Citrix Gateway

Configuring SmartControl

SmartControl allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops on Citrix Gateway. SmartControl allows administrators to manage these policies from a single location, rather than at each instance of these server types.

SmartControl is implemented through ICA policies on Citrix Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment.

The following table lists the user environment attributes that SmartControl can enforce:

     
  • ConnectClientDrives: Specifies the default connection to the client drives when the user logs on.
  • ConnectClientLPTPorts: Specifies the automatic connection of LPT ports (local printer ports) from the client when the user logs on.
  • ClientAudioRedirection: Specifies whether applications hosted on the server can transmit audio through a sound device installed on the client computer.
  • ClientClipboardRedirection: Specifies and configures clipboard access on the client device and maps the clipboard on the server.
  • ClientCOMPortRedirection: Specifies the COM (serial communication) port redirection to and from the client.
  • ClientDriveRedirection: Specifies the drive redirection to and from the client.
  • Multistream: Specifies the multistream feature for specified users.
  • ClientUSBDeviceRedirection: Specifies the redirection of USB devices to and from the client (workstation hosts only).
  • Localremotedata: Specifies the HTML5 file upload and download capability for the Citrix Workspace app.
  • ClientPrinterRedirection: Specifies the client printers to be mapped to a server when a user logs on to a session.

Policies

An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete
  • Show Bindings
  • Policy Manager
  • Action

Add

  1. Go to Citrix Gateway > Policies and then click ICA.

    Select ICA

  2. In the details pane, on the Policies tab, click Add.

  3. In the Name dialog box, type a name for the policy.

    Policy name

  4. Next to Action do one of the following:

    • Click the > icon to select an existing action. For details see Select an action under Common Processes.
    • Click the + icon to create an action. For details see Create an action under Common Processes.
    • The pencil icon is disabled.
  5. Create an expression.

  6. Create a Log Action. For more details see Create a Log Action.

  7. Enter a message into the Comments box. The comment writes to the message log. This field is optional.

  8. Click Create.  

Edit

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the ICA policy from the list.

  3. In the details pane, on the Policies tab, click Edit.

  4. Verify the policy name.

    Validate policy name

  5. To revise the Action do one of the following:

    • Click the > icon to revise an existing Action. For details see Select an action under Common Processes.
    • Click the + icon to create an Action. For details see Create an action under Common Processes.
    • Click the pencil icon to revise the Access Profile.
  6. Revise the Expression as desired. For details see Expressions under Common Processes.

  7. To revise the Log Action do one of the following:

    • Click the + to create a Log Action.

    • Click the pencil icon to configure an Audit Message.

  8. Revise the comments as desired.

  9. Click OK.  

Delete

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the desired ICA policy from the list.

  3. In the details pane, on the Policies tab, click Delete.

  4. Confirm that you want to delete the policy by clicking Yes.

Show Binding

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the ICA policy from the list.

  3. In the details pane, on the Policies tab, click Show Bindings.

Policy Manager

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the desired ICA policy from the list.

  3. In the details pane, on the Policies tab, click Policy Manager.

  4. From the Bind Point dialog box, select one of the following bind points.

    • Override Global
    • VPN Virtual Server
    • Cache Redirection Virtual Server
    • Default Global
  5. From the Connection Type dialog box, select a binding policy from the menu.

  6. If you select either the VPN Virtual Server or the Cache Redirection Virtual Server, select the server from the menu.

  7. Click Continue.

    ICA policy configuration page

Add Binding

  1. After selecting Continue, this screen appears.

  2. Select a Policy to attach the Binding.

  3. Select Add Binding.

    Add binding page

Policy Binding

  1. After selecting Done, this screen appears.

Unbind Policy

  1. Select the policy you want to unbind, and click the Unbind button.

    Unbind policy

  2. Click Done.

  3. Click the Yes button on the pop-up screen to confirm that you desire to unbind the selected entity.

Bind NOPOLICY

  1. Select the policy that requires NOPOLICY, and click the Bind NOPOLICY button.

    Bind `Nopolicy`

  2. Click Done.

Edit

You can edit from the ICA Policy Manager.

  1. Select the policy you want to edit, and select Edit.

    Edit ICA policy

  2. You can make the following edits: Edit Binding, Edit Policy, or Edit Action.

    Policy edits

Edit Binding

  1. With the policy selected, click Edit Binding.

  2. Verify that you are editing the desired policy. This Policy Name is not editable.

    Edit policy binding

  3. Set the Priority as desired.

  4. Set Goto Expression as desired.

  5. Click the Bind button.

Edit Policy

  1. With the policy selected, click Edit Policy.

  2. Verify the policy Name to ensure you are editing the desired policy. This field is not editable.

    Edit policy

  3. To revise the Action, do one of the following:

    • Click the > icon to select an existing Action. For details see Select an action under Common Processes.
    • Click the + icon to create an action. For details see Create an action under Common Processes.
    • Click the pencil icon to revise the Access Profile. For details see Select an existing Access Profile under Common Processes.
  4. Revise the Expression as desired. For more details see Expressions under Common Processes.

  5. Select the desired type of message from the menu. To create a Log Action, do one of the following:

  6. Enter comments about the ICA Policy.

  7. Click OK when the edit is complete.

Edit Action

  1. With the policy selected, click Edit Action.

  2. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

  3. Next to Access Profile do one of the following:

    • Click the > icon to select a different Access Profile. For details see Configure Action.
    • Click the + icon to create a new Access Profile. For details see Create an Access Profile.
    • Click the pencil icon to revise the Access Profile. For details see Select an existing Access Profile under Common Processes.
  4. Click OK.

    Edit action

Action

The Policies > Action commands are used to rename the action.

  1. Select the desired ICA Action from the list.

  2. On the ICA Policies tab, click Action. Select Rename from the menu.

    Rename action page

  3. Rename the action.

  4. Click OK.

Action

An Action connects a policy with an Access Profile. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete
  • Action

Add

  1. Go to Citrix Gateway > Action and then click ICA.

    ICA page

  2. In the details pane, on the Action tab, click Add.

    Add action

    • Click the > icon to select an existing Access Profile. For details see Select an existing Access Profile under Common Processes.

    • Click the + icon to create an Access Profile. For details see Create an Access Profile.

    • The pencil icon is disabled for this screen.

  3. Click Create.

    Create action

Edit

  1. Select the desired ICA policy from the list.

    Select ICA policy

  2. In the details pane, on the Action tab, click Edit.

Configure Action

  1. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

  2. Next to Access Profile do one of the following:

    • Click the > icon to select an existing Access Profile. For details see Select an existing Access Profile under Common Processes.
    • Click the + icon to create an Access Profile. For details see Create an Access Profile.
    • Click the pencil icon to configure the Access Profile. For details see Configure Access Profile.
  3. Click OK.

    Configure action

Delete

  1. Go to Citrix Gateway > Action and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Delete.

    Delete action

  4. Confirm that you want to delete the Action by clicking Yes.

Action

The ICA Action > Action commands are used to rename the action.

  1. Go to Citrix Gateway > Action and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Action.

    Action page

  4. Select Action > Rename from the menu.

  5. Rename the action.

  6. Click OK.

Access Profiles

An ICA profile defines the settings for user connections.

Access profiles specify the actions that are applied to a user’s Citrix Virtual Apps and Desktops ICA environment if the user device meets the policy expression conditions. You can use the GUI to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can use only one profile with a policy.

You can create Access Profiles independently of an ICA policy. When you create the policy, you can select the access profile to attach to the policy. An Access Profile specifies the resources available to a user. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete

Creating an Access Profile with the GUI

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. In the details pane, click the Access Profiles tab and then click Add.

  3. Configure the settings for the profile, click Create, and then click Close. After you create a profile, you can include it in an ICA policy.

Add an Access Profile to a policy using the GUI

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. On the Policies tab, do one of the following:

    • Click Add to create an ICA policy.

    • Select a policy and then click Open.

  3. In the Action menu, select an Access Profile from the list.

  4. Finish configuring the ICA policy and then do one of the following:

    • Click Create and then click Close to create the policy.

    • Click OK and then click Close to modify the policy.

Add

  1. Go to Citrix Gateway > Policies and then click ICA.

    Add ICA page

  2. In the details pane, on the Access Profiles tab, click Add.

    Add ICA

  3. In Name, type a name for the Access Profile.

    Add access profile name

  4. Select Default or Disable from the menus shown to create the Access Profile.

  5. Click Create.

Edit

  1. Select the Access Profile you want to edit.

  2. In the details pane, on the Access Profiles tab, click Edit.

Edit access profile

Configure Access Profile

  1. Verify that the Name is the one you want to revise.

    Configure access profile

  2. Select Default or Disable from the menu to configure as required.
  3. Click OK.

Delete

  1. Go to Citrix Gateway > Action, and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Delete.

    Delete ICA

  4. Confirm the Access Profile you want to delete by clicking Yes.

Common Processes

Create an action

  1. Type a Name for the Action.

  2. Select one of the following to supply the Access Profile:

    • Click the > icon to select an existing Access Profile. For details see Select an existing Access Profile under Common Processes.

    • Click the + icon to create an Access Profile. For details see Create an Access Profile.

    • The pencil icon is disabled.

  3. Click Create.

    Create action page

Select an action

  1. Select an Action by clicking the radio button to the left of it. The associated Access Profile specifies the allowed user functions.

  2. Click the Select button.

    Select an action

Create an Access Profile

  1. Name the Access Profile.

    Access profile name

  2. You can configure the Access Profile from this menu.

  3. Click Create.

Select an existing Access Profile

  1. Select an Access Profile by clicking it.

    Select access profile

  2. Click Edit.

  3. Configure the Access Profile. For details see Configure Access Profile.

Expressions

  1. To create or revise an existing expression, select Clear.

    The expressions are the typical ICA expressions. For the HTTP expressions, enter the name within the "" and remove the ().

    • ICA.SERVER.PORT: Checks that the specified port matches the port number on the Citrix Virtual Apps and Desktops server that the user is attempting to connect to.
    • ICA.SERVER.IP: Checks that the specified IP matches the IP address of the Citrix Virtual Apps and Desktops server that the user is attempting to connect to.
    • AAA.USER.IS_MEMBER_OF("").NOT: Checks that the current connection is accessed by a user who is NOT a member of the specified group name.
    • AAA.USER.IS_MEMBER_OF("group name"): Checks that the user accessing the current connection is a member of the specified group.
    • AAA.USER.NAME.CONTAINS("").NOT: Checks that the user accessing the current connection is NOT a member of the specified group.
    • AAA.USER.NAME.CONTAINS("enter user name"): Specifies the resources for a user name. Checks that the current connection is accessed by the specified name.
    • CLIENT.IP.DST.EQ(enter the IP address here).NOT: Checks that the destination IP of the current traffic is NOT equal to the specified IP address.
    • CLIENT.IP.DST.EQ(enter the IP address here): Checks that the destination IP of the current traffic is equal to the specified IP address.
    • CLIENT.TCP.DSTPORT.EQ(enter port number).NOT: Checks that the destination port is NOT equal to the specified port number.
    • CLIENT.TCP.DSTPORT.EQ(enter port number): Checks that the destination port is equal to the specified port number.
  2. Press Ctrl and the Space bar at the same time to display the available options.

    Expression dialog

  3. Type the period, make your selection, and press the Space bar.
  4. At each period of the expression in the previous table, type the period, make your selection, and press the Space bar.
  5. Click OK.

Expression

Group Identification

The preauthentication or session functions define the expression with a group name variable.

Preauthentication

  1. Select Preauthentication from the configuration pane.

Select a `preauth` policy

  1. Select a name from the Preauthentication Policies.

  2. Select Edit from the Preauthentication Policies tab.

    Preauthentication Policies tab

  3. Select the pencil icon or + next to the Request Action dialog box.

    Edit

  4. Define the (“<groupname>”) in the Default EPA Group dialog box.

    EPA group

Session

  1. Select Session from the configuration pane.

Session option

Create a Log Action

  1. In the Configure Policy screen, next to the Log Action dialog box, select the + icon.

Log action page

Create Audit Message Action

  1. The Create Audit Message Action screen appears. Name the Audit Message. The Audit message only accepts numbers, letters, or an underscore character.

  2. From the menu specify the Audit Log Level:

    • Emergency: Events that indicate an immediate crisis on the server.
    • Alert: Events that might require action.
    • Critical: Events that indicate an imminent server crisis.
    • Error: Events that indicate some type of error.
    • Warning: Events that require action soon.
    • Notice: Events that the administrator must know about.
    • Informational: All but low-level events.
    • Debug: All events, in extreme detail.
  3. Enter an Expression. The Expression defines the format and content of the log.

  4. Select the check boxes as required:

    • Select Log in newnslog to send the message to the new ns log.
    • Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
  5. Click Create.

Create audit message action

Revise a Log Action

  1. In the Configure Policy screen, next to the Log Action dialog box click the icon.

    Configure policy

Configure Audit Message Action

The following are editable fields:

  1. From the menu specify the Audit Log Level.

  2. Enter an Expression. The Expression defines the format and content of the log.

  3. Select the check boxes as required:

    • Check the Log in newnslog to send the message to a new ns log.

    • Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.

  4. Click OK.

    Config audit message page

Select an existing policy

  1. Click the > icon to select an existing policy.

    Policy page

  2. Select the radio button of the desired policy.

    Select a policy

Create a policy

  1. In Name, type a name for the policy.
  2. Click + to create a policy.

    Create policy

  3. Create an Action. For details see Create a new action.

  4. Name the Access Profile.

    Access profile name

  5. Configure the Access Profile from this menu.
  6. Click Create.
  7. Click Bind.

    Binding page

Configuring pre-authentication and post-authentication end point analysis

This section describes how to configure post-authentication and pre-authentication end point analysis (EPA).

To configure post-authentication EPA with SmartControl use the Smartgroup parameter from the VPN session action. The EPA expression is configured on the VPN session policy.

You can specify a group name for the smart group parameter. This group name can be any string. The group name does not need to be an existing group on the active directory.

Configure the ICA policy with the expression HTTP.REQ.IS_MEMBER_OF("groupname"). Use the group name that was previously specified for the smart group.

To configure pre-authentication EPA with SmartControl use the Default EPA group parameter from the pre-authentication profile. The EPA expression is configured on the pre-authentication policy.

You can specify a group name for the Default EPA group parameter. This group name can be any string. The group name does not need to be an existing group on the active directory.

Configure the ICA policy with the expression HTTP.REQ.IS_MEMBER_OF("groupname"). Use the group name that was previously specified for the Default EPA Group.
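The smart group flow described in this section and the expression syntax from the Expressions table under Common Processes, modelled together in one added example (constructed here; not Citrix code). It assumes that bound ICA policies are evaluated in ascending priority order with the first match supplying the Access Profile, and that attribute values are DEFAULT or DISABLED as in the GUI; the policy names, the group name epa_ok and the addresses are constructed sample data.

```python
"""Model of how SmartControl ICA policies gate a session (added example; not Citrix code).

Assumptions: bound ICA policies are evaluated in ascending priority order and the first
matching policy supplies the Access Profile; only the parenthesised expressions from the
Expressions table are supported; attribute values are DEFAULT or DISABLED.
"""
import ipaddress
import re
from dataclasses import dataclass

# User environment attributes that an Access Profile can set (the SmartControl table).
ATTRIBUTES = ("ConnectClientDrives", "ConnectClientLPTPorts", "ClientAudioRedirection",
              "ClientClipboardRedirection", "ClientCOMPortRedirection",
              "ClientDriveRedirection", "Multistream", "ClientUSBDeviceRedirection",
              "Localremotedata", "ClientPrinterRedirection")

@dataclass
class Session:
    user: str
    groups: set          # directory groups plus any smart group granted by EPA
    dst_ip: str          # Citrix Virtual Apps and Desktops server the client targets
    dst_port: int

@dataclass
class IcaPolicy:
    name: str
    rule: str            # expression in the page's syntax
    access_profile: dict # attribute -> "DEFAULT" | "DISABLED"; unset means DEFAULT
    priority: int        # binding priority; lower number is evaluated first (assumption)

_EXPR = re.compile(r'^([A-Z_][A-Z0-9_.]*)\s*\((.*)\)(\.NOT)?$')

def evaluate(expr: str, s: Session) -> bool:
    """Evaluate one expression from the Expressions table against a session."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    func, negate = m.group(1), bool(m.group(3))
    arg = m.group(2).strip().strip('"\u201c\u201d')   # accept straight or curly quotes
    if func == "AAA.USER.IS_MEMBER_OF":
        result = arg in s.groups
    elif func == "AAA.USER.NAME.CONTAINS":
        result = arg in s.user
    elif func == "CLIENT.IP.DST.EQ":
        result = ipaddress.ip_address(s.dst_ip) == ipaddress.ip_address(arg)
    elif func == "CLIENT.TCP.DSTPORT.EQ":
        result = s.dst_port == int(arg)
    else:
        raise ValueError(f"unsupported function: {func}")
    return not result if negate else result

def apply_session_policy(s: Session, epa_passed: bool, smartgroup: str) -> Session:
    """Post-authentication EPA: a passing check places the user in the Smartgroup."""
    if epa_passed:
        s.groups.add(smartgroup)
    return s

def select_policy(policies, s: Session):
    """Return the first matching ICA policy in priority order, or None."""
    for p in sorted(policies, key=lambda p: p.priority):
        if evaluate(p.rule, s):
            return p
    return None

def effective_settings(policies, s: Session):
    """Resolve the Access Profile the session ends up with: (policy name, attribute map)."""
    settings = dict.fromkeys(ATTRIBUTES, "DEFAULT")   # no match: SmartControl restricts nothing
    p = select_policy(policies, s)
    if p is not None:
        settings.update(p.access_profile)
    return (p.name if p else None), settings

# Constructed policy set: users who did not earn the smart group (EPA failed) get the
# locked-down profile via the negated IS_MEMBER_OF form from the table.
LOCKED_DOWN = {a: "DISABLED" for a in ("ClientDriveRedirection", "ClientUSBDeviceRedirection",
                                      "ClientClipboardRedirection", "Localremotedata")}
POLICIES = [
    IcaPolicy("ica_contractors", 'AAA.USER.NAME.CONTAINS("contractor")',
              {**LOCKED_DOWN, "ClientPrinterRedirection": "DISABLED"}, priority=50),
    IcaPolicy("ica_epa_pass", 'AAA.USER.IS_MEMBER_OF("epa_ok")', {}, priority=100),
    IcaPolicy("ica_epa_fail", 'AAA.USER.IS_MEMBER_OF("epa_ok").NOT', LOCKED_DOWN, priority=110),
]

def demo(user: str, epa_passed: bool):
    """Run one user through the EPA smart group step and then ICA policy evaluation."""
    s = apply_session_policy(Session(user, {"staff"}, "10.0.0.5", 1494), epa_passed, "epa_ok")
    return effective_settings(POLICIES, s)

if __name__ == "__main__":
    for user, ok in (("alice", True), ("bob", False), ("contractor1", True)):
        name, settings = demo(user, ok)
        print(user, "->", name, settings["ClientDriveRedirection"])
```

Because the first match wins in this model, a more restrictive policy only takes effect when it is bound with a lower priority number than the permissive one; the contractor case shows that ordering.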

Post-authentication configuration

Use the following procedure to set up smart groups for Post-authentication configuration.

  1. Go to Citrix Gateway > Policies > Session.

    Sessions page

  2. Go to Session Profiles > Add.

    Add session

Create Citrix Gateway Session Profile

  1. Select the Security tab.

  2. Enter a Name for your Citrix Gateway Profile (action).

  3. Select the box to the right of the menu and select the desired Default Authorization Action.

    Specify the network resources that users have access to when they log on to the internal network. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access. If you set the default authorization policy to DENY, you must explicitly authorize access to any network resource, which improves security.

  4. Select the box to the right of the menu and select the desired Secure Browse.

    Allow users to connect through Citrix Gateway to network resources from iOS and Android mobile devices with Citrix Workspace app. Users do not need to establish a full VPN tunnel to access resources in the secure network.

  5. Select the box to the right of the menu and enter the Smartgroup name.

    This is the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy performs the post-authentication EPA check, and if the check succeeds the user is placed in the group specified as the smart group. The is_member_of (aaa.user.is_member_of) expression can then be used in policies to check whether the user passed EPA, that is, whether the user belongs to this smart group.

  6. Click Create.

  7. Go to Citrix Gateway > Policies > Session.

  8. Go to Session Policies > Add.

  9. Enter the Name for the new session policy that is applied after the user logs on to Citrix Gateway.

  10. Select the Profile action using the menu.

    The Action applied by the new session policy if the rule criterion is met.

    Note: If the desired profile must be created select the +. For more details see Create Citrix Gateway Session Profile.

  11. Enter Expression in this field.

    This field defines the named expression that specifies the traffic that matches the policy. The expression can be written in either default or classic syntax. The maximum length of a literal string for the expression is 255 characters. A longer string can be split into smaller strings of up to 255 characters each, and the smaller strings concatenated with the + operator. For example, you can create a 500-character string as follows: ‘”” + “”’

    The following requirements apply only to the Citrix ADC CLI:

    • If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
    • If the expression itself includes double quotation marks, escape the quotations by using the escape character. Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.
  12. Click Create.

  13. Go to Session Policies.

  14. Select the Name of the Session Policy.

  15. Select Global Bindings from the Action menu.

  16. Select Add Binding.

  17. Select the > to choose an existing policy.

    Note: Select + to create a policy. For more details see section Create Citrix Gateway Session Profile.

  18. Choose a name from the list and press the Select button.

  19. Enter the Priority and click Bind.

  20. Click Done.

  21. The check shows that your selection is Globally Bound.

    Session policy page

Pre-authentication configuration

Use the following procedure to set up the pre-authentication configuration.

  1. Go to Citrix Gateway > Policies > Preauthentication.

    Preauthentication page

  2. Select the Preauthentication Profiles tab and select Add.

    Add preauthentication profile

  3. Enter the Name for the preauthentication action.

    The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. The name cannot be changed after the preauthentication action is created.

    Note: The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks.

  4. Select a Request Action that the policy is to invoke when a connection matches the policy.

    Note: If you want to create a Preauthentication Profile, select the +. For more information see Create Preauthentication Profile.

  5. Enter an Expression that is the name of the Citrix ADC named rule, or default syntax expression that defines the connections that match the policy.

  6. Click Create.

  7. Go to the Preauthentication Policies tab and select the desired policy.

  8. Select Global Binding from the Action menu.

  9. Select Add Bindings.

  10. Select > to select an existing policy.

    Select + to create a policy. For more details see Create Citrix Gateway Session Profile.

  11. Select Policy.

  12. Enter the Priority and click Bind.

  13. Click Done.

  14. The check shows that the Preauthentication Policy is Globally Bound.

Create Preauthentication Profile

  1. Enter the Name for the preauthentication action.

    The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. The name cannot be changed after the preauthentication action is created.

    Note: If the name includes one or more spaces, enclose the name in double or single quotation marks. This is applicable only to the Citrix ADC CLI.

  2. Enter the Action from the menu.

    This option allows or denies logon based on the endpoint analysis (EPA) results.

  3. Processes to be Canceled

    This option identifies a string of processes that the endpoint analysis (EPA) tool must terminate.

  4. Files to be deleted

    This option identifies a string specifying the paths and names of the files that the endpoint analysis (EPA) tool must delete.

  5. Default EPA Group

    The default EPA group is the group that is chosen when the EPA check succeeds.

  6. Click Create.