Skip to content

Classification Rules

In deployments, where users must be allowed to access HyWorks resources (such as desktop pools, applications and reservations), only when the connection is initiated from some known networks or devices. In such cases, Classification rules can be used to restrict access of the HyWorks resources.

Once classification rules are defined and configured, the resources (Desktop pools and virtual applications) will be accessible from those endpoints only, which satisfy the criteria defined in classification rules.

Classification rules can be created based on:

  • LAN IP (Applicable for HyWorks Clients only)

  • WAN IP (Applicable HyWorks Clients and HyLite for future releases)

  • MAC Address (Applicable for HyWorks Clients only)

Add Classification rule

  1. Go to Devices > Classification Rules

  2. Click Add.

  3. Enter name for the Classification rule to uniquely identified in system.

  4. Enter description if required.

  5. Select Active to activate the Classification rule

  6. Click Add New Rule to add new rule for the Classification rule

    1. Select rule type from list, click Add New Rule

      Three types of rules cab be created:

      • MAC Address: Enter multiple comma separated MAC addresses. Maximum 500 MAC addresses are supported at a time. Examples of valid MAC format: 48:2C:6A:1E:59:3D, 48-2C-6A-1E-59-3D.

      • LAN IP Address: Enter multiple comma separated LAN IP addresses. Maximum 500 IP addresses are supported at a time. Examples of valid IP format: 192.168.0.241, 192.168.0.1/16, 192.168.0.1-192.168.0.255.

      • WAN IP Address: Enter multiple comma separated WAN IP addresses. Maximum 500 IP addresses are supported at a time. Examples of valid IP format: 192.168.0.241, 192.168.0.1/16, 192.168.0.1-192.168.0.255.

      Note

      • Rule type can be configured only once but it is possible add or delete addresses from the rule.

  7. After configuring required rules, click Save to save Classification rule.

Update Classification rule

  1. Go to Devices > Classification rule

  2. Select the group you want to edit and click Edit

  3. Modify as per your requirement

  4. Click Update

Delete Classification rule

  1. Go to Devices > Classification rule

  2. Select group that you want to delete

  3. Click Delete

  4. Confirm and click Delete

Association of Classfication Rules

Classification rules can be applied on following objects of HyWorks:

  1. Administration Portal:

  2. Reservation Management Portal (HyLabs):

    • Reservation - Gold Master.

Logical ANDing and ORing of Rules

The following statements can be used to logically combine multiple rules to correctly restrict access of resources:

  1. Configure multiple classification rules on resources to allow access of it from devices satisfying any of the configured classifications rules.

    • If multiple classification rules are configured on a resoruce, its logical OR.

  2. Configure multiple rules inside a single classification rule to allow access of it from devices satisfying all rules inside the classification rule.

    • If multiple rules (e.g., MAC and LAN IP) are specified in a classification rule, it will be logical AND. Thus the resource will be accessible only from those devices, which satisfies both conditions.

Import Classification Rules CSV

If it is needed to import classification rules, it can be done from HyLabs portal.

In HyLabs > CSV Configurations, option to import Classification rule CSV has been added. Rest of the configurations e.g. CSV Format, CSV Location details will remain same.

Following types of parameters can be used to define a Classification rule:

  • LAN IP (Applicable for HyWorks Clients only)

  • MAC Address (Applicable for HyWorks Clients only)

  • WAN IP (Applicable for HyLite and HyWorks Clients)

  • A single Classification rule can have one or multiple types of parameters

  • Below are some examples of CSV entries:

ClientGroupName Para-Type Add / Delete Para-Value RealmName
CG_LAB-AE-MAC M A aa-bb-cc-dd-ee-11
CG_LAB-AE-MAC M A aa-bb-cc-dd-ee-11
CG_LAB-AE-MAC M A aa:bb:cc:dd:ee:12
CG_LAB-AE-MAC M A aa:bb:cc:dd:ee:13
CG_LAB-BE-LAN L A 172.16.0.16
CG_LAB-BE-LAN L A 172.16.0.0/24
CG_LAB-BE-LAN L A 172.16.1.2-172.16.1.127
CG_LAB-BE-WAN W A 192.168.0.0/16
CG_LAB-BE-WAN W A 123.201.54.132
CG_LAB-BE-WAN W A 123.201.54.133
CG_LAB-BE-WAN W A 123.201.54.134
CG_LAB-CSE-MIX L A 172.17.0.1-172.17.0.254
CG_LAB-CSE-MIX L A 192.168.0.10
CG_LAB-CSE-MIX M A aa:bb:cc:dd:xy:13
CG_LAB-CSE-MIX M A aa:bb:cc:dd:xy:14

So now there will be four Classification rule definitions:

  1. CG_LAB-AE-MAC: aa-bb-cc-dd-ee-11 aa:bb:cc:dd:ee:12 aa:bb:cc:dd:ee:13

  2. CG_LAB-BE-LAN: 172.16.0.16 172.16.0.0/24 172.16.1.2-172.16.1.127

  3. CG_LAB-BE-WAN: 192.168.0.0/16 123.201.54.132 123.201.54.133 123.201.54.134

  4. CG_LAB-CSE-MIX: (172.17.0.1-172.17.0.254 192.168.0.10) aa:bb:cc:dd:xy:13 aa:bb:cc:dd:xy:14

CSV Import Wizard

Following options are available in CSV import wizard in HyLabs. To enable Classification rule import, option should be checked in CSV Import Profile and appropriate file should be placed at defined location of CSVs. Please see more details about CSV import in section CSV configurations.

Classification rule Examples

Consider the above Classification rules are associated with different reservations as described below: 1. RES#1 - CG_LAB-AE-MAC 2. RES#2 - CG_LAB-BE-LAN 3. RES#3 - CG_LAB-BE-WAN 4. RES#4 - CG_LAB-CSE-MIX 5. RES#5 – CG_LAB-AE-MAC, CG_LAB-BE-LAN

  • RES#1: Users logging-in from device with having MAC addresses defined for Classification rule “CG_LAB-AE-MAC” will have access whereas any user logging in from HyLite or other devices will not be able to access

  • RES#4: will only be accessible from clients where the MAC address is either aa:bb:cc:dd:xy:14 or aa:bb:cc:dd:xy:13 and having the IP as 172.17.0.1-172.17.0.254 or 192.168.0.10

    • With multiple types of parameters defined in single Classification rule, both types of conditions should meet to give the access

  • RES#5: Will be accessible from clients having MAC addresses defined in CG_LAB-AE-MAC or clients having IP defined in CG_LAB-BE-LAN

    • If a reservation is having multiple Classification rules, then member of any Classification rule will be able to access the reservations.

Workflow in Reservation Management (HyLabs)

Following flow can be used to define and use Classification rule restrictions:

  • Import Classification rule CSV with appropriate entries or Add using Classification rule screen

  • Configure gold master access to selected Classification rules: To restrict all the reservations from the gold master

  • Configure reservations with Classification rules: To restrict the reservation access to selected Classification rules only