[THIN] Re: Deny XenApp connections through access gateway

  • From: Tom Sorenson <tsorenson99@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 18 Mar 2013 07:21:42 -0500

Thanks Jeremy,

That was helpful.  I'm curious what you mean by "allowing you to do more
smarts from the Netscaler side of things."  I thought about having
authentication at the netscaler, but I couldn't replicate what management
wanted on the NS WI login page.

I'm also curious how to deny connections with access gateway filters.  I
can't seem to find clear documentation on how this works (or in my case
doesn't work).

On Sun, Mar 17, 2013 at 6:13 PM, Jeremy Saunders <
jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hi Tom,****
>
> ** **
>
> You have a couple of options, but from what you’ve explained, I’m assuming
> that it’s setup as a CSG replacement and not for smart access. You’ve also
> got it setup for authentication at web interface, which is not the
> recommended configuration. You’d be better off setting authentication at
> Access Gateway (using an Authentication service URL back to the NetScaler),
> which will handle single sign on for the Web Interface, allowing you to do
> more smarts from the Netscaler side of things.****
>
> ** **
>
> You are right, the documentation is not brilliant. The following
> deployment guides will assist with the overall understanding of the
> configuration process:****
>
>    - ICA Proxy for XenApp:
>    
> http://community.citrix.com/download/attachments/81134385/Citrix_AGEE_ICAProxyXenApp.pdf
>    ****
>    - ICA Proxy for XenApp & XenDesktop for Citrix Receiver for iPhone,
>    iPod, iPad:
>    
> http://community.citrix.com/download/attachments/115345826/Citrix_AGEE_ICAProxyXAXDReceiver.pdf
>    ****
>    - ICA Proxy for XenApp Citrix Receiver for iPhone:
>    
> http://community.citrix.com/download/attachments/102236255/Citrix_AGEE_ICAProxyXenAppiPhone.pdf
>    ****
>    - ICA Proxy for Citrix Receiver:
>    
> http://community.citrix.com/download/attachments/116032624/Citrix_AGEE_ICAProxyReceiver.pdf
>    ****
>
> The following knowledgebase articles will assist with the overall
> understanding of the configuration process:****
>
>    - CTX120164 - How to Implement Single Sign-on with Access Gateway
>    Enterprise Edition 9.x and Web Interface 
> 5.x<http://support.citrix.com/article/CTX120164>
>    **
>
> ** **
>
> Note that the screen shots in these documents may not match exactly what
> you have.****
>
> ** **
>
> However, from what you’ve explained, without changing your config too
> much, your best option is to use the good old description field in the
> published app with the associated code in Web Interface as described here:
> http://support.citrix.com/article/CTX122133****
>
> ** **
>
> To get this right, regardless of the method you choose, you’ll need at
> least two Web Interface sites (not servers). One for Internal Access, and
> one for External Access. Once again, this depends on your setup and the
> environment, but this is how I would probably do it with the limited
> information you’ve provided.****
>
> ** **
>
> Cheers,****
>
> Jeremy****
>
> ** **
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Tom Sorenson
> *Sent:* Sunday, 17 March 2013 11:28 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Deny XenApp connections through access gateway****
>
> ** **
>
> HELP!
>
> I need to be able to deny connections to some published apps coming
> through the access gateway (external connections).  I've enabled trusting
> XML service requests on the servers I want to deny access to and unchecked
> allowing connections to the published app in the published app properties.
> It doesn't work.  Can anyone tell me what I'm doing wrong?  Unfortunately
> the citrix documentation on doing this is as clear as a cup of turkish
> coffee.
>
> Here's my environment
>
> Netscaler 9.3
> Web Interface 5.4 (authentication at web interface)
> XenApp 6.5 rollup 1
>
>
> Thanks for the help!****
>

Other related posts: