[THIN] Re: Restricting CAG access

  • From: "Steve Greenberg" <steveg@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 9 Dec 2005 17:02:42 -0700

You can specify any combination of access for any group including local
users. What you may not be aware of is that with CAG, you can establish any
subnet, protocol, server, etc. as an assignable resource. Therefore, you can
limit access to virtually any resource you choose by the user group and/or
by creating local users and assigning access to them.
 
In the case of WI, there is also the CAG feature of assigning a default
portal. A very simple way to do this would be to assign the default portal
for the authorized users to be your internal WI and then block that
subnet, server, etc. for all other users. Also note that CAG supports single
sign-on, so you have the option to make your CAG login pass through to WI so
there is truly only one login for authorized remote users.
 
Did that answer your question?
 

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx



 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Evan Mann
Sent: Friday, December 09, 2005 12:09 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting CAG access


If I used CAG local users, and said only those users can use the WI portal,
does that take effect for EVERY CAG connection, or is there a way I can
specify that the CAG local users are not looked at if you are coming from
certain subnets (they are ignored, or automatically granted access)?


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: Friday, December 09, 2005 1:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting CAG access


You can create local users on the CAG box and set it so only they can
access, or create a new group in AD that the remote user must be part of to
get to WI. Define the resources they can access, such as the WI portal,
subnet, etc. and apply them to the policy for that group.
 

Steve Greenberg

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Evan Mann
Sent: Friday, December 09, 2005 9:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting CAG access



I'm in a situation where I need to restrict who can access WI through CAG,
based on approval to work from home.  Currently, any users granted Citrix
access (via an AD security group), can hit the CAG and use Citrix, from any
system that a Citrix client can be installed.  This means users can go home
and use Citrix.  I need to prevent this because not everyone is authorized
to work from home, and I need to restrict those unauthorized users from
working from home. 

Users don't have static IPs, so I can't use any form of IP restrictions.
It needs to be user or group based.

I'm still learning about CAG, so I don't know if it has some internal
features to do something like this.  If not, can anyone think of a way to
accomplish this?

I thought about removing the external DNS entry for the CAG FQDN. I'd
publish a separate FQDN that hit an IIS website and checked against an SG.
If you were in the SG, it could redirect to the CAG URL, but if no external
DNS for the CAG URL, that wouldn't work.  I could use a secondary external
FQDN for CAG, and have it redirect to that, and do it in a way that the URL
doesn't show in the browser.  This would prompt an SSL mismatch, which I'm
OK with, but this still doesn't prevent the more savvy end user from figuring
out the external FQDN directly to CAG.

Thoughts?

