Classification Rules
In many deployments, users should be allowed to access HyWorks resources (desktop pools, applications, and reservations) only when the connection originates from known networks or devices. Classification rules restrict access to HyWorks resources in exactly this way: once they are defined and associated with a resource, the resource (desktop pool or virtual application) is accessible only from endpoints that satisfy the rule's criteria.
Classification rules can be created based on the following:
- LAN IP (applicable to HyWorks Clients only)
- WAN IP (applicable to HyWorks Clients; HyLite support is planned for future releases)
- MAC Address (applicable to HyWorks Clients only)
Add Classification rule
- Go to Devices > Classification Rules.
- Click Add.
- Enter a name that uniquely identifies the Classification rule in the system.
- Enter a description if required.
- Select Active to activate the Classification rule.
- Click Add New Rule to add a rule to the Classification rule.
- Select the rule type from the list and click Add New Rule.
Four types of rules can be created:
- MAC Address: Enter multiple comma-separated MAC addresses. A maximum of 500 MAC addresses is supported at a time. Examples of valid MAC formats are 48:2C:6A:1E:59:3D and 48-2C-6A-1E-59-3D.
- LAN IP Address: Enter multiple comma-separated LAN IP addresses. A maximum of 500 IP addresses is supported at a time. Valid formats are a single address (192.168.0.241), CIDR notation (192.168.0.1/16), and an address range (192.168.0.1-192.168.0.255).
- WAN IP Address: Enter multiple comma-separated WAN IP addresses, in the same formats and with the same limit of 500 addresses as LAN IP addresses.
- Directory Group (v3.4-SP2 or later): Search for and add directory groups from the configured authorization server. The use case for directory groups is explained later in this document.
Note
- Each rule type can be added to a Classification rule only once; addresses can still be added to or deleted from that rule afterwards.
After configuring the required rules, click Save to save the Classification rule.
Update Classification rule
- Go to Devices > Classification Rules.
- Select the Classification rule you want to edit and click Edit.
- Modify it as required.
- Click Update.
Delete Classification rule
- Go to Devices > Classification Rules.
- Select the Classification rule that you want to delete.
- Click Delete.
- Confirm and click Delete.
Association of Classification Rules
Classification rules can be applied to the following HyWorks objects:
- Administration Portal: the resources named above (desktop pools and virtual applications).
- Reservation Management Portal (HyLabs): reservations and gold masters.
Logical ANDing and ORing of Rules
Multiple rules combine as follows, which determines how to restrict access to a resource correctly:
- Multiple Classification rules on one resource are combined with logical OR: a device is allowed if it satisfies any one of the configured Classification rules.
- Multiple rule types inside one Classification rule (for example, MAC and LAN IP) are combined with logical AND: the resource is accessible only from devices that satisfy every rule type in that Classification rule.
- Within a single rule type, the listed addresses are alternatives: a device needs to match only one of them.
Usage of Directory Group Feature
The Directory Group rule type was added to Classification rules for one specific use case: allowing users to access their assigned desktops or applications even when they connect from networks or devices that are not otherwise permitted. The directory group therefore acts as an exception list.
Use Case:
- A user travels temporarily and wants to access their assigned desktops or virtual apps from a network location that is not allowed.
- Option 1: To allow this user, the administrator must always know the user's current IP address and keep adding it to and removing it from the Classification rule.
- Option 2: Directory Group. The resource is given one more Classification rule (combined with the existing rules by logical OR), and this rule contains a directory group.
- Whenever such users need access to resources from outside the defined network, they are added to the directory group.
- Once the exception is no longer needed, the user is removed from the directory group.
Important
- The Directory Group feature does not work for HyLabs.
Import Classification Rules CSV
Classification rules can also be imported from a CSV file through the HyLabs portal.
In HyLabs > CSV Configurations, an option to import a Classification rule CSV has been added. The rest of the configuration, e.g., CSV Format and CSV Location details, remains the same.
The following parameter types can be used to define a Classification rule in the CSV:
- LAN IP (applicable to HyWorks Clients only)
- MAC Address (applicable to HyWorks Clients only)
- WAN IP (applicable to HyLite and HyWorks Clients)
A single Classification rule can have one or multiple parameter types.
Below are some examples of CSV entries:
ClientGroupName | Para-Type | Add / Delete | Para-Value | RealmName |
---|---|---|---|---|
CG_LAB-AE-MAC | M | A | aa-bb-cc-dd-ee-11 | |
CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:12 | |
CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:13 | |
CG_LAB-BE-LAN | L | A | 172.16.0.16 | |
CG_LAB-BE-LAN | L | A | 172.16.0.0/24 | |
CG_LAB-BE-LAN | L | A | 172.16.1.2-172.16.1.127 | |
CG_LAB-BE-WAN | W | A | 192.168.0.0/16 | |
CG_LAB-BE-WAN | W | A | 123.201.54.132 | |
CG_LAB-BE-WAN | W | A | 123.201.54.133 | |
CG_LAB-BE-WAN | W | A | 123.201.54.134 | |
CG_LAB-CSE-MIX | L | A | 172.17.0.1-172.17.0.254 | |
CG_LAB-CSE-MIX | L | A | 192.168.0.10 | |
CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:13 | |
CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:14 | |
This results in four Classification rule definitions:
- CG_LAB-AE-MAC (MAC): aa-bb-cc-dd-ee-11, aa:bb:cc:dd:ee:12, aa:bb:cc:dd:ee:13
- CG_LAB-BE-LAN (LAN IP): 172.16.0.16, 172.16.0.0/24, 172.16.1.2-172.16.1.127
- CG_LAB-BE-WAN (WAN IP): 192.168.0.0/16, 123.201.54.132, 123.201.54.133, 123.201.54.134
- CG_LAB-CSE-MIX (LAN IP AND MAC): LAN IP in (172.17.0.1-172.17.0.254, 192.168.0.10) AND MAC in (aa:bb:cc:dd:xy:13, aa:bb:cc:dd:xy:14)
CSV Import Wizard
The following options are available in the CSV import wizard in HyLabs. To enable Classification rule import, check the option in the CSV Import Profile and place the appropriate file at the defined CSV location. See the section CSV configurations for more details about CSV import.
Classification rule Examples
Consider the above Classification rules associated with different reservations as follows:
1. RES#1 - CG_LAB-AE-MAC
2. RES#2 - CG_LAB-BE-LAN
3. RES#3 - CG_LAB-BE-WAN
4. RES#4 - CG_LAB-CSE-MIX
5. RES#5 - CG_LAB-AE-MAC, CG_LAB-BE-LAN
- RES#1: Users logging in from a device whose MAC address is listed in the Classification rule "CG_LAB-AE-MAC" will have access, whereas users logging in from HyLite or any other device will not.
- RES#4: Accessible only from clients whose MAC address is either aa:bb:cc:dd:xy:13 or aa:bb:cc:dd:xy:14 and whose IP is in 172.17.0.1-172.17.0.254 or is 192.168.0.10. A single Classification rule defines multiple parameter types, and the conditions of both types must be met to grant access.
- RES#5: Accessible from clients whose MAC address is listed in CG_LAB-AE-MAC or whose IP is listed in CG_LAB-BE-LAN. If a reservation has multiple Classification rules, matching any one of them grants access.
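The rule evaluation described in the ANDing/ORing section, the CSV layout above and the RES# examples, as an added example that is not part of the original page or of HyWorks itself: a small Python model that imports the page's CSV columns (assumed here to be comma-separated, with valid placeholder MACs instead of the page's aa:bb:cc:dd:xy:nn) and evaluates access the way the page describes (OR across the Classification rules on a resource, AND across rule types within one rule, OR across the values of one type). The directory-group exception uses an assumed group name, and a D row is included to show deletion. Two behaviours are assumptions of this model rather than documented behaviour: a rule type whose values were all deleted is ignored, and a rule with no remaining values grants nothing (fail closed).

```python
import csv
import io
import ipaddress

# Constructed sample input (not from the page): the CSV columns the page
# documents, assumed comma-separated. The last row uses the "D" action.
SAMPLE_CSV = """\
ClientGroupName,Para-Type,Add / Delete,Para-Value,RealmName
CG_LAB-AE-MAC,M,A,aa-bb-cc-dd-ee-11,
CG_LAB-AE-MAC,M,A,aa:bb:cc:dd:ee:12,
CG_LAB-AE-MAC,M,A,aa:bb:cc:dd:ee:13,
CG_LAB-BE-LAN,L,A,172.16.0.16,
CG_LAB-BE-LAN,L,A,172.16.0.0/24,
CG_LAB-BE-LAN,L,A,172.16.1.2-172.16.1.127,
CG_LAB-BE-WAN,W,A,192.168.0.0/16,
CG_LAB-BE-WAN,W,A,123.201.54.132,
CG_LAB-CSE-MIX,L,A,172.17.0.1-172.17.0.254,
CG_LAB-CSE-MIX,L,A,192.168.0.10,
CG_LAB-CSE-MIX,M,A,aa:bb:cc:dd:ee:13,
CG_LAB-CSE-MIX,M,A,aa:bb:cc:dd:ee:14,
CG_LAB-CSE-MIX,M,D,aa:bb:cc:dd:ee:14,
"""

# Para-Type letter -> rule type in the in-memory model. Directory groups
# ("group") are not a CSV parameter type on the page; they are set in code.
PARA_TYPES = {"M": "mac", "L": "lan_ip", "W": "wan_ip"}


def norm_mac(value):
    """Accept both 48:2C:... and 48-2C-... forms; compare case-insensitively."""
    return value.strip().lower().replace("-", ":")


def import_rules_csv(text):
    """Build {rule_name: {rule_type: set(values)}} from CSV rows; D rows remove."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["ClientGroupName"].strip()
        rtype = PARA_TYPES[row["Para-Type"].strip().upper()]
        value = row["Para-Value"].strip()
        if rtype == "mac":
            value = norm_mac(value)
        bucket = rules.setdefault(name, {}).setdefault(rtype, set())
        if row["Add / Delete"].strip().upper() == "A":
            bucket.add(value)
        else:
            bucket.discard(value)
    return rules


def ip_in(value, spec):
    """Match one client IP against a single IP, a CIDR, or an a-b range."""
    ip = ipaddress.ip_address(value)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= ip <= hi
    # strict=False so "192.168.0.1/16" (host bits set, as on the page) is accepted
    return ip in ipaddress.ip_network(spec, strict=False)


def type_matches(rtype, values, endpoint):
    """OR within one rule type: any configured value may match the endpoint."""
    if rtype == "mac":
        mac = endpoint.get("mac")  # HyLite sends no MAC, so a MAC rule fails
        return mac is not None and norm_mac(mac) in values
    if rtype in ("lan_ip", "wan_ip"):
        ip = endpoint.get(rtype)
        return ip is not None and any(ip_in(ip, v) for v in values)
    if rtype == "group":
        return bool(values & set(endpoint.get("groups", ())))
    return False


def rule_matches(rule, endpoint):
    """AND across the rule types in one Classification rule (e.g. MAC and LAN IP)."""
    active = [(t, v) for t, v in rule.items() if v]  # assumption: empty types ignored
    return bool(active) and all(type_matches(t, v, endpoint) for t, v in active)


def access_allowed(rule_names, rules, endpoint):
    """OR across the Classification rules attached to a resource."""
    if not rule_names:
        return True  # no Classification rule attached: resource is unrestricted
    return any(rule_matches(rules[n], endpoint) for n in rule_names)


RULES = import_rules_csv(SAMPLE_CSV)
# Directory-group exception from the page's use case, ORed with the LAN rule
# on RES#2; "VDI-Travellers" is an assumed group name.
RULES["CG_TRAVEL-EXCEPTION"] = {"group": {"VDI-Travellers"}}
RESERVATIONS = {
    "RES#1": ["CG_LAB-AE-MAC"],
    "RES#2": ["CG_LAB-BE-LAN", "CG_TRAVEL-EXCEPTION"],
    "RES#3": ["CG_LAB-BE-WAN"],
    "RES#4": ["CG_LAB-CSE-MIX"],
    "RES#5": ["CG_LAB-AE-MAC", "CG_LAB-BE-LAN"],
}


def check(reservation, endpoint):
    """True if the endpoint (dict of mac / lan_ip / wan_ip / groups) may access it."""
    return access_allowed(RESERVATIONS[reservation], RULES, endpoint)
```

Running `check("RES#4", {"mac": "aa:bb:cc:dd:ee:13", "lan_ip": "10.0.0.1"})` returns False even though the MAC is listed, because the LAN IP type in the same rule must also match; `check("RES#5", {"mac": "00:11:22:33:44:55", "lan_ip": "172.16.1.100"})` returns True because matching either of the two rules on RES#5 is enough.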
Workflow in Reservation Management (HyLabs)
The following flow can be used to define and apply Classification rule restrictions:
- Import a Classification rule CSV with the appropriate entries, or add the rules from the Classification rule screen.
- Configure gold master access with the selected Classification rules: this restricts every reservation created from that gold master.
- Configure reservations with Classification rules: this restricts access to the reservation to the selected Classification rules only.