Configure SmartControl

SmartControl allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops on NetScaler Gateway. SmartControl allows administrators to manage these policies from a single location, rather than at each instance of these server types.

SmartControl is implemented through ICA policies on NetScaler Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment. To enable SmartControl, you must associate the ICA policy to a VPN virtual server.

Note:

When the client detection feature is enabled, avoid using ICA policies with rules that include authentication, authorization, and auditing expressions (such as AAA.USER, AAA.GROUP).

The following table lists the user environment attributes that SmartControl can enforce:

     
| Attribute | Description |
|---|---|
| ConnectClientDrives | Specifies the default connection to the client drives when the user logs on. |
| ConnectClientLPTPorts | Specifies the automatic connection of LPT ports from the client when the user logs on. LPT ports are the Local Printer Ports. |
| ClientAudioRedirection | Specifies the applications hosted on the server to transmit audio through a sound device installed on the client computer. |
| ClientClipboardRedirection | Specifies and configures clipboard access on the client device and maps the clipboard on the server. |
| ClientCOMPortRedirection | Specifies the COM port redirection to and from the client. COM ports are the COMmunication ports. COM ports are serial ports. |
| ClientDriveRedirection | Specifies the drive redirection to and from the client. |
| Multistream | Specifies the multistream feature for specified users. |
| ClientUSBDeviceRedirection | Specifies the redirection of USB devices to and from the client (workstation hosts only). |
| Localremotedata | Specifies the HTML5 file upload download capability for the Citrix Workspace app. |
| ClientPrinterRedirection | Specifies the client printers to be mapped to a server when a user logs on to a session. |
| ClientTWAINDeviceRedirection | Allows default access or disables TWAIN devices, such as digital cameras or scanners, on the client device from published image processing applications. |
| WIARedirection | Allows default access or disables WIA scanner redirection. |
| DragAndDrop | Allows default access or disables drag and drop between client and remote applications and desktops. |
| SmartCardRedirection | Allows default access or disables smart card redirection. Smart card virtual channel is always allowed in CVAD. |
| FIDO2Redirection | Allows default access or disables FIDO2 redirection. |

ICA Policies and Profiles

ICA policy

An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. You can perform the following ICA policy configurations:

Configure an ICA policy by using the GUI

  1. Navigate to NetScaler Gateway > Policies and click ICA.
  2. In the ICA Policies section, click Add. The Create ICA Policy page appears.
  3. In the Name field, specify a name for the ICA policy.
  4. Next to the Action field, do one of the following:
    • Click the > icon to select an existing action.
    • Click Add to create an action.
  5. Add an expression.
  6. Create a log action.
  7. Configure the remaining parameters as required and click OK.

Configure an ICA policy by using the CLI

add ica policy smartaccess_policy -rule TRUE -action smartaccess_action

Bind the ICA policy to a bind point by using the GUI

  1. Navigate to NetScaler Gateway > Policies > NetScaler Gateway > ICA Policies and Profiles > ICA Policies. Click Policy Manager.
  2. Select the bind point and the virtual server, and click Continue.
  3. In the Policy Binding section, select the ICA policy that you need to associate to a bind point.
  4. Click Bind and then click Done.

To verify the binding, click Show Bindings in the ICA Policies section. You can view the list of bind points associated with the ICA policy.

Bind the ICA policy to a VPN virtual server by using the CLI

bind vpn vserver vpnvserver -policy smartaccess_policy -type ICA_REQUEST -priority 10

ICA action

Configure an ICA action by using the GUI

  1. Go to NetScaler Gateway > Policies and then click ICA.
  2. In the ICA Actions tab, click Add. The Create ICA Action page appears.
  3. In the Name field, specify a name for the ICA policy.
  4. Next to the ICA Access Profile field, do one of the following:
    • Click the > icon to select an existing ICA access profile.
    • Click Add to create an ICA access profile.
  5. Create an ICA latency profile to associate it to the ICA action.
  6. Click Create.

Configure an ICA action by using the CLI

add ica action smartaccess_action -accessProfileName smartaccess_profile

ICA access profile

An ICA profile defines the settings for user connections. Access profiles specify the actions that are applied to a user’s Citrix Virtual Apps and Desktops ICA environment if the user device meets the policy expression conditions. You can use the GUI to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can only use one profile with a policy.

You can create access profiles independent from an ICA policy. When you create the policy, you can select the access profile to attach to the policy. An access profile specifies the resources available to a user.

Starting from release 14.1-8.x, NetScaler Gateway extends the capabilities of the SmartControl feature to more ICA virtual channels of Citrix Virtual Apps and Desktops. This extension improves the interaction between NetScaler Gateway and the ICA virtual channels.

To leverage the capability of the extended SmartControl feature, you can configure the following settings on the ICA access profile.

  • ClientTWAINDeviceRedirection
  • WIARedirection
  • DragAndDrop
  • SmartCardRedirection
  • FIDO2Redirection

Configure an ICA access profile by using the GUI

  1. Navigate to NetScaler Gateway > Policies > NetScaler Gateway ICA Policies and Profiles > Access Profiles and click Add. The Create ICA Access Profile page appears.
  2. Provide a name for the ICA access profile, configure the following parameters, and click Create.
    • Connect Client LPT Ports: Allow or block the automatic connection of Line Print Terminal (LPT) ports from the client when the user logs on.
    • Client Audio Redirection: Allow or block applications hosted on a server to play sounds through a sound device installed on the client computer. This setting also allows or blocks users from recording audio inputs.
    • Local Remote Data Sharing: Allow or block file or data sharing through the Citrix Workspace app for HTML5.
    • Client Clipboard Redirection: Allow or block the clipboard on the client device to be mapped to the clipboard on the server.
    • Client COM Port Redirection: Allow or block the Communication (COM) port redirection to and from the client.
    • Client Drive Redirection: Allow or block the drive redirection to and from the client.
    • Client Printer Redirection: Allow or block printers to be mapped to a server when a user logs on to a session.
    • Multistream: Allow or block the multi-stream feature for the specified users.
    • Client USB Drive Redirection: Allow or block the redirection of USB devices to and from the client.
    • Client TWAIN Device Redirection: Allow or block TWAIN devices, such as digital cameras or scanners, on the client device from the published image processing applications.
    • WIA Redirection: Allow or block the Windows Image Acquisition (WIA) scanner redirection.
    • Drag and Drop: Allow or block the drag and drop action between client and remote applications and desktops.
    • Smart Card Redirection: Allow or block the smart card redirection. Smart card virtual channel is always allowed in Citrix Virtual Apps and Desktops.
    • FIDO2 Redirection: Allow or block the Fast Identity Online 2 (FIDO2) redirection.

Configure an ICA access profile by using the CLI

add ica accessprofile <name> [-ConnectClientLPTPorts ( DEFAULT | DISABLED )] [-ClientAudioRedirection ( DEFAULT | DISABLED )] [-LocalRemoteDataSharing ( DEFAULT | DISABLED )] [-ClientClipboardRedirection ( DEFAULT | DISABLED )] [-ClientCOMPortRedirection ( DEFAULT | DISABLED )] [-ClientDriveRedirection ( DEFAULT | DISABLED )] [-ClientPrinterRedirection ( DEFAULT | DISABLED )] [-Multistream ( DEFAULT | DISABLED )] [-ClientUSBDriveRedirection ( DEFAULT | DISABLED )] [-ClientTWAINDeviceRedirection ( DEFAULT | DISABLED )] [-WIARedirection ( DEFAULT | DISABLED )] [-DragAndDrop ( DEFAULT | DISABLED )] [-SmartCardRedirection ( DEFAULT | DISABLED )] [-FIDO2Redirection ( DEFAULT | DISABLED )]
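SmartControl only takes effect once the chain access profile, action, policy and VPN virtual server binding is complete. The following added example (not part of the Citrix documentation) audits a saved configuration for that chain and for the channel settings each policy enforces. It assumes the configuration is available as text lines in the CLI form shown on this page; `orphan_policy`, the function names, and the sample configuration are constructed for illustration.

```python
import shlex

# Channel options as spelled in the `add ica accessprofile` syntax above.
CHANNELS = ("ConnectClientLPTPorts ClientAudioRedirection LocalRemoteDataSharing ClientClipboardRedirection "
            "ClientCOMPortRedirection ClientDriveRedirection ClientPrinterRedirection Multistream ClientUSBDriveRedirection "
            "ClientTWAINDeviceRedirection WIARedirection DragAndDrop SmartCardRedirection FIDO2Redirection").split()
# Constructed sample configuration; orphan_policy is a hypothetical extra policy.
SAMPLE = """\
add ica accessprofile smartaccess_profile -ClientClipboardRedirection DISABLED -ClientDriveRedirection DISABLED -DragAndDrop DEFAULT
add ica action smartaccess_action -accessProfileName smartaccess_profile
add ica policy smartaccess_policy -rule TRUE -action smartaccess_action
add ica policy orphan_policy -rule TRUE -action smartaccess_action
bind vpn vserver vpnvserver -policy smartaccess_policy -type ICA_REQUEST -priority 10
"""

def _opts(tokens):  # '-Option value' pairs -> {option_lowercase: value}
    return {t[1:].lower(): tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(config_text):
    """Resolve policy -> action -> access profile and collect ICA_REQUEST vserver bindings."""
    profiles, actions, policies, bound = {}, {}, {}, {}
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4: continue
        head, name, rest = [t.lower() for t in tok[:3]], tok[3], _opts(tok[4:])
        if head == ["add", "ica", "accessprofile"]:
            profiles[name] = rest
        elif head == ["add", "ica", "action"]:
            actions[name] = rest.get("accessprofilename")
        elif head == ["add", "ica", "policy"]:
            policies[name] = rest.get("action")
        elif head == ["bind", "vpn", "vserver"] and rest.get("type", "").upper() == "ICA_REQUEST":
            bound.setdefault(rest.get("policy"), []).append(name)
    report = {}
    for policy, action in policies.items():
        settings = profiles.get(actions.get(action), {})
        # UNSET = option absent from the command; no appliance default is assumed here.
        states = {c: settings.get(c.lower(), "UNSET").upper() for c in CHANNELS}
        report[policy] = {"vservers": bound.get(policy, []), "channels": states}
    return report

def not_bound_to_vserver(report):
    """Policies with no ICA_REQUEST binding on a VPN virtual server (other bind points are not parsed)."""
    return sorted(p for p, r in report.items() if not r["vservers"])

if __name__ == "__main__":
    for name, r in audit(SAMPLE).items():
        off = [c for c, v in r["channels"].items() if v == "DISABLED"]
        print(name, "| bound to:", r["vservers"] or "no vserver", "| disabled:", off)
```

Channels reported as `UNSET` or `DEFAULT` are the ones to review against the intended restriction for that user population.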


ICA latency profile

Configure an ICA latency profile by using the GUI

  1. Navigate to NetScaler Gateway > Policies > NetScaler Gateway ICA Policies and Profiles > ICA Latency Profiles.
  2. Update the required fields and click Create.

Configure an ICA latency profile by using the CLI

add ica latencyprofile <name> [-l7LatencyMonitoring ( ENABLED | DISABLED )] [-l7LatencyThresholdFactor <positive_integer>] [-l7LatencyWaitTime <positive_integer>] [-l7LatencyNotifyInterval <positive_integer>] [-l7LatencyMaxNotifyCount <positive_integer>]
