[THIN] Re: Netscaler Post Auth Session Policy Failure?

  • From: Pat Coughlin <strangedog@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Fri, 20 Dec 2013 14:13:59 -0500

Create a second policy, with a NSTRUE as the test, and give it a lower
priority than your existing test.  So if they fail the test they get dumped
to the "SOL" policy.  If they pass you send them through.


On Fri, Dec 20, 2013 at 9:47 AM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:

> Any ideas how you forward them to the 'SOL' page rather than the VPN
> page that keeps coming up?
> The global setting has no web interface specified, and makes no difference
> if I override it?
> I tried creating a quarantine group and it totally ignored that also..
> (though I could have just gotten it wrong)
> L=)
> Cheers!
> scanjam
>
> ------------------------------
> Date: Fri, 20 Dec 2013 08:15:52 -0500
>
> Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
> From: strangedog@xxxxxxxxx
> To: thin@xxxxxxxxxxxxx
>
>
> Create your own "SOL" landing page and have the users sent there rather
> than having the CAG pick when the authentication is unsuccessful.  That way
> you know exactly where your #FAIL users will end up.
>
> Patrick Coughlin
>
>
> On Fri, Dec 20, 2013 at 3:44 AM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:
>
> this is definitely weird - on my test system I just had a global policy
> bound that once removed the session policy simply stopped as it had
> nowhere to forward the session - Fine. Clunky but it works.
>
> on the client system - there are no globally bound policies that redirect
> the users to the 'start VPN' once it fails the Session policy EPA check
> (registry scan)
>
> the page it directs to is not actually client choices - but what looks
> like the old Metaframe secure access manager page - with a ping option, and
> OWA, Web Site Shares and File Shares etc... I have no idea where this is
> coming from?
> Any ideas?
>
> ------------------------------
> From: scanjam@xxxxxxxxxxx
> To: thin@xxxxxxxxxxxxx
>
> Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
> Date: Fri, 20 Dec 2013 10:14:17 +1000
>
>
> yep.
>
> ------------------------------
> Date: Thu, 19 Dec 2013 17:12:24 -0700
> Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
> From: joe.shonk@xxxxxxxxx
> To: thin@xxxxxxxxxxxxx
>
> So basically any user on an internet-connected device can type in user
> names and passwords?  So, a crafty person can launch a DOS attack and lock
> out accounts?
>
> Joe
>
>
> On Thu, Dec 19, 2013 at 4:53 PM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:
>
> nope, it's configured as a session policy.
> I argued that it's a bit silly as the user has already authenticated, but
> the client was advised (at some point) by Citrix that pre auth is more
> difficult to troubleshoot when clients are logging in (the fun error codes
> the netscaler spits out) and they have many multiple people connecting from
> many different devices
> so they were adamant they wanted a scan / reg scan after the user name and
> password....
> bah...
>
> ------------------------------
> Date: Thu, 19 Dec 2013 16:37:46 -0700
>
> Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
> From: joe.shonk@xxxxxxxxx
> To: thin@xxxxxxxxxxxxx
>
>
> Correct me if I'm wrong, but wouldn't that be  a pre-auth policy?
>
> Joe
>
>
> On Thu, Dec 19, 2013 at 12:59 PM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:
>
> Greetings thin list legends!
> long time no email!
>
> Quick one.
>
>    1. I have a single Netscaler Access Gateway with one post auth session
>    policy which points them to storefront.
>    2. It runs a single EPA check for a registry key for the domain
>    membership.
>    3. If it fails the registry check however it's 'defaulting' to the
>    client choices page and starts running an SSL VPN!?!
>
>
> I've checked all advanced settings and the global settings - and there is
> literally nothing set to create this?
> Any idea how to set a policy so that 'If your EPA scan fails' the system
> just denies access? or even another policy which would direct them to a web
> server that doesn't exist or really ANYTHING *other* than starting a FULL
> SSL VPN!! :)
>
> I hope everyone is well and looking forward to the holidays!
> All the best for xmas and the new year.
>
> scanjam
>
>
>
>
>
