Session Policies for StoreFront – NetScaler Gateway 11

Last Modified: Jul 10, 2016 @ 2:26 pm


This page details creation of session profiles and policies for NetScaler Gateway 11 where ICA Only (formerly known as Basic Mode) is checked.

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway with StoreFront

Session Profiles/Policies CLI Commands

The CLI commands are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"

Session Profiles

Or use the GUI to create the policies/profiles:

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.
  3. Name the first one ReceiverSelfService or similar. This is for Receiver Self-Service (not in a web browser).
  4. Switch to the Client Experience tab.
  5. Check the Override Global box next to Clientless Access and set it to Allow. (The CLI commands above leave -clientlessVpnMode OFF; because ICA Proxy is ON in these profiles, the gateway serves StoreFront in ICA proxy mode only, so this setting does not change what users get.) Scroll down.
  6. Check the Override Global box next to Plug-in Type and set it to Java.
  7. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.
  8. If you need two-factor authentication, the session profile for Receiver Self-Service must indicate which authentication field contains the Active Directory password. On the Client Experience tab, check the Override Global box next to Credential Index and set it to SECONDARY. Leave the session profile for web browsers set to PRIMARY.
  9. On the Security tab, check the Override Global box next to Default Authorization Action and set it to Allow.
  10. On the Published Applications tab, check the Override Global box next to ICA Proxy and set it to ON.
  11. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the NetBIOS name of your Active Directory domain (Corp in the CLI example above). StoreFront must accept this domain name (Configure Trusted Domains).
  12. If you have multiple domains, then leave the Single Sign-on Domain field blank, and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  13. For Account Services Address, enter the StoreFront Base URL with no path (e.g. https://storefront.corp.com, the -storefronturl value in the CLI example). NetScaler must be able to resolve this DNS name and reach StoreFront on it.
  14. Highlight the existing session profile and click Add. This copies the settings from the existing profile into the new one.
  15. Change the name of the second Session Profile to ReceiverForWeb or similar.
  16. On the Client Experience tab, Clientless Access should be set to Allow. Scroll down.
  17. Plug-in Type should still be set to Java.
  18. Single Sign-on to Web Applications should be enabled.
  19. If you need two-factor authentication, the session profile for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service profile needs SECONDARY, as detailed earlier.
  20. On the Security tab, the Default Authorization Action should still be Allow.
  21. On the Published Applications tab, in the Web Interface Address field, enter the StoreFront Base URL followed by the path to your Receiver for Web site (e.g. https://storefront.corp.com/Citrix/StoreWeb, the -wihome value in the CLI example).
  22. Account Services Address only applies to Receiver Self-Service. It is not needed in this profile, but there’s no harm in leaving it, so you can keep it or clear it.
  23. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the NetBIOS name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  24. Click Create.

Session Policies

  1. On the right, switch to the Session Policies tab, and click Add.
  2. Name the Policy ReceiverSelfService or similar.
  3. Change the Request Profile (Action) to ReceiverSelfService.
  4. Either type in or use the Expression Editor link to build the following expression:
    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  5. Then click Create.
  6. Add another policy, and name it ReceiverForWeb or similar.
  7. Change the Action (Request Profile) to ReceiverForWeb.
  8. In the Expression box, either type in the following or use the Expression Editor. It’s the same as the previous expression, except it’s NOTCONTAINS instead of CONTAINS. Note that User-Agent is supplied by the client, so these expressions only steer each client to the matching profile; they are not an access control, since any client can send a User-Agent containing CitrixReceiver.
    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  9. Click Create.
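The following is an added example, not code from this page or from Citrix/NetScaler, covering both the Session Profiles and Session Policies steps above. It parses the "add vpn sessionAction" and "add vpn sessionPolicy" lines in the format shown in the CLI section (the same form "show ns runningConfig" exports) and checks them against the settings the steps call for: ICA Proxy ON, SSO ON, Default Authorization ALLOW, Account Services Address with no path on the Self-Service profile, a Web Interface Address with the Receiver for Web path on the browser profile, and Credential Index SECONDARY only on the Self-Service profile. It also evaluates the two User-Agent expressions the way the gateway selects a profile. Assumptions: the Credential Index setting appears in the export as -ssoCredential PRIMARY|SECONDARY, and the sample config text is constructed for the example, with one deliberate mistake.

```python
"""Audit exported NetScaler session profiles/policies for an ICA-only StoreFront gateway.

Added example; not code from the page, from Citrix, or from NetScaler. The sample
config below is constructed and carries one deliberate mistake. Assumption: the
Credential Index (two-factor) setting is exported as -ssoCredential PRIMARY|SECONDARY.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample export. The "Receiver for Web" profile wrongly carries
# Credential Index SECONDARY, which the page reserves for Receiver Self-Service.
SAMPLE_CONFIG = r'''
add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"
add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF
add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"
add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"
'''

# The two classic expressions used on this page: header, operator, literal.
RULE_RE = re.compile(r"REQ\.HTTP\.HEADER User-Agent (CONTAINS|NOTCONTAINS) (\S+)")


def parse_config(text):
    """Return ({profile name: {param: value}}, {policy name: {rule, action}})."""
    actions, policies = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())          # shlex keeps quoted URLs/expressions whole
        if tok[:3] == ["add", "vpn", "sessionAction"]:
            params, rest, i = {}, tok[4:], 0
            while i < len(rest):
                key = rest[i].lstrip("-")
                # A -parameter takes the next token as its value unless that token
                # is itself a -parameter (or the line ends).
                if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                    params[key] = rest[i + 1]
                    i += 2
                else:
                    params[key] = ""
                    i += 1
            actions[tok[3]] = params
        elif tok[:3] == ["add", "vpn", "sessionPolicy"]:
            policies[tok[3]] = {"rule": tok[4], "action": tok[5]}
    return actions, policies


def audit(actions, policies):
    """Return a list of findings; an empty list means the export matches the page."""
    findings = []
    for name, p in actions.items():          # settings both profiles must share
        if p.get("icaProxy", "").upper() != "ON":
            findings.append(f"{name}: ICA Proxy must be ON for ICA-only mode")
        if p.get("SSO", "").upper() != "ON":
            findings.append(f"{name}: Single Sign-on to Web Applications must be ON")
        if p.get("defaultAuthorizationAction", "").upper() != "ALLOW":
            findings.append(f"{name}: Default Authorization Action must be ALLOW")
        if not p.get("ntDomain"):
            findings.append(f"{name}: no Single Sign-on Domain; the LDAP servers must then "
                            "use userPrincipalName as SSO Name Attribute (not checked here)")
    for pname, pol in policies.items():      # which profile serves which client
        m = RULE_RE.fullmatch(pol["rule"])
        if not m:
            findings.append(f"{pname}: unexpected expression {pol['rule']!r}")
            continue
        p = actions.get(pol["action"])
        if p is None:
            findings.append(f"{pname}: references missing profile {pol['action']!r}")
            continue
        cred = p.get("ssoCredential", "PRIMARY").upper()
        if m.group(1) == "CONTAINS":         # native Receiver -> Self-Service profile
            sf = p.get("storefronturl", "")
            if not sf:
                findings.append(f"{pol['action']}: Account Services Address (-storefronturl) missing")
            elif urlparse(sf).path not in ("", "/"):
                findings.append(f"{pol['action']}: Account Services Address must be the "
                                "StoreFront base URL with no path")
        else:                                # browsers -> Receiver for Web profile
            if cred == "SECONDARY":
                findings.append(f"{pol['action']}: Credential Index SECONDARY belongs on the "
                                "Self-Service profile only; use PRIMARY")
            if urlparse(p.get("wihome", "")).path in ("", "/"):
                findings.append(f"{pol['action']}: Web Interface Address should include the "
                                "Receiver for Web site path (e.g. /Citrix/StoreWeb)")
    return findings


def matching_policy(user_agent, policies):
    """First policy whose expression matches the given User-Agent, in policy order.
    The header is client-supplied: any client that puts 'CitrixReceiver' in its
    User-Agent is steered to the Self-Service profile."""
    for pname, pol in policies.items():
        m = RULE_RE.fullmatch(pol["rule"])
        if m and ((m.group(1) == "CONTAINS") == (m.group(2) in user_agent)):
            return pname
    return None


if __name__ == "__main__":
    acts, pols = parse_config(SAMPLE_CONFIG)
    for f in audit(acts, pols):
        print("FINDING:", f)
    for ua in ("CitrixReceiver/4.4.0.1 Windows", "Mozilla/5.0 (Windows NT 10.0)"):
        print(ua, "->", matching_policy(ua, pols))
```

Paste the "add vpn sessionAction"/"add vpn sessionPolicy" lines from your own "show ns runningConfig" output into SAMPLE_CONFIG to audit a real gateway; the policy names are not trusted, the CONTAINS/NOTCONTAINS expression decides which profile is treated as Self-Service.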

Next Step

Create NetScaler Gateway Virtual Server

12 thoughts on “Session Policies for StoreFront – NetScaler Gateway 11”

  1. Hi Carl, is it possible to block clients with specific Citrix receiver version or with version earlier than X (or Citrix IOS/Android Receiver earlier than X).
    I think the Citrix Receiver version is not present in the HTTP header and there is no way to track it. Am I right, or are there other ways to get it? Thank you.

  2. Hello Carl, similar question to @Graham.
    I’m a bit confused about the recommendation to set “Plug-in Type: Java” for the SelfService Receiver, and “Plug-in Type: Win/Mac” for the Web Policy.
    AFAIK the Web Policy shouldn’t need any setting at all. Only the SelfService Policy would need “Plug-in Type: Win/Mac”. Is this a mistake on your side or mine?

    Second, do we need an Plug-in Type definition at all in ICA-Proxy ON mode? Doesn’t that override any Plug-in use at all?

    And Third hint from my side: In your step-by-step description you clone the Web-Profile from the SelfService Profile. But compared to the CLI command you don’t clear the “Account Services Address / -storefronturl” which should still be in the clone.

    Thanks for all your good work, and I hope I can help you a little bit with the small details!
    Marco

    1. Regarding the plugin type, I’m following http://support.citrix.com/article/CTX139963 . This was changed recently. It used to be Java for both but now it’s Windows for Web and Java for Receiver.

      The plugin type is used by Receiver Self-Service to contact StoreFront without needing a VPN tunnel. I suspect there’s special code to handle Receiver.

      Regarding Account Services Address, it is not used by Browsers, but there’s no harm in leaving it.

  3. Hi Carl,

    Thanks for a great series.

    Creating a Receiver (not web) policy above, in the GUI you override Plug-in Type to Java. Where does this appear in the command line? Or is it there by default?
    Thanks
    Graham

    1. I don’t have a good answer. I’m just following Citrix’s guides, which they changed, hopefully for a good reason.

  4. Hi Carl, What if I wanted to set smart card authentication as a primary, but if the user does not have a smart card or smart card reader then fallback to domain authentication? Would this be another session policy?

  5. Why on the ReceiverSelfService command do you have “-wihome “https://storefront.corp.com/Citrix/StoreWeb”” but on the GUI build step number 10 you have “Don’t add any path to the end of the URL.” Just trying to make sure which is correct.
