Site icon BLOGS

Smart Access Basic Setup with ICA Proxy Enabled

by Ray Davis

One thing I’ve learned is that the Gateway vServer doesn’t really need ICA Proxy unchecked for what I am trying to do. I am not using EPA scans or anything advanced yet. But, you could do it to save a step later. Now I understand this may not be the best way, but sometimes you have to do what you need to do to secure things.

0. Check the Trust Request on the Brokers and enable it if it’s not already enabled.

1. Open POSH and add asnp citrix* and Run Get-brokersite. If it’s set to false, then run #3 command

2. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

3. Create a NetScaler gateway Dummy VIP (Some organizations don’t allow SF to talk back to the DMZ NetScaler’s vServer. If yours does, then use the current Gateway and ignore the dummy VIP/vServer.)

Added IP and Port

Add STA Brokers

Added DNS Record.

Go to StoreFront Servers > click on Manage Citrix Gateways

Click edit

Add the Call Back URL ( For me is the Dummy VIP I created)  Which resolved to a layer 2 IP address on the same Subnet as my Citrix Environment.

Propagate changes on Storefront

Go to the DDC, and create a policy. For me, I used the baked in one from Citrix called ” Security Control”


My bandwidth went up some when I applied more Security settings, Red is applying the filter, and green is off.

On

Off

Testing with it off (Deny the Policy

Here are my local machine printers

Now log into the VDA

Now lets set the Filter to Allow (Allow the policy)

Now log into the VDA – No printers from my local machine were able to come in.

  1. Remember this is a very basic setup, and it’s just to show what it can do. There is much more than what I am showing here.

Then my research and questions on Slack (If you’re not on this, you’re missing out). A lot of really sharp guys on here.

Acknowledgments:
Just wanted to thank the Slack community for all the help along my way. So many talented people, and it’s an amazing adventure.

Exit mobile version