I recently enabled VPN in Access Gateway Enterprise as another way to get into my corporate environment, since a handful of engineers and I support the environment. We already had the Citrix Receiver set up and working through Access Gateway. After enabling VPN, I began testing the different methods of access (before rolling out to others), and I started getting errors and wasn’t able to log on using the Citrix Receiver. In this blog post I am going to go over Access Gateway Enterprise with AAA Groups and the Citrix Receiver.

In Access Gateway I have two session policies bound to the Access Gateway Virtual Server. One session policy is for the Citrix Receiver and the other session policy is for Web Interface ICA/HDX access only. There were no issues connecting to the environment using the Citrix Receiver or Web Interface ICA/HDX access only. I recently enabled the option to use VPN or Web Interface ICA/HDX access with Client Choices by using AAA Groups with a session policy in Access Gateway for testing. VPN and Web Interface ICA/HDX access worked fine, but I could not log on using the Citrix Receiver. I tested the Citrix Receiver from the iPad and Android mobile devices. See the screenshots below for the different errors on each device.

Citrix Receiver error on the iPad.

Citrix Receiver error on Android.

After reviewing my configuration, a session policy conflict was found between the Citrix Receiver session policy bound to the Access Gateway Virtual Server and a session policy bound to an AAA Group. The session policies both had the same priority of 0. See the screenshots below for the Access Gateway Virtual Server and AAA Group session policy configurations.

Access Gateway Virtual Server session policies.

Access Gateway AAA Group session policy.

After some configuration changes and testing, there are two ways to fix the issue. One option is to make the AAA Group session policy a lower priority by giving it a higher priority number than the Access Gateway Virtual Server Citrix Receiver session policy. The other option is to configure the AAA Group session policy with a policy expression of REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver, so that the policy no longer applies to requests coming from the Citrix Receiver. See the screenshots below for the AAA Group session policy configuration options.

AAA Group lower priority session policy

AAA Group policy expression session policy

By using either of the options above for the AAA Group session policy, you should now be able to connect using the Citrix Receiver without any errors. I wish Access Gateway had a resultant set of policy tool like XenApp and XenDesktop have.
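The conflict and both fixes can be reproduced with a small resultant-policy model. This is an added example, not code from the original post or any Citrix tool. The policy names, the web policy's priority of 20, the catch-all rule on the original AAA Group policy, the sample User-Agent values, and the tie-break rule (on equal priority the AAA Group binding wins over the virtual server binding) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# ASSUMPTION of this model: lowest priority number wins; on a tie the more
# specific bind point wins (AAA group before virtual server).
BIND_RANK = {"group": 0, "vserver": 1}

@dataclass
class Binding:
    policy: str                      # hypothetical policy name
    bind_point: str                  # "group" or "vserver"
    priority: int                    # lower number = higher priority
    rule: Callable[[str], bool]      # evaluated against the User-Agent header

def is_receiver(ua: str) -> bool:    # assumed rule of the Receiver policy
    return "CitrixReceiver" in ua

def not_receiver(ua: str) -> bool:   # REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
    return "CitrixReceiver" not in ua

def always(ua: str) -> bool:         # catch-all rule (assumed original group rule)
    return True

def build(group_priority: int, group_rule: Callable[[str], bool]) -> List[Binding]:
    """Constructed bindings: two on the virtual server, one on the AAA group."""
    return [
        Binding("receiver_pol", "vserver", 0, is_receiver),
        Binding("web_ica_pol", "vserver", 20, always),
        Binding("vpn_choice_pol", "group", group_priority, group_rule),
    ]

def resultant_policy(bindings: List[Binding], user_agent: str) -> Optional[str]:
    """Return the name of the session policy that takes effect for this request."""
    hits = [b for b in bindings if b.rule(user_agent)]
    if not hits:
        return None
    return min(hits, key=lambda b: (b.priority, BIND_RANK[b.bind_point])).policy

RECEIVER_UA = "CitrixReceiver-iPad"   # constructed sample header values
BROWSER_UA = "Mozilla/5.0"

if __name__ == "__main__":
    for label, cfg in [("conflict", build(0, always)),
                       ("fix 1: lower group priority", build(10, always)),
                       ("fix 2: NOTCONTAINS expression", build(0, not_receiver))]:
        print(label, "| Receiver ->", resultant_policy(cfg, RECEIVER_UA),
              "| browser ->", resultant_policy(cfg, BROWSER_UA))
```

In the conflict case the Receiver request resolves to the AAA Group policy instead of the Receiver policy; with either fix it resolves to the Receiver policy while browser requests still get the AAA Group policy.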

If you have found this article interesting or if you have any other insights, please feel free to contact me via email.