Creating Policies for Access Scenario Fallback

To configure NetScaler Gateway for access scenario fallback, you need to create policies and groups in the following ways:

  • Create a quarantine group in which users are placed if the endpoint analysis scan fails.
  • Create a global Web Interface or StoreFront setting that is used if the endpoint analysis scan fails.
  • Create a session policy that overrides the global setting and then bind the session policy to a group.
  • Create a global client security policy that is applied if the endpoint analysis fails.

When configuring access scenario fallback, use the following guidelines:

  • Using client choices or access scenario fallback requires the Endpoint Analysis Plug-in for all users. If endpoint analysis cannot run or if users select Skip Scan during the scan, users are denied access. Note: The option to skip the scan is removed in NetScaler Gateway 10.1, Build 120.1316.e.
  • When you enable client choices, if the user device fails the endpoint analysis scan, users are placed into the quarantine group. Users can continue to log on with either the NetScaler Gateway Plug-in or the Citrix Receiver to the Web Interface or StoreFront. Note: Citrix recommends that you do not create a quarantine group if you enable client choices. User devices that fail the endpoint analysis scan and are quarantined are treated in the same way as user devices that pass the endpoint scan.
  • If the endpoint analysis scan fails and the user is put in the quarantine group, the policies that are bound to the quarantine group are effective only if there are no policies bound directly to the user that have an equal or lower priority number than the policies bound to the quarantine group.
  • You can use different web addresses for the Access Interface and for the Web Interface or StoreFront. When you configure the home pages, the Access Interface home page takes precedence for the NetScaler Gateway Plug-in and the Web Interface home page takes precedence for Web Interface users. The Receiver home page takes precedence for StoreFront.

To create a quarantine group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, click Add.
  3. In Group Name, type a name for the group, click Create and then click Close. Important: The name of the quarantine group must not match the name of any domain group to which users might belong. If the quarantine group matches an Active Directory group name, users are quarantined even if the user device passes the endpoint analysis security scan.
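
The following audit script is an added example, not part of the Citrix documentation or any NetScaler tooling. It checks a planned configuration for the two failure modes described above: a quarantine group name that matches a domain group, and quarantine group policies that cannot take effect because a policy bound directly to a user has an equal or lower priority number. The data model, function names, and sample values are assumptions for illustration. Export the real group and binding data from your own environment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    policy: str
    priority: int  # lower number wins, as in the guideline above


def audit_fallback(quarantine_group, domain_groups, user_bindings, group_bindings):
    """Return findings for an access scenario fallback configuration.

    user_bindings:  {username: [Binding, ...]} policies bound directly to users
    group_bindings: [Binding, ...] policies bound to the quarantine group
    """
    findings = []

    # Check 1: the quarantine group name must not match any domain group.
    # Assumption: compare case-insensitively, the stricter reading.
    wanted = quarantine_group.casefold()
    for group in domain_groups:
        if group.casefold() == wanted:
            findings.append(("NAME_COLLISION", group))

    # Check 2: a user-bound policy with an equal or lower priority number
    # keeps the quarantine group policy from being effective for that user.
    for user, bindings in sorted(user_bindings.items()):
        for gb in group_bindings:
            blockers = [ub for ub in bindings if ub.priority <= gb.priority]
            if blockers:
                strongest = min(blockers, key=lambda b: b.priority)
                findings.append(("SHADOWED", user, gb.policy, strongest.policy))
    return findings


def demo():
    # Constructed sample data, not taken from a real deployment.
    domain_groups = ["Domain Users", "Quarantine", "VPN-Admins"]
    user_bindings = {
        "alice": [Binding("alice_session", 50)],   # lower number than 100
        "bob": [Binding("bob_session", 200)],      # higher number, no conflict
    }
    group_bindings = [Binding("fallback_ica_on", 100)]
    return audit_fallback("quarantine", domain_groups, user_bindings, group_bindings)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A NAME_COLLISION finding means users who belong to that domain group are quarantined even when the endpoint analysis scan passes; a SHADOWED finding means the quarantine group policy is not effective for that user.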

After creating the group, configure NetScaler Gateway to fall back to the Web Interface if the user device fails the endpoint analysis scan.

To configure settings to quarantine user connections

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global NetScaler Gateway Settings dialog box, on the Published Applications tab, next to ICA Proxy, select OFF.
  4. Next to Web Interface Address, type the web address for StoreFront or the Web Interface.
  5. Next to Single Sign-On Domain, type the name of your Active Directory domain and then click OK.

After configuring the global settings, create a session policy that overrides the global ICA proxy setting and then bind the session policy to the quarantine group.

To create a session policy for Access Scenario Fallback

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. On the Published Applications tab, next to ICA Proxy, click Override Global, select On and then click Create.
  6. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create and then click Close.

After creating the session policy, bind the policy to a quarantine group.

To bind the session policy to the quarantine group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, select a group and then click Open.
  3. Click Session.
  4. On the Policies tab, select Session, and then click Insert Policy.
  5. Under Policy Name, select the policy and then click OK.

After creating the session policy and profile that enable the Web Interface or StoreFront on NetScaler Gateway, create a global client security policy.

To create a global client security policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Security tab, click Advanced Settings.
  4. In Client Security, enter the expression. For more information about configuring system expressions, see Configuring System Expressions and Configuring Compound Client Security Expressions.
  5. In Quarantine Group, select the quarantine group you created in the earlier procedure and then click OK twice.