Wednesday, January 23, 2013

CloudGateway Enterprise Session Policies - Android, iOS, OSX, Windows, Web Interface

As I prepare for Varrow Madness I've been working with our CloudGateway deployment in the lab quite a bit, especially with NetScaler session policies designed to make this device or that device work properly when connecting through AGEE to the StoreFront server. Citrix has a pretty good POC Best Practices Guide that I would really recommend using if you are doing a first-time, lab-type deployment; heck, it's even a great setup for a small infrastructure. There's just one problem - the section on session policies ended up setting me up with session policies that didn't work for Android or the native OSX receiver.

After scouring the web for a while I've managed to come up with a set of session policies that got me going; hopefully this will save you some trouble. I've tested the policies on NS10, AppController 2.5 and 2.0 as well as StoreFront 1.2 and verified that they will allow you to connect via the receivers for Windows, OSX, Android, iOS, and via the Web Interface, including the HTML5 receiver if you have it installed. Keep in mind that these policies do depend on you having the legacy support option enabled in StoreFront. The bolded items will need to be altered to match your environment:

add vpn sessionAction Profile_PNA -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.gtclab.net/Citrix/PNAgent" -ntDomain gtc -clientlessVpnMode ON

add vpn sessionAction Profile_Desktop_Rec -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -ntDomain gtc -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT

add vpn sessionAction Profile_Web -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://storefront.gtclab.net/Citrix/GTCWeb" -icaProxy OFF -ntDomain gtc -clientlessVpnMode ON

add vpn sessionAction Profile_AG -splitTunnel ON -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://storefront.gtclab.net/Citrix/GTCWeb"

add vpn sessionPolicy Policy_PNA_iOS "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS iOS" Profile_PNA

add vpn sessionPolicy Policy_PNA_Android "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android" Profile_PNA

add vpn sessionPolicy Policy_Desktop_Rec "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" Profile_Desktop_Rec

add vpn sessionPolicy Policy_Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" Profile_Web

add vpn sessionPolicy Policy_AG "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" Profile_AG

Then you have to bind these policies to the Virtual Server in this order, replacing the bold vserver name with the name of your Virtual Server:

bind vpn vserver "StoreFront Services" -policy Policy_PNA_iOS -priority 80
bind vpn vserver "StoreFront Services" -policy Policy_PNA_Android -priority 90
bind vpn vserver "StoreFront Services" -policy Policy_Desktop_Rec -priority 100
bind vpn vserver "StoreFront Services" -policy Policy_Web -priority 110
bind vpn vserver "StoreFront Services" -policy Policy_AG -priority 120
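
To see why the bind order matters, the following added example (not from the original post or from Citrix) models the five policy expressions in Python and reports which profile a request would receive. It assumes the lowest priority number wins when several policies match and treats CONTAINS as a plain substring test; the header values are constructed samples.

```python
# Added example: a model of the five session policies and their bind priorities.
# Assumptions: lowest priority number wins; CONTAINS is a plain substring test;
# a missing User-Agent header counts as "NOTCONTAINS CitrixReceiver".

def ua(h):
    return h.get("user-agent", "")

def is_receiver(h):
    return "CitrixReceiver" in ua(h)

# (priority, policy name, profile, predicate over lower-cased header names)
POLICIES = [
    (80, "Policy_PNA_iOS", "Profile_PNA",
     lambda h: is_receiver(h) and "iOS" in ua(h)),
    (90, "Policy_PNA_Android", "Profile_PNA",
     lambda h: is_receiver(h) and "Android" in ua(h)),
    (100, "Policy_Desktop_Rec", "Profile_Desktop_Rec",
     lambda h: is_receiver(h) and "x-citrix-gateway" in h),
    (110, "Policy_Web", "Profile_Web",
     lambda h: not is_receiver(h) and "referer" in h),
    (120, "Policy_AG", "Profile_AG",
     lambda h: not is_receiver(h) and "referer" not in h),
]

def matching(headers):
    """Return (priority, policy, profile) for every policy that matches."""
    h = {k.lower(): v for k, v in headers.items()}
    hits = [(p, name, prof) for p, name, prof, pred in POLICIES if pred(h)]
    return sorted(hits)

def effective_profile(headers):
    """Profile of the lowest-priority-number match, or None if none match."""
    hits = matching(headers)
    return hits[0][2] if hits else None

# Constructed sample requests (header values are illustrative, not captured).
SAMPLES = {
    "ios": {"User-Agent": "CitrixReceiver sample iOS",
            "X-Citrix-Gateway": "gw.example.test"},
    "android": {"User-Agent": "CitrixReceiver sample Android"},
    "desktop": {"User-Agent": "CitrixReceiver sample Desktop",
                "X-Citrix-Gateway": "gw.example.test"},
    "browser": {"User-Agent": "Mozilla/5.0 (sample)",
                "Referer": "https://gw.example.test/"},
    "no_referer": {"User-Agent": "Mozilla/5.0 (sample)"},
    "receiver_no_gw": {"User-Agent": "CitrixReceiver sample Desktop"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, effective_profile(hdrs), [n for _, n, _ in matching(hdrs)])
```

The iOS sample matches both Policy_PNA_iOS and Policy_Desktop_Rec, so only the priority decides which profile applies. The last sample matches none of the five policies, and every condition here is evaluated on headers the client supplies.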