So when creating a delivery group in Studio, you have limited options for controlling who gets access to a certain delivery group or application. NOTE: This is not using Smart Access on the Netscaler; this is purely a Citrix Studio feature.
We have, for instance, filtering on users.
After we have created the delivery group, we also have the option to define access rules. By default, two rules are created per delivery group:
one rule that allows access using Access Gateway and one for direct connections using Storefront. So what if we need more customization options? Enter PowerShell for Citrix…
Before doing anything, we need to import the Citrix module in PowerShell:
asnp citrix.*
Then we use the command Get-BrokerAccessPolicyRule. By default there are two rules for each delivery group, one called NAME_AG and one called NAME_Direct. The AG one is used for access via Netscaler Gateway, the other for direct connections to Storefront.
From the OS_AG policy we can see that it is enabled, that AllowedConnections is configured to be via Netscaler Gateway, and that it is filtered on Domain Users.
From the other policy, OS_Direct, we can see that it is enabled and that it applies to NotViaAG connections.
So how do we hide the delivery group from external users? The simplest way is to disable the access policy rule for AG connections.
Set-BrokerAccessPolicyRule -name OS_AG -Enabled $false
Via Netscaler
Via Storefront
Or what if we want to exclude a certain Active Directory user group? For instance, there may be users who are members of many Active Directory groups but are not allowed access to external sessions.
Set-BrokerAccessPolicyRule -Name OS_AG -ExcludedUserFilterEnabled $True -ExcludedUsers "TEST\Domain Admins"
This will disable external access to the delivery group for all members of Domain Admins, even if they are allowed access by another group membership.
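To check the result of the steps above rather than trust a single Set call, the following added example (not from the original post) reports every access rule on a delivery group, adds the exclusion to each enabled gateway rule, and reports again. The delivery group name `OS` is an assumption inferred from the rule names OS_AG and OS_Direct, and `Get-AccessRuleReport` is a hypothetical helper name.

```powershell
# Added example, not from the original post. Run on a Delivery Controller.
Add-PSSnapin Citrix.* -ErrorAction Stop   # same as "asnp citrix.*"

$deliveryGroup = 'OS'                  # assumption: delivery group that owns OS_AG / OS_Direct
$blockedGroup  = 'TEST\Domain Admins'  # the group excluded in the post

function Get-AccessRuleReport {
    param([Parameter(Mandatory)][string]$DesktopGroupName)

    Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName | ForEach-Object {
        # Every AllowedConnections value except NotViaAG is reachable through the gateway.
        $viaGateway = $_.Enabled -and ([string]$_.AllowedConnections -ne 'NotViaAG')
        [pscustomobject]@{
            Rule               = $_.Name
            Enabled            = $_.Enabled
            AllowedConnections = $_.AllowedConnections
            ExcludeFilterOn    = $_.ExcludedUserFilterEnabled
            ExcludedUsers      = $_.ExcludedUsers
            # An exclusion list is ignored while its filter is switched off.
            ExternalNoExclude  = $viaGateway -and -not $_.ExcludedUserFilterEnabled
        }
    }
}

# State before the change
Get-AccessRuleReport -DesktopGroupName $deliveryGroup | Format-List

# Add the group to every enabled gateway rule. -AddExcludedUsers appends,
# whereas -ExcludedUsers replaces whatever list is already on the rule.
Get-BrokerAccessPolicyRule -DesktopGroupName $deliveryGroup |
    Where-Object { $_.Enabled -and ([string]$_.AllowedConnections -ne 'NotViaAG') } |
    ForEach-Object {
        Set-BrokerAccessPolicyRule -Name $_.Name -AddExcludedUsers $blockedGroup
        Set-BrokerAccessPolicyRule -Name $_.Name -ExcludedUserFilterEnabled $true
    }

# State after the change: ExternalNoExclude should be False on every rule
Get-AccessRuleReport -DesktopGroupName $deliveryGroup | Format-List
```

The OS_Direct rule is left untouched, so members of the excluded group can still launch the delivery group through a direct Storefront connection.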