Based on the XenDesktop 7 Blueprint, we have already created a definition of our user layer. The next step is to define how users will access their environment. Just like a house, you have doors and locks. In order to gain entry, you have to have the right keys for the right door.
Defining the access layer is basically focusing on the required access policies for internal vs. external users. What’s an access policy? It is simply defining the following 4 items:
- Authentication point: Where do users first enter their credentials? Typically, this is either StoreFront or NetScaler Gateway.
- Authentication policy: How many and what type of authentication factors must users provide before access is granted? Username, password, RADIUS, etc.
- Session policy: Will different devices receive different levels of access? Some people want to provide a different access experience based on their device being either mobile (iOS, Android or Microsoft tablets and phones) or non-mobile (such as Windows, Mac®, Linux). In order to do this, the NetScaler Gateway must be able to determine the endpoint device type. This is accomplished by using the following expressions:
- Mobile Devices: The expression is set to “REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver”. This policy is given a higher priority than the non-mobile policy so that mobile devices match it before the catch-all non-mobile policy is evaluated.
- Non-Mobile Devices: The expression is set to “ns_true”, which matches all traffic, so this policy acts as the catch-all for every device the mobile policy did not match.
- Session profile: What network connection will users be granted: Full VPN or ICA Proxy. Full VPN provides the endpoint with full access to the internal network while ICA Proxy only allows the ICA protocol access.
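To make the priority point concrete, here is a small added example (constructed for this post, not Citrix code or anything from the appliance) that models how NetScaler Gateway picks a session policy: policies are tried in priority order, where on the appliance a lower priority number is evaluated first, and the first matching expression wins. The evaluator only understands the two expression shapes used above, `ns_true` and `REQ.HTTP.HEADER <name> CONTAINS <value>`; the policy names, priorities and User-Agent strings are assumptions. It also shows the failure mode the post warns about: if the `ns_true` policy is evaluated first, every device, mobile included, lands on the non-mobile profile.

```python
"""Model of priority-ordered NetScaler Gateway session-policy matching.

Constructed example for illustration; it is not Citrix code and only supports
the two classic-syntax expression shapes used in the post.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


@dataclass(frozen=True)
class SessionPolicy:
    name: str        # hypothetical policy name
    priority: int    # lower number = evaluated first, as on the appliance
    expression: str  # classic-syntax rule
    profile: str     # session profile the policy selects


def matches(expression: str, headers: Mapping[str, str]) -> bool:
    """Evaluate 'ns_true' or 'REQ.HTTP.HEADER <name> CONTAINS <value>'.

    Header names are compared case-insensitively (HTTP header names are);
    the CONTAINS substring test is case-sensitive here, a simplification.
    """
    if expression == "ns_true":
        return True
    parts = expression.split()
    if len(parts) == 4 and parts[0] == "REQ.HTTP.HEADER" and parts[2] == "CONTAINS":
        wanted = parts[1].lower()
        value = next((v for k, v in headers.items() if k.lower() == wanted), "")
        return parts[3] in value
    raise ValueError(f"unsupported expression: {expression}")


def select_policy(policies: Iterable[SessionPolicy],
                  headers: Mapping[str, str]) -> Optional[SessionPolicy]:
    """Return the first policy, in ascending priority order, whose rule matches."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy.expression, headers):
            return policy
    return None


MOBILE_RULE = "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"

# Correct binding: the specific mobile rule is evaluated before the catch-all.
POLICIES = [
    SessionPolicy("PL_OS_Mobile", 100, MOBILE_RULE, "ICA Proxy (mobile)"),
    SessionPolicy("PL_OS_NonMobile", 110, "ns_true", "ICA Proxy (non-mobile)"),
]

# Misordered binding: the catch-all has the lower number and shadows the mobile rule.
MISORDERED = [
    SessionPolicy("PL_OS_NonMobile", 100, "ns_true", "ICA Proxy (non-mobile)"),
    SessionPolicy("PL_OS_Mobile", 110, MOBILE_RULE, "ICA Proxy (mobile)"),
]

# Constructed request headers standing in for a Receiver on a phone and a desktop browser.
MOBILE_HEADERS = {"user-agent": "Mozilla/5.0 (iPhone) CitrixReceiver/7.1"}
DESKTOP_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"}


def classify(policies: Iterable[SessionPolicy], headers: Mapping[str, str]) -> str:
    """Name of the policy a request would hit, or 'no match'."""
    chosen = select_policy(policies, headers)
    return chosen.name if chosen else "no match"


if __name__ == "__main__":
    for label, headers in (("mobile", MOBILE_HEADERS), ("desktop", DESKTOP_HEADERS)):
        print(f"correct order, {label}: {classify(POLICIES, headers)}")
        print(f"misordered,    {label}: {classify(MISORDERED, headers)}")
```

Running it shows the mobile request hitting `PL_OS_Mobile` only under the correct binding order; with the catch-all bound first, both requests land on `PL_OS_NonMobile`, which is exactly why the mobile policy needs the higher priority.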
As you can imagine, there are many options for these 4 items, but here is what most people use:
| Users connecting from… | Local, trusted network | Remote, untrusted network |
|---|---|---|
| Authentication Point | StoreFront | NetScaler Gateway |
| Authentication Policy | Simple authentication (username and password) | Username, password and token |
| Session Policy | Not applicable | Mobile and Non-Mobile |
| Session Profile | Not applicable | ICA Proxy |
And with this, our diagram continues to evolve.
We have now included the following:
- User group location
- User group end point device
- Full Access layer communication
- NetScaler added as an Access Controller in the Control Layer
Stay tuned for the Resource Layer…
Daniel – Lead Architect