Citrix Gateway

Configuring SmartControl

SmartControl allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops on Citrix Gateway. SmartControl allows administrators to manage these policies from a single location, rather than at each instance of these server types.

SmartControl is implemented through ICA policies on Citrix Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment.

The following table lists the user environment attributes that SmartControl can enforce:

| Attribute | Description |
| --- | --- |
| ConnectClientDrives | Specifies the default connection to the client drives when the user logs on. |
| ConnectClientLPTPorts | Specifies the automatic connection of LPT ports from the client when the user logs on. LPT ports are the Local Printer Ports. |
| ClientAudioRedirection | Specifies the applications hosted on the server to transmit audio through a sound device installed on the client computer. |
| ClientClipboardRedirection | Specifies and configures clipboard access on the client device and maps the clipboard on the server. |
| ClientCOMPortRedirection | Specifies the COM port redirection to and from the client. COM ports are the COMmunication ports. COM ports are serial ports. |
| ClientDriveRedirection | Specifies the drive redirection to and from the client. |
| Multistream | Specifies the multistream feature for specified users. |
| ClientUSBDeviceRedirection | Specifies the redirection of USB devices to and from the client (workstation hosts only). |
| Localremotedata | Specifies the HTML5 file upload download capability for the Citrix Workspace app. |
| ClientPrinterRedirection | Specifies the client printers to be mapped to a server when a user logs on to a session. |

Policies

An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete
  • Show Bindings
  • Policy Manager
  • Action

Add

  1. Go to Citrix Gateway > Policies and then click ICA.

    Select ICA

  2. In the details pane, on the Policies tab, click Add.

  3. In the Name dialog box, type a name for the policy.

    Policy name

  4. Next to Action do one of the following:

    • Click the > icon to select an existing action. For details, see Select an action under Common Processes.
    • Click the + icon to create an action. For details, see Create a new action under Common Processes.
    • The pencil icon is disabled.
  5. Create an expression.

  6. Create a Log Action. For more details, see Create a Log Action.

  7. Enter a message into the Comments box. The comment writes to the message log. This field is optional.

  8. Click Create.

Edit

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the ICA policy from the list.

  3. In the details pane, on the Policies tab, click Edit.

  4. Verify the policy name.

    Validate policy name

  5. To revise the Action do one of the following:

    • Click the > icon to revise an existing Action. For details, see Select an action under Common Processes.
    • Click the + icon to create an Action. For details, see Create a new action under Common Processes.
    • Click the pencil icon to revise the Access Profile.
  6. Revise the Expression as desired. For details, see Expressions under Common Processes.

  7. To revise the Log Action do one of the following:

    • Click the + to create a Log Action.

    • Click the pencil icon to configure an Audit Message.

  8. Revise the comments as desired.

  9. Click OK.

Delete

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the desired ICA policy from the list.

  3. In the details pane, on the Policies tab, click Delete.

  4. Confirm that you want to delete the policy by clicking Yes.

Show Binding

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the ICA policy from the list.

  3. In the details pane, on the Policies tab, click Show Bindings.

Policy Manager

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. Select the desired ICA policy from the list.

  3. In the details pane, on the Policies tab, click Policy Manager.

  4. From the Bind Point dialog box, select one of the following policies.

    • Override Global
    • VPN Virtual Server
    • Cache Redirection Virtual Server
    • Default Global
  5. From the Connection Type dialog box, select a binding policy from the menu.

  6. If you select either the VPN Virtual Server or the Cache Redirection Virtual Server, you connect to the server using the menu.

  7. Click Continue.

    ICA policy configuration page

Add Binding

  1. After selecting Continue, this screen appears.

  2. Select a Policy to attach the Binding.

  3. Select Add Binding.

    Add binding page

Policy Binding

1. After selecting Done, this screen appears.

Unbind Policy

  1. Select the policy you want to unbind, and click the Unbind button.

    Unbind policy

  2. Click Done.

  3. Click the Yes button on the pop-up screen to confirm that you desire to unbind the selected entity.

Bind NOPOLICY

  1. Select the policy that requires NOPOLICY, and click the Bind NOPOLICY button.

    Bind `Nopolicy`

  2. Click Done.

Edit

You can edit from the ICA Policy Manager.

  1. Select the policy you want to edit, and select Edit.

    Edit ICA policy

  2. You can make the following edits: Edit Binding, Edit Policy, Edit Action.

    Policy edits

Edit Binding

  1. With the policy selected, click Edit Binding.

  2. Verify that you are editing the desired policy. This Policy Name is not editable.

    Edit policy binding

  3. Set the Priority as desired.

  4. Set Goto Expression as desired.

  5. Click the Bind button.

Edit Policy

  1. With the policy selected, click Edit Policy.

  2. Verify the policy Name to ensure you are editing the desired policy. This field is not editable.

    Edit policy

  3. To revise the Action policy, do one of the following:

    • Click the > icon to select an existing Action. For details, see Select an action under Common Processes.
    • Click the + icon to create an action. For details, see Create a new action under Common Processes.
    • Click the pencil icon to revise the Access Profile. For details, see Select an existing Access Profile under Common Processes.
  4. Revise the Expression as desired. For more details, see Expressions under Common Processes.

  5. Select the desired type of message from the menu. To create a Log Action, do one of the following:

  6. Enter comments about the ICA Policy.

  7. Click OK when the edit is complete.

Edit Action

  1. With the policy selected, click Edit Action.

  2. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

  3. Next to Access Profile do one of the following:

    • Click the > icon to select a different Access Profile. For details, see Configure Action.
    • Click the + icon to select a new Channel Profile. See Create an Access Profile.
    • Click the pencil icon to revise the Access Profile. For details, see Select an existing Access Profile under Common Processes.
  4. Click OK.

    Edit action

Action

The Policies > Action commands are used to rename the action.

  1. Select the desired ICA Action from the list.

  2. On the ICA Policies tab, click Action. Select Rename from the menu.

    Rename action page

  3. Rename the action.

  4. Click OK.

Action

An Action connects a policy with an Access Profile. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete
  • Action

Add

  1. Go to Citrix Gateway > Action and then click ICA.

    ICA page

  2. In the details pane, on the Action tab, click Add.

    Add action

    • Click the > icon to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.

    • Click the + icon to create an Access Profile. For details, see Create an Access Profile.

    • The pencil icon is disabled for this screen.

  3. Click Create.

    Create action

Edit

  1. Select the desired ICA policy from the list.

    Select ICA policy

  2. In the details pane, on the Action tab, click Edit.

Configure Action

  1. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

  2. Next to Access Profile do one of the following:

    • Click the > to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.
    • Click the + to create an Access Profile. For details, see Create an Access Profile.
    • Click the pencil icon to Configure Access Profile.
  3. Click OK.

    Configure action

Delete

  1. Go to Citrix Gateway > Action and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Delete.

    Delete action

  4. Confirm the Action you want to delete by clicking Yes.

Action

The ICA Action > Action commands are used to rename the action.

  1. Go to Citrix Gateway > Action and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Action.

    Action page

  4. Select Action > Rename from the menu.

  5. Rename the action.

  6. Click OK.

Access Profiles

An ICA profile defines the settings for user connections.

Access profiles specify the actions that are applied to a user’s Citrix Virtual Apps and Desktops environment ICA if the user device meets the policy expression conditions. You can use the GUI to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can only use one profile with a policy.

You can create Access Profiles independently of an ICA policy. When you create the policy, you can select the access profile to attach to the policy. An Access Profile specifies the resources available to a user. The following commands are available from the Policies tab:

  • Add
  • Edit
  • Delete

Creating an Access Profile with the GUI

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. In the details pane, click the Access Profiles tab and then click Add.

  3. Configure the settings for the profile, click Create, and then click Close. After you create a profile, you can include it in an ICA policy.

Add an Access Profile to a policy using the GUI

  1. Go to Citrix Gateway > Policies and then click ICA.

  2. On the Policies tab, do one of the following:

    • Click Add to create an ICA policy.

    • Select a policy and then click Open.

  3. In the Action menu, select an Access Profile from the list.

  4. Finish configuring the ICA policy and then do one of the following:

    • Click Create and then click Close to create the policy.

    • Click OK and then click Close to modify the policy.

Add

  1. Go to Citrix Gateway > Policies and then click ICA.

    Add ICA page

  2. In the details pane, on the Access Profiles tab, click Add.

    Add ICA

  3. In Name, type a name for the Access Profile.

    Add access profile name

  4. Select Default or Disable from the menus shown to create the Access Profile.

  5. Click Create.

Edit

  1. Select the Access Profile you want to edit.

  2. In the details pane, on the Access Profiles tab, click Edit.

Edit access profile

Configure Access Profile

  1. Verify that the Name is the one you want to revise.

    Configure access profile

  2. Select Default or Disable from the menu to configure as required.
  3. Click OK.

Delete

  1. Go to Citrix Gateway > Action, and then click ICA.

  2. Select the desired ICA Action from the list.

  3. In the details pane, on the Action tab, click Delete.

    Delete ICA

  4. Confirm the Access Profile you want to delete by clicking Yes.

Common Processes

Create an action

  1. Type a Name for the Action.

  2. Select one of the following to supply the Access Profile:

    • Click the > to select an existing Access Profile. For details, see Select an existing Access Profile under Common Processes.

    • Click the + to create an Access Profile. For details, see Create an Access Profile.

    • The pencil icon is disabled.

  3. Click Create.

    Create action page

Select an action

  1. Select an Action by clicking the radio button to the left of it. The associated Access Profile specifies the allowed user functions.

  2. Click the Select button.

    Select an action

Create an Access Profile

  1. Name the Access Profile.

    Access profile name

  2. You can configure the Access Profile from this menu.

  3. Click Create.

Select an existing Access Profile

  1. Select an Access Profile by clicking it.

    Select access profile

  2. Click Edit.

  3. Configure the Access Profile. For details, see Configure Access Profile.

Expressions

  1. To create or revise an existing Expression, select Clear.

    The expressions are the typical ICA Expressions. For the HTTP expressions, enter the name with the "" and remove the ().

    | Expression | Description |
    | --- | --- |
    | `ICA.SERVER.PORT` | This expression checks that the port specified matches the port number on the Citrix Virtual Apps and Desktops that the user is attempting to connect. |
    | `ICA.SERVER.IP` | This expression checks that the IP specified matches the IP address on the Citrix Virtual Apps and Desktops that the user is attempting to connect. |
    | `HTTP.REQ.USER.IS_MEMBER_OF("").NOT` | This expression checks that the current connection is accessed by a user that is NOT a member of the specified group name. |
    | `HTTP.REQ.USER.IS_MEMBER_OF("group name")` | This expression checks that the user accessing the current connection is a member of the specified group. |
    | `HTTP.REQ.USER.NAME.CONTAINS("").NOT` | This expression checks that the user accessing the current connection is NOT a member of the specified group. |
    | `HTTP.REQ.USER.NAME.CONTAINS("enter user name")` | Specifies the resources for a user name. This expression checks that the current connection is accessed by the specified name. |
    | `CLIENT.IP.DST.EQ(enter the IP address here).NOT` | This expression checks that the destination IP of the current traffic is NOT equal to the specified IP address. |
    | `CLIENT.IP.DST.EQ(enter the IP address here)` | This expression checks that the destination IP of the current traffic is equal to the specified IP address. |
    | `CLIENT.TCP.DSTPORT.EQ(enter port number).NOT` | This expression checks that the destination port is NOT equal to the specified port number. |
    | `CLIENT.TCP.DSTPORT.EQ(enter port number)` | This expression checks that the destination port is equal to the specified port number. |

  2. Press Control and the Spacebar simultaneously. Your options are then visible.

    Expression dialog

  3. Type the period. Make your selection, and press the Spacebar.
  4. At each period of the expression in the previous table, type the period. Make your selection, and press the Spacebar.
  5. Click OK.

Expression

Group Identification

The preauthentication or session functions define the expression with a group name variable.

Preauthentication

  1. Select Preauthentication from the configuration pane.

Select a `preauth` policy

  1. Select a name from the Preauthentication Policies.

  2. Select Edit from the Preauthentication Policies tab.

    Preauthentication Policies tab

  3. Select the pencil icon or + next to the Request Action dialog box.

    Edit

  4. Define the (“<groupname>”) in the Default EPA Group dialog box.

    EPA group

Session

  1. Select Session from the configuration pane.

Session option

Create a Log Action

  1. In the Configure Policy screen, next to the Log Action dialog box, select the + icon.

Log action page

Create Audit Message Action

  1. The Create Audit Message Action screen appears. Name the Audit Message. The Audit message only accepts numbers, letters, or an underscore character.

  2. From the menu specify the Audit Log Level.

    | Level | Description |
    | --- | --- |
    | Emergency | Events that indicate an immediate crisis on the server. |
    | Alert | Events that might require action. |
    | Critical | Events that indicate an imminent server crisis. |
    | Error | Events that indicate some type of error. |
    | Warning | Events that require action soon. |
    | Notice | Events that the administrator must know about. |
    | Informational | All but low-level events. |
    | Debug | All events, in extreme detail. |

  3. Enter an Expression. The Expression defines the format and content of the log.

  4. The check boxes:

    • Check Log in newnslog to send the message to a new ns log.
    • Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
  5. Click Create.

Create audit message action

Revise a Log Action

  1. In the Configure Policy screen, next to the Log Action dialog box click the icon.

    Configure policy

Configure Audit Message Action

The following are editable fields:

  1. From the menu specify the Audit Log Level.

  2. Enter an Expression. The Expression defines the format and content of the log.

  3. The check boxes:

    • Check Log in newnslog to send the message to a new ns log.

    • Select Bypass Safety Check to bypass the safety check. This allows unsafe expressions.

  4. Click OK.

    Config audit message page

Select an existing policy

  1. Click the > icon to select an existing policy.

    Policy page

  2. Select the radio button of the desired policy.

    Select a policy

Create a policy

  1. In Name, type a name for the policy.
  2. Click the + to create a policy.

    Create policy

  3. Create an Action. For details, see Create a new action.

  4. Name the Access Profile.

    Access profile name

  5. Configure the Access Profile from this menu.
  6. Click Create.
  7. Click Bind.

    Binding page

Configuring pre-authentication and post-authentication end point analysis

This section describes how to configure post-authentication and pre-authentication end point analysis (EPA).

To configure post-authentication EPA with SmartControl, use the Smartgroup parameter from the VPN session action. The EPA expression is configured on the VPN session policy.

You can specify a group name for the smart group parameter. This group name can be any string. The group name does not need to be an existing group on the active directory.

Configure the ICA policy with the expression HTTP.REQ.USER.IS_MEMBER_OF("groupname"). Use the group name that was previously specified for the smart group.

To configure pre-authentication EPA with SmartControl use the Default EPA group parameter from the pre-authentication profile. The EPA expression is configured on the pre-authentication policy.

You can specify a group name for the Default EPA group parameter. This group name can be any string. The group name does not need to be an existing group on the active directory.

Configure the ICA policy with the expression HTTP.REQ.USER.IS_MEMBER_OF("groupname"). Use the group name that was previously specified for the Default EPA Group.
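
An added example (not from the Citrix documentation): because the Smartgroup and Default EPA Group values are arbitrary strings that need not exist in the directory, a mistyped name in an ICA policy expression goes unnoticed. This Python check cross-references the two, using the HTTP.REQ.USER.IS_MEMBER_OF form from the expression table; the profile names, policy names and dict layout are constructed for illustration, and exact string matching of group names is an assumption.

```python
import re

# IS_MEMBER_OF("<group>") with straight or typographic quotes and an optional .NOT suffix.
MEMBER_OF = re.compile(
    r'HTTP\.REQ\.USER\.IS_MEMBER_OF\(\s*["\u201c]([^"\u201d]*)["\u201d]\s*\)(\s*\.NOT)?',
    re.IGNORECASE,
)


def groups_in_expression(expression):
    """Return (group, negated) for each IS_MEMBER_OF test in an ICA policy expression."""
    return [(m.group(1), bool(m.group(2))) for m in MEMBER_OF.finditer(expression)]


def audit_epa_groups(smart_groups, default_epa_groups, ica_policies, directory_groups=()):
    """Cross-check EPA group names against the groups that ICA policies test for.

    smart_groups:       {session profile name: Smartgroup value}
    default_epa_groups: {preauthentication profile name: Default EPA Group value}
    ica_policies:       {ICA policy name: expression}
    directory_groups:   real directory groups that policies may also reference
    Returns a sorted list of (severity, subject, message) tuples.
    """
    epa = {g: f"session profile {p}" for p, g in smart_groups.items() if g}
    epa.update({g: f"preauthentication profile {p}"
                for p, g in default_epa_groups.items() if g})
    known = set(epa) | set(directory_groups)
    folded = {g.strip().casefold(): g for g in epa}
    findings, referenced = [], set()

    for policy, expression in ica_policies.items():
        for group, negated in groups_in_expression(expression):
            key = group.strip().casefold()
            if not key:
                findings.append(("error", policy, "IS_MEMBER_OF has an empty group name"))
            elif group in known:
                referenced.add(group)
            elif key in folded:
                findings.append(("error", policy,
                                 f"group {group!r} differs from EPA group "
                                 f"{folded[key]!r} only by case or spacing"))
            else:
                # No EPA profile assigns this group, so membership is never true.
                effect = "always" if negated else "never"
                findings.append(("warning", policy,
                                 f"group {group!r} is set by no EPA profile; "
                                 f"this test {effect} matches"))

    for group, origin in epa.items():
        if group not in referenced:
            findings.append(("info", origin,
                             f"EPA group {group!r} is not used by any ICA policy"))
    return sorted(findings)


# Constructed sample configuration (all names are illustrative).
SMART_GROUPS = {"sess_prof_epa": "EPA_Compliant"}
DEFAULT_EPA_GROUPS = {"preauth_prof_av": "PreauthPassed"}
ICA_POLICIES = {
    "ica_allow_clipboard": 'HTTP.REQ.USER.IS_MEMBER_OF("EPA_Compliant")',
    "ica_block_drives": 'HTTP.REQ.USER.IS_MEMBER_OF("epa_compliant ").NOT',
    "ica_block_usb": 'HTTP.REQ.USER.IS_MEMBER_OF("PostEPA").NOT',
    "ica_port_check": "CLIENT.TCP.DSTPORT.EQ(443)",
}

if __name__ == "__main__":
    for severity, subject, message in audit_epa_groups(
            SMART_GROUPS, DEFAULT_EPA_GROUPS, ICA_POLICIES):
        print(f"{severity:8} {subject}: {message}")
```

A `.NOT` test against a group that no EPA profile assigns matches every user, so a restrictive profile bound that way applies to compliant and non-compliant endpoints alike.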

Post-authentication configuration

Use the following procedure to set up smart groups for Post-authentication configuration.

  1. Go to Citrix Gateway > Policies > Session.

    Sessions page

  2. Go to Session Profiles > Add.

    Add session

Create Citrix Gateway Session Profile

  1. Select the Security tab.

  2. Enter a Name for your Citrix Gateway Profile (action).

  3. Select the box to the right of the menu and select the desired Default Authorization Action.

    Specify the network resources that users have access to when they log on to the internal network. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access. If you set the default authorization policy to DENY, you must explicitly authorize access to any network resource, which improves security.

  4. Select the box to the right of the menu and select the desired Secure Browse.

    Allow users to connect through Citrix Gateway to network resources from iOS and Android mobile devices with Citrix Workspace app. Users do not need to establish a full VPN tunnel to access resources in the secure network.

  5. Select the box to the right of the menu and enter the Smartgroup name.

    This is the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy does the post authentication EPA check and if the check succeeds the user is placed in the group specified with a smart group. The is_member_of (http.req.user.is_member_of) expression can then be used with policies to check if the EPA has passed on the user belonging to this smart group.

  6. Click Create.

  7. Go to Citrix Gateway > Policies > Session.

  8. Go to Session Policies > Add.

  9. Enter the Name for the new session policy that is applied after the user logs on to Citrix Gateway.

  10. Select the Profile action using the menu.

    The Action applied by the new session policy if the rule criterion is met.

    Note: If the desired profile must be created, select the +. For more details, see Create Citrix Gateway Session Profile.

  11. Enter Expression in this field.

    This field defines the named expression that specifies the traffic that matches the policy. The expression can be written in either default or classic syntax. The maximum length of a literal string for the expression is 255 characters. A longer string can be split into smaller strings of up to 255 characters each, and the smaller strings concatenated with the + operator. For example, you can create a 500-character string as follows: '"<string of 255 characters>" + "<string of 245 characters>"'

    The following requirements apply only to the Citrix ADC CLI:

    • If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
    • If the expression itself includes double quotation marks, escape the quotations by using the \ character. Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.
  12. Click Create.

  13. Go to Session Policies.

  14. Select the Name of the Session Policy.

  15. Select Global Bindings from the Action menu.

  16. Select Add Binding.

  17. Select the > to choose an existing policy.

    Note: Select + to create a policy. For more details, see section Create Citrix Gateway Session Profile.

  18. Choose a name from the list and press the Select button.

  19. Enter the Priority and click Bind.

  20. Click Done.

  21. The check shows that your selection is Globally Bound.

    Session policy page

Pre-authentication configuration

Use the following procedure to set up the pre-authentication configuration.

  1. Go to Citrix NetScaler > Policies > Preauthentication.

    Preauthentication page

  2. Select the Preauthentication Profiles tab and select Add.

    Add `preauth` profile

  3. Enter the Name for the preauthentication action.

    The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after preauthentication action is created.

    Note: The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks.

  4. Select a Request Action that the policy is to invoke when a connection matches the policy.

    Note: If you want to create a Preauthentication Profile, select the +. For more information, see Create Preauthentication Profile.

  5. Enter an Expression that is the name of the Citrix ADC named rule, or default syntax expression that defines the connections that match the policy.

  6. Click Create.

  7. Go to the Preauthentication Policies tab and select the desired policy.

  8. Select Global Binding from the Action menu.

  9. Select Add Bindings.

  10. Select the > to select an existing policy.

    Select + to create a policy. For more details, see Create Citrix Gateway Session Profile.

  11. Select Policy.

  12. Enter the Priority and click Bind.

  13. Click Done.

  14. The check shows that the Preauthentication Policy is Globally Bound.

Create Preauthentication Profile

  1. Enter the Name for the preauthentication action.

    The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after preauthentication action is created.

    Note: If the name includes one or more spaces, enclose the name in double or single quotation marks. This is applicable only to the Citrix ADC CLI.

  2. Enter the Action from the menu.

    This option will Allow or Deny logon after endpoint analysis (EPA) results.

  3. Processes to be Canceled

    This option identifies a series of processes that the endpoint analysis (EPA) tool must terminate.

  4. Files to be deleted

    This option identifies a string specifying the paths and names of the files that the endpoint analysis (EPA) tool must delete.

  5. Default EPA Group

    The default EPA group is the group that is chosen when the EPA check succeeds.

  6. Click Create.