Jump to content
Welcome to our new Citrix community!
  • 0

Split/Share apps for Internal/External Help

EC Saw


Hi, I would to know what is the simplest setup for a small shop when publishing applications only for both internal and external users?


For example, internal users connect to Storefront directly and external users connect via Netscaler which redirects to the same Storefront.


1.) There is a requirement that for some applications, the user is allowed to connect internally but not externally. Example, I can connect to Notepad internally but not from external (from home).

2.) I cannot use Limited Visibility as the domain ID is allowed to see it when internal, so it will also apply externally.

3.) Hence, do we segregate it via another Delivery Group or another Storefront? If DG, it means we publish the same application twice, once for internal and once for external correct?

4.) If Storefront, NS point to the external Storefront, and then we control via? Seems to be going back to the DG so we need another RDSH just for this DG?


Would appreciate any thoughts on this, thanks!

Link to comment

6 answers to this question

Recommended Posts

  • 0
1 hour ago, George Spiers1709154522 said:

On the Delivery Group you have options under "Access Policy" such as "Allow all connections not through NetScaler Gateway" and "Allow connections through NetScaler Gateway".


Yes, that's right...but unfortunately we realized that would completely block off the application from external as well. What we're trying to get to is :


1.) User A can connect to Notepad from internal

2.) User A can NOT connect to Notepad from external

3.) User B can connect to Notepad from internal as well as from external


All based on the AD domain ID. So the only alternative I can see if building another DG at least, just not sure if another Storefront is needed? Citrix Live Chat said we should build another farm (Storefront + Delivery Group) Thanks.



Link to comment
  • 0

here is some food for thought


how about an Additional Store in Storefront. Hide apps that you don’t want accessible externally from the store entirely



On the NetScaler, you could create separate session policies, one for each storefront store

You could then use AAA groups to dictate who gets what policy, and thus who’s sees what apps externally


It wouldn’t be granular, but it would work. You would simply have a store that has no access to certain apps, and your specific users would land on that store from external


Internally you leave them on the normal store

Link to comment
  • 0

On the Delivery Group you have options under "Access Policy" such as "Allow all connections not through NetScaler Gateway" and "Allow connections through NetScaler Gateway".

You can check both boxes, then use the filters box to control access to resources in that group for users coming in externally.


Add a filter, with farm name set to your NetScaler Gateway vServer, and the filter set to a Session Policy on NetScaler.


That Session Policy is attached to an AAA Group (which matches the name of an internal AD group which contains UserA). Now when UserA logs on from external, he doesn't see notepad, however users outside of the AAA Group continue to see notepad because they trigger a second Session Policy which is not filtered. Also when UserA browses StoreFront internally he sees notepad.


Alternatively, instead of using AAA Groups you can use an expression directly on the Session Policy that is tagged under the filters box. That expression could be something like "HTTP.REQ.USER.IS_MEMBER_OF("UserAGroup") - UserAGroup is an AD group which contains UserA. When userA logs on, they match the criteria for SessionPol1 to be evaulated, and from there Notepad is not displayed as an icon because the filter is also matched, as set on the Delivery Group.


This will allow you to have one farm, and one StoreFront store.

Link to comment
  • 0

Thanks George and James.


Tried the Session Policy but didn't get much headway into it. Hence we just made the additional Store in Storefront as mentioned above. Pointed Netscaler to the new Store, filtered the applications by keyword and restricted access via user visibility. Slightly more management work but easier to setup for now.

Link to comment
  • 0

Each DG has 2 levels of access control. one for internal and other for external AG access


DGName-Direct - this is for internal direct storefront access

DGName-AG - this is for extenral access through NEtscaler AG.


in DGName-Direct - grant access to all the users using IncludedUsers filter

in DGName-AG- grant access to only who are authorized users for access using IncludedUser filter


use Get-BrokerAccessPolicyRule command for any delivery and see the properties


this cannot be done through GUI.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...