Tuesday, 24 May 2011

Citrix XenDesktop 5 HDX policy not granular enough? Try targeting thin clients by IP using Set-BrokerAccessPolicyRule

Running anything in an educational organization can be a challenge, so when we implemented a mid-sized Citrix XenDesktop 5 deployment we knew we would have some mountains to climb.

In 99.9% of enterprises a single user will use a single computer to do their work, so targeting a virtual desktop at a specific user is an acceptable solution, in conjunction with XenApp to deliver those dynamic or expensive applications you might not want as part of your "Finance" or "HR" virtual images. This rule doesn't apply to education, where different images are required for computing labs, science classes and the junior school. We initially thought we could have multiple assignment groups and dynamically enable/disable them on a time schedule, but soon realized this would be a nightmare. The ideal situation would be to VLAN off a /25 and then target this VLAN with an HDX policy, but this functionality is not available. Trying to achieve tasks like this via HDX policy makes its functionality look very thin. Never fear, PowerShell is here.

Hidden away from the friendly GUIs are a number of great PowerShell cmdlets that can help you achieve this goal. One of them is Set-BrokerAccessPolicyRule, which modifies existing rules in a site's access policy.





Using the Set-BrokerAccessPolicyRule PowerShell cmdlet to target clients by IP address
 
1. VLAN off your target thin clients into a /25 of a suitable VLAN range.


2. Launch a PowerShell console from Citrix Desktop Studio.

3. For a full list of functionality, type:

help Set-BrokerAccessPolicyRule

There is a HUGE list of functionality; what we want to look at today is the -IncludedClientIPFilterEnabled parameter.

PS C:\Program Files\Citrix\Desktop Studio> help set-brokeraccesspolicyrule

NAME
    Set-BrokerAccessPolicyRule

SYNOPSIS
    Modifies an existing rule in the site's access policy.

SYNTAX
    Set-BrokerAccessPolicyRule [-InputObject] <AccessPolicyRule[]> [-PassThru]
...truncated..
    To see the examples, type: "get-help Set-BrokerAccessPolicyRule -examples".
    For more information, type: "get-help Set-BrokerAccessPolicyRule -detailed"
    .
    For technical information, type: "get-help Set-BrokerAccessPolicyRule -full
    ".


4. Grab the name of your assignment group and assign it to a specific IP range as follows.

Set-BrokerAccessPolicyRule TargetGroupName -IncludedClientIPFilterEnabled $true -IncludedClientIPs 10.1.1.0/25


You could then repeat this process for multiple assignment groups if required. Remember, if you want to target a specific room with an image for all users, add your domain users or generic users group to the assignment group. This essentially allows all users to log on to that assignment group, with the IncludedClientIPFilterEnabled functionality taking care of your filtering.
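Repeating step 4 across several rooms is where a mistyped range can quietly change who gets which desktop, so the following added example (not part of the original post) validates each CIDR, applies the filter, and reads the rules back. The rule names ComputingLab and ScienceLab and the second subnet are constructed for illustration; it assumes the console from step 2, so the Citrix broker cmdlets are already loaded.

```powershell
# Added example. Assumes the console launched from Desktop Studio (step 2),
# so the Citrix broker cmdlets are already loaded.

# Constructed mapping: access policy rule name -> thin-client subnet for that room.
$roomRules = @{
    'ComputingLab' = '10.1.1.0/25'
    'ScienceLab'   = '10.1.1.128/25'
}

# True only for an IPv4 CIDR whose host bits are all zero, so a mistyped
# address or prefix is rejected instead of silently matching another range.
function Test-Ipv4Cidr {
    param([string]$Cidr)
    $parts = @($Cidr -split '/')
    if ($parts.Count -ne 2) { return $false }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { return $false }
    # Reject IPv6 and shorthand forms such as "10.1" that TryParse accepts.
    if ($ip.AddressFamily -ne 'InterNetwork' -or $ip.ToString() -ne $parts[0]) { return $false }
    $prefix = 0
    if (-not [int]::TryParse($parts[1], [ref]$prefix)) { return $false }
    if ($prefix -lt 0 -or $prefix -gt 32) { return $false }
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little endian
    $addr     = [int64][BitConverter]::ToUInt32($bytes, 0)
    $hostMask = [int64][math]::Pow(2, 32 - $prefix) - 1
    return (($addr -band $hostMask) -eq 0)
}

foreach ($entry in $roomRules.GetEnumerator()) {
    if (-not (Test-Ipv4Cidr $entry.Value)) {
        Write-Warning "Skipping $($entry.Key): '$($entry.Value)' is not an aligned IPv4 CIDR"
        continue
    }
    if (-not (Get-BrokerAccessPolicyRule -Name $entry.Key -ErrorAction SilentlyContinue)) {
        Write-Warning "Skipping $($entry.Key): no access policy rule with that name"
        continue
    }
    Set-BrokerAccessPolicyRule -Name $entry.Key -IncludedClientIPFilterEnabled $true -IncludedClientIPs $entry.Value
}

# Read the rules back and confirm the filter is on and scoped as intended.
Get-BrokerAccessPolicyRule | Where-Object { $roomRules.ContainsKey($_.Name) } |
    Format-Table Name, Enabled, IncludedClientIPFilterEnabled, IncludedClientIPs -AutoSize
```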
