One thing I've learned is that the Gateway vServer doesn’t really need ICA Proxy unchecked for what I am trying to do. I am not using EPA scans or anything advanced yet. But, you could do it to save a step later. Now I understand this may not be the best way, but sometimes you have to do what you need to do to secure things.
1. Check the Trust Request setting on the Brokers and enable it if it's not already enabled.
2. Open PowerShell (POSH), run asnp citrix*, then run Get-BrokerSite. If TrustRequestsSentToTheXmlServicePort is False, run the command in step 3.
3. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
4. Create a NetScaler Gateway dummy VIP. (Some organizations don't allow StoreFront to talk back to the DMZ NetScaler's vServer. If yours does, use the existing Gateway and skip the dummy VIP/vServer.)
- Add the STA Brokers.
- Add a DNS record.
- Go to StoreFront Servers > click on Manage Citrix Gateways.
- Click Edit.
- Add the Callback URL (for me it is the dummy VIP I created), which resolves to a layer 2 IP address on the same subnet as my Citrix environment.
- Propagate the changes in StoreFront.
- Go to the DDC and create a policy. For me, I used the baked-in one from Citrix called "Security Control".
- Remember that the Allow or Deny mode is a bit confusing. "Allow" means the settings in the policy are applied to NetScaler Gateway connections.
- "Deny" means the policy's settings (the ones prohibiting something) are not applied to users connecting via Citrix Gateway.
My bandwidth went up some when I applied more security settings. Red is with the filter applied, and green is with it off.
- Testing with it off (Deny the policy)
- Here are my local machine printers.
- Now log into the VDA.
- Now let's set the filter to Allow (Allow the policy).
- Now log into the VDA again. No printers from my local machine were able to come in.
- Remember this is a very basic setup, and it's just to show what it can do. There is much more than what I am showing here.
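As an added example (not from the original post), here is an idempotent version of the Get-BrokerSite / Set-BrokerSite steps above, meant to be run on a Delivery Controller with the Citrix snap-ins installed; the -AdminAddress value is a placeholder, and the final listing of access policy rules is there so you can confirm which rules apply to Gateway (ViaAG) versus direct (NotViaAG) connections before testing the policy filter.

```powershell
# Added example, not part of the original post. Assumes the Citrix PowerShell
# snap-ins are installed (asnp citrix*) and the account has Full Administrator
# rights on the site. The DDC name below is a placeholder.
param(
    [string]$AdminAddress = 'ddc01.example.local'   # placeholder, replace with your DDC
)

Add-PSSnapin Citrix* -ErrorAction Stop

# 1. Read the current site setting instead of eyeballing the Get-BrokerSite output.
$site = Get-BrokerSite -AdminAddress $AdminAddress
Write-Host ("TrustRequestsSentToTheXmlServicePort is currently: {0}" -f $site.TrustRequestsSentToTheXmlServicePort)

# 2. Only change the setting when it is actually off. Enabling it tells the
#    Broker to trust the user identity StoreFront asserts over the XML port,
#    which is what the Gateway/STA flow relies on, so the XML port should only
#    be reachable from your StoreFront servers.
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Set-BrokerSite -AdminAddress $AdminAddress -TrustRequestsSentToTheXmlServicePort $true
    Write-Host 'Enabled trust of XML service requests.'
}

# 3. Re-read and fail loudly if the change did not stick.
$site = Get-BrokerSite -AdminAddress $AdminAddress
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    throw 'TrustRequestsSentToTheXmlServicePort is still False; check your permissions.'
}

# 4. Show which access rules apply to Gateway (ViaAG) and direct (NotViaAG)
#    connections for each Delivery Group, so you know the Gateway path is
#    actually brokered before you flip the "Security Control" filter to Allow.
Get-BrokerAccessPolicyRule -AdminAddress $AdminAddress |
    Select-Object Name, Enabled, AllowedConnections, DesktopGroupName |
    Sort-Object DesktopGroupName, Name |
    Format-Table -AutoSize
```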
Then came my research and questions on Slack (if you're not on it, you're missing out). A lot of really sharp guys on there.
Just wanted to thank the Slack community for all the help along my way. So many talented people, and it's an amazing adventure.