Jump to content
Welcome to our new Citrix community!

Locking down Receiver for Web Policy

Campbell Kay

Recommended Posts

Hi Guys,


i have a requirement to lock down the Web Session Policy to certain IP(s) only.


Does anyone know where or how I go about doing this.


i see there is a CLIENT.IP.SRC in the Expression policy would this work?


Can i do this in the session policy somewhere?




Link to comment
Share on other sites

If this is just the session policy to apply certain settings to a range of allowed source ips, then for a small number construct the expression as:

client.ip.src.eq(x.x.x.x) || client.ip.src.eq(y.y.y.y) || client.ip.src.eq(z.z.z.z)


This is an advanced engine expression and can be in session policies on vpn vserver (global, aaa group, and aaa user); but only if all other session policies are also advanced engine. If you have issues binding, then we have to convert other session policies from classic to advanced.


For a long list, a patternset or dataset can be used.


If you need more specific conditions,s hare details and we can provide more info.


Depending on other criteria to restrict access to the vpn vserver, you can potentially use responder policies (if you want them to filter before authentication, you have to have a aaa vserver as well). If you just want this particular ips to get a specific session policy, then the above expression will work. 

Link to comment
Share on other sites

What exactly are you trying to accomplish and then we can confirm your expression?


If this is a gateway connection and you want to only a specific list of IPS to connect when NOT using the Citrix receiver (aka web browser connections only), while preventing anyone else using this session policy (regardless of client type?  (The ands vs ors are important here, so if this isn't what you describe the expression won't work).

If you are trying to prevent vpn access, you would have to be sure the session profile is in ica proxy only mode (or additional expressions may be needed to exclude vpn connection too)


(require these ips) AND (ensure they are web clients only)

(client.ip.src.eq(x.x.x.x) || client.ip.src.eq(y.y.y.y) || client.ip.src.eq(z.z.z.z)) && (HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT)


Statement is TRUE:  client ip in allowed list && (not using citrixreceiver client)

Statement is FALSE: any client ip not in the list (regardless of client type in use)

Statement is FALSE: for any of the allowed client ips && (not using citrixreceiver)   << this one should result in web connections (but the vpn client could look like this too; not an issue if you aren't configured for vpn connections; but its a gray area).


Link to comment
Share on other sites



i think that is exactly what i am after.


we have a requirement to block Citrix Web Access, except for a specific use / case using the HTML5 client. 


all our users use Citrix Workspace App, so they shouldn't be effected by that policy.


i want to allow client IP(s) as you specified to only access web client. which is what you have given me.


ill test that out, thank you for the fast response. 

Link to comment
Share on other sites


So my only concern, is that that expression doesn't restrict access to HTML5 clients only.  Any user doing ICA Proxy with the web features of the Citrix Receiver will get in to, because during web connections it will present a user-agent header based on the browser.   It will prevent use of the CitrixReceiver in services mode; but its not necessarily HTML5 only.  And technically, not excluding vpn connections.


So, your session policy would have to ensure ICA Proxy only connections (and prevent vpn access).

For HTMl5 restrictions, the storefront store you connect to, should be configured for HTML5 only (if a separate store). I don't know if there is a header we can use to separate out HTML5 from other Receiver Web connections.


If this vpn is only being used for these specific ips to this client, then you should be fine if other users can get in, you may need some other policies. I would just test the boundary conditions and make sure you aren't opening up something you didn't intend.



Here are some of the headers in use for gateway filters:  https://docs.citrix.com/en-us/citrix-gateway/current-release/storefront-integration/ng-clg-session-policies-overview-con.html

The HTML5 only header might in fact be this one:  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS HTML5


So your, new expression:  (allowed ips) && (only html5 client) might need this:

(client.ip.src.eq(x.x.x.x) || client.ip.src.eq(y.y.y.y) || client.ip.src.eq(z.z.z.z)) && (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS HTML5)

This actually includes "citrix receiver" and "html5" both; instead of web browser only.

There is a chance, the guide is wrong and that is supposed to be "NOT citrix receiver"...but I would start with this one first and have a test case for each of the following to make sure the right allow/deny is occurring:

<allowed ips> && html5 test   >>> result connects

<allowed ips> && "receiver for web" >>> result should fail

<allowed ips> && "citrixreceiver/services connection" >>> result should fail




So its going to be one of those we looked at; but you would need to test and maybe run a trace (decrypted) to see if you can identify the headers in use to revise.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...