
Configuring Policies in Presentation Server

Policies are one of the most powerful ways to granularly control and secure access to virtualized applications in Presentation Server. Setting these up properly also helps to ensure that end-users get the best, most consistent and reliable access experience. Brian Madden, an independent, well-known author and consultant specializing in Citrix solutions, hosts this detailed yet concise, technical, step-by-step overview of configuring policies. (Running time: 27:45 minutes)

Tags: technical video

Transcript: Hello. This is Brian Madden, author of several books and hundreds of articles about Citrix and server-based computing. And I’d like to take a few minutes today to talk about Citrix Presentation Server policies. Policies provide a fantastic way for you to very granularly control the environment that users see when they connect into your Citrix servers. And this can apply both from a security standpoint, as far as what they are allowed and not allowed to do. And it can apply from a management environment, managing and controlling the environment that the users see. So I am right now on a Citrix Presentation Server 4 server. And I’m going to go ahead and fire up the management console. And from there we’ll step through the various policies configuration and look at some of the things that we can do. So we’ll take just about 20 minutes in total and kind of go over some of the basics. And after you watch this video, you should be able to implement policies successfully on your environment. So the first thing you’ll notice here, is notice that I have a Policies item on the tree in the left-hand pane. So I’ll click on Policies. My right-hand pane shows all the policies that I currently have configured inside my farm. So this is a new farm for me, so you’ll see that, by default, there are no policies configured. So the first thing we have to do in order to use policies, is we need to create a policy. And I’m going to go ahead and just right click on Policies, choose Create Policy, and we’ll give this a really happy name, like My First Policy. And so I can do that. I can push OK. And now you’ll see that that policy item exists inside my farms. So policies are stored in the IMA datastore, just like any other configuration information that you configure via this Presentation Server console. In order to use policies, there are two key concepts that are important to understand. 
The first is that, once you create a policy, number one, you have to configure that policy for the specific settings that you want to enforce when that policy is applied. And then two, after that policy is created, you need to apply the policy to a specific set of users or servers or something like that. So I’ve created My First Policy here. So I’m going to go ahead and right click on My First Policy and go to Properties. This will show all the various things in this new window that pops up that I can configure with the policy. So, for example, I could configure this policy to turn off the desktop wallpaper. Or I could give myself session limits. Maybe I want to make this policy so that the client audio redirection is limited to only 10K per second. Or maybe I want my whole session to only be limited to 100K per second. Perhaps I want to disable client drive mapping. Or maybe I want to disable only hard drives, but allow clients to access their local floppy drives. I can do all these things within my policy itself. So once I have my policy configured in a way that I like it, I click OK. All of those settings I’ve just configured are now built into that specific policy object right there. So My First Policy object, right here, contains those settings that I have just configured. But that’s only the first step. Because, like I said, the first step is to configure your policy itself. Once your policy is actually configured, you now need to apply that policy to specific users or groups or computers. So in order to apply this policy somewhere, I right click on it, and I choose the option Apply this policy to. And you’ll see here I have actually five different targets that I can use to apply policies. And Citrix actually calls this filtering. So for example, let’s say that I just created this policy called My First Policy. Perhaps I want to apply this policy to a specific user group. So I can highlight Users. I can choose to filter this policy based on users. 
And filtering is Citrix’s terminology for applying this policy somewhere. And so now it looks at the domain. BMLAB.LOCAL is the domain that I am in right now. And I will look into my Users. And I have here a group called Citrix Users. So I’ll double click that. And now you see Citrix Users group is listed in the Configured Accounts here. And now that means that this policy I just created, called My First Policy, is now applied to users within the group of Citrix Users. So whenever a user from the Citrix Users group logs onto a server in my farm, the settings within My First Policy are going to apply. Now, I can actually create as many policies as I want within the Citrix server farm. And that’s actually probably the real value of these policies. So let’s create another one. We’ll call it My Second Policy. And I’ll click OK. And so now you see I have the second policy that just showed up on this list here. As I said, you can create as many policies as you want. And remember, each policy contains its own settings and is basically separate from all other policies. So I’ll right click on My Second Policy, and I’ll choose Properties. And now I can go in here. And maybe within this policy I want to, let’s say, enable encryption and enforce the 128-bit encryption. And, of course, I could make whatever changes within this policy I wanted. I could kind of change anything I wanted here. I’ll click OK. And now, of course, that policy contains those settings. And if I want to apply this policy to a group of users, or computers, or whatever the case may be, I would right click on that. I would choose Apply this policy to. And maybe, for instance, I want to apply this policy called My Second Policy to administrators. So I’ll click on Users. I’ll check my box to enable Filtering based on users. And I will double click through my active directory environment here, and let’s go down to Users. And let’s go to Domain Admins. And now click OK. 
And so now, My Second Policy is applied to Domain Admins. My First Policy is applied to Citrix Users. And so depending on what group I am when I log on to the environment, that’s going to dictate which policy is actually applying here. Now, let’s go ahead and create another policy. And so we’ll call this, how about My Third Policy. And as you can see, you can end up with as many policies as you want inside your farm. That’s key. Because a production farm environment, it may have tens, or 50, or even 100, or 150 policies, and that’s okay. Because what you’re doing with these policies, is each policy contains its own bucket of settings. And then you get very specific and very granular as far as which policies apply to which users, in which connections, in which situations. So I’m going to click, right click on My Third Policy. And I’ll go to Properties here. And let’s just…let’s say Session Limits. Let’s make an overall session limit of 200K. And I could make some other settings there. But just for now, we’ll make that setting change on My Third Policy. Now again, remember, so far I have changed the configuration of My Third Policy, but I have not actually applied that policy anywhere. So the fact that I just made that session bandwidth change, it doesn’t actually take effect until I apply it somewhere. So we’ll right click. I’ll choose Apply this policy to. Now previously, I was applying my policies to users or user groups. Well I can also apply my policies based on servers. Or I can apply them based on client names. So what this means is, if I apply a policy based on a client name, that’s going to apply to the specific ICA client names of the users that are connecting from their client devices. And it’s actually cool. The client names, I can even use wild cards. 
So, for example, if I have a bunch of thin client devices, and their computer names all start with the letter TC and then some number, I can make a policy that applies to TC*, and then that, of course, would apply to everyone connecting from a client with a name that began with the letters TC. I can also make policies based on client IP addresses. And client IP address policies are actually pretty cool, because I can set my policies so that they apply to all computers within a certain IP range, or all computers outside of a certain IP range. So perhaps I could actually make my environment so that client drive mapping is only enabled if you are connecting from IP addresses inside my firewall. We also have the ability to apply policies based on access control. And this is a new feature that is built into Citrix Presentation Server version 4. I’m not going to go into that in today’s conversation, but that ties in to Citrix’s Advanced Access Control with the Citrix Access Gateway, and ties into the whole smart access capability of what Citrix offers. And, as I said, I think that’s a conversation for a future video. But that’s another great target we have for policies. But getting back to our environment, let’s look at servers. Because, remember, I built two policies before. And both of those policies I…My First Policy, My Second Policy, I filtered those. I applied those to user groups. Well, for My Third Policy, right click, Apply this policy to. And I’ll choose Servers from my list. And I’ll check this box to enable the filtering based on server. And you’ll notice here a little filter icon right here to show, as you’re clicking through this, which of the targets have been filtered. And in this environment, I just have my one server, BMLAB-MCM1. And you see right now this is checked, because I just checked this by default, and it checks that server. So I’m going to click OK. 
So by clicking OK, that now means that My Third Policy is applied as a filter to the server called BMLAB-MCM1. So now I’ve got three policies. They’re applied to three different targets. This first policy is applied to Citrix users, second policy is applied to domain admins, and third policy is applied to a server called MCM1. So what happens now, when users connect into the environment, the Citrix software actually looks at all of the policies that are configured for the server farm and figures out which specific policies are going to apply in that situation. So, for example, in our specific situation, let’s say that a user from the group Citrix Users logs on to this server called MCM1. Well that means My First Policy is going to apply, because it is applied to Citrix users. My Second Policy will not apply, because it’s applied to domain admins. My Third Policy will apply, because it is applied to the server called MCM1. So what happens is policy number…My First Policy and My Third Policy will both apply to a Citrix User connecting to the MCM1 server. And so then we have to look at the policy settings and kind of merge them together. And this is the, I guess, the second major key with Citrix policies--and the other thing that’s actually very important to understand--is that, whenever multiple policies apply, the Citrix software will actually look through those policies, look through all the individual settings, and merge those settings together. So you can actually get one sort of master set that applies to each user when they’re making a connection. So if I have, My First Policy has some settings, and My Third Policy has some settings, the system will merge those settings together to figure out the resultant policy to actually apply to that user making that connection. Now that’s all well and good. The only thing where you could potentially run into some trouble is, what happens if there’s conflicting settings? 
And as a matter of fact, I think you might remember that, if you look at My First Policy…I’ll look at Properties here. And if I look at my bandwidth, my session limit bandwidth for overall session, I limited to 100K. Well, remember My Third Policy, if I look at the same thing, that bandwidth for the overall session, I limited that to 200K. So remember, My Third Policy is applied to my server. My First Policy is applied to Citrix Users group. Well this means if I’m connecting as a Citrix user to the server where this policy is applied, I have conflicting settings. So which one takes precedence, because I’m saying that bandwidth of 100K here or 200K there? Well, if there is one setting that conflicts, then this is where this priority comes into play. So you’ll see here that every single policy has a priority. And notice for me as an administrator, I did not have the ability to enter a numeric value for the priority. The system automatically sets the priorities for these. And the quick way to understand priorities is that, when and only when, there is a conflict between multiple settings within a policy, whichever one has a higher priority, that is, whichever one is closer to the number one on the list, is going to take precedence. So in this case, because My First Policy has a higher priority than My Third Policy, priority 1 vs. priority 3, that means that the setting, if both policies are applying and then conflict, that means the setting for My First Policy is going to take precedence. But you see, there’s these arrows, these green up arrows. I can actually use these arrows to change the priority of my various policies. So I’ve highlighted My Third Policy right now. I can click up, click up, and move policies up and down. And notice that the priorities change as I move the policies through the system. So I can move them down, I can move them up, I can move them however I want. And this is where the real power of policies can be realized. 
Because now, I can build several policies to apply to different users, and groups, and servers, and IP ranges, and all sorts of different things. And then I can adjust the priorities of my policies so that if there is a conflict, then the highest priority policy is going to win. Now, of course, you can imagine that once you get into using policies--you might have a dozen or several dozen policies--it can actually become fairly complex to sort of sort out and keep track of which policies are applying where. Well, fortunately, Citrix has provided, via this Presentation Server administration tool, a really good way for us to view policies and search and find out which policies apply in which situations. So to see this, we need to right click on the word Policies over here and click the Search option. And so what this pulls up is, this little window here that’s pulled up, is now a search box that allows us to search for which specific policies will apply in specific situations. So notice here, I’ve got all five policy targets right here. I can actually enter criteria that I will search on, and then I can click the Search button to search to see what policies apply for that specific criteria. So, remember before, we were talking about policies, we had applied a policy to the user group called Citrix Users. Well, let’s do a search on Citrix Users. So I’ll highlight my User criteria. I’ll click Edit so I can enter the search criteria. And I will go into my Citrix Users group, and there they are. Click OK there. And, remember, my server also is MCM1. So if I want to find out what happens when Citrix users are logging on to server MCM1, I can do that. So I’ve now highlighted Server. I will click Edit. And I will highlight MCM1. Click OK. And that’s okay. And now what I can do, is I can click the Search button, and then I’m going to hit No at this box right here. 
That’s basically asking if I want to enumerate users, which I don’t want to do in this particular case. So now I see I’ve searched for all policies that apply to Citrix Users group logging on to server MCM1. And we’re going to see My First Policy and My Third Policy. The reason we’re seeing both of these policies, again, is because those are the policies we’ll apply to this specific situation right here. So these are the two policies that are applying when I log on. And now I’ve got this great button down here called View Resultant Policy. So I can click the button to view the resultant policy set, and now I have a new window that pops up. And you see this new window, it’s much like the policy configuration window from before. It’s just that I do not have as many options right here. And the reason for that is, I do not have as many options right here, because this is just showing me the specific policy settings that are applying with these policies that I have right here. And so you’ll see, these are the settings that I have applied. Now look at…here’s what’s interesting. Notice for my overall session, the limit is 100K per second. And it’s showing me that it’s pulling that limit from My First Policy. Because if I click OK, remember that both My First Policy and My Third Policy both have limits that were set. But, of course, My First Policy is the one that is where the setting is being pulled from, because My First Policy has the higher priority. If, for example, I were to change this, and let’s move My Third Policy so that it has higher priority than My First Policy. So now I can go back in here. I’ll search again. And I will search on this specific server. And I will search on this specific user group. OK. Click Search. Click No. Cancel out of that. And now, here’s the policies again that are applying in my specific environment—same policies, of course. 
But when I do View resultant set of policies and look at bandwidth session limits, we will see that the overall session limit is now 200K per second and is coming from My Third Policy, whereas previously, it was coming from My First Policy. And the reason for that, of course, is because I’ve changed the priority. So now My Third Policy takes precedence over My First Policy. Now something that’s important to keep in mind when you are thinking about your policies and inheritance and priority and precedence, is that some settings within Citrix that you can control via policies, you also have the ability to control outside of policies. So what I’m talking about is you can go into your server farm and set farm properties or set server properties, and you might do things in this situation that conflict with policy settings. And, of course, if a Citrix policy setting conflicts with a farm setting, the most restrictive is going to apply. And that just is common sense. Because, of course, if you have a policy that enables a certain audio feature, but your farm setting is to have that disabled, then, of course, it’s disabled at the farm. It doesn’t matter what your policy says, the most restrictive setting is going to apply. The same thing happens with your connection configuration. So, remember, you can go into the Citrix connection configuration tool and specify the properties of a connection. Well, in that particular case, if you set a most restrictive setting at your connection level, then it doesn’t matter what your policy says. If your connection doesn’t support printing, then you’re not going to print. So, as you start to work with policies, you’ll realize they’re really very, very simple to work with. And so the last thing I want to leave you with, is I want to take a look a little bit closer into the policy setting…policy items itself. So I’m going to right click on Policies, and I’ll do Create Policy. 
I’ll create another policy, and let’s just call this policy, I guess, My Fourth Policy. And again, you would probably want to have names that are more descriptive for these in your specific environment. But for these purposes now, that’s okay. So, okay, I’m going to go ahead and right click on My Fourth Policy and go to Properties. And so now we’re looking at a brand new policy that has no settings configured. And this is what I want to point out here. Notice that for each policy item I have within the policy to configure, I have the option of Not Configured, Disabled, or Enabled. By default, you’ll notice that all options are not configured. And what the term not configured means, is that this specific item, this specific policy item does not have any settings. So if you have multiple policies that are applying in one situation, none of these settings will come out of this policy. The key is, as you are building your own policies, you will need to look at what specific items you want to work with in your environment, and you will have to explicitly disable or enable these specific policy items. So Not Configured is default, and then you need to disable or enable them. Now here’s where it gets kind of complex. Because some things like, let’s look at Audio right here, Microphones. Okay. Well, with the microphone policy, I can specifically enable the policy. But then clicking this Enabled button right here, all this means is that I am now controlling that setting via this policy. Whether I want to actually turn on or turn off microphones, that is controlled by the policy setting down here. So I enable the policy, saying yes I am now enabling the control of this item via this policy, but I still need to click here and specify the policy that I’m enforcing now. Am I enforcing people to be able to use microphones, or to not use microphones? 
So in that way, it can be kind of confusing, because sometimes you are enabling a policy, which you may have then say to not use microphones. You kind of get a little bit of a double negative. The same thing might happen with some of these visual effects policies, like this one here, Turn off desktop wallpaper. Well, by default this is not configured. If I enable this policy, you’ll see enabling it checks the box called Turn Off Desktop Wallpaper. So because the phrasing of this policy name is negative, the phrasing is to turn it off, enabling the policy is enabling the turning off of the desktop wallpaper. So you enable the policy to turn off desktop wallpaper. If you, for instance, would like to enforce a policy that makes the desktop wallpaper be turned on, then you would have to disable the policy that’s turning it off. So this means, because this policy right here is turning it off, you’re disabling the turning it off, which essentially means you’re turning it on. So these can be kind of complex. There are really no hard and fast rules for how this works. You just have to read the phrasing in here. So, is it a negative thing, where you’re enabling a policy that turns it off? Or is it something like this, where you enable it, and then you specify a limit? What’s interesting here, like take the limits, for example. If I enable this policy for the clipboard limit, I can enter any numeric value in here. Disabling that policy essentially makes an unlimited value for that limit. Disabling it means that you are technically disabling the maximum limit, which means you’re essentially letting it be wide open, and letting, in this case, the clipboard take as much space as it needs. Now, of course, a lot of people say, well, what’s the difference between not configured and disabled, because aren’t both of these settings meaning that you are letting the clipboard, in this case, take as much bandwidth as it needs? 
The answer is, yes, that’s absolutely correct that both of these settings are doing the same thing. However, remember that not configured is the default setting. So if you do not configure a clipboard bandwidth limit here, there may be another policy somewhere else that is enabling a limit that might be overriding your not configured. Whereas, if you explicitly disable the limit, this is a hard, fast configuration that says I am disabling the bandwidth limit, which means I am explicitly saying you can use as much bandwidth as you need. In that particular case, maybe there will be a lower policy that sets that bandwidth limit that you will then override by disabling the limit here. So you, again, can be very, very granular with the control that you can do with these policies. Okay. So now that you understand how policies work, let’s take a look at some real world examples that you can use to implement policies in your environment today. So let’s imagine two scenarios. For the first one, let’s say we have a remote office that is connecting via a WAN link, and we need to configure that office so that the users there do not consume too much bandwidth. So I’ll go ahead and create a new policy, and I’ll call this Remote Office. Click OK. And now I’ll right click on Remote Office. Choose Properties. And the kinds of things that I can control via policy, for example, are these visual effects. I can enable the policy that turns off desktop wallpaper. I can enable the policy that turns off menu animation, enable the policy that turns off window content while dragging. I can also go to the Client Devices area and look at Resources, and perhaps look at Audio. Maybe I want to enable the policy that controls sound quality and give my users the lowest sound quality so that they do not consume as much bandwidth. 
And, of course, I can spend some time poking through this policy list and enable other policy components that will make this work as well as possible over a low bandwidth environment. And I’ll go ahead here and click OK. So now I have this Remote Office policy. I need to right click and choose Apply this policy to. Now in this particular case, I might have a group at the remote office location of users. So my first thought is maybe I want to apply that policy to the remote users group. However, if I apply the policy to the remote users group, it would apply to those users regardless of where they log in, even if they come to the central office. And, of course, if I have central users who log in from the remote office, then they would not get that policy applied, even though they are remote. So a better way to implement the Remote Office policy is to do it by Client IP Address. So I’ll click the box to filter this policy based on client IP address. I’ll click Add. And I’ll add the IP address range of the ICA client devices that are connecting from my remote office. And by doing this, this will mean that all clients from within the IP range will get that policy. And, of course, if I want that policy to override all other policies, I can go ahead and move it to the top of my list. And that will ensure that any users connecting remotely will get this policy in place. Another great way that we can use policies, and something we can do today, is to help deal with contractors. And so let’s create a policy specifically for contractors. And there are many things that I may want to do for my contractors who connect into my environment. So I’ll go into that policy and look at the properties of that. Maybe one thing with contractors is I do not want my contractors to be able to access their local drives from within their session. So I’d go ahead and enable the policy that controls mappings and turn off all the different client drives. 
Along those same lines, I might want to configure the clipboard policy so that my contractors do not cut and paste sensitive information out of my Citrix environment onto their laptops. And, of course, again, I can go through these other policy items and configure as appropriate for contractors. So, again, I’ll click OK here. Now I will right click on my Contractors policy. Choose Apply this policy to. In this case, I’m going to do based on users, and so I’ll go ahead and click my box to filter based on users. And I’ll browse through my groups in active directory and find the Contractors group and apply it there. And I see it on the list. Click OK. And we’re ready to go. As I said, this was just a really high level introduction as to what you can do with policies and the power behind them. But I hope that you can go into your environment and start playing with policies. Remember that you have to create the policy object. You have to set the properties of the policy. Then you have to apply the policy somewhere. And then, of course, once you start getting multiple policies in your environment, don’t forget about that tool where you can right click and go into view the resultant set of policies, and search filters, and see specifically how the policies will apply within your environment. So with that, thank you so much for your time, and happy configuration.
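The merge rules walked through in the video (filtering a policy to users, servers, client names or client IP ranges; merging every applying policy by priority, with the policy nearest the top of the list winning a conflict; Not Configured contributing nothing while Disabled is an explicit override; and a farm or connection setting beating a policy when it is more restrictive) can be simulated in a few dozen lines. The following is an added example and not Citrix code or anything from the video. The policy names, groups, server name, the 100K/200K session limits, the 128-bit encryption setting and the TC* client-name pattern come from the transcript; the item names, the data model, the rule that every filter type configured on one policy must match, the 10.20.0.0/16 remote-office range, the clipboard limits and the numeric reading of "most restrictive" are assumptions of this simulation.

```python
"""Simulation of Presentation Server policy filtering, priority merging and
the 'most restrictive wins' rule against farm/connection settings. Added
example, not Citrix code; item names, the data model, the all-filters-must-
match rule and the sample values are assumptions of this simulation."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress

# A policy item is Not Configured when absent from `settings`; otherwise it is
# ("enabled", value) or ("disabled", None). Disabled is an explicit choice that
# still overrides lower-priority policies; Not Configured contributes nothing.


@dataclass
class Policy:
    name: str
    priority: int                                       # 1 = top of the console list
    settings: dict = field(default_factory=dict)        # item -> (state, value)
    users: set = field(default_factory=set)             # filter: user groups
    servers: set = field(default_factory=set)           # filter: server names
    client_names: set = field(default_factory=set)      # filter: wildcard patterns
    client_ip_ranges: list = field(default_factory=list)  # filter: ip networks

    def applies(self, ctx):
        """True when the policy is filtered to this connection. A policy with no
        filter is 'configured but not applied anywhere' and never fires."""
        checks = []
        if self.users:
            checks.append(bool(self.users & ctx["groups"]))
        if self.servers:
            checks.append(ctx["server"] in self.servers)
        if self.client_names:
            checks.append(any(fnmatch(ctx["client_name"], p) for p in self.client_names))
        if self.client_ip_ranges:
            ip = ipaddress.ip_address(ctx["client_ip"])
            checks.append(any(ip in net for net in self.client_ip_ranges))
        return bool(checks) and all(checks)  # assumed: every configured filter type must match


def resultant_policy(policies, ctx):
    """Merge every applying policy into one resultant set: for each item the
    applying policy with the lowest priority number supplies the value, as in
    the console's View Resultant Policy window.
    Returns item -> ((state, value), source policy name)."""
    applying = sorted((p for p in policies if p.applies(ctx)), key=lambda p: p.priority)
    result = {}
    for p in applying:
        for item, setting in p.settings.items():
            result.setdefault(item, (setting, p.name))  # first seen = highest priority
    return result


def set_priorities(policies, ordered_names):
    """Mimic the green up/down arrows: the console renumbers priorities from 1
    in list order, so a new order is just a renumbering."""
    by_name = {p.name: p for p in policies}
    for prio, name in enumerate(ordered_names, start=1):
        by_name[name].priority = prio


def most_restrictive(policy_value, farm_value):
    """Policy setting vs farm or connection setting: the most restrictive one
    applies. For on/off items 'off' wins; treating the smaller of two numeric
    limits as the more restrictive is an assumption of this simulation."""
    if isinstance(policy_value, bool) or isinstance(farm_value, bool):
        return bool(policy_value and farm_value)
    return min(policy_value, farm_value)


def build_demo_farm():
    """Constructed farm mirroring the transcript's policies and targets."""
    return [
        Policy("My First Policy", 1, users={"Citrix Users"},
               settings={"session_bandwidth_kbps": ("enabled", 100),
                         "clipboard_bandwidth_limit": ("disabled", None)}),  # constructed
        Policy("My Second Policy", 2, users={"Domain Admins"},
               settings={"encryption": ("enabled", "128-bit")}),
        Policy("My Third Policy", 3, servers={"BMLAB-MCM1"},
               settings={"session_bandwidth_kbps": ("enabled", 200),
                         "clipboard_bandwidth_limit": ("enabled", 50)}),     # constructed
        Policy("Remote Office", 4, client_ip_ranges=[ipaddress.ip_network("10.20.0.0/16")],
               settings={"turn_off_desktop_wallpaper": ("enabled", True)}),
        Policy("Thin Clients", 5, client_names={"TC*"},
               settings={"sound_quality": ("enabled", "low")}),
    ]


# Constructed connection: a member of Citrix Users logging on to BMLAB-MCM1.
CITRIX_USER_ON_MCM1 = {"groups": {"Citrix Users"}, "server": "BMLAB-MCM1",
                       "client_name": "LAPTOP07", "client_ip": "192.168.1.10"}


if __name__ == "__main__":
    farm = build_demo_farm()
    print(resultant_policy(farm, CITRIX_USER_ON_MCM1))       # 100K from My First Policy
    set_priorities(farm, ["My Third Policy", "My First Policy", "My Second Policy",
                          "Remote Office", "Thin Clients"])
    print(resultant_policy(farm, CITRIX_USER_ON_MCM1))       # 200K from My Third Policy
```

Run as-is, the first print reproduces the video's first search result (the session limit comes from My First Policy), and the second shows the limit switching to My Third Policy after the priorities are reordered. The clipboard item shows the Disabled-versus-Not-Configured distinction: while My First Policy sits above My Third Policy, its explicit Disabled wins and the 50 limit never applies; swap the order and the limit comes back.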

anonymous - Great video how about re-doing it in Xenapp 6
