Chapter 5: SmartAccess Policy Development
This chapter reviews SmartAccess policy development. Before we start to configure our Citrix Access Gateway Advanced Edition solution it is necessary to identify and document your organization's user communities, the corporate resources they need to do their jobs and the various access scenarios. This allows us to understand how to configure SmartAccess policies to meet your project's business requirements. This chapter focuses on how to develop a SmartAccess policy matrix and a decision tree, both of which help us map business requirements to SmartAccess policies.
Developing a SmartAccess policy matrix and a decision tree helps ensure that your Citrix application delivery solution meets or exceeds expectations. Your organization's enterprise architecture can be used as a blueprint for both the SmartAccess policy matrix and the decision tree, which are then used to map business requirements to your SmartAccess policies and filters in Citrix's management console.
The goal of a SmartAccess policy matrix is to document your organization's user communities, the corporate resources they need to do their jobs and the various access scenarios. Developing a SmartAccess policy matrix is a critical step in understanding how your Citrix application delivery solution will meet your business requirements, and it provides a blueprint for configuring SmartAccess policies.
Table 5.1 shows an example policy matrix with three individual policies, EmployeeClientless, ContractorClientless and FinancialData, and the resources that are associated with each policy.
Policies in the matrix: EmployeeClientless, ContractorClientless and FinancialData. For each policy the matrix has an Available Resources column (* marks a resource published by that policy) and a Policy Settings column.

| Resource | Available Resources (one * per policy that publishes it) |
|---|---|
| Web Resources | |
| SharePoint | * * * |
| Web Interface | * * * |
| Sugar CRM | * * |
| File Shares | |
| Engineering | * * |
| Human Resources | * * |
| MyDocuments | * * |
| Financial | * |
| Sales | |
| Web Email | |
| OWA | * * |
| Allow Logon | |
| Resource Group | |
| Filters | |
| AD User Group | |
Table 5.2 explains each component of the above SmartAccess Policy matrix.
| Attribute | Description |
|---|---|
| Policy Name | There are two types of policies, Access and Connection Policies. Access policies control the resources available within the NAV UI and Connection policies control the traffic through the layer 3 tunnel. Policies should have descriptive names allowing administrators to easily recognize what the policy represents. For example, the above policy matrix has three Access policies named Employee, Contractor and Confidential Data. Each of the policies is configured with specific resources, filters and users. Access and Connection Policy names should reflect the specific user or resource group that they control. |
| Web Resource | Web resources can be published to the NAV UI. A Web resource is an internal or external web-based resource. SmartAccess policies can be enforced on web resources that use URL rewriting, which is configured during the creation of a Web resource. |
| File Shares | File Shares can be published to the NAV UI. A File Share is an internal file share that is webified and made available in the NAV UI. |
| Web Email | Web email allows clientless access (Web browser only) to Exchange and iNotes mail servers. Web mail supports iNotes, OWA and the Citrix mail client. iNotes and OWA use URL rewriting. |
| Available Resource | This attribute, either yes or no, determines whether a resource will be visible in the NAV UI. |
| Resource Groups | Resource Groups allow resources to be grouped based on user community. |
| Filters | Filters allow corporate security policies to be applied to target Logon points. |
| Users | This attribute allows an administrator to associate a user group with a policy. |
One important aspect of the SmartAccess policy matrix is the policy settings. Each resource category can have unique values to reflect different access requirements. For example, a policy for confidential data may deny the download, email as attachment, and upload settings, in contrast to a public data policy which may allow all of the aforementioned settings.
The following example SmartAccess policy matrix shows three policies, EmployeeClientless, ContractorClientless and FinancialData, and their policy settings. Each policy is configured with specific resources, filters and users.
Table 5.3 shows an access policy matrix with three policies for clientless access.
| | EmployeeClientless | ContractorClientless | FinancialData |
|---|---|---|---|
| | Policy Settings | Policy Settings | Policy Settings |
| Network | | | |
| Web Resources | | | |
| File Shares | | | |
| Web-Based Email | | | |
| Email Sync | | | |
| Allow Logon | | | |
| Resource Group | | | |
| Filters | | | |
| AD User Group | | | |
Table 5.4 shows each resource’s settings and its possible value.
| Web Resource: Settings | Values | File Share: Settings | Values | Web Mail: Settings | Values |
|---|---|---|---|---|---|
| Access | Allow All / Deny All | Download | Allow All / Deny All | Web-based Email | Allow All / Deny All |
| Download | Allow All / Deny All | Email As Attachment | Allow All / Deny All | Access | Allow All / Deny All |
| Email As Attachment | Allow All / Deny All | File Type Association | Allow All / Deny All | Download | Allow All / Deny All |
| File Type Association | Allow All / Deny All | HTML Preview | Allow All / Deny All | File Type Association | Allow All / Deny All |
| HTML Preview | Allow All / Deny All | Live Edit | Allow All / Deny All | HTML Preview | Allow All / Deny All |
| Live Edit | Allow All / Deny All | Upload | Allow All / Deny All | Live Edit | Allow All / Deny All |
A policy value can be set on each individual resource setting or the entire resource.
The next section will review how to create a decision tree.
Decision Tree
The goal of a decision tree is to map out various access scenarios and the desired resource entitlements. Once a decision tree has been built, SmartAccess policies, filters and scans can be developed and tested to validate the settings in your SmartAccess policy matrices and decision tree.
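The policy matrix, the per-setting values of Table 5.4 and the decision tree described above can all be expressed as data and evaluated mechanically, which makes a draft policy set testable before anything is configured in the management console. The following Python is an added example written for this chapter, not code from the original text or from Citrix: the policy names and resource types follow the tables above, while the AD groups, logon points, the endpoint-scan filter, the default-deny for unlisted settings and the most-restrictive-wins merge rule are assumptions constructed for the illustration and do not describe how Access Gateway itself evaluates policies.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Mapping, Tuple, Union


class Value(Enum):  # the two values a resource setting can take (Table 5.4)
    ALLOW_ALL = "Allow All"
    DENY_ALL = "Deny All"


# Settings that exist for each resource type, as listed in Table 5.4.
RESOURCE_SETTINGS: Dict[str, Tuple[str, ...]] = {
    "Web Resource": ("Access", "Download", "Email As Attachment",
                     "File Type Association", "HTML Preview", "Live Edit"),
    "File Share": ("Download", "Email As Attachment", "File Type Association",
                   "HTML Preview", "Live Edit", "Upload"),
    "Web Mail": ("Web-based Email", "Access", "Download",
                 "File Type Association", "HTML Preview", "Live Edit"),
}


@dataclass
class Resource:
    name: str
    kind: str  # key into RESOURCE_SETTINGS
    # One value for the whole resource, or a per-setting mapping; an unlisted
    # setting defaults to Deny All (a constructed, default-deny choice).
    settings: Union[Value, Mapping[str, Value]]

    def value_for(self, setting: str) -> Value:
        if setting not in RESOURCE_SETTINGS[self.kind]:
            raise KeyError(f"{setting!r} is not a setting of a {self.kind}")
        if isinstance(self.settings, Value):
            return self.settings
        return self.settings.get(setting, Value.DENY_ALL)


@dataclass(frozen=True)
class Policy:
    name: str
    ad_groups: FrozenSet[str]     # Users: AD groups the policy is bound to
    logon_points: FrozenSet[str]  # Filter: logon points where it applies
    requires_scan: bool           # Filter: endpoint scan must have passed
    resources: Tuple[Resource, ...]

    def matches(self, groups: FrozenSet[str], lp: str, scan_ok: bool) -> bool:
        return (bool(self.ad_groups & groups) and lp in self.logon_points
                and (scan_ok or not self.requires_scan))


@dataclass(frozen=True)
class Scenario:  # one branch of the decision tree: who, from where, in what state
    groups: FrozenSet[str]
    logon_point: str
    scan_passed: bool


# Constructed sample matrix; group and logon point names are illustrative.
POLICIES: Tuple[Policy, ...] = (
    Policy("EmployeeClientless", frozenset({"Employees"}),
           frozenset({"External", "Internal"}), requires_scan=False, resources=(
               Resource("SharePoint", "Web Resource", Value.ALLOW_ALL),
               Resource("MyDocuments", "File Share", {"Download": Value.ALLOW_ALL,
                        "Upload": Value.ALLOW_ALL, "HTML Preview": Value.ALLOW_ALL}),
               Resource("OWA", "Web Mail", Value.ALLOW_ALL))),
    Policy("ContractorClientless", frozenset({"Contractors"}),
           frozenset({"External"}), requires_scan=False, resources=(
               Resource("SharePoint", "Web Resource",
                        {"Access": Value.ALLOW_ALL, "HTML Preview": Value.ALLOW_ALL}),
               Resource("Engineering", "File Share", {"HTML Preview": Value.ALLOW_ALL}))),
    # Confidential data: preview only; download, e-mail and upload stay denied.
    Policy("FinancialData", frozenset({"Finance"}), frozenset({"Internal"}),
           requires_scan=True, resources=(
               Resource("Financial", "File Share", {"HTML Preview": Value.ALLOW_ALL}),)),
)

Entitlements = Dict[str, Dict[str, Value]]


def evaluate(scenario: Scenario, policies=POLICIES) -> Tuple[Entitlements, List[str]]:
    """Walk the tree: apply each policy's filters to the scenario, then collect
    the resources and settings the user ends up with. When two applicable
    policies publish the same resource, the most restrictive value wins (a
    merge rule constructed for this example)."""
    trace: List[str] = []
    entitlements: Entitlements = {}
    for pol in policies:
        if not pol.matches(scenario.groups, scenario.logon_point, scenario.scan_passed):
            trace.append(f"{pol.name}: filtered out")
            continue
        trace.append(f"{pol.name}: applies")
        for res in pol.resources:
            merged = entitlements.setdefault(res.name, {})
            for setting in RESOURCE_SETTINGS[res.kind]:
                old = merged.get(setting, Value.ALLOW_ALL)
                new = res.value_for(setting)
                merged[setting] = Value.DENY_ALL if Value.DENY_ALL in (old, new) else Value.ALLOW_ALL
    return entitlements, trace


def can(entitlements: Entitlements, resource: str, setting: str) -> bool:
    """True only if the resource is visible and the setting is Allow All."""
    return entitlements.get(resource, {}).get(setting) is Value.ALLOW_ALL
```

Running each branch of the decision tree through evaluate() gives a quick check of the matrix: a Finance user reaching the Financial share from the internal logon point with a passing scan can preview but not download, the same user from the external logon point is filtered out of the FinancialData policy entirely, and a user who falls under both clientless policies keeps only the SharePoint settings that both of them allow. The returned trace shows which policies applied and which were filtered, which is the path a decision tree like Figure 5.1 is meant to make visible.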
Figure 5.1 shows an example decision tree.

The development of a decision tree is critical to understanding how users access corporate resources and how to develop and implement SmartAccess policies.