[THIN] Re: Restricting CAG access

  • From: "Evan Mann" <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 9 Dec 2005 12:04:21 -0500

That doesn't accomplish my goals.  It has to be 2 separate groups.  1
that specifies they can access CAG from my networks/offices, and 1 from
outside those networks.  This is a requirement because the users access
WI through CAG while in the office, and I need to restrict out of office
access. We're not really looking to change the fact that in office users
hit WI through CAG.
 
 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Joe Shonk
Sent: Friday, December 09, 2005 12:00 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting CAG access



Just configure the Default Domain on the CAG to point to a new AD user
group (perhaps call it Remote Citrix Users).  If the users are in that
AD Group, they can access WI through the CAG. 

 

Joe

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Friday, December 09, 2005 9:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting CAG access

 

I'm in a situation where I need to restrict who can access WI through
CAG, based on approval to work from home.  Currently, any users granted
Citrix access (via an AD security group), can hit the CAG and use
Citrix, from any system that a Citrix client can be installed.  This
means users can go home and use Citrix.  I need to prevent this because
not everyone is authorized to work from home, and I need to restrict
those unauthorized users from working from home. 

Users don't have static IPs, so I can't use any form of IP
restrictions.  It needs to be user or group based. 

I'm still learning about CAG, so I don't know if it has some internal
features to do something like this.  If not, can anyone think of a way
to accomplish this?

I thought about removing the external DNS entry for the CAG FQDN. I'd
publish a separate FQDN that hit an IIS website and checked against an
SG. If you were in the SG, it could redirect to the CAG URL, but if no
external DNS for the CAG URL, that wouldn't work.  I could use a
secondary external FQDN for CAG, and have it redirect to that, and do it
in a way that the URL doesn't show in the browser.  This would prompt an
SSL mismatch, which I'm OK with, but this still doesn't prevent the more
savvy end user from figuring out the external FQDN directly to CAG.

Thoughts?
