Citrix Access Gateway Advanced 4.5 Tutorials

Resources / Network Resources

Subtitles of the Movie

This is Citrix Access Gateway Advanced Edition 4.5 and in this video we're going to discuss Network Resources. Now Network Resources are different from all the other resources we've discussed so far: whereas with File Share Resources and Web Resources you access them through the Web Interface to the Access Farm, Network Resources are accessible through an Access Gateway Appliance using the Secure Access Client. Network Resources provide users access to Network Segments and Servers; access to these resources can be limited by specifying a specific port or protocol that must be used to access the resource. So let's step through setting up a Network Resource. We go to the Access Management Console and we highlight the Network Resources Tab. Over on the right you'll see an entire Network Resource; if we look at the properties for this we'll see that it allows full access to any server on any network inside the organization. This particular resource cannot be edited, as you just saw; it also cannot be deleted. It's there as a placeholder so that you can grant access to the entire network. In small organizations this is probably not a big deal if you're running a network that has 50 users and 50 workstations and you just want everybody that comes in to be able to access everything that's on the network. Obviously you would just create a policy that says anyone that comes in can access the entire Network Resource. However, in larger organizations where security is a concern you would want to limit the Networks and/or Servers that your Remote Users can access, and we'll show you how to do that as we set up the Network Resource. So we'll right click on Network Resources and we will say Create Network Resource. As always we have to give it a name and a description, and so we'll give it a workstation IP Name and give it a description of the workstation IP Range.
Now for our example we're going to assume that all of our workstations are on a separate segment than all the servers and we're going to grant all of the Remote Users access to all the workstations so that they can remote into the network and remote control their workstations to get their job done. So we'll hit Next, we'll specify Server Imports, so we will hit New because we're going to specify a New Item in this list. Now when you specify a Network Resource you can either specify the destination as a fully qualified Domain Name, for example, VTC -CAGAA VTCTraining.com which is the host we're running on, but again it works for an example. You could not put an IP Address in here; those can be entered down here for a single IP Address. If you had just a single IP Address that did not have a DNS Resolution you could put it in here, in this case 10.10.1.1 for example, or you can say I want to grant access to an entire Network Range. In this case we'll assume that all of our workstations are on the 10.10.10.0 network and it is a Class C Network. We're going to allow all three protocol types through: TCP, UDP and ICMP. If you only wanted to allow RDP through, for example, you could say I only want to allow TCP through and I only want to allow Port 3389 through, and this would allow your users coming in from the Remote Networks to only access your workstation Network Segment using the TCP Protocol on port 3389. So now that we've set this up, which is a very consistent restriction here, we'll hit OK and you'll notice we have a summary in here that says what protocols, what ports, etc. we can get to using this Network Resource.
Now as with the other types of resources you can specify multiple Network or Server IP Addresses in the same resource so that you can group, for example, all of your SQL Servers in one resource and all of your Workstations in another and all of your Domain Controllers in a third, and then just by granting access to those three Network Resources or one of those three Network Resources you can grant access to your Remote Users to, for example, all of your Workstations. Now one thing to keep in mind here, we'll open up this Network Resource just as a point of reference. You'll notice that we can specify TCP, UDP and ICMP port 3389; the Access Gateway does not know what these ports are. For example, if you have a virus running around your Network and it happens to open up port 3389, if you allow access through on port 3389, then the Access Gateway could not possibly care less what traffic is going across there. It could be virus traffic, it could be Anti-Virus, it could be RDP in this case; all it knows is, if it meets these Criteria I'm going to let it through and I'm not going to interfere with the traffic in the least. That's something to keep in mind if you're using non-standard ports for some of your applications: you need to make sure that those non-standard ports are allowed through and not just say well it's a SQL Server so it should just allow anything that has to do with SQL through as well. To be honest not a lot of organizations where I've seen this deployed use the port and the protocols; generally they'll just restrict to an IP Address. They'll say this group of users can access these Network Resources on every port and every protocol. Very rarely will you see a restriction put in place and that's only for very highly sensitive servers that have a lot of secure data on them. But most of the time it's just far too much of an administrative nightmare to keep track of all the different ports on all the different servers throughout the network.
That's really the only thing to remember when you're setting up a Network Resource. So we've added this Network Resource, so we'll hit Next and we'll choose to create a default policy, which again you could lock down later on and we will as we go through the lab elsewhere in the course. So once we've done this we now have another resource over here in our Network Resources and you can administer it as with all the others by right clicking and choosing Edit. And this concludes our discussion of Network Resources.
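
The matching behaviour described in the walkthrough, as an added example that is not part of the original video and is not Citrix code: a small Python model of a Network Resource that decides on destination, protocol and port alone, plus a helper that lists address-only entries for review. The class and function names are hypothetical, the connection attempts are constructed, and treating ICMP as portless is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical model of one "Network Resource" entry; not Citrix code.
@dataclass(frozen=True)
class Entry:
    network: str                            # CIDR range, or /32 for a single IP
    protocols: FrozenSet[str]               # subset of {"TCP", "UDP", "ICMP"}
    ports: Optional[FrozenSet[int]] = None  # None means every port

def entry_allows(entry, dst_ip, proto, port=None):
    """Match on destination, protocol and port only. There is no payload
    argument: whatever is carried on an allowed tuple gets through."""
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(entry.network):
        return False
    if proto not in entry.protocols:
        return False
    # Assumption: ICMP has no port, so a port list only constrains TCP/UDP.
    return proto == "ICMP" or entry.ports is None or port in entry.ports

def allowed(resource, dst_ip, proto, port=None):
    return any(entry_allows(e, dst_ip, proto, port) for e in resource)

def address_only_entries(resource):
    """Entries that restrict by address alone (every TCP/UDP port open)."""
    return [e for e in resource
            if e.ports is None and e.protocols & {"TCP", "UDP"}]

# The two variants from the walkthrough: the whole 10.10.10.0 Class C range
# on all three protocols, and the same range limited to TCP port 3389.
WORKSTATIONS_OPEN = [Entry("10.10.10.0/24", frozenset({"TCP", "UDP", "ICMP"}))]
WORKSTATIONS_RDP = [Entry("10.10.10.0/24", frozenset({"TCP"}), frozenset({3389}))]

if __name__ == "__main__":
    # Constructed connection attempts: (destination, protocol, port)
    attempts = [("10.10.10.25", "TCP", 3389),   # RDP to a workstation
                ("10.10.10.25", "TCP", 445),    # another service, same host
                ("10.10.10.25", "TCP", 3390),   # service on a non-standard port
                ("10.10.1.1", "TCP", 3389)]     # host outside the range
    for dst, proto, port in attempts:
        print(dst, proto, port,
              "open:", allowed(WORKSTATIONS_OPEN, dst, proto, port),
              "rdp-only:", allowed(WORKSTATIONS_RDP, dst, proto, port))
    print("address-only entries:", address_only_entries(WORKSTATIONS_OPEN))
```

Running `address_only_entries` over every resource gives a short list of the places where remote users reach every port on a segment, which is where a port restriction would be added for the sensitive servers the narration mentions.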

Tutorial Information

Course: Citrix Access Gateway Advanced 4.5
Author: Greg Dickinson
SKU: 33959
ISBN: 1-935320-25-4
Release Date: 2009-01-27
Duration: 7 hrs / 68 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
