Access Gateway Enterprise with AAA Groups and the Citrix Receiver


I recently enabled VPN in Access Gateway Enterprise as another way to get into my corporate environment, since a handful of engineers and I support the environment.  We already had the Citrix Receiver set up and working through Access Gateway.  Once I began testing my access (before rolling out to others) after enabling VPN by testing the different methods of access, I started getting errors and wasn’t able to log on using the Citrix Receiver.  In this blog post I am going to go over Access Gateway Enterprise with AAA Groups and the Citrix Receiver.

In Access Gateway I have two session policies bound to the Access Gateway Virtual Server.  One session policy is for the Citrix Receiver and the other session policy is for Web Interface ICA/HDX access only.  There were no issues connecting to the environment using the Citrix Receiver or Web Interface ICA/HDX access only.  I recently enabled the option to use VPN or Web Interface ICA/HDX access with Client Choices by using AAA Groups with a session policy in Access Gateway for testing.  VPN and Web Interface ICA/HDX access worked fine, but I could not log on using the Citrix Receiver.  I tested the Citrix Receiver from iPad and Android mobile devices.  See the screenshots below for the different errors on each device.

Citrix Receiver error on the iPad.

Citrix Receiver error on Android.

After reviewing my configuration, I found a session policy conflict between the Citrix Receiver session policy bound to the Access Gateway Virtual Server and a session policy bound to an AAA Group.  Both session policies had the same priority of 0.  See the screenshots below for the Access Gateway Virtual Server and AAA Group session policy configurations.

Access Gateway Virtual Server session policies.

Access Gateway AAA Group session policy.

After some configuration changes and testing, I found two ways to fix the issue.  One option is to make the AAA Group session policy a lower priority by giving it a higher priority number than the Access Gateway Virtual Server Citrix Receiver session policy.  The other option is to configure the AAA Group session policy with a policy expression of REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver.  See the screenshots below for the AAA Group session policy configuration options.

AAA Group lower priority session policy

AAA Group policy expression session policy
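
The two fixes described above, written out as NetScaler CLI commands. This is an added example, not the author's configuration: the object names (agee_vs, VPN-Engineers, act_*, pol_*), the priority value 100 and the original policy rules are assumptions.

```netscaler
# Added example. All object names and the priority value 100 are hypothetical.
# Lines starting with # are notes. The AAA group and the virtual server are
# assumed to exist already.

# Stand-in session profiles: ICA proxy for Receiver, Client Choices for the group.
add vpn sessionAction act_receiver -icaProxy ON
add vpn sessionAction act_vpn_choice -clientChoices ON

# Assumed Receiver policy on the virtual server, matched on the User-Agent.
add vpn sessionPolicy pol_receiver "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" act_receiver

# Assumed group policy as first configured: it matches every request.
add vpn sessionPolicy pol_vpn_choice ns_true act_vpn_choice

# State described in the post: pol_receiver (bound to agee_vs) and
# pol_vpn_choice (bound to VPN-Engineers) both had priority 0.

# --- Option 1: give the AAA group binding a higher priority number ---------
# A higher number means a lower priority, so the Receiver policy on the
# virtual server is no longer tied with the group policy.
unbind aaa group VPN-Engineers -policy pol_vpn_choice
bind aaa group VPN-Engineers -policy pol_vpn_choice -priority 100

# --- Option 2: keep the priorities, exclude Receiver in the group policy ---
# The group policy stops matching requests whose User-Agent contains
# CitrixReceiver, so only the Receiver policy applies to those clients.
set vpn sessionPolicy pol_vpn_choice -rule "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"

# --- Check the result ------------------------------------------------------
# List the policies and priorities bound at each bind point and compare them.
show vpn vserver agee_vs
show aaa group VPN-Engineers
```

Apply one option, not both. The User-Agent header is supplied by the client, so the expression in option 2 selects a session profile; it is not an access restriction.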

By using either of the options above for the AAA Group session policy, you should now be able to connect using the Citrix Receiver without any errors.  I wish Access Gateway had a resultant set of policy tool like XenApp and XenDesktop have.

If you have found this article interesting or if you have any other insights, please feel free to leave comments on this article.
  1. Daniel Binder 04-20-2011

    Hey Jarian – how’s it going? You visited us here at Commerce Bank a while back for a Citrix “health check”. We are looking to roll out Receiver for our remote users. I configured Receiver and Merchandising Server and have it working internally as a test but we need to have it available for Remote Users and Security will more than likely have us put Merchandising Server into a DMZ.

    Is there a good guide anywhere for getting Receiver working with Access Gateway Enterprise?

    I am assuming that it is possible to have Merchandising Server push updates to Remote Receiver clients from within a DMZ…….??

  2. Sham 03-09-2011

    Hi Jarian

    Can you send me the steps on how to configure the iPad, iPhone and BlackBerry on the WI and Access Gateway to my email?

  3. Bill Sutton 01-04-2011

    Good information, Jarian. Thanks for sharing!

  4. Scott Cochran 12-29-2010

    Which option did you finally choose?
