Wilco van Bragt

Using Citrix Policies Part Two


In part one of the article series Using Citrix Policies we walked through the creation and configuration of Citrix policies. In this second article I will show you how policies are applied by using filters, summarize the advantages of Citrix policies, and provide you with some best practices.

Filter the policy

Now that we have configured a policy, you need to apply a filter to it. The filter configuration can only be reached from the main console. Again, select the policy, right-click it and choose the option Apply this policy to.

Again, a policy can be applied (or filtered) on five levels.


Figure 10: Apply Policy to Filters

At every level you need to enable the filter with the checkbox before you can add filter settings. There is also a checkbox to apply the policy to all objects at that level (for example all authenticated users or all client names). Filtering can be achieved either by creating a filter for the target group and selecting Allow (I personally would have called the option Apply), or by creating a filter for the group the policy should not apply to and selecting Deny for that filter. Which method to use depends on how much configuration is needed to reach your goal with the filter.

Let's do a quick walkthrough of the available filter levels. The first level can be used if you have a Citrix Access Gateway with Advanced Access Control configured, just as you are used to from the Published Application properties. A possible scenario for this level is a policy that disables client drive mapping, filtered to apply when no antivirus software is found (or it is not up to date).

Secondly, you can create a filter based on an IP address or an IP range. An example for this level is applying a policy to a specific location or floor. The third level is also related to the client, but now based on the client name. This filter will only be applied when users connect via the Web Interface. It is possible to use wildcards to create a filter for a group of clients. For example, you could use WI_* for users connecting via the Web Interface.

Next, a policy can also be applied to specific servers. When you enable this filter, the available servers in the farm are displayed, and per server you need to configure whether the policy will be applied or not. This filter is not used much, but can be used for specific silo servers with high security demands, for example.

The last level is probably the most used: filtering on users and/or user groups. The filter can be applied to all explicit or anonymous users via the checkboxes. In the filter you can select groups from Active Directory. If you need to specify individual users, check the box "Show Users"; otherwise only AD groups are shown in the GUI.

Resultant Set of Policies

Just as with Group Policy Objects, it is sometimes difficult to find out from which policy a user gets his configuration. We were all very happy when Microsoft released the Group Policy Management Console with the Group Policy Results feature. If the user had logged in, you could determine which settings the user got and from which policy they came. Citrix has built in a similar option called View Resultant Policy. The feature is a little bit hidden and also strangely named. You can reach it by right-clicking the Policies component in the left pane and selecting Search.

In the following screen you fill in details at the filter levels to determine which policy will be applied to that configuration. Of course you only fill in the fields which are necessary. In the following figure I would like to know which policies are applied to testuser2, connecting from workstation WS0001 with IP address Also here it is possible to use wildcards in the criteria.

Figure 11: Searching which policies will be applied to the defined search criteria.

When you press the Search button, the policies that will be applied to the configuration specified in the search criteria are shown. To see which settings will be applied, click the View Resultant Policy button.

Figure 12: Resultant Policy Properties

The well-known policy window is then shown again, but now with all the settings combined in one screen. When you select a setting you can also see from which policy the setting is taken.

Why Use Citrix Policies

Now that we have configured the policies, you probably already know why it is a good thing to use Citrix policies in your infrastructure. I will summarize the most important reasons why you should use Citrix policies:

  • With Citrix policies it is possible to define different settings for user groups and locations, which can be applied on the same server by using the filter options.
  • Just like GPO's Citrix policies can be combined and settings will be overwritten if a policy has a higher
  • With Citrix policies you have centralized management instead of manual settings on the protocol itself on a per-server basis.
  • With Citrix policies, bandwidth can be configured in detail, per client device and as a total amount for the whole session.
  • Settings introduced in the later versions can only be configured via the Citrix policies.
  • Citrix policies include a good feature for seeing which settings will be applied to the selected object: the View Resultant Policy window.

Best Practices

As promised in the introduction, we will conclude this article series with some best practices for using Citrix policies.

  • A Citrix policy shows the status enabled by default, but this does not imply that the policy will be applied to sessions. At least one filter needs to be configured before the configuration will be applied.
  • Define as few policies as possible. Just like GPOs, all policies need to be processed by the system before the user gets his session. The fewer policies are defined, the quicker it goes.
  • To keep the number of policies low, my best practice is to create one base policy with all the default settings in it and apply that one to all users. Only for the exceptions and/or additions do I create separate policies with a strict filter attached.
  • Also, to load the policies as quickly as possible, do not configure settings for a virtual channel/client mapping that you disabled at the client device component, because they are not used.
  • Read the description of the policy carefully. Just like Microsoft policies, some policies have Turn Off or Disable in the name, so you need to enable the policy to turn off the feature. For example, disabling the policy called Turn Off Com Ports actually means enabling COM port mappings.
  • If you would like to enable PDA synchronization be sure the policy Turn Off Com Ports mapping is disabled or not configured. PDA synchronization requires Com Port mapping to function.
  • Within Citrix policies you can easily see on which components settings are configured. The higher-level components get an arrow icon in front, while the setting itself also gets a symbol that shows its current configuration.
  • Disabling/enabling remote drives in the Drives subcomponent affects configured network mappings only. USB drives and removable hard disks are treated as normal hard drives by Citrix policies.
  • To apply the (dangerous) Streamed Application will not be applied when a server filter is applied to it.
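
The filter and resultant-policy behaviour described in this article, modelled as an added Python example (it is not Citrix code and calls no Citrix API). Assumptions: a policy applies only when every enabled filter level matches, Deny beats Allow, the lower priority number wins, and IP ranges are written as CIDR; the policy names, settings, group names and IP address are constructed.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed policies. Assumed model: lower priority number = higher priority.
# Each enabled filter level holds (pattern, "allow" | "deny") entries.
POLICIES = [
    {"name": "Base", "priority": 4,
     "filters": {"user": [("*", "allow")]},
     "settings": {"client_drive_mapping": "on", "com_port_mapping": "off"}},
    {"name": "WebInterfaceLockdown", "priority": 3,
     "filters": {"client_name": [("WI_*", "allow")]},
     "settings": {"client_drive_mapping": "off"}},
    {"name": "Floor2", "priority": 2,
     "filters": {"client_ip": [("10.0.2.0/24", "allow")],
                 "user": [("Contractors", "deny"), ("*", "allow")]},
     "settings": {"com_port_mapping": "on"}},
    {"name": "Orphan", "priority": 1, "filters": {},   # enabled, but no filter
     "settings": {"client_drive_mapping": "off"}},
]
# testuser2 and WS0001 come from the article; group and IP are constructed.
SAMPLE_CONN = {"user": ["testuser2", "Domain Users"],
               "client_name": ["WS0001"], "client_ip": ["10.0.2.15"]}

def _hit(level, pattern, value):
    if level == "client_ip":
        return ip_address(value) in ip_network(pattern)
    return fnmatchcase(value.upper(), pattern.upper())  # wildcard, case-insensitive

def level_matches(level, rules, conn):
    values = conn.get(level, [])
    verdicts = {v for p, v in rules for x in values if _hit(level, p, x)}
    return "allow" in verdicts and "deny" not in verdicts  # assumed: Deny wins

def applies(policy, conn):
    # A policy without any filter is never applied, even though it shows as enabled.
    f = policy["filters"]
    return bool(f) and all(level_matches(lv, r, conn) for lv, r in f.items())

def resultant(conn, policies=POLICIES):
    """Return {setting: (value, source policy)} like View Resultant Policy."""
    result = {}
    for p in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if applies(p, conn):  # higher-priority policies are merged last and win
            result.update({k: (v, p["name"]) for k, v in p["settings"].items()})
    return result

def unfiltered(policies=POLICIES):
    """Audit helper: enabled policies that can never take effect."""
    return [p["name"] for p in policies if not p["filters"]]
```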


With this article series I gave a basic overview of the possibilities of Citrix policies, how you can benefit from Citrix policies, and some best practices for configuring the policies in your environment. Hopefully, when I visit your company for a consulting job, I will see nicely configured Citrix policies in place.