For one of my projects I was configuring a NetScaler HA Pair and after configuring the SSL VPN for laptops I wanted to configure a session profile to reroute mobile users (iOS devices running the Citrix Receiver 5.7) based on their User-Agent in the HTTP Header to a ICA Proxy enabled WI Services site. The SSL VPN was working including 2fact auth and SSO so I knew the start was good 😉
So I created the following session policy based on this manual:
Return to the NetScaler VPX configuration utility click Access Gateway > Policy Manager > Change group settings and user permissions.
Select Session Policies and Create new session policy.
The Create Access Gateway Session Policy window appears. Enter MobileAccess for the policy name and click New.
Name the Session Profile MobileDevices, on the Published Applications tab Override Global for ICA Proxy, Web Interface Address, Web Interface Portal Mode and Single Sign-On Domain.
Enter the following:
ICA Proxy: ON
Web Interface Address: http://XA.demo.local/Citrix/MobileAccess/config.xml
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: ctxdemo
In the Configure Access Gateway Session Policy window, next to Match Any Expression, click Add…
Expression Type: General
Flow Type: REQ
Header Name: User-Agent
Select OK, Create and Close. The Access Gateway Session policy appears as an icon in the Access Gateway Policy Manager.
Under Configured Policies / Resources, expand the Virtual Servers > SmartAccess node and then drag the MobileAccessicon onto the SmartAccess > Session Policies icon.
Modify the priority of the policy so the MobileAccess policy has a high priority than the Remote Access policy. This is done by assigning a lower policy number.
Close the Access Gateway Policy Manger and Save the configuration
After the configuration I tested it with my Ipad with the Citrix Receiver 5.7 and got an error “the gateway settings are incorrect”. After an extensive search on google I found this post on the Citrix forums.
Apparently the Citrix Receiver 5.7 has a changed client header:
Which isn’t the problem but I am curious about the VpnCapable description that was added. The real problem was “Due to some new strings contained within the Citrix 5.7 Receiver“… So the Citrix Receiver 5.7 has some new strings that causes an error “The address given did not provide a valid App list. Please check the address, gateway settings, and your network connection”.
I changed the AG profile according to John War’s post:
On your AG session profile, ensure the following is set:
Access URL encoding: Clear
Plugin Type: Java
The The gateway settings are incorrect error was resolved but I got new error that the app list couldn’t be retrieved, the solution was pretty easy. For the SSL VPN I had configured Client Clean Up and I had to overrule these settings in my Session Profile for the mobile clients in order to make this work.
After configuring the client clean up I could connect with both my ipad, iphone and galaxy SII.
Latest posts by Kees Baggerman (see all)
- Recovering a Protection Domain snapshot to a VM - September 13, 2019
- Checking power settings on VMs using powershell - September 11, 2019
- Updated: VM Reporting Script for Nutanix with Powershell - July 3, 2019
- Updated (again!): VM Reporting Script for Nutanix AHV/vSphere with Powershell - June 17, 2019
- Updated: VM Reporting Script for Nutanix AHV with Powershell - April 8, 2019