Citrix NetScaler Expression Session Policies for CloudGateway

Alexander Ervik Johnsen AppController, Citrix, Cloud, CloudGateway, NetScaler, VDI, XenApp, XenDesktop 2013-01-18

Let’s face it, NetScaler is a great product, no doubt, but there is a big configuration difference between Access Gateway and NetScaler. For techies that are used to setting up regular CAG there is a big difference. In Citrix NetScaler we need to use session policies, and as a result, there is more things we need to keep in mind.

I’ve searched and searched for a good overview of the required session policies for NetScaler Access Gateway, that make CloudGateway work with iOS, Android, Windows and Mac OSx. So, Edward and I wanted to give you a article that highlights these policies.

How to Configure Session Policies and Profiles for CloudGateway

We learned the hard way, and we want to give Bjarne Træholt a big heads up, our NetScaler Guru above all from Arrow ECS Denmark! To allow connections through Access Gateway Enterprise(NetScaler VPX or MPX) from the different versions of Receiver, you need to create session policies and profiles for CloudGateway with specific rules to enable the connections to work.
We need to create separate session policies and profiles for :

Receiver for Windows and Receiver for Mac
Receiver for Android
Receiver for iOS
Receiver for Web
Access Gateway Plug-in

The following table shows the policy expression to configure based on the version of Receiver and the Access Gateway Plug-in you are using :

Receiver version does not support StoreFront services protocols	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS`
Receiver version supports StoreFront services protocols	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS`
Access Gateway Plug-in for Windows Access Gateway Plug-in for Mac	`REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS`
Receiver for Web	`REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS`

When you configure the policy expression for Receiver versions, you can distinguish between the Receiver type in the policy expression.

Receiver for Windows	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows/`
Receiver for Mac	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS MacOSX/`
Receiver for iOS	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS iOS/`
Receiver for Android	`REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android/`

If you configure a session policy that supports StoreFront services protocols and Receiver for iOS, the expression might look like the following:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS iOS/

Next we need to configure expressions in session policies

When you configure the expression for a session policy, you can use the following methode for CloudGateway Express and CloudGateway Enterprise deployments.

In the Create Access Gateway Session Policy dialog box, select Advanced Free-Form and then click Add.
In the Add Expression dialog box, use the following parameters as a guideline for the expression:After you save the first expression, click And in the Create Access Gateway Session Policy dialog box to add && to the expression and then click Add.
1. In Expression Type, select General.
2. In Flow Type, select REQ.
3. In Protocol, select HTTP.
4. In Qualifier, select Header.
5. In Operator, select CONTAINS, NOTCONTAINS, EXISTS, or NOTEXISTS depending on the expression.
6. In Value, type the parameter, such as CitrixReceiver.
7. In Header Name, type User-Agent and then click OK.
Repeat Step 2 to configure the second rule.
When you finish adding the rules, click Create and then click Close.

Configuring Session Profiles

When you configure session profiles for use with a session policy, you need to configure parameters that are specific for the type of connection the profile supports.

When you finish configuring the policy and profile, you then bind the session policy to the virtual server. You also need to assign a priority number for each session policy.

The session profiles you configure have different settings for CloudGateway Enterprise and CloudGateway Express.

If you run into problems be sure to check out How to Enable Receiver Logging to Troubleshoot StoreFront Activation/Provisioning

Citrix NetScaler Expression Session Policies for CloudGateway

How to Configure Session Policies and Profiles for CloudGateway

Related Posts

DoS and RCE Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway multiple CVE´s

Citrix NetScaler is back

Citrix and FireEye Mandiant Launch Indicator of Compromise Scanner

Permanent fixes for CVE-2019-19781 – Vulnerability for Citrix ADC versions 11.1 and 12.0

CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway