Set up Citrix Gateway for using micro VPN with Microsoft Endpoint Manager
Citrix micro VPN integration with Microsoft Endpoint Management enables your apps to access on-premises resources. For details see,Citrix micro VPN integration with Microsoft Endpoint Manager.
System requirements
- Citrix Gateway versions
- 13.1
- 13.0
- 12.1.50.x or later
- 12.0.59.x or later
You can download the latest version of Citrix Gateway from the Citrix Gateway download page.
A Windows desktop running Windows 7 or later (for Android app wrapping only)
- Microsoft
- Azure AD access (with Tenant Admin privileges)
- Intune-enabled tenant
- Firewall rules
- Enable a firewall rule to SSL traffic from a Citrix Gateway subnet IP to
*.manage.microsoft.com,https://login.microsoftonline.com, andhttps://graph.windows.net(port 443) - Citrix Gateway must be able to externally resolve the preceding URLs.
- Enable a firewall rule to SSL traffic from a Citrix Gateway subnet IP to
Prerequisites
Intune environment:If you don’t have an Intune environment, set up one. For instructions see theMicrosoft documentation.
Edge Browser App:The Micro VPN SDK is integrated within the Microsoft Edge app and Intune Managed Browser app for iOS and Android. For more information about the Managed Browser, see the MicrosoftManaged Browser page.
Grant Azure Active Directory (AAD) application permissions
Consent to Citrix multitenant AAD application to allow Citrix Gateway to authenticate with the AAD domain. The Azure Global Administrator must visit the following URL and consent:
Consent to Citrix multitenant AAD application to allow mobile applications to authenticate with the Citrix Gateway micro VPN. This link is only required if the Azure Global Admin has changed the default value for Users can register applications from Yes to No. This setting can be found in the Azure portal underAzure Active Directory > Users > User Settings.The Azure global administrator must visit the following URL and consent (add your Tenant ID)https://login.microsoftonline.com/[tenant_id]/adminconsent?client_id=9215b80e-186b-43a1-8aed-9902264a5af7.
配置Citrix Gateway for micro VPN
使用微VPN Intune,您必须配置Citrix Gateway to authenticate to Azure AD. An existing Citrix Gateway virtual server does not work for this use case. First, configure Azure AD to sync with the on-premises Active Directory. This step is necessary to ensure that authentication between Intune and Citrix Gateway occurs properly.
Download script:The .zip file includes a readme with instructions for implementing the script. You need to manually enter the information the scripts require and run the script on the Citrix Gateway to configure the service. You can download the script file from theCitrix Downloads page.
Important:After you have completed the Citrix Gateway configuration, and if you see the OAuth Status other than COMPLETE, see the Troubleshooting section.
Configuring Microsoft Edge Browser
- Sign in tohttps://endpoint.microsoft.com/and then navigate toIntune > Mobile apps.
- Publish the Edge App as you normally do and then add an app configuration policy.
- UnderManage, clickApp configuration policies.
- ClickAddand then enter a name for the policy you want to create. InDevice enrollment type, selectManaged apps.
- ClickAssociated App.
- Select the apps to which you want to apply the policy (Microsoft Edge or Intune managed browser) and then clickOK.
- ClickConfiguration Settings.
- In theNamefield, enter the name of one of the policies listed in the following table.
- In theValuefield, enter the value you want to apply for that policy. Click off the field to add the policy to the list. You can add multiple policies.
- ClickOKand then clickAdd.
The policy is added to your list of policies.
| Name (iOS/Android) | Value | Description |
|---|---|---|
| MvpnGatewayAddress | https://external.companyname.com |
External URL of your Citrix Gateway |
| MvpnNetworkAccess | MvpnNetworkAccessTunneledWebSSOor Unrestricted | MvpnNetworkAccessTunneledWebSSO is the default for tunneling |
| MvpnExcludeDomains | Comma-separated list of domain name to be excluded | Optional. Default=blank |
Note:Web SSO is the name for Secure Browse in the settings. The behavior is the same.
MvpnNetworkAccess- MvpnNetworkAccessTunneledWebSSO enables HTTP/HTTPS redirection through the Citrix Gateway, also known as Tunneled-Web SSO. The gateway responds to HTTP authentication challenges inline, providing a single-sign-on (SSO) experience. To use Web SSO, set this policy toMvpnNetworkAccessTunneledWebSSO.Full tunnel redirection is not supported currently. UseUnrestrictedto leave micro VPN tunneling off.
MvpnExcludeDomains- Comma-separated list of host or domain names to be excluded from being routed through the Citrix Gateway reverse web proxy. The host or domain names are excluded even though the Citrix Gateway configured split DNS settings might otherwise select the domain or host.
Note:This policy is only enforced forMvpnNetworkAccessTunneledWebSSOconnections. If
MvpnNetworkAccessisUnrestricted, this policy is ignored.
Troubleshooting
General issues
| Issue | Resolution |
|---|---|
| The “Add Policy Required” message appears when you open an app | Add policies in the Microsoft Graph API |
| There are policy conflicts | Only a single policy per app is allowed |
| The “Failed to package app”message appears when wrapping an app. For the complete message, see the following table | The app is integrated with the Intune SDK. You do not need to wrap the app with the Intune |
| Your app can’t connect to internal resources | Ensure that the correct firewall ports are open, you correct tenant ID, and so on |
Failed to package app error message:
Failed to package app. com.microsoft.intune.mam.apppackager.utils.AppPackagerException: This app already has the MAM SDK integrated. com.microsoft.intune.mam.apppackager.AppPackager.packageApp(AppPackager.java:113) com.microsoft.intune.mam.apppackager.PackagerMain.mainInternal(PackagerMain.java:198) com.microsoft.intune.mam.apppackager.PackagerMain.main(PackagerMain.java:56) The application cannot be wrapped.
Citrix Gateway issues
| Issue | Resolution |
|---|---|
| The permissions required to be configured for the gateway app on Azure are unavailable. | Check if a proper Intune license is available. Try using themanage.windowsazure.comportal to see if the permission can be added. Contact Microsoft support if the issue persists. |
Citrix Gateway cannot reachlogin.microsoftonline.comandgraph.windows.net. |
From NS Shell, check if you are able to reach the following Microsoft website: cURL -v -khttps://login.microsoftonline.com.然后,检查是否在Citrix DNS配置Gateway. Also check that the firewall settings are correct (in case DNS requests are firewalled). |
| An error appears in ns.log after you configure OAuthAction. | Check if Intune licensing is enabled and the Azure Gateway app has the proper permissions set. |
| Sh OAuthAction command does not show OAuth status as complete. | Check the DNS settings and configured permissions on the Azure Gateway App. |
| The Android or iOS device does not show the dual authentication prompt. | Check if the Dual Factor Device ID logonSchema is bound to the authentication virtual server. |
Citrix Gateway OAuth status and error condition
| Status | Error condition |
|---|---|
| AADFORGRAPH | Invalid secret, URL not resolved, connection timeout |
| MDMINFO | *manage.microsoft.comis down or unreachable |
| GRAPH | Graph endpoint is down unreachable |
| CERTFETCH | Cannot talk to “Token Endpoint:https://login.microsoftonline.combecause of a DNS error. To validate this configuration, go to shell and type cURLhttps://login.microsoftonline.com.This command must validate. |
Note:When the OAuth status is successful, the status is displayed as COMPLETE.