NetScaler Command Policies are not extremely well documented and if you don’t know how to work with regular expressions you are doomed. Citrix gives you some ideas on how Command Policies work in this Citrix eDoc Article but there is no hint on how to limit shell and scp/sftp access.

Well the solution is easy if you know how to do it but it took me some time to figure out…

First create a new Command Policy and give it a name like “WinSCP”. Choose “ALLOW” as action and add the following regular expression in the Command Spec* panel.


Second create a new local user like “WinSCP”, set a password and give him login privileges. The other options are optional. Then bind the new “WinSCP” Command Policy to that user.

You’re done 🙂 This command policy allows only access through SCP, or SFTP tools like WinSCP and all other access (GUI, shell) is blocked.