The Citrix Web template enables you to easily configure Citrix access using the Pulse Secure Citrix Services Client proxy, JSAM, or WSAM.
To create a resource profile using the Citrix template:
The system uses the values that you enter to automatically create a corresponding resource policy that enables access to the necessary resources:
When you select this option, the system uses all of the “allow” values that you enter in the resource profile’s Web access control autopolicy to automatically create a corresponding code-signing resource policy. Within this policy, the system uses the specified Web resources to create a list of trusted servers.
To secure traffic through the Juniper Citrix Terminal Services proxy or the Secure Application Manager, select one of the following options in the ICA Client Access section:
Note: If you are using a third-party Web server such as your company’s Intranet server to deliver the ICA file, make sure the Content-Type of the HTTP Response header is application/x-ica. Only then does the system automatically intermediate the ICA file and launch its Citrix Terminal Services client to tunnel the traffic.
Note: If you select this option, we recommend that you disable Citrix client downloads through the Citrix Web Interface. Otherwise, users could inadvertently start two different windows downloading two versions of the Citrix client simultaneously–one through the system (which automatically attempts to download the Citrix client if one is not present on the user’s computer) and one through the Citrix Web Interface.
When you select the ICA client connects over JSAM option, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select_Role > General > Overview page of the admin console.
Note: You cannot enable WSAM and JSAM for the same role. Therefore, if you try to create a Citrix resource profile that uses one of these access mechanisms (for instance, JSAM) and another profile associated with role already uses the other access mechanism (for instance, WSAM), the system does not enable the new access mechanism (JSAM) for the role. Also note that you can only use WSAM or JSAM to configure access to one Citrix application per user role.
Note: To control access to local resources exclusively through your Citrix Metaframe server settings, clear the Configure access to local resources check box. When you clear the option, the Metaframe server settings take effect. Or, if you want to selectively override Citrix Metaframe server settings for the bookmark, select the Configure access to local resources check box and then specify the local resources to which you want to enable or disable access. Note that if you enable access to a local resource through the system, you still must enable access to it through the Metaframe server as well.
When you enable local resources through the terminal server, each user can only access his own local resources. For instance, user 1 cannot see user 2’s local directories.
When you select single sign-on, the WIClientInfo and WINGSession cookies are prepopulated automatically in addition to the POST Resource and URL.
Or, if you selected the non-Web interface option, you may optionally create your own single sign-on autopolicy.
The selected roles inherit the autopolicies and bookmarks created by the Citrix resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option in the Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.
Also enable the Terminal Services access feature under User Roles > Select_Role > General Overview. If the user role does not have this feature enabled, the Citrix ICA file is delivered as is (without being rewritten) and the Juniper Citrix component (CTS) will not start. In this case, the Citrix native client attempts to establish a connection with the back-end server directly (without going through the system) and will fail.
By default, the system creates a bookmark to the Web interface (NFuse) URL defined in the Web Interface (NFuse) URL field and displays it to all users assigned to the role specified in the Roles tab.