[THIN] Re: Netscaler Post Auth Session Policy Failure?

  • From: James Scanlon <scanjam@xxxxxxxxxxx>
  • To: Thin <thin@xxxxxxxxxxxxx>
  • Date: Sat, 21 Dec 2013 00:47:10 +1000

Any ideas how you forward them to the 'SOL' page rather than the VPN page 
that keeps coming up. The global setting has no web interface specified, and 
makes no difference if I override it? I tried creating a quarantine group and it 
totally ignored that also.. (though I could have just gotten it 
wrong) =)

Cheers!
scanjam

Date: Fri, 20 Dec 2013 08:15:52 -0500
Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
From: strangedog@xxxxxxxxx
To: thin@xxxxxxxxxxxxx

Create your own "SOL" landing page and have the users sent there rather than 
having the CAG pick when the authentication is unsuccessful.  That way you know 
exactly where your #FAIL users will end up.

Patrick Coughlin 

On Fri, Dec 20, 2013 at 3:44 AM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:




this is definitely weird - on my test system I just had a global policy bound 
that once removed the session policy simply stopped as it had nowhere to 
forward the session - Fine. Clunky but it works.

 
on the client system - there are no globally bound policies that redirect the 
users to the 'start VPN' once it fails the Session policy EPA check (registry 
scan) 
 
the page it directs to is not actually client choices - but what looks like the 
old Metaframe secure access manager page - with a ping option, and OWA, Web 
Site Shares and File Shares etc... I have no idea where this is coming from?

Any ideas?
 
From: scanjam@xxxxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?

Date: Fri, 20 Dec 2013 10:14:17 +1000




yep.

Date: Thu, 19 Dec 2013 17:12:24 -0700
Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
From: joe.shonk@xxxxxxxxx

To: thin@xxxxxxxxxxxxx

So basically any user on an internet-connected device can type in user names 
and passwords?  So, a crafty person can launch a DOS attack and lock out 
accounts?

Joe


On Thu, Dec 19, 2013 at 4:53 PM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:





nope, it's configured as a session policy. I argued that it's a bit silly as the 
user has already authenticated, but the client was advised (at some point) by 
Citrix that pre auth is more difficult to troubleshoot when clients are logging 
in (the fun error codes the NetScaler spits out) and they have many multiple 
people connecting from many different devices

so they were adamant they wanted a scan / reg scan after the user name and 
password....bah...

Date: Thu, 19 Dec 2013 16:37:46 -0700
Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?


From: joe.shonk@xxxxxxxxx
To: thin@xxxxxxxxxxxxx

Correct me if I'm wrong, but wouldn't that be  a pre-auth policy?


Joe

On Thu, Dec 19, 2013 at 12:59 PM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:




Greetings thin list legends! Long time no email!

Quick one. I have a single Netscaler Access Gateway with one post auth session 
policy which points them to storefront.


It runs a single EPA check for a registry key for the domain membership. If it 
fails the registry check however it's 'defaulting' to the client choices page 
and starts running an SSL VPN!?!



I've checked all advanced settings and the global settings - and there is 
literally nothing set to create this? Any idea how to set a policy so that 'If 
your EPA scan fails' the system just denies access? or even another policy 
which would direct them to a web server that doesn't exist or really ANYTHING 
other than starting a FULL SSL VPN!! :)



I hope everyone is well and looking forward to the holidays! All the best for 
xmas and the new year.

scanjam



                                          

                                          

                                                                                
  

                                          
