XenApp PowerShell SDK & NetScaler Smart Access Filters

Configuring Published Resources for access from NetScaler Gateway: Using PowerShell.

1.0                XenApp 6.5 PowerShell SDK

First things first: you need to have the SDK installed. It can be downloaded from here. In theory, it can be installed on any machine that can access your Citrix farm; however, if you run the cmdlets from a machine that doesn't have XenApp installed, you'll need to specify -ComputerName, giving the name of a server with XenApp installed, such as a ZDC.

Although fine for reading (Get-XA…), I was getting a cryptic error when running cmdlets from non-XenApp servers and the ZDCs:

Set-XAAdministrator : Error writing administrator DomainADGroupName (0x8000003C)

Basically, this means that it can’t access the configuration log database to update the changes, so although a given property will show as changed in your PowerShell console, the change will not be reflected in the Farm. For me, I was able to get the Set-XA… cmdlets to work from our XenApp servers.

2.0                Smart Filters – XenApp Access Control

Figure 1 – Access Control Dialogue: Correlation between PS cmdlets and GUI.

3.0                PowerShell Cmdlets
3.1                   “Get” Cmdlets
3.1.1              List all properties of cmdlet

[PS] C:\> Get-XAApplication | Get-Member -MemberType Property

3.1.2              List all published resources starting with a given name

[PS] C:\> Get-XAApplication -BrowserName "MS*"

BrowserName maps to “Application Name” in the GUI. This should be unique for every published resource.

3.1.3              List all properties related to the Access Control dialogue

[PS] C:\> Get-XAApplication | FL ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed

3.1.4              Export all Access Control properties to CSV

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Select BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed | Export-Csv C:\Temp\PubApps-MW.csv -NoTypeInformation

AccessSessionConditions is an array, so it needs to be expanded before it can be exported (see http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/15/see-why-powershell-can-t-export-some-properties-to-csv.aspx):

[PS] C:\> $apps = Get-XAApplication -BrowserName "MS*" | Select-Object BrowserName, AccessSessionConditions, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, OtherConnectionsAllowed
[PS] C:\> $apps | select BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, OtherConnectionsAllowed, @{LABEL='AccessSessionConditions';EXPRESSION={$_.AccessSessionConditions -join ' '}} | Export-CSV C:\Temp\PubApps-MW.csv

Creates PubApps-MW.csv in C:\Temp, with AccessSessionConditions expanded into a space-separated list.

3.1.5              Export all Access Control properties to XML

As there can be a 1:N relationship between the other properties and AccessSessionConditions, it may be better to export as an XML:

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Select-Object BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed | Export-Clixml C:\Temp\Pub-Apps.xml

The result is a rather messy looking XML file.

3.1.6              Filter resources, accessible through Access (NetScaler) Gateway

[PS] C:\> Get-XAApplication | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $true} | ft BrowserName,FolderPath

Returns BrowserName & FolderPath (the folder location in the AppCenter console, not the path to the published app's executable).

3.1.7              Filter resource, not accessible through Access Gateway but accessible internally

[PS] C:\> Get-XAApplication | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $False -AND $_.OtherConnectionsAllowed -eq $True} | FT BrowserName,FolderPath -AutoSize

Returns BrowserName & FolderPath.

3.1.8              Lists Published Resources with a Session Policy

[PS] C:\> Get-XAApplication | ?{$_.AccessSessionConditions -ne $null} | ft BrowserName, FolderPath -AutoSize

Returns BrowserName & FolderPath.
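
The three filters above can be combined into one audit pass that labels how each published resource is exposed. This is an added example, not part of the original post: Get-GatewayExposure, New-SampleApp and the exposure labels are hypothetical names, and $sample is constructed data so the function runs without the Citrix snap-in.

```powershell
# Added example. On a farm, pipe Get-XAApplication into Get-GatewayExposure
# instead of the constructed $sample objects below.
function Get-GatewayExposure {
    param([Parameter(ValueFromPipeline = $true)] $App)
    process {
        # Drop empty entries so an empty or missing list counts as zero conditions.
        $conditions = @($App.AccessSessionConditions | Where-Object { $_ })
        if (-not $App.ConnectionsThroughAccessGatewayAllowed) {
            if ($App.OtherConnectionsAllowed) { $exposure = 'InternalOnly' } else { $exposure = 'NoAccess' }
        }
        elseif (-not $App.AccessSessionConditionsEnabled) {
            $exposure = 'GatewayAnyConnection'   # no Smart Access filter applies
        }
        elseif ($conditions.Count -eq 0) {
            $exposure = 'GatewayFilterEmpty'     # filtering on, nothing listed: review
        }
        else {
            $exposure = 'GatewayFiltered'
        }
        New-Object PSObject -Property @{
            BrowserName = $App.BrowserName
            Exposure    = $exposure
            Conditions  = $conditions -join ' '
        } | Select-Object BrowserName, Exposure, Conditions
    }
}

# Builds one constructed object with the same property names as Get-XAApplication output.
function New-SampleApp($Name, $Gateway, $Filtered, $Conditions, $Other) {
    New-Object PSObject -Property @{
        BrowserName                            = $Name
        ConnectionsThroughAccessGatewayAllowed = $Gateway
        AccessSessionConditionsEnabled         = $Filtered
        AccessSessionConditions                = $Conditions
        OtherConnectionsAllowed                = $Other
    }
}
$sample = @(
    New-SampleApp 'MS Word 2013'    $true  $true  @('NS-Gateway-VIP:CTX_REC_SF_IOS_policy') $true
    New-SampleApp 'MS Excel 2013'   $true  $false @() $true
    New-SampleApp 'MS Visio 2013'   $true  $true  @() $true
    New-SampleApp 'MS Project 2013' $false $false @() $true
)

# Report resources published through the gateway without a filter that can match.
$sample | Get-GatewayExposure |
    Where-Object { $_.Exposure -like 'Gateway*' -and $_.Exposure -ne 'GatewayFiltered' } |
    Format-Table -AutoSize
```

With the constructed data, the report lists MS Excel 2013 (GatewayAnyConnection) and MS Visio 2013 (GatewayFilterEmpty).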

3.2                   Set Cmdlets

The basis of set is “Set-XAApplication”. In the main, the output of Get-XAApplication can be piped into the input of Set-XAApplication.

3.2.1              Deny remote access to all applications beginning “MS”

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $False

Tip: If you are checking the results in Citrix AppCenter GUI, don’t forget to refresh first.

3.2.2              Allow remote access to all applications beginning “MS” for “Any Connection”

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $True -AccessSessionConditionsEnabled $False

3.2.3              Allow remote access to all applications beginning “MS” for a particular AccessSessionCondition:

[PS] C:\> Get-XAApplication -BrowserName "MS*" | Set-XAApplication -ConnectionsThroughAccessGatewayAllowed $True -AccessSessionConditionsEnabled $True -AccessSessionConditions NS-Gateway-VIP:CTX_REC_SF_PLAYBOOK_policy

Note: This will overwrite any existing entries for AccessSessionConditions.

3.2.4              Allow remote access to all applications beginning “MS” with several access conditions (appending)
Set up a variable ($asc):

[PS] C:\> $asc = Get-XAApplication -BrowserName "MS*" | Select-Object AccessSessionConditions

Add a new condition to the object "AccessSessionConditions":

[PS] C:\> $asc.AccessSessionConditions += "NS-Gateway-VIP:CTX_REC_SF_IOS_policy"

Repeat for each additional session condition.

Check $asc contains existing and new Session Conditions:

[PS] C:\> $asc
{NS-Gateway-VIP:CTX_REC_SF_PLAYBOOK_policy, NS-Gateway-VIP:CTX_REC_SF_IOS_policy, NS-Gateway-VIP:CTX_REC_SF_OSX_policy , NS-Gateway-VIP:CTX_SF_WIN8_policy}

Set the Access Session Conditions:

[PS] C:\> Set-XAApplication -BrowserName "MS*" -AccessSessionConditions $asc.AccessSessionConditions

3.2.5              Set AccessSessionConditions for the first 3 applications beginning “MS”

Sorted in alphabetical order, where ConnectionsThroughAccessGatewayAllowed = True

[PS] C:\> Get-XAApplication -BrowserName "MS*" | ?{$_.ConnectionsThroughAccessGatewayAllowed -eq $true} | Sort-Object BrowserName | Select-Object BrowserName,FolderPath -First 3 | Set-XAApplication -AccessSessionConditions $asc.AccessSessionConditions

3.2.6              Clear AccessSessionConditions for all applications beginning MS
There appears to be no way to clear AccessSessionConditions. However, setting -AccessSessionConditionsEnabled to $false will have the desired effect. I was only able to remove the AccessSessionConditions from the GUI or by overwriting with another value.

3.2.7              Set AccessSessionConditions based on values in previously exported CSV

Due to AccessSessionConditions being a NoteProperty, it was easier to make this into a script. Probably not the most efficient use of PowerShell, but it does the trick. Much more functionality could be added, but it got the job done. Please feel free to improve and share.


Add-PSSnapin Citrix.XenApp.Commands -ErrorAction 'SilentlyContinue'

function Set-AccessControl([string]$csvPath,[string]$XenAppServer,[boolean]$AppendAccessSessionConditions){

  if(Test-Path -Path $csvPath){
     $oCSV = $Null
     $oCSV = Import-Csv -Path $csvPath
     foreach ($app in $oCSV) {
        # Convert "TRUE / FALSE" value from CSV to $True / $False
        $ConnectionsThroughAccessGatewayAllowed = $app.ConnectionsThroughAccessGatewayAllowed
        $ConnectionsThroughAccessGatewayAllowed = [System.Convert]::ToBoolean($ConnectionsThroughAccessGatewayAllowed)
        $AccessSessionConditionsEnabled = $app.AccessSessionConditionsEnabled
        $AccessSessionConditionsEnabled = [System.Convert]::ToBoolean($AccessSessionConditionsEnabled)
        $OtherConnectionsAllowed = $app.OtherConnectionsAllowed
        $OtherConnectionsAllowed = [System.Convert]::ToBoolean($OtherConnectionsAllowed)

        # Sets Access Control parameters, except AccessSessionConditions
        Set-XAApplication  -ComputerName $XenAppServer `
                           -BrowserName $app.BrowserName `
                           -ConnectionsThroughAccessGatewayAllowed $ConnectionsThroughAccessGatewayAllowed `
                           -AccessSessionConditionsEnabled $AccessSessionConditionsEnabled `
                           -OtherConnectionsAllowed $OtherConnectionsAllowed

        # Sets AccessSessionConditions
        # Reads AccessSessionConditions from the CSV: a list delimited by a space, split into a usable array.
        $AccessSessionConditions = $app.AccessSessionConditions.Split(" ")
        if($AccessSessionConditions -ne $null){
           # Sets one (the first) AccessSessionCondition, essentially wiping what was there before.
           if($AppendAccessSessionConditions -eq $False){
              Set-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName -AccessSessionConditions $AccessSessionConditions[0]
           }
           # Sets the remaining AccessSessionConditions
           $asc = Get-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName | Select-Object AccessSessionConditions
           foreach($condition in $AccessSessionConditions){
              $asc.AccessSessionConditions += $condition
           }
           Set-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName -AccessSessionConditions $asc.AccessSessionConditions
        }
        else{
           Write-Host "AccessSessionCondition column in CSV is empty."
        }

        # Confirms settings.
        Write-Host "New Settings..."
        Get-XAApplication -ComputerName $XenAppServer -BrowserName $app.BrowserName |
           Select-Object BrowserName, ConnectionsThroughAccessGatewayAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, OtherConnectionsAllowed
     }
  }
  else{
     Write-Host "Cannot find $csvPath"
  }
}

Set-AccessControl -csvPath "C:\Temp\PubApps.Applied-MW.csv" -XenAppServer "lvvsx6513" -AppendAccessSessionConditions $false

The function, Set-AccessControl, takes three arguments:

-csvPath = Path to CSV file that should look like:

MS Word 2013
MS Excel 2013
MS Visio 2013
MS Project 2013


It is best to export the current settings to CSV and then modify as required using the cmdlets given above.

The AccessSessionConditions do not have any spaces in them. The space between each policy is used by the script to generate an array.

-XenAppServer = A XenAppServer that a) can write to the configuration database, b) has the required XenApp65 SDK installed. For some reason the ZDC would not work in our environment.

-AppendAccessSessionConditions = $True, $False. Used to overwrite existing AccessSessionConditions ($False) or append what is in the CSV to what already exists ($True). I couldn't find a way of "nulling" the AccessSessionCondition property. It looks like Citrix Developers force it to have a colon. The GUI can be used to null the property.
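
Because the script writes whatever the CSV contains straight into the farm, it helps to check the file before running it. The following pre-flight check is an added example, not part of the original script: Test-AccessControlRow is a hypothetical name, $csvText is constructed sample data using the column layout exported in 3.1.4, and the name:policy pattern is an assumption based on the conditions shown on this page.

```powershell
# Added example. Validates each CSV row before it is handed to Set-AccessControl.
# To check a real file, replace "$csvText | ConvertFrom-Csv" with "Import-Csv -Path <file>".
$csvText = @'
BrowserName,ConnectionsThroughAccessGatewayAllowed,AccessSessionConditionsEnabled,OtherConnectionsAllowed,AccessSessionConditions
MS Word 2013,TRUE,TRUE,TRUE,NS-Gateway-VIP:CTX_REC_SF_IOS_policy NS-Gateway-VIP:CTX_REC_SF_OSX_policy
MS Excel 2013,TRUE,FALSE,TRUE,
MS Visio 2013,yes,TRUE,TRUE,NS-Gateway-VIP CTX_REC_SF_IOS_policy
'@

function Test-AccessControlRow {
    param([Parameter(ValueFromPipeline = $true)] $Row)
    process {
        $problems = @()
        $parsed   = $false
        foreach ($col in 'ConnectionsThroughAccessGatewayAllowed',
                         'AccessSessionConditionsEnabled',
                         'OtherConnectionsAllowed') {
            # [System.Convert]::ToBoolean throws on anything but true/false, so test first.
            if (-not [bool]::TryParse($Row.$col, [ref]$parsed)) {
                $problems += "$col is not TRUE/FALSE"
            }
        }
        # The script splits on a single space, so every token must be a whole condition.
        $conditions = @("$($Row.AccessSessionConditions)".Split(' ') | Where-Object { $_ })
        foreach ($c in $conditions) {
            if ($c -notmatch '^[^:\s]+:[^:\s]+$') {
                $problems += "condition '$c' is not in name:policy form"
            }
        }
        if ($Row.AccessSessionConditionsEnabled -eq 'TRUE' -and $conditions.Count -eq 0) {
            $problems += 'conditions enabled but none listed'
        }
        New-Object PSObject -Property @{
            BrowserName = $Row.BrowserName
            Problems    = $problems -join '; '
        } | Select-Object BrowserName, Problems
    }
}

# Only rows with at least one problem are reported.
$csvText | ConvertFrom-Csv | Test-AccessControlRow |
    Where-Object { $_.Problems } | Format-List
```

With the constructed data only MS Visio 2013 is reported: its first boolean column is "yes", and a space where the colon should be has turned one condition into two invalid tokens.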

 3.3                   Key

? = Where-Object
FT = Format-Table
FL = Format-List
