Jump to content


Hide resources when logging on from unsecure networks

Started by Ingvild Rutledal , 19 April 2017 - 07:21 AM
1 reply to this topic

Ingvild Rutledal Members

Ingvild Rutledal
  • 20 posts

Posted 19 April 2017 - 07:21 AM



I have a citrix environment consisting of three different desktops (with three different delivery groups, three different subnets and dedicated terminal servers, all managed from the same DDC and Site ).


I am running Xenapp 7.6, Storefront 3.0 and Netscaler VPX 11.1.


The solution is configured with 2 vServers on netscaler, one for internal use and one for external use. Both pointing to the same storefront server and store. This way the users are pointing to the same URL for logging on whether they are internal or external.


I want to hide desktop2 and desktop3 from users logging on from unsecure networks (both internal and external).


I have looked at this blogpost and tried Method #2 with IncludedIPs command.



The problem is that when users are logging on to the netscaler, and the query for which resources the users have is sent to the DDC, it seems like it's the netscaler vServer IP which is the source of the query. This way, any users will query for resources with the same source address and there is no way to tell the difference between them.


Is there any way to go around this? Or do I have to redesign my whole environment? Does anyone have any tips for me?





Paul Blitz Members

Paul Blitz
  • 3,915 posts

Posted 19 April 2017 - 09:05 AM

This sounds like what Smart Filters etc were designed to do.


When The user is passed from Netscaler to Storefront (ie after they have authenticated) then the Storefront can make an optional "callback" to the Netscaler. This retrieves the Vserver name and the session policy name, which can then be used in smart filters etc over on Storefront.


So, to make this work, on netscaler you need to use EPA policies to examine the client IP address, and match a different session policy / profile bases upon the source IP. The actual session profiles will be amazingly similar, but the different session profile names can be used by Storefront.... in your case to steer whether an app is made visible.



Carl: I'm sure you must have blogged about this?

Also tagged with one or more of these keywords: xenapp 7.6, netscaler vpx 11.1, storefront 3.0