[NetScaler SSL VPN] Pre-Configure NetScaler Gateway VPN plugin


Pre-configure the Citrix NetScaler Gateway Plugin without having to connect to a gateway to download an initial configuration.


In a managed environment the idea is to ensure all built-in tooling is pre-configured to simply work.

By default the Citrix NetScaler Plugin requires a user to enter a URL to download its configuration which does not result in a good experience.

Unfortunately unlike Receiver and the VDA you cannot pass arguments to the AgeeSetup.exe or the MSI’s contained within it to point it to the correct gateway.

Instead the user is prompted to enter the URL themselves which in itself is likely to create support tickets through erroneous data being entered.

The solution is to add some registry keys to ensure the client is pre-configured to the correct state before a user launches the plugin.


Machine Registry Keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client]

In addition a config.js file needs to be generated to configure the plugin with the correct URL and username (note if you are using single sign on this may not be required)

# Script to pre-configure Citrix VPN Client
# Script Name: ConfigureCitrixVPN.ps1
# ============================================================================
# Change History:
# 1.0 - 04/10/2017 - Adil Dean
#		- Script created
# ============================================================================
# Known Bugs/Feature requests:
# - No validation of inputs
# ============================================================================
# Requirements:
# - Script needs to be run in User Context
# - PowerShell 3.0
# Usage Instructions:
# - Run script from command line:
# %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file ".\ConfigureCitrixVPN.ps1"
Set-StrictMode -Version 2.0

# ============================================================================
# Initialise variables/Parameters
# ============================================================================
# *** Parameters ***
$strConnectionName = "VPN Label"         # Label for VPN in agent
$strGatewayURL = "https://"   # URL to NetScaler VPN Gateway

# *** Variables ***
$strUserName = $env:USERNAME                                      # Gets username of logged on user
$strConfigFilePath = $env:LOCALAPPDATA + '\Citrix\AGEE\config.js' # Path to config file
$strConnectionString = $null                                      # Intialising Connection string

# ============================================================================
# Script Body
# ============================================================================
# Build connection string
$strConnectionString = "{`"auto open homepage`":null,`"connectingTo`":`"$strGatewayURL`",`"connections`":[{`"name`":`"$strConnectionName`",`"url`":`"$strGatewayURL`"}],`"debug logging`":null,`"language`":null,`"lastUserName`":`"$strUserName`"}"

# Backup current config
Copy-Item $strConfigFilePath "$strConfigFilePath.backup" -Force

# Install new config
Out-File -FilePath $strConfigFilePath -InputObject $strConnectionString -Encoding ascii

# Stop VPN Process; NOTE: This will process will restart itself with the new config
Stop-Process -Name nsload



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s