Making limited use of Citrix SmartAccess without Universal licenses

Making limited use of Citrix SmartAccess without universal licenses can still benefit your Citrix environment. If you are using Citrix Gateway as ICA Proxy only than this article is for you. Learn how to configure SmartAccess in a Citrix Virtual Apps and Desktop environment for users connecting through Citrix Gateway (NetScaler Gateway). You do NOT need Universal licenses to use at least some of the SmartAccess features!

Enabling the full set of SmartAccess features revolves around the ICA Only setting on a vServer.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix Gateway vServer ICA Only true

As per Citrix:

"When set to ON, it implies Basic mode where the user can log on using either Citrix Receiver or a browser and get access to the published apps configured at the XenApp/XenDesktop environment [...]. Users are not allowed to connect using the NetScaler Gateway Plug-in and end point scans cannot be configured. The numbers of users that can log in and access the apps are not limited by the license in this mode."

Most articles on the Internet state that you have to enable SmartAccess mode (change the ICA Only setting from true to false) on the vServer in order to use SmartAccess (here for example). This is both true and not true. There are two reasons why this can be confusing:

  1. The features that make up SmartAccess;
  2. The terminology used: Basic Mode, ICA Proxy and SmartAccess (mode)

Let's take a look at the features of SmartAccess first:

  • Citrix Studio: Access policy on the Delivery Group
    An Access policy allows you to show or hide all applications in a Delivery Group when connecting through Citrix Gateway. You can add a filter for more granular control. If you want to work with filters, SmartAccess mode needs to be enabled on the Citrix Gateway vServer. If your organization does not require any Endpoint Analysis scans than SmartAccess mode is not required, but your configuration is limited to either "show" or "hide" applications when a user connects through Citrix Gateway, nothing more.Making limited use of Citrix SmartAccess without Universal licenses - Access Policy on Delivery Group
  • Citrix Studio/Active Directory: Access Control filters on Citrix policiesMaking limited use of Citrix SmartAccess without Universal licenses - Access Control filter on Citrix PolicyAn Access Control filter determines whether or not a user policy is applied to connections made through Citrix Gateway. You can add a filter for more granular control. If you want to work with filters, SmartAccess mode needs to be enabled on the Citrix Gateway vServer. If your organization does not require any Endpoint Analysis scans than SmartAccess mode is not required, but your configuration is limited to either "apply" or "deny" policies when a user connects through Citrix Gateway, nothing more.
  • Citrix Gateway: Endpoint Analysis (EPA) scans
    If your organization requires pre-authentication scans using a Preauthentication policy or post-authentication scans (within a Session policy) then SmartAccess mode is required. For example, when trying to bind a Preauthentication policy to your vServer without SmartAccess mode enabled the following error is displayed.Making limited use of Citrix SmartAccess without Universal licenses - Preauthentication policy not allowed without SmartAccess enabled

Now let's take a look at some of the terminology used. Citrix describes SmartAccess as follows:

"SmartAccess allows you to control access to published applications and desktops on a server through the use of Citrix Gateway session policies. You use pre-authentication and post-authentication checks as a condition, along with other conditions, for access to published resources. Other conditions include anything you can control with a Citrix Virtual Apps and Desktops policy, such as printer bandwidth limits, user device drive mapping, clipboard, audio, and printer mapping. You can apply a Citrix Virtual Apps and Desktops policy based on whether or not users pass an Citrix Gateway check."

So the SmartAccess feature-set is a combination between configurations on Citrix Gateway (the Endpoint Analysis scans) and Citrix Virtual Apps and Desktops (Delivery Group Access policies and Citrix policies). As mentioned, Endpoint Analysis scans and making use of filters in an Access policy and Access Control filter require SmartAccess mode to be enabled.

Other wording that is important to understand is that if SmartAccess mode is disabled (= ICA Only set to true on the vServer) you are running in Basic Mode (also called ICA proxy).

So what do you need to configure in your environment in order for SmartAccess to work without Universal licenses?

NetScaler Gateway

The Citrix Gateway vServer itself actually does not need any configuration, assuming that an ICA session can be launched successfully via NetScaler. ICA Only can be set to true. Just be aware that you will not be able to use Endpoint Analysis scans (pre- and post-authentication).

StoreFront

Make sure that you enter a callback URL to your Citrix Gateway configuration.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix Gateway callback URL

In all fairness, when no callback URL has been configured, a very clear warning message is displayed.

Making limited use of Citrix SmartAccess without Universal licenses - NetScaler Gateway callback URL warning

Delivery Controller

Make sure that the XML Service trusts requests that are sent without explicit authentication. Enable TrustRequestsSentToTheXmlServicePort on the Delivery Controller.

To check whether or not this setting has already been enabled, open a PowerShell window on a Delivery Controller and enter the following two commands:

asnp citrix*

followed by

Get-BrokerSite

The setting TrustRequestsSentToTheXmlServicePort should be set to true.

Making limited use of Citrix SmartAccess without Universal licenses - Get TrustRequestsSentToXmlServicePort

In case it is not, execute the following two commands to enable it:

asnp citrix*

followed by

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Making limited use of Citrix SmartAccess without Universal licenses - Set TrustRequestsSentToXmlServicePort

Studio / Active Directory

Now that the prerequisites have been dealt with you can start using the SmartAccess features.

In Studio, configure an Access policy (without filters) if your organization requires it.

Making limited use of Citrix SmartAccess without Universal licenses - Access Policy on Delivery Group

In Studio or Active Directory, add an Access Control filter to a Citrix policy (without specifying filters except for the * as a wildcard for both the farm name and the access condition).Making limited use of Citrix SmartAccess without Universal licenses - Access Control filter on Citrix Policy

Do not let the Allow or Deny mode confuse you. Allow simply means that the settings in the policy are to be applied. In case the policy settings prohibit something, setting the mode to allow means that you allow the policy to prohibit something when connecting via Citrix Gateway. If you choose Deny, the settings prohibiting something will not be applied to users connecting via Citrix Gateway.

Remember that Access Control filters apply to user settings only!

Let's take a look at some examples how to use SmartAccess.

Example 1: enable drive mapping internally for all users, but not through Citrix Gateway

This configuration can be handled by one single policy.

Create a new policy and configure the settings in the File Redirection section as required in your organization.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy allow drive mapping

Add an Access Control filter and set all Citrix Gateway connections to Deny.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy allow drive mapping Access Control filter deny 2

Making limited use of Citrix SmartAccess without Universal licenses - Access Control

The result is that no local drives will be available within the user's session when connecting through Citrix Gateway. Local drives are available when connecting internally through StoreFront.

Example 2: enable drive mapping internally for all users, but not through Citrix Gateway, except for some users

This configuration requires two policies.

First we create a policy where we allow drive mapping for all users (I know that drive mapping is allowed by default. This is just an example).

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy allow drive mapping

No filter is applied.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy allow drive mapping for all users

Now we create a second policy where we prohibit all drive mapping.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy prohibit drive mapping

We will use two filters. We set one filter for connections through Citrix Gateway. Set the mode to Allow so the settings in the profile apply when connecting through Citrix Gateway.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy prohibit drive mapping for all connections through Citrix Gateway

Now add a second filter for User or Group. Add an Active Directory user group for which drive mapping through Citrix Gateway is allowed. Set the mode to Deny (because we do not want the settings within this policy to be applied to these users).

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy allow drive mapping for all connections through Citrix Gateway

This policy now has two filters:

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy prohibit drive mapping two filters

Last but not least, make sure that you set the priority correctly. The policy prohibiting the drive mapping should be higher than the one allowing it.

Making limited use of Citrix SmartAccess without Universal licenses - Citrix policy prohibit drive mapping priority

For more information on SmartAccess (and SmartControl, which I did not mention in this article on purpose) please see the following excellent articles by two esteemed Citrix CTPs:

I hope this article was of some help to you.

Share this post:
Dennis Span on EmailDennis Span on LinkedinDennis Span on Twitter
Dennis Span
Dennis Span
Dennis Span works as a Senior Citrix Architect for a large insurance company in Vienna, Austria. He holds multiple certifications such as CCE-V, CCIA and CCEA. In 2017, Dennis became a Citrix Technology Advocate (CTA). In 2019, he became a Citrix Technology Professional (CTP). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.