[THIN] Re: Access Gateway 4.2

  • From: "Jeff Pitsch" <jepitsch@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 3 Aug 2006 10:36:03 -0400

So what I did was point the default to a different portal page and that
solved it.


Jeff Pitsch Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



On 8/3/06, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote:

I'm getting into my CAG now and if I can't figure it out, I'll give Citrix a buzz. The CTP thing is good for this type of thing :)


Jeff Pitsch Microsoft MVP - Terminal Server




On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:
>
>   We have the other groups in CAG.  They work fine.  The trouble is the
> default group, it is active, and for those not in my created group,
> citrixag, they can still authenticate and make a connection.  Heck, I have
> logons on the shop floor, that could go home and make this connection and
> launch their applications from home.  I only want group citrixag to be able
> to connect to this…
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Thursday, August 03, 2006 8:38 AM
>
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> If you're using the default group then you're getting exactly what you
> set up.  Implement another group in the CAG.  I tested this out last night
> and it works just fine.  Your implementation is flawed if you're doing this through
> the default group.
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
>
>
>
>
>
> On 8/3/06, *Schneider, Chad M* < CMSchneider@xxxxxxxxx> wrote:
>
> Ok…I can require authentication to the portal page…but any user in the
> AD, so long as they can authenticate, can log onto this Gateway.  This is
> the issue, I only want users in particular AD groups, which I have created
> as local groups on the gateway, to be able to sign onto the gateway.  It
> should not be this hard to only allow domain group A to connect to this
> unit.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Steve Greenberg
> *Sent:* Thursday, August 03, 2006 12:47 AM
>
>
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> You can set require authentication to the portal page, this will force
> them to login at the very first stage before getting any options.
>
>
>
> Be sure to remove any resources from default group, do not set the
> default group portal properties to go to WI, and, do not check "inherit
> default group properties" for the other groups.
>
>
>
> That should do it. I think you must have set WI as the default portal
> redirect and since you did not require authentication to get to this default
> page, everyone got it!!
>
>
>
> Steve Greenberg
>
> Thin Client Computing
>
> 34522 N. Scottsdale Rd D8453
>
> Scottsdale, AZ 85262
>
> (602) 432-8649
>
> www.thinclient.net
>
> steveg@xxxxxxxxxxxxxx
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Schneider, Chad M
> *Sent:* Wednesday, August 02, 2006 10:01 PM
> *To:* ' thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> I have the default group, and 2 other groups, each having around 15
> users in the corresponding AD domain group.
>
>
>
> The users I have tested are not in either of the created local, nor AD
> domain groups.  They appear to be connecting using the default user group,
> as I set that to change things like the Gateway portal settings, and
> that account uses the default settings.  What I want is for no one to use
> default group, only allow connection to ANYTHING, even sign onto my gateway,
> if they are listed in a group I create and grant rights to.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Steve Greenberg
> *Sent:* Wednesday, August 02, 2006 11:52 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> This is confusing to me too. The behavior of either a VPN connection or
> WI redirect are both triggered by groups. If you are using CAG without AAC
> all you need to do is set up the LDAP authorization and authentication and
> then create a local CAG group with the same name as the target AD group.
>
>
>
> Obviously if the group is something like Domain Users, everyone will get
> in. I would suggest a simple test- create a new group in AD and create the
> same group name on the CAG. Point it to some web link or resource, only put
> one account in the group. I suspect that it will work as you want and that
> there may be some other issue related to group membership going on here….
>
>
>
> Steve Greenberg
>
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:25 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> So to put this in perspective, everything works if you don't go to WI.
> Say you allow VPN access to those users, then the appropriate groups are
> enforced.  If you go straight to WI though then everyone gets through?  Or
> is it that groups are not enforced at all?
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
>
>
>
>
>
> On 8/2/06, *Evan Mann* < emann@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Sounds like you are asking for the same thing I asked about a while ago.
>
>
> I have my CAG going straight to WI using SSO.  (Hit CAG in browser, put
> in username/password, click OK and you are dropped into WI and you see your
> apps.)  We don't use the VPN features of the CAG at all.
>
>
>
> The only thing I ever came up with was to direct requests to an IIS
> server first and use NTFS security based on group membership to determine if
> the basic auth to the IIS server would allow them to then redirect to the
> CAG.  A few issues can be caused by this (SSL and DNS in particular)
> depending on the network location of the IIS server, CAG, and inside/outside
> access needs.
>
>
>
> I never looked to see if this kind of functionality is available via
> AAC, but this is such a simple request/option, I couldn't understand why
> it's not available.
>
>
>
> Alternatively, you could just do this security on the WI server.  I
> suppose it's not as secure, because users you don't want through the CAG in
> the first place get through, but at least you could block them from loading
> the WI page unless they were in a particular NTFS group.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Schneider, Chad M
>
> *Sent:* Wednesday, August 02, 2006 5:03 PM
>
>
> *To:* ' thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
>
> Sorry to be dense on this…just got HAMMERED down our windpipe…
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Schneider, Chad M
> *Sent:* Wednesday, August 02, 2006 3:59 PM
> *To:* ' thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> We go to the CAG, it asks for credentials, we then go to our Web
> interface URL rather than the default gateway portal….
>
>
>
> Once in the WI, they click on their applications and launch a VPN
> connected Citrix app.
>
>
>
> I must be missing something.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:43 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> Oh so we aren't talking about the VPN connection.  If you are going
> direct to WI and not authenticating to the CAG beforehand then this would
> be as expected.
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
>
>
>
>
>
> On 8/2/06, *Schneider, Chad M* < CMSchneider@xxxxxxxxx> wrote:
>
> I created 2 groups, in the CAG.  Each is working fine, however, ALL
> users in the AD domain are able to get through it and into it as well.
>
>
>
> We have it set to go directly to our Web Interface page…
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jeff Pitsch
> *Sent:* Wednesday, August 02, 2006 3:12 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Access Gateway 4.2
>
>
>
> Is this simply the CAG?  You can set up groups in the CAG that would
> allow you to define who has access.
>
>
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
>
>
>
>
>
>
> On 8/2/06, *Schneider, Chad M* < CMSchneider@xxxxxxxxx> wrote:
>
> I have it configured for LDAP, working great…well…sort of…
>
>
>
> I want it to only allow the users/groups I grant rights to, the ability
> to use this…not the ENTIRE LDAP directory…
>
>
>
> Can anyone assist?
>
>
>
> Chad Schneider
>
> Technology Analyst/Citrix Admin.
>
> Bemis Company, Inc.
>
> 920-303-7609
>
>