Restricting access to a published application
When using thin-clients within school, it is usual for them to be configured to connect to a published XenApp desktop (usually called Desktop). However, this application will also be available externally, which means that all users will have remote access. If you want to restrict access to members of certain groups do this:
- Determine the groups you want to give access to
- Publish another desktop (New > Published Application within Access Management Console), then type Server desktop. Call it DesktopRemote. Assign all application servers as usual, but only give access to the groups you want to access remotely.
- Use DesktopRemote as the published application to connect to remotely (if using NetManager ICA access, make sure you are using a recent version as earlier versions did not connect to specific applications).
- Ensure that Non-administrators only launch published applications is ticked on the ICA settings tab of the ICA-tcp connection withint Terminal Services Configuration (this stops users connecting in directly to servers).
- Create a load evaluator called Internal Network in Presentation Server Console (XenApp Advanced Configuration).
- Use IP Range as the metric for the load evaluator and then use the Allow access from clients whose IP addresses are within the specified address ranges field(s) to enter your internal network address.
- Back in Access Management Console, choose the DesktopRemote application and click on Load manage application. Assign the Internal Network load evaluator to all the servers hosting this application