When you add a filter to a policy, the policy's settings are applied to connections according to specific criteria or rules. If no filter is added, the policy is applied to all connections.
|Filter Name||Filter Description||Policy Scope|
|Access Control||Applies a policy based on the access control conditions through which a client is connecting.||User policies only|
|Client IP Address||Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session.||User policies only|
|Client Name||Applies a policy based on the name of the user device from which the session is connected.||User policies only|
|User||Applies a policy based on the user or group membership of the user connecting to the session.||User policies only|
|Worker Group||Applies a policy based on the worker group membership of the server hosting the session.||
When a user logs on, XenApp identifies the policies that match the filters for the connection. XenApp sorts the identified policies into priority order, compares multiple instances of any policy setting, and applies the policy setting according to the priority ranking of the policy. XenApp recalculates the policy every 90 minutes after the user logs on to the farm.
Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.
By default, XenApp provides Unfiltered policies for Computer and User policy settings. The settings added to this policy apply to all connections.
If you use Active Directory in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the farm, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of the Sales-US GPO.
If you use the Delivery Services Console to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers and connections in the farm.
A filter's mode determines whether or not the policy is applied only to connections that match all the filter criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the filter criteria. If the mode is set to Deny, the policy is applied if the connection does not match the filter criteria. The following examples illustrate how filter modes affect Citrix policies when multiple filters are present.
In policies with two filters of the same type, one set to Allow and one set to Deny, the filter set to Deny takes precedence, provided the connection satisfies both filters. For example:
Because the mode for Filter B is set to Deny, the policy is not applied when the Sales manager logs on to the farm, even though the user is a member of the Sales group.
In policies with two or more filters of differing types, set to Allow, the connection must satisfy at least one filter of each type in order for the policy to be applied. For example:
When the Sales manager logs on to the farm from the office, the policy is applied because the connection satisfies both filters.
When the Sales manager logs on to the farm from the office, the policy is not applied because the connection does not satisfy Filter F.
The policy is applied the next time the relevant users establish a connection.