators can install the NetScaler Gateway Plug-in.

Or you can download VPN clients from Citrix. Bookmarks are the links that are displayed in the 3-pane interface. They can point to file shares or websites. Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots or until the appliance runs out of IPs in the pool.

NetScaler Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group.

You can bind session policies, authorization policies, etc. Policies bound to other AAA groups are ignored. Prior to using this article, there was a manual process that I had followed. Here are my challenges: It takes a couple of tries when a VPN user gets through.

The download the client window pops up every time and the process takes forever. There are times when the process doesn't go through and the user is back to the prompt to log on. The 3 pane window comes up. The plan is to show StoreFront instead so users can launch the apps. If so, did you add a static route on your internal network so replies can return to NetScaler?

I have a NetScaler I have a carefully tested DFS namespace. In fact all the current namespaces properly resolve and are accessible. Sites are working and the Folder referrals are exactly as they should be. Testing is with a domain joined laptop running Windows When this happens I can manually open any of the actual file shares directly on their respective servers, so I have not lost connectivity. Something with either name resolution or some other mechanics of DFS?

Rebooting the laptop and reconnecting does not restore DFS access. In fact in my most recent test I cannot get the DFS shares functional through the tunnel. Remote connection is actually the corporate guest WiFi so the traffic is all on fast links unless Azure is hanging something up. Very interested in your thoughts on this one.

When configuring two separate IP Pools for two separate AAA groups, is it possible to allow those two subnets to see one another?

I need both of these subnets to talk (ping, RDP, etc.) to each other. Does the routing ever leave the NetScaler in this case? Thank you for all your expert wisdom. It has been a tremendous help in implementing. Just to make things easier, I just have everyone in the same IP Pool now. Since they belong to the same subnet, I do not understand why not.

Is there a security setting within the NetScaler Gateway configuration that needs to be enabled for client to client communication? Hello Carl, you give a lot of time to the Citrix community, thanks. If you are still watching this thread — we are rolling out Any guidance as to what might be happening? There is detection enabled but in my experience with Cisco, which also has detection, the MTU setting itself was the most effective.

According to that article the default MSS is which is likely enough although I have had some perform better in the range. In the end this did not improve speed. I was reading — https: This would seem to show that there is nothing on the client PC or main network to blame. Any other suggestions before we sift through Wireshark? This can result in the MAC address changing when the SNIP communicates with the backend servers, resulting in lower performance.

So in our reverse DNS lookup, you could have 3 or 4 hostnames now with the same IP address. So if one user logs in and gets a x. Thus when doing an nslookup, we could get both their hostnames replying.

We opened up a case with Citrix, but they said it's not a NetScaler issue, that we need to include a logoff script in the session policy to delete the pointer record in DNS at logoff. I think it would, but this issue can occur anytime throughout the day. Carl, insightful as always: The VPN Client icon, while it shows up in Can this be done through the VPN client or does it need to be done through the front end web portal or can it be both? The Citrix Receivers have the same problem. I expect Citrix to eventually address the limitation.

We have a captive portal landing web page that is set up to authenticate laptop users connecting in from public-access networks i. If we were to implement the SSL VPN always on functionality on the NetScaler, how can we configure this so that once users connect using the always on VPN the NS can pass the users' credentials through without sending them to the captive portal login to authenticate? If we issue certificates to the endpoints, do we need to generate and install a public SSL certificate on the NetScaler to authenticate the endpoints using certificates?

This can be any CA. Then you can enable Client Certificate Authentication. Is it in any way possible to skip the version check of the EPA plugin? Is there a workaround? Users are not allowed to install the plugin themselves and I am not able to roll out a new client to everyone over night. Is there a workaround for this problem? It might be possible to change the file.

But I came across this article and I will test it with the client: I have to add about subnets to an AAA group. I have not tried that. So you mean to create a second group, add the users also to the second one and see if the error still appears? What can I configure on the NetScaler differently to make this connection? What do I have to consider? Is it possible to establish a connection to the NetScaler Gateway through a proxy?

Do I have the possibility on the NetScaler to configure which IP addresses or networks must go over the tunnel? Great article as always. I find most of what I need on your site as, yes.

I am doing clientless VPN and the customer has two stipulations: How do I create a site ACL in the gateway, i. NetScaler has authorization policies based on destination IP address. Then use a different device to control access from those source IPs. I want the user to be able to select link B or C but to fail on D. Link E is the tricky one. I want only members of a given AD group to be able to select it, but let's set that aside for now.

If it goes across the VPN tunnel, then Authorization policies or firewall rules are your option. When I try with a Client Plug-in v Could you tell me where and what can I check? Hello Carl, thank you for your answer. Do you have another idea what I can check? Port 80 HTTP for example. Thanks a lot for your articles. I was able to install it a few months ago but now we changed the system and after I installed the version The difference before was I did a version Update from