Clientless Failover Functionality - Citrix Access Gateway and Advanced Access Control
Citrix states in their article: CTX109917
Document ID: CTX109917, Created on: May 9, 2006, Updated: May 9, 2006
Products: Advanced Access Control 4.2, Citrix Access Gateway 4.2
Summary
Access Gateway with Advanced Access Control does not support clientless failover for Web-based methods of access; however, in standalone mode, double-clicking the Access Gateway icon launches the VPN client, which is able to detect a downed gateway and fail over to the next one in the list. In the Advanced Access Control mode of operation, the icon is merely a shortcut to Internet Explorer. In this case, the VPN client is not initially launched and there’s no method to detect a downed gateway until a user has authenticated through the Web browser.
In usage, be aware that the Access Gateway icon (installed on the end user’s desktop) is used to initiate access to the appliance regardless of whether it’s configured for standalone or Advanced Access Control mode of operation.
Although the same icon is used, different behavior occurs depending on how the Access Gateway appliance is configured.
Although the Access Gateway VPN client supports client-side failover, Web-based access (in the Advanced Access Control mode of operation) does not support clientless failover. Access Gateway use-cases that require Web-based access (authentication against a logon point, access to the NavUI, for example) need to incorporate an external hardware load balancer, such as Citrix NetScaler, to offer client-side failover capabilities.
Note that the VPN client failover functionality is still supported in the Access Gateway’s Advanced Access Control mode of operation in the same manner as a standalone Access Gateway appliance; however, failover occurs only after an end-user has authenticated to the appliance through Internet Explorer.
Configuring Access Gateway Failover
The Access Gateway can be configured to fail over to multiple Access Gateway appliances. Because Access Gateway failover is active/active, you can use each Access Gateway as a primary gateway for a different set of users. During the initial connection from the Secure Access Client, the Access Gateway provides the failover list to the client. If the client loses the connection to the primary Access Gateway, it iterates through the list of failover appliances. If the primary Access Gateway fails, the connection waits for 20 seconds and then goes to the failover list to make the connection. The client performs a DNS lookup for the first failover appliance and tries to connect. If the first failover Access Gateway is not available, the client tries the next failover appliance. When the client successfully connects to a failover Access Gateway, the client is prompted to log on.
To specify Access Gateway failover
1. Click the Access Gateway Cluster tab and then click the Failover Servers tab.
2. In Failover Server 1, Failover Server 2, and/or Failover Server 3, type the external IP address or the fully qualified domain name (FQDN) of the Access Gateway(s) to be used for failover operation. The Access Gateways are used for failover in the order listed.
3. In Port, type the port number. The default is 443.
4. Click Submit.
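The following is an added example, not Citrix code: a pre-deployment check that walks a failover list in the configured order (DNS lookup, then a TCP connect on the port) and reports which entry a client would land on. The host names, the documentation-range addresses and the function names are assumptions; the probe is a plain TCP connect and does not model the 20-second wait or the logon prompt.

```python
import socket

DEFAULT_PORT = 443  # default in the Port field, per the article
MAX_FAILOVER = 3    # Failover Server 1, 2 and 3

def dns_resolve(host, port):
    """Real DNS lookup; returns the host's IP addresses."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def tcp_connect(ip, port, timeout):
    """Real TCP probe; raises OSError if the port does not accept."""
    socket.create_connection((ip, port), timeout=timeout).close()

def check_failover_list(servers, port=DEFAULT_PORT, timeout=5.0,
                        resolve=dns_resolve, connect=tcp_connect):
    """Probe every entry in configured order; return (selected, report)."""
    if not 1 <= len(servers) <= MAX_FAILOVER:
        raise ValueError("expected 1 to 3 failover servers")
    selected, report = None, []
    for host in servers:
        try:
            addresses = resolve(host, port)
        except OSError:  # socket.gaierror is an OSError subclass
            report.append((host, "dns-failure"))
            continue
        status = "unreachable"
        for ip in addresses:
            try:
                connect(ip, port, timeout)
            except OSError:
                continue
            status = "reachable"
            break
        report.append((host, status))
        if status == "reachable" and selected is None:
            selected = host  # first usable entry is where the client lands
    return selected, report

# Constructed sample data (documentation-range addresses, not real hosts).
SAMPLE_DNS = {"ag2.example.com": ["192.0.2.20"], "ag3.example.com": ["192.0.2.30"]}
SAMPLE_UP = {"192.0.2.30"}

def sample_resolve(host, port):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("constructed: name does not resolve")
    return SAMPLE_DNS[host]

def sample_connect(ip, port, timeout):
    if ip not in SAMPLE_UP:
        raise ConnectionRefusedError(ip)
```

Called without the `resolve` and `connect` arguments, `check_failover_list` probes the real network; every entry is checked even after the first usable one, so stale entries further down the list show up in the report.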
Configuring Internal Failover
Internal failover enables the Secure Access Client to connect to the Access Gateway from inside the firewall. When internal failover is configured, the client will fail over to the internal IP address of the Access Gateway if the external IP address cannot be reached.
To enable internal failover
1. Click the Global Cluster Policies tab.
2. Under Advanced Options, select Enable Internal Failover.