Working with XenDesktop 7.x printing policies for external sessions

This post is specifically looking at printer policies to block external users from enabling printers. There is a lack of documentation and a bit of confusion when looking at the policies in XenDesktop.

Let's say you have a simple deployment with internal and external users.

 



[Figure: Citrix StoreFront Deployment]

Let’s focus on printing for now. You want to allow internal users to map printers and prevent external users from mapping home printers. This would be a DLP strategy to keep data from leaving the session from a remote location. Looking at the policies, you would think that just allowing internal and denying external would work.

[Screenshot: assign ctx policy 2 - incorrect]

Wrong. Printing is actually enabled by default without a policy in place. I could not find this documented anywhere! That should be the first disclaimer on http://support.citrix.com/proddocs/topic/xendesktop-7/ps-console-policies-rules-printer-clients-v2.html.

It took working with support for weeks to find the proper configuration to block printing from external clients. I even worked with the NetScaler teams, thinking the policy had to be tied to the SmartHost name.

The correct configuration is almost a double negative. Set “Client printer redirection – Prohibit” and “Auto-create client printers – Do not create client printers”.

[Screenshot: define ctx policy]

Set the access control filter to “Allow with Netscaler”, using an asterisk as the farm name and access condition (if you have just one NetScaler). This makes the “deny printers” policy apply to anyone who connects through the NetScaler. If you want to target a specific NetScaler, use the SmartHost name for the Farm Name.

[Screenshot: assign ctx policy 3]

Also apply a second filter to the Delivery Group with “Allow”.

[Screenshot: assign ctx policy 4]

The final configuration should look like this:

[Screenshot: assign ctx policy 5]

This will block external users from using home printers to print data from a Citrix session. Users will also need to authenticate against the NetScaler when logging on from an external network. This is best practice, but you do have the option to authenticate directly against StoreFront (not recommended).
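A simplified model of the behaviour described above, added here as an illustration; it is not Citrix's policy engine and not code from this post. The filter semantics (a policy applies when an Allow filter matches and no Deny filter does), the session fields and the "intuitive" policy are assumptions, and the Delivery Group filter is left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Per the post: with no policy applied, client printing is enabled.
DEFAULTS = {"Client printer redirection": "Allowed"}

@dataclass
class Session:                 # constructed stand-in for a user connection
    via_gateway: bool          # True = came in through the NetScaler
    farm: str = ""
    condition: str = ""

@dataclass
class AccessFilter:            # simplified access control filter (assumed semantics)
    mode: str                  # "Allow" or "Deny"
    via_gateway: bool
    farm: str = "*"
    condition: str = "*"

    def matches(self, s: Session) -> bool:
        if s.via_gateway != self.via_gateway:
            return False
        if not s.via_gateway:
            return True        # farm/condition only matter for gateway sessions
        return fnmatch(s.farm, self.farm) and fnmatch(s.condition, self.condition)

@dataclass
class Policy:
    settings: dict
    filters: list

    def applies(self, s: Session) -> bool:
        hits = [f.mode for f in self.filters if f.matches(s)]
        return "Allow" in hits and "Deny" not in hits

def effective(policies, s, setting="Client printer redirection"):
    """First applicable policy (highest priority first) wins, else the default."""
    for p in policies:
        if p.applies(s) and setting in p.settings:
            return p.settings[setting]
    return DEFAULTS.get(setting)

INTERNAL = Session(via_gateway=False)
EXTERNAL = Session(via_gateway=True, farm="gw-farm", condition="any")  # constructed

# Intuitive but ineffective: an "allow printing" policy that is denied externally.
intuitive = [Policy({"Client printer redirection": "Allowed"},
                    [AccessFilter("Allow", False), AccessFilter("Deny", True)])]
# The post's fix: a prohibiting policy that applies to every gateway connection.
fixed = [Policy({"Client printer redirection": "Prohibited",
                 "Auto-create client printers": "Do not create client printers"},
                [AccessFilter("Allow", True, "*", "*")])]
```

In this model `effective(intuitive, EXTERNAL)` still comes back as allowed, because denying the policy to external sessions only leaves them on the default, while `effective(fixed, EXTERNAL)` is prohibited and internal sessions keep printing.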

 

 
