Policy Filtering and Assignment


Before the rules in a policy can be applied to someone logging on to a MetaFrame server, you must decide what users, clients, and/or servers will be affected. You must then define the appropriate filters to enforce this assignment. You can filter a policy on any combination of the following:

  • Client IP address: You can define specific IP addresses or a range of addresses on which to filter.

  • Client name: The MPS client name can be used as a filter. Although, in most cases, this name will match the device host or computer name, this does not always have to be true. Make sure you specify the MPS client name when using this filter.

  • Username or group name: You can also filter on individual usernames or a group containing multiple users.

  • MetaFrame server name: You can filter certain rules to apply only when users log on to a specific MetaFrame server.

Multiple instances of each filter type can be used to create a filter that applies a policy to a specific subset of MetaFrame connections in the environment.

Figure 7.4 shows the policy filter dialog box. You open this dialog box either by highlighting a policy and pressing Alt+T, or right-clicking and selecting Apply This Policy To from the context menu. Selecting an available filter type in the left pane displays the associated window on the right where the filter can be enabled for this policy and the appropriate filter options defined.

Figure 7.4. Filters must be created for a policy before it can be applied to user connections in the farm.

Allow and Deny Access

All the supported filter types, with the exception of servers, allow you to specify whether a particular filter entry has a setting of Allow or Deny. When an entry has Allow access, the rules in the policy are applied to that entry. If an entry has Deny access, it is excluded from the filter and the corresponding policy rules are not applied.

Deny ensures that a particular policy is not applied to one or more objects that might otherwise be included as part of another filter condition. For example, you might specify that all members of the Remote Site group have a certain policy applied (they have Allow access), but you want to ensure that anyone using the special client devices with the names SECURE1 and SECURE2, regardless of whether they are in that group, are excluded from the policy. You would then add these two client names to the policy filter, but you would assign Deny access instead of Allow access. Figure 7.5 shows how these two client name entries would appear.

Figure 7.5. The Deny property ensures that particular objects (users, IP addresses, or client names) are excluded from a policy that might otherwise be applied to them.

Client IP Address

The Client IP Address filter allows you to specify individual IP addresses, a range of addresses, or through a single click, all client IP addresses that connect to the server. Multiple addresses from different networks can be used, allowing you to create a filter that applies only to users from a particular network subnet.

Client Name

You can define one or more client names, or you can select the check box that enables the rule for all client names. When entering a client name, you can specify the wildcard asterisk (*) character to include multiple names that are similar. For example, if all client names in the California office begin with the prefix CAL, you could add the client name CAL* to this filter, and it would automatically include all clients that matched this name. A network icon appears beside a wildcard name instead of the individual computer icon.

Client names are not case sensitive, but you must type them correctly. There is no mechanism for validating whether a client name you have entered actually matches an existing client name.

Alert

Contrary to what is found in the online help for MPS 3.0, you can use client names to filter on users connecting through the Web Interface for MPS. All Web Interface users are assigned a client name that begins with WI_ followed by 15 randomly generated ASCII characters. By specifying the client name WI_* you can create a filter that includes all users who may connect via the Web Interface.


Servers

When choosing to filter a policy based on servers, you are presented with a tree view showing all available MetaFrame servers in the farm, along with a check mark beside each entry (see Figure 7.6). A check mark corresponds to the default filter setting Apply to This Server, which is conceptually equivalent to the Allow property for the other policy filters. By clicking the drop-down icon next to a server name, you can toggle between the Apply and Do Not Apply to Server properties. From the root servers folder you can also enable or disable application of filters to all servers simultaneously.

Figure 7.6. MetaFrame servers are included or excluded from a filter by selecting the Apply or Do Not Apply settings. By default, all servers are included when the filter is first enabled.

Users

The final policy filter in the policy filters dialog box is the Users filter (see Figure 7.7). A user filter can be configured with the following information:

  • All explicit (nonanonymous) users: This represents all MetaFrame users who log on to a server in the farm with a user ID and password, regardless of whether they are administrators or regular users. You filter on this setting simply by clicking the corresponding check box under the Users filter.

  • Anonymous users: A filter can be defined so that it is applied only to those users who connect to a server via an anonymous Citrix user account. When anonymous logons have been enabled, a user is immediately logged on to a MetaFrame server without first being required to provide user ID and password information. You enable this filter option by selecting the Apply to Anonymous Users check box.

  • User groups: Filters can also be defined based on a user's membership in a domain or local server group. The Users filter allows you to drill into the desired group location and select one or more groups to include in the filter. Groups can be configured with the Allow or Deny setting.

  • User accounts: In addition to groups, you can also select individual users to include in the filter. As with groups, individual users may be set with the Allow or Deny setting. A common reason for including individual users is to explicitly allow or deny them access to this policy. Sometimes it is easier to include a single domain group that contains a large number of users and allow or deny a small subset than it is to create an entirely new group that excludes these few users.

Figure 7.7. The Users filter provides you with a number of different assignment options.
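
The filter rules described in this section can be modelled in a few lines to check which connections a planned filter would cover. This is an added example, not Citrix code or anything from the book; the function names, the sample data, and the rule that every filter type holding Allow entries must match are assumptions made for illustration.

```python
import ipaddress
import re

def entry_matches(kind, pattern, conn):
    """Return True if a single filter entry matches the connection dict."""
    if kind == "client_name":
        # Only '*' is a wildcard; comparison is not case sensitive.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, conn["client_name"], re.IGNORECASE) is not None
    if kind == "client_ip":
        # pattern is a (first, last) pair; a single address is first == last.
        first, last = (ipaddress.ip_address(p) for p in pattern)
        return first <= ipaddress.ip_address(conn["client_ip"]) <= last
    if kind == "user":
        # pattern is a user name or a group name.
        names = {conn["user"].lower()} | {g.lower() for g in conn["groups"]}
        return pattern.lower() in names
    if kind == "server":
        return pattern.lower() == conn["server"].lower()
    raise ValueError(f"unknown filter type: {kind}")

def policy_applies(filters, conn):
    """filters: list of (kind, pattern, 'allow' | 'deny') entries."""
    if not filters:
        return False  # no filter defined: policy is not applied to anyone
    allowed_kinds, matched_kinds = set(), set()
    for kind, pattern, access in filters:
        hit = entry_matches(kind, pattern, conn)
        if access == "deny":
            if hit:
                return False  # a matching Deny entry always excludes
        else:
            allowed_kinds.add(kind)
            if hit:
                matched_kinds.add(kind)
    # Assumed: every filter type that has Allow entries must match.
    return allowed_kinds == matched_kinds

# Constructed sample data, based on the Remote Site / SECURE1 example.
REMOTE_SITE_POLICY = [
    ("user", "Remote Site", "allow"),
    ("client_name", "SECURE1", "deny"),
    ("client_name", "SECURE2", "deny"),
]

def conn(user, groups, client_name, client_ip="10.1.1.20", server="MF01"):
    return {"user": user, "groups": groups, "client_name": client_name,
            "client_ip": client_ip, "server": server}
```

Because nothing validates a client name, a mistyped Deny entry in this model never matches, and the policy still reaches the device it was meant to exclude.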



Citrix CCA MetaFrame Presentation Server 3.0 and 4.0 Exam Cram (Exams 223 and 256)
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 199
