Thanks Jeremy, That was helpful. I'm curious what you mean by "allowing you to do more smarts from the Netscaler side of things." I thought about having authentication at the netscaler, but I couldn't replicate what management wanted on the NS WI login page. I'm also curious how to deny connections with access gateway filters. I can't seem to find clear documentation on how this works (or in my case doesn't work). On Sun, Mar 17, 2013 at 6:13 PM, Jeremy Saunders < jeremy@xxxxxxxxxxxxxxxxxxxx> wrote: > Hi Tom,**** > > ** ** > > You have a couple of options, but from what you’ve explained, I’m assuming > that it’s setup as a CSG replacement and not for smart access. You’ve also > got it setup for authentication at web interface, which is not the > recommended configuration. You’d be better off setting authentication at > Access Gateway (using an Authentication service URL back to the NetScaler), > which will handle single sign on for the Web Interface, allowing you to do > more smarts from the Netscaler side of things.**** > > ** ** > > You are right, the documentation is not brilliant. The following > deployment guides will assist with the overall understanding of the > configuration process:**** > > - ICA Proxy for XenApp: > > http://community.citrix.com/download/attachments/81134385/Citrix_AGEE_ICAProxyXenApp.pdf > **** > - ICA Proxy for XenApp & XenDesktop for Citrix Receiver for iPhone, > iPod, iPad: > > http://community.citrix.com/download/attachments/115345826/Citrix_AGEE_ICAProxyXAXDReceiver.pdf > **** > - ICA Proxy for XenApp Citrix Receiver for iPhone: > > http://community.citrix.com/download/attachments/102236255/Citrix_AGEE_ICAProxyXenAppiPhone.pdf > **** > - ICA Proxy for Citrix Receiver: > > http://community.citrix.com/download/attachments/116032624/Citrix_AGEE_ICAProxyReceiver.pdf > **** > > The following knowledgebase articles will assist with the overall > understanding of the configuration process:**** > > - CTX120164 - How to Implement Single Sign-on with Access Gateway > Enterprise Edition 9.x and Web Interface > 5.x<http://support.citrix.com/article/CTX120164> > ** > > ** ** > > Note that the screen shots in these documents may not match exactly what > you have.**** > > ** ** > > However, from what you’ve explained, without changing your config too > much, your best option is to use the good old description field in the > published app with the associated code in Web Interface as described here: > http://support.citrix.com/article/CTX122133**** > > ** ** > > To get this right, regardless of the method you choose, you’ll need at > least two Web Interface sites (not servers). One for Internal Access, and > one for External Access. Once again, this depends on your setup and the > environment, but this is how I would probably do it with the limited > information you’ve provided.**** > > ** ** > > Cheers,**** > > Jeremy**** > > ** ** > > *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Tom Sorenson > *Sent:* Sunday, 17 March 2013 11:28 AM > *To:* thin@xxxxxxxxxxxxx > *Subject:* [THIN] Deny XenApp connections through access gateway**** > > ** ** > > HELP! > > I need to be able to deny connections to some published apps coming > through the access gateway (external connections). I've enabled trusting > XML service requests on the servers I want to deny access to and unchecked > allowing connections to the published app in the published app properties. > It doesn't work. Can anyone tell me what I'm doing wrong? Unfortunately > the citrix documentation on doing this is as clear as a cup of turkish > coffee. > > Here's my environment > > Netscaler 9.3 > Web Interface 5.4 (authentication at web interface) > XenApp 6.5 rollup 1 > > > Thanks for the help!**** >