【VDI】Contextual Policies Configuration Guide_V5.9.1_R2_EN
Introduction
This feature applies when you want to configure the policies for users and VMs based on the clients’ access environment. For example:
- Different policies are applied to access from the WAN and LAN.
- Different policies are applied to access from different IP address segments over LAN.
- Different policies are applied to access via different clients.
- Different policies are applied to access from different login page URLs.
Contextual policies apply to the above scenarios. When the access environment meets certain conditions, you can assign corresponding policies (including Virtual & Local Desktop Policy, Remote App & Session-Based Desktop Policy, and Secondary Authentication) to users or VMs to improve access security.
Prerequisites
None.
Precautions
When a contextual policy conflicts with a user policy or VM policy, the priority of the policies is as follows:
Temp Permissions > Contextual Policies > Policy Sets (associated with specific VMs) > Policy Sets (associated with specific users).
Configuration
- Log in to the VDC console, go to Security Enhancement > Contextual Policies, and click New.
- Enter the basic information of the policy.
- Select the applicable Object, either User/Group or VM.
| Object | Description |
|---|---|
| User/Group | When User/Group is selected, the policy will be applied to specific users. The available options for conditions include Login IP Range, Endpoint IP Range, Login page URL (when Users use different login pages is enabled), and Client Type. The available options for actions include Virtual & Local Desktop Policy, Remote App & Session-Based Desktop Policy, and Secondary Authentication. |
| VM | When VM is selected, the policy will be applied to virtual desktops. The available options for conditions include Login IP Range, Endpoint IP Range, and Client Type. For actions, only Virtual & Local Desktop Policy is available. |
- In the Applicable Clients and Action section, enable VDC Local Configuration and specify the condition and action as required.
a) The available options for conditions include Login IP Range, Endpoint IP Range, Login page URL (when Users use different login pages is enabled), and Client Type. Click Add to configure multiple conditions and set the condition relationship to AND or OR. A condition relationship can be configured for up to two conditions.
| Object | Description |
|---|---|
| Login IP Range | Identify the final source IP address of data packets retrieved from VDC when users access aDesk VDI. It is used to identify the source of user access over WAN and applies to the following scenarios: 1. Remote Working: When a user accesses VDC, the gateway replaces the source IP address of data packets with a public IP address, which is then identified as a public IP address by VDC. As a result, the user’s access from the user IP segment is not identified as LAN access, although it is the same as that of the company LAN. 2. Access via VPN: When a user accesses aDesk VDI using a VPN, the VPN gateway converts the source IP address of data packets to a VPN gateway address, which is then identified as the IP address of the VPN gateway by VDC.  |
| Endpoint IP Range | Identify the local IP address of the endpoint when a user accesses aDesk VDI. It applies to LAN access scenarios to identify the user’s specific access location within the company. |
| Login page URL | Identify the login page URL when a user accesses aDesk VDI, and it is available only if you select User/Group for the Object. It applies to scenarios where Users use different login pages is enabled and can be used to specify the corresponding action. |
| Client Type | Identify the client type when a user accesses aDesk VDI, and it helps determine whether different policies shall apply. The Remote App & Session-Based Desktop Policy and Distributed Firewall rules cannot be selected as the Scaling Action when this option is selected. |
b) The available options for Scaling Action include Virtual & Local Desktop Policy, Remote App & Session-Based Desktop Policy, and Secondary Authentication. Click Add to execute different types of actions.
| Object | Description |
|---|---|
| Virtual & Local Desktop Policy | Define the policy set applying to virtual desktop resources when specific conditions are met. It applies to scenarios where the user access permissions in virtual desktops are restricted based on the access environment. Either User/Group or VM can be selected for the Object. |
| Remote App & Session-Based Desktop Policy | Define the policy set applying to remote apps and session-based desktop resources when specific conditions are met. It applies to scenarios where the user access permissions in remote apps or session-based desktops are restricted based on the access environment. Only User/Group can be selected for the Object. |
| Secondary Authentication | Specify whether to enable secondary authentication for users when accessing aDesk VDI if specific conditions are met. It applies to scenarios where the authentication security level is changed based on the access environment. Only User/Group can be selected for the Object.  |