Stefan Johnen
Legacy Group
Posts: 6

Posts posted by Stefan Johnen

  1. On 8/14/2020 at 4:00 PM, Carl Stalhood1709151912 said:

    The Callback URL can be any FQDN assuming it resolves to a Gateway VIP on the same appliance that authenticated the user and that the certificate on the Gateway matches the callback FQDN.

    Thanks for your reply, Carl.

    So I will continue with that (Option 2: Create a new Callback URL instead of fiddling with the public/base address and HOSTS files).

    What if, for any reason, the entered callback URL won't work? I read it will make Storefront stop working correctly; could I just remove the URL from the setting to go back to normal as before? Of course I will check the connection from both SFs to the newly defined Callback URL (DNS resolution, access to :443 and the correct certificate).

    If it is requested later, what would I need to separate corp. from private devices?

    I guess I need a Session Policy (?) on Netscaler filtering for "not domain joined" computers? So then in Citrix Policy filtering I can relate to this filter on Netscaler?

  2. The customer uses Netscaler for external access and internally as LB for two Storefronts.

    I want to apply new policies with a filter for Netscaler connections (maybe even domain-joined PCs, but that's later).

    I read CTX227055 and also this old thread: XenDesktop Access Control Policy Filter

    I'm asking for assistance / whether I'm getting this right:

    1.) NETSCALER: Nothing to do (?)

     - Netscaler officially needs to run in Smart Access mode

     -- but forum posts state that it's not essentially required, so I'm leaving this out for now.

     -- It is said that the Site needs to be configured to trust XML requests => already in place

     - To filter domain-joined PCs I would need a new session policy at Netscaler (maybe later)

    2.) Storefront:

    Needs a callback address defined, but there is a problem in the environment at this point:

    There is only one address internally and externally: https://citrix.customer.inc

    Externally it resolves to the public Netscaler and performs remote access.

    Internally it resolves to NS load-balancing the Storefronts.

    Also the Storefront Base URL is the same.

    Now, for whatever reason, LOOPBACK is enabled in the Storefront config and also inside the HOSTS files on both SFs.

    If I now entered citrix.customer.inc as callback URL, it would resolve to localhost instead of Netscaler => won't work

    OPTION1: Can I safely remove the HOSTS files' entry? I would keep the option enabled inside SF Config, but I need to get rid of the manual DNS resolution.

    OPTION2: Alternatively: Can I specify any other URL that points to Netscaler internally? I just need to make sure the URL listens on 443 and uses the same SSL cert (*.customer.inc)?

    Could you please help me figure this out? I don't have access to Netscaler, so I would prefer OPT1 without the need to touch it.
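As an added example (not from this thread, and not Citrix's own tooling): the checks the two posts above list for a candidate callback URL, namely a HOSTS override pointing the name at loopback, DNS resolution, TCP reachability on 443, and whether the certificate presented (including a wildcard such as *.customer.inc) actually covers the callback name. The FQDN callback.customer.inc is a placeholder; run the script on each StoreFront server with the real name substituted.

```powershell
# Added example, not code from the thread or from Citrix.
# Verifies a candidate StoreFront callback FQDN from the StoreFront server it runs on.
# The default FQDN below is a placeholder; pass the real callback name.
function Test-StoreFrontCallbackUrl {
    param(
        [string]$CallbackFqdn = 'callback.customer.inc',   # placeholder value
        [int]$Port = 443
    )

    $r = [ordered]@{ Fqdn = $CallbackFqdn }

    # 1. HOSTS override: an active (non-comment) line naming the FQDN bypasses DNS,
    #    which is how a loopback entry silently breaks the callback.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern   = '^\s*[^#\s]\S*\s+.*\b' + [regex]::Escape($CallbackFqdn) + '\b'
    $hit = Select-String -Path $hostsPath -Pattern $pattern -ErrorAction SilentlyContinue
    $r.HostsOverride = if ($hit) { (@($hit.Line) | ForEach-Object { $_.Trim() }) -join '; ' } else { 'none' }

    # 2. DNS: which addresses does the FQDN resolve to from this server?
    try {
        $a = Resolve-DnsName -Name $CallbackFqdn -Type A -ErrorAction Stop | Where-Object IPAddress
        $r.ResolvedIPs = (@($a.IPAddress) -join ', ')
    } catch {
        $r.ResolvedIPs = "FAILED: $($_.Exception.Message)"
    }

    # 3. TCP reachability on the HTTPS port
    $tcp = Test-NetConnection -ComputerName $CallbackFqdn -Port $Port -WarningAction SilentlyContinue
    $r.TcpReachable = [bool]$tcp.TcpTestSucceeded

    # 4. Certificate: the presented names must cover the callback FQDN, and the chain must
    #    validate on this server (StoreFront will not accept an untrusted callback cert).
    foreach ($k in 'CertSubject', 'CertNames', 'NameMatches', 'ChainValid') { $r[$k] = $null }
    if ($r.TcpReachable) {
        $client = New-Object System.Net.Sockets.TcpClient($CallbackFqdn, $Port)
        try {
            # Accept anything during the handshake so the certificate can be inspected explicitly below.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $ssl.AuthenticateAsClient($CallbackFqdn)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            # Collect DNS names from the SAN extension (OID 2.5.29.17) plus the subject CN.
            $names = @()
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($sanExt) {
                $names += [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
            }
            if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }

            $r.CertSubject = $cert.Subject
            $r.CertNames   = ($names -join ', ')
            $r.NameMatches = [bool]($names | Where-Object { Test-CertNameMatch -Pattern $_ -HostName $CallbackFqdn })

            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $r.ChainValid = $chain.Build($cert)
        } finally {
            $client.Close()
        }
    }

    $r.Verdict = if ($r.HostsOverride -eq 'none' -and $r.TcpReachable -and $r.NameMatches -and $r.ChainValid) { 'OK' } else { 'CHECK' }
    [pscustomobject]$r
}

# Wildcard matching as browsers do it: '*.customer.inc' covers 'callback.customer.inc'
# but neither 'a.b.customer.inc' nor the bare 'customer.inc'.
function Test-CertNameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                       # '.customer.inc'
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return ($Pattern -ieq $HostName)
}

# Run on each StoreFront server; a 'CHECK' verdict means one of the rows above failed.
Test-StoreFrontCallbackUrl -CallbackFqdn 'callback.customer.inc' | Format-List
```

A HostsOverride row other than 'none' is the situation described in OPTION1: the name never reaches DNS, so the ResolvedIPs row will show what the HOSTS file says rather than the Netscaler VIP. For OPTION2, NameMatches is the row that tells you whether the existing wildcard certificate covers the new name.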

  3. After different approaches in our test farm we came to the point that the requested filter cannot be applied with the customer because of limitations in this environment.

    So we tried to make things easier: instead of differentiating private and corp. clients, we are asked to deny USB policies for everyone using Netscaler.

    To achieve this I edited the policies that ALLOW USB redir. for certain user groups by adding a DENY for Netscaler connections.

    It doesn't work....

    I want to understand WHY..

    But this use case is not taken care of by Citrix's help page: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/policies-create.html

    1st Example: Assignments of like type with differing modes ("Deny takes precedence")
    2nd Example: Assignments of differing type with like modes ("connection must satisfy at least one assignment of each type")

    I have a different case: I have assignments of differing type with differing modes.

    I was hoping for the result of "example 1", but users that are allowed via AD group to access their USB drives from a Citrix session can still do so when connected via Netscaler.

    I am really sick and tired of tinkering with filter types + modes.

    The VERY last thing I can think of now that HAS to work is (so I believe): leave every policy as it was (allow for certain AD groups) and add a new policy with highest priority that denies all drive redirections (filter for Access control).

    Still I am curious for a full set of examples and explanations of different Citrix policy/filter combinations..
    Is there anyone with a good hint of where to find this information?

  4. 1 minute ago, Koenraad Willems said:
    • Do all users always go through NetScaler, both internal and external?
    • Are the users with the BYOD devices usually connecting from internal, external, or both?

    I need to check/prove, but let's say:

    Netscaler only for external users (CoDs, BYODs).

    Internal network only contains CoDs.

    What would you suggest?

    I can only think of: different IP ranges given by Netscaler => DENY USB policy with a filter for the BYOD IP range.

    Completely different approach:

    Add a block to the logon script that checks the client device for domain membership: if not, run a script to deny USB redirection etc..

  5. 9 hours ago, Koenraad Willems said:

    A way would be to set a Deny rule on the Policy's Filter, but since I guess these private computers are not domain joined, that won't work, as there is no list of them.

     

    So the only thing that I could think of, is putting the private clients in a separate IP range, then set a Deny filter on that range. It's not very elegant, but it will do the job.

     

    The problem is, I see only four options to "target" client devices in the filter options:

    1. IP-Range

     - Is there a way to tell Netscaler to give "Domaincomputers" IP range "A" and everything NOT in "Domaincomputers" IP range "B"?

    2. Connection source

     - Check if the connection comes from Netscaler; but that doesn't differentiate corp. from private devices

    3. Clientname

     - Could easily be fooled, because it doesn't check/accept FQHN like "*.domain.com"

    4. AD-Group

     - I would need a DENY with a negative filter like "NOT in domaincomputers", but I can only positively check for groups

    >> I guess #1 could be my only chance?

    >> Is there no real "best practice" for a scenario like this?

  6. Currently we have a Citrix policy to allow USB redirection into Citrix. There is a filter set to an AD user group "Ctx USB allowed".

    Now we would like to avoid users with private clients using this option, so I added the "Domaincomputers" AD group to this policy's filter. I thought it would be an AND condition, so both conditions must be met.

    It doesn't work - users allowed to connect USB can still do so using a private device.

    Is there a way to create such an AND condition within policies?
