vpn-vserver¶
The following operations can be performed on "vpn-vserver":
add | rm | set | unset | bind | unbind | enable | disable | show | stat | rename | check
add vpn vserver¶
Creates a Citrix Gateway virtual server to allow authenticated users to access intranet resources, such as XenApp, XenDesktop, and web servers.
Synopsis¶
add vpn vserver <name> <serviceType> [<IPAddress> [-range <positive_integer>] [-ipset <string>]] [<port>] [-state ( ENABLED | DISABLED )] [-authentication ( ON | OFF )] [-doubleHop ( ENABLED | DISABLED )] [-maxAAAUsers <positive_integer>] [-icaOnly ( ON | OFF )] [-icaProxySessionMigration ( ON | OFF )] [-dtls ( ON | OFF )] [-loginOnce ( ON | OFF )] [-deviceCert ( ON | OFF )] [-certkeyNames <string>] [-downStateFlush ( ENABLED | DISABLED )] [-Listenpolicy <expression> [-Listenpriority <positive_integer>]] [-tcpProfileName <string>] [-httpProfileName <string>] [-comment <string>] [-appflowLog ( ENABLED | DISABLED )] [-icmpVsrResponse ( PASSIVE | ACTIVE )] [-RHIstate ( PASSIVE | ACTIVE )] [-netProfile <string>] [-cginfraHomePageRedirect ( ENABLED | DISABLED )] [-maxLoginAttempts <positive_integer> [-failedLoginTimeout <mins>]] [-l2Conn ( ON | OFF )] [-deploymentType <deploymentType>] [-rdpServerProfileName <string>] [-WindowsEPAPluginUpgrade <WindowsEPAPluginUpgrade>] [-LinuxEPAPluginUpgrade <LinuxEPAPluginUpgrade>] [-MacEPAPluginUpgrade <MacEPAPluginUpgrade>] [-logoutOnSmartcardRemoval ( ON | OFF )] [-authnProfile <string>] [-vserverFqdn <string>] [-pcoipVserverProfileName <string>] [-SameSite <SameSite>]
Arguments¶
name
Name for the Citrix Gateway virtual server. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Can be changed after the virtual server is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my server" or 'my server').
serviceType
Protocol used by the Citrix Gateway virtual server.
Possible values: SSL Default value: SSL
IPAddress
IPv4 or IPv6 address of the Citrix Gateway virtual server. Usually a public IP address. User devices send connection requests to this IP address.
range
Range of Citrix Gateway virtual server IP addresses. The consecutively numbered range of IP addresses begins with the address specified by the IP Address parameter. In the configuration utility, select Network VServer to enter a range. Default value: 1 Minimum value: 1
port
TCP port on which the virtual server listens.
ipset
The IPv4/IPv6 addresses bound to the ipset become part of the listening service on the current VPN virtual server.
state
State of the virtual server. If the virtual server is disabled, requests are not processed.
Possible values: ENABLED, DISABLED Default value: ENABLED
authentication
Require authentication for users connecting to Citrix Gateway.
Possible values: ON, OFF Default value: ON
doubleHop
Use the Citrix Gateway appliance in a double-hop configuration. A double-hop deployment provides an extra layer of security for the internal network by using three firewalls to divide the DMZ into two stages. Such a deployment can have one appliance in the DMZ and one appliance in the secure network.
Possible values: ENABLED, DISABLED Default value: DISABLED
maxAAAUsers
Maximum number of concurrent user sessions allowed on this virtual server. The actual number of users allowed to log on to this virtual server depends on the total number of user licenses. Minimum value: 0
icaOnly
- When set to ON, it implies Basic mode, where the user can log on using either Citrix Receiver or a browser and get access to the published apps configured in the XenApp/XenDesktop environment pointed to by the WIHome parameter. Users are not allowed to connect using the Citrix Gateway Plug-in, and endpoint scans cannot be configured. The number of users that can log in and access the apps is not limited by the license in this mode.
- When set to OFF, it implies Smart Access mode, where the user can log on using either Citrix Receiver, a browser, or the Citrix Gateway Plug-in. The admin can configure endpoint scans to be run on the client systems and then use the results to control access to the published apps. In this mode, the client can connect to the gateway in other client modes, namely VPN and CVPN. The number of users that can log in and access the resources is limited by the CCU licenses in this mode.
Possible values: ON, OFF Default value: OFF
icaProxySessionMigration
This option determines if an existing ICA Proxy session is transferred when the user logs on from another device.
Possible values: ON, OFF Default value: OFF
dtls
This option starts/stops the turn service on the vserver
Possible values: ON, OFF Default value: ON
loginOnce
This option enables/disables seamless SSO for this Vserver.
Possible values: ON, OFF Default value: OFF
deviceCert
Indicates whether device certificate check as a part of EPA is on or off.
Possible values: ON, OFF Default value: OFF
certkeyNames
Name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate
downStateFlush
Close existing connections when the virtual server is marked DOWN, which means the server might have timed out. Disconnecting existing connections frees resources and in certain cases speeds recovery of overloaded load balancing setups. Enable this setting on servers in which the connections can safely be closed when they are marked DOWN. Do not enable DOWN state flush on servers that must complete their transactions.
Possible values: ENABLED, DISABLED Default value: ENABLED
Listenpolicy
String specifying the listen policy for the Citrix Gateway virtual server. Can be either a named expression or an expression. The Citrix Gateway virtual server processes only the traffic for which the expression evaluates to true. Default value: "none"
Listenpriority
Integer specifying the priority of the listen policy. A higher number specifies a lower priority. If a request matches the listen policies of more than one virtual server, the virtual server whose listen policy has the highest priority (the lowest priority number) accepts the request. Default value: 101 Minimum value: 0 Maximum value: 100
tcpProfileName
Name of the TCP profile to assign to this virtual server.
httpProfileName
Name of the HTTP profile to assign to this virtual server. Default value: "nshttp_default_strict_validation"
comment
Any comments associated with the virtual server.
appflowLog
Log AppFlow records that contain standard NetFlow or IPFIX information, such as time stamps for the beginning and end of a flow, packet count, and byte count. Also log records that contain application-level information, such as HTTP web addresses, HTTP request methods and response status codes, server response time, and latency.
Possible values: ENABLED, DISABLED Default value: ENABLED
icmpVsrResponse
Criterion for responding to PING requests sent to this virtual server. If this parameter is set to ACTIVE, respond only if the virtual server is available. With the PASSIVE setting, respond even if the virtual server is not available.
Possible values: PASSIVE, ACTIVE Default value: PASSIVE
RHIstate
A host route is injected according to the setting on the virtual servers.
* If set to PASSIVE on all the virtual servers that share the IP address, the appliance always injects the host route.
* If set to ACTIVE on all the virtual servers that share the IP address, the appliance injects even if one virtual server is UP.
* If set to ACTIVE on some virtual servers and PASSIVE on the others, the appliance injects even if one virtual server set to ACTIVE is UP.
Possible values: PASSIVE, ACTIVE Default value: PASSIVE
netProfile
The name of the network profile.
cginfraHomePageRedirect
When client requests ShareFile resources and Citrix Gateway detects that the user is unauthenticated or the user session has expired, disabling this option takes the user to the originally requested ShareFile resource after authentication (instead of taking the user to the default VPN home page)
Possible values: ENABLED, DISABLED Default value: ENABLED
maxLoginAttempts
Maximum number of logon attempts Minimum value: 1 Maximum value: 255
failedLoginTimeout
Number of minutes an account will be locked if user exceeds maximum permissible attempts Minimum value: 1
l2Conn
Use Layer 2 parameters (channel number, MAC address, and VLAN ID) in addition to the 4-tuple (<source IP>:<source port>::<destination IP>:<destination port>) that is used to identify a connection. Allows multiple TCP and non-TCP connections with the same 4-tuple to coexist on the Citrix ADC.
Possible values: ON, OFF
deploymentType
rdpServerProfileName
Name of the RDP server profile associated with the vserver.
WindowsEPAPluginUpgrade
Option to set plugin upgrade behaviour for Windows.
Possible values: Always, Essential, Never
LinuxEPAPluginUpgrade
Option to set plugin upgrade behaviour for Linux
Possible values: Always, Essential, Never
MacEPAPluginUpgrade
Option to set plugin upgrade behaviour for Mac
Possible values: Always, Essential, Never
logoutOnSmartcardRemoval
Option to set VPN plugin behavior when the smartcard or its reader is removed.
Possible values: ON, OFF Default value: OFF
authnProfile
Authentication Profile entity on the virtual server. This entity can be used to offload authentication to an AAA vserver for multi-factor (nFactor) authentication.
vserverFqdn
Fully qualified domain name for a VPN virtual server. This is used during StoreFront configuration generation.
pcoipVserverProfileName
Name of the PCoIP vserver profile associated with the vserver.
SameSite
SameSite attribute value for Cookies generated in VPN context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite
Possible values: None, LAX, STRICT
Example¶
The following example creates a VPN virtual server named myvpnvip that supports the SSL protocol and has AAA functionality enabled:
add vpn vserver myvpnvip SSL 65.219.17.34 443 -authentication ON
rm vpn vserver¶
Removes a Citrix Gateway virtual server. Policies that are bound to the virtual server are automatically unbound.
Synopsis¶
rm vpn vserver <name>@ ...
Arguments¶
name
Name of the virtual server to remove.
Example¶
rm vpn vserver vpn_vip
set vpn vserver¶
Modifies the specified parameters of a Citrix Gateway virtual server.
Synopsis¶
set vpn vserver <name> [-IPAddress <ip_addr|ipv6_addr|*>] [-ipset <string>] [-authentication ( ON | OFF )] [-doubleHop ( ENABLED | DISABLED )] [-icaOnly ( ON | OFF )] [-icaProxySessionMigration ( ON | OFF )] [-dtls ( ON | OFF )] [-loginOnce ( ON | OFF )] [-deviceCert ( ON | OFF )] [-certkeyNames <string>] [-maxAAAUsers <positive_integer>] [-downStateFlush ( ENABLED | DISABLED )] [-Listenpolicy <expression>] [-Listenpriority <positive_integer>] [-tcpProfileName <string>] [-httpProfileName <string>] [-comment <string>] [-appflowLog ( ENABLED | DISABLED )] [-icmpVsrResponse ( PASSIVE | ACTIVE )] [-RHIstate ( PASSIVE | ACTIVE )] [-netProfile <string>] [-cginfraHomePageRedirect ( ENABLED | DISABLED )] [-maxLoginAttempts <positive_integer>] [-rdpServerProfileName <string>] [-failedLoginTimeout <mins>] [-l2Conn ( ON | OFF )] [-WindowsEPAPluginUpgrade <WindowsEPAPluginUpgrade>] [-MacEPAPluginUpgrade <MacEPAPluginUpgrade>] [-LinuxEPAPluginUpgrade <LinuxEPAPluginUpgrade>] [-logoutOnSmartcardRemoval ( ON | OFF )] [-authnProfile <string>] [-vserverFqdn <string>] [-pcoipVserverProfileName <string>] [-SameSite <SameSite>]
Arguments¶
name
Name of the virtual server to modify.
IPAddress
IPv4 or IPv6 address of the Citrix Gateway virtual server. Usually a public IP address. User devices send connection requests to this IP address.
ipset
The IPv4/IPv6 addresses bound to the ipset become part of the listening service on the current VPN virtual server.
authentication
Require authentication for users connecting to Citrix Gateway.
Possible values: ON, OFF Default value: ON
doubleHop
Use the Citrix Gateway appliance in a double-hop configuration. A double-hop deployment provides an extra layer of security for the internal network by using three firewalls to divide the DMZ into two stages. Such a deployment can have one appliance in the DMZ and one appliance in the secure network.
Possible values: ENABLED, DISABLED Default value: DISABLED
icaOnly
- When set to ON, it implies Basic mode, where the user can log on using either Citrix Receiver or a browser and get access to the published apps configured in the XenApp/XenDesktop environment pointed to by the WIHome parameter. Users are not allowed to connect using the Citrix Gateway Plug-in, and endpoint scans cannot be configured. The number of users that can log in and access the apps is not limited by the license in this mode.
- When set to OFF, it implies Smart Access mode, where the user can log on using either Citrix Receiver, a browser, or the Citrix Gateway Plug-in. The admin can configure endpoint scans to be run on the client systems and then use the results to control access to the published apps. In this mode, the client can connect to the gateway in other client modes, namely VPN and CVPN. The number of users that can log in and access the resources is limited by the CCU licenses in this mode.
Possible values: ON, OFF Default value: OFF
icaProxySessionMigration
This option determines if an existing ICA Proxy session is transferred when the user logs on from another device.
Possible values: ON, OFF Default value: OFF
dtls
This option starts/stops the turn service on the vserver
Possible values: ON, OFF Default value: ON
loginOnce
This option enables/disables seamless SSO for this Vserver.
Possible values: ON, OFF Default value: OFF
deviceCert
Indicates whether device certificate check as a part of EPA is enabled or not.
Possible values: ON, OFF Default value: OFF
certkeyNames
Name of the certkey which was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate
maxAAAUsers
Maximum number of concurrent user sessions allowed on this virtual server. The actual number of users allowed to log on to this virtual server depends on the total number of user licenses. Minimum value: 0
downStateFlush
Close existing connections when the virtual server is marked DOWN, which means the server might have timed out. Disconnecting existing connections frees resources and in certain cases speeds recovery of overloaded load balancing setups. Enable this setting on servers in which the connections can safely be closed when they are marked DOWN. Do not enable DOWN state flush on servers that must complete their transactions.
Possible values: ENABLED, DISABLED Default value: ENABLED
Listenpolicy
String specifying the listen policy for the Citrix Gateway virtual server. Can be either a named expression or an expression. The Citrix Gateway virtual server processes only the traffic for which the expression evaluates to true. Default value: "none"
Listenpriority
Integer specifying the priority of the listen policy. A higher number specifies a lower priority. If a request matches the listen policies of more than one virtual server, the virtual server whose listen policy has the highest priority (the lowest priority number) accepts the request. Default value: 101 Minimum value: 0 Maximum value: 100
tcpProfileName
Name of the TCP profile to assign to this virtual server.
httpProfileName
Name of the HTTP profile to assign to this virtual server. Default value: "nshttp_default_strict_validation"
comment
Any comments associated with the virtual server.
appflowLog
Log AppFlow records that contain standard NetFlow or IPFIX information, such as time stamps for the beginning and end of a flow, packet count, and byte count. Also log records that contain application-level information, such as HTTP web addresses, HTTP request methods and response status codes, server response time, and latency.
Possible values: ENABLED, DISABLED Default value: ENABLED
icmpVsrResponse
Criterion for responding to PING requests sent to this virtual server. If this parameter is set to ACTIVE, respond only if the virtual server is available. With the PASSIVE setting, respond even if the virtual server is not available.
Possible values: PASSIVE, ACTIVE Default value: PASSIVE
RHIstate
A host route is injected according to the setting on the virtual servers.
* If set to PASSIVE on all the virtual servers that share the IP address, the appliance always injects the host route.
* If set to ACTIVE on all the virtual servers that share the IP address, the appliance injects even if one virtual server is UP.
* If set to ACTIVE on some virtual servers and PASSIVE on the others, the appliance injects even if one virtual server set to ACTIVE is UP.
Possible values: PASSIVE, ACTIVE Default value: PASSIVE
netProfile
The name of the network profile.
cginfraHomePageRedirect
When client requests ShareFile resources and Citrix Gateway detects that the user is unauthenticated or the user session has expired, disabling this option takes the user to the originally requested ShareFile resource after authentication (instead of taking the user to the default VPN home page)
Possible values: ENABLED, DISABLED Default value: ENABLED
maxLoginAttempts
Maximum number of logon attempts Minimum value: 1 Maximum value: 255
rdpServerProfileName
Name of the RDP server profile associated with the vserver.
failedLoginTimeout
Number of minutes an account will be locked if user exceeds maximum permissible attempts Minimum value: 1
l2Conn
Use Layer 2 parameters (channel number, MAC address, and VLAN ID) in addition to the 4-tuple (<source IP>:<source port>::<destination IP>:<destination port>) that is used to identify a connection. Allows multiple TCP and non-TCP connections with the same 4-tuple to coexist on the Citrix ADC.
Possible values: ON, OFF
WindowsEPAPluginUpgrade
Option to set plugin upgrade behaviour for Windows.
Possible values: Always, Essential, Never
MacEPAPluginUpgrade
Option to set plugin upgrade behaviour for Mac
Possible values: Always, Essential, Never
LinuxEPAPluginUpgrade
Option to set plugin upgrade behaviour for Linux
Possible values: Always, Essential, Never
logoutOnSmartcardRemoval
Option to set VPN plugin behavior when the smartcard or its reader is removed.
Possible values: ON, OFF Default value: OFF
authnProfile
Authentication Profile entity on the virtual server. This entity can be used to offload authentication to an AAA vserver for multi-factor (nFactor) authentication.
vserverFqdn
Fully qualified domain name for a VPN virtual server. This is used during StoreFront configuration generation.
pcoipVserverProfileName
Name of the PCoIP vserver profile associated with the vserver.
SameSite
SameSite attribute value for Cookies generated in VPN context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite
Possible values: None, LAX, STRICT
unset vpn vserver¶
Use this command to remove vpn vserver settings. Refer to the set vpn vserver command for the meanings of the arguments.
Synopsis¶
unset vpn vserver <name> [-ipset] [-authentication] [-doubleHop] [-icaOnly] [-icaProxySessionMigration] [-dtls] [-loginOnce] [-deviceCert] [-certkeyNames] [-maxAAAUsers] [-downStateFlush] [-Listenpolicy] [-Listenpriority] [-tcpProfileName] [-httpProfileName] [-comment] [-appflowLog] [-icmpVsrResponse] [-RHIstate] [-netProfile] [-cginfraHomePageRedirect] [-maxLoginAttempts] [-rdpServerProfileName] [-l2Conn] [-WindowsEPAPluginUpgrade] [-MacEPAPluginUpgrade] [-LinuxEPAPluginUpgrade] [-logoutOnSmartcardRemoval] [-authnProfile] [-vserverFqdn] [-pcoipVserverProfileName] [-SameSite]
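The add, set and unset commands above determine the effective authentication and lockout settings of each virtual server. The following is an added example, not part of the Citrix documentation: it replays those three commands from saved configuration text and lists review points. The sample lines are constructed, the three checks are this example's own choices, and option names are compared case-insensitively here as an assumption.

```python
import shlex

# Defaults as stated in the argument descriptions on this page (keys lowercased).
DEFAULTS = {"authentication": "ON", "devicecert": "OFF", "loginonce": "OFF"}

# Constructed sample configuration lines; names and addresses are made up.
SAMPLE_CONF = """\
add vpn vserver gw_prod SSL 192.0.2.10 443 -maxLoginAttempts 5 -failedLoginTimeout 15
add vpn vserver "gw test" SSL 192.0.2.11 443 -authentication OFF
add vpn vserver gw_partner SSL 192.0.2.12 443 -maxLoginAttempts 5
set vpn vserver gw_partner -authentication OFF -comment "temporary change"
unset vpn vserver gw_partner -authentication
"""


def parse_line(line):
    """Return (verb, name, positionals, options) for an add/set/unset
    'vpn vserver' command, or None for any other line."""
    tokens = shlex.split(line)  # honours the quoting rule for names with spaces
    if len(tokens) < 4 or [t.lower() for t in tokens[1:3]] != ["vpn", "vserver"]:
        return None
    verb, name, rest = tokens[0].lower(), tokens[3], tokens[4:]
    if verb not in ("add", "set", "unset"):
        return None
    positionals, options, i = [], {}, 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("-"):
            key = tok[1:].lower()
            if verb == "unset":
                options[key] = None           # unset takes bare option names
            elif i + 1 < len(rest):
                options[key] = rest[i + 1]    # add/set take "-option value"
                i += 1
        else:
            positionals.append(tok)           # serviceType, IPAddress, port
        i += 1
    return verb, name, positionals, options


def effective_settings(conf_text):
    """Replay the commands in order and return {vserver name: settings}."""
    servers = {}
    for line in conf_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        verb, name, _positionals, options = parsed
        if verb == "add":
            servers[name] = dict(DEFAULTS, **options)
        elif name in servers and verb == "set":
            servers[name].update(options)
        elif name in servers:                 # unset: back to default or absent
            for key in options:
                if key in DEFAULTS:
                    servers[name][key] = DEFAULTS[key]
                else:
                    servers[name].pop(key, None)
    return servers


def audit(conf_text):
    """Return (vserver, finding) pairs for the three review points."""
    findings = []
    for name, cfg in effective_settings(conf_text).items():
        if cfg["authentication"].upper() == "OFF":
            findings.append((name, "authentication is OFF"))
        if "maxloginattempts" not in cfg:
            findings.append((name, "maxLoginAttempts not set"))
        elif "failedlogintimeout" not in cfg:
            findings.append((name, "failedLoginTimeout not set"))
    return findings


if __name__ == "__main__":
    for vserver, finding in audit(SAMPLE_CONF):
        print(f"{vserver}: {finding}")
```

Because a later unset returns authentication to its default of ON, gw_partner is not reported for authentication even though an earlier set line turned it off.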
bind vpn vserver¶
Binds attributes to the specified Citrix Gateway virtual server.
Synopsis¶
bind vpn vserver <name> [-policy <string> [-priority <positive_integer>] [-secondary] [-groupExtraction] [-gotoPriorityExpression <expression>] [-type <type>]] [-intranetApplication <string>] [-nextHopServer <string>] [-urlName <string>] [-intranetIP <ip_addr> <netmask> ] [-intranetIP6 <ip_addr|ipv6_addr|*> <numaddr>] [-staServer <URL> [-staAddressType ( IPV4 | IPV6 )]] [-appController <URL>] [-sharefile <string>] [-portaltheme <string>] [-eula <string>] [-analyticsProfile <string>]
Arguments¶
name
Name of the virtual server.
policy
Name of a policy to bind to the virtual server (for example, the name of an authentication, session, or endpoint analysis policy).
priority
Integer specifying the policy's priority. The lower the number, the higher the priority. Policies are evaluated in the order of their priority numbers. Maximum value for default syntax policies is 2147483647 and for classic policies is 64000. Minimum value: 0 Maximum value: 2147483647
secondary
Binds the authentication policy as the secondary policy to use in a two-factor configuration. A user must then authenticate not only via a primary authentication method but also via a secondary authentication method. User groups are aggregated across both. The user name must be exactly the same for both authentication methods, but they can require different passwords.
groupExtraction
Binds the authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.
gotoPriorityExpression
Applicable only to advanced VPN session policies. Expression or other value specifying the next policy to evaluate if the current policy evaluates to TRUE. Specify one of the following values:
* NEXT - Evaluate the policy with the next higher priority number.
* END - End policy evaluation.
* An expression that evaluates to a number.
If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:
* If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.
* If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.
* If the expression evaluates to a number that is larger than the largest numbered priority, policy evaluation ends.
An UNDEF event is triggered if:
* The expression is invalid.
* The expression evaluates to a priority number that is numerically lower than the current policy's priority.
* The expression evaluates to a priority number that is between the current policy's priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.
type
Bind point to which to bind the policy. Applies only to rewrite and cache policies. If you do not set this parameter, the policy is bound to REQ_DEFAULT or RES_DEFAULT, depending on whether the policy rule is a response-time or a request-time expression.
Possible values: REQUEST, RESPONSE, ICA_REQUEST, OTHERTCP_REQUEST
intranetApplication
Name of the application to bind to the virtual server. Intranet applications are used to enable access to selected applications located in the internal network. They are required for any user connecting with the Citrix Gateway Plug-in for Java.
nextHopServer
Name of the next hop server to bind to the virtual server.
urlName
Web address of the next hop virtual server to bind to the virtual server.
intranetIP
The network ID for the range of intranet IP addresses or individual intranet IP addresses to be bound to the virtual server.
netmask
A range of IP addresses in an address pool, bound to a virtual server. When users log on, Citrix Gateway assigns an IP address from the pool.
intranetIP6
The network ID for the range of intranet IPv6 addresses or individual intranet IPv6 addresses to be bound to the virtual server.
numaddr
A range of IP addresses in an address pool, bound to a virtual server. When users log on, Access Gateway assigns an IP address from the pool. Minimum value: 1
staServer
Web address of the Secure Ticket Authority (STA) server, in the following format: 'http(s)://FQDN/URLPATH'
staAddressType
Type of the STA server address (IPv4 or IPv6).
Possible values: IPV4, IPV6
appController
App Controller server, in the format 'http(s)://IP/FQDN'
sharefile
ShareFile server, in the format 'IP:PORT / FQDN:PORT'
portaltheme
Name of Portal theme to bind to vpn vserver
eula
Name of EULA to bind to vpn vserver
analyticsProfile
bind lb vserver <vserver_name> -analyticsProfile <analytics-profile-name>.
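The gotoPriorityExpression rules described under bind vpn vserver decide which bound session policy runs next, so a mistyped target can end a chain in UNDEF. The following is an added example, not Citrix code, that models those rules and walks a chain of bindings. The policy names and bindings are constructed, and two behaviours are assumptions because the page does not state them: a policy whose rule is FALSE passes evaluation to the next priority, and NEXT on the last policy ends evaluation.

```python
def resolve_goto(priorities, current, goto):
    """Apply the gotoPriorityExpression rules for a policy that evaluated TRUE.

    priorities: priority numbers configured at the bind point
    current:    priority of the policy that just evaluated TRUE
    goto:       "NEXT", "END", the integer the expression evaluated to,
                or None for an invalid expression
    Returns ("GOTO", priority), ("END", None) or ("UNDEF", None).
    """
    ordered = sorted(priorities)
    following = [p for p in ordered if p > current]
    if goto == "END":
        return ("END", None)
    if goto == "NEXT" or goto == current:
        # Next higher priority number; nothing left means evaluation ends (assumption).
        return ("GOTO", following[0]) if following else ("END", None)
    if not isinstance(goto, int) or goto < current:
        return ("UNDEF", None)      # invalid expression, or a backwards jump
    if goto > ordered[-1]:
        return ("END", None)        # larger than the largest configured priority
    if goto in ordered:
        return ("GOTO", goto)
    return ("UNDEF", None)          # inside the range but not a configured priority


def evaluate(bindings, true_rules):
    """Walk bindings [(priority, policy_name, goto), ...] in priority order.

    true_rules is the set of policy names whose rule evaluates TRUE for the
    request. Returns (names of policies that applied, final outcome).
    """
    by_priority = {prio: (name, goto) for prio, name, goto in bindings}
    ordered = sorted(by_priority)
    applied = []
    current = ordered[0] if ordered else None
    while current is not None:
        name, goto = by_priority[current]
        if name in true_rules:
            applied.append(name)
            action, target = resolve_goto(ordered, current, goto)
        else:
            # Assumption: a FALSE rule simply passes to the next priority.
            action, target = resolve_goto(ordered, current, "NEXT")
        if action != "GOTO":
            return applied, action
        current = target            # always higher than before, so this terminates
    return applied, "END"


# Constructed bindings; the policy names are hypothetical.
BINDINGS = [
    (10, "pol_base", "NEXT"),
    (20, "pol_contractor", 40),
    (30, "pol_staff", "END"),
    (40, "pol_epa", "END"),
]
# Same chain with a goto target (25) that matches no configured priority.
BROKEN = [(10, "pol_base", 25), (20, "pol_contractor", "END"), (30, "pol_staff", "END")]

if __name__ == "__main__":
    everything = {"pol_base", "pol_contractor", "pol_staff", "pol_epa"}
    print(evaluate(BINDINGS, everything))
    print(evaluate(BROKEN, everything))
    # The case from the text: priorities 10..100 in steps of 10, current 30, result 85.
    print(resolve_goto(range(10, 101, 10), 30, 85))
```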
unbind vpn vserver¶
Unbinds the specified attributes from a virtual server.
Synopsis¶
unbind vpn vserver <name> [-policy <string> [-secondary] [-groupExtraction] [-type <type>]] [-intranetApplication <string>] [-nextHopServer <string>] [-urlName <string>] [-intranetIP <ip_addr> <netmask>] [-intranetIP6 <ip_addr|ipv6_addr|*> <numaddr>] [-staServer <URL>] [-appController <URL>] [-sharefile <string>] [-portaltheme <string>] [-eula <string>] [-analyticsProfile <string>]
Arguments¶
name
Name of the virtual server from which to unbind an attribute.
policy
Name of the policy to unbind from the virtual server.
secondary
Binds the authentication policy as the secondary policy to use in a two-factor configuration. A user must then authenticate not only via a primary authentication method but also via a secondary authentication method. User groups are aggregated across both. The user name must be exactly the same for both authentication methods, but they can require different passwords.
groupExtraction
Binds the authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.
type
Bind point from which to unbind the policy.
Possible values: REQUEST, RESPONSE, ICA_REQUEST, OTHERTCP_REQUEST
intranetApplication
Name of intranet application to unbind from the virtual server.
nextHopServer
Name of the next hop server to remove.
urlName
Web address of the next hop virtual server to unbind.
intranetIP
The range of IP addresses to unbind from the virtual server.
netmask
The netmask of the intranet IP address or range.
intranetIP6
The range of IP addresses to unbind from the virtual server.
numaddr
The number of ipv6 addresses Minimum value: 1
staServer
Web address of the Secure Ticket Authority (STA) server to remove, in the following format: 'http(s)://FQDN/URLPATH'
appController
App Controller server to be removed, in the format 'http(s)://IP/FQDN'
sharefile
ShareFile server to be removed, in the format 'IP:PORT / FQDN:PORT'
portaltheme
Name of the Portal theme to unbind from vpn vserver
eula
Name of EULA to unbind from vpn vserver
analyticsProfile
unbind lb vserver <vserver_name> -analyticsProfile <analytics-profile-name>.
enable vpn vserver¶
Enables a Citrix Gateway virtual server. Note: Virtual servers, when added, are enabled by default.
Synopsis¶
enable vpn vserver <name>@
Arguments¶
name
Name of the virtual server to be enabled.
Example¶
enable vpn vserver vpn1
disable vpn vserver¶
Disables a Citrix Gateway virtual server. The virtual server is taken out of service.
Synopsis¶
disable vpn vserver <name>@
Arguments¶
name
Name of the virtual server to be disabled. The Citrix Gateway still responds to ARP and/or PING requests for the IP address of the virtual server. You can enable the Citrix Gateway virtual server again at any time, because the virtual server is still configured.
Example¶
disable vpn vserver lb_vip
show vpn vserver¶
Displays information about all the configured Citrix Gateway virtual servers, or displays detailed information about the specified Citrix Gateway virtual server.
Synopsis¶
show vpn vserver [<name>]
show vpn vserver stats - alias for 'stat vpn vserver'
Arguments¶
name
Name of the Citrix Gateway virtual server for which to show detailed information.
Output¶
IPAddress
The Virtual IP address of the VPN virtual server.
IPAddress
The IP address of the virtual server.
value
Indicates whether or not the certificate is bound or if SSL offload is disabled.
port
The virtual TCP port of the VPN virtual server.
range
The range of VPN virtual server IP addresses. The new range of VPN virtual servers will have IP addresses consecutively numbered, starting with the primary address specified with the <ipaddress> argument.
ipset
The IPv4/IPv6 addresses bound to the ipset become part of the listening service on the current VPN virtual server.
serviceType
The VPN virtual server's protocol type. Currently, the only possible value is SSL.
type
The type of virtual server; for example, CONTENT based or ADDRESS based.
state
The current state of the virtual server, as UP, DOWN, BUSY, and so on.
status
Whether or not this virtual server responds to ARPs and whether or not round-robin selection is temporarily in effect.
cacheType
Virtual server cache type. The options are: TRANSPARENT, REVERSE, and FORWARD.
redirect
The cache redirect policy. The valid redirect policies are:
1. CACHE - Directs all requests to the cache.
2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.
3. ORIGIN - Directs all requests to the origin server.
precedence
This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.
* URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.
* RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.
For all URL-based policies, the precedence hierarchy is:
1. Domain and exact URL
2. Domain, prefix, and suffix
3. Domain and suffix
4. Domain and prefix
5. Domain only
6. Exact URL
7. Prefix and suffix
8. Suffix only
9. Prefix only
10. Default
redirectURL
The URL where traffic is redirected if the virtual server in system becomes unavailable. WARNING! Make sure that the domain you specify in the URL does not match the domain specified in the -d domainName argument of the add cs policy command. If the same domain is specified in both arguments, the request will be continuously redirected to the same unavailable virtual server in the system. If so, the user may not get the requested content.
authentication
Indicates whether or not authentication is being applied to incoming users to the VPN.
doubleHop
Indicates whether double-hop functionality is enabled or not.
icaOnly
Indicates whether an ICA only license feature is enabled or not.
icaProxySessionMigration
This option determines if an existing ICA Proxy session is transferred when the user logs on from another device.
dtls
This option starts/stops Turn service on the vserver
loginOnce
This option enables/disables seamless SSO for this Vserver.
advancedEpa
Indicates whether advanced EPA feature is enabled or not.
deviceCert
Indicates whether device certificate check as a part of EPA is enabled or not.
certkeyNames
Name of the certificate key which was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate
maxAAAUsers
The maximum number of concurrent users allowed to log on into this virtual server at a time.
curAAAUsers
The number of current users logged on to this virtual server.
curTotalUsers
The total number of current users connected through this virtual server.
domain
The domain name of the server for which a service needs to be added. If the IP address has been specified, the domain name does not need to be specified.
rule
The name of the rule, or expression, if any, that policy for the VPN server is to use. Rules are combinations of expressions. Expressions are simple conditions, such as a test for equality, applied to operands, such as a URL string or an IP address. Expression syntax is described in the Installation and Configuration Guide. The default rule is true.
policyName
The name of the policy, if any, bound to the VPN virtual server.
policy
The name of the policy, if any, bound to the VPN virtual server.
serviceName
The name of the service, if any, to which the virtual server policy is bound.
weight
Weight for this service, if any. This weight is used when the system performs load balancing, giving greater priority to a specific service. It is useful when the services bound to a virtual server are of different capacity.
cacheVserver
The name of the default target cache virtual server, if any, to which requests are redirected.
backupVServer
The name of the backup VPN virtual server for this VPN virtual server.
priority
Integer specifying the policy's priority. The lower the number, the higher the priority. Policies are evaluated in the order of their priority numbers. Maximum value for default syntax policies is 2147483647 and for classic policies is 64000.
cltTimeout
The idle time, if any, in seconds after which the client connection is terminated.
soMethod
VPN client applications are allocated from a block of intranet IP addresses. That block may be exhausted after a certain number of connections. This switch specifies the method used to determine whether or not a new connection will spill over, or exhaust, the allocated block of intranet IP addresses for that application. Possible values are CONNECTION or DYNAMICCONNECTION. CONNECTION means that a static integer value is the hard limit for the spillover threshold. The spillover threshold is described below. DYNAMICCONNECTION means that the spillover threshold is set according to the maximum number of connections defined for the VPN virtual server.
soThreshold
VPN client applications are allocated from a block of intranet IP addresses. That block may be exhausted after a certain number of connections. The value of this option is the number of client connections after which the mapped IP address is used as the client source IP address instead of an address from the allocated block of intranet IP addresses.
soPersistence
Whether or not cookie-based site persistence is enabled for this VPN vserver. Possible values are ConnectionProxy, HTTPRedirect, or NONE.
soPersistenceTimeOut
The timeout, if any, for cookie-based site persistence of this VPN vserver.
actType
intranetApplication
The intranet VPN application.
nextHopServer
The name of the next hop server bound to the VPN virtual server.
urlName
The intranet URL.
intranetIP
The network ID for the range of intranet IP addresses or individual intranet IP addresses to be bound to the virtual server.
netmask
The netmask of the intranet IP address or range.
intranetIP6
The network ID for the range of intranet IPv6 addresses or individual intranet IPv6 addresses to be bound to the vserver.
numaddr
The number of IPv6 addresses.
staServer
Configured Secure Ticketing Authority (STA) server.
staAddressType
Type of the STA server address (IPv4/IPv6).
staAuthID
Authority ID of the STA Server. Authority ID is used to match incoming STA tickets in the SOCKS/CGP protocol with the right STA server.
staState
State of the STA Server. If Authority ID is set then STA Server is UP else DOWN.
appController
Configured App Controller server in XenMobile deployment.
sharefile
Configured ShareFile server in XenMobile deployment. Format IP:PORT / FQDN:PORT
useMIP
Deprecated. See 'map' below.
map
Whether or not mapped IP addresses are ON or OFF. Mapped IP addresses are source IP addresses for the virtual servers running on the Citrix ADC. Mapped IP addresses are used by the system to connect to the backend servers.
downStateFlush
Close existing connections when the virtual server is marked DOWN, which means the server might have timed out. Disconnecting existing connections frees resources and in certain cases speeds recovery of overloaded load balancing setups. Enable this setting on servers in which the connections can safely be closed when they are marked DOWN. Do not enable DOWN state flush on servers that must complete their transactions.
type
Bindpoint to which the policy is bound.
gotoPriorityExpression
Next priority expression.
disablePrimaryOnDown
Tells whether traffic will continue reaching backup virtual servers even after the primary virtual server comes UP from DOWN state.
Listenpolicy
The listen policy string configured for the VPN vserver.
Listenpriority
This parameter is the priority for listen policy of VPN Vserver.
tcpProfileName
Name of the TCP profile to assign to this virtual server.
httpProfileName
Name of the HTTP profile to assign to this virtual server.
policySubType
stateflag
flags
comment
Any comments associated with the virtual server.
appflowLog
Log AppFlow records that contain standard NetFlow or IPFIX information, such as time stamps for the beginning and end of a flow, packet count, and byte count. Also log records that contain application-level information, such as HTTP web addresses, HTTP request methods and response status codes, server response time, and latency.
icmpVsrResponse
Criterion for responding to PING requests sent to this virtual server. If this parameter is set to ACTIVE, respond only if the virtual server is available. With the PASSIVE setting, respond even if the virtual server is not available.
RHIstate
A host route is injected according to the setting on the virtual servers. * If set to PASSIVE on all the virtual servers that share the IP address, the appliance always injects the hostroute. * If set to ACTIVE on all the virtual servers that share the IP address, the appliance injects even if one virtual server is UP. * If set to ACTIVE on some virtual servers and PASSIVE on the others, the appliance injects even if one virtual server set to ACTIVE is UP.
netProfile
The name of the network profile.
cginfraHomePageRedirect
When a client requests ShareFile resources and Citrix Gateway detects that the user is unauthenticated or the user session has expired, disabling this option takes the user to the originally requested ShareFile resource after authentication (instead of taking the user to the default VPN home page).
maxLoginAttempts
Maximum number of logon attempts.
failedLoginTimeout
Number of minutes an account will be locked if the user exceeds the maximum permissible attempts.
secondary
Binds the authentication policy as the secondary policy to use in a two-factor configuration. A user must then authenticate not only via a primary authentication method but also via a secondary authentication method. User groups are aggregated across both. The user name must be exactly the same for both authentication methods, but they can require different passwords.
groupExtraction
Binds the authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.
deploymentType
WindowsEPAPluginUpgrade
Option to set plugin upgrade behaviour for Windows.
LinuxEPAPluginUpgrade
Option to set plugin upgrade behaviour for Linux.
MacEPAPluginUpgrade
Option to set plugin upgrade behaviour for Mac.
logoutOnSmartcardRemoval
Option to set VPN plugin behavior when the smartcard or its reader is removed.
epaprofile
Advanced EPA profile to bind
epaprofileoptional
Mark the EPA profile optional for preauthentication EPA profile. User would be shown a logon page even if the EPA profile fails to evaluate.
rdpServerProfileName
Name of the RDP server profile associated with the vserver.
ngname
Node group devno to which this authentication virtual server belongs.
state
State of the virtual server. If the virtual server is disabled, requests are not processed.
vstype
Virtual Server Type, such as Load Balancing, Content Switch, Cache Redirection
l2Conn
Use Layer 2 parameters (channel number, MAC address, and VLAN ID) in addition to the 4-tuple (<source IP>:<source port>::<destination IP>:<destination port>) that is used to identify a connection. Allows multiple TCP and non-TCP connections with the same 4-tuple to coexist on the Citrix ADC.
portaltheme
Name of the portal theme bound to VPN vserver
eula
Name of the EULA bound to VPN vserver
userDomains
List of user domains specified as comma-separated values.
csVserver
Name of the CS vserver to which the VPN vserver is bound
authnProfile
Authentication Profile entity on virtual server. This entity can be used to offload authentication to AAA vserver for multi-factor (nFactor) authentication.
vserverFqdn
Fully qualified domain name for a VPN virtual server. This is used during StoreFront configuration generation.
pcoipVserverProfileName
Name of the PCoIP vserver profile associated with the vserver.
analyticsProfile
Name of the analytics profile bound to the VPN Vserver
noDefaultBindings
Determines whether the configuration will have default SSL cipher and ECC curve bindings.
SameSite
SameSite attribute value for cookies generated in VPN context. This attribute value will be appended only for the cookies which are specified in the built-in patset ns_cookies_samesite.
devno
count
Example¶
show vpn vserver
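The logon-control and cookie arguments described above (authentication, maxLoginAttempts, failedLoginTimeout, SameSite) can be checked offline against saved configuration lines. The following is an added example, not part of the Citrix documentation or product: it assumes the configuration is available as text in the add vpn vserver synopsis form, the virtual server names, addresses and option values are constructed, and the audit rules (including treating authentication as ON when the option is absent) are assumptions to adapt to local policy.

```python
import shlex

# Constructed sample lines in "add vpn vserver" syntax; names/addresses are made up.
SAMPLE_CONFIG = """\
add vpn vserver gw_ext SSL 203.0.113.10 443 -maxLoginAttempts 5 -failedLoginTimeout 15 -icmpVsrResponse ACTIVE -SameSite STRICT
add vpn vserver gw_lab SSL 203.0.113.11 443 -authentication OFF -maxAAAUsers 50
add vpn vserver "gw legacy" SSL 203.0.113.12 443 -maxLoginAttempts 10 -downStateFlush ENABLED
add lb vserver web1 HTTP 192.0.2.5 80
"""

def parse_vpn_vservers(text):
    """Return {name: {option: value}} for every 'add vpn vserver' line."""
    servers = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours quoted names such as "my server"
        if tokens[:3] != ["add", "vpn", "vserver"] or len(tokens) < 5:
            continue
        name, opts, i = tokens[3], {"serviceType": tokens[4]}, 5
        while i < len(tokens):
            if tokens[i].startswith("-") and i + 1 < len(tokens):
                opts[tokens[i][1:].lower()] = tokens[i + 1]  # -flag value pair
                i += 2
            else:
                i += 1  # positional IP address / port
        servers[name] = opts
    return servers

def audit(opts):
    """Return findings for one virtual server (rules are local-policy assumptions)."""
    findings = []
    # Assumption: authentication is treated as ON when the option is absent.
    if opts.get("authentication", "ON").upper() == "OFF":
        findings.append("authentication is OFF")
    if "maxloginattempts" not in opts:
        findings.append("maxLoginAttempts not set")
    elif "failedlogintimeout" not in opts:
        findings.append("maxLoginAttempts set without failedLoginTimeout")
    if "samesite" not in opts:
        findings.append("SameSite not set for VPN cookies")
    return findings

def audit_config(text):
    return {name: audit(o) for name, o in parse_vpn_vservers(text).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```
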
stat vpn vserver¶
Displays statistics for all Citrix Gateway virtual servers, or displays detailed statistics for the specified Citrix Gateway virtual server.
Synopsis¶
stat vpn vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]
Arguments¶
name
Name of the virtual server for which to show detailed statistics.
detail
Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.
fullValues
Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated.
ntimes
The number of times, in intervals of seven seconds, the statistics should be displayed.
Default value: 1
Minimum value: 0
logFile
The name of the log file to be used as input.
clearstats
Clear the statistics / counters.
Possible values: basic, full
Output¶
count
devno
stateflag
Counters¶
IP address (IP)
The IP address on which the service is running.
Port (port)
The port on which the service is running.
Vserver protocol (Protocol)
Protocol associated with the vserver
State
Current state of the server. There are seven possible values: UP(7), DOWN(1), UNKNOWN(2), BUSY(3), OFS(Out of Service)(4), TROFS(Transition Out of Service)(5), TROFS_DOWN(Down When going Out of Service)(8)
Requests (Req)
Total number of requests received on this service or virtual server. (This applies to HTTP/SSL services and servers.)
Responses (Rsp)
Number of responses received on this service or virtual server. (This applies to HTTP/SSL services and servers.)
Request bytes (Reqb)
Total number of request bytes received on this service or virtual server.
Response bytes (Rspb)
Number of response bytes received by this service or virtual server.
rename vpn vserver¶
Renames a Citrix Gateway virtual server.
Synopsis¶
rename vpn vserver <name>@ <newName>@
Arguments¶
name
Name of the Citrix Gateway virtual server.
newName
New name for the Citrix Gateway virtual server. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my server" or 'my server').
Example¶
rename vpn vserver vpn1 vpn1new
check vpn vserver¶
Invokes the Cerebro executable for connectivity checks for the servers bound to a VPN virtual server.
Synopsis¶
check vpn vserver <name>
Arguments¶
name
Name of the Citrix Gateway virtual server.
Output¶
response
Example¶
check vpn vserver <vserver name>