Author: Carl Stalhood

Navigation

• Change Log
• Overview
• Prerequisites
• AAA Groups
• Session Policy/Profile
  • Create Session Profile
  • Create Session Policy
  • Bind Session Policy
• Citrix Gateway Plug-in (i.e. VPN Client)
  • Upgrade Gateway Plug-in on ADC
  • Install Gateway Plug-in on Clients
  • Citrix Gateway Plug-in Session Profile Settings
• Other VPN Objects
  • Authorization Policies
  • Intranet Applications
  • DNS Suffix
  • Bookmarks
  • VPN Client IP Pools (Intranet IPs)
• StoreFront in Gateway Clientless Access Portal
• Quarantine Group

💡 = Recently Updated

Change Log

• 2021 May 5 – Upgrade Gateway Plug-in on ADC
• 2021 Feb 5 – VPN Client – added SecureDNS info from 13.0-71.44 release notes
• 2021 Jan 9 – Bind Session Policy – added info from CTX289931 AAA group session policies are not applying based on priority
• 2019 Mar 6 – VPN Session Profile – added link to AlwaysOn service for Windows at Citrix Docs.
• 2018 Oct 6 – updated some screenshots for Gateway 12.1
  • Gateway Plug-in – 12.1 supports nFactor authentication
• 2018 Apr 3 – in the Create Session Profile section, added Clientless Access removal instructions from CTP Sam Jacobs at NetScaler Gateway Client Choices – hide/remove Virtual Apps and Desktops at Citrix Discussions
• 2018 Mar 18 – in the NetScaler Gateway Virtual Server section, added info from Julien Mooren NetScaler – Native OTP is breaking SSL VPN.
• 2018 Feb 8 – in Authorization Policies section, added info from CTX232237 NetScaler Unified Gateway Advanced Authorization Policy Support for UDP/ICMP/DNS Traffic

Overview

Here’s an overview of the Citrix Gateway connection process:

1. Users use SSL/TLS to connect to a Citrix Gateway Virtual Server (VIP).
2. Citrix Gateway prompts the user for authentication.
3. Once the user is authenticated, Citrix Gateway uses Session Policies/Profiles to determine what happens next.

Citrix Gateway supports six different connection methods:

• ICA Proxy to Citrix Virtual Apps and Desktops (CVAD) (aka XenApp/XenDesktop) and StoreFront – the client is built into Citrix Workspace app (aka Citrix Receiver)
• SSL VPN – requires installation of Citrix Gateway plug-in (VPN client)
• Clientless – browser only, no VPN client, uses rewrite
• Secure Browse – from MDX-wrapped mobile applications (Citrix Endpoint Management aka XenMobile), uses rewrite
• RDP Proxy – only RDP client is needed
• PCoIP Proxy – only VMware Horizon Client is needed

You can configure Citrix Gateway Session Policies/Profiles to only use one of the connection methods. Or Citrix Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the RfWebUI theme:

• The Clientless Access option opens a portal page that has icons from Citrix StoreFront (ICA Proxy), icons for RDP Proxy, icons for PCoIP Proxy, and links to websites.
  • The website links can be proxied through Citrix Gateway. Proxy methods include: clientless rewrite, SSL VPN, and traditional load balancing.
  • Citrix Gateway can optionally Single Sign-on to the websites.
•  The Virtual App and Desktop Access option only displays icons from Citrix StoreFront (ICA Proxy). For other types of icons, you’ll need Clientless Access.
• The Connect with Citrix Gateway Plug-in option launches the VPN tunnel. After the tunnel is established, a portal page is displayed. This can be the Clientless Access portal, or a user defined website URL (e.g. intranet).

Session Policies/Profiles have several settings that control the behavior seen after authentication:

• ICA Proxy – ON or OFF
  • If ON, then ICA Proxy is the only connection method allowed, overriding the other connection methods.
  • ICA Proxy does not launch the VPN client. It only needs Citrix Workspace app.
  • ICA Proxy shows the Webpage that’s configured in the Web Interface Address field of the Session Profile. This is typically the StoreFront Receiver for Web page, but technically it can be any internal website.
  • If OFF, that doesn’t mean ICA Proxy doesn’t work. You can still send ICA traffic to the Citrix Gateway Virtual Server, and the Citrix Gateway Virtual Server will still proxy it to internal VDAs.
  • Setting it to OFF allows the other connection methods to function. For example, Clientless Access can show both Citrix Gateway Bookmarks and StoreFront published apps. If VPN is launched, then the portal page shown to the user after the tunnel is established can contain the StoreFront published applications.
• Clientless Access – On, Off, Disabled
  • If On, then Clientless is the only connection method allowed, assuming ICA Proxy is not set to ON. After the user logs in, the user is presented with a portal page that contains a list of Gateway bookmarks and/or StoreFront published icons. The VPN Client is not launched.
  • The Home Page setting in the Session Profile allows you to display an internal website instead of displaying the Citrix Gateway Portal Page.
  • Bookmarks are configured at Citrix Gateway > Resources > Bookmarks. You can bind the Bookmarks (Urls) to the Citrix Gateway Virtual Server, or to AAA Groups.
  • Only Bookmarks configured for Clientless Access will work without a VPN. The internal websites are rewritten so they are proxied through Citrix Gateway. For example, if the internal website is http://intranet.corp.local, then Gateway rewrites them to https://gateway.corp.com/cvpn/http/internal.corp.local. This causes the web browser to send the HTTP Request to Citrix Gateway, which then forwards the HTTP Request to the internal web server. No VPN needed.
• Plug-in Type – Windows/MAC OS X
  • If both Clientless and ICA Proxy are set to Off, then the VPN Client will be downloaded and launched.
  • Once the VPN tunnel is established, the webpage configured in the Home Page setting is displayed. Or the Citrix Gateway Portal Page (Clientless Access) is displayed if no Home Page is configured. The Bookmarks in the Portal Page can link to internal websites that are only accessible through a VPN tunnel. Or Bookmarks can be configured for Clientless Access.
  • Additional Gateway objects control VPN behavior including: DNS Suffix, Intranet Applications, Intranet IPs, and Authorization Policies.
• Client Choices – checked or unchecked
  • If Client Choices is checked, then it displays a page containing up to three buttons allowing the user to choose between VPN, Clientless, or StoreFront. The Network Access with the Citrix Gateway Plug-in (VPN) button is always displayed. The Clientless Access button is displayed if Clientless Access is set to On or Off (not Disabled). The Virtual App and Desktop Access button is displayed if a Web Interface Address is configured.

Here are some characteristics of Session Policies:

• Citrix Gateway > Global Settings > Change Global Settings has the same settings as a Session Profile. However, all Session Policies/Profiles override the settings configured in Global Settings. That’s the whole point of the Override Global checkboxes in the Session Profiles.
  
• Session Policy Expression – If the Session Policy Expression is true, then the settings contained in the Session Profile are applied.
  • Action = Session Profile – The Session Profile is also sometimes called the Action. That’s because all Citrix ADC policies follow a standard structure – if the expression evaluates to True, then perform the Action. For Session Policies in particular, the policy Action = Session Profile.
  • EPA – The Session Policy Expression in Classic Syntax could include an Endpoint Analysis (EPA) expression.
• Default Syntax Expressions vs Classic Syntax Policy Expressions – Citrix ADC 12 and newer supports Default (Advanced) Syntax Expressions on Session Policies, in addition to the older Classic Syntax.
  • No syntax mixing – All Session Policies bound anywhere must be either Default or Classic. You cannot mix the two types.
  • EPA is Classic only – EPA Scans are only supported in Classic Expressions.
  • AD Group in Default Syntax – Default Syntax allows expressions for AD Group Membership like HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup"). This could eliminate AAA Groups in some circumstances.
• Policy Bind Points – Session Policies can be bound to three different bind points – Citrix Gateway Virtual Server, AAA Groups, and AAA User.
  • When bound to a Citrix Gateway Virtual Server, the Session policy/profile applies to all users that log into that Virtual Server.
  • When bound to a AAA Group, the Session policy/profile only applies to members of the AAA group (Active Directory group or local group)
  • When bound to a AAA User, the Session policy/profile only applies to the AAA user (Active Directory user or local user)
• Profile Conflicts – Multiple Session Policies/Profiles could apply to a single session. In this case, the Profile settings are merged. But if there’s a conflict (e.g. one Session Profile enables Clientless access, but another Session Profile disables Clientless access), then which one wins?
  • Priority number – When you bind a Session Policy to a bind point, you specify a priority number. This priority number usually defaults to 100.
    
  • Lowest priority number wins – The Session Policy binding that has the lowest priority number, wins. Session Policies bound with a priority of 80 will win over Session Policies bound with a priority of 100. Remember, for settings that don’t conflict, the two Profiles merge, but for settings that do conflict, the lower priority number policy/profile settings win.
  • Classic Policy Priority and multiple bind points – for Classic Session Policies the bind point location doesn’t matter. If you bind a Session Policy to a AAA Group with a priority of 100, and you also bind a Session Policy to the Citrix Gateway Virtual Server with a priority of 80, then the conflicting settings in the Session Policy bound to the Citrix Gateway Virtual Server will win because it has the lower priority number. You might think that AAA-bound policies always override Virtual Server-bound policies, but that is not the case.
  • Advanced Policy Priority and multiple AAA Groups – see CTX289931 AAA group session policies are not applying based on priority. The first created AAA Group overrides AAA Groups created later unless you specify the weight parameter when creating the AAA Group from the CLI.
• Global Settings vs Virtual Server Settings – When you bind a Session Policy to a Citrix Gateway Virtual Server, the settings in the Session Profile only apply to connections through that particular Citrix Gateway Virtual Server.
  • Settings in Citrix Gateway > Global Settings > Change Global Settings apply to every Gateway Virtual Server.
  • Settings in AAA Group > Policies > Session Policy/Profile apply to every Gateway Virtual Server.
  • If you want a particular Gateway Virtual Server to override AAA or Global, your only choice is to bind a Session Policy to the Gateway Virtual Server with a lower priority number than the AAA Bind Points.

AAA Groups are a critical component of Citrix Gateway VPN configuration:

• Group extraction – Make sure the LDAP Policy/Server is configured to extract to the user’s Active Directory Groups.
• Create AAA Groups on the Citrix ADC that match exactly (case sensitive) with the user’s Active Directory Group Name.
  • Default Syntax and AD Groups – An alternative to AAA Groups is to use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") Default Syntax expressions. However, Default Syntax does not support Endpoint Analysis. And Default Syntax only applies to Session Policies and Authorization Policies, so you might still need AAA Groups for Bookmarks, Intranet Applications, and Intranet IPs.
• You can bind policies and other Gateway objects to the AAA Group, and these bindings only affect that particular AAA Group. These bindings include:
  • Session Policies
  • Bookmarks
  • Intranet IPs (aka IP Pool)
  • Intranet Applications (for split tunnel)
  • Authorization Policies (what’s allowed across the VPN tunnel)
  • Note: these objects can also be bound to the Gateway Virtual Server, which means they apply to all users that connect to that Gateway Virtual Server.
• If the user belongs to multiple AAA Groups, then policies are applied as follows:
  • Session Policies – the settings are merged, unless there’s a conflict. If a conflict, then the policy with the lowest priority number wins.
  • Bookmarks, Intranet Applications, and Authorization Policies are merged.
  • Intranet IPs (IP Pool) are probably random allocation. It’s probably best to make sure a user only belongs to one AAA Group that assigns Intranet IPs.
• You can also create local AAA Groups that are unrelated to Active Directory groups. There are several ways of getting users into these local AAA groups:
  • Create local AAA Users and assign them to the AAA Group
  • Configure Session Policy/Profile with a Client Security Check String (EPA Scan). If the scan succeeds, users are placed into local Authorization AAA Groups. If the scan fails, then users are placed into a local Quarantine AAA Group, and removed from all other AAA Groups.
  • When users are authenticated with a particular authentication server, the authentication server can be configured to place users into a Default Authentication Group. This lets you apply different Session Policy/Profiles (and other Gateway objects) depending on how the user authenticated.

Citrix Gateway supports Client Security Expressions (Endpoint Analysis expressions) at four different locations:

• nFactor (Authentication Virtual Server) Advanced EPA Policy and EPA Action – this is the preferred method in ADC 13 and newer since Classic EPA is supposed to be removed in ADC 13.1 and newer. See nFactor EPA for details.
• Classic Preauthentication Policy Expression
  • If the EPA Scan succeeds, then the user is allowed to login.
  • If the EPA Scan fails, then the user is not allowed to login.
  • Preauthentication Policies are bound to Citrix Gateway Virtual Servers only, and thus applies to all users of that Virtual Server.
• Classic Session Policy Expression – Note: Advanced Session Policies do not support EPA expressions. Use nFactor instead.
  • This type of EPA Scan is configured in the Session Policy Expression, not the Session Profile.
  • If the EPA Scan succeeds, then the settings in the Session Profile are applied to the session.
  • If the EPA Scan fails, then the Session Profile is ignored. Other Session Policies expressions are still evaluated. Remember, Session Policy/Profiles merge, so all applicable Session Policies must be considered.
  • A limitation of this EPA method is that nothing negative happens. Instead, you typically design higher priority number (lower priority) Session Policies with restrictive settings so that if the EPA Scans fail, then users still get something. For example, you can configure your highest priority number Session Policy/Profile with StoreFront (ICA Proxy) only. In the lower priority number Session Policies/Profiles, VPN might be enabled, but only if the EPA scan succeeds. More restrictive Session Profiles usually uncheck Client Choices, and enable Clientless Access or ICA Proxy.
  • This method of EPA Scans is used in SmartAccess and SmartControl configurations.
  • EPA expressions are not supported in Default Syntax, so you’ll need to use Classic Syntax instead.
• Session Profile > Security tab > Advanced Settings > Client Security Check String
  • If the EPA Scan succeeds, add the user to the listed Authorization AAA Groups.
  • If the EPA Scan fails, add the user to the selected Quarantine Group, and remove the user from all other AAA Groups.
  • If Quarantine Group is not defined, then prevent SSL VPN. Other methods of connecting (Clientless, StoreFront), still work.
• Assigning EPA scans to Session Policies and Session Profiles is also known as Post-Authentication EPA Scans.
• If Endpoint Analysis is configured anywhere, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.

Prerequisites

Gateway Universal Licenses

Except for ICA Proxy, all Citrix Gateway connection methods require a Citrix Gateway Universal License for each concurrent session. Go to System > Licenses.

On the right, make sure Maximum Citrix Gateway User licenses are installed. Most Citrix ADC Editions come with built-in licenses. For example, Citrix ADC Premium Edition comes with Unlimited Gateway licenses.

DNS Name Servers

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

In ADC 13.0 build 71.44 and newer, VPN plug-in for Windows supports Secure DNS update. This feature is disabled by default. To enable it, create the following on the client device: (source = 13.0-71.44 release notes) 💡

• HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD and set it to 1.
  • When you set the value to 1, the VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in tries the secure DNS update.
  • To try only the secure DNS update, you can set the value to 2.

AAA Groups

1. Edit your LDAP Policy/Server, and make sure Group Extraction is configured. Configure the Group Attribute and the Sub Attribute Name. This causes Citrix ADC to extract the user’s AD groups when the user logs in using LDAP.
   
2. Go to Citrix Gateway > User Administration > AAA Groups.
   
3. On the right, click Add.
   
4. Enter a case sensitive group name that matches the group name in Active Directory. Click OK.
   
5. On the right, in the Advanced Settings column, you can see the types of objects that can be bound to AAA Groups. These objects are detailed later in this post.
   

Create Session Profile

To enable SSL VPN: first create the Session Profile. Then create a Session Policy.

You can create multiple Session Policies/Profiles with different settings. Then you can bind these Session Policies to AAA groups and/or Citrix Gateway Virtual Servers. The Session Profiles are merged, and if conflicts, lower priority bind points win.

To enable SSL VPN in a Session Profile:

1. On the left, expand Citrix Gateway, expand Policies, and click Session.
   
2. On the right, switch to the Session Profiles tab, and click Add.
   
3. Name the profile VPN or similar.
   
4. In Session Profiles, every field has an Override Global checkbox to the right of it. If you check this box next to a particular field, then you can configure that field, and the field in this session profile will override settings configured globally (Citrix Gateway > Global Settings > Change Global Settings), or in a lower priority (higher priority number) session policy.
   

Network Configuration tab

1. In the Session Profile, switch to the Network Configuration tab.
2. You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything, then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.
   

Client Experience Tab

1. In the Session Profile, switch to the Client Experience tab. This tab contains most of the Citrix Gateway VPN settings.
   
2. Override Plug-in Type, and set it to Windows/Mac OS X.
   
3. On the Client Experience tab, override Split Tunnel and make your choice. Setting it to OFF will force all traffic to use the tunnel. Setting it to ON will require you to create Intranet Applications so the Citrix Gateway Plug-in will know which traffic goes through the tunnel, and which traffic goes directly out the client NIC (e.g. to the Internet). REVERSE means all traffic goes through the tunnel except for the addresses defined in Intranet Applications.
   
4. On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers, so you might want to configure this Session Profile to override the defaults and increase the timeouts. See Configuring Time-Out Settings at Citrix Docs for details.
   1. Client Idle Time-out is a Citrix Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine.
   2. Session Time-out is a Citrix Gateway timer that disconnects the session if there is no network activity for this duration.
      
   3. In addition to these two timers, on the Network Configuration tab, under Advanced Settings…
      
   4. There’s a Forced Timeout setting.
      
5. By default, once the VPN tunnel is established, a portal page appears containing Gateway Bookmarks, and StoreFront published icons. An example of the portal page in the RfWebUI theme is shown below:
   
   1. The X1 theme is shown below:
      
6. On the Client Experience tab, the Home Page field lets you override the the default portal page, and instead display a different webpage (e.g. Intranet). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
   
7. Citrix Gateway can automatically start the VPN tunnel whenever the user is remote. This method only starts the VPN Tunnel after the user is logged into Windows.
   1. On the Client Experience tab, click the plus icon next to AlwaysON Profile Name.
      
   2. Give the profile name. Hover over the question marks to see what each of them does.
   3. Then click Create.
   4. More info at AlwaysON at Citrix Docs.
      
8. Citrix Gateway 12.1 build 51 and newer also support the VPN Client establishing a tunnel before the user logs into Windows. The pre-logon AlwaysOn Service feature requires certificate-based authentication and registry keys on the client device. See AlwaysOn service for Windows at Citrix Docs. 💡
   
9. Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
   
10. Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do.
11. Note: if Split Tunnel is OFF, and if Split DNS is set to REMOTE, Citrix Gateway only returns one IP address to DNS queries. This behavior can be changed by following Citrix CTX200243 DNS Query Responds with Only One IP to Client PC When Connected Through NetScaler Gateway Full VPN.
    
12. Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, one of the connection methods will occur automatically, depending on what’s enabled.
    
13. An example of Client Choices is shown below:
    
    • On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Off to add Clientless to the list of available connection methods in the Client Choices screen.
      
    • Clientless Access is difficult to remove from the Client Choices page since you need Clientless Access for StoreFront integration. The following removal instructions were confirmed on a custom Portal Theme based on RfWebUI:
      1. WinSCP to the Citrix ADC.
      2. Navigate to /var/netscaler/logon/themes/<yourThemeName>/css.
      3. Edit the file theme.css.
         
      4. At the bottom of the file, add the following code: (source = CTP Sam Jacobs at NetScaler Gateway Client Choices – hide/remove Virtual Apps and Desktops at Citrix Discussions.

         div.box:nth-child(2) {
          display:none;
         }

      5. When you refresh the Client Choices page, the Clientless box should be hidden.
         
14. The Client Experience > Advanced Settings section has additional tabs. A commonly configured tab is Proxy, which allows you to enable a proxy server for VPN users.
    

Security Tab

1. Back in the main Session Profile, switch to the Security tab.
   
2. Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.
   

Published Applications Tab

1. On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
   
2. Configure the Web Interface Address to embed StoreFront into the default Clientless Access portal page.
   • Note: for X1 theme, additional iFrame configuration is required on the StoreFront side as detailed below. RfWebUI theme does not need any StoreFront changes.
   • From Michael Krasnove: if you configured the Session Policy to direct users to StoreFront, but aren’t using RfWebUI, then placing the following code in c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js will cause StoreFront to end the VPN tunnel when the user logs off of StoreFront.

     var LOGOFF_REDIRECT_URL = 'https://YourGatewayFQDN.com/cgi/logout';
      
     // Prevent the default "logoff" screen from being displayed
     CTXS.Controllers.LogoffController.prototype._handleLogoffResult = $.noop;
      
     CTXS.Extensions.afterWebLogoffComplete = function () {
      window.location.href = LOGOFF_REDIRECT_URL;
     };

3. See the ICA Proxy post for more information on integrating StoreFront with Citrix Gateway.

Other Tabs

1. The Remote Desktop tab is detailed in the RDP Proxy post.
   
2. The PCoIP tab is detailed in the PCoIP Proxy post.
   
3. Click Create when you’re done creating the Session Profile.
   

Create Session Policy

Once the Session Profile is created, you need a Session Policy linked to it. The Session Policy contains an expression, where if true, then the Session Profile is applied.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to Citrix Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg –d current –g pol_hits to see which Session Policies are applying to a particular connection. See CTX214588 Understanding Session Policy Priority on Different Bind Points.

You can also include Endpoint Analysis expressions in a Session Policy, so that the Session Policy only applies to machines that pass the Endpoint Analysis scan. However, EPA Scans are only supported with Classic Syntax policy expressions, and not with Default Syntax.

To create a Session Policy that is linked to a Session Profile:

1. On the left, go to Citrix Gateway > Policies > Session.
   
2. In the right pane, switch to the Session Policies tab, and click Add.
   
3. Give the policy a descriptive name.
4. Change the Profile drop-down to the VPN Profile you just created.
   
5. The Expression box has an option for switching to Default Syntax.
   
   1. If Default Syntax, enter true in the Expression box so it always evaluates to true. If Classic Syntax, it would be ns_true instead of true.
   2. If Default Syntax, you can enter HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") to restrict the Session Profile to members of a specific AD group. In Classic Syntax, this isn’t possible in an expression, and instead you must assign the Session Policy to a AAA Group.
6. If Classic Syntax, you can add Endpoint Analysis scans to the Expression box. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped, and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds, but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
   1. To add an Endpoint Analysis scan, use one of the Editor links on the right.
      
   2. Configure OPSWAT scans in the OPSWAT EPA Editor.
      
   3. Configure Client Security Expressions in the Expression Editor.
      
   4. You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !).
7. Click Create when done.
   

Bind Session Policy

Most of the Citrix Gateway configuration objects can be bound to a Citrix Gateway Virtual Server, AAA Groups, or both. This section details binding of Session Policies, but the other Citrix Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

• Objects bound directly to the Citrix Gateway Virtual Server are evaluated for every user of that Gateway Virtual Server.
• Objects bound to a AAA Group are only evaluated for members of that AAA Group.
  • Polices bound to AAA Groups usually have lower priority numbers than policies bound to Gateway Virtual Servers, so the AAA binding can override the Gateway binding.
  • However, objects/policies bound to a AAA Group are applied to every Gateway Virtual Server on the same appliance. To override AAA bindings at a specific Gateway, you can bind lower priority number policies to the Gateway Virtual Server.

Bind the new Session Policy to a Citrix Gateway Virtual Server, or a AAA group.

To bind to a Citrix Gateway Virtual Server

1. Edit a Citrix Gateway Virtual Server (or create a new one).
   
2. To make sure ICA Only is unchecked:
   1. Click the pencil icon for the Basic Settings section.
      
   2. Click More.
      
   3. Make sure ICA Only is unchecked, and click OK to close the Basic Settings section.
   4. Note: with this box unchecked, Gateway Universal licenses are now required for all users connecting through this Gateway Virtual Server.
      
3. While editing the Gateway Virtual Server, consider changing the Portal Theme to RfWebUI. This changes the default portal page to look identical to StoreFront.
   
4. Scroll down to the Policies section, and click the Plus icon.
   
5. In the Choose Type page, ensure the Choose Policy drop-down is set to Session.
6. Ensure the Choose Type drop-down is set to Request, and click Continue.
   
7. Click where it says Click to select.
   
   1. If you already have Session Policies bound to this Gateway Virtual Server, then you might have to click Add Binding first.
      
8. Click the radio button next to the previously created Session Policy, and click Select.
9. Note: you cannot mix Classic Syntax Policies and Default Syntax Policies.
   
10. In the Priority field, adjust the priority number. If you want this Session Policy to override other Session Policies, then set the priority number to a low value. See CTX214588 Understanding Session Policy Priority on Different Bind Points.
11. Click Bind.
    
12. If you already have Session Policies bound to the Gateway Virtual Server, then the list of Policies is displayed. If you don’t see this list, on the left, in the Policies section, click the line that says Session Policies.
    
13. From this list, you can right-click the policies to Edit Binding (priority number), or Edit Profile.
    
14. If your Citrix Gateway Virtual Server is configured with a Traffic Policy for Native OTP (One Time Passwords), change the Traffic Policy expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.

    http.req.method.eq(post)||http.req.method.eq(get) && false

Bind to AAA Group

1. To bind to a AAA Group, go to Citrix Gateway > User Administration > AAA Groups.
   
2. On the right, add a AAA group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction (Group Attribute, and Sub Attribute).
   
3. Edit the AAA Group.
   
4. On the right, in the Advanced Settings column, add the Policies section.
   
5. Click the plus icon to bind one or more Session Policies.
6. If you want these Session Policies to override the Session Policies bound to the Citrix Gateway Virtual Server, then make sure the Session Policies bound to the AAA Group have lower priority numbers. See CTX214588 Understanding Session Policy Priority on Different Bind Points.
   
   
   
7. If a user belongs to multiple groups, then for Advanced Session Policies, see CTX289931 AAA group session policies are not applying based on priority. Classic Policies in multiple AAA Groups are lumped together and evaluated based on bind point priority number. Advanced Policies are no longer lumped together and instead each AAA Group is evaluated separately. The first AAA Group created has higher priority than later created AAA Groups unless you specify the weight when creating the AAA Group from the CLI. 💡
   

Citrix Gateway Plug-in

Upgrade Citrix Gateway Plug-in

Citrix ADC pushes the Gateway Plug-in (aka VPN client) to client machines. In newer builds of Citrix ADC 13.0, you can upgrade the VPN plugin on the ADC without upgrading the ADC firmware.

1. Download the latest plugin .tgz file from https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-gateway-windows-plug-in-clients.html.
   
2. In Citrix ADC, on the left click the Citrix Gateway node. On the right, click Upgrade EPA Libraries or EPA/VPN plugins.
   
3. This page shows you the versions of the currently installed plugins.
4. Click Choose File and select the win_vpn.tgz file. Click Upgrade.
   
5. Click OK when prompted that the upgrade completed successfully.
   
6. Go back to the Upgrade plug-in or EPA Libraries page to see the new versions.
   

Citrix Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time. This assumes the user is an administrator of the local machine.

1. Wait for 10 seconds for the webpage to not detect Gateway Plug-in, and then click the Download button.
   
2. Run the downloaded AGEE_setup.exe.
   
3. In the Please read the Citrix Gateway Plug-in License Agreement page, click Install.
   
4. In the Complete the Citrix Gateway Plug-in Setup Wizard page, click Finish.
   
5. Click Yes to restart your system.
   
6. In ADC 13.0 build 71.44 and newer, VPN plug-in for Windows supports Secure DNS update. This feature is disabled by default. To enable it, create the following on the client device: (source = 13.0-71.44 release notes) 💡
   • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD and set it to 1.
     • When you set the value to 1, the VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in tries the secure DNS update.
     • To try only the secure DNS update, you can set the value to 2.

Only administrators can install the Citrix Gateway Plug-in. You can download the Gateway plug-in from the NetScaler appliance at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from Citrix.com. The VPN client version must match the Citrix ADC firmware version.

To deploy the Gateway Plug-in using Group Policy, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy.

While a VPN tunnel is established, you can open the Gateway Plug-in to see status. If the Gateway Plug-in is merged with Workspace app, right-click Workspace app, click Advanced Preferences, click Citrix Gateway Settings, and click Open.

Or, if the Gateway Plug-in icon is separated from Workspace app, then right-click the Gateway Plug-in icon, and click Open.

The hamburger menu on the left lets you see more info about the VPN tunnel.

If the Gateway VPN session isn’t established, you can open the Gateway plug-in, and login. No browser needed.

• Gateway Plug-in 12.1 build 49 with Citrix ADC 12 build 49 support nFactor authentication (e.g. Native OTP) in the Gateway Plug-in. Older versions do not support nFactor.  💡
  

The Configuration page lets you enable Logging. Then the Logging page lets you collect the logs. See Citrix CTX138155 How to Collect Client VPN Logs for NetScaler Gateway.

VPN Client (Citrix Gateway Plug-in) Session Profile Settings

Separate Icons for Workspace app and Gateway

1. By default, if Workspace app, and Citrix Gateway Plug-in, are installed on the same machine, then the icons are merged. To see the Citrix Gateway Plug-in Settings, you right-click Workspace app, open Advanced Preferences, and then click Citrix Gateway Settings. This makes it difficult to log off.
   
   
2. You can configure the Session Profile to prevent the Citrix Gateway Plug-in from merging with Workspace app. Edit your VPN Session Policy/Profile. On the Client Experience tab…
   
3. Scroll down, and check the box next to Advanced Settings.
   
4. At the bottom of the General tab, check the box next to Show VPN Plugin-in icon with Receiver.
   
5. This setting causes the two icons to be displayed separately thus making it easier to access the Citrix Gateway Plug-in settings, including Logoff.
   
   

Cleanup

1. When the user logs off of VPN, a Cleanup page is displayed. This can be enabled or disabled in a Session Profile on the Client Experience tab.
   
   
2. The cleanup options can be forced in a Session Profile on the Client Experience tab…
   
3. Under Advanced Settings > Client Cleanup.
   

VPN Client Upgrades

1. Whenever Citrix ADC firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can edit a Session Policy/Profile, and on the Client Experience tab…
   
2. Use the Upgrade drop-downs to disable the automatic upgrade.
   
3. The Plugin Upgrade settings are also configurable in the Gateway Virtual Server…
   
4. In the Basic Settings > More section.
   
   
   

Authorization Policies

If your Session Profile has Security tab > Default Authorization Action set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

1. On the left, under Citrix Gateway, expand Policies, and click Authorization.
   
2. On the right, click Add.
   
3. Name the Authorization Policy.
4. Select Allow or Deny.
5. For the Expression, Citrix Gateway supports both Classic Syntax and Default Syntax.
   • Default Syntax gives you much greater flexibility in matching the traffic that should be allowed or denied. Hit Control+Space on your keyboard to begin building a Default Syntax expression. You typically want to identify traffic based on Destination IP Address, Destination Port Number, HTTP Request URL, HTTP Host Header, etc. Common expressions include:
     • CLIENT.IP.DST.IN_SUBNET()
     • CLIENT.TCP.DSTPORT.EQ()
     • You can also use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") in your expressions.
   • CTX232237 NetScaler Unified Gateway Advanced Authorization Policy Support for UDP/ICMP/DNS Traffic explains new types of Authorization Policies in NetScaler 12.0 build 56 and newer.
     • CLIENT.UDP.DSTPORT.EQ(2080)
     • CLIENT.IP.PROTOCOL.EQ(ICMP)
     • CLIENT.UDP.DNS.DOMAIN.CONTAINS("citrix")
   • Note: you cannot mix both Classic Syntax and Default Syntax. You must unbind every Classic Syntax Authorization Policy before you can bind Default Syntax Authorization Policies.
6. Click Create when done.
   
7. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
   1. Or, you can use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") in your Default Syntax expressions.
8. Edit a AAA Group at Citrix Gateway > User Administration > AAA Groups.
   
9. On the right, in the Advanced Settings column, add the Authorization Policies section.
   
10. Then click where it says No Authorization Policy to bind policies.
    
    • CTX232237 NetScaler Unified Gateway Advanced Authorization Policy Support for UDP/ICMP/DNS Traffic explains new types of Authorization Policies in NetScaler 12.0 build 56 and newer.
      

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

1. On the left, under Citrix Gateway, expand Resources, and click Intranet Applications.
   
2. On the right, click Add.
   
   1. Enter a name for the Internal subnet.
   2. Change the Interception Mode to TRANSPARENT.
      
   3. Enter an IP subnet. Only packets destined for this network go across the tunnel.
      1. You typically specify a summary address for all internal subnets (e.g. 10.0.0.0/8).
      2. Alternatively, you can define minimal Intranet Application destinations as a security mechanism (assuming Split Tunnel is enabled), but Authorization Policies are more appropriate for that task.
3. Click Create.
   
4. Create additional Intranet applications for each internal subnet.
5. Intranet Applications are usually bound to the Gateway Virtual Server, but you can also bind them to AAA Groups.
6. On the right, in the Advanced Settings column, add the Intranet Applications section.
   
7. On the left, click No Intranet Application to bind Intranet Applications.
   

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names. Citrix Gateway adds these DNS suffixes to DNS queries across the VPN tunnel.

1. On the left, under Citrix Gateway, expand Resources, and click DNS Suffix.
   
2. On the right, click Add.
   
3. Enter the DNS Suffix, and click Create. You can add multiple suffixes.
   

Bookmarks

Bookmarks are the links that are displayed in the default portal interface. They can point to websites, or RDP addresses. PCoIP bookmarks come from VMware Horizon Connection Server. ICA bookmarks come from Citrix StoreFront.

1. Under Citrix Gateway, expand Resources, and click Bookmarks.
   
2. On the right, click Add.
   
   1. Give the bookmark a name, and display text.
   2. Enter a website or RDP address.
   3. Optionally browse to an Icon file.
   4. You typically need to check Use Citrix Gateway As a Reverse Proxy, especially for Clientless Access (rewrite without VPN) to an internal website.
   5. The other fields are for Single Sign-on through Unified Gateway.
3. Click Create.
   
4. Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to Citrix Gateway Virtual Servers.
5. If Citrix Gateway Virtual Server, add the Published Applications section to bind Bookmarks (Url).
   
6. For AAA Group, it’s the Bookmarks section.
   
7. On the left, find the Published Applications section, and click No Url to bind Bookmarks.
   

VPN Client IP Pools (Intranet IPs)

By default, Citrix Gateway VPN clients use Citrix ADC SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to Citrix Gateway must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic to VPN Client IPs should be routed through a Citrix ADC SNIP. Or the Citrix ADC can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots, or until the appliance runs out of IPs in the pool.

1. Edit a Citrix Gateway Virtual Server, or a AAA group.
2. On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
   
3. On the left, click where it says No Intranet IP.
   
4. Enter a subnet and netmask. Click Bind.
   
5. In a Session Profile, on the Network Configuration tab, check the box next to Advanced Settings.
   
6. Use the Intranet IP drop-down to configure the behavior when there are more VPN clients than available IPs in the address pool.
   
   1. If you set it to NOSPILLOVER, then users can only have one VPN session, as described in CTX218066 How to Limit One Session Per User on NetScaler Gateway?.
      
      
      
7. To see the Client IP address, on the client side, after the tunnel is established, right-click the Citrix Gateway Plug-in, and click Open.
   
8. See the Internal network address.
   
9. To see the client IP on the Citrix ADC, go to Citrix Gateway, and on the right is Active user sessions.
   
10. Select one of the views, and click Continue.
    
11. The right column contains the Intranet IP.
    

StoreFront in Gateway Clientless Access Portal

If you enabled the RfWebUI theme, then no StoreFront configuration is necessary.

But if you want to embed StoreFront in the other Gateway themes (X1, Default, Green Bubble), then follow these instructions.

1. On StoreFront, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
   1. On the bottom, there are three sections containing X-Frame-Options. Change all three of them from deny to allow.
   2. Also change frame-ancestors from none to self.
      
2. In Citrix ADC, go to Citrix Gateway > Global Settings, and click Configure Domains for Clientless Access.
   
3. Change the selection to Allow Domains, enter your StoreFront FQDN, and click the plus icon.
4. Click OK.
   
5. In a Session Policy/Profile:
   1. On the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
      
   2. On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
   3. Configure the Single Sign-on domain to match what’s configured in StoreFront.
      
   4. You might have to override the Web Interface Portal Mode.
      
6. The Applications page of the 3-page portal (e.g. X1 theme) should automatically show the StoreFront published icons.
   

Quarantine Group

Citrix Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group. You can bind session policies, authorization policies, etc. to this quarantine group. Policies bound to other AAA groups are ignored.

1. Go to Citrix Gateway > User Administration > AAA Groups.
   
   1. Add a new local group for your Quarantined Users. This group is local, and does not need to exist in Active Directory.
      
   2. Bind session policies, authorization policies, etc. to your quarantine AAA group. These policies typically allow limited access to the internal network so users can remediate. Or, it might simply display a webpage telling users how to become compliant.
      
   3. The Session Policy bound to the Quarantine Group is usually different than the Session Policies bound to other AAA groups. You can use the variation in Session Policy names for SmartAccess.
      1. One option is to configure the Delivery Groups > Access Policy so that icons are shown for Session Policies bound to non-quarantine AAA Groups, but not for the Session Policy that is bound to the Quarantine Group.
      2. Another option is to configure Citrix Policies > Access Control to disable functionality for the Quarantine Group Session Policy, but not for other AAA Group Session Policies.
2. Create or edit a Session Profile to include a Client Security Expression that checks for compliance.
   1. In the Session Profile, on the Security tab, check the box next to Advanced Settings.
      
   2. Scroll down, and check the box to the right of Client Security Check String.
   3. Use the Editor links to add an Endpoint Analysis expression.
      
   4. Just below the Client Security Check String, select the previously created Quarantine Group. If the Client Security Check String EPA Scan fails, then the failed users are added to the Quarantine Group and removed from all other AAA Groups.
      
3. Click Create when done creating or editing the Session Profile.
4. Create a Session Policy for the Session Profile that contains the Client Security Check String.
   1. Enter ns_true as the expression.
   2. Then click Create.
      
5. Edit your Gateway Virtual Server, and bind the Session Policy/Profile that has the Client Security Check String configured.
   
   
   
6. To troubleshoot Quarantine policies, use the command nsconmsg –d current –g pol_hits.
   
7. Citrix ADM Gateway Insight shows users that failed EPA scans, and their quarantine status.
   

Related Pages

• SmartAccess / SmartControl
• Back to Citrix Gateway

This article applies to Citrix Gateway 13.0, Citrix Gateway 12.1, and NetScaler Gateway 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.

Navigation

• Change Log
• RDP Proxy Overview
• Requirements
• Configuration
  • Enable RDP Proxy Feature
  • Create RDP Server Profile
  • Create RDP Proxy Profile
  • Create RDP Bookmarks
  • Edit a Session Profile
  • Edit Citrix Gateway Virtual Server
  • Configure DNS
• Use RDP Proxy
  • Personal Bookmarks

💡 = Recently Updated

Change Log

• 2021 Apr 16 – changed NetScaler Gateway to Citrix Gateway and updated screenshots accordingly.
• 2019 Sep 27 – Create Bookmarks – RemoteApp info from Citrix Discussions
• 2018 Nov 18 – updated screenshots for ADC 12.1
  • Added some configuration instructions for RDS Connection Broker servers.
• 2018 Mar 11 – in RDP Proxy Profile section, added RDP Cookie info from CTX233207 RDP Session Fail to Reconnect after NetScaler HA failover, Error “This computer can’t connect to the remote computer.”
• 2018 Jan 2 – in Session Profile section, added link to CTX220499 How to Configure Authorization Policies for RDP Proxy

RDP Proxy Overview

Citrix ADC supports RDP Proxy through Citrix Gateway. No VPN required. RDP can connect through Citrix Gateway on port 443.

There are several ways of launching RDP sessions through Citrix Gateway RDP Proxy:

• Bookmarks on the Clientless Access portal page.
  • Bookmarks can be defined by the administrator.
  • Or users can add their own RDP bookmarks.
• After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
• In the RfWebUI Portal Theme, the Bookmark link lets users enter an RDP address, and click Go.
  

Links:

• RDP Proxy at Citrix Docs
• Kenny Baldwin blog post RDP-Proxy on NetScaler!
• Citrix CTX200853 How to Configure RDP Profile on NetScaler Gateway
• Anton van Pelt NetScaler Gateway = RD Gateway
• NetScaler 12.1 RDP Connection Redirection at Citrix Discussions

Requirements

Here are some requirements for RDP Proxy:

• Citrix ADC Advanced Edition or Premium Edition.
  • Citrix Gateway Enterprise VPX is not sufficient. It must be a full ADC license.
• Citrix Gateway Universal Licenses for each user.
  • Most Citrix ADC Editions come with built-in Gateway Universal licenses: Citrix ADC Standard Edition = 500 licenses, Citrix ADC Advanced Edition = 1000 licenses, and Citrix ADC Premium Edition = unlimited licenses. See Feature Licensing in the Gateway Tweaks post.
• TCP 443 opened to the Citrix Gateway Virtual Server.
• TCP 3389 opened from the Citrix ADC SNIP to the RDP Servers.

Configuration

Enable RDP Proxy Feature

1. Go to System > Settings, and click Configure Advanced Features.
   
2. In the left column, near the bottom, check the box for RDP Proxy and click OK.
   

Create RDP Server Profile

You do not need a RDP Server Profile if the machines you want to RDP to are not members of any RDS Connection Broker Infrastructure. Skip to the next section to create the RDP Client Profile.

If you want Citrix Gateway to RDP Proxy to a RDSH machine that is part of an RDS Connection Broker Infrastructure (aka RDS Collection, or member of RDS Broker Farm), then you’ll need the following:

• Citrix ADC 12.1 or newer
  • NetScaler 12.0 does not support RDSH machines connected to RDS Connection Broker.
• RDP Server Profile to enable the 3389 listener on your Gateway Virtual Server.

RDP connections through Citrix Gateway to RDP Connection Broker members requires that the Remote Desktop Session Hosts are configured to disable the GPO setting Use IP Address Redirection located in a GPO at Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | RD Connection Broker. Disable this setting on the RDSH machines, not the Connection Broker machine. Disabling this setting enables token-based redirection instead of IP-based redirection, which is required by RDP Proxy in Citrix Gateway.

To create the RDP Session Profile on Citrix ADC:

1. Expand Citrix Gateway, expand Policies, and click RDP.
   
2. On the right, on the Server Profiles tab, click Add.
   
3. In the Create RDP Server Profile window:
   1. Give the RDP Server Profile a name.
   2. If you don’t enter an RDP IP, then it will use the Gateway VIP.
   3. If you don’t enter a RDP Port, then it will default to 3389. This is an additional port that must be opened on the firewall.
   4. Enter a new Pre Shared Key.
   5. Change RDP Redirection to ENABLE. This is a new feature in ADC 12.1. This setting enables RDS Infrastructure to work.
4. Click Create.
   

Create RDP Proxy Client Profile

All RDP Proxy configurations need an RDP Client Profile.

1. Expand Citrix Gateway, expand Policies, and click RDP.
   
2. On the right, switch to the Client Profiles tab, and click Add.
   
   1. Give the RDP Client Profile a name, and configure the client device mappings as desired. Scroll down.
      
   2. For the RDP Cookie Validity field, Citrix CTX233207 says that after a HA failover, RDP Proxy session will not reconnect if the cookie has expired.
      
   3. If you are running ADC 12.1 or newer and need to allow RDP connections to RDS Infrastructure member machines, then enter the same Pre Shared Key that you configured in the RDP Server Profile. If you don’t need to RDP to any member of any RDS Infrastructure, then you don’t need these settings.
      • Also, for RDP Host, enter the FQDN of the Gateway Virtual Server. This is only needed for RDP Server Profiles.
   4. Click Create.
      
      

Create RDP Bookmarks

You can create administrator-defined bookmarks that can be assigned to everybody or can be assigned to specific Active Directory groups. Another option is to let each user create their own bookmarks.

1. On the left, expand Citrix Gateway, expand Resources, and click Bookmarks.
   
   • Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how Citrix ADC Rewrite can insert an RDP Proxy link into a StoreFront web page.
2. On the right, click Add.
   
   1. Give the Bookmark a name.
   2. For the URL, enter rdp://MyRDPServer using IP or DNS (FQDN).
      • For RDS Collections, enter the address of any RDP member of the collection. The RDP server will ask the Connection Broker to load balance across the Collection and then redirect the RDP connection to the least busy RDP server in the Collection.
      • For RemoteApp, see Citrix Discussions. Example URL:

        rdp://rdshost1.comtoso.com?alternate shell:s:||win32calc&remoteapplicationprogram:s:||win32calc&remoteapplicationname:s:Calculator&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

   3. Check the box next to Use Citrix Gateway As a Reverse Proxy,
3. Click Create.
   
4. Create more bookmarks as desired.

Edit a Session Profile

1. Create or edit a Gateway Session Profile (Session Profiles tab).
   
2. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
   
   • CTX220499 How to Configure Authorization Policies for RDP Proxy states that Authorization Policy expressions for RDP Proxy must be HTTP Request-based, not TCP-based. For example: REQ.HTTP.URL CONTAINS 10.107.202.67.
3. On the Remote Desktop tab, check Override Global, and select the RDP Client Profile you created earlier.
   
4. On the Client Experience tab, set Clientless Access to On. This enables the clientless access portal that can display administrator-defined bookmarks and lets users add their own bookmarks.
   
5. On the Client Experience tab of the Session Profile, decide if you want Single Sign-on to Web Applications or not. It’s required for RDS Collections but optional for RDP machines that are not members of an RDS Infrastructure. If not checked then the user will be prompted to login again when launching an RDP session.
   
6. On the Published Applications tab, make sure ICA Proxy is OFF so the clientless portal is displayed.
   
7. Click OK when done.

Edit Citrix Gateway Virtual Server

1. Edit or Create your Gateway Virtual Server.
   
2. In the Basic Settings section, click the pencil icon on the top right to edit it.
   
3. Click More to show more settings.
   
   1. If the machines you are RDPing to are not members of an RDS Collection, then don’t configure RDP Server Profile. With no RDP Server Profile configured the RDP connections will be 443 to the Gateway. If you instead configure an RDP Server Profile then the RDP Connections will be 3389 or whatever port number you put in the RDP Server Profile.
      
   2. If you want to allow RDP to RDS Collection members, then select the RDP Server Profile that you created earlier. The RDP Server Profile enables port 3389 on the Gateway VIP. If you don’t select a RDP Server Profile, then RDP is proxied through 443 on the Gateway, but this won’t work for RDS Collection members.
      
   3. Scroll down. Make sure ICA Only is not checked. This means you’ll need Citrix Gateway Universal licenses for each user that connects through this Gateway.
   4. Click OK to close the Basic Settings section.
      
4. Bind a certificate.
5. Bind authentication policies.
6. In the Policies section, bind the Session Policy that has the RDP Client Profile configured. Be mindful of policy priority.
   
   
   
7. You can bind RDP Bookmarks to either the Citrix Gateway Virtual Server, or to a AAA group. To bind to the Citrix Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
   
8. On the left, in the Published Applications section, click where it says No Url.
   
9. Bind your Bookmarks.
   
10. While editing your Gateway vServer, you can also set the Portal Theme to RfWebUI. This is strongly recommended for the clientless access portal that displays the RDP bookmarks.
    

Configure DNS

1. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
   
2. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
   

Use RDP Proxy

1. Connect to your Citrix Gateway and login.
   
2. If you configured Bookmarks, if RfWebUI theme, on the Apps tab, click Web and SaaS Apps.
   
   1. If X1 theme, the bookmarks are on the Web Apps page.
      
3. If RfWebUI theme, you can click Details to mark the Bookmark as a Favorite.
   
   
4. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).
   
5. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
   
6. Then open the downloaded .rdp file.
   
7. You can view the currently connected RDP users by going to Citrix Gateway > Policies > RDP, and on the right is the Connections tab.
   

Personal Bookmarks

1. If using the RfWebUI theme, another way to launch RDP sessions is to click the Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
   
2. You can also give the Bookmark a name and Save it.
   
3. Then access the saved bookmark from Apps > Personal Bookmarks.
   
   
4. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
   
5. The X1 theme has an Add button on the Web Apps page.
   
6. But there is no Go button. Instead, you save the Bookmark and launch it from the list.
   

This article applies to NetScaler Gateway 14.1, Citrix Gateway 13.x, Citrix Gateway 12.1, and NetScaler Gateway 12.0.

Navigation

• Change Log
• Prerequisites
• Endpoint Analysis
  • nFactor EPA
  • Classic EPA
  • OPSWAT EPA Expressions
  • Additional EPA Configuration
  • EPA Libraries
  • EPA Plug-in
  • EPA and Portal Themes
  • EPA Troubleshooting
• SmartAccess
• SmartControl

💡 = Recently Updated

Change Log

• 2024 Aug 3 – Delivery Group Access Policy page redesigned in CVAD 2407
• 2023 Aug 15 – added link to CTX572334 Eliminate Advanced Endpoint Analysis scans on Mobile devices/iOS
• 2020 Sep 8 – nFactor EPA – added info from CTX278960 AAA GROUP expressions in Gateway Vserver (CVPN, Full VPN and ICA Proxy) use-cases
• 2020 Jun 28 – added nFactor EPA section describing how to do SmartAccess using nFactor EPA.
• 2020 Apr 20 – renamed NetScaler Gateway to Citrix Gateway
• 2018 Nov 24 – EPA Libraries – updated for Windows version 4.3.344.0
• 2018 Oct 10 – EPA Libraries – updated for Mac version 4.3.244.0
• 2018 Sep 28 – EPA Libraries – updated for versions 4.3.204.0 and 4.3.57.0
• 2018 June 4 – new EPA Libraries section to upgrade EPA libraries

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings, hide icons) based on how users connect to Citrix Gateway. Decisions are based on Citrix Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess vs SmartControl:

• SmartAccess lets you control visibility of published icons, while SmartControl does not.
• SmartControl is configured exclusively on Citrix Gateway, while SmartAccess requires configuration on both Citrix Gateway, and inside Citrix Studio.
• SmartControl requires Citrix ADC Premium Edition licensing, while SmartAccess is available in all Citrix ADC Editions.
  • Both features require Citrix Gateway Universal licenses for every concurrent connection.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in Citrix Virtual Apps and Desktops (CVAD) at any time, but it won’t work, until you do the following:

1. Citrix ADC appliance license: See Feature Licensing in the Gateway Tweaks post. In summary:
   • SmartAccess is available in all editions of Citrix ADC appliances.
   • SmartControl is available only in Citrix ADC Premium Edition.
2. Citrix Gateway Universal Licenses – On the Citrix ADC, go to System > Licenses, and make sure you have Citrix Gateway Universal Licenses allocated to the appliance.
   1. Most Citrix ADC Editions (except Citrix Gateway Enterprise VPX) come with built-in Gateway Universal licenses: Citrix ADC Standard Edition = 500 licenses, Citrix ADC Advanced Edition = 1,000 licenses, and Citrix ADC Premium Edition = unlimited licenses.
   2. Additional Citrix Gateway Universal licenses can be acquired through other means. See Feature Licensing in the Gateway Tweaks post for details.
   3. The Universal licenses are allocated to the hostname of the appliance (click the gear icon to change it), not the MAC address. In a High Availability pair, if each node has a different hostname, then you can allocate the licenses to one hostname, then reallocate to the other hostname. See Feature Licensing in the Gateway Tweaks post for details.
      
3. Citrix Gateway must have ICA Only unchecked.
   1. On the Citrix ADC, go to Citrix Gateway > Virtual Servers, and edit your Gateway Virtual Server.
      
   2. In the Basic Settings section, click the pencil icon.
      
   3. Click More.
      
   4. Uncheck the box next to ICA Only, and click OK. This tells Citrix Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.
      
4. Enable Trust XML on the Citrix Virtual Apps and Desktops (CVAD) Site/Farm:
   1. On a CVAD Controller, run PowerShell as Administrator.
   2. Run asnp citrix.* to load the snapins.
   3. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
      
5. Configure Callback URL in StoreFront:
   1. In StoreFront Console, right-click the Stores node, and click Manage Citrix Gateways.
      
   2. Edit a Gateway.
      
   3. On the Authentication Settings page, make sure a Callback URL is configured. The Callback URL must resolve to a Citrix Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external, then the Callback FQDN must be different than the Single FQDN.
      

Once the prerequisites are in place, do the following as detailed below:

• Optionally, configure Endpoint Analysis.
• Configure either SmartControl or SmartAccess.

Endpoint Analysis

Endpoint Analysis (EPA) scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

Citrix ADC 12.1 and newer support two methods of doing EPA: nFactor EPA, or Classic EPA. Classic EPA will no longer be supported in ADC 13.1 and newer so you should eventually switch to nFactor EPA.

Workspace app on Windows supports EPA when configured using nFactor EPA. Workspace app does not support Classic EPA.

nFactor EPA

EPA can be one of the factors of an nFactor flow. EPA can be performed before authentication, or after authentication.

EPA doesn’t work on iOS/Android. To skip those platforms, see CTX572334 Eliminate Advanced Endpoint Analysis scans on Mobile devices/iOS.

1. Create an nFactor EPA Action.
   1. The easiest way to find EPA is to use the Search box on the top of the left menu. Or, navigate to Security > AAA > Policies > Authentication > Advanced Policies > EPA.
      
   2. The EPA Editor link on the right-side of the Expression box lets you configure EPA Expressions. See OPSWAT EPA Expressions below for more details on how to configure an Opswat expression.
   3. For SmartAccess based on the results of the EPA scan, configure the Default Group field with a new group name (doesn’t exist in Active Directory). You’ll later use the Group name in a Session Policy and use the Session Policy name in your Citrix Policy Access Filters or Delivery Group Access Control. Default Group probably only works if the EPA Factor is performed after authentication.
      
2. After creating an EPA Action, create an Advanced Authentication Policy of type EPA and select the EPA Action you created earlier.
   1. The expression is either true, or an expression that defines who needs EPA scanning. If you are configuring post-authentication EPA, then you can use group membership (e.g. AAA.User.Is_Member_Of()) expressions.
      
      
3. Create a Policy Label for the EPA Factor. Login Schema should be LSCHEMA_INT.
   
   1. Bind the EPA Policy to your Policy Label.
      
   2. If you don’t bind any other policies, then if EPA fails, then the user shown the Access Denied page. If you want authentication to continue even with a failed EPA scan, then bind another policy to the Policy Label.
      
   3. Create an Advanced Authentication Policy named similar to NoAuth and change Action Type to NO_AUTHN. Expression = true. Bind the NoAuth policy to the Policy Label.
      
   4. The final Policy Label should have an EPA Factor with Goto = NEXT and the second policy as NoAuth.
      
4. In earlier factors that authenticate the user, when binding an authentication policy, click in the Select Next Factor field and select your EPA Policy Label.
   
   • In the earlier authentication factor, edit the Login Schema Profile, click More, and check the box next to Enable Single Sign On Credentials. EPA as later factor overrides the password collected in earlier factors causing Single Sign-on to StoreFront to fail and this checkbox fixes that problem.
     
5. Create a Citrix Gateway Session Policy that is applied when the EPA factor succeeds.
   1. Go to Citrix Gateway > Policies > Session.
   2. On the tab named Session Profiles, click Add.
      
   3. Name it FullAccess or similar and click Create. The Session Profile does not need any settings.
      
   4. Switch to the tab named Session Policies and click Add.
      
   5. Select the Profile you just created.
   6. If you are doing Advanced Policies, then the Expression is AAA.USER.IS_MEMBER_OF(“GroupName”) where “GroupName” is the name of the Default Group you specified when you created the EPA Action. Click Create. If you are doing Classic Policies, then the expression is ns_true.
      
6. If your session policy is Advanced syntax, then bind the Session Policy to your Gateway vServer.
   1. Go to Citrix Gateway > Virtual Servers and edit an existing vServer.
      
   2. Scroll all the way down to the Policies section and click the Session Policies line.
      
   3. Add Binding and select the Session Policy you will use for SmartAccess. Priority doesn’t matter.
      
7. For both Advanced Session Policies and Classic Session Policies, create a AAA Group that matches the Default Group you specified in the EPA Action. CTX278960 says this is also required for IS_MEMBER_OF expressions.
   
8. If you are doing Classic Session Policies, then create bind the Session Policy to the AAA Group. If you are doing Advanced Session Policies bound directly to the Gateway Virtual Server, then you don’t need to bind anything to the AAA Group.
9. You can now use the Session Policy in your SmartAccess configuration. See the SmartAccess section below for more details.
   

Classic EPA Policies

There are two methods of Classic Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

• With a Preauthentication Policy, if the Endpoint Analysis scan fails, then users can’t login.
• With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more Session Policies have Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.
  • Inside the Session Profile is a field for Client Security expression, which supports an EPA expression. This field is for VPN only, and does not affect SmartAccess.

Preauthentication Policies and Profiles are configured at Citrix Gateway > Policies > Preauthentication.

1. On the right, switch to the Preauthentication Profiles tab, and create a Preauthentication Profile to allow access.
   
   
2. Switch to the Preauthentication Policies tab, and create a Preauthentication Policy with an EPA expression. Select the Request Action that allows access.
   
   
3. The right side of the Expression box has links to create EPA expressions, as detailed below.
   

Classic Post-authentication Policies and Profiles are configured at Citrix Gateway > Policies > Session.

1. When creating a Session Policy, the right side of the Expression box has links to create EPA expressions, as detailed below.
2. Classic Syntax vs Default Syntax – EPA expressions can only be added to Classic Syntax Policies. If you click Switch to Default Syntax, then the OPSWAT EPA Editor disappears. Use nFactor EPA instead.
   
3. If you edit a Session Profile, on the Security tab…
   
4. Under Advanced Settings, you will see a Client Security Check String box that lets you enter an EPA Expression. This field applies only to VPN and does not affect SmartAccess. Also, this field does not function if your Session Policy is Advanced instead of Classic.
   

EPA Expressions

Citrix ADC has two Endpoint Analysis engines: the original Client Security engine, and the newer OPSWAT EPA engine.

OPSWAT EPA Expressions

To configure OPSWAT EPA expressions:

1. When creating an nFactor EPA Action, click the EPA Editor link.
   
   • When creating a Classic Preauthentication Policy, or Session Policy, click the OPSWAT EPA Editor link.
     
2. Use the drop-down menus to select the scan criteria.
3. You will see some fields with a plus icon that lets you configure more details for the scan.
   
   • Note: the text in these policy expressions is case sensitive.
     
4. Then click Done.
   

Additional OPSWAT EPA Info

See the following links for more Advanced EPA information:

• Advanced Endpoint Analysis Policy Expression Reference at Citrix Docs
• Advanced Endpoint Analysis Scans at Citrix Docs
• Citrix CTX220961 Pre authentication scan on Netscaler gateway for domain check
  
• Citrix CTX204764 Expression for EPA scan through NetScaler Gateway to check a generic antivirus and a generic firewall

  CLIENT.APPLICATION('ANTIVIR_0_RTP_==_TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS
  &&
  CLIENT.APPLICATION('FIREWALL_0_ENABLED_==_TRUE[COMMENT: Generic Firewall Product Scan]') EXISTS

• Citrix Blog Post Patch Management Endpoint Analysis on NetScaler Gateway
  
• Citrix CTX207623 Windows and macOS Supported Applications by OPSWAT Version 3 for NetScaler EPA Scans contains a list of applications supported by OPSWAT Windows and MAC EPA Scan
• Citrix CTX219296 How to configure EPA Expression to validate if the “Windows update” date is within specific time period.
  
  • Note: Automatic Updates must be enabled for this scan to work. See Citrix CTX219293 NetScaler Gateway EPA Scan Fails When Checking for “Windows Update” on Client Machine
    
• Citrix CTX228922 Configure EPA Scan for Windows Update – Critical or Automatic – shouldn’t have missing patch
  
• Citrix CTX205267 How Do I Configure EPA for Registry Check?
  
• CTX221121 Create EPA Scans to Detect Receiver on Clients. Clients without Workspace app or Receiver installed are sent to the a page with a link to the Workspace app Download page, and Clients with Workspace app or Receiver are allowed through to their ICA applications

  CLIENT.SYSTEM('REG-NON-NUM_HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Citrix\\Install\\ICA Client\\InstallFolder') EXISTS

Original Client Security Expressions

To configure the original Client Security expressions:

1. When creating a Classic Preauthentication Policy or Classic Session Policy, click the Expression Editor link.
   
2. Change the Expression Type to Client Security.
   
3. Use the Component drop-down to select a component.
   1. A common configuration is to check for domain membership as detailed at Citrix CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
   2. Citrix CTX128039 How to Configure a Registry-Based EPA Scan Expression on NetScaler to Look for the Active Device or Computer Name of an Explicit Workstation
      

Once the Classic Preauthentication and/or Classic Session Policies are created, bind them to your Citrix Gateway Virtual Server:

1. Edit a Citrix Gateway Virtual Server.
2. Scroll down to the Policies section, and click the plus icon.
   
3. Select either Preauthentication or Session, and select the policy you already created. Then click Bind.
   
4. Session Policies with EPA Expressions are typically higher in the list (lower priority number) than non-EPA Session Policies.
   

EPA Libraries

In NetScaler 12.0 build 57 and newer, the EPA Libraries are updated out-of-band.

1. Download the latest EPA libraries.
   
2. In the Citrix ADC menu, click the Citrix Gateway node.
3. On the right, in the left column, click Upgrade EPA Libraries.
   
4. Click Choose File
   
5. Browse to one of the .tgz library files, and click Open.
   
6. Click Upgrade.
   
7. Click OK when prompted that EPA Library upgraded successfully.
   
8. Click Upgrade EPA Libraries again.
   
9. Click Choose File.
   
10. Browse to the other .tgz EPA library file, and click Open.
    
11. Click Upgrade.
    
12. Click OK when prompted that upgraded successfully.
    
13. To see the versions, click Upgrade EPA Libraries.
    
    

EPA Plug-in

The EPA plug-in is automatically deployed when the user connects to Citrix Gateway – either before the logon page, or after the logon page.

To pre-deploy EPA plug-in, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy. This article describes how to extract the plug-in .msi file, and deploy using Group Policy.

EPA and Portal Themes

The webpages displayed to the user when downloading the EPA plug-in and running the EPA plug-in can be customized by editing a Portal Theme.

Look in the Advanced Settings column on the right for the three EPA pages. Citrix CTX222812 How to Customize Custom Error Messages for NetScaler Gateway EPA Scans.

EPA Troubleshooting

From Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature:

1. Go to Citrix Gateway > Global Settings.
2. On the right, click Change Global Settings.
   
3. On the Security tab, click Advanced Settings.
   
4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
   
5. When the scan fails, the user is presented with a Case ID.
   
6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.
   

For client-side logging, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

• Make a DWORD value named “EnableEPALogging“, and set the value to 1.
• After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.

NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.

SmartAccess

Links:

• CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance
• CTX227055 Smart Access Guide for NetScaler Gateway, StoreFront and XenDesktop contains packet traces of the StoreFront Callback URL and XML Broker communication.

Make sure the prerequisites are completed. This includes:

• ICA Only unchecked on Citrix Gateway Virtual Server
• Gateway Universal licenses installed
• Callback URL configured at StoreFront
• Trust XML enabled on Delivery Controllers

SmartAccess is configured in two places:

• Delivery Group > Access Policy page in Web Studio in CVAD 2407 and newer has been redesigned. There are built-in Access Policies that you can edit. And you can add Access Policies. They support both inclusions and exclusions. See Citrix Docs for details.
  
  • CVAD 2402 and older looks like the screenshot below.
    
• Citrix Policy (user settings only) > filters > Access control in Web Studio looks like the screenshot below.
  
  • Group Policy looks like the screenshot below.
    

In any case, you enter the name of a matching Gateway Virtual Server, and the name of a matching Session Policy (or Preauthentication Policy).

• Set AG farm name or Site or Farm name to the name of the Citrix Gateway Virtual Server.
• Set Access condition or Filter to the name of the Citrix Gateway Session Policy (or Preauthentication Policy).
• You can use * as a wildcard in either field.
• The matching Citrix Gateway Session Policy typically has an EPA Factor in an nFactor flow that puts the user in a AAA Group that has a group-specific Session Policy bound to the AAA group. That way the Session Policy only applies to connections that match the EPA Expression.

Icon visibility – Access Control at the Delivery Group controls visibility of icons published from that Delivery Group.

• Access Control on a Delivery Group is Allow only. Icons are hidden from non-matching connections.
• You can uncheck Connections through Citrix Gateway to hide the published icons from all Citrix Gateway connections.
• It’s not possible to hide individual published applications. You can hide all applications from a single Delivery Group, or none of them. If you need more granularity, then you’ll have to split the applications onto different Delivery Groups.
• App Groups do not have an Access Control option. It’s Delivery Groups only.

Citrix Policy Settings – Access Control filter on a Citrix Policy determines if the Policy settings apply or not.

• Access Control filter applies to User Settings only. It’s not configurable for Computer Settings.
• You typically configure the Unfiltered Citrix Policy to block all client device mappings. Then you configure a higher priority Citrix Policy with Access Control filter to re-enable client device mappings for endpoint machines that match the Session Policy and EPA Expression.

When connected to a session, Director shows SmartAccess Filters on the Session Details page. Notice the Farm Name (Gateway Virtual Server name) and Filter Name (Session Policy name)

SmartControl

The SmartControl feature lets you configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at Citrix Docs for detailed instructions.

• Note: SmartControl requires Citrix ADC Premium Edition. If you don’t have Premium Edition, you can instead configure SmartAccess.
• SmartControl cannot hide published icons. If you need that functionality, configure SmartAccess, either as a replacement for SmartControl, or as an addition to SmartControl.

To configure SmartControl:

1. Make sure the Prerequisites are completed. This includes: ICA Only unchecked and Gateway Universal licenses installed. Callback URL and Trust XML are not needed.
2. If you are using a Preauthentication Policy to run an Endpoint Analysis scan:
   1. Edit the Preauthentication Profile.
      
   2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
      
3. If you are instead using a Session Policy to run the post-authentication Endpoint Analysis scan:
   1. Edit the Session Profile
   2. On the Security tab, use the Smartgroup field to define a new group name for users that pass the scan. You’ll use this group name later.
      
4. On the left, expand Citrix Gateway, expand Policies, and click ICA.
   
5. On the right, switch to the Access Profiles tab, and click Add.
   
   1. Configure the restrictions as desired, and click Create.
      
6. Switch to the ICA Action tab, and click Add.
   
   1. Give the ICA Action a name.
   2. Select the ICA Access Profile.
   3. Click Create.
      
7. Switch to the ICA Policies tab, and click Add.
   
8. In the Create ICA Policy page, do the following:
   1. Give the ICA Policy a name.
   2. Select the previously created ICA Action.
   3. Enter an expression. You can use HTTP.REQ.USER.IS_MEMBER_OF(“MyGroup”).NOT where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan.
9. Click Create when done.
   
10. Edit your Gateway Virtual Server.
    1. Scroll down to the Policies section, and click the plus icon.
       
    2. Change the Choose Type drop-down to ICA, and click Continue.
       
    3. Select the SmartControl policy you created earlier, and click Bind.
       

Related Pages

• Citrix Gateway 12 – ICA proxy
• Back to Citrix ADC 12