Are you possibly thinking of the access gateway's ability to have some sort of host checking and end-point analysis? The way I've done it in the past (without an access gateway) is to have multiple WI & CSG boxes & include some additional tweaks. Outside: CSG.External->WI.External Internal: WI.Internal or CSG.Internal->WI.Internal The internal/external WI can be hosted on the same server. You can use the functions and information on Thomas Koetzing's excellent resource site (http://www.youtube.com/watch?v=Cj6wgPN2CCg) to hide folders/applications on the External Site; you can also specify who has access to the WI site on a group level. Also bear in mind you can modify a WI sites so that the client name for each connection is overridden from the default. The default is to use the end client's own name - but if you enable this feature each remote connection gets a unique name (starting with WI). You can change this prefix on a WI site by site basis (http://support.citrix.com/article/CTX111851 ) so for example, the WI.External site has a prefix of EX_* and the WI.Internal has a prefix of IN_*. You can then set policies that enable/disable features based on an internal/external connection. Maybe for internal you allow printing and local drive access, and for external you don't This way - internal users get a full set of apps, with one set of policies; external users get a different set of apps (or a reduced set of apps) with a different set of policies. From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Benway Sent: 04 April 2011 16:19 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Restricting who can access citrix remotely What I was hoping for is something like If they are group A that gives them access to the app through CWI But from outside they go through the CSG first and need to be in Group B and Group A to logon through CSG=>CWI jb From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese Sent: Monday, April 04, 2011 11:16 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Restricting who can access citrix remotely you could always just amp up the IIS security which would force them to authenticate to the website first. Greg On Mon, Apr 4, 2011 at 10:11 AM, Jason Benway <benwayj@xxxxxxxxxxx> wrote: Currently I have two citrix farms, one old PS4 and the new XA5 (win2003) that I'm moving toward. I have two different CSG's installed to access them. Is it possible with just CSG to require an additional group to access the web interface. So if they are inside they can get to their apps, but control who/what is access from outside? I think that requires another citrix product. But I thought I remember a CWI hack from the old days that may let me do this. Jason Benway System/Storage Engineer <http://www.jsjcorp.com> www.jsjcorp.com JSJ Corporation 700 Robbins Road Grand Haven, MI 49417 _____ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.