Secure and restrict access to machines in a Delivery Group

Apr 26, 2015

To secure Delivery Groups with SecureICA

You can conceal all communications to and from machines in any Delivery Group using the SecureICA feature, which encrypts the ICA protocol.

When connections traverse public networks, Citrix recommends using additional encryption besides SecureICA, specifically SSL/TLS. Also note that SecureICA does not check data integrity.

By default, the system disables SecureICA. If you enable it, the default encryption level is 128-bit. You can configure the level using the SDK. See About the XenApp and XenDesktop SDK for detailed information.
  1. In Studio, select the Delivery Groups node and select the Delivery Group whose communications you want to secure.
  2. Click Edit Delivery Group and then click Basic settings.
  3. Select Enable Secure ICA.

To restrict administrator access through scopes

You can restrict access to a Delivery Group's machines. Any changes you make supersede previous settings, regardless of the method you use.

  • Restrict access for administrators using Scopes to control administrator access to groups of objects such as machine catalogs, Delivery Groups, and Resources. You can create and assign a scope that lets administrators access all applications, and another that provides access to only certain applications.
  • Restrict access for users through:
    • SmartAccess policy expressions that filter user connections made through NetScaler Gateway. Your policy administrator can perform this task in the Policy node in Studio, or through policy settings as described in Quick reference table.
    • Exclusion filters on access policies that you set with the Software Development Kit (SDK). Access policies are applied to Delivery Groups to refine certain aspects of virtual desktop connections. For example, you can restrict machine access to a subset of the users listed on the Delivery Group's End user settings page, and you can specify which user devices are allowed to connect to machines. Access policies achieve results similar to those of policies, but they are a separate mechanism.

      Using exclusion filters further refines access policies. For example, for business or security reasons you can deny access to a subset of users or devices. By default, exclusion filters are disabled and can be set using the SDK.

  1. In Studio in the Delivery Groups node, select the Delivery Group you want to restrict.
  2. Click Edit Delivery Group and then click Scopes.
  3. Select an existing scope.
  4. Add or remove objects to include in the scope.
  5. To select a subset of an object, click the left-arrow to display and select its sub-objects, and then click OK.

To restrict user access through SmartAccess policy expressions

Use SmartAccess policy expressions through the NetScaler Gateway.
  1. In Studio under Delivery Groups, select the Delivery Group you want to restrict.
  2. Click Edit Delivery Group and then click Access policy.
  3. On the Access Policy page, select Connections through NetScaler Gateway. Only connections through the NetScaler Gateway are allowed.
  4. To choose a subset of those connections, select Connections meeting any of the following filters and:
    1. Define the NetScaler Gateway site.
    2. Add, edit, or remove the SmartAccess policy expressions that define the allowed user access scenarios for the Delivery Group. For more information about NetScaler Gateway and SmartAccess policy expressions, see Configuring SmartAccess on NetScaler Gateway.

To restrict user access through exclusion filters

You can use exclusion filters through the SDK.

In this example, there is a teaching lab on a subnet within the corporate network, and you want to prevent any access from that lab to a certain Delivery Group regardless of who is using the machines in the lab. To do so, enter the following SDK command:

  Set-BrokerAccessPolicy -Name VPDesktops_Direct -ExcludedClientIPFilterEnabled $True

Note: You can also use the asterisk (*) as a wildcard to match all tags that start with the same policy expression. For example, if you added the tag VPDesktops_Direct to one machine and VPDesktops_Test to another, setting the tag in the Set-BrokerAccessPolicy script to VPDesktops_* applies the filter to both machines.

See the About the XenApp and XenDesktop SDK for more information about using the SDK.
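The following script is an added example, not code from the Citrix documentation. It applies the two SDK-side settings discussed on this page (requiring SecureICA for a Delivery Group, and enabling the client-IP exclusion filter on an access policy for the teaching-lab scenario) and then reads both back so that a misapplied setting is caught immediately. The Delivery Group name VPDesktops, the lab subnet 10.20.30.0/24 and the CIDR notation accepted by -ExcludedClientIPs are assumptions; the access policy name VPDesktops_Direct is the one used above.

```powershell
# Added example (not Citrix's own code): apply and verify the SecureICA and
# exclusion-filter settings with the Broker SDK.
# Assumed: Delivery Group 'VPDesktops', access policy 'VPDesktops_Direct',
# and a constructed lab subnet 10.20.30.0/24 in CIDR form.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$groupName  = 'VPDesktops'         # assumed Delivery Group name
$policyName = 'VPDesktops_Direct'  # access policy name used on this page
$labSubnet  = '10.20.30.0/24'      # constructed subnet of the teaching lab

# 1. Require SecureICA for sessions to this Delivery Group (the SDK
#    counterpart of the 'Enable Secure ICA' check box in Studio).
Set-BrokerDesktopGroup -Name $groupName -SecureIcaRequired $true

# 2. Turn on the client-IP exclusion filter and list the subnet to block.
#    The filter is evaluated against the connecting device's address, so it
#    blocks the lab regardless of which user signs in there.
Set-BrokerAccessPolicy -Name $policyName `
    -ExcludedClientIPFilterEnabled $true `
    -ExcludedClientIPs $labSubnet

# 3. Read both settings back and fail loudly if either did not take effect.
$group  = Get-BrokerDesktopGroup -Name $groupName
$policy = Get-BrokerAccessPolicy -Name $policyName

if (-not $group.SecureIcaRequired) {
    throw "SecureICA is not required on Delivery Group '$groupName'"
}
if (-not $policy.ExcludedClientIPFilterEnabled -or
    ($policy.ExcludedClientIPs -notcontains $labSubnet)) {
    throw "Exclusion filter for $labSubnet is not active on '$policyName'"
}

"Delivery Group '{0}': SecureICA required = {1}" -f $group.Name, $group.SecureIcaRequired
"Access policy '{0}': excluded client IPs = {1}" -f $policy.Name, ($policy.ExcludedClientIPs -join ', ')
```

Run it from a PowerShell session on a Delivery Controller (or a machine with the Studio SDK snap-ins installed) as a Full Administrator. The read-back step matters: Set-BrokerAccessPolicy returns nothing on success, so without it a typo in the policy name or a rejected address format goes unnoticed until a lab machine connects.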

To remove the Shut Down command

Citrix recommends that you apply this Microsoft policy to all users who access Desktop OS machines. This prevents users from selecting Shut Down within a session and powering off the desktop, which would require manual intervention from the system administrator.

Locate this policy at User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down command and set it to Enabled.
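As an added example (not part of the Citrix documentation), the check below verifies on a Desktop OS machine that the policy above is actually in force for the logged-on user. The "Remove and prevent access to the Shut Down command" policy is backed by the NoClose DWORD value under the Explorer policies key in the user hive; reading that value confirms the Group Policy was applied, which is useful after a GPO change or when a user reports the command is still visible.

```powershell
# Added example (not Citrix's own code): confirm that the 'Remove and prevent
# access to the Shut Down command' policy is applied for the current user.
# The policy sets NoClose = 1 under the Explorer policies key of HKCU.
function Test-ShutDownCommandRemoved {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # -ErrorAction SilentlyContinue: a missing key or value means "not applied"
    $item = Get-ItemProperty -Path $key -Name NoClose -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoClose -eq 1)
}

if (Test-ShutDownCommandRemoved) {
    "OK: Shut Down command is removed for $env:USERNAME on $env:COMPUTERNAME"
} else {
    "WARNING: Shut Down command is still available for $env:USERNAME on $env:COMPUTERNAME"
}
```

Run it inside the user's own session (for example from a logon script), because the value lives in that user's HKCU hive; running it as a different account reports on the wrong user.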