We have gone through three different features, and each of them gives us some functionality. We may, for example, want all of these features to be available to the user at the same time, and give the users the option to choose between them.
If we want to have a single web portal where we want to give the users the ability to choose the kind of resource they need, we need to make a change to the default session policy that they use. Under the session policy, go to the request profile that is bound to it and then click on the Client Experience pane. Here, click on the Advanced button. In the menu, we have an option called Client Choices. By enabling this, the users will get an option to choose what type of feature they need when logging in to the web portal.
The options that are presented here are dependent on what is configured in the session policy. For example, if clientless access is not defined, it will not show up as an option here. If we have not entered a web interface address, Citrix XenApp will not show up as an option. Lastly, if we have set the vServer to basic mode, it will automatically go to the StoreFront server.
Another option we have is to use expressions. We can use expressions to filter sessions based on user agents, IP addresses, and so on. For example, suppose we want to create a dedicated session policy to be applied only to Android devices, and the default session policy to be applied to all other devices that are connecting. For Android devices, the following CLI expression declares that the connecting client must have a user agent string, which contains Citrix Receiver and Android:
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Android/
A list of different expressions that can be used for different client types can be found at http://support.citrix.com/proddocs/topic/access-gateway-10/agee-clg-session-policies-overview-con.html.
Then, we create a custom session policy that is bound to that expression and contains the specific configuration for our Android devices. We then use the general ns_true expression in a second session policy, which we bind to cover the rest of the devices. Also, remember that the Android policy needs to have a lower priority number than the other one so that it is evaluated first, as ns_true applies to all clients that are connecting to the vServer, as shown in the following screenshot:
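The priority ordering described above can be checked with a small model. The following Python is an added example, not code from the original text or from Citrix: it handles only the expression subset shown on this page (ns_true and &&-joined REQ.HTTP.HEADER ... CONTAINS terms), assumes a case-sensitive substring match, and uses constructed policy names, priorities and User-Agent strings.

```python
import re

# One term of the classic-expression subset shown on this page.
TERM = re.compile(r"REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S+)$")

def matches(rule, headers):
    """Evaluate ns_true, or '&&'-joined 'REQ.HTTP.HEADER <name> CONTAINS <text>' terms."""
    if rule.strip() == "ns_true":
        return True
    for term in rule.split("&&"):
        m = TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        name, needle = m.groups()
        if needle not in headers.get(name, ""):  # assumption: case-sensitive match
            return False
    return True

def winning_policy(bindings, headers):
    """Return the matching policy with the lowest priority number, or None."""
    for _priority, name, rule in sorted(bindings):
        if matches(rule, headers):
            return name
    return None

def shadowed(bindings):
    """List policies that can never win because ns_true is bound at a lower number."""
    catch_all = [p for p, _, rule in bindings if rule.strip() == "ns_true"]
    if not catch_all:
        return []
    return [name for p, name, _ in sorted(bindings) if p > min(catch_all)]

# Constructed sample bindings: (priority number, policy name, rule).
ANDROID_RULE = ("REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && "
                "REQ.HTTP.HEADER User-Agent CONTAINS Android/")
GOOD = [(90, "android_pol", ANDROID_RULE), (100, "default_pol", "ns_true")]
BAD = [(110, "android_pol", ANDROID_RULE), (100, "default_pol", "ns_true")]

# Constructed request headers.
ANDROID_UA = {"User-Agent": "CitrixReceiver/3.4 Android/4.4.2"}
DESKTOP_UA = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"}

if __name__ == "__main__":
    print(winning_policy(GOOD, ANDROID_UA), winning_policy(BAD, ANDROID_UA))
    print("shadowed in BAD:", shadowed(BAD))
```

With the BAD ordering, the Android device silently receives the default policy, which is the misconfiguration the priority note guards against.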
One last feature that we can use is the ability to filter based upon the Active Directory group. For example, suppose we want users who are part of the executives group to gain access to everything in the corporate network, and the regular users to gain access to some of the network. The way this operates is that when a user connects to the web portal, NetScaler gets the list of the AD groups that the user is a member of from Active Directory, and finds the first policy that is bound to one of those AD groups. It is important to note that user policies are processed before vServer and global policies. Therefore, if we have two session policies, one bound to the vServer and another bound to a user group, the user group policy will win.
In order to use this feature, we must first enable the authentication policy to get the list of the AD groups that the user who is connecting is a part of. This can be done by making sure that the memberOf attribute is entered in the authentication policy in the Group Attribute field. This is shown in the following screenshot:
After that is done, we need to go into the policy manager to create the AD groups. This can be found in the NetScaler Gateway pane. Here, we must first create an AAA group under Groups. The group name must be identical to the group name in Active Directory. Now, we can start binding policies to the group by dragging them from the Available Policies/Resources pane to the Configured Policies/Resources pane. We can also create new custom policies as shown in the following screenshot and bind them accordingly: