Citrix Gateway – SmartAccess “light”? Do you have a requirement in your environment that users are allowed to internally copy or paste data to and from the Citrix environment? So access to the clipboard, client drives, USB drives and more is allowed? Within your own environment this makes sense. But how does it look like if the users should also access the environment from external devices? Here it would be better if not everything is allowed 😉
In this article you will see, how to setup the policies in your Citrix environment and on the Citrix Gateway.
The szenario looks like this:
Requirements
One prerequisite for the configuration described in this article is that you have a working Citrix Gateway configuration. There should be DNS entries on a VIP of the Citrix Gateway on which they perform user authentication for the site. You can make this in the local DNS or in the hostfiles of the individual storefront servers.
I describe here a slimmed down version of SmartAccess, which can also be used with a simple Citrix Gateway license. Universal Licenses are not required . If you want to use SmartAccess for granular user gradation, for example from external devices, you need Universal Licenses for your Citrix ADC appliance.
Configure your Citrix Gateway
First of all, you have to adjust the configuration of the virtual server of the Citrix Gateway. You have to activate “ICA Oly”. You can activate this in the advanced settings of the Basic Settings within the Citrix Gateway VPN Virtual Server.
Configure Citrix Site Settings
On the Citrix Gateway that was already everything. Next, we jump to one of our Citrix controllers. You have to check first, if the value “TrustRequestsSentToTheXmlServicePort” is set to “True” for the BrokerSite. (You can find more information about this under: https://support.citrix.com/article/CTX215015).
Check the value via the Powershell. Start the Powershell as administrator. Of course the user must have admin rights for the Citrix environment. Execute the following command:
Add-PSSnapin Citrix*
Get-BrokerSiteIn my environment the value is still on “False” so I have to change it.
You can set the value to True directly via the powershell. To check the settings you can read the BrokerSite again.
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
Get-BrokerSiteThere, we’ve done that.
Next, go to the Citrix Storefront Console and set the Callback URL for the Citrix Gateway. I have marked the individual steps again. Please note that the Storefront Servers must reach one of the VIP addresses of the Citrix Gateway with the Callback URL hostname. I recommend to use the internal IP address of the Citrix Gateway (e.g. in the DMZ). If you do not want to make a DNS entry for this, or if you have several Citrix Gateways at different locations, you should make an entry in the hostfile of the Citrix Storefront Servers.
Here I have attached another screenshot, if the Callback URL is not set. In this case you get a warning in the Citrix Gateway configuration. The Citrix Gateway SmartAccess configuration would not work then. You can find more information in the Troubleshooting section.
Citrix Policies
Now switch to Citrix Studio to create the necessary policies. First I create the policy that prohibits access to the client devices for users connecting from outside.
Security Policy for Citrix Gateway Users
It is important that the settings of the “Access Control” are observed. Here you can see a screenshot especially for this.
In this directive I will now prohibit everything that should not be allowed from outside. This policy thus ensures that my Citrix Gateway SmartAccess works from the outside. Since the policy should apply to external users without exception, I will apply the policy to all users connecting through the Citrix Gateway.
Since we want to allow the use of client devices for the internal users, I need a second policy.
Security Policy for Internal Users
You have to “Deny” the policy for internal Users. So the policy is not applied to them.
In addition, they define the user group or scope to which the policy should allow access.
Here I have again presented the overview of the two guidelines. The order is important, otherwise the settings will not apply.
So, I finished the configuration. Now we can test the access from outside. You will see that if you connect externally through the Citrix Gateway, you will no longer have access to client devices. Please make sure to logoff the session before testing. Otherwise the settings can not apply.
Troubleshooting
A typical error that occurs in this configuration is that the storefront servers cannot resolve the callback URL. You can see relatively easily in the event log of the storefront controller. In this case, the user also gets the message “Cannot complete your Request” when connecting via the Citrix Gateway. The errors 10, 8 and 3 are then visible in the event log.
Please check in this case if the storefront servers can really reach a VIP of the Citrix Gateway on which the authentication takes place via the DNS entry of the callback URL.
You can find more information about this error and its multiple causes: https://support.citrix.com/article/CTX262124
I hope this article helps them. I would be glad about a comment or a Like in the social media.
Hi,
does this work with VPX in Standard licensing mode,
or do you have to purchase Enterprise, or Platinum licenses to make this work?
cheers
Hey, I think so. Works also with a Citrix gateway vpx