Subtitles of the Movie

So now we'll right-click Filters again, and we will choose to Create a Filter. In this case we will name it Advanced Machine Domain Validation and we'll choose that it is a Custom filter and we'll hit Next. So first since we're essentially going to build the same filter as we did using the basic Wizard, let's click the Logon Point button and we're prompted to choose a Logon Point, in this case we only have the one, so we'll hit OK. And you'll notice that now we can't choose anything else, and again it's a pretty common mistake that a lot of people make. They forget to put an Operator at the beginning, either AND, OR, or NOT, and so they can only put a single criteria in the custom filter. So let's delete and we will choose AND at the top and from under here now we'll choose Logon Point. Now if we go back to AND we can now add something else. So we'll add SampleLogonPoint. We'll say the authentication strength is Windows authentication only. And the Endpoint Analysis output for Citrix Scans for Domain Membership. We also have another Filter button, which means that we can choose the output of another filter as one of the criteria for running this filter, much as you did when you were building the Endpoint Analysis Scans. In this case it would make no sense to add the same filter as a criteria, so we'll just hit Cancel, and you'll notice down here the Expression Preview shows that we have to be logging on from SampleLogonPoint AND we have to be using Windows authentication, AND we have to pass the Citrix Domain Membership check for Windows Operating Systems. And it has to be Verified. But what if we wanted to have all of these criteria and also say you have to pass all of this but NOT be running any Antivirus according to the Windows Security Center. This is very simple. You hierarch the AND here, you hit NOT, you choose Endpoint Analysis Output, chose the Citrix Scans for Windows Security Center Antivirus Scan, Antivirus enabled. So we'll be saying all of this has to be True AND you should not be running Antivirus. Now why would you want to create a filter like this in the real world? In the real world if you had multiple logon points you could have every Logon Point except one require that you be running Antivirus and then one Logon Point that is requiring that you're not running Antivirus but on the Machine Domain could point you to a custom portal page that all it does is allow you to download and install the Microsoft Antivirus or Norton, or McAfee or whatever Antivirus solution your company happens to use. Because like we mentioned at the beginning these filters can filter for inclusion or can filter for exclusion. For example you can build a filter that checks to see that you are a Domain Member and then apply that filter as a False Exclusion Filter in your Policy and that essentially would make it so that Policy only applies if you're not a member of the specified domain. Now another scenario you might find yourself in is say you want all of these conditions to be True and either be running Internet Explorer or have Antivirus enabled. This one's kind of tricky because you kind of have to think like Citrix wants you to think. In this case we'll highlight this AND, and we'll add another AND condition underneath that. And you can look down here in the Expression Preview. I honestly find that a little easier than trying to figure all of this out just by looking at the filter logical tree. You highlight this AND filter and you hit OR underneath it and then under OR we'll choose the endpoint analysis output of connecting with a specified version of Windows Explorer and then we'll also add the Antivirus check. And what this essentially says is you have to be using the SampleLogonPoint AND Windows authentication AND you have to be in the VTCTRAINING Domain AND you have to either be running an Antivirus OR be running Internet Explorer, or more accurately connecting with Internet Explorer. And again if you look down here in the Expression Preview it kind of spells that out for you using the parentheses and the parenthetical expressions down here. Like I said I personally find that a little easier. Some people might find it easier to look at the logical layout of the filters up top. At any rate, you can only get this complex if you do custom filters. Obviously you saw when we went through the basic filter Wizard you didn't have anything like this level of flexibility and for that reason most of your filters will be custom filters just simply because you can scan for the precise combination of conditions that you're looking for in your environment. Also remember, you can also use the other filter button to say, All of this stuff must be true AND this other filter has to be true as well if you can't get the exact combination you're looking for by stringing these scans together. So now that we've built all this we'll hit Finish and immediately get an error message that tells us we don't have the proper number of children under one of our filter nodes. I'm willing to bet it's this little guy here, because we only have a single AND condition, so we'll actually structure this properly, and even thought it might not look like I actually induced that error message to show you what would happen if you tried to do something that didn't make any logical sense to the Access Management Console. It'll just kind of bark at you like that. This is actually the proper way to build that filter. You make this an OR statement and if you look down here in the Expression Preview it looks almost exactly the same so that's why you have to really play with these filters somewhat to get them to work exactly like you want to sometimes. You hit Finish and it accepted that and like I said both filters seem to do the same thing but Citrix just wants you to do it one way. And this concludes our discussion on Access Filters.