[THIN] Re: UNC Blocking with external access only

  • From: "Jeff Pitsch" <jepitsch@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 11 Sep 2006 08:29:41 -0400

I should also say that if you're looking at simply getting users access to
shares, then the AAC product would allow you to assign shares to users based
on certain criteria and what they could potentially do within those shares.
This is all through a webpage and does not require any published
applications.  Again though this is not through a published application but
with AAC.


Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



On 9/11/06, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote:

I would say from a PS perspective that CAG/AAC is much more integrated than any other product out there. Unfortunately, that integration does not involve the actual published applications. It integrates from the perspective of you can use the AAC filters to control what published applications are seen from the web interface and what PS policies are applied. Nothing in AAC allows the sort of control that you're looking for from within a published application in regards to things like UNC paths. But you'll notice that AAC filters can be used to assign PS policies so you could control who gets client drive mappings, who gets printer autocreation, etc. This would allow you to control what leaves the network.


Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP




 On 9/11/06, BRUTON, Malcolm, GBM <Malcolm.BRUTON@xxxxxxxx> wrote:
>
>  Guys  Thanks for the responses.   We want to restrict unc paths when
> you are within a Citrix published app.  We only want to do this when a
> user comes in via our Juniper box.
>
> The reason for this is using Juniper we currently only use it to access
> citrix published apps.  Of course we can 'publish' folders but could we then
> get it to launch a citrix app?  Then we would have to restrict all access
> when you were within say word within citrix.
>
> Is a CAG/AAC more flexible than juniper and more easily integrated with
> PS?  Any easy ways you can see on how to restrict access to some data and
> make sure it never leaves our own network in conjunction with citrix apps?
>
> Malcolm
>
>  -----Original Message-----
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Steve Greenberg
> *Sent:* 10 September 2006 17:24
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>  Well the original post doesn't give a lot of detail but keep in mind that
> it is possible to make PS use CAG/AAC so it can be done, i.e.
> distinguish where the user is coming from and assign the rights
> accordingly.....
>
>
>
>
>
> Steve Greenberg
>
> Thin Client Computing
>
> 34522 N. Scottsdale Rd D8453
>
> Scottsdale, AZ 85262
>
> (602) 432-8649
>
> www.thinclient.net
>
> steveg@xxxxxxxxxxxxxx
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Sunday, September 10, 2006 6:44 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>
>
> That is how I read it also which is why I keep specifying that, from
> within the published application, CAG and/or AAC would not be of any help.
> As well, I believe what Steve is saying is only available through CAG
> standalone not with AAC but I may be wrong on that but I'm pretty sure I'm
> not.   heh
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Provision Networks VIP
>
>
>
>
>
> On 9/10/06, *Andrew Wood* < andrew.wood@xxxxxxxxxxxxxxxx> wrote:
>
> Which is what the juniper does - but that's not what Malcolm wanted - he
> wanted to be able to control access to UNCs within the published app if I
> read it correctly.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Steve Greenberg
> *Sent:* 10 September 2006 00:32
>
>
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>
>
>
> I was referring to VPN mode, you can make specific CIFS shares available
> as resources.....
>
>
>
> Steve Greenberg
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Saturday, September 09, 2006 9:31 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>
>
> You can control UNC's from the NavUI but NOT from within published
> applications.
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Provision Networks VIP
>
>
>
>
>
> On 9/8/06, *Steve Greenberg* < steveg@xxxxxxxxxxxxxx> wrote:
>
> But AAC can provide access to specific folders and files and apply
> granular read, print, save, edit, rights, etc.
>
>
>
> Also, it can provide access to only specific UNC paths when used in VPN
> mode....
>
>
>
>
>
> Steve Greenberg
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Friday, September 08, 2006 2:02 PM
>
>
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>
>
> AAC doesn't do anything with published apps outside of letting you
> control what apps get published based on the AAC filters and applying Citrix
> policies based on AAC filters.  It would not modify any sort of
> functionality within the application itself.  You have misunderstood what I
> was trying to say.
>
>
>
> AAC can do checks but they are based on some sort of value.  For
> instance, a version of McAfee or Firewall.  If those values change on the
> client side, then you must also know the change has happened so you can
> adjust your EPA scans.  Otherwise, the EPA's will fail and the users won't
> get access.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Provision Networks VIP
>
>
>
>
>
> On 9/7/06, *Andrew Wood* < andrew.wood@xxxxxxxxxxxxxxxx> wrote:
>
> I thought AAC would allow you to do clever checks on the endpoint - I
> didn't realise it'd be able to modify functionality within an individual
> published application?
>
>
>
> The way I was thinking of would be to redirect your users to different
> citrix servers based on their source location. The sensitive users would be
> directed to servers with an lmhosts file that 'blocked' the UNC by
> overriding the source name's IP resolution.
>
>
>
> messy mind.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* 06 September 2006 18:41
>
>
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>
>
>
> The only way that I'm aware of to control that type of access through
> Presentation Server is using AAC.  You can then use the filters within AAC
> on your published applications.
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Provision Networks VIP
>
>
>
>
>
> On 9/6/06, *BRUTON, Malcolm, GBM* < Malcolm.BRUTON@xxxxxxxx > wrote:
>
> I assume this is if you are publishing folders on Juniper?  We publish
> Citrix apps on Juniper only....So the control really needs to be within the
> citrix session.
>
>
>
> Further ideas?
>
>  -----Original Message-----
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Andrew Wood
> *Sent:* 06 September 2006 14:07
> *To:* thin@xxxxxxxxxxxxx
>
> *Subject:* [THIN] Re: UNC Blocking with external access only
>
>  A Juniper device'll let you do it as well won't it? You can allow unc
> access and then define roles that would allow access to those resources. You
> could either allow full network browse access - or publish the folder
> themselves iirc.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *BRUTON, Malcolm, GBM
> *Sent:* 06 September 2006 13:51
> *To:* ' thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] UNC Blocking with external access only
>
>
>
> All
>
>
>
> We are after a product that will allow us to block sensitive unc's for
> users.  This of course needs to differ depending on if the user is internal
> or external.
>
>
>
> When they are external they connect to Citrix via Juniper.  When they
> are internal they use either normal desktops or Citrix.
>
>
>
> I believe by using CAG with AAC we can do this.
>
>
>
> Can anybody suggest any other software\hardware\methods that we could use to
> achieve this?
>
>
>
> Malcolm
>
