As the name suggests, SmartAccess allows policies and resources to be applied intelligently based on conditions such as the user’s location and the software running on the endpoint. The ability to adjust dynamically to changing conditions is a must-have for any deployment whose users roam between locations and devices. SmartAccess lets you align access controls with business priorities while giving users a better experience.
In this blog post, I will be providing some real world scenarios where SmartAccess was used successfully. In addition, I will also provide details of the configuration so that you can replicate and expand upon these examples in your own environment. Be sure to check out the Smart Access video series that demos each of the examples below in greater detail. Also, for more information on how Citrix compares to the competition, check out this great webinar: Who has the best VDI? Compare View and XenDesktop.
Why SmartAccess is Superior to the Competition
XenDesktop & XenApp are uniquely positioned in their ability to offer context-aware security based on granular policies. The key point is the dynamic nature of the policies: the conditions are evaluated at connection time rather than fixed when the resource is assigned. Citrix can also apply policies via Active Directory, but that is only one of many options for applying security policies.
VMware Horizon View does offer the ability to filter access to virtual desktops and applications, but only via user group membership, antiquated session scripts, or tagging Connection Servers. This is a static and restricted approach that does not provide the flexibility needed in a mobile workplace, where security has to be balanced against the overall user experience. As a result, VMware cannot adequately address the business requirements in the scenarios detailed later in this post.
For a better understanding of the security features XenDesktop & XenApp have compared to VMware, let’s take a look at this table:
SmartAccess Real World Examples
As a Citrix Consultant traveling to customers, one of the things I enjoy most is seeing how our technologies are used in new and interesting ways to simplify how businesses operate. In the real world, businesses have multiple policies configured at once that must work together seamlessly to support different user groups and devices while still conforming to their security requirements. This is why I thought it would be a great idea to develop SmartAccess scenarios that are all configured simultaneously, to demonstrate the seamless experience when moving between different devices, locations, and software configurations.
These different example scenarios below are real life use-cases I’ve seen in my journeys in Consulting and show how customers have aligned Citrix technology with their business objectives. This provides a great starting point for developing access policies for your organization’s specific use cases and business requirements. To see even more examples for filtering access to applications and desktops, read this other great blog post from Citrix Consulting.
Location Based Citrix Policies (Video Walkthrough)
Company A has six offices spread all across the country. Two of the offices are satellite locations with a very small number of employees. These two locations have a single T1 connection and are not connected to the corporate intranet. This means bandwidth is very limited and connections back to the main datacenter occur over the public Internet.
To allow these locations to access their virtual desktops as efficiently as possible, a SmartAccess policy was created that identifies the locations by their public IP address (the source address NetScaler Gateway sees, i.e. the office’s NAT address) and then optimizes the Citrix session for low bandwidth. Since the low-bandwidth policy is applied only when the connection arrives from those addresses, employees will not have the same policy applied when they connect from home or from another office with a faster Internet connection.
To apply policies dynamically with Horizon View, VMware has a very antiquated method called “Session Scripts” which is far from easy to configure. I hope everyone remembers their Visual Basic coding skills, because you’re going to need them! This isn’t a joke: you have to write a custom Visual Basic script to assign policies based on the IP address of the end user. With Citrix, this is simply a policy filter configured in the Citrix Studio GUI.
Secure Application Access by Location (Video Walkthrough)
Company A has recently merged with Company B, another large corporation that uses the same internal IP subnets. Instead of merging the two IP networks, the decision was made to allow access between them via NetScaler Gateway. The applications that users at Company B will be accessing are highly sensitive and must not be reachable when the user is outside Company B’s corporate office. Therefore, Company A has set a policy that only publishes certain applications when users at Company B are in the office. When they connect remotely from home, the sensitive applications are not listed and are unavailable. Note that “in the office” is inferred from the source IP address of the connection as seen by NetScaler Gateway, so the office subnets used in the filter must not be reachable from outside (for example through another VPN), or the check can be bypassed.
With VMware Horizon View’s static policy engine, it is not possible to limit access to applications based on the user’s network subnet. Resource assignment (entitlements) can only be controlled via user group membership. You could try to hack together a solution by adding a second View Connection Server and using tagging. This method could provide different resource assignments for internal and external users, but that is where the flexibility ends; it would not allow access to applications to be limited by the user’s IP subnet. With Citrix, the same user account receives a different list of applications depending on the user’s location.
Virus Scanning Verification (Video Walkthrough)
Company A has a strict policy that antivirus software must be running on all computers on the corporate network. To allow users who access their virtual desktops and applications from personal devices at remote locations to map their local drives, Company A would like a policy that verifies McAfee Antivirus is running on the endpoint and that its virus definitions have been updated within the last 3 days.
With VMware Horizon View’s static policy engine, you cannot run endpoint scans to filter access to policies and resources. With Citrix, a dynamic and granular policy engine allows Endpoint Analysis (EPA) scans to run on the endpoint device to validate that the device is compliant before Client Drive Redirection is enabled. Keep in mind that the EPA result is reported by the client-side plug-in, so it raises the bar on personal devices rather than proving the endpoint is clean; it should be one control among several, not the only one. As a side note, PCoIP (the default protocol of VMware View) does not support Client Drive Redirection, so users must connect with the Remote Desktop Protocol instead. This alone tremendously degrades the user experience.
Behind the Scenes
To provide a better understanding of how SmartAccess policies are applied, I will detail the policy configuration on NetScaler Gateway and XenDesktop. First, session policies are configured on NetScaler Gateway, each containing an expression that is evaluated against incoming requests. In one of the examples presented earlier, the session policy contains an expression that matches a source IP address. If the expression matches an incoming connection, the session policy evaluates as true and its name is passed on to XenDesktop. Below is a screenshot of the NetScaler Gateway session policy configuration:
On the XenDesktop side, policies and Delivery Groups can be filtered so that they apply only under certain conditions. One of these conditions is the outcome (true/false) of a session policy on NetScaler Gateway. For example, if the “Low Bandwidth Location” session policy expression evaluates as true, the name of the session policy is sent to XenDesktop, where it can be used as a filter. In the screenshot below, an Access Control filter has been configured on a XenDesktop policy so that the policy applies when the “Low Bandwidth Location” session policy is true and the connection comes from a NetScaler Gateway named “gateway”.
Below are the XenDesktop policies configured for the example scenarios discussed earlier. The “Managed Devices” policy allows Client Drive Redirection when the endpoint has the required antivirus configuration. The “General Remote Users” policy applies to all remote connections through NetScaler Gateway. If the user connects with a valid antivirus configuration, the “Managed Devices” policy overrides the Client Drive Redirection setting of “General Remote Users” because it has the higher priority (in Citrix Studio, a lower priority number means a higher priority, so priority 1 wins over priority 2). The “Low Bandwidth” policy is applied when connections come from the IP subnets listed in the “Low Bandwidth Locations” session policy on NetScaler Gateway. Settings that a higher-priority policy does not configure fall through to the next applicable policy, which is how the three policies combine for a user who matches more than one of them.
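To make the chain above concrete, here is a small Python model of the whole flow, covering the three scenarios (low-bandwidth locations, Company B office-only applications, and the antivirus check) and the Gateway-to-XenDesktop hand-off described in this section. It is an added example written for this post, not Citrix code, and it does not talk to a NetScaler or a Delivery Controller: the session policy expressions, the Access Control filters, the priority-based merge of settings and the Delivery Group filtering are modelled in plain Python. All subnets, policy names, setting names and the 3-day threshold are hypothetical values chosen for the example; the connections fed to it are constructed inputs.

```python
"""Model of the SmartAccess chain: Gateway session policies -> matched policy names
-> XenDesktop Access Control filters -> merged settings. Added example, not Citrix code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

NOW = datetime(2014, 6, 1, 9, 0)  # fixed clock so the example is reproducible


@dataclass
class Connection:
    """What the Gateway can see for one incoming session (constructed input)."""
    src_ip: str
    gateway: str = "gateway"                   # NetScaler Gateway name the broker sees
    av_product: Optional[str] = None           # reported by the EPA plug-in on the client
    av_running: bool = False
    av_definitions_updated: Optional[datetime] = None


# Hypothetical ranges: public NAT addresses of the two satellite offices, and the
# range the Gateway sees for Company B office users.
LOW_BANDWIDTH_SUBNETS = [ip_network("203.0.113.0/28"), ip_network("198.51.100.64/28")]
COMPANY_B_OFFICE_SUBNETS = [ip_network("10.20.0.0/16")]
AV_MAX_DEFINITION_AGE = timedelta(days=3)


def low_bandwidth_location(conn: Connection, now: datetime) -> bool:
    return any(ip_address(conn.src_ip) in net for net in LOW_BANDWIDTH_SUBNETS)


def company_b_office(conn: Connection, now: datetime) -> bool:
    return any(ip_address(conn.src_ip) in net for net in COMPANY_B_OFFICE_SUBNETS)


def managed_device(conn: Connection, now: datetime) -> bool:
    """EPA-style check: McAfee running, definitions no older than 3 days. The values are
    self-reported by the client plug-in, so this raises the bar; it is not proof."""
    if conn.av_product != "McAfee" or not conn.av_running or conn.av_definitions_updated is None:
        return False
    return now - conn.av_definitions_updated <= AV_MAX_DEFINITION_AGE


# Gateway session policies: name -> expression. Only the name travels to XenDesktop.
SESSION_POLICIES = {
    "Low Bandwidth Location": low_bandwidth_location,
    "Company B Office": company_b_office,
    "Managed Devices": managed_device,
}


def matched_session_policies(conn: Connection, now: datetime) -> List[str]:
    return [name for name, rule in SESSION_POLICIES.items() if rule(conn, now)]


# XenDesktop side. An Access Control filter is (gateway name, session policy name);
# None stands for the '*' wildcard in Studio. Priority 1 is the highest, as in Studio.
XENDESKTOP_POLICIES = [
    {"name": "Managed Devices", "priority": 1, "filter": ("gateway", "Managed Devices"),
     "settings": {"Client drive redirection": "Allowed"}},
    {"name": "Low Bandwidth", "priority": 2, "filter": ("gateway", "Low Bandwidth Location"),
     "settings": {"Visual quality": "Low", "Audio quality": "Low"}},
    {"name": "General Remote Users", "priority": 3, "filter": ("gateway", None),
     "settings": {"Client drive redirection": "Prohibited",
                  "Visual quality": "Medium", "Audio quality": "Medium"}},
]
DELIVERY_GROUPS = [
    {"name": "Company B Secure Apps", "filter": ("gateway", "Company B Office")},
    {"name": "Standard Apps", "filter": ("gateway", None)},
]


def filter_matches(flt, conn: Connection, matched: List[str]) -> bool:
    gateway, condition = flt
    if gateway is not None and gateway != conn.gateway:
        return False
    return condition is None or condition in matched


def effective_settings(conn: Connection, matched: List[str]) -> Dict[str, str]:
    """Merge applicable policies: for each setting the highest-priority (lowest
    number) policy that configures it wins; unconfigured settings fall through."""
    result: Dict[str, str] = {}
    for policy in sorted(XENDESKTOP_POLICIES, key=lambda p: p["priority"]):
        if filter_matches(policy["filter"], conn, matched):
            for setting, value in policy["settings"].items():
                result.setdefault(setting, value)
    return result


def visible_delivery_groups(conn: Connection, matched: List[str]) -> List[str]:
    return [g["name"] for g in DELIVERY_GROUPS if filter_matches(g["filter"], conn, matched)]


def evaluate(conn: Connection, now: datetime = NOW) -> dict:
    """Whole chain for one connection: what the Gateway passes on and what the user gets."""
    matched = matched_session_policies(conn, now)
    return {"session_policies": matched,
            "settings": effective_settings(conn, matched),
            "delivery_groups": visible_delivery_groups(conn, matched)}


def av_endpoint(src_ip: str, days_since_update: int) -> Connection:
    """Constructed endpoint reporting McAfee running with definitions of the given age."""
    return Connection(src_ip, av_product="McAfee", av_running=True,
                      av_definitions_updated=NOW - timedelta(days=days_since_update))
```

Calling `evaluate(Connection("203.0.113.5"))` models a satellite-office user: only “Low Bandwidth Location” matches, so visual and audio quality drop to Low while Client Drive Redirection stays Prohibited from “General Remote Users”. `evaluate(av_endpoint("192.0.2.10", 1))` models a home user with current definitions: “Managed Devices” turns Client Drive Redirection on and everything else falls through to the remote-user defaults. A user who matches both conditions gets both effects, which is the stacking behaviour the priority order is meant to produce.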
Verifying the Policies Are Applied
Before deploying to production, it is important to validate the configuration using tools inside your Citrix session and on NetScaler. First, to confirm that the SmartAccess filters are applied when logging in through NetScaler Gateway, run the nsconmsg -d current -g pol_hits command from the NetScaler shell. This displays the names of the session policies that are hit when a user logs in. It is best to run this command in a test environment so that it captures a single test user rather than a large number of production users accessing the environment.
To validate that the appropriate policies are being applied inside the XenDesktop or XenApp session, I recommend using HDX Monitor. This tool will display the values of the policies being applied to each individual session. I used this tool inside the videos demoing each SmartAccess scenario to validate that the policies are different in each session.