Prioritize, model, compare, and troubleshoot policies

You can use policies to customize your environment to meet the needs of users based on the following:

• Job functions
• Geographic locations
• Connection types

For example, for improved security, place restrictions on user groups who regularly interact with sensitive data.

You can also create a policy that prevents users from saving sensitive files on their local client drives. You can create another policy for users in the user group who needs to access to their local drives. You then rank the two policies to control which one takes precedence. When using many policies, you must determine:

• How to prioritize the policies
• How to create exceptions
• How to view the effective policy when policies conflict

Prioritize policies

Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The identification of all policies that match the assignments for the connection happens when a user signs on to the system. The identified policies and their associated settings are sorted into priority order. Each setting is applied according to the priority ranking of the policy.

You can prioritize policies by giving them different priority numbers in theWeb Studio. By default, a new policy gets the lowest priority. If there are conflicts among settings of policies, a policy with a higher priority overrides a policy with a lower priority. A policy with the priority number of 1 is the highest priority policy. Policy settings are merged according to the following:

• Priorities of the policies
• Conditions specified in the filters of the policies

To prioritize policies, follow these steps:

1. SelectPoliciesin the left pane.
2. On thePoliciestab, selectChange Policy Prioritiesin the action bar. TheChange Policy Priorities页面出现。

3. In the priority list, use the following ways to change the priority for a policy:

   • Drag the policy to a desired position.
   • To move it up or down by one position, click the Up or Down arrow icon respectively.
   • To move it to the top or bottom of the list, click the Top or Bottom arrow icon respectively.
   • To change the priority number, click theEditicon, enter a number as needed, and then clickSave.
4. ClickSave.

Exceptions

When you create policies and use filters to assign them to groups of users, user devices, or machines, you might find that some members of the group need exceptions to some policy settings. You can create exceptions by:

• Creating a policy only for specific group members who need exceptions and then ranking that policy higher than the policy for the entire group
• Using theDenymode for an assignment added to the policy

An assignment with the mode set toDenyapplies a policy only to connections that don’t match the assignment criteria. For example, a policy includes the following assignments:

• Assignment Ais a client IP address assignment that specifies the range208.77.88.*. The mode is set toAllow.
• Assignment Bis a user assignment that specifies a particular user account. The mode is set toDeny.

The policy applies to all users who signs n to the site with IP addresses in the range that is specified inAssignment A. However, the policy doesn’t apply to the user who signs on to the site with the user account specified inAssignment B.

Note:

During theAssign Policystep, if you deselect the enable check box, assignment is disabled for the policy. If the only assignment for the policy is disabled, it is the same as not having any assignment, and, therefore, the policy applies to all objects in the site.

Determine which policies apply to a connection

Sometimes a connection does not respond as expected because multiple policies apply. If a higher priority policy applies to a connection, it can override the settings you configure in the original policy. You can calculate theResultant Set of Policyand determine how the final policy settings are merged for a connection.

You can calculate theResultant Set of Policyin the following ways:

• Use theCitrix Group Policy Modeling Wizardto simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as:
  • Users
  • Citrix policy assignment evidence values
• UseGroup Policy Resultsto create a report describing the Citrix policies in effect for a given user and Virtual Delivery Agent (VDA).

Site policy settings created usingWeb Studioaren’t included in theResultant Set of Policywhen you run theCitrix Group Policy Modelingwizard from theGroup Policy Managementconsole. To verify that you obtain the most comprehensiveResultant Set of Policy, Citrix recommends starting theCitrix Group Policy Modelingwizard from theWeb Studio, unless you create policies using only theGroup Policy Managementconsole.

Use the policy modeling wizard

Policy modeling helps you simulate enabled policies with filters for planning and testing purposes. Only enabled policies with filters are modeled. Disabled policies are never applied and enabled policies without filters are always applied.

Perform the following steps to open thePolicy Modelingwizard:

1. In Full Configuration, selectPolicies.
2. Select theModelingtab.
3. SelectPolicy Modelingin the action bar.
4. Read theIntroductionpage and clickNext.
5. Select users or computers. You can browse for containers or specific users or computers. ClickNext.
6. Choose your filter evidence. You can optionally get more granular with your simulation by entering additional details, such asDelivery group,Tags,Client IP address, and so on. ClickNext.
7. Review the summary of your selections and clickRun.

After you clickRun, the wizard generates a report of the modeling results. While viewing this report, you can:

• Select if you would like to viewAll settings,Computer settings, orUser settingsin the drop-down menu.
• Use the search bar to look for specific settings.
• Click a specific setting to view details of that setting. For example, if all user settings were not applied for a specific policy, theDetailspane shows you the reason why the settings were not applied.
• ClickExportto export the modeling results in JSON format, HTML format, or both.

运行策略建模后,更多的选择available to you. You can:

• 可变利益实体w Modeling Report: This opens the same modeling report from above so you can view it again or export it.
• Rerun Policy Modeling: This allows you to rerun policy modeling with the same set of criteria selected previously and generate new modeling results. This is useful if some policies have changed and you would like to see how those changes affect your current model.
• Delete Modeling Report: This deletes the current modeling report.

Compare policies and templates

You can compare the settings in a policy or template with the settings of the other policies or templates. For example, you might want to verify setting values to maintain compliance with best practices. You might also want to compare settings in a policy or template with the default settings.

1. SelectPoliciesin theWeb Studionavigation pane.
2. Click theComparisontab and then clickSelect.
3. Choose the policies or templates to compare. To include default values in the comparison, select theCompare to default settingscheck box.
4. After you clickCompare, the configured settings are displayed in columns.
5. To see all settings, selectShow All Settings. To return to the default view, selectShow Common Settings.

Troubleshoot policies

Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected. When you run theCitrix Group Policy Modelingwizard, you might discover that no policies apply to user connections. In such a scenario, policy settings doesn’t apply to the users who connect to their applications and desktops under conditions that match the evaluation criteria of the policy. This situation happens when:

• No policies have assignments that match the evaluation criteria of the policy.
• Policies that match the assignment don’t have any settings configured.
• Policies that match the assignment are disabled.

If you want to apply policy settings to the connections that meet the specified criteria, make sure:

• The policies you want to apply to those connections are enabled.
• The policies you want to apply have the appropriate settings configured.

Note:

第二跳双跳转场景,信用卡诈骗罪r that a single-session OS VDA connects to multi-session OS VDA. In this case, Citrix policies act on the single-session OS VDA as if it were the user device. For example, consider policies are set to cache images on the user device. In this example, the images cached for the second hop in a double-hop scenario are cached on the single-session OS VDA machine.

Director

Non-administrators can use the Director to view policies that applies to a user session.