[THIN] Re: CAG AAC 4.2 fallback connection policies
- From: "Pavlo Ignatusha" <Pavlo.Ignatusha@xxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Mon, 3 Apr 2006 10:03:02 -0400
Hi group,
Just wanted to finalize this thread with information I obtained from
latest conference call with Citrix support. I will go by each question
we asked earlier.
1. Citrix confirmed that connection policies were not cumulative.
If a user has 2 connection policies assigned (ex. With different
endpoint scans) only the policy with highest priority is processed.
2. Citrix promised a workaround so user can get portal when
connection policy fails. I'll keep you posted.
3. Continuous scans are coming from Net6 appliance and EPA scans
are coming with Citrix MSAM. That is why you need VPN client up to do
continuous scans (thanks Carl).
4. Citrix will only continue to support a few major AV vendors in
their EPA scans. The rest is given away as an opportunity for partners
like www.epafactory.com <http://www.epafactory.com/> . These scans from
partners are not cheap though. Or you can use SDK from Citrix at your
own risk.
Long story short AAC turned out to be an uncompleted marriage of Net6
appliance and Citrix MSAM. Citrix rushed it to the market without a lot
of testing. Along the way we encountered some other interesting
confirmed bug when AAC portal login is case sensitive for home directory
share access. We are waiting for a hotfix for that as well. That's all
the story for now.
Thanks,
Pavlo Ignatusha
Systems Network Coordinator
Pembroke Regional Hospital
tel. +1 (613) 732-3675 ext.6150
fax. +1 (613) 732-9986
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: March 21, 2006 1:15 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CAG AAC 4.2 fallback connection policies
1) not sure on this as still investigating but I'm guessing your using
either policies or endpoint analysis wrong when setting up.
2) It's a vpn connection meaning your now local to the protected
network. if it was going to the CAG you'd be going outside of that. I
would think it's working the way it should.
3) Dunno, have to ask Citrix which I will do tonight since I'm chatting
with them on AAC.
4) download the SDK and good luck. I've heard it's not easy. This
link:
http://support.citrix.com/forums/thread.jspa?forumID=101&threadID=73893&;
tstart=0 has other links in it you may be interested in.
Jeff
On 3/21/06, Pavlo Ignatusha <Pavlo.Ignatusha@xxxxxxxxxxxxx> wrote:
Hi group,
Lately we were working on CAG with AAC policies. Along the way we
encountered a few difficulties and we thought we'd ask for your input.
Environment: CAG with AAC option v4.2 (no hotfix AAC420W001). PS4
3-server farm. Windows Server 2003 SP1 AD.
We would like to use some endpoint analysis and continuous scans in our
AAC policies. We also would like to configure a fallback type of access
so if the client device does not pass the requirements they still get
AAC portal with minimum of "Preview" access. Here is what we found:
Continuous scans seem to only work with Citrix Secure Access client
(VPN). In other words if you want to use continuous scan, the user must
fall under the requirements for a connection policy that launches the
client. You can have multiple connection policies, but it will only
look at the policy with the highest priority. Once that either fails or
passes, it will react accordingly. So, if you have one connection
policy that would say to launch the VPN client under restrictive
conditions (they have a certain antivirus running and a watermark in the
registry), and a connection policy with a lower priority that says not
to launch it under a less restrictive condition (such as that antivirus
is not installed, or that the watermark is not present), once the first
one passes or fails, it simply reacts to that policy rather then going
to next policy if the previous policy failed.
Now, when that initial policy that tries to connect to the VPN fails due
to the non-restrictive conditions, no VPN connection is made. This
would be satisfactory if the portal didn't react a certain way with a
VPN connection. Basically what happens is that when the Secure Access
client is launched, the portal automatically tries to redirect its
connection to:
https://aac_server_fqdn/citrixlogonpoint/logonpoint_name
And not the usual
https://appliance_fqdn/citrixlogonpoint/logonpoint_name
And that's not a problem if the VPN connection is established, but when
it fails, you suddenly don't have this network resource, and hence,
can't hit the portal anymore. This is also true if a continuous scan
detects an error after a VPN connection is established.
(Just an aside: When the VPN does make a connection and the user doesn't
have any network resources assigned through access policies, they have a
default resource of the AAC server. That way, when a VPN client is
connected, the users can then hit the AAC server fine, we're just not
sure WHY this happens this way.)
Using access policies and Endpoint Analysis scans it seems possible to
give different levels of access depending on the conditions that are
present on the client device (antivirus running, certain browser,
etc...). It is not too straightforward either as we had to create 1
filter for the condition of antivirus, and 1 filter with NOT antivirus
(using the 'not' operator in the filter). Then we created 2 access
policies, one with each of the filters, so that when a user has an
antivirus present (that is based on our endpoint analysis), they receive
certain capabilities, and if they don't have it present, they receive
restricted capabilities.
So we have some questions...
1- How to configure fallback between connection policies?
So far we think that the server looks at the highest priority connection
policy, and then reacts accordingly without looking at any other
connection policy that is associated with that specified user. This way
it is completely useless to have a connection policy priority list and
also to have different connection policies applying to the same user
when they come from different devices (such as a less secure
environment).
2- Why does the portal try to connect to the FQDN of the AAC rather then
the FQDN of the appliance if the Citrix Secure Access client is engaged
(whether it be a successful connection or not, see previous question)?
Frankly, if this did not happen, then we really wouldn't be too worried
about a fallback connection policy when the initial connection policy
fails, as the user would still be able to access the portal as normal,
just not any network resources. This is exactly what we would setup as a
fallback connection policy anyways.
3- Why can't we also use continuous scans on access policies?
Is this simply because it needs a VPN connection to the user to
continuously check for these things?
4- How do we create custom endpoint analysis scans?
Ideally, if we can't get the continuous scan and fallback connection
policy stuff figured out, then we'd still like to check for registry
watermarks. This ability (registry checking) only seems to be in the
continuous scan, although, in the endpoint analysis, there is a section
for custom endpoint analyses. The problem with that is, is it's looking
for a *.cab file, which I have absolutely no idea how to create.
Thanks,
Pavlo Ignatusha & Curtis Brunet,
Pembroke Regional Hospital
tel. +1 (613) 732-3675 ext.6150
fax. +1 (613) 732-9986
--
The information in this email belongs to the Pembroke Regional Hospital
and may contain confidential and privileged information for the sole use
of the individual or organization to which it is addressed. If you are
not the intended recipient, you are hereby notified that any disclosure,
copying or distribution of the contents of this email is prohibited.
If you have received this email in error, please contact the sender and
destroy all copies of the original message.
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
--
The information in this email belongs to the Pembroke Regional Hospital
and may contain confidential and privileged information for the sole use
of the individual or organization to which it is addressed. If you are
not the intended recipient, you are hereby notified that any disclosure,
copying or distribution of the contents of this email is prohibited.
If you have received this email in error, please contact the sender and
destroy all copies of the original message.
Other related posts:
