Configuring SmartControl

Jul 14, 2015

Overview

Smart Control allows administrators to define granular policies to configure and enforce user environment attributes for XenApp and XenDesktop on NetScaler Gateway. Smart Control allows administrators to manage these policies from a single location, rather than at each instance of these server types.

Smart Control is implemented through ICA policies on NetScaler Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment.

The following table lists the user environment attributes that Smart Control can enforce:

| Attribute | Description |
|---|---|
| ConnectClientDrives | Specifies the default connection to the client drives when the user logs on. |
| ConnectClientLPTPorts | Specifies the automatic connection of LPT ports from the client when the user logs on. LPT ports are the Local Printer Ports. |
| ClientAudioRedirection | Specifies the applications hosted on the server to transmit audio through a sound device installed on the client computer. |
| ClientClipboardRedirection | Specifies and configures clipboard access on the client device and maps the clipboard on the server. |
| ClientCOMPortRedirection | Specifies the COM port redirection to and from the client. COM ports are the COMmunication ports. These are serial ports. |
| ClientDriveRedirection | Specifies the drive redirection to and from the client. |
| Multistream | Specifies the multistream feature for specified users. |
| ClientUSBDeviceRedirection | Specifies the redirection of USB devices to and from the client (workstation hosts only). |
| Localremotedata | Specifies the HTML5 file upload download capability for the receiver. |
| ClientPrinterRedirection | Specifies the client printers to be mapped to a server when a user logs on to a session. |

Smart Control Operations

Smart Control operates using the following three tabs: Policies, Action, and Access Profiles.

 

 

Policies

An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. The following commands are available from the Policies tab:

Add

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  In the details pane, on the Policies tab, click Add.

3. The following screen appears. In the Name dialog box, type a name for the policy. This is a required field. All required fields are indicated by an asterisk.

4. Next to Action do one of the following:

  • Click the > icon to select an existing action. For details see Select an action.
  • Click the + icon to create a new action. For details see Create a new action.
  • The pencil icon is disabled.

5. Create an expression. For details see Expressions.

6. Create a Log Action. For more details see Create a Log Action.

7. Enter a message into the Comments box. The comment writes to the message log. This field is optional.

8. Click Create.  

Edit

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the ICA policy from the list.

3.  In the details pane, on the Policies tab, click Edit.

4. Verify the policy name.

5. To revise the Action do one of the following:

6. Revise the Expression as desired. For details see Expressions.

7. To revise the Log Action do one of the following:

8. Revise the comments as desired.

9. Click OK.  

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the desired ICA policy from the list.

3. In the details pane, on the Policies tab, click Delete.

4. Confirm that you want to delete the policy by clicking Yes.

Show Binding

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the ICA policy from the list.

3.  In the details pane, on the Policies tab, click Show Bindings.

Policy Manager

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2. Select the desired ICA policy from the list.

3. In the details pane, on the Policies tab, click Policy Manager.

4. From the Bind Point dialog box, select a policy from the drop-down menu. The choices are:

  • Override Global
  • VPN Virtual Server
  • Cache Redirection Virtual Server
  • Default Global

5. From the Connection Type dialog box, select a binding policy from the drop down menu.

6. If you select either the VPN Virtual Server or the Cache Redirection Virtual Server, you connect to the server using the drop down box.

7. Click Continue.

Add Binding

1.     After selecting Continue, this screen appears.

2.     Select a Policy to attach the Binding.

3.     Select Add Binding. 

Policy Binding

1.     After selecting Done, this screen appears.

Unbind Policy

1. Select the policy you want to unbind, and click the Unbind button.

2. Click Done.

3. Click the Yes button on the pop-up screen to confirm that you desire to unbind the selected entity.

Bind NOPOLICY

1. Select the policy that requires NOPOLICY, and click the Bind NOPOLICY button.

2. Click Done.

Edit

You can edit from the ICA Policy Manager.

1. Select the policy you want to edit, and select Edit.

2. You have the option to make the following edits: Edit Binding, Edit Policy, Edit Action.

For more information see Edit Binding, Edit Policy, and Edit Action.

Edit Binding

1. With the policy selected, click Edit Binding.

2. Verify that you are editing the desired policy. This Policy Name is not editable. 

3. Set the Priority as desired.

4. Set Goto Expression as desired.

5. Click the Bind button.

Edit Policy

1. With the policy selected, click Edit Policy.

2. Verify the policy Name to ensure you are editing the desired policy. This field is not editable.

3. To revise the Action policy, do one of the following:

4. Revise the Expression as desired. For more details see Expressions.

5. Select the desired type of message from the drop down menu. To create a Log Action, do one of the following:

6. Enter Comments about the ICA Policy.

7. Click OK when the edit is complete.

Edit Action

1. With the policy selected, click Edit Action.

2. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

3. Next to Access Profile do one of the following:

4. Click OK.

Action

The Policies>Action commands are used to rename the action.

1.  Select the desired ICA Action from the list.

2.  On the ICA Policies tab, click Action. Select Rename from the drop-down menu.

3. Rename the action.

4. Click OK.

Action

An Action connects a policy with an Access Profile. The following commands are available from the Policies tab:

 

 

Add

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2. In the details pane, on the Action tab, click Add.

3. In Name, type a name for the Action.

4. Next to Access Profile do one of the following:

  • Click the > icon to select an existing Access Profile. For details see Select an existing Access Profile.
  • Click the + icon to create a new Access Profile. For details see Create an Access Profile.
  • The pencil icon is disabled for this screen.

5. Click Create.

Edit

1. Select the desired ICA policy from the list.

2.  In the details pane, on the Action tab, click Edit.

Configure Action

3.  Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

4.  Next to Access Profile do one of the following:

5.  Click OK.

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3. In the details pane, on the Action tab, click Delete.

4. Confirm that you want to delete the Action by clicking Yes.

Action

The ICA Action>Action commands are used to rename the action.

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3.  In the details pane, on the Action tab, click Action.

4.  Select Action>Rename from the drop-down menu.

5.  Rename the action.

6. Click OK.

Access Profiles

An ICA profile defines the settings for user connections.

Access profiles specify the actions that are applied to a user's XenApp or XenDesktop environment ICA if the user device meets the policy expression conditions. You can use the configuration utility to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can only use one profile with a policy.

You can create Access Profiles independently of an ICA policy. When you create the policy, you can select the Access profile to attach to the policy. An Access Profile specifies the resources available to a user. The following commands are available from the Policies tab:

Creating an Access Profile with the configuration utility

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  In the details pane, click the Access Profiles tab and then click Add.

3.    Configure the settings for the profile, click Create and then click Close. After you create a profile, you can include it in an ICA policy.

Add an Access Profile to a policy using the configuration utility

1.  In the configuration utility, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  On the Policies tab, do one of the following:

  • Click Add to create a new ICA policy.
  • Select a policy and then click Open.

3.  In Action menu, select an Access Profile from the list.

4.  Finish configuring the ICA policy and then do one of the following:

a.  Click Create and then click Close to create the policy.

b.  Click OK and then click Close to modify the policy.

Add

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2. In the details pane, on the Access Profiles tab, click Add.

3. In Name, type a name for the Access Profile. This is a required field.

4.  Select Default or Disable from the pull down menus shown to create the Access Profile.

5.  Click Create.

Edit

1.  Select the Access Profile you want to edit.

2.  In the details pane, on the Access Profiles tab, click Edit.

Configure Access Profile

3. Verify that the Name is the one you want to revise.

4. Select Default or Disable from the pull down menu to configure as required.
5. Click OK.
 

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3. In the details pane, on the Action tab, click Delete.

4. Confirm the Access Profile you want to delete by clicking Yes.

Common Processes

Create a new action

1. Type a Name for the Action. 

2. Select one of the following to supply the Access Profile:

• Click the > to select an existing Access Profile. For details see Select an existing Access Profile.

• Click the + to create a new Access Profile. For details see Create an Access Profile.

• The pencil icon is disabled.

3. Click Create.

Select an action

1.     Select an Action by clicking the radio button to the left of it.  The associated Access Profile specifies the allowed user functions.

2.     Click the Select button.

Create an Access Profile

1. Name the Access Profile.

2. You have the option to configure the Access Profile from this menu.
3. Click Create.

Select an existing Access Profile

1.  Select an Access Profile by clicking on it.

2. Click Edit.

3. Configure the Access Profile. For details see Configure Access Profile.

Expressions

1. To create or revise an existing Expression, select Clear.

These are the typical ICA Expressions. For the HTTP expressions enter the name with the "" and remove the ().

ICA.SERVER.PORT

This expression checks that the port specified matches the port number on the XenApp/XenDesktop that the user is attempting to connect to.

ICA.SERVER.IP

This expression checks that the IP specified matches the IP address on the XenApp/XenDesktop that the user is attempting to connect to.

HTTP.REQ.USER.IS_MEMBER_OF("").NOT

This expression checks that the current connection is accessed by a user that is NOT a member of the specified group name.

HTTP.REQ.USER.IS_MEMBER_OF("groupname")

This expression checks that the user accessing the current connection is a member of the specified group.

HTTP.REQ.USERNAME.CONTAINS("").NOT

This expression checks that the current connection is NOT accessed by the specified name.

HTTP.REQ.USERNAME.CONTAINS("enter username") Specifies the resources for a username.

This expression checks that the current connection is accessed by the specified name.

CLIENT.IP.DST.EQ(enter ip address here).NOT

This expression checks that the destination IP of the current traffic is NOT equal to the specified IP address.

CLIENT.IP.DST.EQ(enter ip address here)

This expression checks that the destination IP of the current traffic is equal to the specified IP address.

CLIENT.TCP.DSTPORT.EQ(enter port number).NOT

This expression checks that the destination port is NOT equal to the specified port number.

CLIENT.TCP.DSTPORT.EQ(enter port number)

This expression checks that the destination port is equal to the specified port number.

2. Press Control and the Space bar simultaneously; your options then become visible.

3. Type the period. Make your selection, and press the Space bar.
4. At each period of the expression in the table above, type the period. Make your selection, and press the Space bar.
5. Click OK.

Group Identification

Expressions with a groupname variable are defined by the Preauthentication or Session functions.

Preauthentication

1. Select Preauthentication from the configuration pane.

2. Select a name from the Preauthentication Policies.
3. Select Edit from the Preauthentication Policies tab.

4. Select the pencil icon or + next to the Request Action dialog box.

5. Define the ("<groupname>") in the Default EPA Group dialog box.

Session

1. Select Session from the configuration pane.

Create a Log Action

1. In the Configure Policy screen, next to the Log Action dialog box, select the + icon.

Create Audit Message Action

2. The Create Audit Message Action screen appears. Name the Audit Message. The Audit message only accepts numbers, letters or an underscore character.
3. From the pull-down menu specify the Audit Log Level.

| Audit Log Level | Description |
|---|---|
| Emergency | Events that indicate an immediate crisis on the server. |
| Alert | Events that might require action. |
| Critical | Events that indicate an imminent server crisis. |
| Error | Events that indicate some type of error. |
| Warning | Events that require action in the near future. |
| Notice | Events that the administrator should know about. |
| Informational | All but low-level events. |
| Debug | All events, in extreme detail. |

4. Enter an Expression. The Expression defines the format and content of the log.
5. Set the check boxes:
• Check the Log in newnslog to send the message to a new ns log.
• Check Bypass Safety Check to bypass the safety check. This allows unsafe expressions.

6. Click Create.

Revise a Log Action

1. In the Configure Policy screen, next to the Log Action dialog box click the icon.

Configure Audit Message Action

The following are editable fields:
2. From the pull-down menu specify the Audit Log Level.
3. Enter an Expression. The Expression defines the format and content of the log.
4. The check boxes:
• Check the Log in newnslog to send the message to a new ns log.
• Check Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
5. Click OK.

Select an existing policy

1. Click the > icon to select an existing policy.

2. Select the radio button of the desired policy.

Create a new policy

1. In Name, type a name for the policy. This is a required field.
2. Click the + to create a new policy.

3. Create an Action. For details see Create a new action.
4. Name the Access Profile.

5. Configure the Access Profile from this menu.
6. Click Create.
7. Click Bind.

Configuring pre-authentication and post-authentication end point analysis

This section describes how to configure post-authentication and pre-authentication end point analysis (EPA).

To configure post-authentication EPA with Smartcontrol, use the Smartgroup parameter from the VPN session action. The EPA expression is configured on the VPN session policy.

You can specify a groupname for the Smartgroup parameter. This groupname can be any string. The groupname does not need to be an existing group in Active Directory.

Configure the ICA policy with the expression HTTP.REQ.USER.IS_MEMBER_OF("groupname"). Use the groupname that was previously specified for the Smartgroup.

To configure pre-authentication EPA with Smartcontrol, use the Default EPA Group parameter from the pre-authentication profile. The EPA expression is configured on the pre-authentication policy.

You can specify a groupname for the Default EPA Group parameter. This groupname can be any string. The groupname does not need to be an existing group in Active Directory.

Configure the ICA policy with the expression HTTP.REQ.USER.IS_MEMBER_OF("groupname"). Use the groupname that was previously specified for the Default EPA Group.
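
The chain described above (EPA result, group assignment, ICA policy keyed on that group), written as NetScaler CLI commands equivalent to the GUI steps; this is an added example, not part of the original page, and the command forms should be checked against the command reference for your build. All object names, the group name epa_passed and the virtual server vs_gateway are hypothetical, and EPA_EXPRESSION_PLACEHOLDER stands for your own endpoint check.

```netscaler
# Added example. Every object name below is hypothetical.
# EPA_EXPRESSION_PLACEHOLDER is a stand-in for the endpoint check you configure.

# Post-authentication EPA: when the session policy succeeds, the user is
# placed in the Smartgroup named on the session action.
add vpn sessionAction sess_act_epa -Smartgroup epa_passed
add vpn sessionPolicy sess_pol_epa EPA_EXPRESSION_PLACEHOLDER sess_act_epa
bind vpn global -policyName sess_pol_epa -priority 100

# Pre-authentication EPA variant: the group comes from the Default EPA Group
# on the preauthentication profile (action) instead.
add aaa preauthenticationaction preauth_act_epa ALLOW -defaultEPAGroup epa_passed
add aaa preauthenticationpolicy preauth_pol_epa EPA_EXPRESSION_PLACEHOLDER preauth_act_epa

# Access profile for endpoints that did NOT pass EPA: the channels that move
# data between the hosted session and the client device are disabled.
add ica accessprofile prof_untrusted -ClientDriveRedirection DISABLED -ClientClipboardRedirection DISABLED -ClientPrinterRedirection DISABLED -ClientCOMPortRedirection DISABLED -ConnectClientLPTPorts DISABLED

# An action connects the policy to the access profile.
add ica action act_untrusted -accessProfileName prof_untrusted

# The rule is enclosed in single quotation marks so the inner double
# quotation marks need no escaping (see the CLI note on this page).
add ica policy pol_ica_untrusted -rule 'HTTP.REQ.USER.IS_MEMBER_OF("epa_passed").NOT' -action act_untrusted

# Bind the ICA policy at the VPN virtual server bind point.
bind vpn vserver vs_gateway -policy pol_ica_untrusted -priority 10
```

Because the group name is an arbitrary string, the string in the ICA policy rule must match the Smartgroup or Default EPA Group value exactly; a mismatch means the .NOT rule matches every user and the restricted profile applies to compliant endpoints as well.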

Post-authentication configuration

Use the following procedure to set up smart groups for Post-authentication configuration.

1.     Go to NetScaler Gateway>Policies> Session.

2.     Go to Session Profiles> Add.

Create NetScaler Gateway Session Profile

3.     Select the Security tab.

4.     Enter a Name for your NetScaler Gateway Profile (action).

5.     Select the box to the right of the pull down menu and select the desired Default Authorization Action.

Specify the network resources that users have access to when they log on to the internal network. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access. If you set the default authorization policy to DENY, you must explicitly authorize access to any network resource, which improves security.

6.     Select the box to the right of the pull down menu and select the desired Secure Browse.

Allow users to connect through NetScaler Gateway to network resources from iOS and Android mobile devices with Citrix Receiver. Users do not need to establish a full VPN tunnel to access resources in the secure network.

7.     Select the box to the right of the pull down menu and enter the Smartgroup name.

This is the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy performs the post-authentication EPA check and, if the check succeeds, the user is placed in the group specified with Smartgroup. The is_member_of (http.req.user.is_member_of) expression can then be used with policies to check whether EPA has passed for the user belonging to this smartgroup.

8.     Click Create.

1.      Go to NetScaler Gateway> Policies >Session.

2.      Go to Session Policies> Add.

1.      Enter the Name in this field.

This is the Name for the new session policy that is applied after the user logs on to NetScaler Gateway.

2.      Select the Profile action using the drop-down menu.

This is the Action applied by the new session policy if the rule criterion is met.

Note: If the desired profile needs to be created, select the +. For more details see Create NetScaler Gateway Session Profile.

3.      Enter Expression in this field.

This field defines the named expression that specifies the traffic that matches the policy. The expression can be written in either default or classic syntax. The maximum length of a literal string for the expression is 255 characters. A longer string can be split into smaller strings of up to 255 characters each, and the smaller strings concatenated with the + operator. For example, you can create a 500-character string as follows: '"" + ""'

Note: The following requirements apply only to the NetScaler CLI:
* If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
* If the expression itself includes double quotation marks, escape the quotations by using the character.
* Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.

4.      Click Create.

1.     Go to Session Policies.

2.     Select the Name of the Session Policy.

3.     Select Global Bindings from the Action drop down menu.

4.     Select Add Binding.

5.     Select the > to choose an existing policy.

Note: Select the + to create a new policy. For more details see Create NetScaler Gateway Session Profile.

6.     Choose a name from the list and press the Select button.

7.     Enter the Priority and click Bind.

8.     Click Done.

9.     The check shows that your selection is Globally Bound. 

Pre-authentication configuration

Use the following procedure to set up Pre-authentication configuration.

1.      Go to NetScaler Gateway>Policies> Preauthentication.

2.      Select the Preauthentication Profiles tab and select Add.

1.      Enter the Name

This is the Name for the preauthentication action. The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. The name cannot be changed after the preauthentication action is created.

Note: The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks.

2.     Select a Request Action from the drop down menu. This is the action that the policy is to invoke when a connection matches the policy.

Note: If you want to create a Preauthentication Profile, select the +. For more information see Create Preauthentication Profile.

3.      Enter an Expression

This is the name of the NetScaler named rule, or default syntax expression that defines the connections that match the policy.

4.      Click Create.

5.      Go to the Preauthentication Policies tab and select the desired policy.

6.      Select Global Binding from the Action drop-down menu.

7.      Select Add Bindings.

8.      Select the > to select an existing policy.

Note: Select the + to create a new policy. For more details see Create NetScaler Gateway Session Profile.

9. Select Policy.

10.      Enter the Priority and click Bind.

11.      Click Done.

12.      The check shows that the Preauthentication Policy is Globally Bound.

Create Preauthentication Profile

1.      Enter the Name

This is the Name for the preauthentication action. The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. The name cannot be changed after the preauthentication action is created.

Note: The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks.

2.      Enter the Action from the drop down menu.

This option will Allow or Deny logon after endpoint analysis (EPA) results.

3.      Processes to be Cancelled

This option identifies a string of processes to be terminated by the endpoint analysis (EPA) tool.

4.      Files to be deleted

This option identifies a string specifying the path(s) and name(s) of the files to be deleted by the endpoint analysis (EPA) tool.

5.      Default EPA Group

This is the default group that is chosen when the EPA check succeeds.

6.      Click Create.
