Improve Security with NetScaler SmartAccess

In this blog I will show you how to use Citrix SmartAccess on the NetScaler to improve security by blocking client drive redirection for external connections that come in through the NetScaler Gateway. Internal connections that come through Citrix StoreFront directly, either via Receiver for Web or via the Citrix Receiver client, will still be allowed to redirect client drives. SmartAccess lets you change ICA connection behaviour, for example disabling drive redirection or printer redirection, based on how users connect to the NetScaler Gateway. Decisions are based on the NS GW virtual server name, the session policy name and any EPA (endpoint analysis) scans the connection passed; the gateway reports these to StoreFront, which forwards them to the Delivery Controller as SmartAccess tags.

Some prerequisites must be in place for SmartAccess to work correctly:

1) Make sure TrustRequestsSentToTheXmlServicePort is set to True on the site. If it is set to False it can be changed on a Delivery Controller with the Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True cmdlet. Note that this tells the controllers to trust that StoreFront has already authenticated the user, so the XML service port should only be reachable from your StoreFront servers (firewall it, and use HTTPS for the StoreFront to controller traffic).

[Screenshot: smartaccess3]

2) ICA Only must be turned off on the NetScaler Gateway virtual server. With ICA Only enabled the gateway does not send SmartAccess information (it uses Platform rather than Universal licences), so the access control filter would never match.

[Screenshot: smartaccess4]

3) Universal licences must be available on the NetScaler; each SmartAccess connection consumes one.

[Screenshot: smartaccess5]

4) The session policy name and the NS GW virtual server name (shown as the Farm Name in Citrix Studio) must be known. In this instance the NS GW virtual server is called remote.c4rm0.com and the session policy is called 192.168.2.50_443_POL.

[Screenshot: smartaccess6]

[Screenshot: smartaccess7]

5) The Callback URL must be configured on the NetScaler Gateway appliance entry within StoreFront. StoreFront uses this URL to ask the gateway which session policies (and EPA scans) the connection matched, so it must resolve to the gateway virtual server (or another VPN virtual server on the same appliance) and present a certificate that the StoreFront server trusts.

[Screenshot: smartaccess2]
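The prerequisites above can be checked (and the first two corrected) from a Delivery Controller. The following PowerShell is an added example and is not from the original post: it reads the broker trust setting with the Citrix Broker SDK and queries the gateway virtual server, its ICA Only flag and its bound session policies over the NetScaler NITRO REST API. The NSIP, the credentials prompt and the controller are assumptions; the vserver and session policy names are the post's values.

```powershell
# Added example (not from the original post): check the SmartAccess prerequisites.
# Assumptions: NSIP 192.168.2.10, vserver remote.c4rm0.com, policy 192.168.2.50_443_POL.

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Prerequisite 1: the site must trust XML service requests, otherwise the SmartAccess
# tags StoreFront forwards are ignored and the Access control filter never matches.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Write-Warning 'TrustRequestsSentToTheXmlServicePort is False, enabling it'
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# NITRO connection details (assumed). Credentials are prompted for, not hard-coded.
$nsip    = 'https://192.168.2.10'
$vsName  = 'remote.c4rm0.com'
$cred    = Get-Credential -Message 'NetScaler admin account'
$headers = @{
    'X-NITRO-USER' = $cred.UserName
    'X-NITRO-PASS' = $cred.GetNetworkCredential().Password
}
function Get-Nitro([string]$Resource) {
    Invoke-RestMethod -Uri "$nsip/nitro/v1/config/$Resource" -Headers $headers -Method Get
}

# Prerequisite 2: ICA Only must be OFF. In ICA Only mode the gateway sends no SmartAccess
# information and uses Platform rather than Universal licences.
$vs = (Get-Nitro "vpnvserver/$vsName").vpnvserver
if ($vs.icaonly -eq 'ON') {
    Write-Warning "ICA Only is ON on $vsName; switching it OFF for SmartAccess"
    $body = @{ vpnvserver = @{ name = $vsName; icaonly = 'OFF' } } | ConvertTo-Json
    Invoke-RestMethod -Uri "$nsip/nitro/v1/config/vpnvserver" -Headers $headers `
        -Method Put -Body $body -ContentType 'application/json' | Out-Null
}

# Prerequisite 3: Universal licences. The licence object is printed rather than parsed
# because the attribute names for the ICA/SmartAccess user counts vary by firmware.
(Get-Nitro 'nslicense').nslicense | Format-List

# Prerequisite 4: the vserver name and its bound session policy names are exactly what
# goes into the Citrix policy's Access control filter (farm name = vserver,
# access condition = session policy). Expected here: remote.c4rm0.com / 192.168.2.50_443_POL.
$bindings = (Get-Nitro "vpnvserver_vpnsessionpolicy_binding/$vsName").vpnvserver_vpnsessionpolicy_binding
foreach ($b in $bindings) {
    'Farm name: {0}  Access condition: {1}  (priority {2})' -f $vsName, $b.policy, $b.priority
}

# Prerequisite 5 is a StoreFront setting; on a StoreFront 3.x server the gateway entry and
# its callback URL can be listed with:
#   Get-Module -ListAvailable Citrix.StoreFront* | Import-Module
#   Get-STFRoamingGateway | Select-Object Name, GatewayUrl, CallbackUrl
```

Run it as a Citrix full administrator; the NITRO calls need a NetScaler account with write rights only if ICA Only actually has to be switched off.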


Default behaviour

When I connect through the NetScaler Gateway at https://remote.c4rm0.com, the client drives from my desktop PC are redirected into my Citrix session and the files are accessible. This is obviously a security issue, as you would not want to expose that data to your internal network and infrastructure, especially from connections that come from non-corporate machines such as users' personal laptops and desktops (and the same channel lets files flow the other way, out of the session onto the unmanaged device).

[Screenshot: smartaccess]

[Screenshot: smartaccess1]

New Behaviour 

When connecting through the NetScaler Gateway from an external connection, client drive redirection will be blocked. For internal connections that come through the StoreFront server directly rather than the NetScaler Gateway, client drive redirection will still be allowed.

1) Create a Citrix policy that blocks client drive redirection (ICA > File Redirection > Client drive redirection, set to Prohibited).

[Screenshot: smartaccess9]

2) On the policy's Assigned to... tab, use the Access control filter with Mode set to Allow, Connection type set to With NetScaler Gateway, and the farm name and session policy we gathered earlier as the access condition. In this example the farm name is remote.c4rm0.com and the access condition is 192.168.2.50_443_POL, which is our NetScaler session policy. Both values must match the names on the gateway exactly; if they do not, the filter never matches and the policy silently never applies.

[Screenshot: smartaccess8]


3) Connecting to the NetScaler Gateway at https://remote.c4rm0.com and launching the published desktop, you can see client drive redirection is now not allowed: none of the client drives from my client PC have been redirected into the session.

[Screenshot: smartaccess10]

4) Checking the session details in Citrix Director shows the policy we created has been applied correctly. The SmartAccess Filters entry shows the farm name and session policy name we used in the Access control filter on the Citrix policy.

[Screenshot: smartaccess12]

[Screenshot: smartaccess13]

5) Logging in directly to StoreFront via Receiver for Web internally and launching the same published desktop, client drive redirection is allowed and the policy we created, which only applies to connections through the NetScaler Gateway, has not been applied.

[Screenshot: smartaccess14]

[Screenshot: smartaccess15]
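Steps 1 to 5 above can also be scripted, which is useful when the same filtered policy has to exist in several sites. The PowerShell below is an added example, not code from the original post: it creates the policy and its Access control filter through the Citrix Group Policy provider and then reads the SmartAccess tags of a live session from the broker, which is the same information Director shows under SmartAccess Filters. The controller name, policy name and test user are assumptions; the farm name and access condition are the post's values. The provider item paths and the filter parameters are as documented for the Citrix Group Policy provider; confirm them with Get-ChildItem on your version before relying on the script.

```powershell
# Added example (not from the original post): create the filtered policy and verify
# the SmartAccess tags on a session. Controller, policy name and user are assumptions.

Add-PSSnapin Citrix.Common.GroupPolicy -ErrorAction Stop   # provides the CitrixGroupPolicy drive
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$controller = 'ddc01.c4rm0.com'                # assumption
$policyName = 'Block CDR via Gateway'          # assumption
$farmName   = 'remote.c4rm0.com'               # NS GW vserver name from the post
$condition  = '192.168.2.50_443_POL'           # session policy name from the post

# Map the site's policies to a drive and create a user policy with the setting prohibited.
New-PSDrive -Name Site -PSProvider CitrixGroupPolicy -Root \ -Controller $controller | Out-Null
$policyPath = "Site:\User\$policyName"
if (-not (Test-Path $policyPath)) { New-Item $policyPath | Out-Null }
Set-ItemProperty "$policyPath\Settings\ICA\FileRedirection\ClientDriveRedirection" `
    -Name State -Value Prohibited

# Access control filter: Mode Allow, connection through the gateway, farm name and
# access condition. Only sessions that arrive with the tag "<farm>:<condition>" match.
$filterPath = "$policyPath\Filters\AccessControl\Gateway"
if (-not (Test-Path $filterPath)) {
    New-Item $filterPath -Mode Allow -Enabled True -ConnectionType WithAccessGateway `
        -FarmName $farmName -AccessCondition $condition | Out-Null
}
# Give the policy a higher priority than Unfiltered (a lower number wins).
Set-ItemProperty $policyPath -Name Priority -Value 1

# Verification, the scripted equivalent of steps 3 to 5: SmartAccessTags on the broker
# session is the farm:policy list the gateway reported. A session launched directly from
# StoreFront carries no tags, so the filtered policy does not apply to it.
$expectedTag = "${farmName}:${condition}"
Get-BrokerSession -UserName 'C4RM0\testuser' |            # assumption
    Select-Object UserName, ClientName, ConnectedViaHostName, SmartAccessTags,
        @{ n = 'GatewayPolicyApplies'; e = { $_.SmartAccessTags -contains $expectedTag } }
```

Run it as a Citrix full administrator from a machine with Studio installed. If GatewayPolicyApplies is False for a session that came through the gateway, re-check prerequisites 1, 2 and 5 before touching the policy: the usual cause is a missing or untrusted callback URL, or ICA Only still being on.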

As you can see, Citrix SmartAccess is extremely powerful and useful when you want to control ICA connection behaviour for external connections that go through the NetScaler Gateway versus internal connections that go directly to StoreFront. Typically you would block drive redirection, clipboard redirection, printer redirection and USB redirection for external clients on non-corporate machines connecting through the NetScaler Gateway, and allow client drive/printer redirection for corporate machines on the LAN connecting directly to StoreFront. Bear in mind that the filter keys off the gateway virtual server and session policy, not the device: an internal user who happens to connect via the gateway gets the restricted policy, and a non-corporate device that can reach StoreFront directly gets the permissive one, so keep direct StoreFront access limited to the internal network (or add EPA policies on the gateway if you need device checks).

You can also use SmartAccess to allow or disallow applications within delivery groups from being launched externally via the NetScaler Gateway. In the example below we are setting the access policy on the delivery group so that you cannot launch any applications published to this delivery group directly through StoreFront; they can only be launched via the NetScaler Gateway at https://remote.c4rm0.com. The reverse is just as useful if you have applications that you do not want used externally through the NetScaler: allow only connections not through the NetScaler Gateway on that delivery group.

[Screenshot: smartaccess22]
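The delivery group access policy shown above can be set from the Broker SDK as well, which also lets you restrict the gateway side to a specific vserver and session policy rather than to any gateway. The PowerShell below is an added example, not code from the original post. The delivery group name is an assumption; the SmartAccess tag is built from the post's farm name and session policy. Studio normally creates two access policy rules per delivery group (one for connections via the gateway, one for connections not via the gateway), so the script selects them by their AllowedConnections value rather than by name.

```powershell
# Added example (not from the original post): allow a delivery group's resources to be
# launched only through the NetScaler Gateway, and only by sessions that carry the
# SmartAccess tag remote.c4rm0.com:192.168.2.50_443_POL. Delivery group name is assumed.

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$groupName = 'External Apps'                                  # assumption
$tag       = 'remote.c4rm0.com:192.168.2.50_443_POL'          # "<farm name>:<access condition>"

$dg    = Get-BrokerDesktopGroup -Name $groupName -ErrorAction Stop
$rules = Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid

# Record the current state first so the change can be reviewed and reversed.
$rules | Select-Object Name, Enabled, AllowedConnections,
    IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags

foreach ($rule in $rules) {
    switch ($rule.AllowedConnections) {
        'ViaAG' {
            # Gateway rule: keep it enabled, but only for sessions that carry our tag.
            # Other gateway vservers or session policies on the same appliance will not match.
            Set-BrokerAccessPolicyRule -InputObject $rule -Enabled $true `
                -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags @($tag)
        }
        'NotViaAG' {
            # Direct rule: disable it so launches straight from StoreFront are refused.
            Set-BrokerAccessPolicyRule -InputObject $rule -Enabled $false
        }
    }
}

# Confirm. A connection that arrives without the tag (direct StoreFront, or a different
# gateway vserver / session policy) is no longer offered this group's resources at all.
Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid |
    Select-Object Name, Enabled, AllowedConnections, IncludedSmartAccessTags
```

To get the opposite behaviour, an internal-only delivery group, swap the two branches: disable the ViaAG rule and leave the NotViaAG rule enabled.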


Job done 🙂