SmartAccess / SmartControl – NetScaler Gateway 12

Last Modified: Mar 18, 2019 @ 11:31 am


ūüí° = Recently Updated

Change Log

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings, hide icons) based on how users connect to NetScaler Gateway. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess vs SmartControl:

  • SmartAccess lets you control visibility of published icons, while SmartControl does not.
  • SmartControl is configured exclusively on NetScaler, while SmartAccess requires configuration on both NetScaler, and inside Citrix Studio.
  • SmartControl requires NetScaler Platinum Edition licensing, while SmartAccess is available in all NetScaler Editions.
    • Both features require NetScaler Gateway Universal licenses for every concurrent connection.


Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time, but it won’t work, until you do the following:

  1. NetScaler appliance license: See Feature Licensing in the Gateway Tweaks post. In summary:
    • SmartAccess is available in all editions of NetScaler appliances.
    • SmartControl is available only in NetScaler Platinum Edition.
  2. NetScaler Gateway Universal Licenses – On the NetScaler, go to System > Licenses, and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance.
    1. Most NetScaler Editions (except NetScaler Gateway Enterprise VPX) come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1,000 licenses, and NetScaler Platinum Edition = unlimited licenses.
    2. Additional NetScaler Gateway Universal licenses can be acquired through other means. See Feature Licensing in the Gateway Tweaks post for details.
    3. The Universal licenses are allocated to the hostname of the appliance (click the gear icon to change it), not the MAC address. In a High Availability pair, if each node has a different hostname, then you can allocate the licenses to one hostname, then reallocate to the other hostname. See Feature Licensing in the Gateway Tweaks post for details.

  3. NetScaler Gateway must have ICA Only unchecked.
    1. On the NetScaler, go to NetScaler Gateway > Virtual Servers, and edit your Gateway Virtual Server.
    2. In the Basic Settings section, click the pencil icon.
    3. Click More.
    4. Uncheck the box next to ICA Only, and click OK. This tells NetScaler Gateway to start using Universal licenses, and enables the SmartAccess and SmartControl features.
  4. Enable Trust XML on the XenDesktop Site/Farm:
    1. On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
    2. Run asnp citrix.* to load the snapins.
    3. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
  5. Configure Callback URL in StoreFront:
    1. In StoreFront Console, right-click the Stores node, and click Manage NetScaler Gateways.
    2. Edit a Gateway.
    3. On the Authentication Settings page, make sure a Callback URL is configured. The Callback URL must resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external, then the Callback FQDN must be different than the Single FQDN.

Once the prerequisites are in place, do the following as detailed below:

Endpoint Analysis

Endpoint Analysis (EPA) scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices, and only from a web browser (not from native Receiver). Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

EPA Policies

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

  • With a Preauthentication Policy, if the Endpoint Analysis scan fails, then users can‚Äôt login.
  • With a Postauthentication Policy, Endpoint Analysis doesn‚Äôt run until after the user logs in. Typically, you create multiple Session Policies. One or more Session Policies have Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there‚Äôs a fallback in case the client device doesn‚Äôt support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.
    • Inside the Session Profile is a field for Client Security expression, which supports an EPA expression. This field is for VPN only, and does not affect SmartAccess.

Preauthentication Policies and Profiles are configured at NetScaler Gateway > Policies > Preauthentication.

  1. On the right, switch to the Preauthentication Profiles tab, and create a Preauthentication Profile to allow access.

  2. Switch to the Preauthentication Policies tab, and create a Preauthentication Policy with an EPA expression. Select the Request Action that allows access.

  3. The right side of the Expression box has links to create EPA expressions, as detailed below.

Post-authentication Policies and Profiles are configured at NetScaler Gateway > Policies > Session.

  1. When creating a Session Policy, the right side of the Expression box has links to create EPA expressions, as detailed below. Note: In NetScaler 12 build 51, the OPSWAT EPA Editor link does not work correctly. But you can use the OPSWAT EPA Editor on a Preauthentication Policy, and then copy the expression to a Session Policy.
  2. Classic Syntax vs Default Syntax РEPA expressions can only be added to Classic Syntax Policies. If you click Switch to Default Syntax, then the OPSWAT EPA Editor disappears.
  3. If you edit a Session Profile, on the Security tab…
  4. Under Advanced Settings, you will see a Client Security Check String box that lets you enter an EPA Expression. This field applies to VPN only, and does not affect SmartAccess.

EPA Expressions

NetScaler has two Endpoint Analysis engines: the original Client Security engine, and the newer OPSWAT EPA engine.

  • Both EPA expression types require the Session Policy to be Classic Syntax. If you see any messages about Classic Syntax being deprecated, ignore those messages.

OPSWAT EPA Expressions

To configure OPSWAT EPA expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
  2. Use the drop-down menus to select the scan criteria.
  3. You will see some fields with a plus icon that lets you configure more details for the scan.

    • Note: the text in these policy expressions is case sensitive.
  4. Then click Done.

Additional OPSWAT EPA Info

See the following links for more Advanced EPA information:

Original Client Security Expressions

To configure the original Client Security expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
  2. Change the Expression Type to Client Security.
  3. Use the Component drop-down to select a component.
    1. A common configuration is to check for domain membership as detailed at Citrix CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
    2. Citrix CTX128039 How to Configure a Registry-Based EPA Scan Expression on NetScaler to Look for the Active Device or Computer Name of an Explicit Workstation

Once the Preauthentication and/or Session Policies are created, bind them to your NetScaler Gateway Virtual Server:

  1. Edit a NetScaler Gateway Virtual Server.
  2. Scroll down to the Policies section, and click the plus icon.
  3. Select either Preauthentication or Session, and select the policy you already created. Then click Bind.
  4. Session Policies with EPA Expressions are typically higher in the list (lower priority number) than non-EPA Session Policies.

EPA Libraries

In NetScaler 12.0 build 57 and newer, the EPA Libraries are updated out-of-band.

  1. Download the latest EPA libraries.
  2. In the NetScaler ADC menu, click the NetScaler Gateway node.
  3. On the right, in the left column, click Upgrade EPA Libraries.
  4. Click Choose File
  5. Browse to one of the .tgz library files, and click Open.
  6. Click Upgrade.
  7. Click OK when prompted that EPA Library upgraded successfully.
  8. Click Upgrade EPA Libraries again.
  9. Click Choose File.
  10. Browse to the other .tgz EPA library file, and click Open.
  11. Click Upgrade.
  12. Click OK when prompted that upgraded successfully.
  13. To see the versions, click Upgrade EPA Libraries.

EPA Plug-in

The EPA plug-in is automatically deployed when the user connects to NetScaler Gateway – either before the logon page, or after the logon page.

To pre-deploy EPA plug-in, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy. This article describes how to extract the plug-in .msi file, and deploy using Group Policy.

EPA and Portal Themes

The webpages displayed to the user when downloading the EPA plug-in and running the EPA plug-in can be customized by editing a Portal Theme.

Look in the Advanced Settings column on the right for the three EPA pages. Citrix CTX222812 How to Customize Custom Error Messages for NetScaler Gateway EPA Scans.

EPA Troubleshooting

From Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature:

  1. Go to NetScaler Gateway > Global Settings.
  2. On the right, click Change Global Settings.
  3. On the Security tab, click Advanced Settings.
  4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
  5. When the scan fails, the user is presented with a Case ID.
  6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.

For client-side logging, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

  • Make a DWORD value named¬†“EnableEPALogging“, and set the value to 1.
  • After attempting the scan again, you’ll find¬†the¬†file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.

NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.



Make sure the prerequisites are completed. This includes:

  • ICA Only unchecked on NetScaler Gateway Virtual Server
  • Gateway Universal licenses installed
  • Callback URL configured at StoreFront
  • Trust XML enabled on Delivery Controllers

SmartAccess is configured in two places:

  • Delivery Group > Access Policy¬†page
  • Citrix Policy (user half only) > filters > Access control

In both cases, you enter the name of a matching Gateway Virtual Server, and the name of a matching Session Policy (or Preauthentication Policy).

  • Set AG farm name¬†or Site or Farm name¬†to the name of the NetScaler Gateway Virtual Server.
  • Set Access condition or¬†Filter¬†to the name of the NetScaler Gateway Session Policy (or Preauthentication Policy).
  • You can use * as a wildcard in either field.
  • The matching NetScaler Gateway Session Policy typically has an¬†EPA Expression configured in the Policy Rule. That way the Session Policy only applies to connections that match the EPA Expression.

Icon visibility – Access Control at the Delivery Group controls visibility of icons published from that Delivery Group.

  • Access Control on a Delivery Group is Allow only. Icons are hidden from non-matching connections.
  • You can uncheck¬†Connections through NetScaler Gateway to hide the published icons from all NetScaler Gateway connections.
  • It’s not possible to hide individual published applications. You can hide all applications from a single Delivery Group, or none of them. If you need more granularity, then you’ll have to split the applications onto different Delivery Groups.
  • App Groups do not have an Access Control option. It’s Delivery Groups only.

Citrix Policy Settings – Access Control filter on a Citrix Policy determines if the Policy settings apply or not.

  • Access Control filter applies to User Settings only. It’s not configurable for Computer Settings.
  • You typically configure the Unfiltered Citrix Policy to block all client device mappings. Then you configure a higher priority Citrix Policy with Access Control filter to re-enable client device mappings for endpoint machines that match the Session Policy and EPA Expression.

When connected to a session, Director shows SmartAccess Filters on the Session Details page. Notice the Farm Name (Gateway Virtual Server name) and Filter Name (Session Policy name)


The SmartControl feature lets you configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at Citrix Docs for detailed instructions.

  • Note: SmartControl requires NetScaler Platinum Edition. If you don’t have Platinum Edition, you can instead configure SmartAccess.
  • SmartControl cannot hide published icons. If you need that functionality, configure SmartAccess, either as a replacement for SmartControl, or as an addition to SmartControl.

To configure SmartControl:

  1. Make sure the Prerequisites are completed. This includes: ICA Only unchecked and Gateway Universal licenses installed. Callback URL and Trust XML are not needed.
  2. If you are using a Preauthentication Policy to run an Endpoint Analysis scan:
    1. Edit the Preauthentication Profile.
    2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
  3. If you are instead using a Session Policy to run the post-authentication Endpoint Analysis scan:
    1. Edit the Session Profile
    2. On the Security tab, use the Smartgroup field to define a new group name for users that pass the scan. You’ll use this group name later.
  4. On the left, expand NetScaler Gateway, expand Policies, and click ICA.
  5. On the right, switch to the Access Profiles tab, and click Add.

    1. Configure the restrictions as desired, and click Create.
  6. Switch to the ICA Action tab, and click Add.

    1. Give the ICA Action a name.
    2. Select the ICA Access Profile.
    3. Click Create.
  7. Switch to the ICA Policies tab, and click Add.
  8. In the Create ICA Policy page, do the following:
    1. Give the ICA Policy a name.
    2. Select the previously created ICA Action.
    3. Enter an expression. You can use HTTP.REQ.USER.IS_MEMBER_OF(“MyGroup”).NOT¬†where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan.
  9. Click Create when done.
  10. Edit your Gateway Virtual Server.
    1. Scroll down to the Policies section, and click the plus icon.
    2. Change the Choose Type drop-down to ICA, and click Continue.
    3. Select the SmartControl policy you created earlier, and click Bind.

Related Pages

10 thoughts on “SmartAccess / SmartControl – NetScaler Gateway 12”

  1. Hi Carl,

    Is it possible to access 1 Delivery Group via 2 different VIP (one VIP is for public and Second VIP for client specific) through Access Policy (Edit Delivery Group)?


    1. Are you asking if you can add more than one Filter to the Delivery Group > Access Policy page? The GUI seems to indicate that you can.

  2. Hi, Carl
    Cloud you please help us, when i update epa Libraries get this error info”Required files are missing. Check whether the tar ball “mac_epa.tgz” is valid”
    Platform NSMPX-5500 /NS12.0

  3. Hi Carl,
    I can’t really understand.
    what license do I need to use NetScaler Gateway ICA policies and profiles?
    for example: I want to apply ICA Access Profile to disable LPT printers redirection.

    what license do I need to use this capability.

  4. Hi Carl,

    According to CTX204764, it is possible to check the presence of an antivirus without mentioning specific vendors

    add aaa preauthenticationpolicy “CLIENT.APPLICATION(‘ANTIVIR_0_RTP_==_TRUE[COMMENT: Generic Antivirus Product Scan]’) EXISTS”

    Is there a way to check whether the antivirus in place is active ? (in order to handle cases where the end user could have admin privileges on his machine and be able to disable the antivirus)

    Have a great day ūüėČ

    Kind regards


  5. Hello Carl,

    Thanks so much for clarifying this. Could you please help us in a scenario where we have 4 access profiles,3 with different permit rules. one for Clipboard, one for printer, one for Drive map and last one is Block_ALL. each permit looks membership of user into separate AD group. Allow_printer , Allow_Drive, Allow_Clipboard. Then we created 4 ICA policy 3 for the the permits Action/Access profile for printer clipboard and Drive. Last one for Block_All. 3 permits policy (clipboard, drive and ) are binded to Override_Global with priority 80 90 and 100. Block_All is binded to Default Global. but when we login only the first one in permit takes affect when user is part of all 3 permit AD group. other are being ignored.

    Something similar to below thread but in context of ICA policy.

    1. When you bind the policy and set priority, what is the ¬ęgoto expression¬Ľ value? Default is END, try setting NEXT to continue evaluating policies after the first hit.

Leave a Reply