Citrix is committed to helping you find the right balance among security, user experience, and productivity. Citrix ADC, combined with Citrix Virtual Apps and Desktops, gives you a variety of security tools in addition to the policy filters embedded in Citrix Studio so you can focus on other tasks. What if I were to tell you that you can look for certain conditions on endpoints and, based on those criteria, either hide or display certain content to your end users? For example, you can hide an entire delivery group with sensitive applications from external or untrusted locations and devices.

SmartAccess and SmartControl are your two best friends for achieving this level of security. SmartAccess enables you to take a condition on the external endpoint and use it to determine which resources are available or what the condition of the HDX connection will be. This feature is implemented at the delivery controller level with the use of Citrix policies. You can apply these policies based on the connecting user’s IP address, delivery group, client name, delivery group type, and the connection entry point, whether internally or externally, with Citrix Access Control.

SmartControl is a feature that enables you to manage the HDX connection by determining which channels to turn off and on. Because external access does present some security vulnerabilities, it is important to decide whether to enable client-file redirection, printer redirection, and/or clipboard redirection. If those channels are all active, they can expose data to the outside world. SmartControl enables you to define a policy on the gateway and use the gateway as the access control point instead of relying on the Delivery Controller and using Citrix policies that may not necessarily satisfy your criteria.

What are some of the requirements for these two outstanding features?

  • A callback URL in the Citrix StoreFront store configuration
  • Enable Trust XML in your Citrix site
  • ADC Platinum edition for SmartControl (SmartAccess works with all editions of ADC)
  • Disable ICA Only on the virtual server (NS gateway VIP)

How do we configure SmartAccess?

  • At the Delivery Controller, make sure the site has Trust XML enabled.

  • Within Citrix Studio, look up the policy you want to implement. In this example, printer redirection will be disabled for external users only.

  • Under “Assign policy to,” click “Assign” next to Access Control.

At the next screen, you can specify the ADC gateway virtual server and session policy you want this setting applied to. This gives you finer granularity when you have multiple ADCs. If you’d like this setting applied to all ADC gateways in your site, use * in the farm name and access condition columns.

At this point, client-printer redirection will be enabled for internal users and disabled altogether for all external connections from the gateway.
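
An added example, not from the original post: a PowerShell audit for the Delivery Controller that checks the Trust XML prerequisite and lists which delivery-group access rules admit gateway connections without a SmartAccess tag, which is the control behind hiding a delivery group from external locations. It uses the Broker SDK cmdlets `Get-BrokerSite` and `Get-BrokerAccessPolicyRule`; the classification labels, and the sample rule, group and tag names used when the SDK is absent, are assumptions made for this example.

```powershell
# Added example, not Citrix's own code. Load the Citrix Broker SDK first
# (snap-in or module, depending on version); without it the script falls
# back to constructed sample rules so the logic can be read offline.

function Test-SmartAccessCoverage {
    # Classifies one access policy rule by how it treats gateway connections.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Rule)
    process {
        $mode = "$($Rule.AllowedConnections)"
        $tags = @($Rule.IncludedSmartAccessTags | Where-Object { $_ })
        $finding = if ($mode -eq 'NotViaAG') {
            'InternalOnly'   # never matches a connection through the gateway
        } elseif ($mode -ne 'AnyViaAG' -and $Rule.IncludedSmartAccessFilterEnabled -and $tags.Count -gt 0) {
            'TagFiltered'    # the gateway must present one of the listed tags
        } else {
            'Unfiltered'     # gateway connections admitted without a tag check
        }
        [pscustomobject]@{
            DeliveryGroup = $Rule.DesktopGroupName
            Rule          = $Rule.Name
            Tags          = $tags -join ', '
            Finding       = $finding
        }
    }
}

if (Get-Command Get-BrokerAccessPolicyRule -ErrorAction SilentlyContinue) {
    $trustXml = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
    $rules    = Get-BrokerAccessPolicyRule
} else {
    # Constructed sample data; group, rule and tag names are hypothetical.
    $trustXml = $false
    $rules = @(
        [pscustomobject]@{ Name = 'Finance_Direct'; DesktopGroupName = 'Finance'; AllowedConnections = 'NotViaAG'
                           IncludedSmartAccessFilterEnabled = $false; IncludedSmartAccessTags = @() }
        [pscustomobject]@{ Name = 'Finance_AG'; DesktopGroupName = 'Finance'; AllowedConnections = 'ViaAG'
                           IncludedSmartAccessFilterEnabled = $true; IncludedSmartAccessTags = @('GatewayVS1:TrustedDevice') }
        [pscustomobject]@{ Name = 'Office_AG'; DesktopGroupName = 'Office'; AllowedConnections = 'AnyViaAG'
                           IncludedSmartAccessFilterEnabled = $false; IncludedSmartAccessTags = @() }
    )
}

if (-not $trustXml) {
    Write-Warning 'Trust XML is disabled on this site; enable it before relying on SmartAccess filters.'
}
$rules | Test-SmartAccessCoverage | Sort-Object DeliveryGroup, Rule | Format-Table -AutoSize
```

Rules reported as `Unfiltered` for a delivery group that holds sensitive applications are the ones to review first.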

A SmartControl configuration guide is available to help you configure other functions you can leverage along with SmartAccess directly on the ADC appliance.

What are some items that can be enforced with SmartControl?

  • Client audio redirection
  • Client clipboard redirection
  • Client drive redirection
  • Client printer redirection
  • Client USB drive redirection
  • Client COM port redirection
  • Multistream

And finally, there’s an additional approach, authentication-based smart-access filters, which you can learn more about in this Citrix blog post.

— Jorge Angulo, Customer Success Engineer