SmartAccess / SmartControl – NetScaler 11

Last Modified: Jun 8, 2016 @ 5:32 am


💡 = Recently Updated

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings) based on how users connect. Decisions are based on the NetScaler Gateway Virtual Server name, the Session Policy name, and Endpoint Analysis scan success or failure. With SmartAccess, those decisions are enforced by XenApp/XenDesktop (Citrix policies and Delivery Group access policies); with SmartControl, they are enforced on the NetScaler itself through ICA policies.

SmartAccess can also control application/desktop icon visibility.


Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time but it won’t work until you do the following:

  1. On the NetScaler, go to System > Licenses and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance. The Universal licenses are allocated to the hostname of the appliance (click the gear icon), not the MAC address. In a High Availability pair, if each node has a different hostname then you can allocate the licenses to one hostname, then reallocate to the other hostname.
  2. After installing licenses, go to NetScaler Gateway > Global Settings.
  3. On the top right, click Change authentication AAA settings.
  4. At the top of the page, change the Maximum Number of Users to match your installed license count. Then click OK. This setting is commonly missed and if not configured it defaults to only 5 concurrent connections.
  5. On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
  6. Run asnp citrix.* to load the snapins.
  7. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
  8. In StoreFront Console, go to the NetScaler Gateway node and edit (Change General Settings) the existing Gateway object.
  9. Make sure a Callback URL is configured to resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external then the Callback FQDN must be different than the Single FQDN.
  10. On the NetScaler, go to NetScaler Gateway > Virtual Servers and edit your Gateway Virtual Server.

  11. In the Basic Settings section, click the pencil icon.
  12. Click More.
  13. Uncheck the box next to ICA Only and click OK. This tells NetScaler Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.
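The two prerequisites that are most often left half-done are step 7 (XML trust) and step 9 (a callback FQDN whose Gateway certificate really covers that name). The following PowerShell is an added example, not code from the original article or from Citrix: it enables XML trust on a Delivery Controller and, from a StoreFront server, resolves the callback FQDN and inspects the certificate the Gateway VIP presents. The FQDN `callback.gateway.example.com` is a placeholder; the snapin commands are the same ones used in steps 6 and 7.

```powershell
# Added example (not from the original article). Checks prerequisite steps 7
# and 9. Run the XML-trust part on a Delivery Controller as Administrator and
# the callback check on a StoreFront server, because the callback originates
# there (a HOSTS-file entry on StoreFront is what counts).
# 'callback.gateway.example.com' is a placeholder; substitute your own FQDN.
param(
    [string]$CallbackFqdn = 'callback.gateway.example.com'   # assumption
)

Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue   # same as 'asnp citrix.*'; absent on StoreFront

function Enable-XmlTrust {
    # Step 7: without XML trust the Controller discards the SmartAccess
    # tags StoreFront forwards, and Access Control filters never match.
    if (-not (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort) {
        Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
    }
    return (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
}

function Test-CallbackCertificate {
    param([string]$Fqdn)
    # Step 9: the callback FQDN must resolve to a Gateway VIP whose
    # certificate covers that exact name (a wildcard covering it is fine).
    $ip = ([System.Net.Dns]::GetHostAddresses($Fqdn) | Select-Object -First 1).IPAddressToString

    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    # Accept whatever certificate is presented so we can inspect it ourselves below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Collect the CN plus every DNS SAN. The SAN extension (OID 2.5.29.17)
    # formats as "DNS Name=a.example.com, DNS Name=*.example.com".
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }

    # Exact match, or a wildcard that replaces exactly one label.
    $match = $names | Where-Object {
        ($_ -ieq $Fqdn) -or
        ($_.StartsWith('*.') -and ($Fqdn -ilike $_) -and ($Fqdn.Split('.').Count -eq $_.Split('.').Count))
    }

    [pscustomobject]@{
        Fqdn       = $Fqdn
        ResolvesTo = $ip
        CertNames  = ($names -join ', ')
        NameMatch  = [bool]$match
        NotAfter   = $cert.NotAfter
    }
}

if (Get-Command Get-BrokerSite -ErrorAction SilentlyContinue) {
    "XML trust enabled: $(Enable-XmlTrust)"     # only meaningful on a Controller
}
Test-CallbackCertificate -Fqdn $CallbackFqdn | Format-List
```

If `NameMatch` is False, StoreFront will refuse the callback and SmartAccess silently stops working even though users can still log in, which is the symptom several commenters below describe. If you use the Single FQDN design, run this against the separate callback name, not the user-facing one.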

Once the prerequisites are in place, do the following as detailed below:

Endpoint Analysis

Endpoint Analysis scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

  • With a Preauthentication Policy, if the Endpoint Analysis scan fails then users can’t login.
  • With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more policies has Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.

NetScaler 11 has two Endpoint Analysis engines: the classic Client Security engine and the newer OPSWAT Advanced EPA engine.

To configure OPSWAT Advanced EPA expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
  2. Use the drop-down menus to select the scan criteria. Then click Done.

See the following links for more Advanced EPA information:

To configure Client Security expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
  2. Change the Expression Type to Client Security.
  3. Use the Component drop-down to select a component. A common configuration is to check for domain membership as detailed at CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
  4. You can also use EPA expressions when configuring a Quarantine Group.

Once the Policies are created, bind them to your NetScaler Gateway Virtual Server:

  1. Edit a NetScaler Gateway Virtual Server.
  2. Scroll down to the Policies section and click the plus icon.
  3. Select either Preauthentication or Session and select the policy you already created. Then click Bind.

EPA Troubleshooting

Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature: 💡

  1. Go to NetScaler Gateway > Global Settings.
  2. On the right, click Change Global Settings.
  3. On the Security tab, click Advanced Settings.
  4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
  5. When the scan fails, the user is presented with a Case ID.
  6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.


To determine why your EPA scans fail, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
Make a DWORD value named “EnableEPALogging” and set the value to 1.

After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.


NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.


SmartControl

NetScaler 11.0 has a new SmartControl feature, where you can configure some of the SmartAccess functionality (the ICA virtual channel restrictions, not icon visibility) directly on the appliance as ICA policies. See Citrix's Configuring SmartControl documentation for detailed instructions.

  1. If you are using a Preauthentication Policy to run an Endpoint Analysis scan, edit the Preauth profile.

  2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
  3. If you are instead using a Session Policy/Profile to run the post-authentication Endpoint Analysis scan, on the Security tab, use the Smartgroup field to define a group name for users that pass the scan. You’ll use this group name later.
  4. On the left, expand NetScaler Gateway, expand Policies, and click ICA.
  5. On the right, switch to the Access Profiles tab and click Add.
  6. Configure the restrictions as desired and click OK.
  7. Switch to the ICA Action tab and click Add.
  8. Give the Action a name and select the Access Profile. Click Create.
  9. Switch to the ICA Policies tab and click Add.
  10. Select the previously created ICA Action.
  11. Enter an expression. You can use REQ.USER.IS_MEMBER_OF("MyGroup") where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan. Click Create when done.
  12. Edit your Gateway Virtual Server.
  13. Scroll down to the Policies section and click the plus icon.
  14. Change the Policy Type to ICA and click Continue.
  15. Select the SmartControl policy you created earlier and click Bind.
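Steps 4 through 15 can also be driven through the NetScaler NITRO REST API, which is useful when the same policy has to land on several Gateway vServers or HA pairs. The script below is an added example, not code from the original article or from Citrix. Assumptions: the NSIP, credentials, vServer name and SmartGroup name are placeholders; the access profile attribute names are the lower-case forms of the NetScaler 11 `add ica accessprofile` CLI parameters and the `ICA_REQUEST` bind point is the one `bind vpn vserver` uses for ICA policies, so confirm both against your build's NITRO reference; and the rule uses the default-syntax group test (`HTTP.REQ.USER.IS_MEMBER_OF`) negated, so that the restrictions apply to everyone who is *not* in the SmartGroup, i.e. who failed or could not run the EPA scan.

```powershell
# Added example (not from the original article). Creates the SmartControl
# objects from steps 4-15 via NITRO instead of the GUI. All values in param()
# are placeholders; attribute names and the bind point are assumptions to be
# checked against your NetScaler 11 build.
param(
    [string]$NsIp       = '192.0.2.10',     # assumption: NSIP (use https in production)
    [string]$User       = 'nsroot',
    [string]$Password   = 'nsroot',
    [string]$VServer    = 'gateway-vs',     # assumption: Gateway vServer name
    [string]$SmartGroup = 'EPA_Passed'      # Default EPA Group / Smartgroup from steps 2-3
)

$base = "http://$NsIp/nitro/v1/config"

# Log in once; NITRO sets a session cookie that -WebSession carries forward.
Invoke-RestMethod -Uri "$base/login" -Method Post -ContentType 'application/json' `
    -Body (@{ login = @{ username = $User; password = $Password } } | ConvertTo-Json) `
    -SessionVariable ns | Out-Null

function Add-NsObject([string]$Type, [hashtable]$Props) {
    # POST /nitro/v1/config/<type> with {"<type>": {...}}
    $body = @{ $Type = $Props } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Uri "$base/$Type" -Method Post -ContentType 'application/json' `
        -Body $body -WebSession $ns | Out-Null
}

# Steps 5-6: access profile that turns off the client-side mappings we do not
# want for endpoints that did not pass EPA. DEFAULT leaves a channel to the
# Citrix policies on the VDA; DISABLED blocks it at the Gateway.
Add-NsObject 'icaaccessprofile' @{
    name                       = 'SmartControl_Restrict'
    connectclientlandrives     = 'DISABLED'
    clientusbdriveredirection  = 'DISABLED'
    localremotedatasharing     = 'DISABLED'
    clientclipboardredirection = 'DISABLED'
    clientprinterredirection   = 'DISABLED'
}

# Steps 7-8: action that points at the profile.
Add-NsObject 'icaaction' @{ name = 'SmartControl_Restrict'; accessprofilename = 'SmartControl_Restrict' }

# Steps 9-11: policy. Negating the group test means members of the SmartGroup
# (EPA passed) get default behaviour and everyone else is restricted, which
# also covers mobile clients that cannot run EPA at all.
Add-NsObject 'icapolicy' @{
    name   = 'SmartControl_Restrict'
    rule   = "!HTTP.REQ.USER.IS_MEMBER_OF(`"$SmartGroup`")"
    action = 'SmartControl_Restrict'
}

# Steps 12-15: bind to the Gateway vServer at the ICA bind point (assumption).
$bind = @{ vpnvserver_icapolicy_binding = @{
    name = $VServer; policy = 'SmartControl_Restrict'; priority = 100; bindpoint = 'ICA_REQUEST'
} } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Uri "$base/vpnvserver_icapolicy_binding" -Method Put -ContentType 'application/json' `
    -Body $bind -WebSession $ns | Out-Null

# Show what is now bound, then persist and log out.
(Invoke-RestMethod -Uri "$base/vpnvserver_icapolicy_binding/$VServer" -WebSession $ns).vpnvserver_icapolicy_binding |
    Format-Table policy, priority, bindpoint -AutoSize
Invoke-RestMethod -Uri "$base/nsconfig?action=save" -Method Post -ContentType 'application/json' `
    -Body '{"nsconfig":{}}' -WebSession $ns | Out-Null
Invoke-RestMethod -Uri "$base/logout" -Method Post -ContentType 'application/json' `
    -Body '{"logout":{}}' -WebSession $ns | Out-Null
```

Because the restriction is applied on the appliance, it takes effect even when the Citrix policy path is broken (missing callback, XML trust off), which makes SmartControl the simpler choice when all you need is to strip client drives, clipboard and printers from untrusted endpoints.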


SmartAccess

See Citrix CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance.

In XenApp/XenDesktop, edit a Citrix policy and add the Access Control filter. If you are using GPO to deliver Citrix Policies, then only Citrix Policies in the user half of the GPO support Access Control filters.

You can leave the default wildcards for farm name and condition to match all NetScaler Gateway connections. Or you can match specific NetScaler Gateway / Session Policy connections:

  • AG farm name = name of the NetScaler Gateway Virtual Server.
  • Access condition = name of the NetScaler Gateway Session Policy.

You typically create a Citrix policy to turn off all client device mappings for all external users. Then you create a higher priority Citrix policy that re-enables client device mappings for those users that passed the Endpoint Analysis scan expression on a particular Session Policy.

If you edit a Delivery Group, there’s an Access Policy page where you can hide or show the Delivery Group for all NetScaler Gateway connections or for specific NetScaler Gateway Virtual Server / Session Policy connections.

  • Farm name = NetScaler Gateway Virtual Server name
  • Filter = NetScaler Gateway Session Policy name

This configuration is only available for the entire Delivery Group. It is not possible to perform this configuration for only specific published applications unless they are in different Delivery Groups.
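Studio's Access Policy page writes the Farm name / Filter pair into the Delivery Group's ViaAG access policy rule as a SmartAccess tag of the form `farm:filter`. The script below is an added example, not code from the original article or from Citrix: it makes the same change with the Broker SDK and then lists the SmartAccess tags carried by live sessions, which is the quickest way to tell whether tags are reaching the Controller at all (the check the Citrix policy Access Control filter above also depends on). The Delivery Group, vServer and Session Policy names are placeholders.

```powershell
# Added example (not from the original article). Run on a Delivery Controller
# as Administrator. Names in param() are placeholders.
param(
    [string]$DeliveryGroup  = 'Win10 Desktops',   # assumption
    [string]$GatewayVServer = 'gateway-vs',       # "Farm name" = Gateway vServer name
    [string]$SessionPolicy  = 'SP_EPA_Pass'       # "Filter" = Session Policy name
)

Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue   # same as 'asnp citrix.*'

function Set-DeliveryGroupGatewayFilter {
    param([string]$Name, [string]$Farm, [string]$Filter)
    $dg  = Get-BrokerDesktopGroup -Name $Name
    $tag = "${Farm}:${Filter}"    # how Studio stores the Farm name / Filter pair

    # Studio creates two rules per group: <DG>_Direct (NotViaAG) and <DG>_AG (ViaAG).
    # Only the ViaAG rule is filtered on SmartAccess tags.
    $agRule = Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid |
        Where-Object { $_.AllowedConnections -eq 'ViaAG' } | Select-Object -First 1

    if (-not $agRule) {
        $agRule = New-BrokerAccessPolicyRule -Name "$($dg.Name)_AG" -DesktopGroupUid $dg.Uid `
            -AllowedConnections ViaAG -AllowedProtocols @('HDX', 'RDP') -AllowedUsers AnyAuthenticated `
            -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags @($tag) -Enabled $true
    } else {
        # Enabling the filter with an explicit tag list hides the group from every
        # Gateway connection that does not carry this vServer/policy pair.
        Set-BrokerAccessPolicyRule -Name $agRule.Name `
            -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags @($tag)
    }
    return Get-BrokerAccessPolicyRule -Name $agRule.Name
}

function Get-SessionSmartAccessTags {
    # A Gateway session with no tags means StoreFront never forwarded them:
    # re-check Callback URL, XML trust and the ICA Only checkbox.
    Get-BrokerSession | Select-Object UserName, MachineName, ConnectedViaIP,
        @{ n = 'SmartAccessTags'; e = { $_.SmartAccessTags -join ';' } }
}

Set-DeliveryGroupGatewayFilter -Name $DeliveryGroup -Farm $GatewayVServer -Filter $SessionPolicy |
    Format-List Name, AllowedConnections, IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags
Get-SessionSmartAccessTags | Format-Table -AutoSize
```

Keep the `<DG>_Direct` rule untouched so internal (non-Gateway) users are unaffected, and remember that the tag value is matched against the Session Policy name exactly as it is spelled on the NetScaler, so renaming a Session Policy silently breaks the filter.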


35 thoughts on “SmartAccess / SmartControl – NetScaler 11”

  1. Great article, thank you.
    I configured a policy in our environment to not create client printers for remote connections. It works just fine on our internal NetScaler but as soon as I change the filter to the external gateway VIP name, it stops working (allows local printer creation).

    The external NetScaler is in our DMZ; does the XML port need to be open from the Gateway VIP to the DDC’s?
    Thanks again.

    1. Did you configure all of the SmartAccess prerequisites: Gateway licenses, no ICA Only, Trust XML, callback URL, etc.?

      If you add multiple filter types to a policy, I think it is AND, not OR.

      1. I’ve been reading a lot more and I think it is because of our authentication policy. We are using a SAML authentication policy at the Gateway with a redirection URL (secureauth). It’s an older product and doesn’t pass authentication through to StoreFront after the two factor authentication is completed. This means that Passthrough from NetScaler Gateway is turned off on the receiver for web site and it never uses the call back URL. The users are always presented with two authentication prompts; one at the gateway and one at StoreFront.

        I don’t think it will work with just a simple XD policy.

        I am setting up a NetScaler ICA policy now in QA to test.

  2. Good morning Carl,

    I have a customer who needs to control access to his environment to only his thin client devices (HP with Linux), as he is delivering their desktops via internet access but do not want their users to access it from anywhere else. What are your recommendations in this scenario?

    Thank you and your blog is awesome! 🙂

    1. Non-Windows Thin Clients would fail any EPA scan.

      You might be able to use User-Agent Header to control access, but be aware that User-Agent is easy to change by the user.

      1. Thank you!

        Sorry for my lack of knowledge, but the user-agent header that I know of is “receiver or not receiver”, is there a way to input the type of receiver as in Receiver for linux?

  3. Carl –

    My situation: We're using the same URL for internal and external NSGW VIPs in the environment. We need to implement Smart Access (NS version 11.0) so that we can limit connectivity to specified domain names.

    Question: In Step 9 under “Prerequisites” you state “If you are configuring Single FQDN for internal and external then the Callback FQDN must be different than the Single FQDN.”. Does the different FQDN need to be registered somewhere (DNS), to those NSGW VIP’s? Or can you just make something up and place it in the Netscaler Gateway Config on the Storefront servers?

    1. The callback is from StoreFront to Gateway. You can edit HOSTS file on StoreFront. Make sure the Gateway certificate matches the DNS name.

      1. Thank you, Carl-

        So, if our internal and external NSGW URL is “” (IP: 123.456.789.123) and I wanted to make my call back URL “”, I could place a host file entry on my Storefront box that looks like this: = 123.456.789.123 ?

        Is that what you’re saying on the first portion of your response?

        When you say “Gateway Certificate” are you referring to the Wildcard cert on the Netscalers?

        To further clarify: The Netscalers are currently working, we just want to add the “Endpoint Analysis” piece to check for Domain.

        1. If your Callback Gateway certificate is a wildcard, then it should match the new FQDN you make up for the callback.

          1. All that matters is that your Callback FQDN resolve to a Gateway VIP and the certificate on that Gateway matches whatever FQDN you’re using.

  4. Hi Carl, we’re currently working on trying to allow local printer pass through for one of my employers subsidiaries. We only want to allow the the client creation of printers if they are connecting from specific public IP’s (work offices). I can see how we could apply the policy based on NetScaler Access Policies, but I am not sure about the NetScaler end of things. Would EPA be the way to accomplish this? I do not have a lot of NetScaler experience, but I am working with our Network engineering team to see if we can pull this off. Thanks in advance, you are the best and have helped me get through a lot of issues in our Citrix 7.6 deployment.

    1. You might be able to create an ICA Policy (Smart Control) on the NetScaler that disables client printing. The Policy expression would be client.IP.SRC.EQ( or something like that. Or you can create two policies, one that disables printing and one that leaves it the default. Then bind both policies to the Gateway but in the correct priority order.

      1. Thanks Carl! I am Sorry I am just getting back to you, I was on PTO and it has been a whirlwind!. We are going to give that a shot and see how it goes. Right now we’re just researching to confirm that the client.IP.SRC will return the public IP of the client and not the endpoint IP (local address) of the client. I’m thinking it will work as expected, otherwise this is no different than setting a security policy within Citrix Studio based on IP (which can only check the endpoint IP).

        1. NetScaler sees the outer IP. The local client IP is embedded in ICA and not sure NetScaler can see that like the VDAs can.

          1. That answers that for me! Thank you! I am not sure when we will implement the solution, but I will definitely write back and let you and everyone know how it goes.

  5. Hi Carl,
    You mention setting ICA Only to be false switches the NetScaler to use Universal licenses. Currently, we have an Enterprise license, which has unlimited ICA connections, but only 5 "SSL VPN" licenses, and we're looking at using SmartAccess. However, if we untick ICA Only, does that mean that we have to upgrade the license to allow for all our users, even if the majority purely use ICA?

    Also, thanks for your blog, it’s been a lifesaver many times!


    1. Yes, Gateway Universal licenses are required for SmartAccess. If you have XA/XD Platinum then you already have the licenses. You can also buy them “a la carte”.

  6. Hi Carl

    Thanks again for the details.

    We have Netscaler 10.5, Standard Platform license and Universal Gateway license. Can we have Smart Access/Control feature there?

  7. Hi Carl,

    great Article.
    We configured SmartAccess with post-authentication EPA through Session Policy. EPA is working, but the correspondingly Citrix Policy is not working. We’re using Netscaler 11 and XenApp 6.5. Any idea why this is not working or where to find helpful log files? Thank you

    1. Syslog should show you the failed scan. On the client side there's an nsepa.txt file in C:\ProgramData.

      1. Hi Carl the scan is not the problem. This is working as expected. Depending on the result of the epa scan, another session policy is applied. And a citrix policy (example: drive mapping not allowed) is linked with the session policy. And this “link” is not working, and so the citrix policy is not applied.

        1. So SmartAccess is not working. This is usually because Callback is not configured in StoreFront, or XML Trust is not enabled in the farm Site Settings. You might have to run CDF Trace on StoreFront and/or the Controller to troubleshoot the issue.

          1. Carl, we use NetScaler 11 to perform an endpoint analysis to check whether the device is a domain member or not. In our environment, NetScaler is deployed in two-arm mode, so we have two AGVS and an AG-Callback VS. When configured following your steps, I find that an end device which is in our domain cannot get XenDesktop resources. Can you tell me what causes it? Many thanks.

          2. Is the EPA scan failing?

            Is it not working for anybody? If so, you might have to engage a Citrix Partner or Citrix Support to review your configuration.

          3. Dear Carl, thanks for your help! We have successfully built the endpoint analysis environment. When someone logs in to NetScaler Gateway, if a Sales user's device is not a domain member, he cannot get his resources. But another question: by customer requirements, when Executive & Administrative users log in, whether their device is a domain member or not, they will obtain their VDI resources. As you know, all the roles are using hosted shared desktops from ONE delivery group, so we cannot use the Access Policy in the delivery group to classify different roles that can or cannot get resources via SmartAccess. So, could you please tell me how to achieve our customer's requirements with NetScaler or other useful ways?

          4. SmartAccess is only configurable at the Delivery Group level. Do you want it for each published desktop?
