NetScaler Gateway 10.1. Sign In to access restricted downloads. Evaluations and Trial Software. Earlier Versions. Access Gateway. Sign In to access restricted downloads. Earlier Versions. NetScaler Gateway Plug-in v4.4.8 for Mac OS X. Jul 22, 2019. NetScaler Gateway Plug-in v4.4.4 for Mac OS X. Download Citrix Workspace app.
- NetScaler Gateway
This article contains information about how to configure NetScaler Gateway EPA to scan the Media Access Control (MAC) address to authenticate the IP address of the user.
When authenticating the (MAC address of an internet user against predefined combinations of MAC addresses and IP addresses, the network-based MAC address scan fails. This is because the network traffic from the internet does not contain the actual MAC address of the user. The MAC address available with the network traffic is that of a gateway or an intermediate appliance.
Therefore, to scan the MAC address from the computer of the user, registry-based scan or a Client Security scan must be performed.
Registry Based Method
Complete the following procedure to perform a registry-based scan for the MAC address of an internet user to authenticate them against predefined combinations of MAC addresses and IP addresses:
Note: The following procedure contains a sample configuration with registry scan to search the MAC address or an equivalent entry in the registry of the computer.
Search the MAC address in the registry of the computer.The exact match of the MAC address might not be easy to search. However, you can search for an equivalent entry for the MAC address. To search, run the following command on from the command prompt:
net config rdr
The following is the sample output of the command:
The command completed successfully.
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Run the following command from the command prompt to start the Registry Editor utility:
Note: Do not use the regedit command to start the Registry Editor utility. You cannot make the appropriate search if you run the regedit command.
Search the key identified in the Step 1, such as A38A41F5-783E-4AED-9035-A2798922CE33, in the registry of the computer.The search for the sample entry displays that the key exists at the following location in the registry:
The following screen shot displays the location of the key in the Registry Editor Window:
In addition, the search shows that the sub key for this entry is NetCfgInstanceId. To locate the actual network interface card (NIC), ensure that you check all the options available under the entry. In the preceding screen shot, the Status Bar of the Registry Editor Window displays the complete path of the sub key.
Run the following command from the command line interface of the NetScaler appliance to add the path that is identified in the preceding steps of the procedure:
add aaa preauthenticationpolicy scan_epa q/CLIENT.REG(HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlClass
' && REQ.IP.SOURCEIP 10.103.0.42/ EPA
In this command, scan_epa is the name of the policy and EPA is the name of the action.
Run the following command from the NetScaler CLI to enable pre-authentication checks:
set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
Note: Use this procedure to authenticate a small group of users. However, it might not be practical to add each of the large number of Secure Access (SSL VPN) users.
Non-Registry Based Method
The following is the preauthentication policy for MAC address and domain check:
EPA MAC Check CLIENT.SYSTEM('MAC_ADDR_anyof_XXXXXXXXXXXX[COMMENT: MAC Address]') EXISTS – no colons or spaces or dashes in the MAC address.
To enable preauthentication policy for MAC address, run the following command from CLI:
add aaa preauthenticationpolicy <policy name> 'CLIENT.SYSTEM('MAC_ADDR_anyof_<MAC address>[COMMENT: MAC Address]') EXISTS' <Action Name>
MAC's MAC addres filter in EPA will be as below
CLIENT.SYSTEM(MAC-MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]) EXISTS
where as for Windows it appears as
MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]
Citrix Netscaler is available as a physical appliance and virtual appliance. Netscaler Virtual appliance is available for XenServer, VMWare ESXi, Hyper-V and KVM. This post will cover the installation of Netscaler VPX on VMWare ESXi host. Even though we are using netscaler 12.x build here, the procedure is same for almost all versions of Netscaler VPX appliances for VMWare ESXi.
NetScaler VPX Installation on ESXi
We need to download the netscaler VPX for ESXi from citrix.
- My citrix login credentials to download media and license.
- Two free IP ( with subnet mask gateway) One for Netscaler IP ( NSIP) and another for subnet IP (SNIP)
- DNS server details (optional)
- Time Zone
- Necessary ESXi resources and login credentials for ESXi host.
Importing Netscaler OVF
Extract the downloaded zip file which will contain mf, ovf and vmdk files as shown below.
Login to ESXi host or VCenter server- Select new vm in web console or file – deploy / import ovf in vsphere client
Select deploy OVF – Next
Provide the Name for VPX and select or drag and drop all 3 files as shown below, only two files will show after selecting.
Select the datastore
select the network card for VPX
view and finish
With this Netscaler VPX will be created on ESXi and it will be powered on.
Netscaler VPX initial Configuration
once VPX is powered on – Open console and provide the ip details
- Netscaler IP – This is NSIP, used for management
- Subnet Mask
enter 4 for save and quit – Enter
Check the login nsroot/nsroot
Now the VPX is installed and we can manage from web browser.
Netscaler VPX assigning SubnetIP and Hostname
Login to netscaler by entering the NSIP provided earlier. default login details are user nsroot and password nsroot
skip the ceip
select the subnet IP
provide the Subnet IP and Mask, Subnet IP is used for internal servers and services communication
Similarly click on host name, provide hsotname for netscaler, DNS server IP’s ( click on + sign for multiple DNS) and time zone.
Netscaler will reboot to apply changes, select Yes
Login to Netscaler after reboot.
Click on license
If you have license bound to host id import else select do it later , Will cover below how to license VPX.
Review all the IP’s and details and continue.
Netscaler VPX is ready, But need to license it.
Licensing Citrix Netscaler VPX
License Netscaler Licenses are bound to Host ID which is the MAC address of the network interface in case of VPX. For Physical appliances, login to portal and download directly the license file as host ID is not required, its already hoard coded.
Identifying Netscaler Host ID
Netscaler host ID can be identified in 2 ways in GUI as shown below. Configuration – system – Host ID
The second way of getting host ID and the best way is using CLI. Configuration – System – Diagnostics – Command line interface.
Netscaler Gateway App
Run below commands as shown below.
- lmutil lmhostid
Then Host ID will show as below.
Login to Mycitrix portal – allocate – select your vpx license – provide Host id taken from above step and download license.
Adding Netscaler Licenses
After downloading the license – Configuration – System – License – Select Manage license
Select add license
Browse the license in local computer as shown below – open
Select reboot to apply the license.
Netscaler Gateway Plug In Download
After reboot login to verify the edition and license features, in my case its platinum.
Download Netscaler Gateway For Mac Catalina
Hope this post is useful. Your suggestions and comments are most welcome.