Product Documentation

Configuring SmartControl

Jul 14, 2015

Overview

Smart Control allows administrators to define granular policies to configure and enforce user environment attributes for XenApp and XenDesktop on NetScaler Gateway. Smart Control allows administrators to manage these policies from a single location, rather than at each instance of these server types.

Smart Control is implemented through ICA policies on NetScaler Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. ICA policies are evaluated after the user authenticates at session establishment.

The following table lists the user environment attributes that Smart Control can enforce:

ConnectClientDrives Specifies the default connection to the client drives when the user logs on.
ConnectClientLPTPorts Specifies the automatic connection of LPT ports from the client when the user logs on. LPT ports are the Local Printer Ports.
ClientAudioRedirection Specifies the applications hosted on the server to transmit audio through a sound device installed on the client computer.
ClientClipboardRedirection Specifies and configures clipboard access on the client device and maps the clipboard on the server.
ClientCOMPortRedirection Specifies the COM port redirection to and from the client. COM ports are the COMmunication ports. These are serial ports.
ClientDriveRedirection Specifies the drive redirection to and from the client.
Multistream Specifies the multistream feature for specified users.
ClientUSBDeviceRedirection Specifies the redirection of USB devices to and from the client (workstation hosts only).
ClientPrinterRedirection Specifies the client printers to be mapped to a server when a user logs on to a session.

ICA Access Profile

An ICA profile defines the settings for user connections.

Access profiles specify the actions that are applied to a user's XenApp or XenDesktop environment ICA if the user device meets the policy expression conditions. You can use the configuration utility to create ICA profiles separately from an ICA policy and then use the profile for multiple policies. You can only use one profile with a policy.

You can create Access Profiles independently of an ICA policy. When you create the policy, you can select the Access profile to attach to the policy.

Creating an Access Profile with the configuration utility

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  In the details pane, click the Access Profiles tab and then click Add.

3.    Configure the settings for the profile, click Create and then click Close. After you create a profile, you can include it in an ICA policy.

Add an Access Profile to a policy using the configuration utility

1.  In the configuration utility, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  On the Policies tab, do one of the following:

o   Click Add to create a new ICA policy.

o   Select a policy and then click Open.

3.  In Action menu, select an Access Profile from the list.

4.  Finish configuring the ICA policy and then do one of the following:

a.  Click Create and then click Close to create the policy.

b.  Click OK and then click Close to modify the policy.

Smart Control Operations

Smart Control operates using the following three tabs:

 

 

localized image

Policies

An ICA policy specifies an Action, Access Profile, Expression and optionally, a Log Action. The following commands are available from the Policies tab:

Add

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

localized image

2.  In the details pane, on the Policies tab, click Add.

localized image

3. The following screen appears. In the Name dialog box, type a name for the policy. This is a required field. All required fields are indicated by an asterisk.

localized image

4. Next to Action do one of the following:

  • Click the > icon to select an existing action. For details see Select an action.
  • Click the + icon to create a new action. For details see Create a new action.
  • The pencil icon is disabled.

5. Create an expression. For details see Expressions.

6. Create a Log Action. For more details see Create a Log Action.

7. Enter a message into the Comments box. The comment writes to the message log. This field is optional.

8. Click Create.  

Edit

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the ICA policy from the list.

3.  In the details pane, on the Policies tab, click Edit.

localized image

4. Verify the policy name.

localized image

5. To revise the Action do one of the following:

6. Revise the Expression as desired. For details see Expressions.

7. To revise the Log Action do one of the following:

8. Revise the comments as desired.

9. Click OK.  

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the desired ICA policy from the list.

In the details pane, on the Policies tab, click Delete.

localized image

4. Confirm that you want to delete the policy by clicking Yes.

localized image

Show Binding

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2.  Select the ICA policy from the list.

3.  In the details pane, on the Policies tab, click Show Bindings.

localized image

Policy Manager

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

2. Select the desired ICA policy from the list.

3. In the details pane, on the Policies tab, click Policy Manager

localized image

4. From the Bind Point dialog box, select a policy from the drop down menu. These are the following choices:

  • Override Global
  • VPN Virtual Server
  • Cache Redirection Virtual Server
  • Default Global

5. From the Connection Type dialog box, select a binding policy from the drop down menu.

6. If you select either the VPN Virtual Server or the Cache Redirection Virtual Server, you connect to the server using the drop down box.

7. Click Continue.

localized image

Add Binding

1.     After selecting Continue, this screen appears.

2.     Select a Policy to attach the Binding.

3.     Select Add Binding. 

localized image

Policy Binding

1.     After selecting Done, this screen appears.

localized image

Unbind Policy

1. Select the policy you want to unbind, and click the Unbind button.

localized image

2. Click Done

3. Click the Yes button on the pop-up screen to confirm that you desire to unbind the selected entity.

localized image

Bind NOPOLICY

1.Select policy that requires NOPOLICY, and click the Bind NOPOLICY button.

localized image

2.Click Done

Edit

You can edit from the ICA Policy Manager.

1. Select the policy you want to edit, and select Edit.

localized image

2. You have the option to make the following edits: Edit Binding, Edit PolicyEdit Action.

localized image

For more information see Edit BindingEdit PolicyEdit Action.

Edit Binding

1.. With the policy selected, click Edit Binding.

2. Verify that you are editing the desired policy. This Policy Name is not editable. 

localized image

3. Set the Priority as desired.

4. Set Goto Expression as desired.

5. Click the Bind button.

Edit Policy

1. With the policy selected, click Edit Policy.

2. Verify the policy Name to ensure you are editing the desired policy. This field is not editable.

localized image

3. To revise the Action policy, do one of the following:

4. Revise the Expression as desired. For more details see Expressions.

5. Select the desired type of message from the drop down menu. To create a Log Action, do one of the following:

6. Enter Comments about the ICA Policy.

7. Click OK when the edit is complete.

Edit Action

1. With the policy selected, click Edit Action.

2. Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

3. Next to Access Profile do one of the following:

4. Click OK.

localized image

Action

The Policies>Action commands are used to rename the action.

1.  Select the desired ICA Action from the list.

2.  On the ICA Policies tab, click Action. Select Rename from the drop-down menu.

localized image

3. Rename the action.

localized image

4.  Click OK

Action

An Action connects a policy with an Access Profile. The following commands are available from the Policies tab:

 

 

Add

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

localized image

2. In the details pane, on the Action tab, click Add.

localized image

    3. In Name, type a name for the Action.

    4. Next to Access Profile do one of the following:

  • Click the > icon to select an existing Access Profile. For detail see Select an existing Access Profile.
  • Click the + icon to create a new Access Profile. For detail see Create a Access Profile.
  • The pencil icon is disabled for this screen.

    5. Click Create.

localized image

Edit

1. Select the desired ICA policy from the list.

localized image

2.  In the details pane, on the Action tab, click Edit.

Configure Action

3.  Verify the Action Name to confirm you are editing the desired Action. This field is not editable.

4.  Next to Access Profile do one of the following:

5.  Click OK.

localized image

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3. In the details pane, on the Action tab, click Delete.

localized image

4. Confirm the Action you want to delete the policy by clicking Yes.

localized image

Action

The ICA Action>Action commands are used to rename the action.

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3.  In the details pane, on the Action tab, click Action.

localized image

4.  Select Action>Rename from the drop-down menu.

5.  Rename the action.

localized image

6.  Click OK

Access Profiles

An Access Profile specifies the resources available to a user. The following commands are available from the Policies tab:

Add

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click ICA.

localized image

2. In the details pane, on the Access Profiles tab, click Add.

localized image

3. In Name, type a name for the Access Profile. This is a required field.

localized image

4.  Select Default or Disable from the pull down menus shown to create the Access Profile.

5.  Click Create.

Edit

1.  Select the Access Profile you want to edit.

2.  In the details pane, on the Access Profiles tab, click Edit.

localized image

Configure Access Profile

3. Verify that the Name is the one you want to revise.

localized image

4. Select Default or Disable from the pull down menu to configure as required.
5. Click OK.
 

Delete

1.  In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Action and then click ICA.

2.  Select the desired ICA Action from the list.

3. In the details pane, on the Action tab, click Delete.

localized image

4. Confirm the Access Profile you want to delete by clicking Yes

Common Processes

Create a new action

1. Type a Name for the Action. 

2. Select one of the following to supply the Access Profile:

• Click the > to select an existing Access Profile. See for details Select an existing Access Profile.

• Click the + to create a new Access Profile. See for details Create an Access Profile.

• The pencil icon is disabled.

3. Click Create.

localized image

Select an action

1.     Select an Action by clicking the radio button to the left of it.  The associated Access Profile specifies the allowed user functions.

2.     Click the Select button.

localized image

Create an Access Profile

1. Name the Access Profile.

localized image

2. You have the option to configure the Access Profile from this menu.
3. Click Create.

Select an existing Access Profile

1.  Select an Access Profile by clicking on it.

localized image

2. Click Edit.

3. Configure the Access Profile. For details see Configure Access Profile.

Expressions

1. To create or revise an existing Expression, select Clear.

These are the typical ICA Expressions. For the HTTP expressions enter the name with the “” and remove the ().
 

    CLIENT.TCP.DSTPORT.EQ (enter port number) Specifies the destination of current port traffic.
    CLIENT.TCP.DSTPORT.EQ (enter port number).not Does not specify port traffic to a destination.
    CLIENT.IP.DST.EQ(enter ip address here) Specifies the destination of current IP traffic.
    CLIENT.IP.DST.EQ(enter ip address here).NOT Does not specify IP traffic to a destination.
    HTTP.REQ.USERNAME.CONTAINS(“enter username”) Specifies the resources for a username. Specifies the username accessing resources.
    HTTP.REQ.USERNAME.CONTAINS(“”).NOT Specifies the resources for a username
    HTTP.REQ.USER.IS_MEMBER_OF(“groupname”) Specifies if the user is a member of a defined group.
    HTTP.REQ.USER.IS_MEMBER_OF(“”).NOT Specifies if the user is NOT a member of a group.

2. Simultaneously, select Control and the Space bar; then your options are visible.

localized image

3. Type the period. Make your selection, and press the Space bar.
4. At each period of the expression in the table above, type the period. Make your selection, and press the Space bar.
5. Click OK.

localized image

Group Identification

Expression with a groupname variable are defined by the Preauthentic or Session functions.

Preauthentication

1. Select Preauthentication from the configuration pane.

localized image

2. Select a name from the Preauthentication Policies.
3. Select Edit from the Preauthentication Policies tab.

localized image

4. Select the pencil icon or + next to the Request Action dialoge box.

localized image

5. Define the (“<groupname>”) in the Default EPA Group dialoge box.

localized image

Session

1. Select Session from the configuration pane.

localized image

Create a Log Action

1. In the Configure Policy screen, next to the Log Action dialog box select the + icon

localized image

Create Audit Message Action

2. The Create Audit Message Action screen appears. Name the Audit Message. The Audit message only accepts numbers, letters or an underscore character.
3. From the pull-down menu specify the Audit Log Level.

Emergency Events that indicate an immediate crisis on the server.
Alert Events that might require action.
Critical Events that indicate an imminent server crisis.
Error Events that indicate some type of error.
Warning Events that require action in the near future.
Notice Events that the administrator should know about.
Informational All but low-level events.
Debug All events, in extreme detail.

4. Enter an Expression. The Expression defines the format and content of the log.
5. The check boxes
• Check the Log in newnslog to send the message to a new ns log.
• Check Bypass Safety Check to bypass the safety check. This allows unsafe expressions.

6. Click Create.

localized image

Revise a Log Action

1. In the Configure Policy screen, next to the Log Action dialog box click the icon.

localized image

Configure Audit Message Action

The following are editable fields:
2. From the pull-down menu specify the Audit Log Level.
3. Enter an Expression. The Expression defines the format and content of the log.
4. The check boxes:
• Check the Log in newnslog to send the message to a new ns log.
• Check Bypass Safety Check to bypass the safety check. This allows unsafe expressions.
5. Click OK.

localized image

Select an existing policy

1. Click the > icon to select an existing policy.

localized image

2. Select the radio button of the desired policy.

localized image

Create a new policy

1. In Name, type a name for the policy. This is a required field.
2. Click the + to create a new policy.

localized image

3. Create an Action. For details see Create a new action.
4. Name the Access Profile.

localized image

5. Configure the Access Profile from this menu.
6. Click Create.
7. Click Bind.

localized image