Product Documentation

Applying Policies

Oct 09, 2015

When you add a filter to a policy, the policy's settings are applied to connections according to specific criteria or rules. If no filter is added, the policy is applied to all connections.

You can add as many filters as you want to a policy, based on a combination of criteria. The availability of certain filters depends on whether you are applying a Computer policy or a User policy. The following table lists the available filters:
| Filter Name | Filter Description | Policy Scope |
| --- | --- | --- |
| Access Control | Applies a policy based on the access control conditions through which a client is connecting. | User policies only |
| Client IP Address | Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session. | User policies only |
| Client Name | Applies a policy based on the name of the user device from which the session is connected. | User policies only |
| User | Applies a policy based on the user or group membership of the user connecting to the session. | User policies only |
| Worker Group | Applies a policy based on the worker group membership of the server hosting the session. | Computer policies and User policies |

When a user logs on, XenApp identifies the policies that match the filters for the connection. XenApp sorts the identified policies into priority order, compares multiple instances of any policy setting, and applies the policy setting according to the priority ranking of the policy. XenApp recalculates the policy every 90 minutes after the user logs on to the farm.

Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Unfiltered Policies

By default, XenApp provides Unfiltered policies for Computer and User policy settings. The settings added to this policy apply to all connections.

If you use Active Directory in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the farm, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of the Sales-US GPO.

If you use the Delivery Services Console to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers and connections in the farm.

Filter Modes

A filter's mode determines whether or not the policy is applied only to connections that match all the filter criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the filter criteria. If the mode is set to Deny, the policy is applied if the connection does not match the filter criteria. The following examples illustrate how filter modes affect Citrix policies when multiple filters are present.

Example: Filters of Like Type with Differing Modes

In policies with two filters of the same type, one set to Allow and one set to Deny, the filter set to Deny takes precedence, provided the connection satisfies both filters. For example:

Policy 1 includes the following filters:
  • Filter A is a User filter that specifies the Sales group and the mode is set to Allow.
  • Filter B is a User filter that specifies the Sales manager's account and the mode is set to Deny.

Because the mode for Filter B is set to Deny, the policy is not applied when the Sales manager logs on to the farm, even though the user is a member of the Sales group.

Example: Filters of Differing Type with Like Modes

In policies with two or more filters of differing types, set to Allow, the connection must satisfy at least one filter of each type in order for the policy to be applied. For example:

Policy 2 includes the following filters:
  • Filter C is a User filter that specifies the Sales group and the mode is set to Allow.
  • Filter D is a Client IP Address filter that specifies 10.8.169.* (the corporate network) and the mode is set to Allow.

When the Sales manager logs on to the farm from the office, the policy is applied because the connection satisfies both filters.

Policy 3 includes the following filters:
  • Filter E is a User filter that specifies the Sales group and the mode is set to Allow.
  • Filter F is an Access Control filter that specifies Access Gateway connection conditions and the mode is set to Allow.

When the Sales manager logs on to the farm from the office, the policy is not applied because the connection does not satisfy Filter F.
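
The following added example (not Citrix code and not a Citrix API) models the filter-mode rules above together with the priority rule described earlier, so you can check which policies reach a given connection and which setting value wins. The account name, setting names, priorities and the rule that priority 1 ranks highest are assumptions made for the example.

```python
from fnmatch import fnmatch

def matches(flt, conn):
    # A connection may carry several values per filter type (e.g. group names).
    return any(fnmatch(v, flt["value"]) for v in conn.get(flt["type"], []))

def policy_applies(filters, conn):
    """Model of the Filter Modes rules on this page (not Citrix code)."""
    by_type = {}
    for f in filters:
        by_type.setdefault(f["type"], []).append(f)
    for group in by_type.values():  # an unfiltered policy skips this loop
        allow = [f for f in group if f["mode"] == "Allow"]
        deny = [f for f in group if f["mode"] == "Deny"]
        if any(matches(f, conn) for f in deny):
            return False            # a matching Deny filter takes precedence
        if allow and not any(matches(f, conn) for f in allow):
            return False            # need one Allow match per filter type
    return True

def resultant(policies, conn):
    """Per-setting winner; assumes priority 1 is the highest rank."""
    result = {}
    for p in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if policy_applies(p["filters"], conn):
            result.update(p["settings"])  # unconfigured settings are absent
    return result

def flt(ftype, value, mode):
    return {"type": ftype, "value": value, "mode": mode}

# Constructed data: account, setting names and priorities are hypothetical.
POLICIES = [
    {"name": "Policy 1", "priority": 2, "settings": {"clipboard": "Enabled"},
     "filters": [flt("User", "Sales", "Allow"),
                 flt("User", "sales-manager", "Deny")]},
    {"name": "Policy 2", "priority": 1, "settings": {"clipboard": "Disabled"},
     "filters": [flt("User", "Sales", "Allow"),
                 flt("Client IP Address", "10.8.169.*", "Allow")]},
    {"name": "Policy 3", "priority": 3, "settings": {"drives": "Disabled"},
     "filters": [flt("User", "Sales", "Allow"),
                 flt("Access Control", "Access Gateway", "Allow")]},
]
MANAGER_OFFICE = {"User": ["Sales", "sales-manager"],
                  "Client IP Address": ["10.8.169.20"]}
REP_HOME = {"User": ["Sales"], "Client IP Address": ["203.0.113.7"]}

if __name__ == "__main__":
    for conn in (MANAGER_OFFICE, REP_HOME):
        hits = [p["name"] for p in POLICIES if policy_applies(p["filters"], conn)]
        print(hits, resultant(POLICIES, conn))
```

Running the same model against a connection from outside the corporate range shows where a restrictive policy filtered on Client IP Address silently stops applying, which is the case worth reviewing when a policy carries security settings.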

To apply a policy

You must add at least one filter to a policy for that policy to be applied.
  1. From the policy wizard, select the filter you want to apply and click Add.
  2. From the New Filter dialog box, click Add to configure filter elements.
  3. Select the mode for the filter.

The policy is applied the next time the relevant users establish a connection.