Citrix NetScaler - Advanced Clientless VPN

Reading Time: 3 minutes

Table of Contents

Overview

Recently a customer requested me to implement a Clientless VPN solution with Citrix NetScaler. CVPN? Wasn’t that the rewriting module which only works with simple Webapps and all other complex ones were failing or the rendering displayed buggy and incomplete?

Correct! But since 13.0, there’s a mode called Advanced Clientless VPN which replaces the legacy CVPN (CVPN V1) – I already wrote about that mode in context to HTML5 Workspace Sessions.

So let’s give it a try!

Configuration

NetScaler

Create a Session Profile and enable Clientless Access and Advanced Clientless VPN Mode in the Client Experience Tab:

In Citrix Gateway -> Global Settings, add your internal Domain-FQDN to the allowed Domains for Clientless Access:

Create Bookmarks to your internal Webapps, make sure Use Citrix Gateway as a Reverse Proxy is enabled and bind these to your Citrix Gateway vServer (for everyone) or to AAA Groups for a filtering mechanism:

Certificate / DNS

The advanced clientless VPN rewrites URLs in a unique manner. This uniqueness is maintained for every URL per user. For example, if the web-application is hosted on https://webapp.customer.com, and the Citrix Gateway vServer is hosted on https://cvpn.customer.com, then the advanced clientless VPN rewrites it as https://cvpneqwerty.cvpn.customer.com. This means, every URL is rewritten as a subdomain of the Citrix Gateway vServer. In this new URL, cvpneqwerty can be decrypted back to https://webapp.customer.com.

Which changes are required to your SSL Certificate?

If you’re using a wildcard -> make sure *.cvpn.customer.com is entered as a SAN attribute, otherwise you have to get a new wildcard certificate

If you’re using a SAN -> make sure cvpn.customer.com and .cvpn.customer.com are entered as SAN attributes

DNS – to resolve URLs like https://cvpneqwerty.cvpn.customer.com to the same IP as your Citrix Gateway vServer, you must add a new record for your subdomain cvpn.customer.com called * with the same IP address or alternatively a record called *.cvpn.customer.com

All done! These are some tests using advanced CVPN (My Citrix Gateway vServer is published as app.customer.com) to access a VMware vCenter or a Citrix Director, sure there are some limitations like the Shadowing Feature in Director or the VMware Web Console, as these are using CORS (Cross-Origin Resource Sharing) which isn’t technically supported by advanced CVPN. Microsoft’s Exchange OWA was also running out of the box.

Summary

To conclude, the Advanced Clientless VPN engine is really a great upgrade compared to V1, a simple way accessing Lab-Resources or just publishing internal Webapps for Users where there’s no need for Content Switching with AAA.

Hints

Depending on which kind of Webapps you are publishing with advanced CVPN (simple or complex) make sure you’re keeping an eye on NetScaler’s Packet CPU Usage. During my tests, the first VMware vCenter access, I noticed a high peak-usage, as there are many rewrites to process. Followed access by the same user (same browser) is handled by cache.

2 comments

Reeno says:

February 24, 2023 at 6:02 PM

Hi Julian

thank you very much for the post, I have a question related to the Advanced Clientless VPN and Rewrite Policy, is there an expression in the policy to use that gives me the randomly generated DNS name of the Adv. Clientless VPN?

I tried with HTTP.REQ.Hostname but unfortunately it doesn’t work

Many thanks

1. Julian Jakob says:
  
  March 6, 2023 at 8:55 AM
  
  Hi Reeno,
  I think thats not possible, here’s what Citrix is saying:
  
  “This uniqueness is maintained for every URL per user. For example, if the web-application is hosted on https://webapp.customer.com, and the VPN virtual server is hosted on https://vpn.customer.com, then the advanced clientless VPN rewrites it as https://cvpneqwerty.vpn.customer.com. This means, every URL is rewritten as a subdomain of the VPN virtual server. In this new URL, cvpneqwerty can be decrypted back to https://webapp.customer.com. The string cvpneqwerty is dynamic and therefore for SSL, you must bind the VPN virtual server with a wildcard certificate.”
  
  In my environment, the cvpneqwerty string can change on the same Webapp after a relogin which makes it kind of impossible to filter.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Citrix NetScaler – Advanced Clientless VPN