Just realized I'm going about this all wrong. All I need to do is make a webpage that is hit prior to hitting the access gateway. This package has NTFS security applied based on the AD group with which I want to restrict uses. If you can successfully log in to that page, it will just redirect you to the Access Gateway where you can auth to that. Or, I can possibly grab the username/password from the first login attempt, and pass it to the WI.

> _____________________________________________
> From: Evan Mann
> Sent: Monday, October 10, 2005 11:18 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: Restrict access to WI
>
> I have users accessing WI through an Access Gateway. I have users on
> the domain who hit this using a domain name that is set in AD to
> resolve to an internal IP, and they are coming across VPNs.
>
> When people leave my network, they are resolving to an external IP and
> hitting the same access gateway.
>
> The Access Gateways are set up to require authentication, and then
> pass that through to WI for SSO.
>
> I'm trying to come up with a way that I can restrict users' abilities
> to access the Citrix environment when off network, so I can prevent
> users from working from home. I can't prevent access from certain
> IPs, because home IPs are dynamic, and some people will be given
> access to work from home.
>
> Possibly some type of setup where they hit a website in front of the
> access gateway and it does a check based on the domain name used to
> access the site, references an AD security group, and forwards the
> request to the Access Gateway as necessary? The issue this causes is
> the Access Gateway can only have 1 SSL certificate, so people working
> from home would have an SSL popup with a mismatched domain name and
> need to say YES, but I would be OK with that.
>
> Would this work? Is there some better way to do it?