I have users accessing WI through an Access Gateway. I have users on the domain who hit this using a domain name that is set in AD to resolve to an internal IP, and they are coming across VPNs. When people leave my network, they are resolving to an external IP and hitting the same Access Gateway. The Access Gateways are set up to require authentication, and then pass that through to WI for SSO.

I'm trying to come up with a way that I can restrict users' ability to access the Citrix environment when off network, so I can prevent users from working from home. I can't prevent access from certain IPs, because home IPs are dynamic, and some people will be given access to work from home.

Possibly some type of setup where they hit a website in front of the Access Gateway and it does a check based on the domain name used to access the site, references an AD security group, and forwards the request to the Access Gateway as necessary? The issue this causes is the Access Gateway can only have 1 SSL certificate, so people working from home would have an SSL popup with a mismatched domain name and need to say YES, but I would be OK with that. Would this work? Is there some better way to do it?