💡 = Recently Updated
SmartAccess / SmartControl
SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings) based on how users connect. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.
SmartAccess can also control application/desktop icon visibility.
Other than the NetScaler appliance license, both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time but it won’t work until you do the following:
- NetScaler appliance license – SmartAccess works with all editions of NetScaler appliances. However, SmartControl only works with NetScaler Platinum Edition.
- Gateway Universal licenses – Both SmartAccess and SmartControl require NetScaler Gateway Universal licenses. NetScaler 11.1 build 49 and newer come with a minimum of 500 Universal licenses so this might no longer be an issue. In 11.1 build 49 and newer, NetScaler Standard Edition comes with 500 licenses, NetScaler Enterprise Edition comes with 1,000 licenses, and NetScaler Platinum Edition comes with unlimited licenses.
- On the NetScaler, go to System > Licenses and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance. The Universal licenses are allocated to the hostname of the appliance (click the gear icon), not the MAC address. In a High Availability pair, if each node has a different hostname then you can allocate the licenses to one hostname, then reallocate to the other hostname.
- After installing licenses, go to NetScaler Gateway > Global Settings.
- On the top right, click Change authentication AAA settings.
- At the top of the page, change the Maximum Number of Users to match your installed license count. Then click OK. This setting is commonly missed and if not configured it defaults to only 5 concurrent connections.
- On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
- Run asnp citrix.* to load the snapins.
- Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
- In StoreFront Console, go to the NetScaler Gateway node and edit (Change General Settings) the existing Gateway object.
- Make sure a Callback URL is configured to resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external then the Callback FQDN must be different than the Single FQDN.
- On the NetScaler, go to NetScaler Gateway > Virtual Servers and edit your Gateway Virtual Server.
- In the Basic Settings section, click the pencil icon.
- Click More.
- Uncheck the box next to ICA Only and click OK. This tells NetScaler Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.
Once the prerequisites are in place, do the following as detailed below:
- Optionally, configure Endpoint Analysis.
- Configure either SmartControl or SmartAccess.
Endpoint Analysis scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.
Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.
There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.
- With a Preauthentication Policy, if the Endpoint Analysis scan fails then users can’t login.
- With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more policies has Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.
NetScaler 11 has two Endpoint Analysis engines: the classic Client Security engine and the newer OPSWAT Advanced EPA engine.
To configure OPSWAT Advanced EPA expressions:
- When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
- Use the drop-down menus to select the scan criteria. Then click Done.
See the following links for more Advanced EPA information:
- Advanced Endpoint Analysis Policy Expression Reference at docs.citrix.com
- Citrix Blog Post Patch Management Endpoint Analysis on NetScaler Gateway
To configure Client Security expressions:
- When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
- Change the Expression Type to Client Security.
- Use the Component drop-down to select a component. A common configuration is to check for domain membership as detailed at CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
- You can also use EPA expressions when configuring a Quarantine Group.
Once the Policies are created, bind them to your NetScaler Gateway Virtual Server:
- Edit a NetScaler Gateway Virtual Server.
- Scroll down to the Policies section and click the plus icon.
- Select either Preauthentication or Session and select the policy you already created. Then click Bind.
Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature: 💡
- Go to NetScaler Gateway > Global Settings.
- On the right, click Change Global Settings.
- On the Security tab, click Advanced Settings.
- Scroll down, check the box next to Enable Client Security Logging, and click OK.
- When the scan fails, the user is presented with a Case ID.
- You can then grep
/var/log/ns.logfor the Case ID. Or search your syslog.
To determine why your EPA scans fail, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
Make a DWORD value named “EnableEPALogging” and set the value to 1.
After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.
NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.
NetScaler 11.0 has a new SmartControl feature, where you can configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at docs.citrix.com for detailed instructions.
- If you are using a Preauthentication Policy to run an Endpoint Analysis scan, edit the Preauth profile.
- Configure the Default EPA Group with a new group name. You’ll use this group name later.
- If you are instead using a Session Policy/Profile to run the post-authentication Endpoint Analysis scan, on the Security tab, use the Smartgroup field to define a group name for users that pass the scan. You’ll use this group name later.
- On the left, expand NetScaler Gateway, expand Policies, and click ICA.
- On the right, switch to the Access Profiles tab and click Add.
- Configure the restrictions as desired and click OK.
- Switch to the ICA Action tab and click Add.
- Give the Action a name and select the Access Profile. Click Create.
- Switch to the ICA Policies tab and click Add.
- Select the previously created ICA Action.
- Enter an expression. You can use REQ.USER.IS_MEMBER_OF(“MyGroup”) where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan. Click Create when done.
- Edit your Gateway Virtual Server.
- Scroll down to the Policies section and click the plus icon.
- Change the Policy Type to ICA and click Continue.
- Select the SmartControl policy you created earlier and click Bind.
CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance
In XenApp/XenDesktop, edit a Citrix policy and add the Access Control filter. If you are using GPO to deliver Citrix Policies, then only Citrix Policies in the user half of the GPO support Access Control filters.
You can leave the default wildcards for farm name and condition to match all NetScaler Gateway connections. Or you can match specific NetScaler Gateway / Session Policy connections:
- AG farm name = name of the NetScaler Gateway Virtual Server.
- Access condition = name of the NetScaler Gateway Session Policy.
You typically create a Citrix policy to turn off all client device mappings for all external users. Then you create a higher priority Citrix policy that re-enables client device mappings for those users that passed the Endpoint Analysis scan expression on a particular Session Policy.
If you edit a Delivery Group, there’s an Access Policy page where you can hide or show the Delivery Group for all NetScaler Gateway connections or for specific NetScaler Gateway Virtual Server / Session Policy connections.
- Farm name = NetScaler Gateway Virtual Server name
- Filter = NetScaler Gateway Session Policy name
This configuration is only available at the entire Delivery Group. It is not possible to perform this configuration for only specific published applications unless they are on different Delivery Groups.