Citrix DaaS

Adaptive access based on user’s network location - Preview

The Citrix Workspace platform adaptive access feature uses advanced policy infrastructure to enable access to Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) based on the user’s network location. The location is defined using the IP address range or subnet addresses.

Admins can define policies to either enumerate or not enumerate virtual apps and desktops based on the user’s network location. Admins can also control the user actions that can be performed on Citrix DaaS by enabling or disabling clipboard access, printers, client drive mapping and so on, based on the user’s network locations. For example, an admin can implement the following policies for accessing the applications:

  • Enumerate few sensitive applications only from corporate location or from their branch offices.
  • Do not enumerate sensitive applications if the employees are accessing the workspace from an outside network.
  • Disable printer access from the branch offices.
  • Disable clipboard access and printer access when the users are outside the corporate network.

Prerequisites

Recommendations

On your Citrix DaaS deployment;

  • Identify a test delivery group or create a delivery group to implement this capability.
  • Create a policy or identify a policy that can be used with a test delivery group.

Points to note

  • If you select the option Leave user management to Citrix Cloud, you cannot apply Smart Access policies (for example, adaptive access to Citrix DaaS based on the network location). This is because the delivery groups become library offerings and therefore not handled by Web Studio anymore.
  • If you plan to selectively enumerate Citrix DaaS based on network location, then user management has to be performed for those delivery groups using Citrix Studio policies instead of workspace. When creating a Delivery group, in Users setting, either choose Restrict use of this Delivery Group to the following users or Allow any authenticated users to use this Delivery Group. This enables the Access Policy tab under Delivery Group to configure adaptive access.

Note: This is not needed if you plan to use adaptive access to restrict user controls like disabling clipboard access, printer redirection, client drive mapping, based on the network location.

Create delivery group

How to configure

At a high level, you must perform the following steps.

  1. Define the adaptive access policies that you want to implement based on the user locations.
  2. Configure your corporate and branch office network locations from where you plan to implement adaptive access.
  3. Use the network locations defined to configure adaptive access policies for virtual apps and desktops in Citrix Studio.

Define adaptive policies you like to implement

Let us take the following example:

Location Access or user controls
Internal Enumerate all applications
BranchOffice Enumerate all applications
External Do not enumerate few sensitive applications and disable clipboard printer access to all applications

Configure network locations

You can configure network locations by using the Network Locations service in Citrix Cloud https://citrix.cloud.com/networksites. You can create the sites and can define if the sites must be treated as internal or external sites depending on the network connectivity. You can then attach tags to the sites. Once the sites are created, each client IP address must be associated with a set of tags.

Configure network locations

Note:

  • It is recommended that you define the network locations from which the users have more privileged access rather than defining external networks. Use the network locations to define your internal networks, your branch offices, and so on to give preferential access from these locations.
  • Define tags for each network location or site. For example “BranchOffice.” These tags are used to configure the adaptive access policies in Citrix Studio. The default tags defined are LOCATION_external and LOCATION_internal. Note: In Citrix Studio, you must prefix the tag name with “LOCATION_TAG_”. For example if you have defined a network location with the tag “BranchOffice”, then while configuring the filter option on Citrix Studio policy use the name “LOCATION_TAG_BranchOffice.”

Configure adaptive access policy on Citrix Studio

Note: This is not the exhaustive configuration, but a sample how to use the tag names to configure Studio policies.

The network location tags defined in the previous step are used to configure adaptive access policies on Citrix Studio. This step is similar to configuring a SmartAccess policy with the on-premises gateway. You must replace Citrix Gateway with workspace under “FARM” and session policy with Network location tags under “Filter”.

At this step choose the Citrix Studio policy (existing or new one) and associate it with a delivery group (existing or new one). To create a delivery group, see Create delivery groups. To create a policy, see Create Policies.

Configure adaptive access policy for virtual apps and desktops enumeration

Let’s use the previous example and create a policy to enumerate sensitive applications only from the corporate network (In this case, BranchOffice) To assign the tag, LOCATION_TAG_BranchOffice, to the delivery group identified for testing adaptive access policies, perform the following.

  1. Sign in to Citrix Cloud.
  2. Select My Services > DaaS.
  3. Click Manage.
  4. Create delivery groups as per your requirement. For details, see Create delivery groups.
  5. Select the delivery group that you have created and click Edit Delivery Group.
  6. Click Access Policy.
  7. Click Add and select the following:

    • workspace in Farm
    • LOCATION_TAG_BranchOffice in Filter

    Edit delivery group

    Note: You can add multiple filters to the same farm. The Farm must be always set to workspace and the filter must have any of the adaptive access tags that are created based on the network location configuration.

  8. For customers using adaptive access within Citrix Workspace platform, do the following to restrict access for a delivery group to internal networks only.

    • Select the Connections through NetScaler Gateway check box and then select the Connections meeting any of the following filters check box.
    • Enter the appropriate tags for internal locations.

    Note: If you select the All connections not through NetScaler Gateway, you can see your apps irrespective of whether you are coming from the internal or external network. It is recommended that customers using adaptive access with the Citrix Workspace platform, do not rely on the All connections not through NetScaler Gateway option to restrict access for a Delivery Group to internal networks only.

Configure adaptive access policies to define end-user controls while accessing the virtual apps and desktops

Let’s use the previous example and create a policy to disable copy-paste functionality from branch offices only.

To disable copy-paste functionality for users coming from location, LOCATION_TAG_BranchOffice, perform the following.

  1. On the Citrix DaaS configuration page, Click the Manage tab.
  2. Click the Policies tab.
  3. Select Create Policy.
  4. In Select Settings, select Client Clipboard Redirection.
  5. In Edit Setting, select Prohibited, and then click OK.

    Edit setting

  6. In the Users and Machines page, click Select user and machine objects, and then assign this policy to Access control.

  7. Enter a name for the policy (or accept the default). Consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

The policy is enabled by default. You can disable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you must prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

To assign an adaptive access policy to an external location (LOCATION_external)

If you want to apply an access policy for an external location, for example to disable clipboard access for users coming from locations not configured (other than LOCATION_TAG_BranchOffice, LOCATION_internal), then you just have to assign the policy to LOCATION_external (as none of the defined network locations are hit, LOCATION_external is returned).

Assign policy

How to validate your policy configuration

Validate the adaptive policies to make sure that the policies are working as intended before widely implementing these policies. In the configuration example;

  • For the users coming from the network location LOCATION_Internal, the apps must be enumerated for those users. Also the copy-paste functionality must be available for these users.
  • For the users coming from the network location LOCATION_TAG_BranchOffice, the apps must be enumerated for those users. The copy-paste functionality must be disabled for these users.
  • For the users coming from the location LOCATION_external, the apps must not be enumerated.
Adaptive access based on user’s network location - Preview