Optional — Native Citrix Workspace App Support
This section describes how to enable Native Citrix Workspace app support in addition to the browser-based access documented above:
- Set up another rewrite policy for the secondary authentication. This rewrite tells Citrix Workspace app that if it receives a username and password but no token, it should initiate authentication via RADIUS from the native client.
- Add another LDAP connection to be used only for authorization group extraction. Unlike the legacy experience, group information is not sent over RADIUS.
This topic offers instructions on making these configurations via CLI commands, or in the Citrix NetScaler graphical user interface console. When using the console, Citrix may present a warning message "Classic authentication policies are deprecated". You can safely ignore these messages.
Create Another Rewrite Action
In the Citrix NetScaler console, go to AppExpert > Rewrite > Actions > Add.
Configure the fields as follows:
Field | Value | Description
Name | sample-receiver-rewrite-action | Give your rewrite action a descriptive name.
Type | INSERT_AFTER_ALL | Inserts the expression after the search text.
Expression to choose target location | HTTP.RES.BODY(1000000) | Searches the first 1 million characters of the HTTP response body.
Expression to insert with | "\r\n" + "<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">" | The content to insert; the inner double quotes are escaped with a backslash.
Search | Text: </title> | If found, the content is inserted after each </title> tag.
Create Another Rewrite Action in CLI
Use the sample command below to create another rewrite action via the command line. Inner double quotes need to be escaped with a backslash:
add rewrite action sample-receiver-rewrite-action insert_after_all "HTTP.RES.BODY(1000000)" q/"\r\n" + "<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">"/ -search "text(\"</title>\")"
Create Another Rewrite Policy
In the Citrix NetScaler console, go to AppExpert > Rewrite > Policies > Add.
Configure the fields as follows:
Field | Value | Description
Name | sample-receiver-rewrite-policy | Give your rewrite policy a descriptive name.
Action | Rewrite Action | Select the rewrite action created above.
Expression | HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") | If the expression is true, the rewrite action is performed. This ensures the policy is only triggered for the native Receiver.
Create Another Rewrite Policy in CLI
Use the sample command below to create another rewrite policy via the command line. Inner double quotes need to be escaped with a backslash:
add rewrite policy sample-receiver-rewrite-policy "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" sample-receiver-rewrite-action
Bind the Policy to the Virtual Server
In the Citrix NetScaler console, go to NetScaler Gateway > Virtual Servers > Policies > Add (+)
Configure the fields as follows:
Field | Value | Description
Choose Policy | Rewrite |
Choose Type | Response |
Select Policy | Rewrite Policy | Select the rewrite policy created above.
Priority | 110 | To ensure this policy is enforced second, set the binding priority to 110 (the original rewrite policy is already bound at 100).
Goto Expression | END | This is the final rewrite policy.
Bind the Policy to the Virtual Server in CLI
Use the sample command below to bind the rewrite policy to the virtual server via the command line:
bind vpn vserver sample-virtual-server -policy sample-receiver-rewrite-policy -priority 110 -gotoPriorityExpression END -type RESPONSE
Edit the Original Rewrite Policy Binding
So that both rewrites are applied to the response, edit the existing rewrite policy binding:
In the Citrix NetScaler console, go to NetScaler Gateway > Virtual Servers > Edit > Policies
Configure the fields of the first policy as follows:
Field | Value | Description
Policy Name | Existing Policy Name |
Priority | 100 |
Goto Expression | NEXT | Allows the second rewrite policy (for example, sample-receiver-rewrite-policy) to run.
Edit the Original Rewrite Policy Binding in CLI
Use the sample command below to edit the original rewrite policy via the command line:
bind vpn vserver sample-virtual-server -policy sample-rewrite-policy -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
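The two RESPONSE rewrite bindings configured above (the original at priority 100 with Goto NEXT, the receiver policy at 110 with Goto END) can be simulated offline to check why the Goto edit matters. This is an added Python example, not Imprivata's or Citrix's code; the sample logon page, the original policy's insert text and its search text (</title>) are constructed assumptions, and the NetScaler action is reduced to a plain-string INSERT_AFTER_ALL.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample logon page (hypothetical markup, not the real Gateway page).
SAMPLE_BODY = "<html><head><title>Gateway</title></head><body>logon</body></html>"
RECEIVER_META = '<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">'
ORIGINAL_INSERT = "<!-- original rewrite -->"  # assumed stand-in for the browser rewrite

@dataclass
class Binding:
    """One RESPONSE-type rewrite policy binding on the VPN vserver."""
    name: str
    rule: Callable[[Dict[str, str]], bool]  # the policy expression
    search: str                              # -search text(...) of the action
    insert: str                              # "Expression to insert with"
    priority: int
    goto: str                                # Goto Expression: NEXT or END

def insert_after_all(body: str, search: str, insert: str) -> str:
    """INSERT_AFTER_ALL: append `insert` after every occurrence of `search`."""
    return body.replace(search, search + insert)

def is_receiver(headers: Dict[str, str]) -> bool:
    # Equivalent of HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
    return "CitrixReceiver" in headers.get("User-Agent", "")

def evaluate(bindings: List[Binding], headers: Dict[str, str],
             body: str) -> Tuple[str, List[str]]:
    """Priority order; Goto is read only when the rule matches: END stops, NEXT continues."""
    applied: List[str] = []
    for b in sorted(bindings, key=lambda x: x.priority):
        if b.rule(headers):
            body = insert_after_all(body, b.search, b.insert)
            applied.append(b.name)
            if b.goto == "END":
                break
    return body, applied

def make_bindings(original_goto: str) -> List[Binding]:
    """Original policy at 100 (assumed to match all responses) + receiver policy at 110."""
    return [Binding("sample-rewrite-policy", lambda h: True, "</title>",
                    ORIGINAL_INSERT, 100, original_goto),
            Binding("sample-receiver-rewrite-policy", is_receiver, "</title>",
                    "\r\n" + RECEIVER_META, 110, "END")]

if __name__ == "__main__":
    ua = {"User-Agent": "CitrixReceiver/4.9"}
    for goto in ("NEXT", "END"):  # END on the original binding starves policy 110
        body, applied = evaluate(make_bindings(goto), ua, SAMPLE_BODY)
        print(goto, applied, RECEIVER_META in body)
```

With the original binding left at END, the receiver policy never runs and the META tag is absent from the native client's logon page; a browser User-Agent only ever receives the original rewrite.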
Add a Second LDAP Connection
Add another LDAP connection to be used only to retrieve group membership and user attributes that can be used for authorization policies. Unlike the legacy experience, group membership and user attribute information is not sent over RADIUS.
- In the Citrix NetScaler console, go to NetScaler Gateway > Policies > Authentication > LDAP > Servers > Add
- In the list of LDAP servers, check the box for your LDAP server and click Add. The configuration of your LDAP server is copied to this new server.
- Give the server a different name, for example sample-ldap-server2.
- Uncheck the Authentication box.
- Click Create.
Add a Second LDAP Connection in CLI
Use the sample command below to create a second LDAP connection via the command line. Replace <mypassword> with your enterprise password:
add authentication ldapAction sample-ldap-server2 -serverName imprivata.com -ldapBase "dc=imprivata,dc=com" -ldapBindDn "cn=administrator,cn=users,dc=imprivata,dc=com" -ldapBindDnPassword <mypassword> -ldapLoginName sAMAccountName -groupAttrName memberOf -authentication DISABLE
Create a Second LDAP Policy
In the Citrix NetScaler console, go to NetScaler Gateway > Policies > Authentication > LDAP > Policies > Add
Configure the fields as follows:
Field | Value | Description
Name | sample-ldap-policy2 | Give your LDAP policy a descriptive name.
Server | LDAP Server | Select the second LDAP server created in the previous section.
Expression | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver | Ensures this policy is only triggered when logging in from the native Receiver.
Create a Second LDAP Policy in CLI
Use the sample command below to create a second LDAP policy via the command line. The classic expression is enclosed in double quotes:
add authentication ldapPolicy sample-ldap-policy2 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" sample-ldap-server2
Bind the Second LDAP Policy to the Virtual Server
In the Citrix NetScaler console, go to NetScaler Gateway > Virtual Servers > Basic Authentication > Add (+)
Configure the fields as follows:
Field | Value | Description
Choose Policy | LDAP |
Choose Type | Primary | Adds the second LDAP server, which has authentication disabled.
Select Policy | LDAP Policy | Select the second LDAP policy created in the section above.
Priority | 110 | To ensure this policy is enforced second, set the binding priority to 110 (the first LDAP policy is already set to 100).
Bind the Second LDAP Policy to the Virtual Server in CLI
Use the sample command below to bind the second LDAP policy to the virtual server via the command line:
bind vpn vserver sample-virtual-server -policy sample-ldap-policy2 -priority 110