The IT Melting Pot!

Citrix has now released version 3.4 of the Receiver for Mac and Windows, but what is the main added value with this release?

First of I’d like to ask you to review my previous post where I questioned the Citrix SmartAccess story that I believe is not there end-to-end and that really is a lacking feature for scenarios where you’d for instance want to support more BYOD models etc. You need to determine the person accessing the service and also what what type of device it is, trusted or not etc. And I in the previous post I argued that Citrix doesn’t deliver according to their SmartAccess story;

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

And for you that haven’t read about the new Receiver 11.7 or OS X and 3.4 for Windows check these posts:

Receiver for Windows 3.4 released

Receiver for Mac 11.7 Released

The table below is from the previous SmartAccess post and my theoretical review right now is that the SmartAccess story for Windows and Mac OS X clients have improved. As you can see in the two rows for Receiver 3.3 and 11.6 where you would access through a Receiver through an AGEE you would NOT be able to perform host checks using the EPA scans.

This was just not possible though the native Receiver didn’t have that capability to trigger the EPA scans. And the EPA plugin itself was not available in the native Receiver on the OS X, it was bundled into the Access Gateway plugin.

So if you ask me if this was an important release or not I’d have to say YES! But is the puzzle solved and is SmartAccess and the HDX/ICA traffic flow now “controllable” by us IT suppliers and admins? NO! You still need both the AGEE plugin and the Receiver installed on all devices (managed and unmanaged) to get a somewhat simple AGEE  and StoreFront design… and can you install the AGEE plugin on all devices in a simple way (does users have permissions etc..)?

And still we have an issue with the ICA traffic flow and control on how that can be ensured to either go in proxy mode through an AGEE or direct between the client and internal host if the client is on the internal network. How does the Receiver determine whether to go in proxy mode or direct mode? It’s based on where the authentication is done! If the Receiver starts up on a client on the internal network and can reach the StoreFront server then it will authenticate against it, then StoreFront will ensure that all ICA/HDX connections initiated will go in direct more (NO AGEE PROXY). If the authentication is done by an AGEE to StoreFront then the ICA/HDX traffic will always go in proxy mode through the AGEE.

So you can’t really control this in a simple and nice way, previously you could do a lot with session policies and profiles with EPA scans and then different Web Interface sites but it’s not feasible without major workarounds with StoreFront and DNS views etc.

If you ALWAYS want to do a host check (internally and externally) to control for instance ICA/HDX virtual channels depending if the device is trusted or untrusted you’re pretty much not gonna make that happen if you’re using the Receiver to access your stores. You could do it on Windows and force users to use Receiver for Web login only on internal and external AGEE vServers but you wouldn’t trigger EPA scans on the Mac then for instance…..

Ok, to summarise! Yes, the 3.4 and 11.7 release does add EPA scan possibilities for Mac and Windows Receiver access scenarios which is good. And it works together with the AGEE plugin so that only one login is required! Getting there Citrix, keep up the work and please solve the other scenarios as well in terms of controlling ICA/HDX traffic flow (proxy or direct mode) and also ensure that the Receiver can trigger the EPA scans, please! Then we have a SmartAccess story that works in real life!

//Richard