
Restrict XenApp 7.15LTSR published apps access for domain-joined computers only

Kun Zhang




We have XenApp 7.15 LTSR

2 x Delivery Controllers

2 x StoreFront

2 x ADC virtual appliance (used for internal LB, and external Citrix Gateway)


Our XenApp flow is as follows:


PC with Receiver > ADC LB vServer > StoreFront > Delivery Controller > Published Apps


PC with Receiver > Citrix Gateway vServer > StoreFront > Delivery Controller > Published Apps


Now, we would like to increase security by restricting only domain-joined computers to be able to connect to published apps.

For both internal and external access.

I'm not sure if this is feasible. 


Could anyone please provide some directions or guidance on how to accomplish the restrictions?



Link to comment


Thank you so much Carl.


Can I use the same EPA with preauth policy for internal Citrix ADC virtual server? 

I would really hate to redirect all internal access traffic out towards DMZ (Citrix Gateway vServer) for it to come back into LAN.


Also, EPA is checking with domain name dns-suffix.

What if somebody just manually adds the domain dns-suffix into his computer name, without actually having the PC joined to AD domain, would this still successfully bypass EPA policy check?



Link to comment

We've implemented and enabled EPA preauthentication for domain check as per this CTX knowledge base



We had to install Citrix Gateway Endpoint Analysis plug-in on the test PC for EPA to perform the check.


When the preauthentication policy is enabled on the Citrix Gateway virtual server, we notice the following behaviours:

     > Access from external

          - Using web browser going to the external https URL, EPA does the check and shows the logon page only if computer is domain-joined.

          - Using Citrix Receiver or Citrix Workspace, it does not connect at all. Getting error message "Apps not available..."


     > Access from internal

          - There is no change at all. Because internal users are never hitting the Citrix Gateway virtual server (in DMZ) to request for XenApp access.

          - They are hitting the ADC virtual server (in LAN) for access requests. This is the normal traffic flow.


I have 2 questions.

Is it possible to have EPA check working for Citrix Receiver or Citrix Workspace from external?

Is it possible to implement the same type of domain check for internal access requests?


Thank you so much!!


Link to comment
