Smart Access Guide for NetScaler Gateway, StoreFront and XenDesktop

Article ID: CTX227055

Description

NetScaler Smart Access is an advanced feature of NetScaler Gateway. It is typically needed in the following two scenarios:

  1. NetScaler End Point Analysis (EPA) is used.

  2. A user’s app/desktop visibility must be restricted when the session comes from NetScaler Gateway.

In this document I will focus on scenario 2, using StoreFront + XenDesktop as the example. For XenApp, please refer to CTX138110 - How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance for Use with XenApp.

End Point Analysis (EPA) is covered in detail at https://support.citrix.com/pages/netscaler-gateway-epa

Important: Smart Access consumes NetScaler Gateway user (Universal) licenses. Each user session in Smart Access mode occupies one gateway user license; ICA-only mode does not.

User-added image

Topics

  1. Configuration
  2. Detailed workflow and principle
  3. Case sharing
  4. Troubleshooting & hints

1) Configuration

NetScaler

The NetScaler Gateway side is simple: enable Smart Access mode on the gateway virtual server. As soon as Smart Access mode is enabled, every session on that virtual server consumes a gateway user license.

User-added image

ICA Only: checked means Smart Access is disabled (ICA proxy mode only); unchecked means Smart Access is enabled. Leave it unchecked.

StoreFront

StoreFront needs a Callback URL configured on its NetScaler Gateway object.

User-added image

Note: The NetScaler Gateway virtual server must be HTTPS, StoreFront must be able to reach the NetScaler Gateway FQDN used in the callback URL, and StoreFront must trust the certificate the gateway presents. Otherwise users get the error “Cannot complete your request”.
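The three conditions in the note above can be checked from the StoreFront server before enabling the callback. The following script is an added example, not part of the original article; the FQDN nssf.donnie.com is an assumption derived from the virtual server name “_XD_nssf.donnie.com”, so substitute the host part of your own callback URL.

```powershell
# Added example (not from the article): run on the StoreFront server.
# Checks the callback prerequisites: the gateway FQDN resolves, TCP 443 is
# reachable, and the certificate chain the gateway presents is trusted by this
# server's certificate store (the same trust decision StoreFront's .NET stack
# makes when it calls back).

function Test-GatewayCallback {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $r = [ordered]@{ Fqdn = $GatewayFqdn; Resolves = $false; TcpOpen = $false
                     CertTrusted = $false; Subject = $null; Error = $null }

    # 1. DNS: the callback URL carries the FQDN, so StoreFront must resolve it.
    try {
        $r.Resolves = ([System.Net.Dns]::GetHostAddresses($GatewayFqdn)).Count -gt 0
    } catch {
        $r.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. TCP: the callback goes to the gateway virtual server over HTTPS.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($GatewayFqdn, $Port)
        $r.TcpOpen = $true
    } catch {
        $r.Error = "TCP: $($_.Exception.Message)"
        $tcp.Dispose()
        return [pscustomobject]$r
    }

    # 3. TLS: let .NET validate chain and host name with its default policy.
    #    A gateway certificate issued by a CA that is missing from this server's
    #    Trusted Root store fails here with an AuthenticationException.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $r.CertTrusted = $true
        $r.Subject     = $ssl.RemoteCertificate.Subject
    } catch {
        $r.Error = "TLS: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
    [pscustomobject]$r
}

# Assumed FQDN; use the host name from your StoreFront callback URL.
Test-GatewayCallback -GatewayFqdn 'nssf.donnie.com' | Format-List
```

If CertTrusted is False while a browser on another machine shows the gateway as trusted, the issuing CA is simply not in the Local Computer Trusted Root store of the StoreFront server; importing it there (or replacing the gateway certificate with one chained to a CA the server already trusts) resolves the “Cannot complete your request” error.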

DDC

The DDC configuration is the most involved part, because the access policies are evaluated here. Complex cases are covered in section 3; this section uses a simple example.

For user sessions from NetScaler Gateway, the user can see the desktop “New Desktop” only when the session is handled by virtual server “_XD_nssf.donnie.com” and hits policy “PL_WB_10.107.197.243” on NetScaler.

  1. Enable Trust XML requests on the site. Without it, the DDC ignores the Farm and Filter values that StoreFront sends.
    User-added image

  2. Right-click the delivery group “New Desktop”, click “Edit Delivery Group” and open the access policy.
    Farm: the NetScaler Gateway virtual server name (_XD_nssf.donnie.com).
    Filter: the NetScaler Gateway policy name (PL_WB_10.107.197.243).

    User-added image

 


2) Detailed Workflow and Principle

User-added image

This figure is from section “2.3. Get the App List” of the article “NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow”. Please check that document for the details of steps a to g. Here I focus on c and d.

c. Callback. This is where the callback address configured on StoreFront is used. After StoreFront receives the user’s credentials from NetScaler Gateway, it calls back to NetScaler to retrieve more information about the session: the virtual server name and the names of the policies the session hit.

User-added image

<FarmName>: corresponds to the “Farm” field configured in the DDC’s access rule.
<String>: corresponds to the “Filter” field configured in the DDC’s access rule.

Note: There may be multiple <String> entries, because one session can hit multiple policies on NetScaler Gateway. All the hit policies’ names are listed, including policies whose action was not applied.

d. StoreFront POSTs the Farm and String values to the DDC over the XML service port.

User-added image

The DDC then checks these values against its access policy rules and returns the list of apps/desktops the client is allowed to see.


3) Case Sharing

Case 1: Sessions from NetScaler Gateway must not see “New Desktop”

Configuration:

Method 1: Uncheck “Connections through NetScaler Gateway” in the delivery group’s access policy.

User-added image

Method 2: Configure a virtual server name that does not exist as the Farm. No callback will ever return that FarmName, so the rule never matches.

User-added image

Either method works.

Case 2: If the session is from NetScaler Gateway and the virtual server’s name is “_XD_nssf.donnie.com”, the user can see “New Desktop”. The policy name is not checked.

Configuration:

Use the virtual server name as the Farm and the wildcard * as the Filter.

User-added image

Case 3: For the delivery group “New Desktop”, sessions from NetScaler Gateway can see the desktop according to the following rules:

User                          Client machine                       Sees “New Desktop”
Domain users except “temp”    Any                                  Yes
temp                          Joined to domain “DONNIE”            Yes
temp                          Not joined to domain “DONNIE”        No

This case is a little more complicated. An EPA (preauthentication) policy on NetScaler detects whether the machine is domain-joined, and the DDC access policies then use that policy name as the Filter.

Configuration:

NetScaler

  1. Create a preauthentication policy on NetScaler that matches domain-joined machines. Action: Allow.
    User-added image

  2. Create a second preauthentication policy for machines that are not domain-joined. Action: also Allow; otherwise those PCs would be rejected by NetScaler at logon instead of being filtered on the DDC.
    User-added image

  3. Bind both policies to the virtual server. The policy names are what the callback returns as <String> values, so they become the Filter part of the DDC access rules.

DDC

By default there is only one access policy rule for the delivery group’s gateway connections, the one configured in Studio in section 1. It can also be viewed and configured with the Citrix Broker PowerShell cmdlets on the DDC.

User-added image

The Smart Access condition is the “IncludedSmartAccessTags” property. Its format is “Farm:Filter”, i.e. virtual server name:policy name.

Configure it with the following steps.

  1. Restrict the existing rule to user temp on a domain-joined machine: Farm is the virtual server name, Filter is the name of the preauthentication policy that matches domain-joined machines.
    User-added image
    After this step, no other user can see this desktop, so a new rule is needed for all other users.

  2. Add a new access policy rule for the “New Desktop” delivery group. The output of the previous step shows that the DesktopGroupUid of this delivery group is 4:
    User-added image

  3. Enable this rule and set it for Domain Users.
    User-added image

  4. Configure this rule so that it only takes effect for sessions from NetScaler Gateway.
    User-added image

  5. Exclude temp from this rule, so that temp is governed only by the first rule.
    User-added image
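The five steps above, and the simpler single-policy rule from section 1, written as Citrix Broker PowerShell SDK commands. This is an added example, not the article’s own script. The virtual server name, the DesktopGroupUid 4 and the user temp come from the article; the EPA policy name, the domain-qualified account names and the new rule’s name are assumptions and are marked as such.

```powershell
# Added example (not from the article): Case 3 access policy rules built with
# the Citrix Broker SDK. Run in an elevated PowerShell on a DDC.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue

$Farm        = '_XD_nssf.donnie.com'       # gateway vserver name (from the article)
$GroupUid    = 4                           # DesktopGroupUid of "New Desktop" (from the article)
$JoinedPol   = 'PL_EPA_DomainJoined'       # ASSUMPTION: name of the preauth policy matching domain-joined PCs
$TempUser    = 'DONNIE\temp'               # ASSUMPTION: account name format
$DomainUsers = 'DONNIE\Domain Users'       # ASSUMPTION: account name format
$RuleName    = 'New Desktop_AG_DomainUsers' # ASSUMPTION: name for the second rule

# Prerequisite from section 1: without trusted XML requests the DDC ignores the
# Farm/Filter values StoreFront posts and every SmartAccess filter fails.
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

# Step 1: the existing gateway rule becomes "temp, via gateway, only when the
# session carries the domain-joined tag". Tag format is Farm:Filter, i.e.
# vserver name : policy name; section 1's example uses exactly this shape.
$agRule = Get-BrokerAccessPolicyRule -DesktopGroupUid $GroupUid |
          Where-Object { $_.AllowedConnections -eq 'ViaAG' }
Set-BrokerAccessPolicyRule -InputObject $agRule `
    -AllowedUsers Filtered `
    -IncludedUserFilterEnabled $true -IncludedUsers @($TempUser) `
    -IncludedSmartAccessFilterEnabled $true `
    -IncludedSmartAccessTags @("${Farm}:${JoinedPol}")

# Steps 2-5: a second rule for Domain Users, gateway only, any policy on this
# vserver (the Case 2 wildcard), with temp excluded. Exclude beats Include, so
# temp is never granted by this rule even though temp is a domain user.
New-BrokerAccessPolicyRule -Name $RuleName `
    -DesktopGroupUid $GroupUid `
    -Enabled $true `
    -AllowedConnections ViaAG `
    -AllowedProtocols @('HDX', 'RDP') `
    -AllowedUsers Filtered `
    -IncludedUserFilterEnabled $true -IncludedUsers @($DomainUsers) `
    -ExcludedUserFilterEnabled $true -ExcludedUsers @($TempUser) `
    -IncludedSmartAccessFilterEnabled $true `
    -IncludedSmartAccessTags @("${Farm}:*")

# Read back what the DDC will compare against the <FarmName>:<String> pairs
# seen in the StoreFront POST (section 4, tip 2).
Get-BrokerAccessPolicyRule -DesktopGroupUid $GroupUid |
    Select-Object Name, Enabled, AllowedConnections, IncludedUsers,
                  ExcludedUsers, IncludedSmartAccessTags | Format-List
```

The read-back at the end is the quickest cross-check against a StoreFront trace: the FarmName in the POST must equal the part of each tag before the colon, and at least one posted String must equal the part after it (or the tag must end in :*), with exact case.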

Verify:

  1. Administrator, domain-joined PC:
    User-added image

  2. Administrator, PC not domain-joined:
    User-added image

  3. temp, domain-joined PC:
    User-added image

  4. temp, PC not domain-joined:
    User-added image

4) Troubleshooting & hints

  1. On NetScaler, run the following commands to check which policies a session hit.
    User-added image

  2. On StoreFront, take a packet trace and inspect the POST request to the DDC. Make sure the Farm and String values match what the DDC access rules expect.
    User-added image

  3. NetScaler’s preauthentication policy names are case sensitive; the Filter on the DDC must match the policy name exactly.
    User-added image

  4. DDC access policy rules. Some tips on “Exclude” and “Include”:

    1. “Exclude” has a higher priority than “Include”.

    2. A rule allows a session only if the session hits no “Exclude” filter and satisfies every enabled “Include” filter.

    3. If a session hits an “Exclude” filter, the remaining conditions of that rule are not checked.
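To make the three tips concrete, the following added example models how the tags from section 2 (the callback’s <FarmName> plus every <String> the session hit) are compared with one access policy rule, and runs the section 1 rule, Case 1, Case 2 and an Exclude rule through it. This is an illustration of the rules as stated above, not the DDC’s own code; the rule and session objects are constructed here in the shape of Get-BrokerAccessPolicyRule output, the SmartAccess Include filter is treated as satisfied when at least one listed tag is present, and every policy name other than PL_WB_10.107.197.243 is an assumption.

```powershell
# Added example (not the DDC's code): a model of access policy rule evaluation.

function Test-TagMatch {
    # One "Farm:Filter" tag against the session: the farm must equal the
    # callback's FarmName and the filter must be one of the hit policy names,
    # or the wildcard "*" (Case 2). Compared case-sensitively, as tip 3 advises.
    param([string]$Tag, [string]$FarmName, [string[]]$Policies)
    $farm, $filter = $Tag -split ':', 2
    if ($farm -cne $FarmName) { return $false }
    return ($filter -eq '*') -or ($Policies -ccontains $filter)
}

function Test-AccessPolicyRule {
    param(
        [pscustomobject]$Rule,
        [string]$FarmName,      # empty when the session did not come via the gateway
        [string[]]$Policies     # every <String> the callback returned
    )
    if (-not $Rule.Enabled) { return $false }
    $viaAG = -not [string]::IsNullOrEmpty($FarmName)
    if ($Rule.AllowedConnections -eq 'ViaAG'    -and -not $viaAG) { return $false }
    if ($Rule.AllowedConnections -eq 'NotViaAG' -and $viaAG)      { return $false }

    # Tips 1 and 3: an Exclude hit rejects at once; Includes are never consulted.
    if ($Rule.ExcludedSmartAccessFilterEnabled) {
        foreach ($t in $Rule.ExcludedSmartAccessTags) {
            if (Test-TagMatch $t $FarmName $Policies) { return $false }
        }
    }
    # Tip 2: every enabled Include filter must be satisfied. For the SmartAccess
    # filter this model requires at least one listed tag to match (assumption).
    if ($Rule.IncludedSmartAccessFilterEnabled) {
        $hits = @($Rule.IncludedSmartAccessTags | Where-Object { Test-TagMatch $_ $FarmName $Policies })
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

function New-TestRule {
    # Constructed rule object with the properties the evaluator reads.
    param([string[]]$Include = @(), [string[]]$Exclude = @(), [string]$Connections = 'ViaAG')
    [pscustomobject]@{
        Enabled = $true; AllowedConnections = $Connections
        IncludedSmartAccessFilterEnabled = ($Include.Count -gt 0); IncludedSmartAccessTags = $Include
        ExcludedSmartAccessFilterEnabled = ($Exclude.Count -gt 0); ExcludedSmartAccessTags = $Exclude
    }
}

# Constructed session: the callback returned the vserver name and two hit
# policies (the second policy name is an assumption).
$farm = '_XD_nssf.donnie.com'
$pols = @('PL_WB_10.107.197.243', 'PL_EPA_NotJoined')

$cases = [ordered]@{
    'section 1: farm + exact policy'    = New-TestRule -Include '_XD_nssf.donnie.com:PL_WB_10.107.197.243'
    'case 1: non-existent vserver name' = New-TestRule -Include '_XD_does_not_exist:*'
    'case 2: wildcard filter'           = New-TestRule -Include '_XD_nssf.donnie.com:*'
    'tip 1: exclude beats include'      = New-TestRule -Include '_XD_nssf.donnie.com:*' -Exclude '_XD_nssf.donnie.com:PL_EPA_NotJoined'
    'tip 3: policy name in wrong case'  = New-TestRule -Include '_XD_nssf.donnie.com:pl_wb_10.107.197.243'
}
foreach ($name in $cases.Keys) {
    '{0,-36} via gateway: {1,-5} direct: {2}' -f $name,
        (Test-AccessPolicyRule $cases[$name] $farm $pols),
        (Test-AccessPolicyRule $cases[$name] '' @())
}
```

Only the section 1 and Case 2 rules grant the gateway session; Case 1 never matches because no callback can return a FarmName that is not a real virtual server, the Exclude rule rejects even though its Include wildcard matches, and the wrong-case tag fails for the reason given in tip 3. None of the rules grant the direct session, since all are ViaAG.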
