Citrix Gateway

Configure Access Scenario Fallback

SmartAccess allows Citrix Gateway to determine automatically the methods of access that are allowed for a user device based on the results of an endpoint analysis scan. Access scenario fallback further extends this capability by allowing a user device to fall back from the Citrix Secure Access agent to the Web Interface or StoreFront by using Citrix Workspace app if the user device does not pass the initial endpoint analysis scan.

To enable access scenario fallback, you configure a post-authentication policy that determines whether users receive an alternative method of access when logging on to Citrix Gateway. This post-authentication policy is defined as a client security expression that you configure either globally or as part of a session profile. If you configure a session profile, the profile is associated to a session policy that you then bind to users, groups, or virtual servers. When you enable access scenario fallback, Citrix Gateway initiates an endpoint analysis scan after user authentication. The results for user devices that do not meet the requirements of a fallback post-authentication scan are as follows:

  • If client choices are enabled, users can log on to the Web Interface or StoreFront by using Citrix Workspace app only.
  • If clientless access and client choices are disabled, users can be quarantined into a group that provides access only to the Web Interface or StoreFront.
  • If clientless access and the Web Interface or StoreFront are enabled on Citrix Gateway and ICA Proxy is disabled, users fall back to clientless access.
  • If the Web Interface or StoreFront is not configured and clientless access is set to allow, users fall back to clientless access.

When clientless access is disabled, the following combination of settings must be configured for the access scenario fallback:

  • Define client security parameters for the fallback post-authentication scan.
  • Define the Web Interface home page.
  • Disable client choices.
  • If user devices fail the client security check, users are placed into a quarantine group that allows access only to the Web Interface or StoreFront and to published applications.

Create policies for Access Scenario Fallback

To configure Citrix Gateway for access scenario fallback, you need to create policies and groups in the following ways:

  • Create a quarantine group in which users are placed if the endpoint analysis scan fails.
  • Create a global Web Interface or StoreFront setting that is used if the endpoint analysis scan fails.
  • Create a session policy that overrides the global setting and then bind the session policy to a group.
  • Create a global client security policy that is applied if the endpoint analysis fails.

When configuring the access scenario fallback, use the following guidelines:

  • Using client choices or access scenario fallback requires the Endpoint Analysis plug-in for all users. If endpoint analysis cannot run or if users select Skip Scan during the scan, users are denied access. Note: The option to skip the scan is removed in Citrix Gateway 10.1, Build 120.1316.e
  • When you enable client choices, if the user device fails the endpoint analysis scan, users are placed into the quarantine group. Users can continue to log on with either the Citrix Secure Access agent or the Citrix Workspace app to the Web Interface or StoreFront. Note: Citrix recommends that you do not create a quarantine group if you enable client choices. User devices that fail the endpoint analysis scan are quarantined are treated in the same way as user devices that pass the endpoint scan.
  • If the endpoint analysis scan fails and the user is put in the quarantine group, the policies that are bound to the quarantine group are effective only if there are no policies bound directly to the user that have an equal or lower priority number than the policies bound to the quarantine group.
  • You can use different web addresses for the Access Interface and, the Web Interface or StoreFront. When you configure the home pages, the Access Interface home page takes precedence for the Citrix Secure Access agent and the Web Interface home page takes precedence for Web Interface users. The Citrix Workspace app home page takes precedence for StoreFront.

Create a quarantine group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, click Add.
  3. In Group Name, type a name for the group, click Create, and then click Close. Important: The name of the quarantine group must not match the name of any domain group to which users might belong. If the quarantine group matches an Active Directory group name, users are quarantined even if the user device passes the endpoint analysis security scan.

After creating the group, configure Citrix Gateway to fall back to the Web Interface if the user device fails the endpoint analysis scan.

Configure settings to quarantine user connections

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Citrix Gateway Settings dialog box, on the Published Applications tab, next to ICA Proxy, select OFF.
  4. Next to Web Interface Address, type the web address for StoreFront or the Web Interface.
  5. Next to Single Sign-On Domain, type the name of your Active Directory domain, and then click OK.

After configuring the global settings, create a session policy that overrides the global ICA Proxy setting and then bind the session policy to the quarantine group.

Create a session policy for Access Scenario Fallback

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. On the Published Applications tab, next to ICA Proxy, click Override Global, select On, and then click Create.
  6. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.

After creating the session policy, bind the policy to a quarantine group.

Bind the session policy to the quarantine group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, select a group, and then click Open.
  3. Click Session.
  4. On the Policies tab, select Session, and, then click Insert Policy.
  5. Under Policy Name, select the policy, and then click OK.

After creating the session policy and profile enabling the Web Interface or StoreFront on Citrix Gateway, create a global client security policy.

Create a global client security policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Security tab, click Advanced Settings.
  4. In Client Security, enter the expression. For more information about configuring system expressions, see Configuring System Expressions and Configuring Compound Client Security Expressions
  5. In Quarantine Group, select the group you configured in the group procedure, and then click OK.
Configure Access Scenario Fallback