Configuring SmartControl
SmartControl allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops on Citrix Gateway. SmartControl allows administrators to manage these policies from a single location, rather than at each instance of these server types.
SmartControl is implemented through ICA policies on Citrix Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment.
Note:
When the client detection feature is enabled, avoid using ICA policies with rules that include authentication, authorization, and auditing expressions (such as AAA.USER, AAA.GROUP).
The following table lists the user environment attributes that SmartControl can enforce:
ConnectClientDrives | Specifies the default connection to the client drives when the user logs on. |
ConnectClientLPTPorts | Specifies the automatic connection of LPT ports from the client when the user logs on. LPT ports are the Local Printer Ports. |
ClientAudioRedirection | Specifies the applications hosted on the server to transmit audio through a sound device installed on the client computer. |
ClientClipboardRedirection | Specifies and configures clipboard access on the client device and maps the clipboard on the server. |
ClientCOMPortRedirection | Specifies the COM port redirection to and from the client. COM ports are the COMmunication ports. COM ports are serial ports. |
ClientDriveRedirection | Specifies the drive redirection to and from the client. |
Multistream | Specifies the multistream feature for specified users. |
ClientUSBDeviceRedirection | Specifies the redirection of USB devices to and from the client (workstation hosts only). |
Localremotedata | Specifies the HTML5 file upload download capability for the Citrix Workspace app. |
ClientPrinterRedirection | Specifies the client printers to be mapped to a server when a user logs on to a session. |
Policies | Action | Access Profiles |
Add | Edit | Delete |
Show Bindings | Policy Manager | Action |
Policies
An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. The following commands are available from the Policies tab:
- Add
- Edit
- Delete
- Show Bindings
- Policy Manager
- Action
Add
- Go to Citrix Gateway > Policies and then click ICA.
- In the details pane, on the Policies tab, click Add.
- In the Name dialog box, type a name for the policy.
- Next to Action, do one of the following:
  - Click the > icon to select an existing action. For details, see Select an action under Common Processes.
  - Click the + icon to create an action. For details, see Create a new action under Common Processes.
  - The pencil icon is disabled.
- Create an expression.
- Create a Log Action. For more details, see Create a Log Action.
- Enter a message into the Comments box. The comment writes to the message log. This field is optional.
- Click Create.
Edit
- Go to Citrix Gateway > Policies and then click ICA.
- Select the ICA policy from the list.
- In the details pane, on the Policies tab, click Edit.
- Verify the policy name.
- To revise the Action, do one of the following:
  - Click the > icon to revise an existing Action. For details, see Select an action under Common Processes.
  - Click the + icon to create an Action. For details, see Create a new action under Common Processes.
  - Click the pencil icon to revise the Access Profile.
- Revise the Expression as desired. For details, see Expressions under Common Processes.
- To revise the Log Action, do one of the following:
  - Click the + to create a Log Action.
  - Click the pencil icon to configure an Audit Message.
- Revise the comments as desired.
- Click OK.
Delete
- Go to Citrix Gateway > Policies and then click ICA.
- Select the desired ICA policy from the list.
- In the details pane, on the Policies tab, click Delete.
- Confirm that you want to delete the policy by clicking Yes.
Show Bindings
- Go to Citrix Gateway > Policies and then click ICA.
- Select the ICA policy from the list.
- In the details pane, on the Policies tab, click Show Bindings.
Policy Manager
- Go to Citrix Gateway > Policies and then click ICA.
- Select the desired ICA policy from the list.
- In the details pane, on the Policies tab, click Policy Manager.
- From the Bind Point dialog box, select one of the following policies.
  - Override Global
  - VPN Virtual Server
  - Cache Redirection Virtual Server
  - Default Global
- From the Connection Type dialog box, select a binding policy from the menu.
- If you select either the VPN Virtual Server or the Cache Redirection Virtual Server, you connect to the server using the menu.
- Click Continue.
Add Binding
- After selecting Continue, this screen appears.
- Select a Policy to attach the Binding.
- Select Add Binding.
Policy Binding
- After selecting Done, this screen appears.
- Click the > icon to select an existing policy. For details, see Select an existing policy.
- Click the + icon to create a policy. For details, see Create a policy.
Unbind Policy
- Select the policy you want to unbind, and click the Unbind button.
- Click Done.
- Click the Yes button on the pop-up screen to confirm that you desire to unbind the selected entity.
Bind NOPOLICY
- Select the policy that requires NOPOLICY, and click the Bind NOPOLICY button.
- Click Done.
Edit
You can edit from the ICA Policy Manager.
- Select the policy you want to edit, and select Edit.
- You can make the following edits: Edit Binding, Edit Policy, Edit Action.
Edit Binding
- With the policy selected, click Edit Binding.
- Verify that you are editing the desired policy. This Policy Name is not editable.
- Set the Priority as desired.
- Set Goto Expression as desired.
- Click the Bind button.
Edit Policy
- With the policy selected, click Edit Policy.
- Verify the policy Name to ensure you are editing the desired policy. This field is not editable.
- To revise the Action policy, do one of the following:
  - Click the > icon to select an existing Action. For details, see Select an action under Common Processes.
  - Click the + icon to create an action. For details, see Create a new action under Common Processes.
  - Click the pencil icon to revise the Access Profile. For details, see Select an existing Access Profile under Common Processes.
- Revise the Expression as desired. For more details, see Expressions under Common Processes.
- Select the desired type of message from the menu. To create a Log Action, do one of the following:
  - Click the + icon to create an action. For details, see Create a Log Action.
  - Click the pencil icon to revise the Configure Audit Message Action. For details, see Configure Audit Message Action.
- Enter comments about the ICA Policy.
- Click OK when the edit is complete.
Edit Action
- With the policy selected, click Edit Action.
- Verify the Action Name to confirm you are editing the desired Action. This field is not editable.
- Next to Access Profile, do one of the following:
  - Click the > icon to select a different Access Profile. For details, see Configure Action.
  - Click the + icon to select a new Channel Profile. For details, see Create an Access Profile.
  - Click the pencil icon to revise the Access Profile. For details, see Select an existing Access Profile under Common Processes.
- Click OK.
Action
The Policies > Action commands are used to rename the action.
- Select the desired ICA Action from the list.
- On the ICA Policies tab, click Action. Select Rename from the menu.
- Rename the action.
- Click OK.
Action
An Action connects a policy with an Access Profile. The following commands are available from the Policies tab:
- Add
- Edit
- Delete
- Action
Add
- Go to Citrix Gateway > Action and then click ICA.
- In the details pane, on the Action tab, click Add.
- Click the > icon to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.
- Click the + icon to create an Access Profile. For details, see Create an Access Profile.
- The pencil icon is disabled for this screen.
- Click Create.
Edit
- Select the desired ICA policy from the list.
- In the details pane, on the Action tab, click Edit.
Configure Action
- Verify the Action Name to confirm you are editing the desired Action. This field is not editable.
- Next to Access Profile, do one of the following:
  - Click the > to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.
  - Click the + to create an Access Profile. For details, see Create an Access Profile.
  - Click the pencil icon to Configure Access Profile.
- Click OK.
Delete
- Go to Citrix Gateway > Action and then click ICA.
- Select the desired ICA Action from the list.
- In the details pane, on the Action tab, click Delete.
- Confirm the Action you want to delete by clicking Yes.
Action
The ICA Action > Action commands are used to rename the action.
- Go to Citrix Gateway > Action and then click ICA.
- Select the desired ICA Action from the list.
- In the details pane, on the Action tab, click Action.
- Select Action > Rename from the menu.
- Rename the action.
- Click OK.
Access Profiles
An ICA profile defines the settings for user connections.
Access profiles specify the actions that are applied to a user’s Citrix Virtual Apps and Desktops environment ICA if the user device meets the policy expression conditions. You can use the GUI to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can only use one profile with a policy.
You can create Access Profiles independently of an ICA policy. When you create the policy, you can select the access profile to attach to the policy. An Access Profile specifies the resources available to a user. The following commands are available from the Policies tab:
- Add
- Edit
- Delete
Creating an Access Profile with the GUI
- Go to Citrix Gateway > Policies and then click ICA.
- In the details pane, click the Access Profiles tab and then click Add.
- Configure the settings for the profile, click Create, and then click Close. After you create a profile, you can include it in an ICA policy.
Add an Access Profile to a policy using the GUI
- Go to Citrix Gateway > Policies and then click ICA.
- On the Policies tab, do one of the following:
  - Click Add to create an ICA policy.
  - Select a policy and then click Open.
- In the Action menu, select an Access Profile from the list.
- Finish configuring the ICA policy and then do one of the following:
  - Click Create and then click Close to create the policy.
  - Click OK and then click Close to modify the policy.
Add
- Go to Citrix Gateway > Policies and then click ICA.
- In the details pane, on the Access Profiles tab, click Add.
- In Name, type a name for the Access Profile.
- Select Default or Disable from the menus shown to create the Access Profile.
- Click Create.
Edit
- Select the Access Profile you want to edit.
- In the details pane, on the Access Profiles tab, click Edit.
Configure Access Profile
- Verify that the Name is the one you want to revise.
- Select Default or Disable from the menu to configure as required.
- Click OK.
Delete
- Go to Citrix Gateway > Action, and then click ICA.
- Select the desired ICA Action from the list.
- In the details pane, on the Action tab, click Delete.
- Confirm the Access Profile you want to delete by clicking Yes.
Common Processes
Create an action
- Type a Name for the Action.
- Select one of the following to supply the Access Profile:
  - Click the > to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.
  - Click + to create an Access Profile. For details, see Create an Access Profile.
  - The pencil icon is disabled.
- Click Create.
Select an action
- Select an Action by clicking the radio button to the left of it. The associated Access Profile specifies the allowed user functions.
- Click the Select button.
Create an Access Profile
- Name the Access Profile.
- You can configure the Access Profile from this menu.
- Click Create.
Select an existing Access Profile
- Select an Access Profile by clicking it.
- Click Edit.
- Configure the Access Profile. For details, see Configure Access Profile.
Expressions
- To create or revise an existing expression, select Clear.
The expressions are the typical ICA Expressions. For the HTTP expressions enter the name with the "" and remove the ().
ICA.SERVER.PORT | This expression checks that the port specified matches the port number on the Citrix Virtual Apps and Desktops that the user is attempting to connect. |
ICA.SERVER.IP | This expression checks that the IP specified matches the IP address on the Citrix Virtual Apps and Desktops that the user is attempting to connect. |
AAA.USER.IS_MEMBER_OF("").NOT | This expression checks that the current connection is accessed by a user that is NOT a member of the specified group name. |
AAA.USER.IS_MEMBER_OF("group name") | This expression checks that the user accessing the current connection is a member of the specified group. |
AAA.USER.NAME.CONTAINS("").NOT | This expression checks that the user accessing the current connection is NOT a member of the specified group. |
AAA.USER.NAME.CONTAINS("enter user name") | Specifies the resources for a user name. This expression checks that the current connection is accessed by the specified name. |
CLIENT.IP.DST.EQ(enter the IP address here).NOT | This expression checks that the destination IP of the current traffic is NOT equal to the specified IP address. |
CLIENT.IP.DST.EQ(enter the IP address here) | This expression checks that the destination IP of the current traffic is equal to the specified IP address. |
CLIENT.TCP.DSTPORT.EQ (enter port number).NOT | This expression checks that the destination port is NOT equal to the specified port number. |
CLIENT.TCP.DSTPORT.EQ (enter port number) | This expression checks that the destination port is equal to the specified port number. |
- Simultaneously, select Control and the Space bar. Then your options are visible.
- Type the period. Make your selection, and press the Space bar.
- At each period of the expression in the previous table, type the period. Make your selection, and press the Space bar.
- Click OK.
Group Identification
The preauthentication or session functions define the expression with a group name variable.
Preauthentication
- Select Preauthentication from the configuration pane.
- Select a name from the Preauthentication Policies.
- Select Edit from the Preauthentication Policies tab.
- Select the pencil icon or + next to the Request Action dialog box.
- Define the ("<groupname>") in the Default EPA Group dialog box.
Session
- Select Session from the configuration pane.
Create a Log Action
- In the Configure Policy screen, next to the Log Action dialog box, select the + icon.
Create Audit Message Action
- The Create Audit Message Action screen appears. Name the Audit Message. The Audit message only accepts numbers, letters, or an underscore character.
- From the menu specify the Audit Log Level.
Emergency | Events that indicate an immediate crisis on the server. |
Alert | Events that might require action. |
Critical | Events that indicate an imminent server crisis. |
Error | Events that indicate some type of error. |
Warning | Events that require action soon. |
Notice | Events that the administrator must know about. |
Informational | All but low-level events. |
Debug | All events, in extreme detail. |
- Enter an Expression. The Expression defines the format and content of the log.
- The check boxes:
  - Check the Log in newnslog to send the message to a new ns log.
  - Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
- Click Create.
Revise a Log Action
- In the Configure Policy screen, next to the Log Action dialog box click the icon.
Configure Audit Message Action
The following are editable fields:
- From the menu specify the Audit Log Level.
- Enter an Expression. The Expression defines the format and content of the log.
- The check boxes:
  - Check the Log in newnslog to send the message to a new ns log.
  - Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
- Click OK.
Select an existing policy
- Click the > icon to select an existing policy.
- Select the radio button of the desired policy.
Create a policy
- In Name, type a name for the policy.
- Click + to create a policy.
- Create an Action. For details, see Create a new action.
- Name the Access Profile.
- Configure the Access Profile from this menu.
- Click Create.
- Click Bind.
Configuring pre-authentication and post-authentication end point analysis
This section describes how to configure post-authentication and pre-authentication end point analysis (EPA).
To configure post-authentication EPA with SmartControl, use the Smartgroup parameter from the VPN session action. The EPA expression is configured on the VPN session policy.
You can specify a group name for the smart group parameter. This group name can be any string. The group name does not need to be an existing group on the Active Directory.
Configure the ICA policy with the expression HTTP.REQ.IS_MEMBER_OF ("groupname"). Use the group name that was previously specified for the smart group.
To configure pre-authentication EPA with SmartControl, use the Default EPA group parameter from the pre-authentication profile. The EPA expression is configured on the pre-authentication policy.
You can specify a group name for the Default EPA group parameter. This group name can be any string. The group name does not need to be an existing group on the Active Directory.
Configure the ICA policy with the expression HTTP.REQ.IS_MEMBER_OF ("groupname"). Use the group name that was previously specified for the Default EPA Group.
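Both EPA setups described above depend on the ICA policy expression naming exactly the string entered as Smartgroup or Default EPA Group, and that string can be anything and need not exist in Active Directory. The following added example (not Citrix code) audits a configuration inventory for ICA policies whose group test names no EPA group, and for AAA.USER/AAA.GROUP rules when client detection is enabled. The inventory layout, field names, finding codes and sample values are constructed assumptions.

```python
import re

# Group test as the page writes it for EPA; the HTTP.REQ.USER. prefix is also accepted.
EPA_MEMBER_OF = re.compile(
    r'HTTP\.REQ\.(?:USER\.)?IS_MEMBER_OF\s*\(\s*["“]([^"”]*)["”]\s*\)', re.IGNORECASE)
# Expressions the page's Note says to avoid when client detection is enabled.
AAA_EXPR = re.compile(r'\bAAA\.(?:USER|GROUP)\b', re.IGNORECASE)


def epa_group_names(inventory):
    """Collect every group name that an EPA check can place a user in."""
    names = set()
    for profile in inventory.get("session_profiles", []):
        if profile.get("smartgroup"):            # post-authentication EPA
            names.add(profile["smartgroup"])
    for profile in inventory.get("preauth_profiles", []):
        if profile.get("default_epa_group"):     # pre-authentication EPA
            names.add(profile["default_epa_group"])
    return names


def audit_ica_policies(inventory, client_detection_enabled=False):
    """Return (policy_name, finding_code, detail) tuples for suspect ICA policy rules."""
    known = epa_group_names(inventory)
    by_lower = {g.lower(): g for g in known}
    findings = []
    for policy in inventory.get("ica_policies", []):
        name, rule = policy["name"], policy["expression"]
        for group in EPA_MEMBER_OF.findall(rule):
            group = group.strip()
            if not group:
                # Template placeholder ("") left unfilled.
                findings.append((name, "EMPTY_GROUP", "group name left blank"))
            elif group in known:
                continue
            elif group.lower() in by_lower:
                # Same name apart from letter case: report the configured spelling.
                findings.append((name, "CASE_MISMATCH", by_lower[group.lower()]))
            else:
                # No session or preauthentication profile assigns this group.
                findings.append((name, "UNKNOWN_EPA_GROUP", group))
        if client_detection_enabled and AAA_EXPR.search(rule):
            findings.append((name, "AAA_WITH_CLIENT_DETECTION", rule))
    return findings


# Constructed sample inventory (hypothetical names, not taken from a real appliance).
SAMPLE = {
    "session_profiles": [{"name": "sess_prof_epa", "smartgroup": "epa_passed"}],
    "preauth_profiles": [{"name": "preauth_prof", "default_epa_group": "preauth_ok"}],
    "ica_policies": [
        {"name": "ica_ok", "expression": 'HTTP.REQ.IS_MEMBER_OF("epa_passed")'},
        {"name": "ica_typo", "expression": 'HTTP.REQ.IS_MEMBER_OF("epa_pased")'},
        {"name": "ica_case", "expression": 'HTTP.REQ.IS_MEMBER_OF("PreAuth_OK").NOT'},
        {"name": "ica_aaa", "expression": 'AAA.USER.IS_MEMBER_OF("Contractors")'},
    ],
}

if __name__ == "__main__":
    for finding in audit_ica_policies(SAMPLE, client_detection_enabled=True):
        print(finding)
```

A policy flagged UNKNOWN_EPA_GROUP never matches users placed by EPA, so the access profile bound to it is not applied to them.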
Post-authentication configuration
Use the following procedure to set up smart groups for Post-authentication configuration.
- Go to Citrix Gateway > Policies > Session.
- Go to Session Profiles > Add.
Create Citrix Gateway Session Profile
- Select the Security tab.
- Enter a Name for your Citrix Gateway Profile (action).
- Select the box to the right of the menu and select the desired Default Authorization Action.
  Specify the network resources that users have access to when they log on to the internal network. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access. If you set the default authorization policy to DENY, you must explicitly authorize access to any network resource, which improves security.
- Select the box to the right of the menu and select the desired Secure Browse.
  Allow users to connect through Citrix Gateway to network resources from iOS and Android mobile devices with Citrix Workspace app. Users do not need to establish a full VPN tunnel to access resources in the secure network.
- Select the box to the right of the menu and enter the Smartgroup name.
  This is the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy does the post authentication EPA check and if the check succeeds the user is placed in the group specified with a smart group. The is_member_of (aaa.user.is_member_of) expression can then be used with policies to check if the EPA has passed on the user belonging to this smart group.
- Click Create.
- Go to Citrix Gateway > Policies > Session.
- Go to Session Policies > Add.
- Enter the Name for the new session policy that is applied after the user logs on to Citrix Gateway.
- Select the Profile action using the menu.
  The Action applied by the new session policy if the rule criterion is met.
  Note: If the desired profile must be created, select the +. For more details, see Create Citrix Gateway Session Profile.
- Enter Expression in this field.
  This field defines the named expression that specifies the traffic that matches the policy. The expression can be written in either default or classic syntax. The maximum length of a literal string for the expression is 255 characters. A longer string can be split into smaller strings of up to 255 characters each, and the smaller strings concatenated with the + operator. For example, you can create a 500-character string as follows: ‘”” + “”’
  The following requirements apply only to the Citrix ADC CLI:
  - If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
  - If the expression itself includes double quotation marks, escape the quotations by using the \ character. Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.
- Click Create.
- Go to Session Policies.
- Select the Name of the Session Policy.
- Select Global Bindings from the Action menu.
- Select Add Binding.
- Select the > to choose an existing policy.
  Note: Select + to create a policy. For more details, see section Create Citrix Gateway Session Profile.
- Choose a name from the list and press the Select button.
- Enter the Priority and click Bind.
- Click Done.
- The check shows that your selection is Globally Bound.
Pre-authentication configuration
Use the following procedure to set up the pre-authentication configuration.
- Go to Citrix Gateway > Policies > Preauthentication.
- Select the Preauthentication Profiles tab and select Add.
- Enter the Name for the preauthentication action.
  The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after preauthentication action is created.
  Note: The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks.
- Select a Request Action that the policy is to invoke when a connection matches the policy.
  Note: If you want to create a Preauthentication Profile, select the +. For more information, see Create Preauthentication Profile.
- Enter an Expression that is the name of the Citrix ADC named rule, or default syntax expression that defines the connections that match the policy.
- Click Create.
- Go to the Preauthentication Policies tab and select the desired policy.
- Select Global Binding from the Action menu.
- Select Add Bindings.
- Select > to select an existing policy.
  Select + to create a policy. For more details, see Create Citrix Gateway Session Profile.
- Select Policy.
- Enter the Priority and click Bind.
- Click Done.
- The check shows that the Preauthentication Policy is Globally Bound.
Create Preauthentication Profile
- Enter the Name for the preauthentication action.
  The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after preauthentication action is created.
  Note: If the name includes one or more spaces, enclose the name in double or single quotation marks. This is applicable only to the Citrix ADC CLI.
- Enter the Action from the menu.
  This option will Allow or Deny logon after endpoint analysis (EPA) results.
- Processes to be Canceled
  This option identifies a string of processes that the endpoint analysis (EPA) tool must terminate.
- Files to be deleted
  This option identifies a string specifying the paths and names of the files that the endpoint analysis (EPA) tool must delete.
- Default EPA Group
  The default EPA group is the group that is chosen when the EPA check succeeds.
- Click Create.