How Clientless Access Policies Work

You configure clientless access to web applications by creating policies. You can configure the settings for a clientless access policy in the configuration utility. A clientless access policy is composed of a rule and a profile. You can use the preconfigured clientless access policies that come with Citrix Gateway. You can also create your own custom clientless access policies.

Citrix Gateway provides preconfigured policies for the following:

  • Outlook Web Access and Outlook Web App
  • SharePoint 2007
  • All other Web applications


OWA 2016 and SharePoint 2016 are supported only using advanced clientless access.

Keep in mind the following characteristics of the preconfigured clientless access policies:

  • They are configured automatically and cannot be changed.
  • Each policy is bound at the global level.
  • Each policy is not enforced unless you enable clientless access either globally or by creating a session policy.
  • You cannot remove or modify global bindings, even if you do not enable clientless access.

Support for other web applications depends on the rewrite policies you configure on Citrix Gateway. Citrix recommends testing any custom policies that you create to ensure that all components of the application rewrite successfully.

If you allow connections from Receiver for Android, Receiver for iOS, or Citrix Secure Hub, you must enable clientless access. For Citrix Secure Hub that runs on an iOS device, you must also enable Secure Browse within the session profile. Secure Browse and clientless access work together to allow connections from iOS devices. You do not have to enable Secure Browse if users do not connect with iOS devices.

The Quick Configuration wizard configures the correct clientless access policies and settings for mobile devices. Citrix recommends running the Quick Configuration wizard to configure the correct policies for connections to StoreFront and Citrix Endpoint Management.

You can bind custom clientless access policies either globally or to a virtual server. If you want to bind clientless access policies to a virtual server, you need to create a custom policy and then bind it. To enforce different policies for clientless access either globally or for a virtual server, change the priority number of the custom policy so it has a lower number than the preconfigured policies, thus giving the custom policy higher priority. If no other clientless access policies are bound to the virtual server, the preconfigured global policies take precedence.

Note: You cannot change the priority numbers of the preconfigured clientless access policies.

How Clientless Access Policies Work