Citrix Gateway

Configure session policies and profiles for Citrix Endpoint Management and StoreFront

To allow connections through Citrix Gateway from the different versions of the Citrix Workspace app and by using Secure Hub, you need to create session policies and profiles for Endpoint Management and StoreFront with specific rules to enable the connections to work. You can create separate session policies and profiles for the following:

  • Citrix Gateway plug-in
  • Citrix Workspace app for Android
  • Citrix Workspace app for BlackBerry 10 1.0
  • Citrix Workspace app for BlackBerry 2.2
  • Citrix Workspace app for Chromebook
  • Citrix Workspace app for HTML5
  • Citrix Workspace app for iOS
  • Citrix Workspace app for Linux
  • Citrix Workspace app for Mac
  • Citrix Workspace app for Playbook 1.0
  • Citrix Workspace app for Windows 8/RT
  • Citrix Workspace app for Web
  • Secure Hub

When you configure the expression for Secure Hub, Citrix Workspace app for Windows, Citrix Workspace app for Mac, or Citrix Workspace app for Web, the User-Agent header always starts with CitrixCitrix Workspace app. More recent versions of the Citrix Workspace app that recognize the native protocols in Citrix Endpoint Management also include a header called X-Citrix-Gateway. When you create a rule, you can use AND (&&) or OR (||) to specify the condition for the two configured expressions.

Important: Citrix recommends running the Quick Configuration wizard to configure the required policies for connections to Endpoint Management and StoreFront from Citrix Gateway. The following sections provide information about configuring the policies manually.

Configure virtual servers

If Endpoint Management is part of your deployment, you need to create two virtual servers:

  • The first virtual server is for users who connect by using Secure Hub. After user authentication occurs, this virtual server communicates directly with Endpoint Management.
  • The second virtual server is users who connect by using Citrix Workspace app for Web, Citrix Workspace app for Windows, or Citrix Workspace app for Mac. Citrix Workspace app communicates directly with StoreFront, instead of the Endpoint Management, after Citrix Gateway authenticates users.

On each Citrix Gateway virtual server, you must install a server certificate that has a unique fully qualified domain name.

Configure session policies

You configure session policies for Endpoint Management and StoreFront deployments. You can use the same policy expressions for both deployments, however the session profile settings are slightly different. The session policy expressions you configure depend on the version of the Citrix Workspace app and the Citrix Gateway plug-in you are using.

Some versions of the Citrix Workspace app do not fully support the StoreFront services protocols that allow direct connections through Citrix Gateway to stores in StoreFront. The earlier Citrix Workspace app versions that do not support these protocols include:

  • Citrix Workspace app for Windows 3.0 and earlier versions
  • Citrix Workspace app for Mac 11.4 and earlier versions
  • Citrix Workspace app for Android 3.0 and earlier versions
  • Citrix Workspace app for iOS 5.5 and earlier version

The following table shows the policy expression to configure based on the version of Citrix Workspace app and the Citrix Gateway plug-in you are using:

   
Citrix Workspace app version does not support StoreFront services protocols REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS
Citrix Secure Hub or Citrix Workspace app version supports StoreFront services protocols REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
Citrix Gateway plug-in for Windows; Citrix Gateway plug-in for Mac REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS
Citrix Workspace app for the Web REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
Citrix Workspace app for Windows 8/RT REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS WindowsRT

When you configure the policy expression for Citrix Workspace app versions, you can distinguish between the Citrix Workspace app type in the policy expression.

   
Citrix Workspace app for Android REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android
Citrix Workspace app for BlackBerry 2.2 REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Blackberry
Citrix Workspace app for Chromebook REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Chromebook
Citrix Workspace app for HTML5 REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS HTML5
Citrix Workspace app for iOS REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS iOS
Citrix Workspace app for Linux REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Linux
Citrix Workspace app for Mac REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS MacOSX
Citrix Workspace app for Playbook 1.0 REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Playbook
Citrix Workspace app for Windows 8/RT. 1.3 REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Win8
Citrix Workspace app for Windows REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows
Citrix Workspace app for Windows Phone 8 REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS WindowsPhone
Citrix Secure Hub REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows

If you configure a session policy that supports StoreFront services protocols and the Citrix Workspace app for iOS, the expression might look like the following:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS iOS/

Important:

When using advanced policies, to use “NOT” in an expression, you must select the NOT operator.

Example: HTTP.REQ.HEADER(“100”).CONTAINS(“CitrixReceiver”).NOT

To configure expressions in session policies

When you configure the expression for a session policy, use the following guidelines. You can use this procedure for Endpoint Management and StoreFront deployments.

  1. Go to Citrix Gateway > Policies > Session.
  2. In the details pane, click Add. Note: To modify a session policy, in the details pane, select the policy and then click Edit.
  3. In the Create Citrix Gateway Session Policies and Profiles, select the Session Policies tab and then click Add.
  4. In the Create Citrix Gateway Session Policy page, enter a name for the policy.
  5. In Profile, select an existing profile or click Add and create a new profile.

  6. Add an expression.

    If you select Classic Policy, perform the following:

    1. In the Add Expression dialog box, use the following parameters as a guideline for the expression:
    2. In Expression Type, select General.
    3. In Flow Type, select REQ.
    4. In Protocol, select HTTP.
    5. In Qualifier, select Header.
    6. In Operator, select CONTAINS, NOTCONTAINS, EXISTS, or NOTEXISTS depending on the expression.
    7. In Value, type the parameter, such as **CitrixReceiver**.
    8. In Header Name, type User-Agent and then click OK.

    If you select Advanced Policy, perform the following.

    1. Click Expression Editor.
    2. In Expression Editor, select the following in sequence. HTTP > REQ > HEADER and then type the parameter, such as **CitrixReceiver**.

    Note:

    To use “NOT” in an expression, you must select the NOT operator.

    Example: HTTP.REQ.HEADER(“100”).CONTAINS("CitrixReceiver").NOT

  7. Repeat the steps to configure the additional rules.
  8. When you finish adding the rules, click Create and then click Close.

Configure session profiles

When you configure session profiles for use with a session policy, you need to configure parameters that are specific for the type of connection the profile supports.

If the StoreFront IP address is a public IP address and if you disable split tunneling in the session profile, SSO functionality is internally disabled on Citrix Gateway. Users receive an access denied error message when they attempt to log on to StoreFront. Enable split tunneling to allow SSO from a public IP address.

When you finish configuring the policy and profile, you then bind the session policy to the virtual server. You also need to assign a priority number for each session policy.

The session profiles you configure have different settings for Endpoint Management and StoreFront. For more information, see the topics for Endpoint Management and StoreFront later in this section.

Configure session policies and profiles for Citrix Endpoint Management and StoreFront