
Restrict access to machines in a Delivery Group

Feb 27, 2014

You can restrict access to a Delivery Group's machines. Any changes you make supersede previous settings, regardless of the method you use.

  • Restrict access for administrators using Scopes to control administrator access to groups of objects such as machine catalogs, Delivery Groups, and Resources. You can create and assign a scope that lets administrators access all applications, and another that provides access to only certain applications.
  • Restrict access for users through:
    • SmartAccess policy expressions that filter user connections made through NetScaler Gateway. Your policy administrator can perform this task in the Policy node in Studio, or through policy settings as described in Policy Settings: Quick Reference Table.
    • Exclusion filters on access policies that you set with the XenDesktop Software Development Kit (SDK). Access policies are applied to Delivery Groups to refine certain aspects of virtual desktop connections. For example, you can restrict machine access to a subset of the users listed on the Delivery Group's End user settings page, and you can specify the allowed user devices that can connect to machines. Access policies achieve similar results to, but are different from, XenDesktop policies.

      Using exclusion filters further refines access policies. For example, for business or security reasons you can deny access to a subset of users or devices. By default, exclusion filters are disabled and can be set using the SDK.

To restrict administrator access through scopes

  1. In Studio in the Delivery Groups node, select the Delivery Group you want to restrict.
  2. Click Edit Delivery Group and then click Scopes.
  3. Select an existing scope.
  4. Add or remove objects to include in the scope.
  5. To select an object's subset, click the left-arrow to display and select sub-objects and then click OK.

To restrict user access through SmartAccess policy expressions

Use SmartAccess policy expressions through the NetScaler Gateway.
  1. In Studio under Delivery Groups, select the Delivery Group you want to restrict.
  2. Click Edit Delivery Group and then click Access policy.
  3. On the Access Policy page, select Connections through NetScaler Gateway. Only connections through the NetScaler Gateway are allowed.
  4. To choose a subset of those connections, select Connections meeting any of the following filters and:
    1. Define the NetScaler Gateway site.
    2. Add, edit, or remove the SmartAccess policy expressions that define the allowed user access scenarios for the Delivery Group. For more information about NetScaler Gateway and SmartAccess policy expressions, see Configuring SmartAccess on NetScaler Gateway.

To restrict user access through exclusion filters

You can use exclusion filters through the SDK.

In this example, there is a teaching lab on a subnet within the corporate network, and you want to prevent any access from that lab to a certain Delivery Group regardless of who is using the machines in the lab. To do so, enter the following SDK command:

 Set-BrokerAccessPolicy -Name VPDesktops_Direct -ExcludedClientIPFilterEnabled $True -

Note: You can also use the asterisk (*) as a wildcard to match all tags that start with the same policy expression. For example, if you added the tag VPDesktops_Direct to one machine and VPDesktops_Test to another, setting the tag in the Set-BrokerAccessPolicy script to VPDesktops_* applies the filter to both machines.

See About the XenDesktop SDK for more information about using the SDK.
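
The teaching-lab exclusion described above, written out with a before/after check. This is an added example, not Citrix's own code. Get-BrokerAccessPolicy and the -ExcludedClientIPs parameter are assumptions that do not appear on this page, and 192.0.2.0/24 is a constructed placeholder for the lab subnet.

```powershell
# Added example. Assumes the Broker SDK snap-in is already loaded in this
# session. The policy name comes from the page; the subnet is a constructed
# placeholder (RFC 5737 documentation range), not a real lab range.
$PolicyName = 'VPDesktops_Direct'
$LabSubnet  = '192.0.2.0/24'

# Get-BrokerAccessPolicy and -ExcludedClientIPs are assumed (see lead-in).
# -ErrorAction Stop turns a misspelled policy name into a hard failure
# instead of a silent no-op.
$before = @(Get-BrokerAccessPolicy -Name $PolicyName -ErrorAction Stop)
if ($before.Count -eq 0) { throw "No access policy matches '$PolicyName'." }

# Changes supersede previous settings, so record the current exclusion
# values first; they are what a rollback would have to restore.
$before |
    Select-Object Name, ExcludedClientIPFilterEnabled, ExcludedClientIPs |
    Format-Table -AutoSize

foreach ($policy in $before) {
    # Set the flag and the range in one call so the policy is never left
    # with the filter switched on but no address range behind it.
    Set-BrokerAccessPolicy -Name $policy.Name `
        -ExcludedClientIPFilterEnabled $true `
        -ExcludedClientIPs $LabSubnet `
        -ErrorAction Stop
}

# Read the policies back and confirm both settings are present.
foreach ($policy in @(Get-BrokerAccessPolicy -Name $PolicyName)) {
    $hasRange = @($policy.ExcludedClientIPs).Count -gt 0
    if (-not $policy.ExcludedClientIPFilterEnabled -or -not $hasRange) {
        throw "Exclusion filter not applied to '$($policy.Name)'."
    }
    Write-Output "$($policy.Name): exclusion filter enabled for $LabSubnet."
}
```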