Hi Tom, By smarts I mean a few things such as: . Smart Access policies, but depends on your licensing. . Full support for two-factor authentication, specifically for smart phones and tablets. . Load Balancing Authentication providers (LDAP, RADIUS). . And so on. The NS login page is rather easy to customise, but the method takes a little getting used to. Get the "Advanced Netscaler Customizations" presentation by Sam Jacobs from here: http://www.slideshare.net/shoesing/. It will help with some ideas. There's plenty of examples around on how to change the default theme to White Pearl as per Citrix knowledgebase article CTX123607, etc. Cheers, Jeremy From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Sorenson Sent: Monday, 18 March 2013 8:22 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Deny XenApp connections through access gateway Thanks Jeremy, That was helpful. I'm curious what you mean by "allowing you to do more smarts from the Netscaler side of things." I thought about having authentication at the netscaler, but I couldn't replicate what management wanted on the NS WI login page. I'm also curious how to deny connections with access gateway filters. I can't seem to find clear documentation on how this works (or in my case doesn't work). On Sun, Mar 17, 2013 at 6:13 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote: Hi Tom, You have a couple of options, but from what you've explained, I'm assuming that it's setup as a CSG replacement and not for smart access. You've also got it setup for authentication at web interface, which is not the recommended configuration. You'd be better off setting authentication at Access Gateway (using an Authentication service URL back to the NetScaler), which will handle single sign on for the Web Interface, allowing you to do more smarts from the Netscaler side of things. You are right, the documentation is not brilliant. The following deployment guides will assist with the overall understanding of the configuration process: * ICA Proxy for XenApp: http://community.citrix.com/download/attachments/81134385/Citrix_AGEE_ICAPro xyXenApp.pdf * ICA Proxy for XenApp & XenDesktop for Citrix Receiver for iPhone, iPod, iPad: http://community.citrix.com/download/attachments/115345826/Citrix_AGEE_ICAPr oxyXAXDReceiver.pdf * ICA Proxy for XenApp Citrix Receiver for iPhone: http://community.citrix.com/download/attachments/102236255/Citrix_AGEE_ICAPr oxyXenAppiPhone.pdf * ICA Proxy for Citrix Receiver: http://community.citrix.com/download/attachments/116032624/Citrix_AGEE_ICAPr oxyReceiver.pdf The following knowledgebase articles will assist with the overall understanding of the configuration process: * CTX120164 - How to Implement Single Sign-on with Access Gateway Enterprise Edition 9.x and Web Interface 5.x <http://support.citrix.com/article/CTX120164> Note that the screen shots in these documents may not match exactly what you have. However, from what you've explained, without changing your config too much, your best option is to use the good old description field in the published app with the associated code in Web Interface as described here: http://support.citrix.com/article/CTX122133 To get this right, regardless of the method you choose, you'll need at least two Web Interface sites (not servers). One for Internal Access, and one for External Access. Once again, this depends on your setup and the environment, but this is how I would probably do it with the limited information you've provided. Cheers, Jeremy From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Sorenson Sent: Sunday, 17 March 2013 11:28 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Deny XenApp connections through access gateway HELP! I need to be able to deny connections to some published apps coming through the access gateway (external connections). I've enabled trusting XML service requests on the servers I want to deny access to and unchecked allowing connections to the published app in the published app properties. It doesn't work. Can anyone tell me what I'm doing wrong? Unfortunately the citrix documentation on doing this is as clear as a cup of turkish coffee. Here's my environment Netscaler 9.3 Web Interface 5.4 (authentication at web interface) XenApp 6.5 rollup 1 Thanks for the help!