The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.
Typically, an admin that implements the Access Gateway Enterprise Edition(AGEE), find themselves deciding how to lock down the environment that the users will connect to. I have been asked many times what the “Best Practice” would be to restrict or allow access to their users. What I like to explain is that the normal security guidelines come into play first, however each environment can differ based on company security policies and application delivery goals.
What I like most about the AGEE, aside from multiple vServers, automated failover, enterprise scalability, policy control, etc.. is the flexibility to provide secure remote access to Presentation Server applications without using a “VPN” client. The AGEE’s is called the Secure Access Client(SAC). The SAC is there if needed, and all of the granular access policies can be applied to the full “VPN” tunnel. The flexibility to give users access to just Presentation Server application and/or a full desktop experience is only outdone by the ease and flexibility of the policies that can determine the users logon session environment……. This is called SmartAccess and it gets performed via the AGEE appliance itself.
Bottom line with using policies is to make sure you start with a solid design. Included in that design should be what kind of users will be connecting and what resources they will need access to. From there, you will need to decide on if you need to run Pre-Authentication Policies to grant/deny access to the logon page as well as determining other features that the users will have during their session. In addition, you will need to determine if you need to setup any policies to run End-Point Analysis after their credentials are entered to filter Presentation Server applications and/or grant/deny access to other resources, including the entire session.
This is just the beginning, there are many other features provided by the AGEE as well as many different combinations of how to apply policy and dynamically create the users logon environment when connecting via the AGEE. I hope after reading this, you too will be excited about the power and flexibility of the AGEE and remember to keep in mind how important an initial design is to maximize the AGEEs full potential.