Policies and profiles on Citrix Gateway
Policies and profiles on Citrix Gateway allow you to manage and implement configuration settings under specified scenarios or conditions. An individual policy states or defines the configuration settings that go into effect when a specified set of conditions is met. Each policy has a unique name and can have a profile bound to the policy.
How policies work
A policy consists of a Boolean condition and collection of settings called a profile. The condition is evaluated at runtime to determine if the policy must be applied.
A profile is a collection of settings, using specific parameters. The profile can have any name and you can reuse it in more than one policy. You can configure multiple settings within the profile, but you can only include one profile per policy.
You can bind policies, with the configured conditions and profiles, to virtual servers, groups, users, or globally. Policies are referred to by the type of configuration settings they control. For example, in a session policy, you can control how users log on and the number of time users can stay logged on.
If you are using Citrix Gateway with Citrix Virtual Apps, Citrix Gateway policy names are sent to Citrix Virtual Apps as filters. When configuring Citrix Gateway to be compatible with Citrix Virtual Apps and SmartAccess, you configure the following settings in Citrix Virtual Apps:
- The name of the virtual server that is configured on the appliance. The name is sent to Citrix Virtual Apps as the Citrix Gateway farm name.
- The names of the pre-authentication or session policies are sent as filter names.
For more information about configuring Citrix Gateway to be compatible with Citrix Endpoint Management, see Configuring Settings for Your Citrix Endpoint Management Environment.
For more information about configuring Citrix Gateway to be compatible with Citrix Virtual Apps and Desktops, see Accessing Citrix Virtual Apps and Citrix Virtual Desktops Resources with the Web Interface and Integrating with Citrix Endpoint Management or StoreFront.
For more information about preauthentication policies, see Configuring Endpoint Polices.
Conditional policies
When configuring policies, you can use any Boolean expression to express the condition for when the policy applies. When you configure conditional policies, you can use any of the available system expressions, such as the following:
- Client security strings
- Network information
- HTTP headers and cookies
- Time of day
- Client certificate values
You can also create policies to apply only when the user device meets specific criteria, such as a session policy for SmartAccess.
Another example of configuring a conditional policy is varying the authentication policy for users. For example, you can require users who are connecting with the Citrix Secure Access agent from outside the internal network, such as from their home computer or by using Micro VPN from a mobile device, to be authenticated by using LDAP and users who are connecting through the WAN to be authenticated using RADIUS.
Note: You cannot use policy conditions based on endpoint analysis results if the policy rule is configured as part of security settings in a session profile.
Priorities of policies
Policies are prioritized and evaluated in the order in which the policy is bound.
The following two methods determine policy priority:
- The level to which the policy is bound: globally, virtual server, group, or user. Policy levels are ranked from highest to lowest as follows:
- User (highest priority)
- Group
- Virtual server
- Global (lowest priority)
- Numerical priority takes precedence regardless of the level at which the policy is bound. If a policy that is bound globally has a priority number of one and another policy bound to a user has a priority number of two, the global policy takes precedence. A lower priority number gives the policy a higher precedence.
Create policies on Citrix Gateway
You can use the configuration utility to create policies. After you create a policy, you bind the policy to the appropriate level: user, group, virtual server, or global. When you bind a policy to one of these levels, users receive the settings within the profile if the policy conditions are met. Each policy and profile has a unique name.
If you have Citrix Endpoint Management or StoreFront as part of your deployment, you can use the Quick Configuration wizard to configure the settings for this deployment. For more information about the wizard, see Configuring Settings with the Quick Configuration Wizard.