Making limited use of Citrix SmartAccess without universal licenses can still benefit your Citrix environment. If you are using Citrix Gateway as ICA Proxy only than this article is for you. Learn how to configure SmartAccess in a Citrix Virtual Apps and Desktop environment for users connecting through Citrix Gateway (NetScaler Gateway). You do NOT need Universal licenses to use at least some of the SmartAccess features!
Enabling the full set of SmartAccess features revolves around the ICA Only setting on a vServer.
As per Citrix:
"When set to ON, it implies Basic mode where the user can log on using either Citrix Receiver or a browser and get access to the published apps configured at the XenApp/XenDesktop environment [...]. Users are not allowed to connect using the NetScaler Gateway Plug-in and end point scans cannot be configured. The numbers of users that can log in and access the apps are not limited by the license in this mode."
Most articles on the Internet state that you have to enable SmartAccess mode (change the ICA Only setting from true to false) on the vServer in order to use SmartAccess (here for example). This is both true and not true. There are two reasons why this can be confusing:
- The features that make up SmartAccess;
- The terminology used: Basic Mode, ICA Proxy and SmartAccess (mode)
Let's take a look at the features of SmartAccess first:
- Citrix Studio: Access policy on the Delivery Group
An Access policy allows you to show or hide all applications in a Delivery Group when connecting through Citrix Gateway. You can add a filter for more granular control. If you want to work with filters, SmartAccess mode needs to be enabled on the Citrix Gateway vServer. If your organization does not require any Endpoint Analysis scans than SmartAccess mode is not required, but your configuration is limited to either "show" or "hide" applications when a user connects through Citrix Gateway, nothing more.
- Citrix Studio/Active Directory: Access Control filters on Citrix policiesAn Access Control filter determines whether or not a user policy is applied to connections made through Citrix Gateway. You can add a filter for more granular control. If you want to work with filters, SmartAccess mode needs to be enabled on the Citrix Gateway vServer. If your organization does not require any Endpoint Analysis scans than SmartAccess mode is not required, but your configuration is limited to either "apply" or "deny" policies when a user connects through Citrix Gateway, nothing more.
- Citrix Gateway: Endpoint Analysis (EPA) scans
If your organization requires pre-authentication scans using a Preauthentication policy or post-authentication scans (within a Session policy) then SmartAccess mode is required. For example, when trying to bind a Preauthentication policy to your vServer without SmartAccess mode enabled the following error is displayed.
Now let's take a look at some of the terminology used. Citrix describes SmartAccess as follows:
"SmartAccess allows you to control access to published applications and desktops on a server through the use of Citrix Gateway session policies. You use pre-authentication and post-authentication checks as a condition, along with other conditions, for access to published resources. Other conditions include anything you can control with a Citrix Virtual Apps and Desktops policy, such as printer bandwidth limits, user device drive mapping, clipboard, audio, and printer mapping. You can apply a Citrix Virtual Apps and Desktops policy based on whether or not users pass an Citrix Gateway check."
So the SmartAccess feature-set is a combination between configurations on Citrix Gateway (the Endpoint Analysis scans) and Citrix Virtual Apps and Desktops (Delivery Group Access policies and Citrix policies). As mentioned, Endpoint Analysis scans and making use of filters in an Access policy and Access Control filter require SmartAccess mode to be enabled.
Other wording that is important to understand is that if SmartAccess mode is disabled (= ICA Only set to true on the vServer) you are running in Basic Mode (also called ICA proxy).
So what do you need to configure in your environment in order for SmartAccess to work without Universal licenses?
The Citrix Gateway vServer itself actually does not need any configuration, assuming that an ICA session can be launched successfully via NetScaler. ICA Only can be set to true. Just be aware that you will not be able to use Endpoint Analysis scans (pre- and post-authentication).
Make sure that you enter a callback URL to your Citrix Gateway configuration.
In all fairness, when no callback URL has been configured, a very clear warning message is displayed.
Make sure that the XML Service trusts requests that are sent without explicit authentication. Enable TrustRequestsSentToTheXmlServicePort on the Delivery Controller.
To check whether or not this setting has already been enabled, open a PowerShell window on a Delivery Controller and enter the following two commands:
The setting TrustRequestsSentToTheXmlServicePort should be set to true.
In case it is not, execute the following two commands to enable it:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
Studio / Active Directory
Now that the prerequisites have been dealt with you can start using the SmartAccess features.
In Studio, configure an Access policy (without filters) if your organization requires it.
Do not let the Allow or Deny mode confuse you. Allow simply means that the settings in the policy are to be applied. In case the policy settings prohibit something, setting the mode to allow means that you allow the policy to prohibit something when connecting via Citrix Gateway. If you choose Deny, the settings prohibiting something will not be applied to users connecting via Citrix Gateway.
Remember that Access Control filters apply to user settings only!
Let's take a look at some examples how to use SmartAccess.
Example 1: enable drive mapping internally for all users, but not through Citrix Gateway
This configuration can be handled by one single policy.
Create a new policy and configure the settings in the File Redirection section as required in your organization.
Add an Access Control filter and set all Citrix Gateway connections to Deny.
The result is that no local drives will be available within the user's session when connecting through Citrix Gateway. Local drives are available when connecting internally through StoreFront.
Example 2: enable drive mapping internally for all users, but not through Citrix Gateway, except for some users
This configuration requires two policies.
First we create a policy where we allow drive mapping for all users (I know that drive mapping is allowed by default. This is just an example).
No filter is applied.
Now we create a second policy where we prohibit all drive mapping.
We will use two filters. We set one filter for connections through Citrix Gateway. Set the mode to Allow so the settings in the profile apply when connecting through Citrix Gateway.
Now add a second filter for User or Group. Add an Active Directory user group for which drive mapping through Citrix Gateway is allowed. Set the mode to Deny (because we do not want the settings within this policy to be applied to these users).
This policy now has two filters:
Last but not least, make sure that you set the priority correctly. The policy prohibiting the drive mapping should be higher than the one allowing it.
For more information on SmartAccess (and SmartControl, which I did not mention in this article on purpose) please see the following excellent articles by two esteemed Citrix CTPs:
- Carl Stalhood: SmartAccess / SmartControl – NetScaler Gateway 12
- George Spiers: SmartControl and SmartAccess
I hope this article was of some help to you.