CITRIX - XENDESKTOP EXTERNAL PRINTING RESTRICTIONS
- Jakub. Citrix
- Sep 13, 2015
- 3 min read

Printing is naturally one of the very basic functions of computing that we always expect to work. It is not rocket science, but what if we don't want users to be able to print in certain situations, in order to prevent data being taken out of the premises easily?
This applies to remote connections, since printing on the office premises is normally always allowed.
The example I describe below is probably more relevant to a small office, but it could also work in an enterprise environment.
Suppose we have a small satellite office that connects through XenDesktop (7.5) to the office resources over an external link, either through Access Gateway or a NetScaler device.
The office doesn't have a VPN tunnel to the datacentre or the HQ office where the Citrix resources are installed.
You have no more than 20 clients in that office, be they desktop PCs or thin clients. You need the Citrix desktops to pick up the local network printer in the office that is attached to each PC or thin client.
You need the users in that office, connecting through the external link, to be able to print while in the office but not when they connect through the same link from home.
It sounds a bit complicated, but Citrix Studio policies allow us to achieve this goal.
Before you start, create an Active Directory security group with a meaningful name, for example 'Allow Citrix external Printing'.
1. First, make sure you have a policy in Studio that allows XenDesktop to pick up the local printer from the client and print. This can be part of your main policy with other settings; it is the policy that will remain in effect for internal connections through the 'Store'.
2. Create another policy that prohibits the following settings: 'Auto-create client printers', 'Client printer redirection' and 'Direct connections to print servers'.
Give that policy a higher priority than the main policy that allows printing, i.e. a lower priority number (priority 1 is the highest in Studio). Where two applied policies configure the same setting, the lower-numbered one wins, so the restrictive policy must sit above the main one or it will never take effect.
3. Assign the policy to all the 'Delivery Groups' and AD 'Organisational Units' where your XenDesktop VMs are located.
Use the 'Access Control' filter to apply the policy to connections through NetScaler Gateway. Under 'Mode' choose 'Allow'. Under 'Connection type' choose 'with NetScaler Gateway'. Specify the relevant names under 'NetScaler Gateway farm name' and 'Access Condition'. 'Access Condition' is the name of the session policy bound to the Gateway virtual server your users connect through.
This can be found on the NetScaler device under: Configuration > VPN > Policies > Session. It might be under a different menu depending on the NetScaler model and version, but you will always need to find the main session policy. Note that this filter relies on SmartAccess: the Gateway virtual server must not be configured as 'ICA Only' and the gateway must be set up in StoreFront with its callback URL, otherwise the session policy name never reaches the Delivery Controller and the filter will not match any connection.
4. Assign the policy to clients as well, using the 'Client name' filter in the 'Assigned to' section of the policy. Add all the client names used in the office, but set the mode to 'Deny' for them.
5. Finally, use the 'User or group' filter of the policy assignment and add the AD security group you created at the start, again with the mode set to 'Deny'.
That's it. Now everyone who connects to your XenDesktop virtual machines from your office clients is allowed to print, because the 'no printing' policy is denied for those clients and the main policy that allows printing applies instead.
If you want to allow someone to print externally, for example when they connect from their home client, just add them to the AD group you created and denied the 'no printing' policy to.
Remember that if more clients are added to the office later, you need to add their names to the policy assignment with 'Deny' as well.
Normally in small offices you don't add clients often.
It is not possible to achieve this with an AD security group alone unless you create two groups, one allowed and the other denied. In my opinion, if the number of clients in the office doesn't change often, the client name list is less work and easier than adding and removing users from an AD group when they leave or join the company, which can get confusing at times.
Some could also argue that it would be easier to use the IP address of the office LAN to control the policy assignment. However, there is always a chance that someone's home LAN uses the same IP addressing as your office LAN (or a savvy user can change it on their home network), and in that case the policy above will not apply. Bear in mind that the client name has the same weakness: it is the hostname the Receiver reports from the endpoint, which the user controls, so renaming a home PC to match an office client name bypasses the restriction in exactly the same way. Of the three filters, only the AD group membership is checked on the server side, so treat the client name list as a convenience that keeps casual printing out of unmanaged locations rather than as a security boundary.
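To make the behaviour of steps 1 to 5 and the caveats above concrete, here is an added model of how Studio evaluates the two policies against a session. It is example code written for this page, not Citrix code: it re-implements the documented rules (a Deny entry that matches excludes the connection, every filter type present must be matched by an Allow entry, and priority 1 is the highest), and the group, client, Delivery Group and Gateway names are all made up. It walks through the office, home, excepted-user and internal cases, then the home PC renamed to an office client name, and finally what happens if the two policy priorities are the wrong way round.

```python
# Model of the Studio policy evaluation described in the article (example
# code, not Citrix code). All names below are hypothetical.
from dataclasses import dataclass, field, replace


@dataclass
class Connection:
    user: str
    groups: frozenset           # AD security groups the user belongs to
    client_name: str            # hostname reported by the Receiver on the endpoint
    delivery_group: str
    gateway_farm: str = ""      # empty when the session did not come via Gateway
    access_condition: str = ""  # Gateway session policy name passed via SmartAccess


@dataclass
class Filter:
    kind: str                   # access_control | client_name | user_group | delivery_group
    value: object
    mode: str = "Allow"         # "Allow" or "Deny", as in the Studio 'Assigned to' list

    def matches(self, c: Connection) -> bool:
        if self.kind == "access_control":
            farm, condition = self.value
            return c.gateway_farm == farm and c.access_condition == condition
        if self.kind == "client_name":
            return c.client_name.lower() == self.value.lower()
        if self.kind == "user_group":
            return self.value in c.groups
        if self.kind == "delivery_group":
            return c.delivery_group == self.value
        raise ValueError(f"unknown filter kind {self.kind!r}")


@dataclass
class Policy:
    name: str
    priority: int               # 1 is the highest priority, as in Studio
    settings: dict              # Studio setting name -> configured value
    filters: list = field(default_factory=list)

    def applies_to(self, c: Connection) -> bool:
        """Every filter type present must match through an Allow entry (OR within
        a type); any matching Deny entry excludes the connection outright."""
        by_kind: dict = {}
        for f in self.filters:
            by_kind.setdefault(f.kind, []).append(f)
        if not by_kind:
            return False        # model assumption: an unassigned policy applies to nothing
        for entries in by_kind.values():
            if any(f.mode == "Deny" and f.matches(c) for f in entries):
                return False
            allows = [f for f in entries if f.mode == "Allow"]
            if allows and not any(f.matches(c) for f in allows):
                return False
        return True


def effective_setting(policies, c: Connection, setting: str, default="Allowed"):
    """The lowest-numbered (highest-priority) applying policy that configures
    the setting wins; the default is used if none of them does."""
    for p in sorted(policies, key=lambda p: p.priority):
        if setting in p.settings and p.applies_to(c):
            return p.settings[setting]
    return default


GATEWAY = ("NSGW-Farm", "PL_OS_10.0.0.1")   # (Gateway farm name, session policy name)
OFFICE_CLIENTS = ["OFF-PC01", "OFF-PC02", "OFF-TC03"]
EXT_PRINT_GROUP = "Allow Citrix external Printing"
DG = "Office Desktops"

MAIN_POLICY = Policy("Main policy", priority=2,
    settings={"Client printer redirection": "Allowed",
              "Auto-create client printers": "Auto-create all client printers",
              "Direct connections to print servers": "Enabled"},
    filters=[Filter("delivery_group", DG)])

NO_EXTERNAL_PRINTING = Policy("No external printing", priority=1,
    settings={"Client printer redirection": "Prohibited",
              "Auto-create client printers": "Do not auto-create client printers",
              "Direct connections to print servers": "Disabled"},
    filters=[Filter("delivery_group", DG), Filter("access_control", GATEWAY)]   # step 3
            + [Filter("client_name", n, "Deny") for n in OFFICE_CLIENTS]        # step 4
            + [Filter("user_group", EXT_PRINT_GROUP, "Deny")])                  # step 5

POLICIES = [MAIN_POLICY, NO_EXTERNAL_PRINTING]


def can_print(c: Connection, policies=POLICIES) -> bool:
    return effective_setting(policies, c, "Client printer redirection") == "Allowed"


def scenarios() -> dict:
    """The cases from the article, the client-name spoof, and swapped priorities."""
    office = Connection("alice", frozenset(), "OFF-PC01", DG, *GATEWAY)
    home = Connection("alice", frozenset(), "ALICE-LAPTOP", DG, *GATEWAY)
    excepted = Connection("bob", frozenset({EXT_PRINT_GROUP}), "BOB-LAPTOP", DG, *GATEWAY)
    internal = Connection("alice", frozenset(), "OFF-PC01", DG)            # via the Store
    spoofed = Connection("mallory", frozenset(), "off-pc01", DG, *GATEWAY)  # home PC renamed
    swapped = [replace(MAIN_POLICY, priority=1), replace(NO_EXTERNAL_PRINTING, priority=2)]
    return {
        "office_client_via_gateway": can_print(office),
        "home_client_via_gateway": can_print(home),
        "home_client_in_exception_group": can_print(excepted),
        "office_client_internal": can_print(internal),
        "home_client_renamed_to_office_name": can_print(spoofed),
        "home_client_if_priorities_swapped": can_print(home, swapped),
    }
```

Calling `scenarios()` returns True (printing allowed) for the office client, the excepted user and the internal connection, False for the ordinary home client, and True again for the renamed home PC and for the swapped-priority case, which is the outcome to watch for: a restrictive policy numbered below the main one is silently ignored.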
I hope this is helpful, and thank you for reading. If you have any comments, please contact us through here.