SmartAccess / SmartControl – Citrix Gateway

Last Modified: Apr 20, 2020 @ 5:07 am

This article applies to Citrix Gateway 13.0, Citrix Gateway 12.1, and NetScaler Gateway 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.


SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings, hide icons) based on how users connect to Citrix Gateway. Decisions are based on Citrix Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess vs SmartControl:

  • SmartAccess lets you control visibility of published icons; SmartControl does not.
  • SmartControl is configured entirely on Citrix Gateway, while SmartAccess requires configuration on both Citrix Gateway and inside Citrix Studio.
  • SmartControl requires Citrix ADC Premium Edition (formerly Platinum Edition) licensing, while SmartAccess is available in all Citrix ADC Editions.
    • Both features require Citrix Gateway Universal licenses for every concurrent connection.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in Citrix Virtual Apps and Desktops (CVAD) at any time, but it won't work until you do the following:

  1. Citrix ADC appliance license: See Feature Licensing in the Gateway Tweaks post. In summary:
    • SmartAccess is available in all editions of Citrix ADC appliances.
    • SmartControl is available only in Citrix ADC Premium Edition.
  2. Citrix Gateway Universal Licenses – On the Citrix ADC, go to System > Licenses, and make sure you have Citrix Gateway Universal Licenses allocated to the appliance.
    1. Most Citrix ADC Editions (except Citrix Gateway Enterprise VPX) come with built-in Gateway Universal licenses: Citrix ADC Standard Edition = 500 licenses, Citrix ADC Advanced Edition = 1,000 licenses, and Citrix ADC Premium Edition = unlimited licenses.
    2. Additional Citrix Gateway Universal licenses can be acquired through other means. See Feature Licensing in the Gateway Tweaks post for details.
    3. The Universal licenses are allocated to the hostname of the appliance (click the gear icon to change it), not the MAC address. In a High Availability pair, if each node has a different hostname, then you can allocate the licenses to one hostname, then reallocate to the other hostname. See Feature Licensing in the Gateway Tweaks post for details.
  3. Citrix Gateway must have ICA Only unchecked.
    1. On the Citrix ADC, go to Citrix Gateway > Virtual Servers, and edit your Gateway Virtual Server.
    2. In the Basic Settings section, click the pencil icon.
    3. Click More.
    4. Uncheck the box next to ICA Only, and click OK. This tells Citrix Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.
  4. Enable Trust XML on the Citrix Virtual Apps and Desktops (CVAD) Site/Farm:
    1. On a CVAD Controller, run PowerShell as Administrator.
    2. Run asnp citrix.* to load the snapins.
    3. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
  5. Configure Callback URL in StoreFront:
    1. In StoreFront Console, right-click the Stores node, and click Manage Citrix Gateways.
    2. Edit a Gateway.
    3. On the Authentication Settings page, make sure a Callback URL is configured. StoreFront uses this URL to ask the Gateway which Session Policy (or Preauthentication Policy) matched the user's session, so it must resolve to a Citrix Gateway VIP on the same appliance that authenticated the user. The Callback Gateway's certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external, then the Callback FQDN must be different from the Single FQDN.

Once the prerequisites are in place, configure Endpoint Analysis (optional), then SmartAccess and/or SmartControl, as detailed below.

Endpoint Analysis

Endpoint Analysis (EPA) scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices, and only from a web browser (not from native Workspace app or Receiver). Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

EPA Policies

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

  • With a Preauthentication Policy, if the Endpoint Analysis scan fails, then users can't log in.
  • With a post-authentication (Session) Policy, Endpoint Analysis doesn't run until after the user logs in. Typically, you create multiple Session Policies. One or more Session Policies have Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there's a fallback in case the client device doesn't support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.
    • Inside the Session Profile is a field for Client Security expression, which supports an EPA expression. This field is for VPN only, and does not affect SmartAccess.

Preauthentication Policies and Profiles are configured at Citrix Gateway > Policies > Preauthentication.

  1. On the right, switch to the Preauthentication Profiles tab, and create a Preauthentication Profile to allow access.

  2. Switch to the Preauthentication Policies tab, and create a Preauthentication Policy with an EPA expression. Select the Request Action that allows access.

  3. The right side of the Expression box has links to create EPA expressions, as detailed below.

Post-authentication Policies and Profiles are configured at Citrix Gateway > Policies > Session.

  1. When creating a Session Policy, the right side of the Expression box has links to create EPA expressions, as detailed below.
  2. Classic Syntax vs Default Syntax: EPA expressions can only be added to Classic Syntax Policies. If you click Switch to Default Syntax, then the OPSWAT EPA Editor disappears.
  3. If you edit a Session Profile, on the Security tab, under Advanced Settings, you will see a Client Security Check String box that lets you enter an EPA Expression. This field applies only to VPN and does not affect SmartAccess.

EPA Expressions

Citrix ADC has two Endpoint Analysis engines: the original Client Security engine, and the newer OPSWAT EPA engine.

  • Both EPA expression types require the Session Policy to be Classic Syntax. For the Citrix ADC builds this article covers, ignore any messages about Classic Syntax being deprecated; these policies still need Classic Syntax.

OPSWAT EPA Expressions

To configure OPSWAT EPA expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
  2. Use the drop-down menus to select the scan criteria.
  3. You will see some fields with a plus icon that lets you configure more details for the scan.

    • Note: the text in these policy expressions is case sensitive.
  4. Then click Done.

Additional OPSWAT EPA Info

See the following links for more Advanced EPA information:

Original Client Security Expressions

To configure the original Client Security expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
  2. Change the Expression Type to Client Security.
  3. Use the Component drop-down to select a component.
    1. A common configuration is to check for domain membership as detailed at Citrix CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
    2. Citrix CTX128039 How to Configure a Registry-Based EPA Scan Expression on NetScaler to Look for the Active Device or Computer Name of an Explicit Workstation

Once the Preauthentication and/or Session Policies are created, bind them to your Citrix Gateway Virtual Server:

  1. Edit a Citrix Gateway Virtual Server.
  2. Scroll down to the Policies section, and click the plus icon.
  3. Select either Preauthentication or Session, and select the policy you already created. Then click Bind.
  4. Session Policies with EPA Expressions are typically higher in the list (lower priority number) than non-EPA Session Policies.

EPA Libraries

In NetScaler 12.0 build 57 and newer, the EPA Libraries are updated out-of-band.

  1. Download the latest EPA libraries.
  2. In the Citrix ADC menu, click the Citrix Gateway node.
  3. On the right, in the left column, click Upgrade EPA Libraries.
  4. Click Choose File
  5. Browse to one of the .tgz library files (there is one for Windows and one for Mac), and click Open.
  6. Click Upgrade.
  7. Click OK when prompted that EPA Library upgraded successfully.
  8. Click Upgrade EPA Libraries again.
  9. Click Choose File.
  10. Browse to the other .tgz EPA library file, and click Open.
  11. Click Upgrade.
  12. Click OK when prompted that the EPA Library upgraded successfully.
  13. To see the versions, click Upgrade EPA Libraries.

EPA Plug-in

The EPA plug-in is automatically deployed when the user connects to Citrix Gateway – either before the logon page, or after the logon page.

To pre-deploy EPA plug-in, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy. This article describes how to extract the plug-in .msi file, and deploy using Group Policy.

EPA and Portal Themes

The webpages displayed to the user when downloading the EPA plug-in and running the EPA plug-in can be customized by editing a Portal Theme.

Look in the Advanced Settings column on the right for the three EPA pages. See Citrix CTX222812 How to Customize Custom Error Messages for NetScaler Gateway EPA Scans.

EPA Troubleshooting

From Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature:

  1. Go to Citrix Gateway > Global Settings.
  2. On the right, click Change Global Settings.
  3. On the Security tab, click Advanced Settings.
  4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
  5. When the scan fails, the user is presented with a Case ID.
  6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.

For client-side logging, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

  • Make a DWORD value named "EnableEPALogging", and set the value to 1.
  • After attempting the scan again, you'll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.

NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.

SmartAccess

Make sure the prerequisites are completed. This includes:

  • ICA Only unchecked on Citrix Gateway Virtual Server
  • Gateway Universal licenses installed
  • Callback URL configured at StoreFront
  • Trust XML enabled on Delivery Controllers

SmartAccess is configured in two places:

  • Delivery Group > Access Policy page
  • Citrix Policy (user half only) > filters > Access control

In both cases, you enter the name of a matching Gateway Virtual Server, and the name of a matching Session Policy (or Preauthentication Policy).

  • Set AG farm name or Site or Farm name to the name of the Citrix Gateway Virtual Server.
  • Set Access condition or Filter to the name of the Citrix Gateway Session Policy (or Preauthentication Policy).
  • You can use * as a wildcard in either field.
  • The matching Citrix Gateway Session Policy typically has an EPA Expression configured in the Policy Rule. That way the Session Policy only applies to connections that match the EPA Expression.

Icon visibility – Access Control at the Delivery Group controls visibility of icons published from that Delivery Group.

  • Access Control on a Delivery Group is Allow only. Icons are hidden from non-matching connections.
  • You can uncheck¬†Connections through Citrix Gateway to hide the published icons from all Citrix Gateway connections.
  • It’s not possible to hide individual published applications. You can hide all applications from a single Delivery Group, or none of them. If you need more granularity, then you’ll have to split the applications onto different Delivery Groups.
  • App Groups do not have an Access Control option. It’s Delivery Groups only.

Citrix Policy Settings – Access Control filter on a Citrix Policy determines if the Policy settings apply or not.

  • Access Control filter applies to User Settings only. It’s not configurable for Computer Settings.
  • You typically configure the Unfiltered Citrix Policy to block all client device mappings. Then you configure a higher priority Citrix Policy with Access Control filter to re-enable client device mappings for endpoint machines that match the Session Policy and EPA Expression.

When connected to a session, Director shows SmartAccess Filters on the Session Details page. Notice the Farm Name (Gateway Virtual Server name) and Filter Name (Session Policy name).
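The Controller side of the configuration above, as an added example that is not part of the original article or of Citrix's own documentation: it uses the Broker PowerShell SDK on a Delivery Controller (an elevated PowerShell, as in prerequisite step 4) to enable Trust XML, attach a SmartAccess filter to a Delivery Group's access policy rule, and read back the SmartAccess tags that Director displays. The Delivery Group name, the Gateway Virtual Server name and the Session Policy name are assumptions; use your own.

```powershell
# Added example (not from the original article): the Delivery Controller side
# of SmartAccess via the Broker PowerShell SDK. Run on a Controller as admin.
# The three names below are assumptions for illustration.

asnp Citrix.*    # loads the Citrix snap-ins; Citrix.Broker.Admin.V2 supplies the cmdlets used here

$gatewayVServer = 'gw_vsrv'      # assumption: Gateway Virtual Server name exactly as shown on the ADC
$sessionPolicy  = 'SP_EPA_AV'    # assumption: Session Policy whose rule is the EPA expression
$deliveryGroup  = 'Secure Apps'  # assumption: Delivery Group whose icons should be filtered

# Prerequisite 4: Trust XML. Without it the Controller ignores the SmartAccess
# tags StoreFront forwards from the Gateway. Report first, fix only if needed.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
    Write-Host 'Trust XML was off; enabled.'
}

# A SmartAccess tag is "<AG farm name>:<access condition>", the two values the
# article says to enter in Studio; "*" is accepted as a wildcard in either half.
$tag = '{0}:{1}' -f $gatewayVServer, $sessionPolicy

# Every Delivery Group has two access policy rules, "<DG>_AG" (through Gateway)
# and "<DG>_Direct". The Access Policy page in Studio edits the _AG rule.
$ruleName = '{0}_AG' -f $deliveryGroup
Set-BrokerAccessPolicyRule -Name $ruleName `
    -AllowedConnections ViaAG `
    -IncludedSmartAccessFilterEnabled $true `
    -IncludedSmartAccessTags $tag

# Verify: only Gateway connections that carry the tag now see this group's icons.
Get-BrokerAccessPolicyRule -Name $ruleName |
    Select-Object Name, AllowedConnections, IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags

# What Director shows as "SmartAccess Filters": the tags attached to each live
# session. A Gateway session with no tags usually means one of the prerequisites
# (ICA Only unchecked, Callback URL, Trust XML) is not in place.
Get-BrokerSession | Where-Object { $_.SmartAccessTags } |
    Select-Object UserName, ClientName, @{ n = 'SmartAccessTags'; e = { $_.SmartAccessTags -join ', ' } }
```

The Access Control filter on a Citrix Policy (user half) is still set in Studio as described above; this example only covers the Delivery Group rule and the verification of the tags the Controller actually received.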

SmartControl

The SmartControl feature lets you configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at Citrix Docs for detailed instructions.

  • Note: SmartControl requires Citrix ADC Premium Edition. If you don’t have Premium Edition, you can instead configure SmartAccess.
  • SmartControl cannot hide published icons. If you need that functionality, configure SmartAccess, either as a replacement for SmartControl, or as an addition to SmartControl.

To configure SmartControl:

  1. Make sure the Prerequisites are completed. This includes: ICA Only unchecked and Gateway Universal licenses installed. Callback URL and Trust XML are not needed.
  2. If you are using a Preauthentication Policy to run an Endpoint Analysis scan:
    1. Edit the Preauthentication Profile.
    2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
  3. If you are instead using a Session Policy to run the post-authentication Endpoint Analysis scan:
    1. Edit the Session Profile
    2. On the Security tab, use the Smartgroup field to define a new group name for users that pass the scan. You’ll use this group name later.
  4. On the left, expand Citrix Gateway, expand Policies, and click ICA.
  5. On the right, switch to the Access Profiles tab, and click Add.

    1. Configure the restrictions as desired, and click Create.
  6. Switch to the ICA Action tab, and click Add.

    1. Give the ICA Action a name.
    2. Select the ICA Access Profile.
    3. Click Create.
  7. Switch to the ICA Policies tab, and click Add.
  8. In the Create ICA Policy page, do the following:
    1. Give the ICA Policy a name.
    2. Select the previously created ICA Action.
    3. Enter an expression. You can use HTTP.REQ.USER.IS_MEMBER_OF("MyGroup").NOT where MyGroup is the name of the SmartGroup you configured in the Session Profile or Preauthentication Profile. The .NOT means the ICA Access Profile restrictions apply to connections that did not pass the scan; connections that joined the SmartGroup match no ICA Policy and keep whatever Citrix Policy allows.
  9. Click Create when done.
  10. Edit your Gateway Virtual Server.
    1. Scroll down to the Policies section, and click the plus icon.
    2. Change the Choose Type drop-down to ICA, and click Continue.
    3. Select the SmartControl policy you created earlier, and click Bind.
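The Gateway side of the post-authentication EPA policies (EPA Policies and EPA Expressions sections above) and of the SmartControl steps just listed, as an added example that is not part of the original article or of Citrix's documentation: it creates the same objects through the Citrix ADC NITRO REST API from PowerShell so the configuration can be reproduced and reviewed. The management URL, the StoreFront URL, the Gateway Virtual Server name gw_vsrv, the SmartGroup EPA_PASS, the bind-point value for the ICA policy, and every object name are assumptions.

```powershell
# Added example, not from the original article or from Citrix: builds the EPA
# session policies and the SmartControl objects over the Citrix ADC NITRO REST
# API. The management URL, StoreFront URL, vserver name, SmartGroup name, object
# names and the ICA bind-point value are assumptions for illustration.

$nsBase = 'https://nsmgmt.corp.local/nitro/v1/config'   # assumption: ADC management address
$cred   = Get-Credential -Message 'Citrix ADC user with read/write system access'
$headers = @{
    'X-NITRO-USER' = $cred.UserName
    'X-NITRO-PASS' = $cred.GetNetworkCredential().Password
}

# NITRO "add" is a POST of {"<resource>": {...}} to /nitro/v1/config/<resource>;
# bindings use the same shape. Errors (object exists, bad attribute) are shown
# and the script continues so one failure does not hide the rest.
function Add-NitroObject {
    param([Parameter(Mandatory)][string]$Resource,
          [Parameter(Mandatory)][hashtable]$Body)
    $json = @{ $Resource = $Body } | ConvertTo-Json -Depth 5
    try {
        Invoke-RestMethod -Method Post -Uri "$nsBase/$Resource" -Headers $headers `
            -ContentType 'application/json' -Body $json -ErrorAction Stop | Out-Null
        Write-Host "added $Resource '$($Body.name)'"
    } catch {
        Write-Warning "$Resource '$($Body.name)': $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

$vserver    = 'gw_vsrv'     # assumption: Citrix Gateway Virtual Server name
$smartGroup = 'EPA_PASS'    # assumption: SmartGroup name (step 3.2 above)
$storeWeb   = 'https://storefront.corp.local/Citrix/StoreWeb'   # assumption

# ---- Post-authentication EPA: two session profiles, two session policies ----
# Passing the scan joins the SmartGroup; the fallback profile is identical but
# has no SmartGroup, so devices that cannot run EPA (mobile) still get ICA Proxy.
$icaProxyProfile = @{
    transparentinterception = 'OFF'; defaultauthorizationaction = 'ALLOW'
    sso = 'ON'; icaproxy = 'ON'; wihome = $storeWeb
}
Add-NitroObject vpnsessionaction ($icaProxyProfile + @{ name = 'SA_EPA_Pass'; smartgroup = $smartGroup })
Add-NitroObject vpnsessionaction ($icaProxyProfile + @{ name = 'SA_Fallback' })

# Classic-syntax EPA rule (the generic antivirus real-time-protection scan from
# CTX204764, quoted in the comments below); expression text is case sensitive.
Add-NitroObject vpnsessionpolicy @{
    name   = 'SP_EPA_AV'
    rule   = "CLIENT.APPLICATION('ANTIVIR_0_RTP_==_TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS"
    action = 'SA_EPA_Pass'
}
Add-NitroObject vpnsessionpolicy @{ name = 'SP_Fallback'; rule = 'ns_true'; action = 'SA_Fallback' }

# The EPA policy gets the lower priority number so it is evaluated first.
Add-NitroObject vpnvserver_vpnsessionpolicy_binding @{ name = $vserver; policy = 'SP_EPA_AV';  priority = 100 }
Add-NitroObject vpnvserver_vpnsessionpolicy_binding @{ name = $vserver; policy = 'SP_Fallback'; priority = 110 }

# ---- SmartControl: ICA Access Profile -> ICA Action -> ICA Policy -> bind ----
# DEFAULT leaves a setting to Citrix Policy on the Controllers; DISABLED blocks
# it at the Gateway regardless of what Citrix Policy allows.
Add-NitroObject icaaccessprofile @{
    name                       = 'AP_NoDeviceMapping'
    clientdriveredirection     = 'DISABLED'
    clientclipboardredirection = 'DISABLED'
    clientprinterredirection   = 'DISABLED'
    clientusbdriveredirection  = 'DISABLED'
    clientcomportredirection   = 'DISABLED'
    connectclientlptports      = 'DISABLED'
}
Add-NitroObject icaaction @{ name = 'ICA_ACT_NoDeviceMapping'; accessprofilename = 'AP_NoDeviceMapping' }

# .NOT: restrictions apply only to sessions that did not join the SmartGroup
# (failed or skipped EPA); sessions that passed fall through to Citrix Policy.
Add-NitroObject icapolicy @{
    name   = 'ICA_POL_NoDeviceMapping'
    rule   = "HTTP.REQ.USER.IS_MEMBER_OF(`"$smartGroup`").NOT"
    action = 'ICA_ACT_NoDeviceMapping'
}

# Bind to the Gateway vserver. The bind-point value for ICA policies is an
# assumption here; confirm with "show vpn vserver gw_vsrv" on the appliance.
Add-NitroObject vpnvserver_icapolicy_binding @{
    name = $vserver; policy = 'ICA_POL_NoDeviceMapping'
    priority = 100; gotopriorityexpression = 'END'; bindpoint = 'ICA_REQUEST'
}
```

Run it with a dedicated ADC system user whose command policy is limited to the vpn and ica commands rather than nsroot, and confirm afterwards that ICA Only is still unchecked on the vserver and Universal licenses are allocated; without those the session policies bind but the SmartGroup and ICA policy never take effect.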

Related Pages

16 thoughts on “SmartAccess / SmartControl – Citrix Gateway”

  1. Hi Carl,
    I have a problem implementing EPA checks.
    I have configured an AAA vserver in front of my Citrix Gateway with EPA next factor and I have configured some different policies and Policylabels with specific EPA actions, depending on users groups or User-Agents.
    I wrote an exclusion for all non-windows devices, preventing any kind of EPA checks.
    All works fine except with iOS devices: when I configure Workspace App in automatic/native mode (XenApp Services) I get a generic error "no apps available at this time". If I use the manual configuration with web interface mode, Workspace App prompts for credentials and all works fine, but I lose some good features (e.g. Face ID authentication for login).
    I have read in some posts and docs that iOS does not support NetScaler nFactor Authentication nor Advanced Authentication methods (really????) https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf.
    Is there a way to bypass advanced auth only for iOS devices, or do I have to configure another logon point for mobile devices pointing directly to a Gateway?
    I tried to configure a Policylabel (higher priority) with only a policy with an LDAP action but of course it does not work.

    Thank you in advance

    1. Hi Carl,
      just a quick update on my request. I tried CR01 on iOS instead of Workspace App and I was able to display and launch my applications. I opened a case; I'm waiting for support's analysis.

      Thank you
      Harald

  2. Hi Carl,

    I’ve been able to setup SmartAccess and I was going to test it by creating AAA user and Session policy with EPA expression under Security -> AAA Application Traffic -> Policies -> Session and bind that to AAA User, but for some reason the Session Policy does not accept e.g. the following classic syntax policy:

    CLIENT.APPLICATION('FIREWALL_0_ENABLED_==_TRUE[COMMENT: Generic Firewall Product Scan]') EXISTS

    I get the following error: Expression syntax error [CLIENT.^APPLICATIO, Offset 7]

    Also the OPSWAT EPA Editor link is not available when configuring session policy. I had similar difficulties with session policies under Citrix Gateway, but after trying for couple of times it eventually accepted the expression, and only after being able to create the first session policy with the EPA Expression the OPSWAT EPA Editor link became visible in new policies. Should I be able to configure the Classic EPA Expression under Security -> AAA Application Traffic -> Policies -> Session?

    NetScaler VPX 12.1 55.13 with Enterprise license

    1. Not under AAA, but under Gateway, yes. At Gateway -> Policies -> Session you can create a Classic Session Policy. Note: VPN Session Policies are different from TM (aka AAA) Session Policies. For Gateway connections, you want VPN Session Policy, not TM Session Policy.

  3. Hi Carl,

    I have configured pre-authentication policy on my Netscaler VPX appliance. While downloading EPA plugin I am getting following error
    – Forbidden
    You don’t have permission to access /epa/scripts/win/nsepa_setup.exe on this server.
    I need your help to fix this issue

    Regards,
    Ilyas Ahmed

  4. Hi Carl,

    Is it possible to access 1 Delivery Group via 2 different VIP (one VIP is for public and Second VIP for client specific) through Access Policy (Edit Delivery Group)?

    Thanks,
    AJ

    1. Are you asking if you can add more than one Filter to the Delivery Group > Access Policy page? The GUI seems to indicate that you can.

  5. Hi, Carl
    Could you please help us? When I update EPA Libraries I get this error: "Required files are missing. Check whether the tar ball "mac_epa.tgz" is valid"
    Platform NSMPX-5500 /NS12.0 53.13.nc

  6. Hi Carl,
    I can’t really understand.
    What license do I need to use NetScaler Gateway ICA policies and profiles?
    For example: I want to apply an ICA Access Profile to disable LPT printer redirection.

    What license do I need to use this capability:
    Standard, Enterprise, or Platinum?

  7. Hi Carl,

    According to CTX204764, it is possible to check the presence of an antivirus without mentioning specific vendors

    add aaa preauthenticationpolicy "CLIENT.APPLICATION('ANTIVIR_0_RTP_==_TRUE[COMMENT: Generic Antivirus Product Scan]') EXISTS"

    Is there a way to check whether the antivirus in place is active ? (in order to handle cases where the end user could have admin privileges on his machine and be able to disable the antivirus)

    Have a great day 😉

    Kind regards

    Yvan

  8. Hello Carl,

    Thanks so much for clarifying this. Could you please help us in a scenario where we have 4 access profiles, 3 with different permit rules: one for Clipboard, one for printer, one for Drive map, and the last one is Block_ALL. Each permit looks for membership of the user in a separate AD group: Allow_printer, Allow_Drive, Allow_Clipboard. Then we created 4 ICA policies, 3 for the permit Actions/Access profiles for printer, clipboard and Drive, and the last one for Block_All. The 3 permit policies (clipboard, drive and ) are bound to Override_Global with priority 80, 90 and 100. Block_All is bound to Default Global. But when we log in, only the first permit takes effect when the user is part of all 3 permit AD groups; the others are being ignored.

    Something similar to below thread but in context of ICA policy.

    https://discussions.citrix.com/topic/347876-access-gateway-session-policy-bound-to-ad-group/?_ga=2.149900534.1966599676.1516636603-707661493.1513697800

    1. When you bind the policy and set priority, what is the «goto expression» value? Default is END, try setting NEXT to continue evaluating policies after the first hit.
