
Requirements for Access Filter in Policies (Q: Smart Access / Callback / Loopback..)

Stefan Johnen


The customer uses Netscaler for external access and internally as LB for two Storefronts.


I want to apply New Policies with a filter for Netscaler-Connections (maybe even Domain-joined PCs, but that's later).

I read the CTX227055 and also this old thread: XenDesktop Access Control Policy Filter


I'm asking for assistance/if I'm getting this right:

1.) NETSCALER: Nothing to do (?)

 - Netscaler officially needs to run in Smart Access mode

 -- but forum posts state that it's not essentially required, so I'm leaving this out for now.

 -- It is said that the Site needs to be configured to trust XMLRequest => already in place

 - To Filter Domain-Joined PCs I would need a new session policy at Netscaler (maybe later)


2.) Storefront:

Needs a callback address defined, but there is a problem in the environment at this point:

There is only one address internally and externally: https://citrix.customer.inc

Externally it resolves to publish Netscaler and performs remote access.

Internally it resolves to NS load-balancing the Storefronts.

Also the Storefront Base URL is the same.


Now for some reason LOOPBACK is enabled in the Storefront config and also inside the HOSTS files on both SFs.

If I now entered citrix.customer.inc as callback URL, they would resolve it to localhost instead of Netscaler => Won't work


OPTION1: Can I safely remove the HOSTS files' entry? I would keep the option enabled inside SF Config, but I need to get rid of the manual DNS resolution.


OPTION2: Alternatively: Can I specify any other URL that points to Netscaler internally? I just need to make sure the URL listens to 443 and uses the same SSL cert (*.customer.inc)?


Could you please help me figure this out? I don't have access to Netscaler so I would prefer OPT1 without the need to touch it..

On 8/14/2020 at 4:00 PM, Carl Stalhood1709151912 said:

The Callback URL can be any FQDN assuming it resolves to a Gateway VIP on the same appliance that authenticated the user and that the certificate on the Gateway matches the callback FQDN.


Thanks for your reply, Carl.

So I will continue with that (Option 2: Create new Callback URL instead of fiddling with the public/base address and HOSTS files).

What if: For any reason the entered callback URL won't work, I read it will make Storefront stop working correctly; could I just remove the URL from the settings to go back to normal as before? Of course I will check the connection from both SFs to the newly defined Callback URL (DNS resolution, access to :443 and the correct certificate).


If it will be requested later, what would I need to separate corp. from private devices?

I guess I need a Session Policy (?) on Netscaler filtering for "not domain joined" computers? So then in Citrix Policy filtering I can relate to this filter on Netscaler?
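
The pre-checks listed in the post above (DNS resolution, access to :443, correct certificate), as an added PowerShell example to run on each StoreFront server; it is not part of the original thread. The function name, the FQDN `callback.customer.inc` and the optional `-ExpectedVip` parameter are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on each StoreFront server.
# 'callback.customer.inc' is a placeholder FQDN; -ExpectedVip is a hypothetical
# helper parameter for comparing the resolved address with the Gateway VIP.
function Test-CallbackUrl {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443,
        [string]$ExpectedVip
    )
    $tcp = $null; $ssl = $null
    $r = [ordered]@{ Fqdn = $Fqdn; Addresses = $null; Loopback = $null; VipMatch = $null
                     TcpOpen = $false; TlsValid = $false; Subject = $null; NotAfter = $null; Error = $null }
    try {
        # 1. Resolution as this server sees it. HOSTS file entries are honoured,
        #    so a leftover loopback entry for the name shows up as Loopback = True.
        $ips   = [System.Net.Dns]::GetHostAddresses($Fqdn)
        $names = @($ips | ForEach-Object { $_.IPAddressToString })
        $r.Addresses = $names -join ', '
        $r.Loopback  = [bool]($ips | Where-Object { [System.Net.IPAddress]::IsLoopback($_) })
        if ($ExpectedVip) { $r.VipMatch = ($names -contains $ExpectedVip) }

        # 2. TCP reachability on the callback port.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Fqdn, $Port)
        $r.TcpOpen = $true

        # 3. TLS 1.2 handshake with default validation: the chain must be trusted
        #    by this server and the certificate must cover $Fqdn, else it throws.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsValid = $true
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
    }
    catch { $r.Error = $_.Exception.GetBaseException().Message }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$r
}

# Expected before entering the callback URL in StoreFront:
# Loopback = False, TcpOpen = True, TlsValid = True (and VipMatch = True if supplied).
Test-CallbackUrl -Fqdn 'callback.customer.inc' | Format-List
```

The script cannot tell whether the resolved address is a Gateway VIP on the appliance that authenticated the user; compare `Addresses` with the VIP obtained from the Netscaler administrator.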
