Classification Rules

In some deployments, users must be allowed to access HyWorks resources (such as desktop pools, applications, and reservations) only when the connection originates from known networks or devices. In such cases, classification rules can be used to restrict access to HyWorks resources.

Once classification rules are defined and configured, the resources (desktop pools and virtual applications) will be accessible only from endpoints that meet the criteria.

Classification rules can be created based on the following:

  • LAN IP (Applicable for HyWorks Clients only)

  • WAN IP (Applicable for HyWorks Clients and HyLite for future releases)

  • MAC Address (Applicable for HyWorks Clients only)

Add Classification rule

  1. Go to Devices > Classification Rules

  2. Click Add

  3. Enter a name for the Classification rule to be uniquely identified in the system

  4. Enter a description if required

  5. Select Active to activate the Classification rule

  6. Click Add New Rule to add a new rule for the Classification rule

    1. Select the rule type from the list, and click Add New Rule

      Three types of rules can be created:

      • MAC Address: Enter multiple comma-separated MAC addresses. A maximum of 500 MAC addresses can be supported at a time. Examples of valid MAC formats are 48:2C:6A:1E:59:3D and 48-2C-6A-1E-59-3D.

      • LAN IP Address: Enter multiple comma-separated LAN IP addresses. A maximum of 500 IP addresses can be supported at a time. Examples of valid IP formats are 192.168.0.241, 192.168.0.1/16, and 192.168.0.1-192.168.0.255.

      • WAN IP Address: Enter multiple comma-separated WAN IP addresses. A maximum of 500 IP addresses can be supported at a time. Examples of valid IP formats are 192.168.0.241, 192.168.0.1/16, and 192.168.0.1-192.168.0.255.

      • Directory Group (v3.4-SP2 or above): Search and add directory groups from the configured authorization server. The use case of directory groups is explained later in this document.

      Note

      • A rule type can be configured only once, but addresses can be added to or deleted from the rule.

  7. After configuring the required rules, click Save to save the Classification rule.

Update Classification rule

  1. Go to Devices > Classification Rules.

  2. Select the group you want to edit and click Edit.

  3. Modify as per your requirement.

  4. Click Update.

Delete Classification rule

  1. Go to Devices > Classification Rules.

  2. Select the group that you want to delete.

  3. Click Delete.

  4. Confirm and click Delete.

Association of Classification Rules

Classification rules can be applied to the following objects of HyWorks:

  1. Administration Portal:

  2. Reservation Management Portal (HyLabs):

    • Reservation - Gold Master.

Logical ANDing and ORing of Rules

The following statements can be used to combine multiple rules to correctly restrict access to resources logically:

  1. Configure multiple classification rules on a resource to allow access from devices that satisfy any one of the configured classification rules.

    • If multiple classification rules are configured on a resource, they are evaluated using logical OR.

  2. Configure different rule types inside a single classification rule to allow access only from devices that satisfy all of the rule types in that classification rule.

    • If multiple rule types (e.g., MAC and LAN IP) are specified in a classification rule, they are combined with logical AND. Thus, the resource will be accessible only from devices that satisfy both conditions.

Usage of the Directory Group Feature

The directory group type has been added in classification rules specifically for the following use case:

Allowing users to access their assigned desktops or applications even when they connect from unpermitted networks or devices, by using directory groups as an exception.

Use Case:

  • The user temporarily travels and then wants to access their assigned desktops or virtual apps, even when connecting from a network location that is not allowed.

  • Option #1: To allow this user, the administrator must always know their IP address and must keep adding or removing it from the classification rule.

  • Option #2: Directory Group. The resources can have one additional classification rule (a logical OR), and this rule will be assigned to a directory group.

    • Whenever such user(s) are given access to resources outside the defined network, they can be added to the directory group.

    • Once the exception is removed, the user can be removed from the directory group.

Important

  • In previous versions, the Directory group feature was not supported with HyLabs. The feature support has now been extended to HyLabs in v4.0.

Import Classification Rules CSV

If needed, classification rules can be imported from the HyLabs portal.

In HyLabs > CSV Configurations, the option to import the Classification rule CSV has been added. The rest of the configurations, e.g., CSV Format and CSV Location details, will remain the same.

The following types of parameters can be used to define a Classification rule:

  • LAN IP (Applicable for HyWorks Clients only)

  • MAC Address (Applicable for HyWorks Clients only)

  • WAN IP (Applicable for HyLite and HyWorks Clients)

  • A single Classification rule can have one or multiple types of parameters

  • Below are some examples of CSV entries:

| ClientGroupName | Para-Type | Add / Delete | Para-Value | RealmName |
|---|---|---|---|---|
| CG_LAB-AE-MAC | M | A | aa-bb-cc-dd-ee-11 | |
| CG_LAB-AE-MAC | M | A | aa-bb-cc-dd-ee-11 | |
| CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:12 | |
| CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:13 | |
| CG_LAB-BE-LAN | L | A | 172.16.0.16 | |
| CG_LAB-BE-LAN | L | A | 172.16.0.0/24 | |
| CG_LAB-BE-LAN | L | A | 172.16.1.2-172.16.1.127 | |
| CG_LAB-BE-WAN | W | A | 192.168.0.0/16 | |
| CG_LAB-BE-WAN | W | A | 123.201.54.132 | |
| CG_LAB-BE-WAN | W | A | 123.201.54.133 | |
| CG_LAB-BE-WAN | W | A | 123.201.54.134 | |
| CG_LAB-CSE-MIX | L | A | 172.17.0.1-172.17.0.254 | |
| CG_LAB-CSE-MIX | L | A | 192.168.0.10 | |
| CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:13 | |
| CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:14 | |

So now there will be four Classification rule definitions:

  1. CG_LAB-AE-MAC: aa-bb-cc-dd-ee-11 aa:bb:cc:dd:ee:12 aa:bb:cc:dd:ee:13

  2. CG_LAB-BE-LAN: 172.16.0.16 172.16.0.0/24 172.16.1.2-172.16.1.127

  3. CG_LAB-BE-WAN: 192.168.0.0/16 123.201.54.132 123.201.54.133 123.201.54.134

  4. CG_LAB-CSE-MIX: (172.17.0.1-172.17.0.254 192.168.0.10) aa:bb:cc:dd:xy:13 aa:bb:cc:dd:xy:14

CSV Import Wizard

The following options are available in the CSV Import Wizard in HyLabs. To enable the Classification rule import, check the option in the CSV Import Profile and place the appropriate file in the defined CSV location. For more details about CSV import, see the CSV configurations section.

Classification Rule Examples

Consider the above Classification rules, which are associated with different reservations as described below:

  1. RES#1 - CG_LAB-AE-MAC

  2. RES#2 - CG_LAB-BE-LAN

  3. RES#3 - CG_LAB-BE-WAN

  4. RES#4 - CG_LAB-CSE-MIX

  5. RES#5 - CG_LAB-AE-MAC, CG_LAB-BE-LAN

  • RES#1: Users logging in from a device with MAC addresses defined for the Classification rule “CG_LAB-AE-MAC” will have access, whereas any user logging in from HyLite or other devices will be unable to access.

  • RES#4: Will only be accessible from clients whose MAC address is either aa:bb:cc:dd:xy:14 or aa:bb:cc:dd:xy:13, and whose IP is 172.17.0.1-172.17.0.254 or 192.168.0.10.

    • A single Classification rule defines multiple parameters, and both types of conditions should be met to grant access.

  • RES#5: Will be accessible from clients having MAC addresses defined in CG_LAB-AE-MAC or clients having IP addresses defined in CG_LAB-BE-LAN.

    • If a reservation has multiple Classification rules, members of any Classification rule can access the reservation.
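
The AND/OR evaluation described above, modeled in Python as an added example (this is not HyWorks code). The rows and reservation associations are taken from the sample table and examples on this page; the function names and the endpoint dictionary keyed by parameter type (M, L, W) are assumptions made for illustration.

```python
import ipaddress

# Rows copied from the page's sample CSV table (ClientGroupName, Para-Type, Para-Value).
ROWS = [
    ("CG_LAB-AE-MAC", "M", "aa-bb-cc-dd-ee-11"),
    ("CG_LAB-AE-MAC", "M", "aa:bb:cc:dd:ee:12"),
    ("CG_LAB-BE-LAN", "L", "172.16.0.0/24"),
    ("CG_LAB-BE-LAN", "L", "172.16.1.2-172.16.1.127"),
    ("CG_LAB-CSE-MIX", "L", "172.17.0.1-172.17.0.254"),
    ("CG_LAB-CSE-MIX", "L", "192.168.0.10"),
    ("CG_LAB-CSE-MIX", "M", "aa:bb:cc:dd:xy:13"),
]
# Reservation-to-rule associations from the page's examples.
RESERVATIONS = {"RES#1": ["CG_LAB-AE-MAC"], "RES#4": ["CG_LAB-CSE-MIX"],
                "RES#5": ["CG_LAB-AE-MAC", "CG_LAB-BE-LAN"]}

def norm_mac(mac):
    # Accept ':' and '-' separators; no hex check (page samples use "xy" octets).
    return mac.strip().lower().replace("-", ":")

def ip_matches(ip, spec):
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                      # inclusive range: first-last
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    if "/" in spec:                      # CIDR; strict=False accepts 192.168.0.1/16
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)

def build_rules(rows):
    rules = {}
    for name, ptype, value in rows:
        rules.setdefault(name, {}).setdefault(ptype, []).append(value)
    return rules

def rule_allows(rule, endpoint):
    def ok(ptype, values):
        seen = endpoint.get(ptype)
        if seen is None:                 # endpoint cannot report this parameter
            return False
        if ptype == "M":
            return norm_mac(seen) in {norm_mac(v) for v in values}
        return any(ip_matches(seen, v) for v in values)
    return all(ok(t, v) for t, v in rule.items())   # AND across rule types

def can_access(reservation, endpoint, rules=None):
    # OR across the classification rules attached to the resource.
    rules = rules or build_rules(ROWS)
    return any(rule_allows(rules[n], endpoint) for n in RESERVATIONS[reservation])
```

An endpoint that reports no MAC address fails a MAC rule type, which matches the RES#1 statement that HyLite users cannot access that reservation.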

Workflow in Reservation Management (HyLabs)

The following flow can be used to define and use Classification rule restrictions:

  • Import the Classification rule CSV with appropriate entries, or add using the Classification rule screen

  • Configure gold master access to selected Classification rules: To restrict all the reservations from the gold master

  • Configure reservations with Classification rules: To restrict the reservation access to selected Classification rules only