NetScaler 10 VPX - Basic Setup

We have NetScaler VPX 10, and people access Citrix XenApp / XenDesktop through it (Access Gateway).

Here is our current setup:

Users access Citrix resources from home using: https://ourcitrix.domain.com

They get all the published applications and desktops through it.

Now there are some external vendors / consultants that we need to grant access to some internal applications and intranet sites so that they can do their stuff. We do not want them to access our XenApp/XenDesktop stuff.

I was reading that SSL VPN in NetScaler Access Gateway may help to publish these directly.

What should our approach be?

Create another Access Gateway Virtual Server?

Create another website?

How many certificates do we need? One for XenApp/XenDesktop and another for SSL VPN?

Any suggestions, please.
MOQINFRA Asked:

AdamBNYC Commented:
Few questions and a few answers.

Are the applications that the external vendors need accessible through Citrix already? If so, I would just create a new AD group, put the dev accounts in there, and assign the group to the desired application groups within XenApp/XenDesktop.

The reason I would do this is that I prefer not to give a full VPN tunnel to external vendors. If security is of highest concern, I would actually create the vendors their own small XenApp farm, say 2 or 3 virtual servers with the applications that they need. I might even create the farm in the DMZ and control their access based on firewall ACLs.

Back to your original question about whether you need another Access Gateway Virtual Server: the answer is no. You can create the proper policy and tie it to a group within AD for the external vendors and give them permissions to only get the SSL-VPN option. So when they log in, they will not get ICA-proxy, just the full tunnel SSL-VPN.

This will keep things simpler for you, and you will not have to purchase additional certs or set up additional vServers, VIPs, public IPs, etc.

MOQINFRA (Author) Commented:
Thanks

The applications haven't been published through XenApp/XenDesktop.

They could have been; however, they have decided that SSL VPN is more secure, as XenApp sessions may give them more access to the environment (which I think is not true). However, I don't have the real answer on why they created a separate virtual server for SSL VPN.

Will you be able to point me to the steps on how I can use the already existing virtual server to add an SSL VPN policy?

And do I have to create a new key and new CSR for the 2nd virtual server (if we choose that), or can I reuse the key that I had created for the 1st cert?

Appreciate your responses.

AdamBNYC Commented:
See here
http://support.citrix.com/servlet/KbServlet/download/26413-102-650371/Access%20Gateway%20Enterprise%20Edition%20(AGEE)%20Implementation%20Checklist.pdf

If you are creating a new virtual server with a different FQDN out on the internet and don't have a wildcard cert for your enterprise, then yes, you will have to create a new CSR reflecting the desired FQDN for the new portal.

MOQINFRA (Author) Commented:
Will this CSR need a new key, or can I use the key that I had created already (on which my Access Gateway site for XenApp is running)?

AdamBNYC Commented:
On that one, I'm not sure. Admittedly, certificates are a sore spot for me when diving down into these details. Maybe someone else can chime in.

AdamBNYC Commented:
Oh, I also had one more thought to keep in the back of your mind. A VPX 10 can only handle 10Mbps of traffic. Depending on how many full tunnel SSL-VPN users you have and what they are transferring, you might hit the ceiling of that virtual appliance.

MOQINFRA (Author) Commented:
We just purchased the 200 MB license :). VPX200. Need to install the new license.

MOQINFRA (Author) Commented:
All we need to know is: for a new certificate CSR, do I need a new key, or do I have to use the already existing key which we used for the first Access Gateway virtual server?

MOQINFRA (Author) Commented:
Finally I created a key and a CSR.

@Adam

If I have a single site and then use groups as you said, will all users need to have an Access Gateway plugin for Receiver as well?
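
The question repeated through this thread, whether a CSR for a second virtual server needs a new key, can be checked with OpenSSL. The script below is an added example, not part of the original thread or a Citrix procedure; it assumes the CSR is built with the `openssl` CLI off the appliance, and `vpn.example.com` and the file names are placeholders.

```shell
#!/bin/sh
# Constructed example: file names and vpn.example.com are placeholders.
umask 077                      # keep generated private keys owner-only
WORK=$(mktemp -d)

# SHA-256 fingerprint of the public half of a private key file.
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a CSR.
csr_pub_hash() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# make_csr <keyfile> <fqdn> <outfile>: request a cert for <fqdn> using <keyfile>.
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3"
}

# csr_matches_key <csr> <keyfile>: succeeds only if the CSR was built from that key.
csr_matches_key() {
    c=$(csr_pub_hash "$1"); k=$(key_pub_hash "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-in for the key already in use on the first virtual server.
openssl genrsa -out "$WORK/gateway.key" 2048 2>/dev/null

# Option A: reuse the existing key for the second FQDN's CSR.
make_csr "$WORK/gateway.key" vpn.example.com "$WORK/vpn_reuse.csr"

# Option B: generate a separate key, so exposure of one key
# does not also expose the other virtual server's certificate.
openssl genrsa -out "$WORK/vpn.key" 2048 2>/dev/null
make_csr "$WORK/vpn.key" vpn.example.com "$WORK/vpn_new.csr"

for pair in "vpn_reuse.csr gateway.key" "vpn_new.csr vpn.key" "vpn_new.csr gateway.key"; do
    set -- $pair
    if csr_matches_key "$WORK/$1" "$WORK/$2"; then r=match; else r="no match"; fi
    echo "$1 vs $2: $r"
done
```

Either CSR is valid to submit; the certificate that comes back has to be installed together with the key its CSR was built from.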