How to implement Locations and Devices based on wireless networks
How to implement Locations and Devices based on wireless networks Disclaimer Whilst every care has been taken by RES Software to ensure that the information contained in this publication is correct and complete, it is possible that this is not the case. RES Software provides the publication "as is", without any warranty for its soundness, suitability for a different purpose or otherwise. RES Software is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this publication. RES Software may change or terminate this publication at any time without further notice and shall not be responsible for any consequence(s) arising there from. Subject to this disclaimer, RES Software is not responsible for any contributions by third parties to this publication. Copyright Notice Copyright © on software and all Materials 1998-2013 Real Enterprise Solutions Development BV, P.O. Box 33, 5201 AA `sHertogenbosch, The Netherlands. RES and the RES Software Logo are either registered trademarks or service marks of Real Enterprise Solutions Nederland B.V. in Europe, the United States and other countries. RES Automation Manager, RES Workspace Manager, Dynamic Desktop Studio, Virtual Desktop Extender and RES VDX are trade names of Real Enterprise Solutions Nederland B.V. in Europe, the United States and other countries. All other product and company names mentioned may be trademarks and/or service marks of their respective owners. Real Enterprise Solutions Development BV, The Netherlands has the following patents: U.S. Pat. "US 7,433,962", "US 7,565,652", "US 7,725,527", other patents pending or granted. ii About this paper The provided information in this paper applies to: Product Version Service Release RES Workspace Manager 2012 SR3 Microsoft Windows XP x86/x64 - Vista x86/x64 7 x86/x64 Please note that wireless network zone rules do not apply to Microsoft Terminal Server sessions and Citrix XenApp sessions. Audience RES Software documentation is carefully researched and written for a specific target audience and is intended primarily for Administrators. In this document, we assume that you are familiar with RES Workspace Manager and knows how to set up and configure different features, including Zones and Access Control. Finding product documentation RES Software provides product documentation for different stages of deployment: from designing the environment to installing, using and troubleshooting. After a product is released, information is provided via the integrated product help file, the Administration Guide and the online Knowledgebase, available at http://support.ressoftware.com. iii Contents About this paper iii 1. Introduction 1 2. Inventory 2 3. Assigning a printer based on connection to a specific wireless network 4 4. Assigning a printer based on nearest access point 6 5. Security considerations 10 Trusted access points ................................................................................. Connected network (SSID) ............................................................................ Nearest access point (BSSID) ......................................................................... Hidden wireless networks ............................................................................ 10 10 11 11 Restricting application availability to specific access points of a wireless network 12 Preventing interference with printer availability based on nearest access point 15 Maintenance 18 5.1 5.2 5.3 5.4 6. 7. 8. iv 1. Introduction Wireless networks can be excellent indicators of an end user's actual location. This means that the connection to wireless networks and the signal strength of wireless access points can be used to determine the User Context and provide the end user with the RES Workspace Manager features needed at specified locations. Wireless network zone rules were introduced in RES Workspace Manager 2012 SR3 to enable a very granular implementation of this type of location awareness. The purpose of this document is to provide assistance with the setup and implementation of Zones based on wireless network zone rules. The following wireless network zone rules are available: Rules based on Connected network (SSID) allow you to configure features (e.g. printers and applications) that are available if a session is running on a device connected to a specific wireless network. Rules based on Nearest access point (BSSID) allow you to configure features to be available if a session detects that a specific access point is the nearest, based on it having the greatest signal strength of all detected access points. This document describes some preparatory steps needed to get a good overview of the physical wireless network on site, and insight in the impact wireless network zone rules may have. Furthermore it covers the configuration, security options and signal detection options of wireless network zone rules with some examples. Steps to take When implementing zone rules that are based on wireless networks and access points take the following steps: Inventory: prior to the configuration of wireless network zone rules, it needs to be clear which wireless networks and access points are available on the departments or areas where the rules need to apply. This would also be a good time to review the wireless configurations to make sure that the coverage and signal strength is appropriate. Configure: based on this inventory, the availability of RES Workspace Manager features needs to be determined for all access points from each wireless network. The corresponding wireless zone rules and security settings can then be configured. Test: before the wireless zone rules are applied to an entire RES Workspace Manager environment, exploratory tests on the relevant areas may show possible mistakes in the configuration. Provision: when the wireless network zone rules provide the correct user context in all locations, the rules can be applied to the entire RES Workspace Manager environment. Copyright © 1998-2013 RES Software 1 2. Inventory Before you start using wireless network zone rules, you need to determine: which areas the wireless zone rules need to be operational. the wireless network coverage and access point signal strength at these areas. To gain this insight you may need to make an inventory of the wireless network(s) and the locations of wireless access points on site. Many administrative tools for wireless networks can provide this information, but you may need to perform a coverage scan on the target areas. You can use the RES Workspace Manager Workspace Preferences tool in an Agent session to perform such a scan. The Connection State-section of the Diagnostics-tab shows both the Connected and Detected wireless networks and access points. The Copy to clipboard-button allows you to copy the information for use in your future zone rules. Copyright © 1998-2013 RES Software 2 You may find that adjacent access points show large overlapping areas, making it difficult to predict what will be the access point with the greatest signal strength. In these areas, Agents may perceive network connectivity changes or signal strength fluctuations with only the slightest physical movement. You would prefer a situation where the amount of access points covering each area is limited, so that Agents switch networks within reasonable defined boundaries and Nearest access point rules are applied within clearly limited areas. Difficult to predict which access point (AP) will be detected as nearest by the Agent. At this point you may want to reconfigure your wireless access points to streamline their signal strength with the office outlines. Most wireless access points offer the possibility to configure their signal strengths. By default their signal strength is set to its maximum, but this can be changed to a lower level. Some access points (often with external antennas) also offer the possibility to steer their signal in a certain direction. When your scan is completed and your access points are configured, you need to determine how to convert the inventory findings into actual wireless network zone rules. You need to consider: which features should be configured with which wireless zone rules. how these features are applied to RES Workspace Manager sessions at each location. when and how sessions should respond if the wireless network connectivity or the nearest access point changes. what to do with external or unknown wireless networks or access points. In the following chapters these considerations are elaborated using some practical examples. Note Wireless network Zone rules can also be configured for the wireless home networks of company staff. You may want to include these networks in your inventory. Employees can provide the necessary information by copying the Diagnostics data from Workspace Preferences when running an RES Workspace Manager session at home. Copyright © 1998-2013 RES Software 3 3. Assigning a printer based on connection to a specific wireless network A basic implementation of wireless network zone rules is wireless connectivity. This chapter describes the configuration of a Zone that determines the availability of a printer located in the corridor of an office building that can be accessed by personnel only. The Zone will be based on a Connected network zone rule. Create a new Zone and enter its name, for example "Connected to company-private". On the Rules tab, click Add > Network > Wireless > Connected network (SSID). Use the browse button to select a Network (SSID) from a list of detected wireless networks. Alternatively, enter a Network (SSID) manually. Copyright © 1998-2013 RES Software 4 At Security, you configure which access points an Agent evaluates when applying the rule. Security options are detailed in Security considerations (on page 10). Select Must connect through a trusted access point if the rule applies only to Agents that connect to the specified wireless network through a trusted access point. An access point is trusted if an existing Nearest access point zone rule has been enabled in your RES Workspace Manager Console. This prevents interference from external access points that have been configured (spoofed) with the specified SSID. Select May connect through any access point, if the rule may be applied on Agents connected to any wireless network with the specified SSID. In this example, select May connect through any access point, because the printer must be available as long as the Agent is connected to the wireless network, regardless of the access point it connects to. This way, you do not need to create a full list of access points. Your Zone may now look like this: If you apply this Zone to a printer, that printer will be available on Agents connected to the specified wireless network. Copyright © 1998-2013 RES Software 5 4. Assigning a printer based on nearest access point Location awareness can be achieved by determining which detected wireless access point has the greatest signal strength. This chapter covers the configuration of printer availability based on Zones containing Nearest access point zone rules. The printers are located on different floors of an office building that is accessible to personnel only. Create a Zone for the first floor and enter its name, for example "Wireless first-floor". On the Rules tab, click Add > Network > Wireless > Nearest access point (BSSID). Use the browse button to select an Access point (BSSID) from a list of detected networks. Alternatively, enter an Access point (BSSID) manually. If you selected an access point from the list, the associated Network (SSID) is automatically selected. Otherwise, enter the Network (SSID) manually. Please note that if your wireless network SSID is hidden, you have to leave the Network (SSID) empty (see: Hidden wireless networks (on page 11)). Copyright © 1998-2013 RES Software 6 At Signal detection, you configure which access points an Agent evaluates when determining the access point with the greatest signal strength. Select Limit to trusted access points if you want to limit the evaluation to access points for which an enabled Nearest access point zone rule exists. Use this option to secure your wireless network zone rule implementation against interference from external access points. Select Do not limit to trusted access points if you want to evaluate all detected access points from networks with the same SSID. Use this option if external interference is not an issue and a full list of access points is not required. In this example, the Agent should evaluate all access points in the office building, so select Do not limit to trusted access points. Repeat these steps for every access point on the first floor. The Zone may now look like this: Copyright © 1998-2013 RES Software 7 Create a Zone rule for the second floor, "Wireless second-floor" and repeat the previous steps for all access points on the second floor. The Zone may look like this: Now your Locations and Devices node contains two Zones that are based on rules for the access points on each floor. Copyright © 1998-2013 RES Software 8 After you apply each Zone to the applicable printer, wireless Agents in your environment evaluate all access points within range. If one of the access points on the first floor has the strongest signal strength. the first floor printer will be available. If one of the second floor access points si strongest, the second floor printer is available. The printer is disconnected again if Agents move outside the range of the included access points or if Agents determine that another (external) access point with the same SSID has the greatest signal strength. RES Workspace Manager provides the ability to restrict your wireless zone rules to trusted access points to avoid interference from external access points. This is described in the next chapter: Security Considerations (on page 10). Copyright © 1998-2013 RES Software 9 5. Security considerations Typically, you restrict access to your private wireless network to authorized client devices. You may also have a public wireless network that allows visitors to access the internet. But in an increasingly mobile workplace the access points that belong to these networks may not be the only access point available on your site. Nowadays many mobile end user devices can be configured to act as a wireless access point. This may lead to interference from these devices when you are applying wireless network zone rules. For example, a student configures his mobile phone as a wireless access point and uses the same SSID as the university's private wireless network. When he roams the campus, RES Workspace Manager Agents may determine that this mobile phone is the access point with the greatest signal strength. If you configured wireless network zone rules that allow any access point, Agents will include the mobile phone in their evaluation of access points. This may cause a change in the wireless network zone rule that applies to the RES Workspace Manager session, and features may become available or unavailable. 5.1 Trusted access points To protect your wireless network zone rule implementation against this type of external interference, RES Workspace Manager can limit the configuration of your wireless network zone rules to trusted access points. Trusted access points are access points for which an enabled Nearest access point zone rule exists in your RES Workspace Manager Console. In general, the use of trusted access points makes your wireless zone rule implementation more secure because it disregards connections to external wireless networks with the same SSID. However, the option to use any access point makes the wireless zone rule implementation more granular. When using Trusted access points, you need to define a full set of Nearest access point rules for all relevant access points. 5.2 Connected network (SSID) Connected network (SSID) zone rules configure the use of trusted access points with the Security option: May connect through any access point. The zone rule applies if the Agent is connected to a wireless network with the specified SSID. This may or may not be your organization’s wireless network, because wireless network SSIDs are not globally unique. Must connect through a trusted access point. The zone rule applies if the Agent’s connection to a wireless network with the specified SSID uses a trusted access point. This makes it possible to disregard connections to other wireless networks with the same SSID, because they will not be accessible through your trusted access points. Copyright © 1998-2013 RES Software 10 5.3 Nearest access point (BSSID) The use of trusted access points for Nearest access point (BSSID) zone rules is configured with the Signal detection option: Limit to trusted access points. When determining which detected access point has the greatest signal strength, evaluate only trusted access points. Do not limit to trusted access points. When determining which detected access point is the nearest, evaluate all detected access points from networks with the specified SSID. This may include mobile access points to other networks with the same SSID, because wireless network SSIDs are not globally unique. The next chapters describe how to set up and configure wireless network zone rules with trusted access points. 5.4 Hidden wireless networks To provide a basic measure of security, wireless networks can be hidden, i.e. wireless access points can be configured to stop broadcasting the network name (SSID). RES Workspace Manager Agents will detect such a network as if its SSID is an empty string. If there are multiple access points with a hidden SSID, the Agent will not be able to distinguish between the networks they belong to. In these cases, a rule for the nearest access point, configured with an empty SSID will cause the Agent to evaluate the nearest access points of ALL access points that hide their SSID (even if they belong to different networks). Note Wireless network zone rules are generally defined for internal wireless network(s) only. It is possible to define rules for external wireless networks to achieve a more granular location awareness, for example if another company's wireless network is within range in a specific part of your organization's office. Implementing wireless network zone rules based on external networks may cause unwanted changes to the end user context if the external party decides to alter their wireless network. Copyright © 1998-2013 RES Software 11 6. Restricting application availability to specific access points of a wireless network The following example describes the configuration of a Zone that limits the availability of a medical prescription application to the office of a General Practitioner (GP). For convenience, the GP gave his wireless home network the same name as the wireless network in the practice. But due to federal law, the GP is only allowed to write and print prescriptions at the practice, and not at home. To enforce this, you want to make sure that the application is available if the Agent is connected to the wireless network, but only if connected through the access point(s) in the practice. You also need to ensure that the application is unavailable when the Agent connects through any other access point. Create a new Zone, for example "GP's office". First, add Nearest access point (BSSID) rule(s). At Access point (BSSID), enter the MAC address of the access point in the GP's office or use the browse button to select it from the list of detected wireless networks. The associated Network (SSID) is automatically entered if you select the access point from the list. You may also enter the Network (SSID) manually. At Signal detection, select Do not limit to trusted access points, so that the Agent will also evaluate the access point from the wireless network at home. Copyright © 1998-2013 RES Software 12 With the setup of these Nearest access point zone rule(s), the configured access point(s) are now Trusted access points in your RES Workspace Manager environment. Next, add the Connected network (SSID) rule the printer will be based on. Enter the Network (SSID) manually, or select it from the list of detected wireless networks. At Security, you select Must connect through a trusted access point to ensure that connections through any other access point are ignored. Copyright © 1998-2013 RES Software 13 The Zone now looks like this: If assigned to the prescription application, the Agent will now evaluate the signal strength of any access point, but makes the application available only when it is connected to the wireless network through the specified access point(s). Copyright © 1998-2013 RES Software 14 7. Preventing interference with printer availability based on nearest access point Many wireless network zone rule implementations will have to deal with the presence of external access points on site. This example describes how to use the security options of wireless network zone rules to keep Agents in a medical center connected to printers when moving around in both public and private areas. The medical center has a private wireless network for its staff and a public wireless network for patients and visitors. For each printer a Zone has to be configured that contains Nearest access point rules for the access points in the surrounding areas. Create a new Zone and add a Nearest access point rule (BSSID) for all of the access points that cover the area around the printer. Enter or select the Access point (BSSID) and make sure the correct Network (SSID) is entered. At Signal detection, select Limit to trusted access points te ensure that Agents will only evaluate trusted access points to determine whether the printer connectivity has to be changed. Copyright © 1998-2013 RES Software 15 With Do not limit to trusted access points, the Agent would evaluate any access point with the configured SSID, and would disconnect the printer if an external access point happened to have the greatest signal strength, because no printer is assigned to that (external) access point. If a tablet (configured as access point) with the same SSID as the private wireless network crosses the path of the Agent and is detected as the nearest access point, the printer will be disconnected. Add a Connected network (SSID) zone rule for the private wireless network, that is limited to trusted access points. Copyright © 1998-2013 RES Software 16 After configuring the Zones for all printers, the list of Trusted access points shows all access point for which a Nearest access point zone rule has been created. Agents will only evaluate these access points when determining the ones with the greatest signal strength. All other access points, internal or external, will be ignored. Locations and Devices may now look like this: If the Zones are applied to the correct printers, Agents will connect to the printer nearest to the trusted access point with the greatest signal strength. The connection to a printer will be lost if the Agent is no longer connected to the private wireless network through a trusted access point. Please note that the connection to a printer will not change if an access point other than the trusted access points has the greatest signal strength. These access points are simply ignored. Please note that although there is no zone rule for Connected Network (SSID), there must be a connection to the wireless network to be able to print. Copyright © 1998-2013 RES Software 17 8. Maintenance Because of the immediate effects of wireless network zone rules on the available features of your RES Workspace Manager Agents these rules should be implemented with great care.This also applies to the maintenance of your wireless network and corresponding zone rules. Amongst others, the following situations may occur: Access points are added to the physical layout of your wireless network. This may cause changes in the behavior of rules that are not limited to trusted access points. Departments move to different locations. The wireless network zone rules have to be reconfigured to provide the same functionality on these new locations. If you configured wireless network zone rules for home networks, any modification to the home network of an employee may need changes in the configuration of the applicable rule. We recommend that you carefully plan and thoroughly test these type of changes before you implement the corresponding wireless zone rules. Copyright © 1998-2013 RES Software 18
© Copyright 2024