  • Smart Access Basic Setup with ICA Proxy Enabled


    cugcblogs

    by Ray Davis

    One thing I've learned is that the Gateway vServer doesn’t really need ICA Proxy unchecked for what I am trying to do. I am not using EPA scans or anything advanced yet. But you could do it to save a step later. Now, I understand this may not be the best way, but sometimes you have to do what you need to do to secure things.

    0. Check the Trust Request on the Brokers and enable it if it’s not already enabled.

     

    1. Open PowerShell (POSH), load the Citrix snap-ins with asnp citrix*, and run Get-BrokerSite. If TrustRequestsSentToTheXmlServicePort is set to False, then run the command in step 2.

    2. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
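
The trust check from steps 0 to 2 as one repeatable script. This is an added example, not code from the original post; the function name Enable-XmlServiceTrust and the 'localhost' default are assumptions, and it is meant to run on a Delivery Controller as a Citrix administrator.

```powershell
# Added example (not from the original post).
# Note: with this setting on, the Controller trusts the SmartAccess data that
# StoreFront passes on the XML port, so limit which hosts can reach that port.
function Enable-XmlServiceTrust {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: the script runs on a Delivery Controller (DDC).
        [string]$AdminAddress = 'localhost'
    )

    # Long form of "asnp citrix*"; ignore "already added" errors on re-runs.
    Add-PSSnapin -Name 'Citrix*' -ErrorAction SilentlyContinue
    if (-not (Get-Command Get-BrokerSite -ErrorAction SilentlyContinue)) {
        throw 'Citrix Broker cmdlets not found; run this on a Delivery Controller.'
    }

    $site   = Get-BrokerSite -AdminAddress $AdminAddress
    $before = $site.TrustRequestsSentToTheXmlServicePort

    # Only write when the value is actually False, so re-runs are harmless.
    if (-not $before) {
        $action = 'Set TrustRequestsSentToTheXmlServicePort to $true'
        if ($PSCmdlet.ShouldProcess($site.Name, $action)) {
            Set-BrokerSite -AdminAddress $AdminAddress `
                -TrustRequestsSentToTheXmlServicePort $true
        }
    }

    # Re-read the site so the report shows what the Controller stored.
    $after = (Get-BrokerSite -AdminAddress $AdminAddress).TrustRequestsSentToTheXmlServicePort

    [pscustomobject]@{
        Site        = $site.Name
        TrustBefore = $before
        TrustAfter  = $after
        Changed     = ($before -ne $after)
    }
}

# Preview first; drop -WhatIf to apply the change.
Enable-XmlServiceTrust -WhatIf
```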

    3. Create a dummy NetScaler Gateway VIP. (Some organizations don’t allow StoreFront (SF) to talk back to the DMZ NetScaler’s vServer. If yours does, then use the current Gateway and ignore the dummy VIP/vServer.)


    Added IP and Port


    Add STA Brokers


    Added DNS Record.


    Go to StoreFront Servers > click on Manage Citrix Gateways


    Click edit

    Add the callback URL (for me, this is the dummy VIP I created), which resolved to a layer 2 IP address on the same subnet as my Citrix environment.

    Propagate changes on StoreFront

    Go to the DDC and create a policy. For me, I used the baked-in one from Citrix called “Security Control”.

    • Remember the Allow or Deny mode is a bit confusing. "Allow" means that the settings in the policy are to be applied to the NetScaler Gateway connection.
    • "Deny" means the settings prohibiting something will not be applied to users connecting via Citrix Gateway.

     

    My bandwidth went up some when I applied more security settings. Red is applying the filter, and green is off.

    On

    Off

    Testing with it off (Deny the policy)

    Here are my local machine printers


    Now log into the VDA


    Now let's set the filter to Allow (allow the policy)

    Now log into the VDA – No printers from my local machine were able to come in.


    Remember this is a very basic setup, and it’s just to show what it can do. There is much more than what I am showing here.

    Then my research and questions on Slack (If you’re not on this, you’re missing out). A lot of really sharp guys on here.


    Acknowledgments:

    Just wanted to thank the Slack community for all the help along my way. So many talented people, and it's an amazing adventure.

