Citrix Receiver for Mac supports the following operating systems:
- macOS High Sierra (10.13)
- macOS Sierra (10.12)
- Mac OS X El Capitan (10.11)
Note: Mac OS X releases prior to Mac OS X El Capitan are not supported.
Compatible Citrix products
Citrix Receiver for Mac is compatible with all currently supported versions of the following Citrix products.
This release of Citrix Receiver for Mac contains a single installation package, CitrixReceiver.dmg, and supports remote access through NetScaler Gateway and Secure Gateway. Citrix Receiver for Mac can be installed by a user from the Citrix website, automatically from Receiver for Web or from Web Interface, or by using an Electronic Software.
Applicable Products
- Citrix Gateway
- XenDesktop
- StoreFront
Information
NetScaler Smart Access is an advanced feature of NetScaler Gateway. It is usually needed in the following two scenarios.
- NetScaler End Point Analysis (EPA) is used.
- Restrict user’s app/desktop visibility if the session is from NetScaler Gateway.
In this document, I will focus on scenario 2, using StoreFront + XenDesktop as the example. For XenApp, please refer to CTX138110 - How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance for Use with XenApp.
End Point Analysis (EPA) is extensively covered in https://support.citrix.com/pages/netscaler-gateway-epa
Important: SmartAccess consumes licenses. Each user session consumes 1 gateway user license.
1) Configuration
NetScaler
The gateway configuration on NetScaler is very easy: just enable Smart Access mode. Once you enable Smart Access mode, it consumes licenses.
ICA Only: Checked means smart access is not enabled. Unchecked means smart access is enabled. So please keep it unchecked.
StoreFront
Callback must be enabled on StoreFront.
Note: NetScaler Gateway’s virtual server must be HTTPS. StoreFront must be able to connect to the NetScaler Gateway’s FQDN and must trust the NetScaler Gateway’s certificate. Otherwise, the “Can not complete your request” error will occur.
DDC
The DDC’s configuration is the most complicated one, because the access policies are controlled here. I will introduce complex cases in section 3. In this section, I will give a simple example.
For user sessions from NetScaler Gateway, the user can see the desktop “New Desktop” only when the session is handled by virtual server “_XD_nssf.donnie.com” and hits policy “PL_WB_10.107.197.243” on NetScaler.
- Enable Trust XML.
- Right click the delivery group “New Desktop”, click “Edit Delivery Group”.
Farm: NetScaler Gateway’s virtual server name:
Filter: NetScaler Gateway’s policy name.
2) Detailed Workflow and Principle
This figure is from section “2.3. Get the App List” of article “NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow”. Please check that document for the details of a – g. Here, I would like to focus on c and d.
c. Callback. The callback address we configured on StoreFront is used here. After StoreFront receives the user’s credentials from NetScaler Gateway, StoreFront calls back to NetScaler to retrieve more information (virtual server name and policy names) in this step.
<FarmName>: The “Farm” field we configured on DDC’s access rule.
<String>: The “Filter” field we configured on DDC’s access rule.
Note: There may be multiple <String> entries here, because one session may hit multiple policies on NetScaler Gateway. All of the policies’ names will be listed here even though the actions are not taken.
d. StoreFront POSTs the Farm and String information to the DDC.
Then the DDC checks these entries against its access rules and provides the available apps/desktops to the client.
3) Case Sharing
Case 1: If sessions are from NetScaler Gateway, don’t allow them to see “New Desktop”
Configuration:
Method 1: Uncheck “Connections through NetScaler Gateway”
Method 2: Configure a non-existent virtual server name.
Either of these 2 methods works.
Case 2: If the session is from NetScaler Gateway, and if virtual server’s name is “_XD_nssf.donnie.com”, user is able to see “New Desktop”. Don’t check the policy name.
Configuration:
Use wildcard * for filter.
Domain users except “temp” | | Yes |
temp | Machine joins Domain “DONNIE” | Yes |
temp | Machine doesn’t join Domain “DONNIE” | No |
This case is a little complicated. We can use an EPA policy on NetScaler to detect whether the machine is joined to the domain.
Configuration:
NetScaler
- Create one Preauthentication policy on NetScaler to detect domain-joined machines. The action is Allow.
- Create a policy for machines that are not joined to the domain. The action is also Allow. Otherwise, these PCs will be rejected by NetScaler.
- Bind these 2 policies to the virtual server:
DDC
By default, there is only one access policy, which we have configured in Studio. We can also use PowerShell to configure it.
The access policy configuration is in the “IncludedSmartAccessTags” line. The format is “Farm:Filter”.
We can configure it via the following steps.
- When the temp user uses a machine that is joined to the domain, the action is allow.
After this step, all other users will not be able to see this desktop, so we need to create a new rule for all other users.
- Add a new access policy for the “New Desktop” delivery group. In the previous step, we can see that the DesktopGroupUid for this delivery group is 4:
- Enable this policy, and set it for Domain Users
- Configure this policy that will only take effect for sessions from NetScaler Gateway.
- Exclude temp from this rule.
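The DDC steps above, written out as PowerShell. This is an added example, not the article's original commands: the virtual server name, domain, user and DesktopGroupUid come from the text, while the EPA policy name and the second rule's name are hypothetical placeholders.

```powershell
# Added example: run on the Delivery Controller (DDC).
# Values marked "hypothetical" are placeholders, not taken from the article.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$farm      = '_XD_nssf.donnie.com'         # Gateway virtual server name (from the article)
$joinedTag = "${farm}:EPA_JOINED_POLICY"   # "Farm:Filter"; EPA policy name is hypothetical
$groupUid  = 4                             # DesktopGroupUid of "New Desktop" (from the article)
$newRule   = 'New Desktop_AG_DomainUsers'  # hypothetical name for the second rule

# Find the existing gateway rule and show its current filters.
$agRule = @(Get-BrokerAccessPolicyRule -DesktopGroupUid $groupUid |
    Where-Object { $_.AllowedConnections -eq 'ViaAG' })
if ($agRule.Count -ne 1) { throw "Expected one ViaAG rule, found $($agRule.Count)" }
$agRule | Format-List Name, DesktopGroupUid, IncludedUsers, IncludedSmartAccessTags

# Rule 1: temp is allowed only when the session hit the "joined" EPA policy.
Set-BrokerAccessPolicyRule -Name $agRule[0].Name `
    -AllowedUsers Filtered `
    -IncludedUserFilterEnabled $true -IncludedUsers 'DONNIE\temp' `
    -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags $joinedTag

# Rule 2: every other domain user, gateway sessions only, temp excluded.
# AllowedProtocols is set explicitly (assumption: HDX launches are wanted).
New-BrokerAccessPolicyRule -Name $newRule -DesktopGroupUid $groupUid `
    -Enabled $true -AllowedConnections ViaAG -AllowedProtocols 'HDX' `
    -AllowedUsers Filtered `
    -IncludedUserFilterEnabled $true -IncludedUsers 'DONNIE\Domain Users' `
    -ExcludedUserFilterEnabled $true -ExcludedUsers 'DONNIE\temp'

# Review both rules before running the four verification logons.
Get-BrokerAccessPolicyRule -DesktopGroupUid $groupUid |
    Format-Table Name, Enabled, AllowedConnections, IncludedUsers, ExcludedUsers,
        IncludedSmartAccessTags -AutoSize
```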
Verify:
- Administrator, PC joins domain:
- Administrator, PC doesn’t join domain:
- temp, PC joins domain:
- temp, PC doesn’t join domain:
4) Troubleshooting & hints
- On NetScaler, we can run the following commands to check the hit policies.
- On StoreFront, take a packet trace file to check the POST request. Make sure that Farm and Strings are correct.
- NetScaler’s preauthentication policy is case sensitive.
- DDC access policy rules. Some tips for “Exclude” and “Include”:
  - “Exclude” has a higher priority than “Include”.
  - For access to be allowed, the session must not hit any “Exclude” rule and must hit all “Include” rules.
  - If the session hits one “Exclude” rule, the next policy will not be checked.
What is Citrix Gateway?
What is Citrix Gateway? To answer this question, we first need to answer another: What is a gateway? A gateway is a device designed to provide data communication between a remote network and a local network. In short, users can access remote networks anywhere in the world by using a gateway. A gateway is one of the numerous ways our data is transferred over the Internet.
A gateway provides communication to a remote network or an independent system that is out of bounds for the current network users. Gateways are the entry and exit points of a network. Any incoming or outgoing data must first go through the gateway to use routing paths. Usually, a router device is configured to work as a gateway in computer networks.
Citrix Gateway is a solution requiring unique hardware and a software license. It can be deployed on-premises or on any hybrid or public clouds, such as Microsoft Azure, Amazon Web Services™ (AWS), Google Cloud, or Citrix Cloud Platform. It offers users server load balancing, single sign-on, and secure access to all the virtual, Software as a Service (SaaS), and web applications assigned to them from their organizations/services.
Citrix Gateway and Citrix Access Control
Since it includes the word “gateway,” you would expect all the features of a gateway, such as server load balancing, enhanced security policies, web-filtering policies for Internet users, user behavior analytics, and more. However, this isn’t the case; Citrix expects you also to implement Citrix Access Control to manage all the features of a gateway.
Security Issues on Citrix Gateway
In December 2019, Citrix announced a critical vulnerability, tracked as CVE-2019-19781, in its Citrix Gateway, Citrix Application Delivery (formerly called NetScaler ADC), and SD-WAN WANOP products. If exploited, CVE-2019-19781 could effectively allow any hacker to gain direct access to the organization’s local network from a remote location and execute arbitrary code.
At the time, it was reported that CVE-2019-19781 jeopardized over 80,000 companies’ networks in 158 countries that were using Citrix Gateway, Citrix ADC, and SD-WAN WANOP. It took nearly a month for Citrix to finally release a permanent fix for the CVE-2019-19781 security flaw.
As of this writing, Citrix claims that it has released permanent fixes for all the supported versions of Citrix Gateway, Citrix ADC, and SD-WAN WANOP. While CVE-2019-19781 could appear as an isolated incident, it raises serious security issues about Citrix Gateway, considering how widespread the application is in the business community.
For many organizations, VDI has created an entirely new complex IT infrastructure that has to be licensed, administered, and maintained. This complexity in VDI infrastructures has the potential to not only become expensive in the long run, but also lead to security issues. For example, in the case of Citrix Gateway, companies can easily connect workstations and sensitive business applications, including ERPs.
However, in all the connections, Citrix apps are accessed on the organization’s network perimeter, exposing them to attacks from malicious users. And if a vulnerability is exploited, hackers have access to not only the published apps but any other resource that resides on the company’s server.
A Better Alternative
If you’re looking into Citrix Gateway, you are probably considering Citrix Virtual Apps and Desktops to deliver applications and desktops. In that case, you might be interested in reading more about Parallels® Remote Application Server (RAS), the best alternative to provide high-performance UX at a fraction of the cost compared to Citrix.
Parallels RAS allows organizations to leverage existing investments into Citrix infrastructures, such as Citrix Hypervisor (formerly XenServer) and Citrix ADC (formerly Netscaler). Either integrate your existing gateways or install and configure your Parallels RAS Gateway on a physical or virtual machine, without purchasing additional add-ons. Parallels RAS offers every feature out of the box, from remote applications up to virtual desktop infrastructure (VDI) or remote PC. This includes built-in high availability load balancing (HALB), with the option to add a server to quickly implement more servers/users in your infrastructure without worrying about extra costs.
Get your free 30-day evaluation period of Parallels RAS and make use of gateways quickly and without any extra cost!