They say simplicity is the best form of security.
The less complex your access controls, the fewer gates there are to open or close, the more invisible the security checks and the greater your chances of maintaining a highly secure, yet user-friendly environment. That has been the philosophy driving the seamless integration between NetScaler and XenApp-XenDesktop.
In this post, we’ll discuss a step-by-step guide that helps you demonstrate this goodness in your own setup, and do it with minimal effort.
SmartAccess has long been a cornerstone of the Citrix value in “securing remote access from any location, on any device.” A granular system of triggers is the basic building block of this security strategy. The Citrix ICA protocol contains multiple virtual channels within a single TCP connection, each responsible for a different aspect of the user interaction, such as keyboard or mouse input, screen display, USB devices, multimedia, and so on. SmartAccess uses a number of Active Directory and network conditions to disable or enable each of these virtual channels for a given group of users.
Thanks to the deep visibility from XenApp and XenDesktop, NetScaler has the right data to make intelligent decisions about user access to resources, even in the face of dynamically changing conditions. For instance, User A has full access to a server when inside the office, but when they connect from outside, that access automatically becomes “read-only”. Or take another example, where User B can access sensitive database servers from a locked-down corporate device, but the access is blocked if the same user tries to log in from an unknown device. The unknown device may still be allowed email and basic app access. This is a sophisticated system that can respond dynamically to security and access needs, with minimal administrative intervention.
SmartAccess can be deployed in multiple ways. It can be enforced on StoreFront alone, where NetScalers are not used in the environment. To include network-level information in the decision-making, deploy an integrated NetScaler Gateway. It can also be deployed on a NetScaler with Unified Gateway. In this case, not only is the network a factor in the analysis, enforcement is also performed at the network edge. This has multiple advantages: a large number of XenApp and XenDesktop sites can be secured with a single unified gateway; a rogue connection is dropped at the network edge before it even enters the application server; and it can extend SmartAccess to other services beyond XenApp and XenDesktop. Hence, this method is branded as “SmartControl”.
Whichever SmartAccess strategy you choose, it can enhance security in common scenarios and greatly reduce administrative overhead thanks to an intelligent, hands-free policy engine. The actual steps will differ a little, which is where this guide comes in handy. This guide shows you how to set up and successfully demonstrate common scenarios. It also includes a step-by-step guide to integrating a XenApp and XenDesktop site with a NetScaler Gateway VPX appliance.
Let’s have a look at a couple of common scenarios:
Scenario 1 – Employee A wants to connect a USB device to her machine. Let’s say we want to enforce a policy that the user will be able to copy data to and from USB devices only while in the office. When Employee A connects the USB device in the office, she should be able to see it inside her session and access the data on it. But when she tries to connect the same device from her home, she is denied access: redirection of the USB device into the session is blocked.
Scenario 2 – Sales Rep A wants to print a file on a share in the office network from a remote location. Let’s say we want to enforce a policy that users will only be able to copy data to and from their devices into their sessions if the antivirus application is installed on them. When Sales Rep A connects from a device at a client location that does not have the antivirus installed, she should not be able to copy data on the machine into the session. But when she connects from her laptop that has the antivirus (even if it’s from her home), she is allowed access: clipboard redirection to the session is enabled.
The simple fact is that users are not as static as their Active Directory group assignment. Users travel from office to office, access internal files from client locations, and take work home with them to continue on personally owned devices. If their corporate device breaks, some users may borrow a temporary device to get work done, in which case you want to balance their productivity with the compliance policies of your organization. SmartAccess and SmartControl take the guesswork out of your security, and help you translate security compliance policies into an adaptive and intelligent remote access solution.
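The two scenarios above can be read as one decision table with an independent trigger per virtual channel. The following Python sketch is an added conceptual model, not Citrix code and not taken from the guide; the channel names, the Connection fields and the office address range are assumptions chosen for illustration.

```python
"""Conceptual model of per-channel access decisions (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: a constructed documentation range stands in for the office LAN.
OFFICE_NETWORKS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Connection:
    user: str
    source_ip: str
    antivirus_ok: Optional[bool]  # None = endpoint scan returned no result


def in_office(conn: Connection) -> bool:
    addr = ip_address(conn.source_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def antivirus_present(conn: Connection) -> bool:
    # Fail closed: an unknown posture is treated like a failed scan.
    return conn.antivirus_ok is True


# Each gated channel has its own trigger, evaluated independently.
CHANNEL_TRIGGERS = {
    "usb_redirection": in_office,                # Scenario 1
    "clipboard_redirection": antivirus_present,  # Scenario 2
}
# Channels with no trigger in this model are always carried.
ALWAYS_ON = ("keyboard_mouse", "display")


def channel_decisions(conn: Connection) -> dict:
    """Return {channel: enabled} for one connection attempt."""
    decisions = {name: True for name in ALWAYS_ON}
    for channel, trigger in CHANNEL_TRIGGERS.items():
        decisions[channel] = trigger(conn)
    return decisions


def blocked_channels(conn: Connection) -> list:
    return sorted(c for c, ok in channel_decisions(conn).items() if not ok)


if __name__ == "__main__":
    # Constructed sample connections matching the two scenarios.
    for conn in (Connection("employee_a", "192.0.2.25", True),
                 Connection("employee_a", "203.0.113.7", True),
                 Connection("sales_rep_a", "198.51.100.40", False),
                 Connection("sales_rep_a", "203.0.113.7", True)):
        print(conn.user, conn.source_ip, "blocked:", blocked_channels(conn))
```

Because the triggers are independent, Sales Rep A on her own laptop at home gets clipboard redirection but still not USB redirection, and a connection whose endpoint scan returned nothing loses the clipboard channel rather than keeping it.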
Download the free product trials now, and use these guides to give it a spin. You may be surprised how simple it is to maintain the five-star security you need and the user delight your users deserve.