Adaptive access based on user’s network location - Preview

The Citrix Workspace platform adaptive access feature uses advanced policy infrastructure to enable access to Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) based on the user’s network location. The location is defined using the IP address range or subnet addresses.

管理员可以定义枚举或政策not enumerate virtual apps and desktops based on the user’s network location. Admins can also control the user actions that can be performed on Citrix DaaS by enabling or disabling clipboard access, printers, client drive mapping and so on, based on the user’s network locations. For example, an admin can implement the following policies for accessing the applications:

• Enumerate few sensitive applications only from corporate location or from their branch offices.
• Do not enumerate sensitive applications if the employees are accessing the workspace from an outside network.
• Disable printer access from the branch offices.
• Disable clipboard access and printer access when the users are outside the corporate network.

Prerequisites

• Citrix DaaS deployment accessing through Citrix Workspace platform.

• Sign up for adaptive access Preview using (https://podio.com/webforms/25412100/1884833).

  Note:This is only needed during Preview.

Recommendations

On your Citrix DaaS deployment;

• Identify a test delivery group or create a delivery group to implement this capability.
• Create a policy or identify a policy that can be used with a test delivery group.

Points to note

• If you select the optionLeave user management to Citrix Cloud, you cannot apply Smart Access policies (for example, adaptive access to Citrix DaaS based on the network location). This is because the delivery groups become library offerings and therefore not handled by Web Studio anymore.
• 如果你计划选择性地列举Citrix DaaS based on network location, then user management has to be performed for those delivery groups using Citrix Studio policies instead of Citrix Workspace. When creating a Delivery group, inUsers setting, either chooseRestrict use of this Delivery Group to the following usersorAllow any authenticated users to use this Delivery Group. This enables theAccess Policytab under Delivery Group to configure adaptive access.

Note:This is not needed if you plan to use adaptive access to restrict user controls like disabling clipboard access, printer redirection, client drive mapping, based on the network location.

How to configure

At a high level, you must perform the following steps.

1. Define the adaptive access policies that you want to implement based on the user locations.
2. Configure your corporate and branch office network locations from where you plan to implement adaptive access.
3. Use the network locations defined to configure adaptive access policies for virtual apps and desktops in Citrix Studio.

Define adaptive policies you like to implement

Let us take the following example:

Location	Access or user controls
Internal	Enumerate all applications
BranchOffice	Enumerate all applications
External	Do not enumerate few sensitive applications and disable clipboard printer access to all applications

Configure network locations

You can configure network locations by using the Network Locations service in Citrix Cloudhttps://citrix.cloud.com/networksites. You can create the sites and can define if the sites must be treated as internal or external sites depending on the network connectivity. You can then attach tags to the sites. Once the sites are created, each client IP address must be associated with a set of tags.

Note:

• Location tags are used to implement network location based contextual access. Location tags can be configured only if the customer/tenant has entitlement to Citrix Adaptive Authentication, else location tags remain hidden for the others.
• It is recommended that you define the network locations from which the users have more privileged access rather than defining external networks. Use the network locations to define your internal networks, your branch offices, and so on to give preferential access from these locations.
• Define tags for each network location or site. For example “BranchOffice.” These tags are used to configure the adaptive access policies in Citrix Studio. The default tags defined are LOCATION_external and LOCATION_internal.Note:In Citrix Studio, you must prefix the tag name with “LOCATION_TAG_”. For example if you have defined a network location with the tag “BranchOffice”, then while configuring the filter option on Citrix Studio policy use the name “LOCATION_TAG_BranchOffice.”

Configure adaptive access policy on Citrix Studio

Note:This is not the exhaustive configuration, but a sample how to use the tag names to configure Studio policies.

The network location tags defined in the previous step are used to configure adaptive access policies on Citrix Studio. This step is similar to configuring a SmartAccess policy with the on-premises gateway. You must replace Citrix Gateway with workspace under “FARM” and session policy with Network location tags under “Filter”.

At this step choose the Citrix Studio policy (existing or new one) and associate it with a delivery group (existing or new one). To create a delivery group, seeCreate delivery groups. To create a policy, seeCreate Policies.

Configure adaptive access policy for virtual apps and desktops enumeration

Let’s use the previous example and create a policy to enumerate sensitive applications only from the corporate network (In this case, BranchOffice) To assign the tag, LOCATION_TAG_BranchOffice, to the delivery group identified for testing adaptive access policies, perform the following.

1. Sign in to Citrix Cloud.
2. SelectMy Services > DaaS.
3. ClickManage.
4. Create delivery groups as per your requirement. For details, seeCreate delivery groups.
5. Select the delivery group that you have created and clickEdit Delivery Group.
6. ClickAccess Policy.

7. ClickAddand select the following:

   • workspace in Farm
   • LOCATION_TAG_BranchOffice in Filter

   

   Note:You can add multiple filters to the same farm. TheFarmmust be always set toworkspaceand the filter must have any of the adaptive access tags that are created based on the network location configuration.

8. For customers using adaptive access within Citrix Workspace platform, do the following to restrict access for a delivery group to internal networks only.

   • Select theConnections through NetScaler Gatewaycheck box and then select theConnections meeting any of the following filterscheck box.
   • Enter the appropriate tags for internal locations.

   Note:If you select theAll connections not through NetScaler Gateway, you can see your apps irrespective of whether you are coming from the internal or external network. It is recommended that customers using adaptive access with the Citrix Workspace platform, do not rely on theAll connections not through NetScaler Gatewayoption to restrict access for a Delivery Group to internal networks only.

Configure adaptive access policies to define end-user controls while accessing the virtual apps and desktops

Let’s use the previous example and create a policy to disable copy-paste functionality from branch offices only.

禁用用户comi复制粘贴功能ng from location, LOCATION_TAG_BranchOffice, perform the following.

1. On the Citrix DaaS configuration page, Click theManagetab.
2. Click thePoliciestab.
3. SelectCreate Policy.
4. In Select Settings, selectClient Clipboard Redirection.

5. In Edit Setting, selectProhibited, and then clickOK.

   

6. In the Users and Machines page, clickSelect user and machine objects, and then assign this policy to Access control.

7. Enter a name for the policy (or accept the default). Consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

The policy is enabled by default. You can disable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you must prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

To assign an adaptive access policy to an external location (LOCATION_external)

If you want to apply an access policy for an external location, for example to disable clipboard access for users coming from locations not configured (other than LOCATION_TAG_BranchOffice, LOCATION_internal), then you just have to assign the policy to LOCATION_external (as none of the defined network locations are hit, LOCATION_external is returned).

How to validate your policy configuration

Validate the adaptive policies to make sure that the policies are working as intended before widely implementing these policies. In the configuration example;

• For the users coming from the network location LOCATION_Internal, the apps must be enumerated for those users. Also the copy-paste functionality must be available for these users.
• For the users coming from the network location LOCATION_TAG_BranchOffice, the apps must be enumerated for those users. The copy-paste functionality must be disabled for these users.
• For the users coming from the location LOCATION_external, the apps must not be enumerated.