NetScaler Gateway VPN clients and supported features

Important:

  • Citrix SSO for iOS/Android is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.

  • The legacy VPN client was built using Apple’s private VPN APIs, which are now deprecated. VPN support in the Citrix Secure Access client for macOS/iOS has been rewritten using Apple’s public Network Extension framework. NetScaler Gateway plug-in and VPN for iOS and macOS are no longer supported. Citrix Secure Access for iOS/macOS is the recommended VPN client.

  • General availability of nFactor authentication support for Android devices is expected in one of the upcoming releases.

The following table lists some of the commonly used features supported for each VPN client.

| Feature | Citrix Secure Access for Windows | Citrix Secure Access for Linux | Citrix Secure Access for macOS | Citrix Secure Access for iOS | Citrix Secure Access for Android |
|---|---|---|---|---|---|
| Always On (user mode) | Yes (11.1 and later) | No | No | No | Yes (via MDM) Android 7.0+ |
| PAC file | Yes (12.0 and later) | No | Yes | Yes | No |
| Client proxy support | Yes | Yes | No | No | Yes. See note 1 |
| Max limit of Intranet Applications | 512 | 128 | No limit | No limit | No limit |
| Intranet IP (IIP) support | Yes | Yes | Yes | Yes | Yes |
| Split tunnel ON | Yes | Yes | Yes | Yes | Yes |
| Split tunnel reverse | Yes | Yes | Yes | Yes | Yes. See note 5 |
| Split DNS REMOTE | No | Yes | Yes | Yes | Yes. See note 6 |
| Split DNS BOTH | Yes | No | Yes | Yes | Yes. See note 6 |
| FQDN based split tunnel | Yes-Only ON (13.0 and later) | No | Yes | Yes | Yes. See note 5 |
| Client idle timeout | Yes | Yes | Yes | No | No |
| Endpoint analysis | Yes | Yes | Yes | No | No |
| Device certificate (classic) | Yes | No | Yes | No | No |
| nFactor authentication | Yes (12.1 and later) | No | Yes | Yes | Yes. See note 3 |
| EPA (nFactor) | Yes (12.1 and later) | No | Yes | No | No |
| Device certificate (nFactor) | Yes (12.1 and later) | No | Yes | No | No |
| Push notification | Yes (12.1 and later) | No | No | Yes | Yes |
| OTP token autofill support. See note 2 | No | No | No | Yes | Yes |
| TLS 1.3 support | Yes | Yes | Yes | Yes (Disabled, by default. Available on request.) | Yes (Disabled, by default. Available on request.) |
| DTLS support. See note 4 | Yes (13.0 and later) | No | Yes | Yes | No |
| HTTPOnly cookies | Yes | Yes | Yes | Yes | Yes |
| Global server load balancing (GSLB) | Yes | Yes | Yes | Yes | Yes |
| Local LAN access | Yes | No | Always enabled | Always enabled | No |

Note:

  1. Setting a proxy in the client configuration on the VPN virtual server in the gateway configuration for Android 10 and later is supported. Only basic HTTP proxy configuration with IP address and port is supported.
  2. Only QR code-scanned tokens are eligible for auto filling. Auto filling is not supported in the nFactor authentication flow.
  3. nFactor authentication support for Android devices is under preview, and the feature is disabled by default. Contact NetScaler support to enable this feature. Customers must provide their NetScaler Gateway’s FQDN to the support team to enable nFactor authentication for Android devices.
  4. For details, see Configure DTLS VPN virtual server using SSL VPN virtual server.
  5. FQDN based split tunnel support and reverse split tunnel for Android devices are under preview, and the features are disabled by default. Contact NetScaler support to enable them. Customers must provide their NetScaler Gateway’s FQDN to the support team to enable them for Android devices.
  6. For Split DNS BOTH mode, DNS suffixes must be configured on the gateway, and only DNS A record queries ending in those suffixes are sent to the gateway. The rest of the queries are resolved locally. Citrix Secure Access for Android also supports Split DNS LOCAL mode.

Reference

End-user help documentation
