Monday, September 6, 2010

Pre-Logon Client Choices in Access Gateway Enterprise

By: Rick Rohne

This is an update to a previous article that I wrote about adding a pull-down menu with connection type choices on the logon page for Access Gateway Enterprise Edition. By default, Access Gateway Enterprise Edition uses group extraction and EPA scans to determine what kind of connection a user can make. Access Gateway Enterprise also has a client choices screen after authentication that lets end users make a selection. These policies may not always offer the best solution for your organization. Therefore, configuring a pre-logon client choice may be the best option.


The following are some reasons why you would give users a selection box before authentication:
1. Give users a choice to access their applications, desktops, or VPN sessions.
2. Allow users to access SharePoint, OWA, and other clientless web applications using the same URL.
3. Allow users to have more control, reducing support calls.
4. Get more out of Access Gateway Enterprise.
I created this video to give you an idea of how this can be used:


NOTE: The index.html file mentioned in this article is found under /netscaler/ns_gui/vpn.

First create a cookie on the user's workstation

This procedure creates a cookie on the user's workstation, which will be evaluated by the session policy. The name of the cookie is NSCookie.

1. Download index.html to your workstation.
2. Open the file for editing with your preferred document editor software.
3. Locate the following section:

4. Add the following on the next available line

5. The next line should read:

6. Add storeValues(this);" so that it reads:

Next create the actual pull-down menu

1. On the same index.html page locate the line that reads:

2. Add the following code.

(Note: you can add as many OPTIONS as you wish. The Value’s m(x) will be used to match up against a session policy)

3. Save the changes and copy the file to the /netscaler/ns_gui/vpn directory.
Note: make sure to back up the original file.

Create a procedure to allow the custom page to survive a reboot

1. Connect to the appliance using an SSH client such as PuTTY.
2. Type shell.
3. Make a directory on the hard drive to hold the custom file.
mkdir /var/customizations
4. Copy the modified page to the new directory.

cp /netscaler/ns_gui/vpn/index.html /var/customizations/

5. Create a startup script file called rc.netscaler under /nsconfig (if one is not already present).
cd /nsconfig
touch rc.netscaler

6. Copy the copy command into rc.netscaler.
echo cp /var/customizations/index.html /netscaler/ns_gui/vpn/index.html >> /nsconfig/rc.netscaler

Next you must modify the session policies to be based on the presence of the cookie instead of the default "true value".

The expression syntax would look similar to that shown in the screen shot below:

add vpn sessionPolicy xMyDT-pol "REQ.HTTP.HEADER Cookie CONTAINS MyDT" XD_ONLY

More Information

The user will then be given a drop-down menu on the default logon page. The cookie will be placed on their workstation and evaluated by the session policies. MyDT is the default, which should always match the user's default connection, while the other values will match other session policies.
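
Each session policy above matches on a substring of the Cookie header that the browser sends, so the option values must be unambiguous or more than one policy expression will evaluate true for the same selection. The following is an added example, not code from the original article: a small JavaScript lint for a planned set of option values. It assumes CONTAINS behaves as a substring test over the whole Cookie header; every option value other than MyDT is constructed for illustration.

```javascript
// Added example (not from the original article): lint for pre-logon choice
// values matched by policies such as "REQ.HTTP.HEADER Cookie CONTAINS MyDT".
// Assumption: CONTAINS is modelled as a substring test over the whole Cookie
// header; case is ignored so the lint errs on the side of flagging.

const COOKIE_NAME = "NSCookie"; // cookie name given in the article

// Return every choice value whose policy expression this header would satisfy.
function matchingChoices(cookieHeader, choices) {
  const header = cookieHeader.toLowerCase();
  return choices.filter((c) => header.includes(c.toLowerCase()));
}

// Flag choice values that can satisfy a policy they were not meant for.
function lintChoices(choices, otherCookieNames = []) {
  const problems = [];
  choices.forEach((a, i) => {
    const needle = a.toLowerCase();
    choices.forEach((b, j) => {
      if (i !== j && b.toLowerCase().includes(needle)) {
        problems.push(`${a}: policy also matches when ${b} is selected`);
      }
    });
    // The header carries cookie names too, so a value contained in a name
    // matches on every request that sends that cookie.
    for (const name of [COOKIE_NAME, ...otherCookieNames]) {
      if (name.toLowerCase().includes(needle)) {
        problems.push(`${a}: contained in cookie name ${name}`);
      }
    }
  });
  return problems;
}

// Constructed sample values; only MyDT appears in the article.
const ambiguous = ["MyDT", "MyDTVPN", "MyApps"];
const distinct = ["MyDT", "MyVPN", "MyApps"];

console.log(matchingChoices(`${COOKIE_NAME}=MyDTVPN`, ambiguous));
console.log(lintChoices(ambiguous));
console.log(lintChoices(distinct));
console.log(lintChoices(["Cookie"]));
```

Rename any flagged value so that no option value is contained in another value or in a cookie name before binding the session policies.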

More information on Access Gateway Enterprise