Smart Access Basic Setup with ICA Proxy Enabled

by Ray Davis

One thing I’ve learned is that the Gateway vServer doesn’t really need ICA Proxy unchecked for what I am trying to do. I am not using EPA scans or anything advanced yet. But, you could do it to save a step later. Now I understand this may not be the best way, but sometimes you have to do what you need to do to secure things.

0. Check the Trust Request on the Brokers and enable it if it’s not already enabled.

1. Open POSH and add asnp citrix* and Run Get-brokersite. If it’s set to false, then run #3 command

2. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

3. Create a NetScaler gateway Dummy VIP (Some organizations don’t allow SF to talk back to the DMZ NetScaler’s vServer. If yours does, then use the current Gateway and ignore the dummy VIP/vServer.)

Added IP and Port

Add STA Brokers

Added DNS Record.

Go to StoreFront Servers > click on Manage Citrix Gateways

Click edit

Add the Call Back URL ( For me is the Dummy VIP I created) Which resolved to a layer 2 IP address on the same Subnet as my Citrix Environment.

Propagate changes on Storefront

Go to the DDC, and create a policy. For me, I used the baked in one from Citrix called ” Security Control”

Remember the Allow or Deny mode is a bit confusing. “Allow” means that the settings in the policy are to be applied to the NetScaler Gateway connection.
“Deny” means the settings prohibiting something will not be applied to users connecting via Citrix Gateway.

My bandwidth went up some when I applied more Security settings, Red is applying the filter, and green is off.