So what I did was point the default to a different portal page and that solved it.
Jeff Pitsch Microsoft MVP - Terminal Server
Forums not enough? Get support from the experts at your business http://jeffpitschconsulting.com
I'm getting into my CAG now and if I can't figure it out, I'll give Citrix a buzz. The CTP thing is good for this type of thing :)
Jeff Pitsch Microsoft MVP - Terminal Server
Forums not enough? Get support from the experts at your business http://jeffpitschconsulting.com
On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:
>
> We have the other groups in CAG. They work fine. The trouble is the default group, it is active, and for those not in my created group, citrixag, they can still authenticate and make a connection. Heck, I have logons on the shop floor, that could go home and make this connection and launch their applications from home. I only want group citrixag to be able to connect to this…
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jeff Pitsch
> *Sent:* Thursday, August 03, 2006 8:38 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> If you're using the default group then you're getting exactly what you set up. Implement another group in the CAG. I tested this out last night and it works just fine. Your implementation is flawed if you're doing this through the default group.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> On 8/3/06, *Schneider, Chad M* <CMSchneider@xxxxxxxxx> wrote:
>
> Ok…I can require authentication to the portal page…but any user in the AD, so long as they can authenticate, can log onto this Gateway. This is the issue, I only want users in particular AD groups, which I have created as local groups on the gateway, to be able to sign onto the gateway. It should not be this hard to only allow domain group A to connect to this unit.
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Steve Greenberg
> *Sent:* Thursday, August 03, 2006 12:47 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> You can set require authentication to the portal page, this will force them to login at the very first stage before getting any options.
>
> Be sure to remove any resources from default group, do not set the default group portal properties to go to WI, and, do not check "inherit default group properties" for the other groups.
>
> That should do it. I think you must have set WI as the default portal redirect and since you did not require authentication to get to this default page, everyone got it!!
>
> Steve Greenberg
> Thin Client Computing
> 34522 N. Scottsdale Rd D8453
> Scottsdale, AZ 85262
> (602) 432-8649
> www.thinclient.net
> steveg@xxxxxxxxxxxxxx
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Schneider, Chad M
> *Sent:* Wednesday, August 02, 2006 10:01 PM
> *To:* 'thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> I have the default group, and 2 other groups, each having around 15 users in the corresponding AD domain group.
>
> The users I have tested are not in either of the created local, nor AD domain groups. They appear to be connecting using the default user group, as I set that to change things like the Gateway portal settings, and that account uses the default settings. What I want is for no one to use default group, only allow connection to ANYTHING, even sign onto my gateway, if they are listed in a group I create and grant rights to.
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Steve Greenberg
> *Sent:* Wednesday, August 02, 2006 11:52 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> This is confusing to me too. The behavior of either a VPN connection or WI redirect are both triggered by groups. If you are using CAG without AAC all you need to do is set up the LDAP authorization and authentication and then create a local CAG group with the same name as the target AD group.
>
> Obviously if the group is something like Domain Users, everyone will get in. I would suggest a simple test: create a new group in AD and create the same group name on the CAG. Point it to some web link or resource, only put one account in the group. I suspect that it will work as you want and that there may be some other issue related to group membership going on here….
>
> Steve Greenberg
> Thin Client Computing
> 34522 N. Scottsdale Rd D8453
> Scottsdale, AZ 85262
> (602) 432-8649
> www.thinclient.net
> steveg@xxxxxxxxxxxxxx
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:25 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> So to put this in perspective, everything works if you don't go to WI. Say you allow VPN access to those users, then the appropriate groups are enforced. If you go straight to WI though then everyone gets through? Or is that groups are not enforced at all?
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> On 8/2/06, *Evan Mann* <emann@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Sounds like you are asking for the same thing I asked about a while ago.
>
> I have my CAG going straight to WI using SSO. (Hit CAG in browser, put in username/password, click OK and you are dropped into WI and you see your apps.) We don't use the VPN features of the CAG at all.
>
> The only thing I ever came up with was to direct requests to an IIS server first and use NTFS security based on group membership to determine if the basic auth to the IIS server would allow them to then redirect to the CAG. A few issues can be caused by this (SSL and DNS in particular) depending on the network location of the IIS server, CAG, and inside/outside access needs.
>
> I never looked to see if this kind of functionality is available via AAC, but this is such a simple request/option, I couldn't understand why it's not available.
>
> Alternatively, you could just do this security on the WI server. I suppose it's not as secure, because users you don't want through the CAG in the first place get through, but at least you could block them from loading the WI page unless they were in a particular NTFS group.
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Schneider, Chad M
> *Sent:* Wednesday, August 02, 2006 5:03 PM
> *To:* 'thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> Sorry to be dense on this…just got HAMMERED down our windpipe…
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Schneider, Chad M
> *Sent:* Wednesday, August 02, 2006 3:59 PM
> *To:* 'thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> We go to the CAG, it asks for credentials, we then go to our Web Interface URL rather than the default gateway portal….
>
> Once in the WI, they click on their applications and launch a VPN connected Citrix app.
>
> I must be missing something.
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:43 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> Oh so we aren't talking about the VPN connection. If you are going direct to WI and not authenticating to the CAG beforehand then this would be as expected.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> On 8/2/06, *Schneider, Chad M* <CMSchneider@xxxxxxxxx> wrote:
>
> I created 2 groups, in the CAG. Each is working fine, however, ALL users in the AD domain are able to get through it and into it as well.
>
> We have it set to go directly to our Web Interface page…
>
> ------------------------------
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:12 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
> Is this simply the CAG? You can set up groups in the CAG that would allow you to define who has access.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> On 8/2/06, *Schneider, Chad M* <CMSchneider@xxxxxxxxx> wrote:
>
> I have it configured for LDAP, working great…well…sort of…
>
> I want it to only allow the users/groups I grant rights to, the ability to use this…not the ENTIRE LDAP directory…
>
> Can anyone assist?
>
> Chad Schneider
> Technology Analyst/Citrix Admin.
> Bemis Company, Inc.
> 920-303-7609
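
The default-group fallthrough discussed in this thread, as an added example that is not part of the original messages and not Citrix code: a simplified Python model of how an LDAP-authenticated user who matches no local group lands in the default group, with an audit for the three settings Steve lists. The `Group` structure, the `citrixag` sample data, and both URLs are constructed assumptions, not a real gateway export format.

```python
from dataclasses import dataclass, field
from typing import Optional

WI_URL = "https://wi.example.invalid/Citrix/"      # constructed placeholder
NO_ACCESS = "https://cag.example.invalid/denied"   # constructed placeholder

@dataclass
class Group:  # hypothetical model, not a Citrix export format
    resources: set = field(default_factory=set)
    portal: Optional[str] = None
    inherit_default: bool = False

def effective_access(ad_groups, cfg):
    """Portal and resources for an LDAP-authenticated user, as the thread describes:
    a local group applies when its name matches an AD group; otherwise Default does."""
    default = cfg["Default"]
    matched = [g for name, g in cfg.items() if name != "Default" and name in ad_groups]
    if not matched:
        return default.portal, set(default.resources)
    portal, resources = None, set()
    for g in matched:
        portal = portal or g.portal
        resources |= g.resources
        if g.inherit_default:
            resources |= default.resources
            portal = portal or default.portal
    return portal, resources

def audit(cfg):
    """Flag the three default-group settings called out in the thread."""
    d, findings = cfg["Default"], []
    if d.resources:
        findings.append("Default group still has resources assigned")
    if d.portal == WI_URL:
        findings.append("Default group portal redirects to Web Interface")
    findings += [f"{n} inherits default group properties"
                 for n, g in cfg.items() if n != "Default" and g.inherit_default]
    return findings

# Constructed sample configurations: before and after the changes in the thread.
WEAK = {"Default": Group({"wi"}, WI_URL),
        "citrixag": Group({"wi"}, WI_URL, inherit_default=True)}
FIXED = {"Default": Group(set(), NO_ACCESS),
         "citrixag": Group({"wi"}, WI_URL)}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, effective_access({"Domain Users"}, cfg), audit(cfg))
```

In the weak configuration a user who is only in Domain Users still reaches Web Interface; in the fixed one that user gets the other portal page and no resources, while a `citrixag` member is unaffected.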