[THIN] Re: Deny XenApp connections through access gateway

  • From: "Jeremy Saunders" <jeremy@xxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 19 Mar 2013 07:54:16 +0800

Hi Tom,

 

By smarts I mean a few things such as:

*       Smart Access policies, but depends on your licensing.
*       Full support for two-factor authentication, specifically for smart
phones and tablets.
*       Load Balancing Authentication providers (LDAP, RADIUS).
*       And so on.

 

The NS login page is rather easy to customise, but the method takes a little
getting used to. Get the "Advanced Netscaler Customizations" presentation by
Sam Jacobs from here: http://www.slideshare.net/shoesing/. It will help with
some ideas. There are plenty of examples around on how to change the default
theme to White Pearl as per Citrix knowledgebase article CTX123607, etc.

 

Cheers,

Jeremy

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Tom Sorenson
Sent: Monday, 18 March 2013 8:22 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Deny XenApp connections through access gateway

 

Thanks Jeremy,

That was helpful. I'm curious what you mean by "allowing you to do more
smarts from the Netscaler side of things." I thought about having
authentication at the NetScaler, but I couldn't replicate what management
wanted on the NS WI login page.

I'm also curious how to deny connections with access gateway filters.  I
can't seem to find clear documentation on how this works (or in my case
doesn't work).

On Sun, Mar 17, 2013 at 6:13 PM, Jeremy Saunders
<jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:

Hi Tom,

 

You have a couple of options, but from what you've explained, I'm assuming
that it's set up as a CSG replacement and not for smart access. You've also
got it set up for authentication at Web Interface, which is not the
recommended configuration. You'd be better off setting authentication at
Access Gateway (using an Authentication service URL back to the NetScaler),
which will handle single sign-on for the Web Interface, allowing you to do
more smarts from the NetScaler side of things.

 

You are right, the documentation is not brilliant. The following deployment
guides will assist with the overall understanding of the configuration
process:

*       ICA Proxy for XenApp:
http://community.citrix.com/download/attachments/81134385/Citrix_AGEE_ICAProxyXenApp.pdf
*       ICA Proxy for XenApp & XenDesktop for Citrix Receiver for iPhone,
iPod, iPad:
http://community.citrix.com/download/attachments/115345826/Citrix_AGEE_ICAProxyXAXDReceiver.pdf
*       ICA Proxy for XenApp Citrix Receiver for iPhone:
http://community.citrix.com/download/attachments/102236255/Citrix_AGEE_ICAProxyXenAppiPhone.pdf
*       ICA Proxy for Citrix Receiver:
http://community.citrix.com/download/attachments/116032624/Citrix_AGEE_ICAProxyReceiver.pdf

The following knowledgebase articles will assist with the overall
understanding of the configuration process:

*       CTX120164 - How to Implement Single Sign-on with Access Gateway
Enterprise Edition 9.x and Web Interface 5.x
<http://support.citrix.com/article/CTX120164> 

 

Note that the screen shots in these documents may not match exactly what you
have.

 

However, from what you've explained, without changing your config too much,
your best option is to use the good old description field in the published
app with the associated code in Web Interface as described here:
http://support.citrix.com/article/CTX122133

 

To get this right, regardless of the method you choose, you'll need at least
two Web Interface sites (not servers). One for Internal Access, and one for
External Access. Once again, this depends on your setup and the environment,
but this is how I would probably do it with the limited information you've
provided.

 

Cheers,

Jeremy

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Tom Sorenson
Sent: Sunday, 17 March 2013 11:28 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Deny XenApp connections through access gateway

 

HELP!

I need to be able to deny connections to some published apps coming through
the access gateway (external connections). I've enabled trusting XML
service requests on the servers I want to deny access to and unchecked
allowing connections to the published app in the published app properties.
It doesn't work. Can anyone tell me what I'm doing wrong? Unfortunately
the Citrix documentation on doing this is as clear as a cup of Turkish
coffee.

Here's my environment

Netscaler 9.3
Web Interface 5.4 (authentication at web interface)
XenApp 6.5 rollup 1


Thanks for the help!

 
