This is confusing to me too. The behavior of either a VPN connection or WI redirect are both triggered by groups. If you are using CAG without AAC, all you need to do is set up the LDAP authorization and authentication and then create a local CAG group with the same name as the target AD group. Obviously, if the group is something like Domain Users, everyone will get in. I would suggest a simple test: create a new group in AD and create the same group name on the CAG. Point it to some web link or resource, with only one account in the group. I suspect that it will work as you want and that there may be some other issue related to group membership going on here.

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx

_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:25 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

So to put this in perspective, everything works if you don't go to WI. Say you allow VPN access to those users, then the appropriate groups are enforced. If you go straight to WI, though, then everyone gets through? Or is it that groups are not enforced at all?

Jeff Pitsch
Microsoft MVP - Terminal Server
Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com

On 8/2/06, Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx> wrote:

Sounds like you are asking for the same thing I asked about a while ago. I have my CAG going straight to WI using SSO. (Hit CAG in browser, put in username/password, click OK and you are dropped into WI and you see your apps.) We don't use the VPN features of the CAG at all.

The only thing I ever came up with was to direct requests to an IIS server first and use NTFS security based on group membership to determine if the basic auth to the IIS server would allow them to then redirect to the CAG. A few issues can be caused by this (SSL and DNS in particular) depending on the network location of the IIS server, CAG, and inside/outside access needs. I never looked to see if this kind of functionality is available via AAC, but this is such a simple request/option, I couldn't understand why it's not available. Alternatively, you could just do this security on the WI server. I suppose it's not as secure, because users you don't want through the CAG in the first place get through, but at least you could block them from loading the WI page unless they were in a particular NTFS group.

_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 5:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

Sorry to be dense on this... just got HAMMERED down our windpipe.

_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 3:59 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

We go to the CAG, it asks for credentials, we then go to our Web Interface URL rather than the default gateway portal. Once in the WI, they click on their applications and launch a VPN-connected Citrix app. I must be missing something.

_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

Oh, so we aren't talking about the VPN connection. If you are going direct to WI and not authenticating to the CAG beforehand, then this would be as expected.

Jeff Pitsch
Microsoft MVP - Terminal Server
Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I created 2 groups in the CAG. Each is working fine; however, ALL users in the AD domain are able to get through it and into it as well. We have it set to go directly to our Web Interface page.

_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

Is this simply the CAG? You can set up groups in the CAG that would allow you to define who has access.

Jeff Pitsch
Microsoft MVP - Terminal Server
Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I have it configured for LDAP, working great... well... sort of. I want it to only allow the users/groups I grant rights to the ability to use this... not the ENTIRE LDAP directory. Can anyone assist?

Chad Schneider
Technology Analyst/Citrix Admin.
Bemis Company, Inc.
920-303-7609
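Steve's advice (a local CAG group named exactly like the AD group, and a warning that a catch-all like Domain Users admits everyone) can be checked offline before touching the gateway. The following added example is not from this thread and is not Citrix code: it takes a constructed LDAP user entry as a directory would return it, extracts the CN of each group in memberOf (honouring RFC 4514 escapes such as `\,` and `\2b`), adds the primary group that AD records only via primaryGroupID rather than memberOf, and reports which local CAG group names would match. It assumes the gateway matches its local group name against the group CN case-insensitively; that matching rule, the sample user, the group names and the RID-to-name table are all assumptions or constructed values, not facts from the thread.

```python
# Added example: check which CAG local group names a user would match, offline.
# All sample data below is constructed; the case-insensitive CN matching rule
# is an assumption about the gateway, not a documented behaviour from the thread.

DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group in AD


def split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i]); cur.append(s[i + 1]); i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
            continue
        cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts


def unescape_dn_value(v):
    """Decode RFC 4514 escapes: '\\XX' hex pairs and '\\c' single characters."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16)); i += 3
                continue
            out.extend(v[i + 1].encode("utf-8")); i += 2
            continue
        out.extend(v[i].encode("utf-8")); i += 1
    return out.decode("utf-8")


def group_cn(dn):
    """Return the CN (group name) from a group DN such as 'CN=Name,OU=...,DC=...'."""
    first_rdn = split_unescaped(dn, ",")[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("group DN does not start with a CN RDN: %r" % dn)
    return unescape_dn_value(value.strip())


def user_group_names(entry, group_name_by_rid):
    """All AD group names for the user.

    AD's memberOf omits the user's primary group (Domain Users by default);
    it is recorded only in primaryGroupID, so it is added from a RID table.
    """
    names = {group_cn(dn) for dn in entry.get("memberOf", [])}
    rid = entry.get("primaryGroupID")
    if rid in group_name_by_rid:
        names.add(group_name_by_rid[rid])
    return names


def matching_cag_groups(entry, cag_groups, group_name_by_rid):
    """CAG local groups whose name equals one of the user's AD groups (case-insensitive, assumed)."""
    ad_names = {n.casefold() for n in user_group_names(entry, group_name_by_rid)}
    return sorted(g for g in cag_groups if g.casefold() in ad_names)


def audit_cag_groups(cag_groups, catch_all=("Domain Users", "Authenticated Users", "Everyone")):
    """CAG local groups that would admit every authenticated domain user."""
    bad = {c.casefold() for c in catch_all}
    return sorted(g for g in cag_groups if g.casefold() in bad)


# Constructed sample data (hypothetical domain, user and group names).
GROUP_NAME_BY_RID = {DOMAIN_USERS_RID: "Domain Users"}
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "primaryGroupID": DOMAIN_USERS_RID,
    "memberOf": [
        "CN=Citrix Remote Users,OU=Groups,DC=example,DC=com",
        "CN=Smith\\, John Team,OU=Groups,DC=example,DC=com",   # escaped comma
        "CN=Ops \\2b Eng,OU=Groups,DC=example,DC=com",         # hex escape for '+'
    ],
}
CAG_GROUPS_SCOPED = ["Citrix Remote Users", "Finance VPN"]
CAG_GROUPS_OPEN = ["citrix remote users", "Domain Users"]

if __name__ == "__main__":
    print("user groups:", sorted(user_group_names(SAMPLE_USER, GROUP_NAME_BY_RID)))
    print("scoped match:", matching_cag_groups(SAMPLE_USER, CAG_GROUPS_SCOPED, GROUP_NAME_BY_RID))
    print("open match:", matching_cag_groups(SAMPLE_USER, CAG_GROUPS_OPEN, GROUP_NAME_BY_RID))
    print("catch-all CAG groups:", audit_cag_groups(CAG_GROUPS_OPEN))
```

Feed it the memberOf and primaryGroupID values of a real user (from an LDAP search or a directory export) and the group names configured on the gateway; a non-empty result from `audit_cag_groups` is the "everyone gets in" case Steve describes, while an empty result from `matching_cag_groups` for a user who is supposed to have access points at a name mismatch rather than at the gateway.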