Limit users to XD/XA resources in Web Interface 5.4

Let’s take a look at how we can limit access to multiple Farms via Citrix Web Interface 5.4

In the example below… I will be configuring a Web Interface Services Site (PNAgent) in preparation to allow mobile users access to XenApp/XenDesktop via mobile devices such as the iPad, iPhone and Android (yuck). For details on how to configure a Service Site go to the following link.

As you probably know, there are several ways of limiting access via the NetScaler AGEE, however the new CAG Standard edition (5.0.x) has a limitation when utilizing basic logon points.


  • Create your AD groups such as CitrixXenAppUsers and CitrixXenDeskUsers
  • Create a new Web Interface Service Site (PNAgent) such as PrivateCloudPNA
  • Configure your new site with access to your Farms, in this case XenApp6.5 and a XenDesktop 5.6
  • Configure your site to utilize your CAG, with Gateway access
  • Configure your Access Gateway basic logon point to forward to your new site “PrivateCloudPNA
  • Ensure you can launch published Apps and Desktops
  • Edit your WI site by opening the WebInterface.conf file located under C:\inetpub\wwwroot\Citrix\NameOfYourSite\conf\
  • Search for Farm1Groups and remove the “#”
  • Set Farm1Groups=nameofyourdomain\CitrixXenAppUsers
  • Since we have a XenDesktop farm in this example, we also need to set access to it by entering¬†Farm2Groups=nameofyourdomain\CitrixXenDeskUsers
Now lets get fancy… go to the Citrix Mobile Receiver URL Generator and create a link that you can email the mobile users. ¬†This will automatically configure the Citrix Receiver (after installing it of course) to your newly created site.