If a user is in multiple groups (which are equivalent tiers), the priority resolves which group membership is most important. You can basically, change the processing order by manipulating the policies (for a given category such as session policies) regardless of bind point. with priorities, you ignore bind points and the priorities are the sole determining factor of importance as the priorities span bind points. without priorities, bind point precedence is aaa user > aaa group > vpn vserver > global (most to leat important) And the classic always had some surprises (advanced makes more predictable sense). Advanced engine deal with priorities and bind point precedence different from each other. Not sayin they would for proxy vs mobile, but your proxy users are being overridden by anything in the ssl vpn policy with these priorities.Ĭlassic vs. If a user fell into overlapping criteria. mobile/receiver users (priority 40), then ssl vpn policy (priority 50), then ICA Proxy users (priority 60) So based on your priorities, your policies evaluate from most important to least: You may also need Traffic Policies for more in depth SSO configuration and/or appropriate AAA nfactor policies.īecause you are in the CLASSIC engine, the priorities trump bind points on precedence. If you have ICA Proxy:OFF, and no storefront url defined, then you are mostly in VPN mode and the network connections tab and client settings tab will govern the vpn behavior, split tunnel, and sso behavior. If your Published Apps tab: ICA Proxy:ON and your storefront settings are defined, you will be mostly an ICA Proxy connection. IF your question is about the session profile, Or to do an EPA/OPSWAT scan, will be more challenging at this point.
SSL VPN VS GLOBAL VPN MAC
To filter on MAC specifically, using just the session policies, you would need to base it on a user-agent header. User-Agent CONTAINS CitrixReceiver & X-Citrix-Gateway EXISTS # services client User-Agent NOTCONTAINS CitrixReceiver & Referer EXISTS #web client Whereas receiver (services) or ica proxy users, typically look like this: User-Agent NOTCONTAINS CitrixReceiver & Referer NOTEXISTS
SSL VPN VS GLOBAL VPN FULL
If your gateway accepts both users who should connect with Full VPN and those who are doing ICA Proxy only, then you would need expressions like this: (These examples are in second link above)
SSL VPN VS GLOBAL VPN FREE
If you need more specific details, feel free to clarify. The gateway wizard will create default policies to filter gateway session policies based on full vpn or receiver connections and examples of this can be found in the gateway admin guide.įor EPA/OPSWAT scans, for the advanced policy engine as pre-authentication policies, you will need to incorporate AAA authentication vserver and advanced authentication policies.
One method of browser filters is ("user-agent"). Http object can be used for web request filters. You can use advanced policy expressions with session policies depending on what criteria you are looking for.Ĭlient object can be used for ip/port filters among other network criteria.
0 kommentar(er)
