Evaluating User Logon Options
When users log on, they can choose to skip the endpoint analysis scan. If users skip the scan, Citrix Gateway processes this action as a failed endpoint analysis. Users who fail the scan can access only the Web Interface or use clientless access.
For example, suppose you want to provide users access by using the Citrix Gateway plug-in. To log on to Citrix Gateway with the plug-in, users must be running an antivirus application, such as Norton Antivirus. If the user device is not running the application, users can log on with Receiver only and use published applications. You can also configure clientless access, which restricts access to specified applications, such as Outlook Web Access.
To configure Citrix Gateway to achieve this logon scenario, you assign a restrictive session policy as the default policy. You then configure the settings to upgrade users to a privileged session policy when the user device passes the endpoint analysis scan. At that point, users have network-layer access and can log on with the Citrix Gateway plug-in.
To configure Citrix Gateway to enforce the restrictive session policy first, perform the following steps:
1. Configure the global settings with ICA proxy enabled, along with all other settings that are necessary if the specified application is not running on the user device.
2. Create a session policy and profile that enables the Citrix Gateway plug-in.
3. Create an expression within the rule portion of the session policy to specify the application, such as:
When users log on, the session policy is applied first. If endpoint analysis fails or the user skips the scan, Citrix Gateway ignores the settings in the session policy (the expression in the session policy is considered false). As a result, users have restricted access using the Web Interface or clientless access. If endpoint analysis passes, Citrix Gateway applies the session policy and users have full access with the Citrix Gateway plug-in.
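The three steps above as appliance CLI commands. This is an added example, not configuration taken from the Citrix documentation. The virtual server name vs_gateway, the object names, the Web Interface URL, and the process name av_process.exe are placeholders, and the rule is written in classic client-security expression syntax, which is an assumption about the firmware in use.

```netscaler
# Step 1: restrictive global defaults. These are the settings a user gets
# when the scan fails or is skipped, because no session policy rule matches.
# The Web Interface URL is a placeholder.
set vpn parameter -icaProxy ON -wihome "https://wi.example.internal/Citrix/StoreWeb" -clientlessVpnMode ON

# Step 2: privileged session profile. Turning ICA proxy off and transparent
# interception on is what gives the session network-layer access through
# the Citrix Gateway plug-in.
add vpn sessionAction act_plugin_full -icaProxy OFF -transparentInterception ON -clientlessVpnMode OFF

# Step 3: session policy whose rule is the endpoint analysis check.
# av_process.exe is a placeholder for the antivirus process to require.
add vpn sessionPolicy pol_plugin_full "CLIENT.APPLICATION.PROCESS(av_process.exe) EXISTS" act_plugin_full

# Bind the policy to the gateway virtual server (vs_gateway is a placeholder).
bind vpn vserver vs_gateway -policy pol_plugin_full -priority 100

# Review what is bound before testing with a device that lacks the process.
show vpn vserver vs_gateway
show vpn sessionPolicy pol_plugin_full
```

Test with a device that skips the scan as well as one that fails it: both must land on the global settings, never on act_plugin_full.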