
Netscaler/Xenapp Policies question - radius two factor - client drives

Sean Ritter


I have a couple of objectives I've been given to implement.


Company owned client machines do not need to get prompted for radius two factor.  Right now it is configured, and all machines are prompted.


Company owned client machines can use such things as client drives, but non-company machines should not.  Right now, all machines are allowed.


One of the options I was thinking of is non-company machines are only allowed to use HTML5.  However, I would like everyone to be able to use the full client, just with settings enabled/disabled depending on source machine type.


We are not currently licensed for SmartControl (no platinum license).  However, if this is the only way to implement such things, we can upgrade.


You still need to figure out which epa expression you are going to use for corporate vs non-corporate devices.


SmartAccess allows you to use the EPA scans and pass the results to trigger policies in XenDesktop - which can be used to turn drive mapping on/off based on company vs. non-company owned machines.  This can be done without SmartControl (platinum/premium) license.  VPN user licenses will have to be used.  

On the gateway, you define the session policy and expression you need and it either points to a blank session profile or one that handles other settings you need.

On XD site, you enable the -trustxmlservicerequests setting in the site properties via PowerShell (not the exact parameter name but close), and then in the AccessControl policy filter for your user policy settings in XD, specify connection with Gateway meeting condition <VPN vserver name> and <session policy name>.  This would be the entity name of the vpn vserver and the session policy on the NS (not the FQDN of the gateway vip).  Then the gateway policy expression being true or false will or won't trigger the XD policy.


For HTML5 vs. native client, this would require you to have two different storefront stores: Store-1 (HTML5 only) and Store-2 (native only or native with html5 fallback option).

Using your epa scan OR a connection fallback option, you would determine which session policy to hit, session_pol_store1 or session_pol_store2, which would direct the users to an appropriate store.  Have the corporate owned policy at higher priority than the html5 only policy, and if you can't tell if they are corporate owned then html5 can be default.

There are a couple of different ways to do this, but to reduce the number of epa scans it might be worth trying to combine this with an authorization group or quarantine group setting.


You might consider whether you actually want 2 separate gateway access points for "company" vs. "non-company" devices, to simplify some of the policies and authentication flows. And this would make the single-factor vs two-factor easier to implement without the epa scans.  Both scenarios should be able to be implemented, but the conditions for the epa scans might be a little tricky.
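One way to lay out the gateway side of the arrangement described in this reply, added here as an illustration and not code from the original posts: the object names (vsrv_gateway, SA_corp, SP_corp, SA_byod, SP_byod) and the StoreFront URLs are constructed, and the registry check is only a stand-in for whatever corporate-device EPA scan you settle on.

```nscli
# Added example, not from the thread. vsrv_gateway, SA_*/SP_* and the
# StoreFront URLs are constructed placeholders; adapt them to your site.
# Classic expression syntax is used; the registry marker below is only an
# illustrative stand-in for the corporate-device EPA scan you choose.

# One session profile per StoreFront store: native client vs. HTML5-only
add vpn sessionAction SA_corp -transparentInterception OFF -SSO ON -icaProxy ON -clientlessVpnMode OFF -wihome "https://storefront.example.com/Citrix/StoreNativeWeb"
add vpn sessionAction SA_byod -transparentInterception OFF -SSO ON -icaProxy ON -clientlessVpnMode OFF -wihome "https://storefront.example.com/Citrix/StoreHTML5Web"

# Corporate policy: only devices passing the EPA check land on the native store.
# SP_corp (and vsrv_gateway) are the entity names the XD AccessControl
# filter references, so the same names gate client drive mapping in XD.
add vpn sessionPolicy SP_corp "CLIENT.REG(HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\ManagedDevice).VALUE == 1" SA_corp

# Catch-all: anything that fails or skips the scan gets the HTML5 store
add vpn sessionPolicy SP_byod ns_true SA_byod

# Lower priority number is evaluated first, so the corporate policy wins
# when the scan passes and SP_byod is the default otherwise
bind vpn vserver vsrv_gateway -policy SP_corp -priority 100
bind vpn vserver vsrv_gateway -policy SP_byod -priority 110

# Check the bindings and their order before testing from both device types
show vpn vserver vsrv_gateway
```

On the Delivery Controller, the PowerShell setting the reply refers to is `Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true`, after which the AccessControl filter names `vsrv_gateway` and `SP_corp` as the gateway and condition. Classic expressions are removed in recent ADC firmware, where the equivalent needs advanced syntax and `-type REQUEST` on the bind.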




