XenApp PowerShell SDK & NetScaler Smart Access Filters

Configuring Published Resources for access from NetScaler Gateway: Using PowerShell.


1.0 XenApp 6.5 PowerShell SDK

First things first: you need to have the SDK installed. It can be downloaded from here. In theory, it can be installed on any machine that can access your Citrix farm; however, if you run the cmdlets from a machine that doesn’t have XenApp installed, you’ll need to specify -ComputerName, giving the name of a server with XenApp installed, such as a ZDC.

Although fine for reading (Get-XA…), I was getting a cryptic error when running cmdlets from non-XenApp servers and the ZDCs:

Set-XAAdministrator : Error writing administrator DomainADGroupName (0x8000003C)

Basically, this means that it can’t access the configuration log database to update the changes, so although a given property will show as changed in your PowerShell console, the change will not be reflected in the Farm. For me, I was able to get the Set-XA… cmdlets to work from our XenApp servers.


2.0 Smart Filters – XenApp Access Control

Figure 1 – Access Control Dialogue: Correlation between PS cmdlets and GUI.

3.0 PowerShell Cmdlets
3.1 “Get” Cmdlets
3.1.1 List all properties of cmdlet

[PS] C:\> Get-XAApplication | Get-Member -MemberType Property

3.1.2 List all published resources starting with a given name

[PS] C:\> Get-XAApplication -BrowserName "MS*"

BrowserName maps to “Application Name” in the GUI. This should be unique for every published resource.

3.1.3 List all properties related to the Access Control dialogue

[PS] C:\> Get-XAApplication | FL ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed


3.1.4 Export all Access Control properties to CSV

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Select BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed | Export-Csv C:\Temp\PubApps-MW.csv -NoTypeInformation

AccessSessionConditions is an array, therefore it needs to be expanded. See http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/15/see-why-powershell-can-t-export-some-properties-to-csv.aspx

[PS] C:\> $apps = Get-XAApplication -BrowserName "MS*" | Select-Object BrowserName, AccessSessionConditions, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, OtherConnectionsAllowed

[PS] C:\> $apps | select BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, OtherConnectionsAllowed, @{LABEL='AccessSessionConditions';EXPRESSION={$_.AccessSessionConditions -join ' '}} | Export-CSV C:\Temp\PubApps-MW.csv

Creates PubApps-MW.csv in C:\Temp, expanding AccessSessionConditions.

3.1.5 Export all Access Control properties to XML

As there can be a 1:N relationship between the other properties and AccessSessionConditions, it may be better to export as an XML:

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Select-Object BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed | Export-Clixml C:\Temp\Pub-Apps.xml

The result is a rather messy looking XML file.

3.1.6 Filter resources, accessible through Access (NetScaler) Gateway

[PS] C:\> Get-XAApplication | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $true} | ft BrowserName,FolderPath

Returns BrowserName & FolderPath (the folder location in the AppCenter console, not the path to the published app’s executable).

3.1.7 Filter resource, not accessible through Access Gateway but accessible internally

[PS] C:\> Get-XAApplication | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $False -AND $_.OtherConnectionsAllowed -eq $True} | FT BrowserName,FolderPath -AutoSize

Returns BrowserName & FolderPath.

3.1.8 Lists Published Resources with a Session Policy

[PS] C:\> Get-XAApplication | ?{$_.AccessSessionConditions -ne $null} | ft BrowserName, FolderPath -AutoSize

Returns BrowserName & FolderPath.
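
The filters in 3.1.6 to 3.1.8 each answer one question; as an added example (not from the original post), the function below classifies every published resource in one pass and flags filters that are not on an approved list. The function names, the exposure labels, the approved list and the sample objects are assumptions constructed for illustration; only the property names are those used with Get-XAApplication on this page.

```powershell
function Get-AccessControlExposure {
    param(
        [Parameter(ValueFromPipeline = $true)] $Application,
        [string[]] $ApprovedConditions = @()   # hypothetical allow-list of filter names
    )
    process {
        # Normalise to an array and drop null/empty entries.
        $conditions = @($Application.AccessSessionConditions | Where-Object { $_ })
        $unapproved = @()
        if ($ApprovedConditions.Count -gt 0) {
            $unapproved = @($conditions | Where-Object { $ApprovedConditions -notcontains $_ })
        }
        if (-not $Application.ConnectionsThroughAccessGatewayAllowed) {
            if ($Application.OtherConnectionsAllowed) { $exposure = 'InternalOnly' }
            else { $exposure = 'NoConnections' }
        }
        # Allowed through the gateway with no filter ("Any connection").
        elseif (-not $Application.AccessSessionConditionsEnabled) { $exposure = 'GatewayAnyConnection' }
        # Filter switched on but nothing listed: a setting to review.
        elseif ($conditions.Count -eq 0) { $exposure = 'GatewayFilterEmpty' }
        elseif ($unapproved.Count -gt 0) { $exposure = 'GatewayUnapprovedFilter' }
        else { $exposure = 'GatewayFiltered' }

        New-Object PSObject -Property @{
            BrowserName = $Application.BrowserName
            Exposure    = $exposure
            Unapproved  = ($unapproved -join ' ')
        } | Select-Object BrowserName, Exposure, Unapproved
    }
}

# Constructed sample objects carrying the property names used on this page.
function New-SampleApp($Name, $Gateway, $Filtered, $Conditions, $Other) {
    New-Object PSObject -Property @{
        BrowserName = $Name; ConnectionsThroughAccessGatewayAllowed = $Gateway
        AccessSessionConditionsEnabled = $Filtered; AccessSessionConditions = $Conditions
        OtherConnectionsAllowed = $Other
    }
}
$sample = @(
    (New-SampleApp 'MS Word 2013'    $true  $true  @('NS-Gateway-VIP:CTX_REC_SF_IOS_policy') $true),
    (New-SampleApp 'MS Excel 2013'   $true  $false @() $true),
    (New-SampleApp 'MS Visio 2013'   $true  $true  @('NS-Gateway-VIP:EXAMPLE_retired_policy') $true),
    (New-SampleApp 'MS Project 2013' $false $false @() $true)
)
# On a farm, replace $sample with Get-XAApplication.
$sample | Get-AccessControlExposure -ApprovedConditions 'NS-Gateway-VIP:CTX_REC_SF_IOS_policy' |
    Where-Object { 'GatewayFiltered', 'InternalOnly' -notcontains $_.Exposure } |
    Format-Table -AutoSize
```

With the sample data, the rows left after the final filter are MS Excel 2013 (GatewayAnyConnection) and MS Visio 2013 (GatewayUnapprovedFilter).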

3.2 Set Cmdlets

The basis of set is “Set-XAApplication”. In the main, the output of Get-XAApplication can be piped into the input of Set-XAApplication.


3.2.1 Deny remote access to all applications beginning “MS”

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $False

Tip: If you are checking the results in Citrix AppCenter GUI, don’t forget to refresh first.

3.2.2 Allow remote access to all applications beginning “MS” for “Any Connection”

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $True -AccessSessionConditionsEnabled $False


3.2.3 Allow remote access to all applications beginning “MS” for a particular AccessSessionCondition:

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $True -AccessSessionConditionsEnabled $True -AccessSessionConditions "NS-Gateway-VIP:CTX_REC_SF_PLAYBOOK_policy"

Note: This will overwrite any existing entries for AccessSessionConditions.

3.2.4 Allow remote access to all applications beginning “MS” with several access conditions (appending)
Set up a variable ($asc):

[PS] C:\> $asc = Get-XAApplication -BrowserName "MS*" | Select-Object AccessSessionConditions

Add a new condition to the object “AccessSessionConditions”:

[PS] C:\> $asc.AccessSessionConditions += "NS-Gateway-VIP:CTX_REC_SF_IOS_policy"

Repeat for each additional session condition.

Check $asc contains existing and new Session Conditions:

[PS] C:\> $asc

AccessSessionConditions
-----------------------
{NS-Gateway-VIP:CTX_REC_SF_PLAYBOOK_policy, NS-Gateway-VIP:CTX_REC_SF_IOS_policy, NS-Gateway-VIP:CTX_REC_SF_OSX_policy , NS-Gateway-VIP:CTX_SF_WIN8_policy}


Set the Access Session Conditions:

[PS] C:\> Set-XAApplication -BrowserName "MS*" -AccessSessionConditions $asc.AccessSessionConditions


3.2.5 Set AccessSessionConditions for the first 3 applications beginning “MS”

Sorted in alphabetical order, where ConnectionsThroughAccessGatewayAllowed = True

[PS] C:\> Get-XAApplication -BrowserName "MS*" | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $true} | Sort-Object BrowserName | Select-Object BrowserName,FolderPath -First 3 | Set-XAApplication -AccessSessionConditions $asc.AccessSessionConditions


3.2.6 Clear AccessSessionConditions for all applications beginning MS
There appears to be no way to clear AccessSessionConditions. However, setting -AccessSessionConditionsEnabled to $false will have the desired effect. I was only able to remove the AccessSessionConditions from the GUI or by overwriting with another value.

3.2.7 Set AccessSessionConditions based on values in previously exported CSV.

Due to AccessSessionConditions being a NoteProperty, it was easier to make this into a script. Probably not the most efficient use of PowerShell, but it does the trick. Much more functionality could be added, but it got the job done. Please feel free to improve and share.

 

Add-PSSnapin Citrix.XenApp.Commands -ErrorAction 'SilentlyContinue'

function Set-AccessControl([string]$csvPath, [string]$XenAppServer, [boolean]$AppendAccessSessionConditions){

  if(Test-Path -Path $csvPath){
     $oCSV = Import-Csv -Path $csvPath
     foreach ($app in $oCSV) {
        # Convert "TRUE / FALSE" values from the CSV to $True / $False
        $ConnectionsThroughAccessGatewayAllowed = [System.Convert]::ToBoolean($app.ConnectionsThroughAccessGatewayAllowed)
        $AccessSessionConditionsEnabled = [System.Convert]::ToBoolean($app.AccessSessionConditionsEnabled)
        $OtherConnectionsAllowed = [System.Convert]::ToBoolean($app.OtherConnectionsAllowed)

        # Sets Access Control parameters, except AccessSessionConditions
        # (the backtick continues the command on the next line)
        Set-XAApplication -ComputerName $XenAppServer `
                          -BrowserName $app.BrowserName `
                          -ConnectionsThroughAccessGatewayAllowed $ConnectionsThroughAccessGatewayAllowed `
                          -AccessSessionConditionsEnabled $AccessSessionConditionsEnabled `
                          -OtherConnectionsAllowed $OtherConnectionsAllowed

        # Reads AccessSessionConditions from the CSV: a space-delimited list, split into an array.
        # Empty entries (from double or trailing spaces) are dropped.
        $AccessSessionConditions = @(([string]$app.AccessSessionConditions).Split(" ") | Where-Object { $_ })
        if($AccessSessionConditions.Count -gt 0){
          # Sets one (the first) AccessSessionCondition, essentially wiping what was there before.
          if($AppendAccessSessionConditions -eq $False){
             Set-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName -AccessSessionConditions $AccessSessionConditions[0]
          }
          # Adds the remaining AccessSessionConditions to what is now set, skipping duplicates
          $asc = Get-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName | Select-Object AccessSessionConditions
          $merged = @($asc.AccessSessionConditions | Where-Object { $_ })
          foreach($condition in $AccessSessionConditions){
            if($merged -notcontains $condition){ $merged += $condition }
          }
          Set-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName -AccessSessionConditions $merged
        }else{
          Write-Host "AccessSessionCondition column in CSV is empty."
        }

        # Confirms settings.
        Write-Host "New Settings..."
        Get-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName |
        Select-Object BrowserName,
                      ConnectionsThroughAccessGatewayAllowed,
                      AccessSessionConditionsEnabled,
                      OtherConnectionsAllowed,
                      @{LABEL='AccessSessionConditions';EXPRESSION={$_.AccessSessionConditions -join ' '}}
     }
  }else{
     Write-Host "Cannot find $csvPath"
  }
}

Set-AccessControl -csvPath "C:\Temp\PubApps.Applied-MW.csv" -XenAppServer "lvvsx6513" -AppendAccessSessionConditions $false

 
 
The function, Set-AccessControl, takes three arguments:

-csvPath = Path to CSV file that should look like:

| BrowserName | ConnectionsThroughAccessGatewayAllowed | AccessSessionConditionsEnabled | OtherConnectionsAllowed | AccessSessionConditions |
|---|---|---|---|---|
| MS Word 2013 | TRUE | TRUE | TRUE | NS-Gateway-VIP:CTX_REC_SF_IOS_policy NS-Gateway-VIP:CTX_REC_SF_OSX_policy NS-Gateway-VIP:CTX_SF_WIN8_policy |
| MS Excel 2013 | TRUE | TRUE | TRUE | NS-Gateway-VIP:CTX_REC_SF_IOS_policy NS-Gateway-VIP:CTX_REC_SF_OSX_policy NS-Gateway-VIP:CTX_SF_WIN8_policy |
| MS Visio 2013 | FALSE | FALSE | TRUE | |
| MS Project 2013 | FALSE | FALSE | TRUE | |

Note:

It is best to export the current settings to CSV and then modify as required using the cmdlets given above.

The AccessSessionConditions do not have any spaces in them. The space between each policy is used by the script to generate an array.

-XenAppServer = A XenAppServer that a) can write to the configuration database, b) has the required XenApp65 SDK installed. For some reason the ZDC would not work in our environment.

-AppendAccessSessionConditions = $True, $False. Used to overwrite existing AccessSessionConditions ($False) or append what is in the CSV to what already exists ($True). I couldn’t find a way of “nulling” the AccessSessionCondition property. It looks like Citrix Developers force it to have a colon. The GUI can be used to null the property.
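
Because Set-AccessControl writes whatever the CSV contains, checking the file before running it catches rows that would fail or change more than intended. The following is an added example, not part of the original script: the function Test-AccessControlCsvRow, its rules (including the assumption that a condition has the form name:name with one colon, as in the examples on this page) and the sample rows are constructed for illustration.

```powershell
function Test-AccessControlCsvRow {
    param([Parameter(ValueFromPipeline = $true)] $Row)
    process {
        $problems = @()
        $flags = @{}
        # The three boolean columns must parse; [System.Convert]::ToBoolean throws otherwise.
        foreach ($col in 'ConnectionsThroughAccessGatewayAllowed',
                         'AccessSessionConditionsEnabled', 'OtherConnectionsAllowed') {
            $parsed = $false
            if ([bool]::TryParse([string]$Row.$col, [ref]$parsed)) { $flags[$col] = $parsed }
            else { $problems += "$col is not TRUE/FALSE" }
        }
        # -BrowserName accepts wildcards ("MS*"), so a wildcard row would touch many apps.
        if ([string]::IsNullOrEmpty($Row.BrowserName)) { $problems += 'BrowserName is empty' }
        elseif ($Row.BrowserName -match '[*?\[\]]') { $problems += 'BrowserName contains a wildcard' }

        # Same space-delimited split the script uses, with empty entries dropped.
        $conditions = @(([string]$Row.AccessSessionConditions).Split(' ') | Where-Object { $_ })
        foreach ($c in $conditions) {
            if ($c -notmatch '^[^:\s]+:[^:\s]+$') { $problems += "condition '$c' is not name:name" }
        }
        if ($flags['ConnectionsThroughAccessGatewayAllowed'] -and
            $flags['AccessSessionConditionsEnabled'] -and $conditions.Count -eq 0) {
            $problems += 'filter enabled but no AccessSessionConditions listed'
        }
        New-Object PSObject -Property @{
            BrowserName = $Row.BrowserName
            Valid       = ($problems.Count -eq 0)
            Problems    = ($problems -join '; ')
        } | Select-Object BrowserName, Valid, Problems
    }
}

# Constructed sample rows in the column layout shown above.
$csv = @'
BrowserName,ConnectionsThroughAccessGatewayAllowed,AccessSessionConditionsEnabled,OtherConnectionsAllowed,AccessSessionConditions
MS Word 2013,TRUE,TRUE,TRUE,NS-Gateway-VIP:CTX_REC_SF_IOS_policy NS-Gateway-VIP:CTX_SF_WIN8_policy
MS Excel 2013,TRUE,TRUE,TRUE,
MS*,YES,FALSE,TRUE,CTX_SF_WIN8_policy
'@
# For a real file, use: Import-Csv -Path $csvPath | Test-AccessControlCsvRow
$csv | ConvertFrom-Csv | Test-AccessControlCsvRow | Format-List
```

Only the first sample row comes back with Valid = True; the second has the filter enabled with no conditions, and the third has a wildcard name, a non-boolean value and a condition without a colon.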

3.3 Key

? = Where-Object
FT = Format-Table
FL = Format-List
