[How to edit RDP Profile user downloads]

I have a customer with the exact same problem - Case with Citrix is open but progressing slowly and no bug aknowledgement as of now.

 

Carls section on Bookmarks includes a passage on how you can alter the RDP file https://www.carlstalhood.com/citrix-gateway-rdp-proxy/#createrdpbookmarks

However, with that it didnt replace but added and we ended up having two lines:

Alternate Shell: explorer.exe or empty (our custom value)

Alternate Shell: DefaultAltShell

...and RDP honored the second line - so error persisted.

[license engine not running]

Hi,

 

we had the same issue on the same hardware - the DL385 G10 has AMD Epyc CPUs - turns out VPX only supports Intel CPUs - look at the fineprint in the datasheet :-(

 

Regards,

Manuel

[if else statement for appexpert in messageaction]

Hi Faizal,

 

I never dealt much with DNS on Netscaler, so it's just a guess, but have you had a look into the DNS.* policy tree?

 

For example: DNS.REQ.QUESTION.TYPE

From the help: "Returns DNS Record type. This object provides Num operations and DnsType Enum operations on the DNS Record Type."

(Or any other thing within the DNS.* tree, theres quite a few more options avaiable there)

 

Manuel

[SMART card authentication with Netscaler and SF - Need to avoid 2nd PIN prompt at application launch]

Good question, I guess this would need to be tested.

However, I read the matrix as follows:

 - the behaviour only changes if the CRL is optional or missing

 - if you have a CRL configured, its online and up to date, then a revoked certificate will always be rejected

 

[SMART card authentication with Netscaler and SF - Need to avoid 2nd PIN prompt at application launch]

Hi, did you see the following? (Lower section)

https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-client-cert-authentication/ng-client-cert-smart-card-tsk.html

 

on the vserver-sc

 - disable mandatory SSL auth

 - add a CERT auth policy instead

 - allow SSL renegotiation (even though I would prefer the NONSECURE setting instead of NO as described in the article)

 

...that way the smart-card is only validated during authentication, not with every SSL handshake (i.e. ICA Session start, which causes the second prompt)

 

---

 

Another way is the described attempt of using a separate vserver-ICAonly.

You have to set this one up in Storefront as additional gateway and force sessions through it through "Optimal HDX Routing" (under Store-settings).

["Check Device Certificate" as a SmartAccess policy condition possible?]

On 5.12.2017 at 4:50 PM, Jonathan Clark1709155079 said:

If you want users who "Fail" device certificate checks to proceed with a secondary factor of authentication, check out nFactor with certificates

 

That's not quite right, nFactor can (currently) only realize such a scenario with user-certificates!

Source: https://support.citrix.com/article/CTX231256