
Hide a Secure Desktop from a certain Virtual Server


Marc Kuhn

Question

Dear all

 

I have CVAD 7.15 LTSR on Windows 2012 R2, where we have two Desktops available, a "Normal" and a "Secure". I have a Machine Catalog and a Delivery Group for each of them. Internally, visibility is handled by a dedicated security group. For external access we would like to have the "Secure" Desktop available as well, besides the "Normal" Desktop. We now have 2 Virtual Servers, each with a dedicated Store defined in the Session policy.

 

I managed to limit the visibility with broker access rules, which I configured via PowerShell. But I'm wondering whether it really isn't possible to limit access to the Delivery Group to only via NetScaler AND only from a dedicated Virtual Server. I think that would be my perfect configuration, but I didn't find a way to do it.

 

Has anyone configured something like that?

 

Best regards,
Marc


13 answers to this question

Recommended Posts


hey,

 

Either I really don't understand your problem or you seem to be making it a lot more complex than it is :) Here's what I get from your question: you want 2 different published desktops, of which certain people can only see 1 while others see both when they log in (either through external NetScaler access or through internal StoreFront).

 

In that case you simply make 2 delivery groups with their own VDA server resources and use a different dedicated Active Directory group for each one's security. Done. People that are in both AD groups see both, while people in only 1 see only 1.

 

NetScaler simply performs your security layer and 2-factor authentication check. After that the NetScaler sends you completely through to the StoreFront server, which will 'show' you the content you have access to (or not). Therefore all restrictions in terms of content are typically done on the StoreFront server, not on the NetScaler. Also for manageability and transparency during troubleshooting.

 

Here's an example of what the delivery group AD security group restriction could look like:

 

[screenshot: Delivery Group access policy restricted to an Active Directory security group]

 

Does that clarify things for you ?

 


Hi

 

Thanks for that, but we already have that configured and it is working perfectly internally. The issue is that I need to make sure that the Secure desktop is only reachable from within Switzerland, while the Normal Desktop needs to be accessible from all over the world. So I configured two URLs to be able to do so, with a GeoIP filter on the firewall for the Secure URL.

 

I need to make sure that the Secure Desktop is only visible when logging in via the Secure URL. So my guess was that I can configure a filter in the Access Policy of the Delivery Group for it. In my case I think it would be the name or IP of the Virtual Server.

 

Does that make more sense now? I'm sorry, this is a little tricky to explain.


No, that is not what I need. Just forget the GeoFiltering; I just wanted to explain why I have two URLs. Let's make it simpler:

 

I have a NS with two Virtual Servers (2 VIPs) and I need to be able to hide a Desktop if a user is coming in over VIP1, based on the VIP, not based on a security group. Is that possible?


Ah, now I see the complete picture. Exactly. Configure 1 access policy on the delivery group with the secure desktop VDAs to restrict it further by allowing only connections from that specific corresponding access gateway:

 

[screenshot: Delivery Group access policy with the NetScaler Gateway "Farm" and "Filter" fields]


:-), yes, I know, and I would like to configure it there. But my problem is that I have a Citrix Gateway HA pair, so the hostname is the same; the only difference is the Virtual Server. How would I configure those two settings to achieve that? Let's say the NetScalers are NSPROD01 & NSPROD02 and the Virtual Servers are named normal and secure.

 

Best regards,
Marc


That's perfect. The virtual server name normal is exactly what you need to differentiate them, and you enter this exact name in the "Farm" field. In the "Filter" field you enter the exact name of the general access policy that you are using on the NetScaler. If you want you can even define a more granular one that, for instance, checks the IP address, but it's not needed since you are already using separate virtual server access gateways anyway.

 

Here's an example you can follow almost to the letter:

 

https://support.citrix.com/article/CTX227055

 

Hope that suffices

 

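The same Farm/Filter mapping described in the last answer, done with the Broker PowerShell snap-in so it can be scripted and verified. This is an added example and not code from the thread; it assumes Delivery Groups named "Normal" and "Secure", NetScaler Gateway virtual servers named "normal" and "secure" (the HA pair shares the configuration, so the vserver name is identical on NSPROD01 and NSPROD02), and session policy names PL_OS_normal / PL_OS_secure, which are placeholders for whatever is actually bound on your gateway. It also assumes StoreFront has each gateway defined with its callback URL, which is what lets the SmartAccess tags reach the Delivery Controller.

```powershell
# Added example (not from the thread). Restricts the "Secure" Delivery Group so
# that gateway connections are accepted only when they arrive through the
# NetScaler Gateway virtual server named "secure", while "Normal" accepts
# sessions from either virtual server.
# Assumed names: Delivery Groups "Normal"/"Secure", gateway vservers
# "normal"/"secure", session policies "PL_OS_normal"/"PL_OS_secure".
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Studio creates two access policy rules per Delivery Group:
#   <DG>_AG     - AllowedConnections ViaAG     (connections through NetScaler Gateway)
#   <DG>_Direct - AllowedConnections NotViaAG  (internal StoreFront, untouched here)
$secureDg = Get-BrokerDesktopGroup -Name 'Secure'
$normalDg = Get-BrokerDesktopGroup -Name 'Normal'

# A SmartAccess tag is "<gateway vserver name>:<policy name>".
# Studio's "Farm" field is the part before the colon, "Filter" the part after.
# The policy name must match the name bound on the NetScaler exactly.
$secureTag = 'secure:PL_OS_secure'
$normalTag = 'normal:PL_OS_normal'

# Secure desktop: gateway connections only from vserver "secure".
# A user who reaches the Secure store through the "normal" vserver will not
# be offered this desktop, regardless of AD group membership.
Get-BrokerAccessPolicyRule -DesktopGroupUid $secureDg.Uid -AllowedConnections ViaAG |
    Set-BrokerAccessPolicyRule -IncludedSmartAccessFilterEnabled $true `
                               -IncludedSmartAccessTags @($secureTag)

# Normal desktop: gateway connections from either vserver.
Get-BrokerAccessPolicyRule -DesktopGroupUid $normalDg.Uid -AllowedConnections ViaAG |
    Set-BrokerAccessPolicyRule -IncludedSmartAccessFilterEnabled $true `
                               -IncludedSmartAccessTags @($normalTag, $secureTag)

# Verify: show the effective gateway filter on every ViaAG rule.
Get-BrokerAccessPolicyRule -AllowedConnections ViaAG |
    Select-Object Name, DesktopGroupName, AllowedConnections,
                  IncludedSmartAccessFilterEnabled,
                  @{ n = 'SmartAccessTags'; e = { $_.IncludedSmartAccessTags -join ', ' } } |
    Format-Table -AutoSize
```

The filter is enforced by the Delivery Controller at enumeration and launch time, so it holds even if both virtual servers point at the same StoreFront store; the GeoIP rule on the firewall and the per-vserver tag then back each other up. If the Secure desktop disappears for everyone after applying this, the usual causes are a mismatch between the tag and the actual vserver or policy name, or a StoreFront gateway object without a working callback URL, in which case no SmartAccess tags arrive and a filtered rule matches nothing.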
