Home > All, Citrix, CloudGateway, NetScaler, XenDesktop > #Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.

But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below so parts of it is purely theoretical at this stage.

So a bit of background first to build my case…

Citrix has been going on about SmartAccess, and it’s been true that the Access Gateway capabilities once added to Web Interface and XenApp/XenDesktop where great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments where accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provided as a pre- or post-authentication scan. This scan then resulted that either the device met the policies or didn’t, and then this policy could be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) that the end-user should get for that specific session.

And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT-industry is driving now with BYOD etc.? Think about the message that is being pushed out there today, use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…

And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!

This text is from the Citrix homepage about SmartAccess;

SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.

So let’s start of then with going back to the SmartAccess which is the topic of this blog!

First I’d like you to review the Requirements for StoreFront 1.2 which is interesting and really goes through the scenarios and client requirements that are for StoreFront, but it does NOT cover the requirements for being able to do E2E SmartAccess that includes EPA scans (host checks).

When can you expect a host-check/EPA scan to be triggered and supported for your access scenarios through AGEE (NetScaler)? I hope that I got this table right but I think it summarizes everything (not all clients and Receivers are in there but I think you’ll get the point):

Client Access method EPA/Host-check possible on AGEE Comment
Windows with Citrix Receiver for Windows 3.3 Receiver


You’ll never be able to do host-checks on this device if Receiver access is used!
OS X with Citrix Receiver for Mac 11.6 Receiver NO You’ll never be able to do host-checks on this device if Receiver access is used!
iPad or iPhone with Citrix Receiver for iOS 5.6 Receiver NO You’ll never be able to do host-checks on this device if Receiver access is used!

And how does it look if you where to use the same clients but instead use a browser that fulfils the StoreFront requirements to access the service?

Client Access method EPA/Host-check possible on AGEE Comment
Windows with Citrix Receiver for Windows 3.3 Browser to Receiver for Web site YES Yes, here the AGEE EPA scans will be triggered and works! You can also use them to pass the session policy to the backend and get true SmartAccess including host-checking! But why can’t we distinguish if a Windows device is trusted or untrusted when accessing through the Receiver?
OS X with Citrix Receiver for Mac 11.6 Browser to Receiver for Web site NO NO! Hmmm… why not? Well it so happens that the EPA client is built into the Access Gateway plugin for Mac, so in this case you’ve not triggered the login through the Access Gateway plugin so you’re all out of luck! To do host-check you must try to establish an SSL VPN tunnel!
iPad or iPhone with Citrix Receiver for iOS 5.6 Browser to Receiver for Web site NO NO! Same thing here… there is no EPA client/plugin for iOS. I don’t think that the scenario in which you want to distinguish between and managed and unmanaged iOS device is that big but could for some may be interesting.

So you as the architect has that great job of satisfying your stakeholders and their BYOD and SmartAccess vision now have a bit of a challenge! How are you going to be able to determine if the device that is accessing your service is trusted or not?

You’ll basically only be able to do so if you have a Windows device that is accessing your service using a web browser! The whole vision of the Receiver and being able to leverage SmartAccess is tough… You need to be creative and ellaborate with USER AGENT strings or other mechanisms to find you best workaround until this is solved.  But I have a lot of trust in that Citrix will fix this! And I really hope sooner than later!!!

For the Mac host-check that I mentioned a bit earlier in the table you can do Process and File checks if you establish an SSL VPN tunnel with the Access Gateway plugin, but not the following checks;

Endpoint analysis scans for antivirus, personal firewalls, antispam, Internet security, and EPAFactory scans are not supported for Mac OS X.

And of course you for Access Gateway have MORE to configure though there Citrix has the possibilities to leverage the Opswat scans (why not yet in the enterprise product???).

Now it’s time to stop rambling… but I’ll follow up this post if I find that I’m wrong on any details or that the prerequisites have changed!

Happy SmartAccess’ing! 😉


  1. ZigZag
    March 28, 2013 at 20:53

    I have been testing EPA with Smart Cards and it does not seem to work on Windows with a browser like a regular user/password login.

    Any ideas?

  1. January 2, 2013 at 20:23
  2. January 30, 2013 at 12:28

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: