Smart Access Control Policy Not Working on XenApp Server


Article ID: CTX217424


Description

A customer was launching a Citrix session and trying to copy data from the Citrix session to the clipboard on their local machine.

They have a Smart Access policy on the XenApp server to block this clipboard functionality when traffic is coming from Access Gateway (Citrix Gateway).

Resolution

XenApp was not detecting that this Citrix session was from a Citrix Gateway.

In the XenApp server registry there is a value, 'AGinUse', which should be set when the session is being proxied through a Citrix Gateway for ICA. This was not observed.

Usually, during session brokering, StoreFront tells XenApp that a session originates from Citrix Gateway. StoreFront uses the callback URL configured on the Citrix Gateway object that is defined within StoreFront and bound to the Store; if the callback gets a response, the session is known to come from Citrix Gateway.

The callback connection will look similar to this:

POST /CitrixAuthService/AuthService.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.18408)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://citrix.com/SecureAccessManager/AuthenticationService/V3.0/GetAccessInformation"
Host: nsg.repro.lab
Content-Length: 475
Expect: 100-continue
Connection: Keep-Alive
 
HTTP/1.1 100 Continue
 
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetAccessInformation xmlns="http://citrix.com/SecureAccessManager/AuthenticationService/V3.0"><sessionId>c3cdd88dc158a49c75d8745840360541</sessionId><username>administrator</username><domain>repro</domain></GetAccessInformation></soap:Body></soap:Envelope>
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/xml; charset=utf-8
Connection: close
 
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetAccessInformationResponse xmlns="http://citrix.com/SecureAccessManager/AuthenticationService/V3.0"><GetAccessInformationResult><StatusCode>0</StatusCode><StatusString>Success</StatusString>
<ClientAddress>10.107.100.133</ClientAddress><FarmName>NSG_repro</FarmName><FarmId>10.107.100.138</FarmId><MpsAccessMode>Direct</MpsAccessMode><SmartAccessConditions><string>NSG_repro_policyns_true</string><string>SETVPNPARAMS_POL</string>
</SmartAccessConditions></GetAccessInformationResult></GetAccessInformationResponse></soap:Body></soap:Envelope>
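When checking a network trace for this callback, the response can be parsed to confirm that the gateway answered and which Smart Access conditions it returned. The Python below is an added example, not part of the original article or any Citrix tooling; the names `parse_callback_response`, `callback_returned_conditions` and `SAMPLE_RESPONSE` are hypothetical, and treating StatusCode 0 plus at least one condition as a healthy callback is an assumption based on the capture above.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the capture above.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "sam": "http://citrix.com/SecureAccessManager/AuthenticationService/V3.0"}
RESULT = "soap:Body/sam:GetAccessInformationResponse/sam:GetAccessInformationResult"

# Sample input: the response body from the capture above, joined onto one
# string with the unused xsi/xsd namespace declarations trimmed.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<GetAccessInformationResponse xmlns="' + NS["sam"] + '">'
    '<GetAccessInformationResult><StatusCode>0</StatusCode>'
    '<StatusString>Success</StatusString>'
    '<ClientAddress>10.107.100.133</ClientAddress><FarmName>NSG_repro</FarmName>'
    '<FarmId>10.107.100.138</FarmId><MpsAccessMode>Direct</MpsAccessMode>'
    '<SmartAccessConditions><string>NSG_repro_policyns_true</string>'
    '<string>SETVPNPARAMS_POL</string></SmartAccessConditions>'
    '</GetAccessInformationResult></GetAccessInformationResponse>'
    '</soap:Body></soap:Envelope>'
)

def parse_callback_response(body):
    """Extract the result fields from a GetAccessInformationResponse body."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        result = ET.fromstring(body).find(RESULT, NS)
    except ET.ParseError as exc:
        raise ValueError(f"body is not XML: {exc}") from exc
    if result is None:
        # Something other than the callback service answered (error page, SOAP fault).
        raise ValueError("no GetAccessInformationResult in body")

    def field(tag):
        return (result.findtext(f"sam:{tag}", default="", namespaces=NS) or "").strip()

    strings = result.findall("sam:SmartAccessConditions/sam:string", NS)
    return {"status_code": int(field("StatusCode") or -1),
            "status_string": field("StatusString"),
            "farm_name": field("FarmName"),
            "access_mode": field("MpsAccessMode"),
            "conditions": [s.text.strip() for s in strings if s.text and s.text.strip()]}

def callback_returned_conditions(info):
    """Assumed triage rule: success status and at least one condition returned."""
    return info["status_code"] == 0 and bool(info["conditions"])

if __name__ == "__main__":
    print(parse_callback_response(SAMPLE_RESPONSE))
```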

Problem Cause

On checking the StoreFront configuration, it was noted that no callback URL was defined for the Citrix Gateway in use. After the callback URL was configured to point to a Citrix Gateway vServer on the appliance, and it was confirmed that the StoreFront servers could reach it over HTTPS, the Smart Access policies began working as expected when establishing new Citrix sessions.