How do I set the Citrix netscaler gateway plugin setting automatically?

[RANHO KIM]

If you install the Citrix netscaler gateway plugin, is there any way to automatically check the default value for local LAN Access?

How do I automatically check when I log in?

[Rhonda Rowland1709152125]

If you configure the session policy to apply this setting, it should override the client-side option. You can then take the client-side changes away if needed.

The session policy/profile would then be bound either to the vpn vserver or to the aaa group, depending on how you want the policy processed for some or all connections.

The setting is on the Client Experience tab under Advanced Settings.

Related settings might include split dns settings as well.

 

Settings documented in the Citrix Gateway/NetScaler Gateway admin guide and are not included in the Citrix ADC/NetScaler ADC guides...the gateway guides only.

See this section (though there used to be way more information online, than there is now).

https://docs.citrix.com/en-us/netscaler-gateway/12/vpn-user-config/configure-plugin-connections/ng-plugin-connect-internal-nw-resources-tsk.html

 

[RANHO KIM]

As shown in the figure, check the Local LAN Access in the Configure NetScaler Gateway Session Profile.
However, the Plugin does not reflect the Local LAN Access check when logging in.
Is there anything else that needs to be set up?

[Rhonda Rowland1709152125]

Which firmware version / plugin version are you running?

Are you sure this is the highest priority policy in effect, is there a chance that this setting is being overridden by another policy (what priority/bindpoint do you have this session policy assigned at).

 

 

[RANHO KIM]

Product : Citrix NetScaler VPX Enterprise Edition

Firmware Version : NS12.0.60.10.nc

Plugin Version : 12.0.60.10

 

If it's a priority, where should I check?
Isn't Global Settings a priority?

[Rhonda Rowland1709152125]

Global settings are just that global parameters.  Session policies override the global parameters.

Session policies can be bound to the vpn global, vpn vserver, aaa group, or aaa user.  

 

If you have a policy in use, then it will override the global parameters, if the profile setting has global override enabled.  If no policy sets the value, then the global parameter should be used.

In the classic policy engine, then priorities can change the precedence of a policy bind point. (highest priority overrides any bind point with lower priority).

In the advanced policy engine, then essentially policies bound to aaa user overrides aaa group; aaa group overrides vpn vserver; vpn vserver overrides vpn global. And any policy overrides global parameters.

 

To tell if you have policies bound, either look at your session policies node and check and see if any policies are bound and where and which priority. 

Then you can see if any policies conflict with your global setting.

 

Or check the running config to see which session policies are bound where.

There's not an easy way to review this.

 

 

 

 

 

[Rhonda Rowland1709152125]

Here are a few more things to help clarify...couldn't edit message after posting:

 

The screenshot you show above is a session profile and not a global parameter.   Do you have a policy pointing to this profile and have you bound the policy, otherwise it is not in use.

 

To tell if you have policies bound, either look at your session policies node and check and see if any policies are bound and where and which priority. 

Then you can see if any policies conflict with your global setting.

 

A couple of cli commands that may help:

show vpn vserver <vserver name>

show aaa group <group name>

show ns runningconfig | grep <sessionpolicy name> -i

These may help you if the policy(ies) are bound and if they are being hit.

 

If there are no other policies bound and this is the only one in effect, then it may be a bug in the vpn client.   But make sure the policy is bound and being hit.

Try uninstalling and reinstalling to see if restores the policy setting.  Or you can take the "client settings" away if user's don't need to manually change it and see if it goes into effect.

 

See if any of this helps.

 

[Siddhartha Sarmah]

The setting on session-profile, global simply enables that option for user to check it, if needed.

There is no way to force check this option as of date. 

 

 

 

 

 

[RANHO KIM]

I checked all the policies. There was no problem.
It is assumed to be a plug-in client bug.
The client cleanup prompt test results in normal operation.
However, the Local LAN Access policy is not reflected and continues uncheckboxing.

Is there anything else I know?