Configure access policies for the applications
Access policies allow or deny access to apps (HTTP/HTTPS and TCP/UDP) based on users or user groups, or on machines or machine groups. For HTTP/HTTPS apps you can additionally allow access with security restrictions attached (restrictions are not available for TCP/UDP apps, see the note under Actions).
- In the admin console, click Access Policies.
- Click Create Policy.
- In the Create Access Policy page, select one of the following:
  - Users/User groups
  - Machines/Machine groups

  Application access rules are enforced in the context of either the user or the machine, depending on which of the two you select here.

  Select Machines/Machine groups to enable Always On connectivity. Always On requires a device certificate enrolled on each machine, because the tunnel authenticates the machine itself before any user logs on; for details see Device certificate enrollment configuration. For more information on the machine tunnel, see Always On VPN before Windows Logon.
- In Policy name, enter a name for the policy.
- In Applications, select the apps for which you want to enforce the access policies.
- In Users conditions, select the condition and the users or user groups (or machines or machine groups) whose app access the policy governs:
  - Matches any of: the condition is met for any user/user group or machine/machine group listed in the field.
  - Does not match any: the condition is met for every user/user group or machine/machine group that is not listed in the field. This includes identities that did not exist when the policy was written, so it suits a deny policy better than an allow list.

  Whether a matching identity is allowed or denied is decided by the action selected in the Actions step, not by the condition itself.
- Click Add condition to add another condition based on contextual tags. These tags are derived from the NetScaler Gateway.
- In Actions, select the action to enforce on the app when the conditions are met:
- Allow access
- Allow access with restriction
- Deny access
Note:
- The action Allow access with restriction is not applicable to TCP/UDP apps; for those apps choose Allow access or Deny access.
- When you select Allow access with restriction, you must click Add restrictions to select the restrictions. For more information on each restriction, see Available access restrictions.
- Select the restrictions and then click Done.
- Select Enable policy on save. If you do not select this option, the policy is created but not enforced on the applications, so it is skipped during evaluation until you enable it. You can also enable the policy later from the Access Policies page by using the toggle switch.
Access policy priority
After an access policy is created, a priority number is assigned to the access policy, by default. You can view the priority on the Access Policies home page.
The policy with the lowest priority number has the highest preference and is evaluated first. If its conditions do not match, the policy with the next higher priority number is evaluated, and so on. Evaluation stops at the first policy whose conditions match, so a broad policy with a low priority number shadows more specific policies that come after it; keep specific rules above general ones.
You can change the priority order by moving the policies up or down by using the up-down icon in the Priority column.
Device certificate enrollment configuration
Device certificates must be enrolled for Always On configurations to ensure that devices can consistently and securely connect to the network.
The following steps are involved in device certificate enrollment:
- The Active Directory Enterprise Certificate Authority issues a device certificate for machine authentication.
- The certificate authority must publish an LDAP URL in the CRL distribution point (CDP) extension of issued certificates, so that the device certificate's revocation status can be checked against the CRL held in Active Directory.
- Create a certificate template on this certificate authority to enroll the device certificate, with the following details:
  - Open the Certificate Templates snap-in and duplicate either the Computer or the Workstation Authentication (preferred) template.
  - Provide a new name for the template.
  - Switch to the Subject Name tab, set Subject name format to Common name, and under Include this information in alternate subject name select User principal name (UPN).
  - Switch to the Security tab and add a security group (containing only computer accounts) to which you want to autoenroll the new certificate template. Select the added group and select Allow for Autoenroll. Autoenrollment also requires the Read and Enroll permissions on the template; Read is normally granted to Authenticated Users by default, but confirm that Enroll is allowed for the group as well.

  Note:
  In the preceding image, Authenticated Users (all computer objects) are permitted to enroll/autoenroll the new certificate template. Authenticated Users also includes every user account in the forest, so a dedicated security group of computer accounts is the tighter choice.

- (Optional) Create a group policy object (GPO) that enables automatic certificate enrollment for computers (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, with the options to renew, update and remove certificates selected) and link it to an organizational unit (OU) or at the domain level.
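The following script is an added example for checking the CA-side prerequisites above; it is not Citrix's own code or part of the original page. It runs in an elevated Windows PowerShell session on the enterprise CA and needs the ADCSAdministration and ActiveDirectory modules. The template name `CitrixAlwaysOnDevice` and the group `CONTOSO\AlwaysOn-Devices` are assumptions for the example; substitute your own values.

```powershell
# Added example (not Citrix's own code): verifies the CA-side prerequisites for device
# certificate enrollment. Run elevated on the enterprise CA with the ADCSAdministration
# and ActiveDirectory (RSAT) modules available.
param(
    # Assumed: the template's name as stored in AD (its CN, normally without spaces),
    # which is what the Template name field shows, not the display name.
    [string]$TemplateName    = 'CitrixAlwaysOnDevice',
    # Assumed: the computer-only security group added on the template's Security tab.
    [string]$AutoenrollGroup = 'CONTOSO\AlwaysOn-Devices'
)
Import-Module ADCSAdministration
Import-Module ActiveDirectory
$failed = $false

# 1. At least one ldap:/// CDP URL must be flagged for inclusion in issued certificates.
$ldapCdp = Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'ldap:///*' -and $_.AddToCertificateCdp }
if ($ldapCdp) { "OK   CDP: LDAP URL(s) written into certificates: $($ldapCdp.Uri -join '; ')" }
else {
    "FAIL CDP: no ldap:/// URL has 'Include in the CDP extension of issued certificates' set"
    $failed = $true
}

# 2. The template must be published on this CA, otherwise clients cannot request it.
if (Get-CATemplate | Where-Object Name -eq $TemplateName) {
    "OK   Template '$TemplateName' is published on this CA"
} else {
    "FAIL Template '$TemplateName' is not published on this CA"
    $failed = $true
}

# 3. Autoenrollment needs Read + Enroll + Autoenroll on the template object in the
#    Configuration partition. Enroll and Autoenroll are extended rights with fixed GUIDs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
              (Get-ADRootDSE).configurationNamingContext
$allowAces = (Get-Acl -Path "AD:\$templateDn").Access | Where-Object AccessControlType -eq 'Allow'
$groupAces = $allowAces | Where-Object { $_.IdentityReference.Value -eq $AutoenrollGroup }
# Read usually comes from the default Authenticated Users ACE, so accept either principal for it.
$readAces  = $allowAces | Where-Object {
    $_.IdentityReference.Value -in $AutoenrollGroup, 'NT AUTHORITY\Authenticated Users'
}

function Test-Right([object[]]$Aces,
                    [System.DirectoryServices.ActiveDirectoryRights]$Right,
                    [guid]$ObjectType) {
    # An ACE grants the right when the bit is set and, for extended rights, its ObjectType
    # names that right or is empty (empty means "all extended rights", e.g. GenericAll).
    [bool]($Aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band [int]$Right) -and
        ($ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    })
}
$checks = [ordered]@{
    Read       = Test-Right $readAces  ReadProperty  ([guid]::Empty)
    Enroll     = Test-Right $groupAces ExtendedRight $enrollGuid
    Autoenroll = Test-Right $groupAces ExtendedRight $autoenrollGuid
}
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { "OK   $name granted for $AutoenrollGroup on $TemplateName" }
    else { "FAIL $name missing for $AutoenrollGroup on $TemplateName"; $failed = $true }
}
if ($failed) { exit 1 }
```

A FAIL on the CDP check means certificates issued from the template carry no LDAP CDP at all, which is the first prerequisite in the list above; a FAIL on Enroll or Autoenroll is the usual reason an otherwise correctly scoped GPO produces no certificate on the clients.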
Next steps
- Validate your configuration from the client machines (Windows and macOS).
- For the TCP/UDP apps, validate your configuration from the client machines (Windows and macOS) by logging into the Citrix Secure Access client.
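For the Windows side of this validation, the following added example (not Citrix's own code and not part of the original page) triggers an autoenrollment pass and then inspects the device certificate in the machine store for the properties the enrollment steps above are meant to produce: a private key, the UPN in the subject alternative name, an LDAP CRL distribution point, the Client Authentication purpose, and a chain that builds with an online revocation check. The template name `CitrixAlwaysOnDevice` is an assumption; replace it with your own. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not Citrix's own code): validates the autoenrolled device certificate
# on a Windows client. Run elevated; the LocalMachine store needs administrator rights.
param(
    # Assumed template name; the template's display name or OID appears in the
    # Certificate Template Information extension of the issued certificate.
    [string]$TemplateName = 'CitrixAlwaysOnDevice'
)

# Refresh computer policy and force an autoenrollment pass so a newly linked GPO applies now.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# Well-known extension and EKU OIDs used below.
$OidTemplateInfo = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$OidTemplateName = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$OidSan          = '2.5.29.17'              # Subject Alternative Name
$OidCdp          = '2.5.29.31'              # CRL Distribution Points
$OidEku          = '2.5.29.37'              # Extended Key Usage
$OidClientAuth   = '1.3.6.1.5.5.7.3.2'      # Client Authentication

function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
                           [string]$Oid) {
    # Returns the CryptoAPI-formatted text of one extension, or '' if the cert lacks it.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Test-DeviceCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the chain with an online revocation check. This exercises the CDP embedded by
    # the CA, so an unreachable CDP surfaces here instead of at the Always On connection.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($Cert)

    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    $clientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $OidClientAuth))

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        UpnInSan      = (Get-ExtensionText $Cert $OidSan) -match 'Principal Name='
        LdapCdp       = (Get-ExtensionText $Cert $OidCdp) -match 'ldap:///'
        ClientAuthEku = $clientAuth
        ChainAndCrlOk = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Pick the machine certificates issued from the template (match either template extension).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (Get-ExtensionText $_ $OidTemplateInfo) -like "*$TemplateName*" -or
    (Get-ExtensionText $_ $OidTemplateName) -like "*$TemplateName*"
}
if (-not $candidates) {
    Write-Warning ("No certificate from template '$TemplateName' in LocalMachine\My. Check the GPO scope, " +
                   "the template's Enroll/Autoenroll ACL, and that the CA publishes the template.")
    exit 1
}

$results = $candidates | ForEach-Object { Test-DeviceCertificate $_ }
$results | Format-List
$bad = $results | Where-Object {
    -not ($_.HasPrivateKey -and $_.UpnInSan -and $_.LdapCdp -and $_.ClientAuthEku -and $_.ChainAndCrlOk)
}
if ($bad) { exit 1 }
```

ChainStatus is printed so that a failed build can be attributed: RevocationStatusUnknown or OfflineRevocation points at a CDP the client cannot reach, while UntrustedRoot points at a missing root in the machine's trusted store. Only after this passes is it worth signing in to the Citrix Secure Access client to test the TCP/UDP apps.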