Using Filtering Rules

Filtering is a feature that allows you to control who can access a particular published resource. You can define filtering rules based on any of the following:

• User
• Client (managed client)
• IP address
• MAC address
• Gateway

By default, no filtering rules exist for a published resource, therefore the resource is available to anyone who is connected to a Parallels RAS farm. Once you specify a filtering rule for a published resource, only those users/computers who satisfy the criteria will be able to use it.

To create a filtering rule, select a published resource in the Published Resources tree and click the Filtering tab. In the Select Filtering Type drop-down list, select a criteria and then define a filtering rule as described below.

Filtering by User

To allow individual users or a user group to access the published resource:

1. Select User in the Search Filtering Type drop down list.
2. Select the Allow the following Users option.
3. Click Tasks > Add and specify a user or a group in the Select Users dialog. Click OK to add a user/group to the list on the Filtering tab page.
4. In the Default Object Type drop-down list, select whether this rule will applies to users, groups, or both.
5. In the Browse Mode drop-down list, select the browsing mode you would like to use to connect to Active Directory or Windows.

   The options are:

   • WinNT. WinNT is faster than LDAP but does not support group nesting. Used only for backward compatibility.
   • LDAP. LDAP supports group nesting but is slow. Used only for backward compatibility.
   • Secure Identifier. This is the preferred and fastest method. It supports group nesting and renaming.

To convert users or groups specified using WinNT or LDAP, select a user entry and then click Tasks > Convert.

Filtering by Client

To allow a specific client or a list or clients to access the published resource, follow these steps:

1. Select Client in the Search Filtering Type drop-down list.
2. Select the Allow the following Clients option. You can use the asterisk character (*) as a wildcard in a name. To include a wildcard in a name, select a client in the list and then click Tasks > Edit.
3. Click Tasks and choose one of the following:
   • Add from network browse. Opens a dialog where you can select a client from the list populated from the network.
   • Add from Active Directory. Opens a dialog where you can specify a computer or search the Active Directory for it.
   • Add from known devices. Opens a dialog where you can select a client from the list populated by previously connected clients.
   • Edit. Allows you to modify the name of a selected client. If you want to include a wildcard (*) in a name, you can do it using this option. If no client is selected in the list, the option is disabled.
   • Delete. Allows you to delete a selected client. If no client is selected in the list, the option is disabled.
4. Click OK to add your selection to the Client list.

Filtering by IP Address

To allow a specific IP address (or multiple addresses) or a range of IP addresses to access the published resource, follow these steps:

1. In the Search Filtering Type drop-down list, select IP Address.
2. Select the Allow the following IPs option.
3. Click Tasks > Add in the IPv4 and/or IPv6 sections to specify the IP address or a range of IP addresses and click OK.

Filtering by MAC Address

To allow a MAC address or a specific list of MAC addresses to access the published resource, follow these steps:

1. In the Select Filtering Type drop-down list, select MAC.
2. Select the Allow the following  MACs option.
3. Click Tasks > Add to select the MAC address(es) and click OK.

Filtering by Gateway

To allow users to connect to a published resource through a specific gateway, follow these steps:

1. Select the Gateway filtering type.
2. Select the Allow connections from the following gateway option.
3. Click Tasks > Add to specify the gateway and its IP address (if it has multiple IP addresses).

Configuring multiple filtering rules

If multiple filtering rules are configured for a specific published resource, the connecting user has to match ALL of them to be allowed access to the published resource.