Blueprint for Accessing your desktops and apps

Based on the XenDesktop 7 Blueprint, we have already created a definition of our user layer. The next step is to define how users will access their environment. Just like a house, you have doors and locks. In order to gain entry, you have to have the right keys for the right door.

Defining the access layer is essentially a matter of specifying the access policies required for internal versus external users. What’s an access policy? It is simply a definition of the following 4 items:

  • Authentication point: Where do users first enter their credentials? Typically, this is either StoreFront or NetScaler Gateway.
  • Authentication policy: How many and what type of authentication factors must users provide before access is granted? Username, password, RADIUS, etc.
  • Session policy: Will different devices receive different levels of access? Some people want to provide a different access experience based on their device being either mobile (iOS, Android or Microsoft tablets and phones) or non-mobile (such as Windows, Mac®, Linux). In order to do this, the NetScaler Gateway must be able to determine the endpoint device type. This is accomplished by using the following expressions:
    • Mobile Devices: The expression is set to “REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver” which is given a higher priority than the non-Mobile device policy to ensure mobile devices are matched while non-Mobile devices are not.
    • Non-Mobile Devices: The expression is set to “ns_true” which signifies that it should apply to all traffic that is sent to it.
  • Session profile: What network connection will users be granted: Full VPN or ICA Proxy? Full VPN provides the endpoint with full access to the internal network, while ICA Proxy only allows the ICA protocol through.
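
To show why the mobile policy must be bound at a higher priority than the ns_true catch-all, here is a small added example (not Citrix code and not part of the original post) that simulates how a NetScaler Gateway virtual server walks its bound session policies: lowest priority number first, first match wins. It supports only the two expressions above; the policy names and User-Agent strings are constructed for illustration. Note that the User-Agent header is supplied by the client, so this selection only chooses a session experience and must not be relied on as an authorization decision.

```python
import re
from dataclasses import dataclass

# The real classic-expression grammar is far richer; this toy evaluator covers
# only the two expressions the blueprint uses (deliberate simplification).
_HEADER_RE = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S+)$")

@dataclass(frozen=True)
class SessionPolicy:
    name: str        # hypothetical policy names, e.g. "PL_Mobile"
    expression: str  # classic expression string as written in the post
    profile: str     # session profile the policy applies (ICA Proxy here)

def matches(expression: str, headers: dict) -> bool:
    """Evaluate one classic expression against request headers (header names case-insensitive)."""
    if expression == "ns_true":
        return True
    m = _HEADER_RE.match(expression)
    if not m:
        raise ValueError(f"unsupported expression: {expression}")
    header, needle = m.groups()
    lowered = {k.lower(): v for k, v in headers.items()}
    return needle in lowered.get(header.lower(), "")

def select_policy(bindings, headers):
    """bindings: list of (priority, SessionPolicy). The vserver evaluates the
    lowest priority number first and stops at the first expression that is true."""
    for _, policy in sorted(bindings, key=lambda b: b[0]):
        if matches(policy.expression, headers):
            return policy.name
    return None

MOBILE = SessionPolicy("PL_Mobile", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver", "ICA Proxy")
NON_MOBILE = SessionPolicy("PL_NonMobile", "ns_true", "ICA Proxy")

# Mobile bound at 100 (evaluated first), catch-all at 110: the ordering the post recommends.
RECOMMENDED = [(100, MOBILE), (110, NON_MOBILE)]
# The mistake the post warns against: the catch-all evaluated first shadows the mobile policy.
REVERSED = [(100, NON_MOBILE), (110, MOBILE)]

# Constructed sample requests (not captured traffic).
RECEIVER_REQ = {"User-Agent": "CitrixReceiver/3.0 (iPad; iOS 7.0)"}
BROWSER_REQ = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/24.0"}

if __name__ == "__main__":
    for label, bindings in (("recommended", RECOMMENDED), ("reversed", REVERSED)):
        print(label, select_policy(bindings, RECEIVER_REQ), select_policy(bindings, BROWSER_REQ))
```

With the recommended binding the Receiver request lands on PL_Mobile and the browser request on PL_NonMobile; with the priorities reversed every request lands on PL_NonMobile.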

As you can imagine, there are many options for these 4 items, but here is what most people use:

Users connecting from…   | Local, trusted network    | Remote, untrusted network
Authentication Point     | StoreFront                | NetScaler Gateway
Authentication Policy    | Simple authentication     | Multi-factor authentication
                         | (username and password)   | (username, password and token)
Session Policy           | Not applicable            | Mobile and Non-Mobile
Session Profile          | Not applicable            | ICA Proxy

And with this, our diagram continues to evolve.

We have now included the following:

  • User group location
  • User group end point device
  • Full Access layer communication
  • NetScaler added as an Access Controller in the Control Layer

Stay tuned for the Resource Layer…
Daniel – Lead Architect
