Jump to content

Restrict Acces to vServer Connection via Policy


 li1709162908

Recommended Posts

To clarify you want the (vpn/citrix gateway) to 

1) stop copy out from vdi to endpoint

2) allow copy in from endpoint to vdi  (If you meant block; we can do that too but wording above is unclear)

and 3) but still allow a "small" amount of url info to be copied to vdi? (requires clipboard in is allowed; but restricted)

 

1 and 2 are possible via the CVAD policies to manage clipboard mapping and can be based on gateway vs non-gateway decisions as well.  There is a "secure clipboard" option that can allow copy in while preventing copy out.

You can also use the Gateway's own ICA Policies to to block clipboard virtual channel for gateway connections meeting certain critieria. It overrides the CVAD policies and just blocks the virtual channel; but it won't have the granularity of the CVAD setting. It will be more a of a block all clipboard.

 

The only way to accomplish (3) would be to allow clipboard into vdi and then limit allowed formats:  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings.html.  This would have to be done in the cvad policies.

(otherwise, clipboard mapping is usually on or off for in or out).

https://james-rankin.com/articles/citrix-virtual-apps-and-desktops-clipboard-redirection/

and here:  https://docs.microsoft.com/en-us/windows/win32/dataxchg/standard-clipboard-formats

 

So, you can limit the format to text; its not going to be guaranteed to be restricted to urls only but just text formats without formating or other criteria.

 

Added note (to clarify):

the granular clipboard mapping is NOT done via the ICA policies on the gateway and is only managed from the CVAD clipboard policies.

They can still be based on gateway vs non-gateway connections via the "Access Control" filter in the policies.

The gateway can really only do the clipboard "off" override.

 

Edited by Rhonda Rowland
Added note
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...