delivery group access policy "All connections not through Netscaler Gateway" not working

Mark Verbeek

I used to have a Delivery Group Access Policy set to:
YES = All connections not through Netscaler Gateway

NO = Connections through Netscaler Gateway


So this Delivery Group would allow internal connections only.


However, with 1912 LTSR CU1 (all components) and Citrix Gateway (ADC VPX) this isn't working anymore.

Don't know if this is since 1912 LTSR CU1 (step 1) or since Citrix Gateway (step 2, a few months later).


Anyone noticed this behavior? How to repair this functionality?

Hi Carl,

Thanks for responding.


No. This setting is blank.

But as far as I understood this isn't used with Logon type = Domain.

...callback URL is not needed unless SmartAccess is being used


This has been working for several years prior to 1912 LTSR and/or ADC VPX 13.0.

mjverbeek - just using the access policy page == SmartAccess policies. Same feature, different names. But if you are just doing the external vs internal, you will NOT need to configure any gateway policies for the gateway condition.


General SmartAccess requirements:

- Callback URL configured

- Site Properties (PowerShell): trustxmlservicerequests $true (the property name may be slightly off, but check your get-brokersite settings)

- Properly configured storefront beacons (settings like using a single fqdn for gateway and storefront can throw this detection off) 


When you said it stopped working, is it allowing internal and external access or no access to this delivery group?

What version of the XD/CVAD and NS were you running before going to 1912 LTSR CU1 and whichever version of gateway you are on? (As it's not obvious which versions you changed from.)
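
An added example, not part of any poster's reply: a read-only audit of the Delivery Controller side of the requirements listed above, namely the site trust property (exposed by `Get-BrokerSite` as `TrustRequestsSentToTheXmlServicePort`) and the delivery group's access policy rules. It assumes the `Citrix.Broker.Admin.V2` snap-in is available on the machine; `Guest Desktops` is a placeholder group name. The callback URL and beacons are StoreFront settings and are not checked here.

```powershell
# Added example: audit the Delivery Controller side of "internal only" access.
# Run on a Delivery Controller. 'Guest Desktops' is a placeholder group name.
param([string]$DeliveryGroup = 'Guest Desktops')

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
$findings = @()

# 1. Site-wide XML trust. While this is False the Controller does not accept
#    the gateway/SmartAccess details StoreFront passes along with a launch.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    $findings += 'TrustRequestsSentToTheXmlServicePort is False; gateway ' +
                 'conditions in access policy rules are not honoured.'
}

# 2. Access policy rules attached to the delivery group.
$rules = @(Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup)
if ($rules.Count -eq 0) {
    $findings += "No access policy rules found for '$DeliveryGroup'."
}
$rules | Format-Table Name, Enabled, AllowedConnections,
    IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags -AutoSize

# Internal-only intent: only the NotViaAG rule(s) enabled, nothing else.
$direct = @($rules | Where-Object { $_.Enabled -and $_.AllowedConnections -eq 'NotViaAG' })
$other  = @($rules | Where-Object { $_.Enabled -and $_.AllowedConnections -ne 'NotViaAG' })

if ($direct.Count -eq 0 -and $rules.Count -gt 0) {
    $findings += 'No enabled NotViaAG rule; internal launches would be denied.'
}
foreach ($r in $other) {
    $findings += "Rule '$($r.Name)' is enabled with AllowedConnections=" +
                 "$($r.AllowedConnections); disable it for internal-only access."
}

if ($findings.Count -eq 0) {
    'Controller-side settings match an internal-only delivery group.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Remediation for finding 1 (changes site-wide behaviour):
    #   Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}
```

Once trust is enabled the Controller accepts whatever reaches its XML port, so limit access to that port to the StoreFront servers.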

Hi Rhonda,

Thanks for the reply.


We sometimes have some guests who can use an XD in the office. But we don't want them to log in outside of the office.

Internal access only used to work with settings in the screenshot.

Version XD 7.15 LTSR CU4 and NetScaler 10.x (not sure about the x)

But now with CVAD 1912 LTSR CU1 and ADC 13.0 these settings allow internal and external access.

I will delve further into SmartAccess.

So from NS 10 to ADC 13 and 7.15 to 1912.


There might be a bug as that is a lot of version changing.  


You know the main thing that changed between NS10 to NS13 would be possibly in whether your StoreFront identified the gateway source ip by VIP or SNIP?

And are you using the SAME ADC to do gateway AND StoreFront load balancing? If so, check if your gateway settings on the StoreFront server identify the gateway "SNIP" or gateway VIP as the source IP and change it to the gateway VIP. This may be part of the behavior that changed.


From a config standpoint (and not something maybe as a bug in one of the components), that's the only other setting I can think of that might be affected by the upgrade.

Hopefully, Carl or someone can weigh in if there is something else.

Or support might be needed if a bug is suspected.


Here's a summary of the main settings and the callback is needed even if you are only doing the internal vs external only (and not just the gateway session filters):


The ICA only setting shown is not necessarily required unless you only have ICA Proxy licenses and no VPN universal licenses (show ns license to see what type you have).

This might also have "changed" since 10.0 which is a very old build.