Citrix Gateway

Session policies

A session policy is a collection of expressions and settings that are applied to users, groups, virtual servers, and globally.

You use a session policy to configure the settings for user connections. You can define settings to configure the software users log on with, such as the Citrix Secure Access agent for Windows or the Citrix Secure Access agent for Mac. You can also configure settings to require users to log on with Citrix Workspace app or Secure Hub. Session policies are evaluated and applied after the user is authenticated.

Session policies are applied according to the following rules:

  • Session policies always override global settings in the configuration.
  • Any attributes or parameters that are not set by a session policy take their values from the policies established for the virtual server.
  • Any other attributes that are not set by a session policy or by the virtual server are set by the global configuration.

Important:

The following instructions are general guidelines for creating session policies. There are specific instructions for configuring session policies for different configurations, such as clientless access or for access to published applications. The instructions might contain directions for configuring a specific setting. However, that setting can be one of many settings that are contained within a session profile and policy. The instructions direct you to create a setting within a session profile and then apply the profile to a session policy. You can change settings within a profile and policy without creating a session policy. In addition, you can create all of your settings on a global level and then create a session policy to override global settings.

If you deploy Citrix Endpoint Management or StoreFront in your network, Citrix recommends using the Quick Configuration wizard to configure session policies and profiles. When you run the wizard, you define the settings for your deployment. Citrix Gateway then creates the required authentication, session, and clientless access policies.

Create a session policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. Complete the settings for the session profile and then click Create.
  7. In the Create Session Profile dialog box, add an expression for the policy, click Create, and then click Close. Note: In the expression, select the True value so that the policy is always applied to the level to which it is bound.

Bind session policies

After you create a session policy, bind it to a user, group, virtual server, or globally. Session policies are applied as a hierarchy in the following order:

  • Users
  • Groups
  • Virtual servers
  • Globally

Bind a session policy to a virtual server by using the GUI

  1. Navigate to Citrix Gateway > Virtual Servers.
  2. Select a virtual server and click Edit. You can also create a new virtual server.
  3. Scroll down to the Policies section, and click the + icon.
  4. In Choose Policy, select Session.
  5. In Choose Type, select Request, and click Continue.
  6. In Select Policy, select the policy that you want to bind to this virtual server.
  7. In Priority, enter the priority number of the policy.
  8. Click Bind.

Bind a session policy to an authentication, authorization, and auditing group by using the GUI

  1. Navigate to Citrix Gateway > User Administration > AAA Groups.
  2. Select an existing authentication, authorization, and auditing group, and click Edit. You can also create an authentication, authorization, and auditing group.
  3. In Advanced Settings, click Policies, and then click the + icon.
  4. In Choose Policy, select Session, and click Continue.
  5. In Select Policy, select the policy that you want to bind to this authentication, authorization, and auditing group.
  6. In Priority, enter the priority number of the policy.
  7. Click Bind.

Bind a session policy to an authentication, authorization, and auditing user by using the GUI

  1. Navigate to Citrix Gateway > User Administration > AAA Users.
  2. Select an existing Citrix ADC user, and click Edit. You can also create an authentication, authorization, and auditing user.
  3. In Advanced Settings, click Policies, and then click the + icon.
  4. In Choose Policy, select Session, and click Continue.
  5. In Select Policy, select the policy that you want to bind to this authentication, authorization, and auditing user.
  6. In Priority, enter the priority number of the policy.
  7. Click Bind.

Note: For details on priority, see https://support.citrix.com/article/CTX214588.

Create a session profile

A session profile contains the settings for user connections.

Session profiles specify the actions that are applied to a user session if the user device meets the policy expression conditions. Profiles are used with session policies. You can use the configuration utility to create session profiles separately from a session policy and then use the profile for multiple policies. You can only use one profile with a policy.

Configure network settings for user connections in a session profile

You can use the Network Configuration tab in the session profile to configure the following network settings for user connections:

  • DNS server
  • WINS server IP address
  • Mapped IP address that you can use as an intranet IP address
  • Spillover settings for address pools (intranet IP addresses)
  • Intranet IP DNS suffix
  • HTTP ports
  • Forced time-out settings

Configure connection settings in a session profile

You can use the Client Experience tab in the session profile to configure the following connection settings:

  • Access Interface or customized home page
  • Web address for web-based email, such as Outlook Web Access
  • Plug-in type (Citrix Secure Access agent for Windows, or Citrix Secure Access agent for macOS X)
  • Split tunneling
  • Session and idle time-out settings
  • Clientless access
  • Clientless access URL encoding
  • Plug-in type (Windows, or Mac)
  • Single sign-on to web applications
  • Credential index for authentication
  • Single sign-on with Windows
  • Client cleanup behavior
  • Logon scripts
  • Client debug settings
  • Split DNS
  • Access to private network IP addresses and local LAN access
  • Client choices
  • Proxy settings

For more information about configuring settings for user connections, see Configuring Connections for the Citrix Secure Access agent.

Configure security settings in a session profile

You can use the Security tab in a session profile to configure the following security settings:

  • Default authorization action (allow or deny)
  • Secure Browse for connections from iOS devices
  • Quarantine groups
  • Authorization groups

For more information about configuring authorization on Citrix Gateway, see Configuring Authorization.
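The profile settings and bind points described on this page can be reviewed together from an exported configuration. The following Python sketch is an added example, not Citrix code: it reads constructed lines in NetScaler CLI (ns.conf) style, which this page does not show, and reports every bind point that receives a session profile with the default authorization action set to allow or split tunneling turned on. All policy, profile, group, and virtual server names are hypothetical.

```python
import shlex

# Constructed sample in NetScaler CLI (ns.conf) style; every name is hypothetical.
SAMPLE_CONF = """\
add vpn sessionAction prof_staff -defaultAuthorizationAction DENY -splitTunnel OFF
add vpn sessionAction prof_legacy -defaultAuthorizationAction ALLOW -splitTunnel ON
add vpn sessionPolicy pol_staff ns_true prof_staff
add vpn sessionPolicy pol_legacy ns_true prof_legacy
bind vpn vserver vs_gateway -policy pol_staff -priority 100
bind aaa group contractors -policy pol_legacy -priority 90
bind vpn global -policyName pol_legacy -priority 200
"""

# Profile settings (Security and Client Experience tabs) that widen access
# and are worth reviewing wherever the profile is bound.
REVIEW = {"-defaultAuthorizationAction": "ALLOW", "-splitTunnel": "ON"}


def opts(tokens):
    """Map each '-flag' token to the token that follows it."""
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}


def audit(conf):
    """Return sorted (profile, setting, bind_point, priority) findings."""
    profiles, policies, binds = {}, {}, []
    for line in conf.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["add", "vpn", "sessionAction"]:
            profiles[tok[3]] = opts(tok[4:])
        elif tok[:3] == ["add", "vpn", "sessionPolicy"]:
            policies[tok[3]] = tok[-1]  # policy name -> profile name
        elif tok[:1] == ["bind"]:
            o = opts(tok)
            policy = o.get("-policy") or o.get("-policyName")
            is_global = tok[1:3] == ["vpn", "global"]
            point = "global" if is_global else f"{tok[2]}:{tok[3]}"
            if policy in policies:  # ignore non-session policy bindings
                binds.append((policy, point, int(o.get("-priority", 0))))
    findings = []
    for policy, point, prio in binds:
        profile = policies[policy]
        for flag, risky in REVIEW.items():
            if profiles.get(profile, {}).get(flag, "").upper() == risky:
                findings.append((profile, f"{flag[1:]}={risky}", point, prio))
    return sorted(findings, key=lambda f: (f[3], f[2], f[1]))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep="  ")
```

The report lists where each setting is bound and with what priority number; it does not compute which policy wins for a given user.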

Configure Citrix Virtual Apps and Desktops settings in a session profile

You can use the Published Applications tab in a session profile to configure the following settings for connections to servers running Citrix Virtual Apps and Desktops:

  • ICA Proxy, for client connections that use Citrix Workspace app
  • Web Interface address
  • Web Interface portal mode
  • Single sign-on to the server farm domain
  • Citrix Workspace app home page
  • Account Services Address

For more information about configuring settings for connecting to published applications in a server farm, see Providing Access to Published Applications and Virtual Desktops Through the Web Interface.

You can create session profiles independently of a session policy. When you create the policy, you can select the profile to attach to the policy.

To create a session profile by using the GUI

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies, and then click Session.
  2. In the details pane, click the Profiles tab, and then click Add.
  3. Configure the settings for the profile, click Create, and then click Close.

After you create a profile, you can include it in a session policy.

To add a profile to a session policy by using the GUI

  1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and then click Session.
  2. On the Policies tab, do one of the following:
    • Click Add to create a session policy.
    • Select a policy, and then click Open.
  3. In Request Profile, select a profile from the list.
  4. Finish configuring the session policy, and then do one of the following:
    • Click Create, and then click Close to create the policy.
    • Click OK, and then click Close to modify the policy.