Session policies
A session policy is a collection of expressions and settings that are applied to users, groups, virtual servers, and globally.
You use a session policy to configure the settings for user connections. You can define settings to configure the software users log on with, such as the Citrix Secure Access client for Windows or the Citrix Secure Access client for Mac. You can also configure settings to require users to log on with Citrix Workspace app or Secure Hub. Session policies are evaluated and applied after the user is authenticated.
Session policies are applied according to the following rules:
- Session policies always override global settings in the configuration.
- Any attributes or parameters that are not set by a session policy take their values from the policies established for the virtual server.
- Any other attributes that are not set by a session policy or by the virtual server take their values from the global configuration.
Important:
The following instructions are general guidelines for creating session policies. There are specific instructions for configuring session policies for different configurations, such as clientless access or for access to published applications. The instructions might contain directions for configuring a specific setting. However, that setting can be one of many settings that are contained within a session profile and policy. The instructions direct you to create a setting within a session profile and then apply the profile to a session policy. You can change settings within a profile and policy without creating a session policy. In addition, you can create all of your settings on a global level and then create a session policy to override global settings.
If you deploy Citrix Endpoint Management or StoreFront in your network, Citrix recommends using the Quick Configuration wizard to configure session policies and profiles. When you run the wizard, you define the settings for your deployment. NetScaler Gateway then creates the required authentication, session, and clientless access policies.
Create a session policy
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
- In the details pane, on the Policies tab, click Add.
- In Name, type a name for the policy.
- Next to Request Profile, click New.
- In Name, type a name for the profile.
- Complete the settings for the session profile and then click Create.
- In the Create Session Profile dialog box, add an expression for the policy, click Create, and then click Close. Note: In the expression, select the True value so that the policy is always applied to the level to which it is bound.
Sample session policy expressions
The following are example session policy expressions:
- add vpn sessionPolicy sessPol1 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") || HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixWorkspace\")" sessAct1
- add vpn sessionPolicy sessPol2 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" sessAct2
- add vpn sessionPolicy sessPol3 true sessAct3
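The following Python sketch is an added example, not Citrix code. It parses the three sample commands above and reports how each policy selects its profile; the User-Agent header is set by the client, so those expressions select a profile by client type rather than verify the client. The function names and the finding wording are assumptions made for illustration.

```python
import re
import shlex

# Constructed input: the three sample commands from this page, one per line,
# as they would appear in a saved configuration file.
SAMPLE_CONFIG = r'''
add vpn sessionPolicy sessPol1 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") || HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixWorkspace\")" sessAct1
add vpn sessionPolicy sessPol2 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" sessAct2
add vpn sessionPolicy sessPol3 true sessAct3
'''

# One User-Agent substring test, optionally negated with .NOT
UA_TEST = re.compile(r'HTTP\.REQ\.HEADER\("User-Agent"\)\.CONTAINS\("([^"]*)"\)(\.NOT)?')


def parse_session_policies(config_text):
    """Parse 'add vpn sessionPolicy <name> <rule> <profile>' lines into dicts."""
    policies = []
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # unescapes \" inside the quoted rule
        if len(tokens) != 6 or [t.lower() for t in tokens[:3]] != ["add", "vpn", "sessionpolicy"]:
            continue
        name, rule, profile = tokens[3:]
        ua_tests = [(m.group(1), bool(m.group(2))) for m in UA_TEST.finditer(rule)]
        if rule.lower() == "true":
            kind = "always"
        elif ua_tests:
            kind = "user-agent"
        else:
            kind = "other"
        policies.append({"name": name, "profile": profile, "kind": kind, "ua_tests": ua_tests})
    return policies


def review(policies):
    """Return {policy name: finding} for a configuration review."""
    findings = {}
    for p in policies:
        if p["kind"] == "always":
            findings[p["name"]] = f"{p['profile']} applies to every session at the bind point"
        elif p["kind"] == "user-agent":
            tests = ", ".join(("lacks " if neg else "contains ") + s for s, neg in p["ua_tests"])
            findings[p["name"]] = f"{p['profile']} chosen by client-sent User-Agent: {tests}"
        else:
            findings[p["name"]] = f"{p['profile']} chosen by an expression to review by hand"
    return findings


if __name__ == "__main__":
    for name, finding in review(parse_session_policies(SAMPLE_CONFIG)).items():
        print(f"{name}: {finding}")
```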
Bind session policies
After you create a session policy, bind it to a user, group, virtual server, or globally. Session policies are applied as a hierarchy in the following order:
- Users
- Groups
- Virtual servers
- Globally
Bind a session policy to a virtual server by using the GUI
- Navigate to NetScaler Gateway > Virtual Servers.
- Select a virtual server and click Edit. You can also create a new virtual server.
- Scroll down to the Policies section, and click the + icon.
- In Choose Policy, select Session.
- In Choose Type, select Request, and click Continue.
- In Select Policy, select the policy that you want to bind to this virtual server.
- In Priority, enter the priority number of the policy.
- Click Bind.
Bind a session policy to an authentication, authorization, and auditing group by using the GUI
- Navigate to NetScaler Gateway > User Administration > AAA Groups.
- Select an existing authentication, authorization, and auditing group, and click Edit. You can also create an authentication, authorization, and auditing group.
- In Advanced Settings, click Policies, and then click the + icon.
- In Choose Policy, select Session, and click Continue.
- In Select Policy, select the policy that you want to bind to this authentication, authorization, and auditing group.
- In Priority, enter the priority number of the policy.
- Click Bind.
Bind a session policy to an authentication, authorization, and auditing user by using the GUI
- Navigate to NetScaler Gateway > User Administration > AAA Users.
- Select an existing NetScaler user, and click Edit. You can also create an authentication, authorization, and auditing user.
- In Advanced Settings, click Policies, and then click the + icon.
- In Choose Policy, select Session, and click Continue.
- In Select Policy, select the policy that you want to bind to this authentication, authorization, and auditing user.
- In Priority, enter the priority number of the policy.
- Click Bind.
Note: For details on priority, see https://support.citrix.com/article/CTX214588.
Create a session profile
A session profile contains the settings for user connections.
Session profiles specify the actions that are applied to a user session if the user device meets the policy expression conditions. Profiles are used with session policies. You can use the configuration utility to create session profiles separately from a session policy and then use the profile for multiple policies. You can only use one profile with a policy.
Configure network settings for user connections in a session profile
You can use the Network Configuration tab in the session profile to configure the following network settings for user connections:
- DNS server
- WINS server IP address
- Mapped IP address that you can use as an intranet IP address
- Spillover settings for address pools (intranet IP addresses)
- Intranet IP DNS suffix
- HTTP ports
- Forced time-out settings
Configure connection settings in a session profile
You can use the Client Experience tab in the session profile to configure the following connection settings:
- Access Interface or customized home page
- Web address for web-based email, such as Outlook Web Access
- Plug-in type (Citrix Secure Access client for Windows, or Citrix Secure Access client for macOS X)
- Split tunneling
- Session and idle time-out settings
- Clientless access
- Clientless access URL encoding
- Plug-in type (Windows, or Mac)
- Single sign-on to web applications
- Credential index for authentication
- Single sign-on with Windows
- Client cleanup behavior
- Logon scripts
- Client debug settings
- Split DNS
- Access to private network IP addresses and local LAN access
- Client choices
- Proxy settings
Note:
- Starting from Citrix Secure Access for Windows 24.8.1.15, the split DNS feature is applicable to both TCP and UDP based DNS requests. DNS resolution works based on the split DNS setting as follows:
  - Remote: All DNS requests are resolved at the remote DNS server.
  - Local: DNS requests for host names matching the DNS suffix or tunneled applications are sent to the remote DNS server. DNS requests for other host names are sent to the local DNS server.
  - Both: All DNS requests matching the DNS suffix or tunneled applications are sent to the remote DNS server. DNS requests for other host names are sent to both local and remote servers and the first successful response is accepted.
- Citrix Secure Access client for Linux only supports split DNS Remote setting in Secure Private Access and NetScaler Gateway on-premises deployments regardless of the NetScaler Gateway’s split DNS setting.
For more information about configuring settings for user connections, see Configuring Connections for the Citrix Secure Access client.
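The split DNS rules in the note above can be modeled as a small decision function. This Python sketch is an added example, not Citrix client code; it shows which host names become visible to the DNS server on the user's local network under each setting. The suffix, application and host names are constructed placeholders, and matching a DNS suffix on a label boundary is an assumption.

```python
# Constructed sample values; the suffix, application and host names are placeholders.
DNS_SUFFIXES = ["corp.example"]
TUNNELED_APPS = ["intranet.partner.example"]
NAMES = ["wiki.corp.example", "intranet.partner.example", "www.example.org", "notcorp.example"]


def is_tunneled(hostname, dns_suffixes=DNS_SUFFIXES, tunneled_apps=TUNNELED_APPS):
    """True if the name is a tunneled application or sits under a DNS suffix.

    Assumption: suffixes match on a label boundary, so 'notcorp.example'
    does not match the suffix 'corp.example'.
    """
    host = hostname.rstrip(".").lower()
    if host in {a.rstrip(".").lower() for a in tunneled_apps}:
        return True
    suffixes = [s.strip(".").lower() for s in dns_suffixes]
    return any(host == s or host.endswith("." + s) for s in suffixes)


def resolvers_for(hostname, split_dns, client="windows"):
    """Return the resolvers ('remote', 'local') that receive a query for hostname."""
    mode = split_dns.upper()
    if mode not in ("REMOTE", "LOCAL", "BOTH"):
        raise ValueError(f"unknown split DNS setting: {split_dns}")
    if client == "linux":
        mode = "REMOTE"  # the Linux client uses Remote whatever the gateway sets
    if mode == "REMOTE" or is_tunneled(hostname):
        return {"remote"}
    if mode == "LOCAL":
        return {"local"}
    return {"local", "remote"}  # Both: the first successful response is accepted


def seen_by_local_resolver(hostnames, split_dns, client="windows"):
    """Names whose queries reach the DNS server of the user's local network."""
    return [h for h in hostnames if "local" in resolvers_for(h, split_dns, client)]


if __name__ == "__main__":
    for setting in ("Remote", "Local", "Both"):
        print(setting, seen_by_local_resolver(NAMES, setting))
```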
Configure security settings in a session profile
You can use the Security tab in a session profile to configure the following security settings:
- Default authorization action (allow or deny)
- Secure Browse for connections from iOS devices
- Quarantine groups
- Authorization groups
For more information about configuring authorization on NetScaler Gateway, see Configuring Authorization.
Configure Citrix Virtual Apps and Desktops settings in a session profile
You can use the Published Applications tab in a session profile to configure the following settings for connections to servers running Citrix Virtual Apps and Desktops:
- ICA Proxy, that is, client connections that use Citrix Workspace app
- Web Interface address
- Web Interface portal mode
- Single sign-on to the server farm domain
- Citrix Workspace app home page
- Account Services Address
For more information about configuring settings for connecting to published applications in a server farm, see Providing Access to Published Applications and Virtual Desktops Through the Web Interface.
You can create session profiles independently of a session policy. When you create the policy, you can select the profile to attach to the policy.
To create a session profile by using the GUI
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
- In the details pane, click the Profiles tab, and then click Add.
- Configure the settings for the profile, click Create, and then click Close.
After you create a profile, you can include it in a session policy.
To add a profile to a session policy by using the GUI
- In the configuration utility, in the navigation pane, expand Access Gateway > Policies and then click Session.
- On the Policies tab, do one of the following:
  - Click Add to create a session policy.
  - Select a policy, and then click Open.
- In Request Profile, select a profile from the list.
- Finish configuring the session policy, and then do one of the following:
  - Click Create, and then click Close to create the policy.
  - Click OK, and then click Close to modify the policy.