
Configuring Compound Client Security Expressions

You can combine client security strings to form compound client security expressions.

The Boolean operators that are supported in Citrix Gateway are:

  • And (&&)
  • Or (||)
  • Not (!)

For greater precision, you can group the strings together using parentheses.

Note: If you use the command line to configure expressions, use parentheses to group security expressions together when you form a compound expression. Parentheses make the client expression easier to read and debug.

Configuring Policies with the AND (&&) Operator

The AND (&&) operator combines two client security strings so that the compound check passes only when both checks are true. The expression is evaluated from left to right, and if the first check fails, the second check is not carried out.

You can configure the AND (&&) operator using the keyword ‘AND’ or the symbols ‘&&’.

Example:

The following is a client security check that determines if the user device has Version 7.0 of Sophos AntiVirus installed and running. It also checks if the netlogon service is running on the same computer.

CLIENT.APPLICATION.AV(sophos).version==7.0 AND CLIENT.SVC(netlogon) EXISTS

This string can also be configured as:

CLIENT.APPLICATION.AV(sophos).version==7.0 && CLIENT.SVC(netlogon) EXISTS

Configuring Policies with the OR ( || ) Operator

The OR (||) operator combines two security strings. The compound check passes when either check is true. The expression is evaluated from left to right, and if the first check passes, the second check is not carried out. If the first check does not pass, the second check is carried out.

You can configure the OR (||) operator using the keyword ‘OR’ or the symbols ‘||’.

Example:

The following is a client security check that determines if the user device has either the file c:\file.txt on it or the putty.exe process running on it.

(client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS)

This string can also be configured as:

(client.file(c:\\\\file.txt) EXISTS) || (client.proc(putty.exe) EXISTS)

Configuring Policies Using the NOT ( ! ) Operator

The NOT (!) or the negation operator negates the client security string.

Example:

The following client security check passes if the file c:\sophos_virus_defs.dat is NOT more than two days old:

!(client.file(c:\\\\sophos_virus_defs.dat).timestamp==2dy)
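
The left-to-right, short-circuit evaluation described in the AND and OR sections can be traced with a small evaluator. This is an added example, not Citrix code: it treats each client security string as an opaque check, takes constructed pass/fail results in place of real endpoint scans, reports which checks were actually carried out, and rejects unbalanced grouping parentheses. The function names, the `results` map, and the choice that AND binds tighter than OR are assumptions, since the page states no precedence.

```python
import re

_OP = re.compile(r"\s*(&&|\|\||\bAND\b|\bOR\b)\s*")   # keyword and symbol forms

def tokenize(s):
    toks, i = [], 0
    while i < len(s):
        if m := _OP.match(s, i):              # Boolean operator between checks
            toks.append("OR" if m.group(1) in ("OR", "||") else "AND")
            i = m.end()
        elif s[i] in "()!" or s[i].isspace():  # grouping, negation, or a blank
            toks.extend(s[i].strip())          # a blank adds nothing
            i += 1
        else:                                  # opaque client security string
            start, depth = i, 0
            while i < len(s) and not (depth == 0 and (s[i] == ")" or _OP.match(s, i))):
                depth += (s[i] == "(") - (s[i] == ")")
                i += 1
            toks.append(("check", s[start:i].strip()))
    return toks + [None]                       # None marks end of input

def evaluate(expr, results):                   # results: constructed check -> bool map
    toks, ran = tokenize(expr), []             # ran: checks actually carried out
    accept = lambda t: toks[0] == t and bool(toks.pop(0))
    def or_level(run):                         # assumption: OR binds loosest
        v = and_level(run)
        while accept("OR"):
            v = and_level(run and not v) or v  # skipped once the left side passed
        return v
    def and_level(run):
        v = operand(run)
        while accept("AND"):
            v = operand(run and v) and v       # skipped once the left side failed
        return v
    def operand(run):
        if accept("!"):
            return not operand(run)
        if accept("("):
            v = or_level(run)
            if not accept(")"):
                raise ValueError("missing ')' before %r" % (toks[0],))
            return v
        if not isinstance(toks[0], tuple):
            raise ValueError("expected a check, got %r" % (toks[0],))
        name = toks.pop(0)[1]
        return run and (ran.append(name) or results[name])  # record, then look up
    value = or_level(True)
    if toks[0] is not None:
        raise ValueError("unexpected %r after expression" % (toks[0],))
    return value, ran
```

Calling `evaluate(expression, results)` returns the overall outcome and the ordered list of checks that ran, so a skipped right-hand check is visible as a missing entry.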