Adaptive Access Has Reached General Availability (GA)

Ray Davis, Sr. Systems Engineer, Citrix Technology Advocate (CTA)

Adaptive Access has now reached General Availability (GA). It lets organizations govern access to applications and desktops dynamically, based on contextual factors such as network locations and location tags, which adds a layer of security that adapts to where a user is connecting from. Because it uses network locations and tags to make access decisions, it takes a proactive stance in safeguarding an organization’s digital assets and data. With the transition to GA, organizations now have the opportunity to explore and implement this approach to further fortify their defenses. This post is a quick POC (proof of concept) showing how it works, with step-by-step instructions on how to get started.

But for now, my goal is to test the following:

  1. Citrix App/Desktop restrictions based on an internal office vs. an external WFM use case.
    • Block a Desktop going through Citrix GaaS (Gateway Service) in a WFM test.
  2. Citrix policies that are relaxed for internal offices vs. hardened for WFM users.
    • Block the clipboard going through GaaS in a WFM test.
    • Before I go through these steps, I will show you that I can copy and paste by default while working from home. I set this up to guide you through my testing and show you how it works from a policy aspect.
    • Copy text from my local machine.
    • Adaptive Access Text to Copy
    • I was able to paste it into my VDA session.
    • VDA Session

Licensing Entitlements

Ensure you meet the licensing entitlements. The Adaptive Access feature is available for customers with the following licenses.

  • Citrix DaaS deployment accessing through the Citrix Workspace platform.
  • DaaS Premium / Premium Plus
  • Secure Private Access Advanced

Enable the Adaptive Access Feature

  • Log in to Citrix Cloud.
  • Select Workspace Configuration from the hamburger menu.
  • The Adaptive Access toggle is off by default. Turn it on.
  • Click Yes on the confirmation message to enable Adaptive Access.

Enable the Adaptive Access feature

Network locations

Many of you are probably already using this. It means defining Network Locations so that internal users bypass Citrix GaaS and make a direct workload connection (client to VDA). Please read this blog to understand what I mean.

  • Optimize connectivity to workspaces with Direct Workload Connection (citrix.com)
  • Users from both internal and external networks establish connections to Virtual Delivery Agents (VDAs) via an external gateway. This gateway can either be located on-premises within your organization or be a service provided by Citrix, integrated into the resource location within Citrix Cloud. With Network Locations (Direct Workload Connection), internal users can bypass the gateway and connect directly to the VDAs, which minimizes latency for internal network traffic.

Network locations with Location Tags

When adaptive access is enabled, you can define the location tags for adaptive access.

Citrix Cloud > Network Locations > Add a Network Location > Location tags.

Example

  1. Add Network location.
  2. Add the public IP of the location. You can go to https://whatismyipaddress.com/ and it will display it, but a better option is to get it from your network engineering team so you have the correct range and mask. Note that you can add a range: for example, I looked up my public IP information and found the range with its subnet mask. This is my home range, XX.XX.0.0 – XX.XX.255.255, or XX.XX.0.0/16 in CIDR notation (I have hidden my public IP information here). You need the public IP for both internal and external network locations. When it says internal, it does not mean the private IP range; it is the public IP range that internal users use for outbound NAT. As mentioned, work with your network team to get the internal (egress) public IP ranges for all office locations.
  3. Location tags: create a name that helps you define what the tag is for. In this example, I am using RDWFM, meaning I will apply policies that restrict me because I am coming in externally.
  4. Choose a network connectivity type. Based on my tag name, it will be External for me. You have two options:
    • Internal
    • External
    • Network locations
    • Edit a Network Location
  5. Before I set up the tag locations, I am going to log into my Workspace URL and show you that I can see the resource I will be filtering below. The W10_HAADJ Desktop is listed for me, as it is part of a DG, and the other apps do not have the filter applied.
    • TAG Locations setup
  6. In this next section, my screenshots will differ from what the Adaptive Access link shows on the DG, because I am testing something new in Tech Preview. I will do my best to correlate the differences for you.
  7. In my screenshots below, here is the Adaptive Access policy defined on the DG. Because I am testing another tech preview, you probably will not see this view; it looks different from what the Adaptive Access link shows, but it is the same thing with a facelift.
  8. In my view, these are my steps.
    • Select the delivery group you’ve created and click Edit Delivery Group.
      • If you don’t have one, create one like usual.
      • Click Access Policy on the Left side of the menu.
      • Click Edit on the “Citrix Gateway Connections.”
      • Add and select the following:
        • Value: LOCATION_TAG_RDWFM (this is what I defined in Network locations already)
        • Filter: Workspace (this is saying filter my resource via Workspace services)
    • Edit Delivery Group
    • Location Tag
    • I was still logged into my Workspace URL; about 10 seconds later, after a browser refresh, it disappeared. The W10_HAADJ is gone.
    • Workspace
    • Most of you will see this view, as it is what it looks like normally.
    • Edit Delivery Group
  9. The process is almost the same; for the normal view, these are the quick steps.
    • Select the delivery group that you’ve created and click Edit Delivery Group.
      • Click Access Policy.
      • Click Add and select the following:
        • Farm: Workspace
        • Filter: LOCATION_TAG_OFFICE
      • Click Add again and select the following:
        • Farm: Workspace
        • Filter: LOCATION_TAG_RDWFM

Policy

  1. Policy test restrictions POC.
    • Now I will remove the filter that hid the Desktop and show you how to apply an Adaptive Access tag to policies.
    • Because I needed to apply a copy-and-paste restriction, I also used a quick watermark to show you that the Adaptive Access policy is applied.
  2. I created a new DaaS policy to restrict the clipboard and apply a watermark for external users.
    • Policy Settings
  3. As you can see, my “Access Control” defines this:
    • Edit Policy
    • Assign Policy
    • Mode: Allow
    • Connection type: Citrix Gateway
    • Farm: Workspace
    • Access Condition: LOCATION_TAG_RDWFM
      • Upon logging into the VDA, I could see right away that my watermark was applied, and I could not copy and paste anymore. This was great for my testing.
      • Access Condition
  4. Let’s check Citrix Monitor (Director).
      • Citrix Monitor
  5. To ensure that what I applied is in fact working correctly, I will edit the DaaS Studio policy and remove the tag. Once I removed the policy with the tag from DaaS Studio, the VDA went back to normal.
    • DaaS Studio
  6. The next test is to put the policy back into DaaS Studio but remove the network location.
    • Gone
    • Network Location Removed
    • DaaS policy still here
    • DaaS PolicyAssign Policy
  7. Log into the VDA: the watermark is gone, and I have the paste option back.
    • Watermark
    • Paste Option
  8. Citrix Monitor (Director) shows the following as well.
    • As you can see, even though the policy is applied, it has no idea how to use it. I also now have LOCATION_Undefined, where before I did not. Network locations associate the tag with the incoming connection, and then the Citrix DaaS policies know how to apply it.
    • SmartAccess Filters
  9. I added the network location back to confirm this is accurate.
    • Network Added
  10. Log back into the VDA: paste is grayed out, and my watermarks are back.
    • Paste Grayed Out
    • Paste
  11. Checking Citrix Monitor (Director) now, the Smart Filter (Adaptive Access) shows that the correct tag is back.
    • Smart Filter
    • Workspace Location Tag

Block All External Connections

If you just want to block all connections from external users, the Network Locations service provides the following tags by default.

  • Default tags: These tags are defined on the Network Locations service. The following default tags are available.
    • Location_internal: Tag sent by default when the network connectivity type is set as INTERNAL.
    • Location_external: Tag sent by default when the network connectivity type is set as EXTERNAL.
    • Location_undefined: Tag sent for an IP address that is not defined in the policy but is coming through the Network Locations service. Launches for these users are the same as what is defined in the resource group. This is why I received Undefined in my testing when I removed the location from the network locations.
  • Custom tags: Admins can define custom tag names in the policies. Examples: office, home, branch.
  • Examples:
    • Default tags: LOCATION_INTERNAL, LOCATION_EXTERNAL, LOCATION_UNDEFINED
    • Custom tags: LOCATION_TAG_OFFICE, LOCATION_TAG_HOME

You could create a policy that uses this tag, and it would apply blocking ICA policy settings to all external users by default.
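To make the tag flow concrete, here is an added Python model (my illustration, not Citrix code) of how a client's public IP turns into tags and how a DaaS policy Access Control condition matches them. The first-match rule, the IP ranges and the tag names LOCATION_TAG_OFFICE/LOCATION_TAG_RDWFM are assumptions that follow the default-tag definitions above; it reproduces both the LOCATION_UNDEFINED result seen earlier when the home network location was removed and this block-all-external policy.

```python
import ipaddress
from dataclasses import dataclass, field

# Added illustrative model of network location -> tag -> DaaS policy condition.
# Not Citrix code: the first-match rule and all ranges/tag names are assumptions.
LOCATION_INTERNAL = "LOCATION_INTERNAL"
LOCATION_EXTERNAL = "LOCATION_EXTERNAL"
LOCATION_UNDEFINED = "LOCATION_UNDEFINED"


@dataclass
class NetworkLocation:
    cidr: str          # egress public range of the site (constructed values below)
    connectivity: str  # network connectivity type: "INTERNAL" or "EXTERNAL"
    tags: list = field(default_factory=list)  # custom location tags


def tags_for_ip(client_ip, locations):
    """Tags sent for a client's public IP.

    Assumption: the first network location whose range contains the IP wins.
    An IP that matches no location gets only LOCATION_UNDEFINED, which is what
    the post observed after the home network location was deleted.
    """
    ip = ipaddress.ip_address(client_ip)
    for loc in locations:
        if ip in ipaddress.ip_network(loc.cidr, strict=False):
            default = LOCATION_INTERNAL if loc.connectivity.upper() == "INTERNAL" else LOCATION_EXTERNAL
            return {default, *loc.tags}
    return {LOCATION_UNDEFINED}


def policy_applies(tags, access_condition):
    """A DaaS policy whose Access Control condition names a tag applies only if
    that tag was actually sent; otherwise the policy exists but never matches."""
    return access_condition in tags


def clipboard_restricted(client_ip, locations, condition="LOCATION_TAG_RDWFM"):
    """True when the clipboard/watermark policy with this condition applies."""
    return policy_applies(tags_for_ip(client_ip, locations), condition)


# Constructed sample sites: an office (internal egress) and a home connection.
OFFICE = NetworkLocation("203.0.113.0/24", "INTERNAL", ["LOCATION_TAG_OFFICE"])
HOME = NetworkLocation("198.51.100.0/24", "EXTERNAL", ["LOCATION_TAG_RDWFM"])

if __name__ == "__main__":
    print(clipboard_restricted("198.51.100.7", [OFFICE, HOME]))  # home user, tag sent
    print(clipboard_restricted("198.51.100.7", [OFFICE]))        # location removed
    print(clipboard_restricted("203.0.113.9", [OFFICE, HOME], LOCATION_EXTERNAL))
```

Swapping the condition for LOCATION_EXTERNAL is the block-all-external variant: the office IP never receives that tag, so the restrictive policy applies only to home users.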

Adaptive Access – external “Location”: this is the default tag Workspace adds if nothing matches the “internal” network locations.

The same principle applies to the Delivery group.

Delivery Group

Replace the Value with LOCATION_external.

Replace Value
