You can create local users on the CAG box and set it so only they can access, or create a new group in AD that the remote user must be part of to get to WI. Define the resources they can access, such as the WI portal, subnet, etc., and apply them to the policy for that group.

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Friday, December 09, 2005 9:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting CAG access

I'm in a situation where I need to restrict who can access WI through CAG, based on approval to work from home. Currently, any users granted Citrix access (via an AD security group) can hit the CAG and use Citrix from any system on which a Citrix client can be installed. This means users can go home and use Citrix. I need to prevent this because not everyone is authorized to work from home, and I need to restrict those unauthorized users from working from home.

Users don't have static IPs, so I can't use any form of IP restrictions. It needs to be user or group based. I'm still learning about CAG, so I don't know if it has some internal features to do something like this. If not, can anyone think of a way to accomplish this?

I thought about removing the external DNS entry for the CAG FQDN. I'd publish a separate FQDN that hit an IIS website and checked against an SG. If you were in the SG, it could redirect to the CAG URL, but with no external DNS for the CAG URL, that wouldn't work. I could use a secondary external FQDN for CAG, and have it redirect to that, and do it in a way that the URL doesn't show in the browser. This would prompt an SSL mismatch, which I'm OK with, but this still doesn't prevent the more savvy end user from figuring out the external FQDN directly to CAG.

Thoughts?