Based on the XenDesktop 7 Blueprint, we have created a definition of our user layer. The next step is to define how users will access their environment. Just like a house, you have doors and locks. To get in, you must have the right key for the right door.
Definition of the access layer is mainly focused on the access policies required for internal and external users. What is an access policy? It is simply a matter of setting the following 4 items:
- Authentication point: where users first enter their credentials. Typically this is either StoreFront or NetScaler Gateway.
- Authentication policy: how many and what type of credentials users must provide before access is granted (username, password, RADIUS token, etc.).
- Session policy: do different devices get different levels of access? Some people want to provide a different access experience depending on whether the device is mobile (iOS, Android or Microsoft tablets and phones) or non-mobile (Windows, Mac, Linux). To do this, NetScaler Gateway must be able to determine the endpoint device type, which is accomplished with the following expressions:
- Mobile devices: the expression is set to `REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver`. This policy is given a higher priority than the non-mobile policy so that mobile devices match it first instead of falling through to the non-mobile policy.
- Non-mobile devices: the expression is set to `ns_true`, which means it applies to all traffic that reaches it.
- Session profile: what kind of network connection users will be given. Full VPN gives the endpoint complete access to the internal network, while ICA Proxy allows access only over the ICA protocol.
As you can imagine, there are many options for these 4 elements, but here is what most people use:
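The mobile/non-mobile session policy pair described above, expressed as NetScaler Gateway CLI commands. This is an added example, not configuration from the original post or from the Citrix blueprint; the virtual server name, policy names, StoreFront URL and priority numbers are placeholders, and the two session profiles are both ICA Proxy because that is what the table below recommends for remote users.

```netscaler
# Added example (not from the original post). Names and URLs are placeholders.

# Session profiles: ICA Proxy only, no full VPN, with users landing on StoreFront.
# Keeping separate profiles per device type lets you tune the experience later
# (different home page, timeouts, etc.) without touching the policies.
add vpn sessionAction AC_Mobile_ICAProxy -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.internal/Citrix/StoreWeb" -clientChoices OFF
add vpn sessionAction AC_NonMobile_ICAProxy -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.internal/Citrix/StoreWeb" -clientChoices OFF

# Mobile policy: classic expression matching Citrix Receiver user agents
add vpn sessionPolicy PL_Mobile "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AC_Mobile_ICAProxy

# Non-mobile policy: ns_true matches everything that was not caught earlier
add vpn sessionPolicy PL_NonMobile ns_true AC_NonMobile_ICAProxy

# Bind both to the gateway vserver. A LOWER priority number is evaluated FIRST,
# so the mobile policy must get the smaller number or every device hits ns_true.
bind vpn vserver VS_Gateway -policy PL_Mobile -priority 100
bind vpn vserver VS_Gateway -policy PL_NonMobile -priority 110

# Verify the binding order before testing from a real device
show vpn vserver VS_Gateway
```

Because the User-Agent header is supplied by the client, treat this split as a way to tailor the user experience; the authentication policy and the ICA Proxy profile are what actually limit what a remote endpoint can reach.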
| Users connecting from ... | Local, trusted network | Remote, untrusted network |
|---|---|---|
| Authentication point | StoreFront | NetScaler Gateway |
| Authentication policy | Simple authentication (username and password) | Multi-factor authentication (username, password and token) |
| Session policy | Not applicable | Mobile and non-mobile |
| Session profile | Not applicable | ICA Proxy |
And with that, our diagram continues to evolve.
We have now included the following:
- the location of each user group
- the endpoint devices of each user group
- the complete communication path through the access layer
- NetScaler added as the gatekeeper in front of the control layer
Stay tuned for the resource layer ...
Daniel - Lead Architect
Follow @djfeller