Citrix Gateway CLI config

For LDAP authentication, you can use the following commands to create the LDAP action (the LDAP connection), an AAA virtual server, and the authentication profile that ties them together. Change the settings in [ ] to match your environment; the name you give the LDAP action is the name referenced by the authentication policy, and the bind DN should be a dedicated read-only account, since its password ends up in the running config.

add authentication ldapAction [Name of LDAP Connection] -serverIP [IP of LDAP Load Balancer] -serverPort 636 -ldapBase "dc=[domain],dc=[suffix]" -ldapBindDn [user@domain.suffix] -ldapBindDnPassword [LDAP Bind DN password] -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute1 mail
add authentication Policy LDAP_LB_Adv -rule true -action [Name of LDAP Connection]
add authentication vserver Advanced_LDAP SSL 0.0.0.0
bind authentication vserver Advanced_LDAP -policy LDAP_LB_Adv -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver Advanced_LDAP -certkeyName [Client wildcard cert]
add authentication authnProfile Advanced_LDAP_Profile -authnVsName Advanced_LDAP
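As an added example, not part of the original post, here is the same chain with the placeholders filled in for a hypothetical domain corp.example, plus two things a practitioner would want on top of it: server certificate validation on the LDAPS connection (by default the appliance accepts whatever certificate the LDAP server presents, which makes -secType SSL protect only against passive sniffing, not an impersonated directory), and the set vpn vserver command that actually attaches the authentication profile to the Gateway virtual server. All IPs, host names, certificate and object names (LDAP_corp, gw_corp, wildcard_corp, CA_corp) are assumptions.

```text
# Issuing CA for the LDAP server certificate must be installed on the appliance
# before -validateServerCert YES can succeed (file name is an assumption).
add ssl certKey CA_corp -cert corp-root-ca.pem

# LDAP action: LDAPS to the load-balanced directory, server certificate
# validated and its name checked against -ldapHostName. Bind account is a
# dedicated read-only service account.
add authentication ldapAction LDAP_corp -serverIP 10.0.0.50 -serverPort 636 -ldapBase "dc=corp,dc=example" -ldapBindDn svc_nsbind@corp.example -ldapBindDnPassword "<bind password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -validateServerCert YES -ldapHostName ldap.corp.example -passwdChange ENABLED -Attribute1 mail

# Policy, non-addressable AAA vserver, certificate and authentication profile
add authentication Policy LDAP_corp_pol -rule true -action LDAP_corp
add authentication vserver Advanced_LDAP SSL 0.0.0.0
bind authentication vserver Advanced_LDAP -policy LDAP_corp_pol -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver Advanced_LDAP -certkeyName wildcard_corp
add authentication authnProfile Advanced_LDAP_Profile -authnVsName Advanced_LDAP

# Attach the profile to the Gateway vserver (assumed name gw_corp); without
# this step the AAA vserver above is never consulted for logons.
set vpn vserver gw_corp -authnProfile Advanced_LDAP_Profile

# Quick checks
show authentication ldapAction LDAP_corp
show vpn vserver gw_corp
```

With validation on, a certificate that does not chain to the installed CA or does not carry the name in -ldapHostName causes the logon to fail rather than silently trusting the server, so test a logon immediately after the change and before leaving the console session.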

The code below binds STA servers globally; this is my preferred method for multiple sites, as STA servers can be shared among stores and virtual servers.

bind vpn global -staServer "http://[ip of controller1]"
bind vpn global -staServer "http://[ip of controller2]"
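As an added example, not from the original post, the same binding done per virtual server instead of globally, for the case where one site's gateway should only issue tickets through its own controllers, and the show commands that confirm the binding and the STA state. The controller IPs and the vserver name gw_site2 are assumptions.

```text
# Global binding (as above): every Gateway vserver on the appliance sees these
bind vpn global -staServer "http://10.0.0.11"
bind vpn global -staServer "http://10.0.0.12"

# Per-vserver binding for a gateway that must only use its own site's controllers
bind vpn vserver gw_site2 -staServer "http://10.0.1.11"
bind vpn vserver gw_site2 -staServer "http://10.0.1.12"

# Confirm the bindings; each STA entry is listed with its UP/DOWN state
show vpn global
show vpn vserver gw_site2
```

Whichever way they are bound, the STA list on the Gateway must match the STA list configured on the StoreFront store for the same controllers, or launches fail with ticket validation errors.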

If you are using LDAP or RADIUS for on-premises authentication, you need to specify the NetBIOS domain name in the session action so that single sign-on to StoreFront is attempted as DOMAIN\username. These session actions do that.

add vpn sessionAction Local_WebReceiver_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Storename]Web/" -ntDomain [NetBios Domain Name]
add vpn sessionAction Local_Native_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Storename]/" -ntDomain [NetBios Domain Name] -clientlessVpnMode OFF

If you are using SAML or OAuth, the user name returned is the UPN, so you omit the NetBIOS domain name. Federated accounts such as these also need a dedicated store that is set up for federation. These session actions set those settings.

add vpn sessionAction Federated_WebReceiver_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Federated Storename]Web/"
add vpn sessionAction Federated_Native_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Federated Storename]/" -clientlessVpnMode OFF
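The session actions above, both the local pair and the federated pair, do nothing until a session policy selects them and the policy is bound to a Gateway virtual server. As an added example that is not part of the original post, here are the policies and bindings for both sets, using the User-Agent test that distinguishes a native Workspace app or Receiver from a browser. The vserver names gw_local and gw_federated are assumptions; the policy names are mine.

```text
# Local (LDAP/RADIUS) Gateway vserver: browser sessions get the Web store,
# native clients get the services store. Native clients identify themselves
# with "CitrixReceiver" in the User-Agent header.
add vpn sessionPolicy Local_WebReceiver_Pol "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" Local_WebReceiver_Profile
add vpn sessionPolicy Local_Native_Pol "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" Local_Native_Profile
bind vpn vserver gw_local -policy Local_WebReceiver_Pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver gw_local -policy Local_Native_Pol -priority 110 -gotoPriorityExpression NEXT -type REQUEST

# Federated (SAML/OAuth) Gateway vserver: same split, pointing at the profiles
# that have no -ntDomain because the IdP already returns the UPN.
add vpn sessionPolicy Federated_WebReceiver_Pol "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" Federated_WebReceiver_Profile
add vpn sessionPolicy Federated_Native_Pol "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" Federated_Native_Profile
bind vpn vserver gw_federated -policy Federated_WebReceiver_Pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver gw_federated -policy Federated_Native_Pol -priority 110 -gotoPriorityExpression NEXT -type REQUEST

# Confirm the bindings and the effective settings of one profile
show vpn vserver gw_local
show vpn sessionAction Local_Native_Profile
```

Keep the two client types on separate policies rather than one catch-all: the Web store URL ends in Web/ and the native store does not, and a native client sent to the Web store path does not enumerate resources.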
