Jump to content
Welcome to our new Citrix community!
  • 0

Add Cloud Storefront to an existing Netscaler Gateway that is being used for On-Prem Citrix.

Eddie Santana


We currently have on-prem Netscaler Gateway vserver being used for an on-prem Xenapp.


We are slowly moving to Citrix Cloud with Cloud Storefront. I would like to have Radius authentication so I want to configure a separate Gateway vserver for that (correct?).

Normally for On-Prem Storefront I would create session policy but how to I do that with cloud hosted storefront?  

Link to comment

14 answers to this question

Recommended Posts

  • 0

Hi Eddie, apologize for the confusion, just confirmed with in internal team on something, There is a Gateway vserver that needs to be externally accessible, the authentication vserver is bound to that gateway vserver auth policy. But yes Citrix Cloud will try to authenticate with the OAuth information it generates when configuring the IAM setup. But it does this while reaching the front Gateway vserver FQDN. Sorry for the confusion on  that one when I  was going through the links.

  • Like 1
Link to comment
  • 0

Hi Eddie, if you would like to use on-premise Citrix Gateway to handle RADIUS authentication, you will need to follow these two articles, it would not be a Gateway vserver but an Authentication vserver that handles the logon order for primary LDAP and secondary RADIUS auth.




Link to comment
  • 0

Thanks Victor! Starting to make sense now. 

I tried to follow those but got stuck on the VServer. 


So I should:

  1. Create an Auth vserver with a Mapped IP and public DNS (ex. citrix.company.com)
  2. Then in Citrix Cloud>IAM>select Citrix Gateway and enter the FQDN of the Auth vserver above?
  3. Follow articles


Link to comment
  • 0

The Authentication vserver does not have to be externally accessible. You can install Cloud Connectors that can reach Citrix Cloud and are able to talk in internally with the Authentication vServer. When adding the Gateway FQDN in Cloud IAM, the platform will use the connectors to resolve the internal address of the gateway and use that communication path to present the authentication page to the users.

Link to comment
  • 0

Test Failed.


  • Created Auth vServer on Netscaler
    • Applied IP and Cert
    • Assigned internal DNS A record to that IP.
  • On each Citrix Connector server I was able to Telnet via FQDN to port 443
  • On the Citrix Cloud>IAM>Gateway it was unable to find that internal FQDN.
    • However, I put any public facing FQDN and it proceeds to next step.

Now I am really not understanding how this suppose to work.




Link to comment
  • 0

Thanks Victor for checking on this.


Just some further clarification-

  • I will create a new Gateway vserver (Public facing) with a public FQDN
    • Dedicated for Citrix Cloud and not my current On-Prem
  • On that new Gateway vserver I specify
    • Server Cert
    • Primary Auth= Radius (ns_true)
    • Authentication Profile=The one created via the doc links sent earlier (????)
    • STA Servers= The Citrix Connector servers

Please confirm if is this is correct.

Link to comment
  • 0

Implementation completed and it's now worked as expected.


I did have to add an LDAP profile/policy because I was getting "Failed to login user due to insufficient claims. Please contact your administrator."  After adding the LDAP policy to the Auth vserver, it worked. 



I do have some follow-up behavioral questions.

Since I had to create a Gateway VServer for Citrix Cloud Auth (ex. Citrix.company.com), is it possible if a User goes directly to that  Gateway vserver (Citrix.company.com) , authenticate, it will log them into the Citrix Cloud Storefront?   


Link to comment
  • 0



Watch this detailed video of the setup- https://www.youtube.com/watch?v=RGg-lAe99OA



Additionally I detailed most in this thread since I use it as a KB source for my own references.


Here are some  Prereq /Tips-

  • Create a "Gateway Vserver" before starting
    • That will have a MIP add add a DNS name to that public. This FDDN is used when selecting Gateway on Citrix Cloud.
    • At the end you will just have to add the Advanced Auth Policy you create following the steps. 
  • You may need LDAP configured if you end up getting "Failed to login user due to insufficient claims. Please contact your administrator." after doing final test. 
  • Add the Authentication factors to the Authentication vserver NOT the Gateway vserver (ran into that confusion)

Follow these articles Victor posted in first post.




Your end result will end up like this



On Gateway vServer





Link to comment
  • 0

Thanks Eddie, for the details, Just to reiterate based on the steps you shared and video please let me know if the steps below make sense. 


  1. Deploy ADC (Citrix Gateway 13.0 41.20 Advanced edition )
  2. Configure ADC

  3. Configure gateway without any (Session Profile / Policy)- (External IP/DNS)

  4. Login to Citrix cloud, Under Identity and Access Management specify the FQDN of my new URL)

  5. Back to my on prem ADC, Create an OAuth IDP policy with details provided from Citrix cloud

  6. Bind the OAuth Policy to my virtual server


Link to comment
  • 0

Sounds about right.

That FQDN is the Gateway vserver (Item3 on your list). Then you will be given the Client ID, etc, then after your Netscaler stuff is done. Click on Test and Finish.


If you get error-"Failed to login user due to insufficient claims...." either add/check LDAP settings on Auth vServer.

Also there is mention on binding priority order in the video.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...