[THIN] Re: Access Gateway 4.2

To a junk, non-existent page?

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Thursday, August 03, 2006 9:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

So what I did was point the default to a different portal page and that
solved it.

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com <http://jeffpitschconsulting.com/> 



 

On 8/3/06, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote:

I'm getting into my CAG now and if I can't figure it out, I'll give Citrix a
buzz.  The CTP thing is good for this type of thing :)

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

We have the other groups in CAG.  They work fine.  The trouble is the
default group, it is active, and for those not in my created group,
citrixag, they can still authenticate and make a connection.  Heck, I have
logons on the shop floor, that could go home and make this connection and
launch their applications from home.  I only want group citrixag to be able
to connect to this... 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Thursday, August 03, 2006 8:38 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

If you're using the default group then you're getting exactly what you set up.
Implement another group in the CAG.  I tested this out last night and it
works just fine.  Your implementation is flawed if you're doing this through the
default group.

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

Ok...I can require authentication to the portal page...but any user in the
AD, so long as they can authenticate, can log onto this Gateway.  This is
the issue, I only want users in particular AD groups, which I have created
as local groups on the gateway, to be able to sign onto the gateway.  It
should not be this hard to only allow domain group A to connect to this
unit. 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: Thursday, August 03, 2006 12:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

You can set require authentication to the portal page, this will force them
to login at the very first stage before getting any options. 

 

Be sure to remove any resources from default group, do not set the default
group portal properties to go to WI, and, do not check "inherit default
group properties" for the other groups. 

 

That should do it. I think you must have set WI as the default portal
redirect and since you did not require authentication to get to this default
page, everyone got it!! 

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262 

(602) 432-8649

www.thinclient.net <http://www.thinclient.net/>  

steveg@xxxxxxxxxxxxxx  <mailto:steveg@xxxxxxxxxxxxxx> 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 10:01 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

I have the default group, and 2 other groups, each having around 15 users in
the corresponding AD domain group. 

 

The users I have tested are not in either of the created local, nor AD
domain groups.  They appear to be connecting using the default user group,
as I set that to change things like the Gateway portal settings, and
that account uses the default settings.  What I want is for no one to use
default group, only allow connection to ANYTHING, even sign onto my gateway,
if they are listed in a group I create and grant rights to. 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: Wednesday, August 02, 2006 11:52 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

This is confusing to me too. The behavior of either a VPN connection or WI
redirect are both triggered by groups. If you are using CAG without AAC all
you need to do is set up the LDAP authorization and authentication and then
create a local CAG group with the same name as the target AD group. 

 

Obviously if the group is something like Domain Users, everyone will get in.
I would suggest a simple test- create a new group in AD and create the same
group name on the CAG. Point it to some web link or resource, only put one
account in the group. I suspect that it will work as you want and that there
may be some other issue related to group membership going on here.... 

 

Steve Greenberg


 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:25 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

So to put this in perspective, everything works if you don't go to WI.  Say
you allow VPN access to those users, then the appropriate groups are
enforced.  If you go straight to WI though then everyone gets through?  Or
is it that groups are not enforced at all?

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 8/2/06, Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx> wrote:

Sounds like you are asking for the same thing I asked about a while ago.


I have my CAG going straight to WI using SSO.  (Hit CAG in browser, put in
username/password, click OK and you are dropped into WI and you see your
apps.)  We don't use the VPN features of the CAG at all.

 

The only thing I ever came up with was to direct requests to an IIS server
first and use NTFS security based on group membership to determine if the
basic auth to the IIS server would allow them to then redirect to the CAG.
A few issues can be caused by this (SSL and DNS in particular) depending on
the network location of the IIS server, CAG, and inside/outside access
needs. 

 

I never looked to see if this kind of functionality is available via AAC,
but this is such a simple request/option, I couldn't understand why it's not
available. 

 

Alternatively, you could just do this security on the WI server.  I suppose
it's not as secure, because users you don't want through the CAG in the
first place get through, but at least you could block them from loading the
WI page unless they were in a particular NTFS group. 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 5:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2


 

Sorry to be dense on this...just got HAMMERED down our windpipe...

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 3:59 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

We go to the CAG, it asks for credentials, we then go to our Web interface
URL rather than the default gateway portal.... 

 

Once in the WI, they click on their applications and launch a VPN connected
Citrix app.

 

I must be missing something.

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Oh so we aren't talking about the VPN connection.  If you are going direct
to WI and not authenticating to the CAG beforehand then this would be as
expected. 

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I created 2 groups, in the CAG.  Each is working fine, however, ALL users in
the AD domain are able to get through it and into it as well. 

 

We have it set to go directly to our Web Interface page...

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Is this simply the CAG?  You can set up groups in the CAG that would allow
you to define who has access.  

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I have it configured for LDAP, working great...well...sort of...

 

I want it to only allow the users/groups I grant rights to, the ability to
use this...not the ENTIRE LDAP directory...

 

Can anyone assist?

 

Chad Schneider

Technology Analyst/Citrix Admin.

Bemis Company, Inc.

920-303-7609
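
The checklist given in the thread (require authentication to the portal page, no resources in the default group, no WI redirect on the default group, no "inherit default group properties" on other groups), modeled as an added example that is not part of any message and is not Citrix code. The `Group` fields, portal labels and sample groups are constructed for illustration and are not the Access Gateway's own configuration format.

```python
# Added example: a constructed model of the group settings named in the thread.
# Field names are hypothetical, not the Access Gateway's configuration format.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    resources: list = field(default_factory=list)
    portal: str = "gateway-portal"      # "web-interface" = redirect to WI
    inherit_default: bool = False

def effective_group(user_ad_groups, groups):
    """A user who matches no named local group falls through to Default."""
    for g in groups:
        if g.name != "Default" and g.name in user_ad_groups:
            return g
    return next(g for g in groups if g.name == "Default")

def audit(groups, portal_auth_required):
    """Flag the settings the thread identifies as letting every AD user in."""
    default = next(g for g in groups if g.name == "Default")
    findings = []
    if not portal_auth_required:
        findings.append("portal page does not require authentication")
    if default.resources:
        findings.append("Default group still has resources assigned")
    if default.portal == "web-interface":
        findings.append("Default group portal redirects to WI")
    findings += [f"group {g.name} inherits Default group properties"
                 for g in groups if g.name != "Default" and g.inherit_default]
    return findings

# Constructed sample: a setup like the one described, then the hardened one.
before = [Group("Default", ["citrix-farm"], "web-interface"),
          Group("citrixag", ["citrix-farm"], "web-interface", True)]
after = [Group("Default", [], "junk-page"),
         Group("citrixag", ["citrix-farm"], "web-interface")]
shop_floor = {"Domain Users"}           # authenticates, but is not in citrixag

if __name__ == "__main__":
    for label, cfg in (("before", before), ("after", after)):
        g = effective_group(shop_floor, cfg)
        print(label, "->", g.name, g.portal, g.resources, audit(cfg, True))
```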

 

 

 

 

 





 
