
Citrix Policies (USB Drives) filter/conditions


Stefan Johnen

Question

Currently we have a Citrix policy to allow USB redirection into Citrix. There is a filter set to an AD users group "Ctx USB allowed".

 

Now we would like to avoid users with private clients using this option, so I added "Domaincomputers" AD-group to this Policy's Filter. I thought it would be an AND condition, so both conditions must be met.

It doesn't work: users allowed to connect USB can still do so from a private device.

 

Is there a way to create such an AND-condition within policies?


6 answers to this question


Hi,

 

No, I don't think there is a way to have the policy's filters working in a boolean way.

A way would be to set a Deny rule on the Policy's Filter, but since I guess these private computers are not domain joined, that won't work, as there is no list of them.

So the only thing that I could think of, is putting the private clients in a separate IP range, then set a Deny filter on that range. It's not very elegant, but it will do the job.

 

Best,

 

Koenraad

9 hours ago, Koenraad Willems said:

A way would be to set a Deny rule on the Policy's Filter, but since I guess these private computers are not domain joined, that won't work, as there is no list of them.

 

So the only thing that I could think of, is putting the private clients in a separate IP range, then set a Deny filter on that range. It's not very elegant, but it will do the job.

 

The problem is, I see only four options to "target" client devices in the filter options:

 

1. IP-Range

 - Is there a way to tell Netscaler to give "Domaincomputers" IP-Range "A" and everything NOT in "Domaincomputers" IP-Range "B"?

 

2. Connection source

 - Checks whether the connection comes from NetScaler, but that doesn't distinguish corporate from private devices

 

3. Clientname

 - Could easily be fooled, because it doesn't check/accept FQHN like "*.domain.com"

 

4. AD-Group

 - I would need a DENY with a negative filter like "NOT" in "domaincomputers", but I can only positively check for groups 

 

 

>> I guess #1 could be my only chance?

>> Is there no real "best practise" for a scenario like this?


Hi,

 

I think there are a couple of ways to achieve this, but it will depend on your topology and on how and from where your users access the resources.

A couple of questions:

  • Do all users always go through NetScaler, both internal and external?
  • Are the users with the BYOD devices usually connecting from internal, external, or both?

Best,

 

Koenraad

1 minute ago, Koenraad Willems said:
  • Do all users always go through NetScaler, both internal and external?
  • Are the users with the BYOD devices usually connecting from internal, external, or both?

I need to check/prove it, but let's say:

 

Netscaler only for external Users (CoDs, BYODs).

Internal Network only contains CoDs.

 

What would you suggest?

I can only think of: Different IP-Ranges given by Netscaler => DENY USB policy with filter for BYODs-IP-Range.

 

Completely different approach:

Add a block to the logon script that checks the client device for domain membership; if it isn't a member, run a script to deny USB redirection etc.


Hi,

 

Then indeed you'll have to make sure you segregate/differentiate the BYOD devices/users from the other ones.

I think the easiest would be to use specified source IP for the connection from NetScaler to the Citrix server:

https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-manage-clienttraffic/use-specified-srcip.html#create-a-net-profile

I don't mean the client's source IP, but depending on the device (domain joined or BYOD), use specific source IP, that can then be identified on the Citrix server.

 

I think you'll need to use the NetScaler Pre-Authentication, then use that information for the net profile:

https://support.citrix.com/article/CTX220961

 

I don't think the logon script approach will work, since the server doesn't have a lot of knowledge about the client device.

 

Best,

 

Koenraad


After different approaches in our test farm we came to the point that the requested filter cannot be applied with the customer because of limitations in this environment.

 

So we tried to make things easier: instead of differentiating between private and corporate clients, we were asked to deny USB policies for everyone using NetScaler.

 

To achieve this I edited the policies that ALLOW USB redirection for certain user groups by adding a DENY for NetScaler connections.

It doesn't work....

 

I want to understand WHY..

 

But this use case is not covered by Citrix's help page: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/policies-create.html

 

1st Example: Assignments of like type with differing modes ("Deny takes precedence")
2nd Example: Assignments of differing type with like modes ("connection must satisfy at least one assignment of each type")

I have a different case: I have assignments of differing type with differing modes.

I was hoping for the result of "example 1", but users that are allowed via AD group to access their USB drives from a Citrix session can still do so when connected via NetScaler.

 

I am really sick and tired of tinkering with filter types and modes.

The VERY last thing I can think of now that HAS to work (so I believe) is: leave all policies as they were (allow for certain AD groups) and add a new policy with the highest priority that denies all drive redirections (filter on Access Control).

 

 

Still I am curious for a full set of examples and explanations of different Citrix policies/filter combinations..
Is there anyone with a good hint of where to find this information?
