[NetScaler AlwaysON VPN GATEWAY] PROXY SETTINGS CLEARED WHEN VPN CONNECTS

Summary

Proxy settings are lost when connecting to Citrix AlwaysOn VPN Gateway

Issue

Recently I had the opportunity to install a proof-of-concept on the Citrix AlwaysOn VPN Gateway. An interesting design decision taken by Citrix is to blank the Proxy settings on the device when connected via AlwaysOn removing any corporate settings.

This poses an issue if your organisation relies on the proxy/pac/wpad file to define which resources a user can access, or access external websites.

Resolution

In order to get around this we can utilise some in-built functionality in the NetScaler, that is to call a script when a user connects to the VPN.

We can use this script to configure the device as we see fit.

Implementation

Configuration Script

The following is a quick script to configure the browser to settings I require. However you should customise as you see fit or capture the settings from a machine in the correct state.
In my case all i require is that the “Automatically detect settings” box is checked
image

The following key sets our Proxy settings to “Automatically Detect”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

You will notice it is a HEX encoded string, a good explanation on how to manipulate the key can be found here:
http://tips4sysadmins.blogspot.co.uk/2013/02/disable-via-registry-internet-explorer.html

Script 1: Check Automatically detect

The following script adds the above key

@echo off

REM # Script to change Internet Explorer proxy settings
REM # Copyright (C) 2017  Adil Dean
REM # http://www.configmonkey.co.uk
REM # Script Name: CitrixVPN_ProxySettings.bat
REM # Script Version: 1.0
REM #
REM # This program is free software: you can redistribute it and/or modify
REM # it under the terms of the GNU General Public License as published by
REM # the Free Software Foundation, either version 3 of the License, or
REM #(at your option) any later version.
REM #
REM # This program is distributed in the hope that it will be useful,
REM # but WITHOUT ANY WARRANTY; without even the implied warranty of
REM # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
REM # GNU General Public License for more details.
REM #
REM # You should have received a copy of the GNU General Public License
REM # along with this program.  If not, see .

REM # Batch Script ############################################################
REM #
REM # AUTHOR: Adil Dean
REM # 
REM # UPDATES:
REM # 04/10/2017 - Adil Dean
REM #	- Clean-up script for publishing
REM #
REM ###########################################################################
 
REM .SYNOPSIS
REM		Script to change Internet Explorer proxy settings
REM .Description
REM		Script to change Internet Explorer proxy settings
REM		to be used with Citrix NetScaler AlwaysOn VPN
REM	.Requirements
REM		n/a
REM .EXAMPLE
REM 	.\CitrixVPN_ProxySettings.bat
REM .Notes

@echo off

REM Close Internet Explorer if it is open
TASKKILL /im iexplore.exe /f >nul 2>&1

REM Set Proxy to Auto Detect
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /t REG_BINARY /d 460000004700000009000000000000000000000000000000040000002e000000687474703a2f2f777061642e6368702e756b2e636c6966666f72646368616e63652e636f6d2f777061642e646174000000000000000000000000000000000000000003000000020000000a2f0e4a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c0a8f20100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c0a87501000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f

Script 2: Set Config file

Another configuration would be to set the proxy server. These settings are from the following article:
https://community.spiceworks.com/topic/1627710-citrix-netscaler-autoconfiguration-proxy-settings-cleared-upon-ssl-vpn-logon

@echo off

REM # Script to change Internet Explorer proxy settings
REM # Copyright (C) 2017  Adil Dean
REM # http://www.configmonkey.co.uk
REM # Script Name: CitrixVPN_ProxySettings.bat
REM # Script Version: 1.0
REM #
REM # This program is free software: you can redistribute it and/or modify
REM # it under the terms of the GNU General Public License as published by
REM # the Free Software Foundation, either version 3 of the License, or
REM #(at your option) any later version.
REM #
REM # This program is distributed in the hope that it will be useful,
REM # but WITHOUT ANY WARRANTY; without even the implied warranty of
REM # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
REM # GNU General Public License for more details.
REM #
REM # You should have received a copy of the GNU General Public License
REM # along with this program.  If not, see .

REM # Batch Script ############################################################
REM #
REM # AUTHOR: Adil Dean
REM # 
REM # UPDATES:
REM # 04/10/2017 - Adil Dean
REM #	- Clean-up script for publishing
REM #
REM ###########################################################################
 
REM .SYNOPSIS
REM		Script to change Internet Explorer proxy settings
REM .Description
REM		Script to change Internet Explorer proxy settings
REM		to be used with Citrix NetScaler AlwaysOn VPN
REM	.Requirements
REM		n/a
REM .EXAMPLE
REM 	.\CitrixVPN_ProxySettings.bat
REM .Notes

@echo off

REM Close Internet Explorer if it is open
TASKKILL /im iexplore.exe /f >nul 2>&1

REM Set PAC file
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "http:/proxyurl.proxy.com/proxy.pac" /f

REM Configure proxy connection settings
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /t REG_BINARY /d 16000000050200000d0000000e0000000000000000000000000000000000000000000000000000

Option 3: GPUpdate

Script 3 would be to simply have a script that runs GPUpdate to pull down your settings, however this comes with a time-lag for the settings to apply depending on your environment.

@echo off

REM # Script to change Internet Explorer proxy settings
REM # Copyright (C) 2017  Adil Dean
REM # http://www.configmonkey.co.uk
REM # Script Name: CitrixVPN_ProxySettings.bat
REM # Script Version: 1.0
REM #
REM # This program is free software: you can redistribute it and/or modify
REM # it under the terms of the GNU General Public License as published by
REM # the Free Software Foundation, either version 3 of the License, or
REM #(at your option) any later version.
REM #
REM # This program is distributed in the hope that it will be useful,
REM # but WITHOUT ANY WARRANTY; without even the implied warranty of
REM # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
REM # GNU General Public License for more details.
REM #
REM # You should have received a copy of the GNU General Public License
REM # along with this program.  If not, see .

REM # Batch Script ############################################################
REM #
REM # AUTHOR: Adil Dean
REM # 
REM # UPDATES:
REM # 04/10/2017 - Adil Dean
REM #	- Clean-up script for publishing
REM #
REM ###########################################################################
 
REM .SYNOPSIS
REM		Script to change Internet Explorer proxy settings
REM .Description
REM		Script to change Internet Explorer proxy settings
REM		to be used with Citrix NetScaler AlwaysOn VPN
REM	.Requirements
REM		n/a
REM .EXAMPLE
REM 	.\CitrixVPN_ProxySettings.bat
REM .Notes

@echo off

REM Close Internet Explorer if it is open
TASKKILL /im iexplore.exe /f >nul 2>&1

REM Update Group Policy
GPUPDATE

Save the script somewhere accessibly by all the users whom will use the VPN software once connected. I would recommend somewhere like your domain controllers that is universally accessible rather than worrying about access rights.

Setup script on NetScaler

  1. Log onto NetScaler
  2. Click the Configuration tab
  3. Navigate to \Menu\NetScaler Gateway\Session
  4. Click the Session Profiles tab
  5. Check tick box next to your AlwaysOn profile
    image
  6. Click Edit
    image
  7. Click the Client Experience tab
    image
  8. Scroll to the bottom and click Advanced Settings
    image
  9. Click the General tab
  10. Check the box next to Login Script
  11. Enter the path for your script
  12. Click Ok
    image

Now when a user logs into the VPN on their client, the script will run at connection correcting the proxy settings.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s