[THIN] Re: Restricting CAG access
- From: "M" <mathras@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Fri, 9 Dec 2005 21:52:54 -0000
As a matter of interest, are you using the AG as a
replacement for Secure Gateway? Or are you using the AG client to get access to
your Corporate network? Or both?
I'm doing both of the above.
I use LDAP Authentication and Authorisation configured in the AG.
You can then create Groups for each type of AG access.
What you then do is create those AD groups on the AG and set the properties of
each group (Access Policy Manager Tab).
If you're using the AG client you can control what users access using
The admin guide is a little flaky in places but it is very good and well worth
a read.
Regards
----- Original Message -----
From: Evan Mann
To: thin@xxxxxxxxxxxxx
Sent: Friday, December 09, 2005 7:09 PM
Subject: [THIN] Re: Restricting CAG access
If I used CAG local users, and said only those users can use WI portal, does
that take effect for EVERY CAG connection, or is there a way I can specify that
the CAG local users are not looked at if you are coming from certain subnets
(they are ignored, or automatically granted access)?
------------------------------------------------------------------------------
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: Friday, December 09, 2005 1:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting CAG access
You can create local users on the VAG box and set it so only they can access,
or, create a new group in AD that the remote user must be part of to get to WI.
Define the resources they can access, such as the WI portal, subnet, etc and
apply them to the policy for that group.....
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx
------------------------------------------------------------------------------
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Evan Mann
Sent: Friday, December 09, 2005 9:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting CAG access
I'm in a situation where I need to restrict who can access WI through CAG,
based on approval to work from home. Currently, any users granted Citrix
access (via an AD security group), can hit the CAG and use Citrix, from any
system that a Citrix client can be installed. This means users can go home and
use Citrix. I need to prevent this because not everyone is authorized to work
from home, and I need to restrict those unauthorized users from working from
home.
Users don't have static IPs, so I can't use any form of IP restrictions. It
needs to be user or group based.
I'm still learning about CAG, so I don't know if it has some internal
features to do something like this. If not, can anyone think of a way to
accomplish this?
I thought about removing the external DNS entry for the CAG FQDN. I'd publish
a separate FQDN that hit an IIS website and checked against an SG. If you were
in the SG, it could redirect to the CAG URL, but if no external DNS for the CAG
URL, that wouldn't work. I could use a secondary external FQDN for CAG, and
have it redirect to that, and do it in a way that the URL doesn't show in the
browser. This would prompt an SSL mismatch, which I'm OK with, but this still
doesn't prevent the more savvy end user from figuring out the external FQDN
directly to CAG.
Thoughts?