A policy is a set of security rules that controls the security configuration of the cloud desktops that regular users work on. Policies reduce the risk of data leakage from a cloud desktop. This topic describes the configuration items of the security rules that a policy contains and provides examples of security rules.

A policy consists of basic settings (such as USB redirection, watermarks, local disk mapping, and the clipboard) and one or more network control rules (security group rules for inbound and outbound traffic, a domain name whitelist or blacklist, and a client IP whitelist). The following table describes the parameters in a policy.
Parameter: Description
USB Redirection: Specifies whether the USB redirection feature is enabled. If this parameter is set to Enable, regular users can access USB flash drives that are connected to their on-premises machines from their cloud desktops.
Watermark: Specifies whether watermarks are displayed. If this parameter is set to Enable, the watermark information and transparency can be configured, and the watermark is displayed on the cloud desktop.
Local Disk Mapping: Specifies whether read and write operations are allowed on the mapped drives of local disks from a cloud desktop.
Clipboard: Specifies whether copy operations are allowed between on-premises machines and cloud desktops.
Allow Preemption: Specifies whether a regular user can preemptively log on to a cloud desktop to which another regular user is already logged on.
Image Display Quality: Specifies the display quality for Windows cloud desktops.
HTML5 Client Access: Specifies whether a regular user can log on to a cloud desktop by using a web browser.
HTML5 Client File Transfer: Specifies whether files can be transferred between on-premises machines and cloud desktops when a regular user logs on to a cloud desktop by using a web browser.
Note: This parameter applies only to Windows cloud desktops. If a regular user wants to use the file transfer feature on a Linux cloud desktop, the default system policy must be associated with that cloud desktop.
Security Group Control: You can add inbound and outbound security group rules to control the inbound and outbound traffic of a cloud desktop. By default, cloud desktops deny all inbound access requests and allow all outbound access requests.
Domain Name Whitelist and Blacklist: You can add domain names to a blacklist or a whitelist to restrict the domain names that a cloud desktop can access. By default, cloud desktops can access all domain names.
Client IP Whitelist: You can add the CIDR blocks from which clients are allowed to connect to cloud desktops. By default, clients can connect to cloud desktops from any CIDR block.

USB redirection

The USB redirection configuration determines whether regular users can access USB flash drives that are connected to their on-premises machines from their cloud desktops.
  • Disable: If this feature is disabled, USB flash drives that are connected to on-premises machines are not redirected to cloud desktops, so regular users cannot read from or write to them from the cloud desktop.
  • Enable: If this feature is enabled, USB flash drives that are connected to on-premises machines are redirected to cloud desktops and can be accessed from them.

Watermark

Watermarks are overlaid on cloud desktops to reduce the risk of data leaks due to screenshots and photos. You can configure the watermark information (username and desktop ID) and transparency (light, medium, and dark).
  • Disable: If this feature is disabled, watermarks are not displayed on cloud desktops.
  • Enable: If this feature is enabled, watermarks are tiled across the display of cloud desktops, as shown in the following figure.
    [Figure: Watermark]

Local disk mapping

The local disk mapping configuration determines whether to grant regular users read and write permissions on the mapped drives of local disks on cloud desktops.
Note This feature is not applicable to regular users who use web browsers to log on to cloud desktops.
  • Disable: The mapped drives of local disks are not accessible from cloud desktops.
  • Read-only: The mapped drives of local disks are accessible from cloud desktops. You can only read or copy local files, but you cannot modify local files.
  • Read/Write: The mapped drives of local disks are accessible from cloud desktops. You can read, copy, or modify local files.

Clipboard

The clipboard configuration determines whether to grant regular users the permissions to copy files between on-premises machines and cloud desktops.
  • Disable: Regular users cannot copy files between on-premises machines and cloud desktops.
  • Read-only: Regular users can copy files only from on-premises machines to cloud desktops.
  • Read/Write: Regular users can copy files between on-premises machines and cloud desktops.

User preemption

The user preemption configuration specifies whether to allow a user to log on to a cloud desktop to which another regular user is logged on.
  • Enabled: When a regular user is logged on to a cloud desktop, another regular user can log on to the same cloud desktop. The original user is disconnected, and that user's cloud desktop window is closed.
  • Disabled: When a regular user is logged on to a cloud desktop, other regular users cannot log on to that cloud desktop until the session ends.
    [Figure: Preemption prohibited]

Image display quality

The image display quality configuration specifies the display quality of a Windows desktop. You can specify this parameter based on your business requirements and bandwidth. Valid values: Adaptive, LD, HD, and Lossless.

HTML5 client access

The HTML5 client access configuration includes the following permissions:
  • Access permission: controls whether regular users can log on to cloud desktops by using a web browser.
    • Enabled: Regular users can log on to the cloud desktop by using a web browser.
    • Disabled: Regular users cannot log on to the cloud desktop by using a web browser. When a user logs on to the web client and opens the desktop list page, the cloud desktop is not displayed.
  • File transfer permission: specifies whether files can be transferred between a cloud desktop and an on-premises machine when you log on to the cloud desktop by using a web browser.
    • Disable: Files cannot be transferred between a cloud desktop and the on-premises machine.
    • Allow Upload: Local files can be uploaded to a cloud desktop, but the files in a cloud desktop cannot be downloaded to the on-premises machine.
    • Allow Download: Files in a cloud desktop can be downloaded to the on-premises machine, but files cannot be uploaded to a cloud desktop.
    • Allow Upload/Download: Files can be uploaded to a cloud desktop, and files can be downloaded from the cloud desktop to the on-premises machine.
    Note This feature is only applicable to Windows cloud desktops.

Security group rules

Security group rules control the inbound and outbound traffic of a cloud desktop. To define a network control rule, you must specify properties such as the rule direction, priority, CIDR block, protocol type, port range, and authorization policy. Before a data connection is established to or from a cloud desktop, the system matches the access request against the security group rules in the policy that is associated with the cloud desktop and allows or denies the request based on the matched rule. Rules are matched in order of priority, and a smaller priority value indicates a higher priority, so a rule with priority 1 is evaluated before a rule with priority 2:
  • If an access request matches a network control rule whose Authorization Policy is set to Allow, the access request is allowed.
  • If an access request matches a network control rule whose Authorization Policy is set to Deny, the access request is blocked and its data packets are dropped.
If no security group rules are added, cloud desktops deny all inbound access requests and allow all outbound access requests. You can add inbound or outbound security group rules to limit the inbound and outbound traffic of a cloud desktop. The following examples describe common configurations of security group rules:
  • Example 1: Allow a cloud desktop to access only specific IP addresses.
    By default, cloud desktops allow all outbound access requests. You can add the following outbound rules to allow a cloud desktop to access only specific IP addresses:
    • Rule 1: Deny all outbound access requests. The following example describes this configuration.
      Rule direction: Outbound
      Priority: 2
      CIDR block: 0.0.0.0/0
      Protocol type: All
      Port: -1/-1
      Authorization policy: Deny
    • Rule 2: Allow outbound access to specific IP addresses. The priority of Rule 2 must be higher than that of Rule 1, which is why Rule 2 uses the smaller priority value. The following example describes this configuration.
      Rule direction: Outbound
      Priority: 1
      CIDR block: The allowed destination IP address, such as 192.168.1.1/32
      Protocol type: Select a protocol type
      Port: Specify a port range
      Authorization policy: Allow
  • Example 2: Allow access from specific IP addresses to a cloud desktop.
    By default, cloud desktops deny all inbound access requests. You can add an inbound rule that allows access from specific IP addresses. The following example describes this configuration.
    Rule direction: Inbound
    Priority: 1
    CIDR block: The allowed source IP address, such as 192.168.1.1/32
    Protocol type: Select a protocol type
    Port: Specify a port range
    Authorization policy: Allow
  • Example 3: Enable mutual access between cloud desktops that are associated with different policies.
    For example, Cloud Desktop A is associated with Policy A, and Cloud Desktop B is associated with Policy B. Cloud Desktop A and Cloud Desktop B cannot access each other because cloud desktops deny all inbound access requests by default. You can add the following inbound rule to Policy A and Policy B to enable mutual access between the two cloud desktops:
    • Add an inbound rule to Policy A to allow access from Cloud Desktop B. The following example describes this configuration.
      Rule direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Desktop B
      Protocol type: Select a protocol type
      Port: Specify a port range
      Authorization policy: Allow
    • Add an inbound rule to Policy B to allow access from Cloud Desktop A. The following example describes this configuration.
      Rule direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Desktop A
      Protocol type: Select a protocol type
      Port: Specify a port range
      Authorization policy: Allow
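The following Python script is an added example that is not part of this page or of the cloud desktop product. It evaluates access requests against security group rules the way the three examples above describe: rules are tried from the highest priority (smallest number) down, the first matching rule decides, and when nothing matches the defaults apply (inbound denied, outbound allowed). The rule and function names, the "tcp"/"all" protocol spellings, and the "from/to" port notation are assumptions chosen for the example; the port numbers 443 and 3389 are constructed values, since the page leaves the protocol and port range open. The script also encodes Example 1 with its priorities swapped to show why the allow rule must have the higher priority.

```python
"""Evaluate cloud desktop security group rules as the policy text describes them.

Added example, not the product's own code. Names, protocol spellings and the
"from/to" port notation are assumptions; the evaluation order (smaller priority
number first, first match wins) is derived from Example 1 on the page.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    priority: int     # smaller number = higher priority (assumption, see lead-in)
    cidr: str         # peer CIDR block, e.g. "0.0.0.0/0" or "192.168.1.1/32"
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_range: str   # "from/to"; "-1/-1" means all ports
    action: str       # "allow" or "deny"


def port_matches(port_range: str, port: int) -> bool:
    """True if port falls inside the rule's range; "-1/-1" matches every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def rule_matches(rule: Rule, direction: str, peer_ip: str, protocol: str, port: int) -> bool:
    """True if the request's direction, protocol, peer address and port all match the rule."""
    if rule.direction != direction:
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    return port_matches(rule.port_range, port)


def evaluate_request(rules, direction: str, peer_ip: str, protocol: str, port: int) -> str:
    """Return "allow" or "deny" for one access request.

    peer_ip is the source address of an inbound request or the destination
    address of an outbound request. Rules are tried from the highest priority
    (smallest number) down and the first match decides. If nothing matches,
    the page's defaults apply: inbound is denied, outbound is allowed.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, peer_ip, protocol, port):
            return rule.action
    return "deny" if direction == "inbound" else "allow"


# Example 1 from the page: allow only outbound TCP/443 to 192.168.1.1, deny everything else.
EXAMPLE_1_RULES = [
    Rule("outbound", 2, "0.0.0.0/0", "all", "-1/-1", "deny"),
    Rule("outbound", 1, "192.168.1.1/32", "tcp", "443/443", "allow"),
]

# The same two rules with the priorities swapped: the catch-all deny is now
# evaluated first and shadows the allow rule, so the intended destination is blocked too.
EXAMPLE_1_MISORDERED = [
    Rule("outbound", 1, "0.0.0.0/0", "all", "-1/-1", "deny"),
    Rule("outbound", 2, "192.168.1.1/32", "tcp", "443/443", "allow"),
]

# Example 2 from the page: allow inbound TCP/3389 from 192.168.1.1 only (port is a constructed choice).
EXAMPLE_2_RULES = [
    Rule("inbound", 1, "192.168.1.1/32", "tcp", "3389/3389", "allow"),
]


if __name__ == "__main__":
    checks = [
        ("Example 1, allowed destination", EXAMPLE_1_RULES, "outbound", "192.168.1.1", "tcp", 443),
        ("Example 1, other destination", EXAMPLE_1_RULES, "outbound", "8.8.8.8", "tcp", 443),
        ("Example 1 misordered", EXAMPLE_1_MISORDERED, "outbound", "192.168.1.1", "tcp", 443),
        ("Example 2, allowed source", EXAMPLE_2_RULES, "inbound", "192.168.1.1", "tcp", 3389),
        ("Example 2, other source", EXAMPLE_2_RULES, "inbound", "10.0.0.5", "tcp", 3389),
        ("No rules, inbound default", [], "inbound", "10.0.0.5", "tcp", 22),
        ("No rules, outbound default", [], "outbound", "10.0.0.5", "tcp", 22),
    ]
    for label, rules, *request in checks:
        print(f"{label}: {evaluate_request(rules, *request)}")
```

Running the script prints one allow/deny verdict per check. The misordered variant is the case worth keeping in mind when editing a policy: a deny rule for 0.0.0.0/0 with a higher priority than the allow rule turns Example 1 into a full outbound block, and nothing in the rule table itself flags that.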

Domain names in the whitelist and blacklist

The domain name blacklist and whitelist control whether cloud desktops can access domain names. By default, cloud desktops are allowed to access all domain names. You can specify the domain names in the blacklist and whitelist based on your actual requirements.
  • If neither the blacklist nor the whitelist is configured, cloud desktops are allowed to access all domain names.
  • If you specify domain names in the blacklist, cloud desktops cannot access those domain names. For example, if an enterprise does not allow employees to access certain video streaming websites from cloud desktops, the enterprise can add the domain names of those websites to the blacklist. When employees visit those websites, error code 404 is returned on the web pages. Employees can still visit websites whose domain names are not in the blacklist.
  • If you specify domain names in the whitelist, cloud desktops can access only those domain names. For example, if an enterprise allows employees to access only internal websites and a few required external websites from cloud desktops, the enterprise can add the domain names of those websites to the whitelist. When employees visit those websites, the web pages load normally, and error code 404 is returned for all websites whose domain names are not in the whitelist.
Notice The blacklist and whitelist are mutually exclusive. Only one list takes effect at any time. If you attempt to set both, only the list you configured last takes effect.

Client IP whitelist

The client IP whitelist controls the source CIDR blocks from which clients are allowed to connect to cloud desktops. By default, clients can connect from any CIDR block. You can restrict connections to specific IPv4 CIDR blocks on the public network or a private network based on your business requirements. Examples: 139.196.XX.XX/32 and 10.0.XX.XX/8.