[THIN] RE: [THIN] Re: Access Gateway 4.2

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 3 Aug 2006 10:44:19 -0400

That's what I was thinking was going to be the outcome.  It's not
exactly what we have been trying to accomplish (don't let them into the
CAG altogether).  However, for me, redirecting the default portal page
would be acceptable. I can just dump it to a page that says "You do not
have access" or such.

I am a little surprised there is no way to disable the default group
altogether as a way to lock people out that do not have specific access.
That's a fairly easy way to handle this.
 
 
 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Thursday, August 03, 2006 10:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2


So what I did was point the default to a different portal page and that
solved it.
 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com <http://jeffpitschconsulting.com/> 



 
On 8/3/06, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote: 

        I'm getting into my CAG now and if I can't figure it out, I'll
give Citrix a buzz.  The CTP thing is good for this type of thing :)
        
         

        Jeff Pitsch
        Microsoft MVP - Terminal Server

        Forums not enough?
        Get support from the experts at your business
        http://jeffpitschconsulting.com
<http://jeffpitschconsulting.com/>  



         
        On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx > wrote: 

                We have the other groups in CAG.  They work fine.  The
trouble is the default group, it is active, and for those not in my
created group, citrixag, they can still authenticate and make a
connection.  Heck, I have logons on the shop floor, that could go home
and make this connection and launch their applications from home.  I
only want group citrixag to be able to connect to this... 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                Sent: Thursday, August 03, 2006 8:38 AM

                
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: Access Gateway 4.2

                

                 

                If you're using the default group then you're getting
exactly what you set up.  Implement another group in the CAG.  I tested
this out last night and it works just fine.  Your implementation is flawed if
you're doing this through the default group. 

                 

                Jeff Pitsch
                Microsoft MVP - Terminal Server

                Forums not enough?
                Get support from the experts at your business
                http://jeffpitschconsulting.com
<http://jeffpitschconsulting.com/> 

                
                
                 

                

                On 8/3/06, Schneider, Chad M < CMSchneider@xxxxxxxxx
<mailto:CMSchneider@xxxxxxxxx> > wrote: 

                Ok...I can require authentication to the portal
page...but any user in the AD, so long as they can authenticate, can log
onto this Gateway.  This is the issue, I only want users in particular
AD groups, which I have created as local groups on the gateway, to be
able to sign onto the gateway.  It should not be this hard to only allow
domain group A to connect to this unit. 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
                Sent: Thursday, August 03, 2006 12:47 AM

                
                To: thin@xxxxxxxxxxxxx 
                Subject: [THIN] Re: Access Gateway 4.2

                 

                You can set require authentication to the portal page,
this will force them to login at the very first stage before getting any
options. 

                 

                Be sure to remove any resources from default group, do
not set the default group portal properties to go to WI, and, do not
check "inherit default group properties" for the other groups. 

                 

                That should do it. I think you must have set WI as the
default portal redirect and since you did not require authentication to
get to this default page, everyone got it!! 

                 

                Steve Greenberg

                Thin Client Computing

                34522 N. Scottsdale Rd D8453

                Scottsdale, AZ 85262 

                (602) 432-8649

                www.thinclient.net <http://www.thinclient.net/> 

                steveg@xxxxxxxxxxxxxx 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
                Sent: Wednesday, August 02, 2006 10:01 PM
                To: ' thin@xxxxxxxxxxxxx <mailto:thin@xxxxxxxxxxxxx> '
                Subject: [THIN] Re: Access Gateway 4.2

                 

                I have the default group, and 2 other groups, each
having around 15 users in the corresponding AD domain group. 

                 

                The users I have tested are not in either of the created
local, nor AD domain groups.  They appear to be connecting using the
default user group, as I set that to change things like the Gateway
portal settings, and that account uses the default settings.  What I
want is for no one to use default group, only allow connection to
ANYTHING, even sign onto my gateway, if they are listed in a group I
create and grant rights to. 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
                Sent: Wednesday, August 02, 2006 11:52 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: Access Gateway 4.2

                 

                This is confusing to me too. The behavior of either a
VPN connection or WI redirect are both triggered by groups. If you are
using CAG without AAC all you need to do is set up the LDAP authorization
and authentication and then create a local CAG group with the same name
as the target AD group. 

                 

                Obviously if the group is something like Domain Users,
everyone will get in. I would suggest a simple test- create a new group
in AD and create the same group name on the CAG. Point it to some web
link or resource, only put one account in the group. I suspect that it
will work as you want and that there may be some other issue related to
group membership going on here.... 

                 

                Steve Greenberg

                Thin Client Computing

                34522 N. Scottsdale Rd D8453

                Scottsdale, AZ 85262 

                (602) 432-8649

                www.thinclient.net <http://www.thinclient.net/> 

                steveg@xxxxxxxxxxxxxx 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                Sent: Wednesday, August 02, 2006 3:25 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: Access Gateway 4.2

                 

                So to put this in perspective, everything works if you
don't go to WI.  Say you allow VPN access to those users, then the
appropriate groups are enforced.  If you go straight to WI though then
everyone gets through?  Or is it that groups are not enforced at all? 

                 

                Jeff Pitsch
                Microsoft MVP - Terminal Server

                Forums not enough?
                Get support from the experts at your business
                http://jeffpitschconsulting.com
<http://jeffpitschconsulting.com/> 

                
                
                 

                On 8/2/06, Evan Mann < emann@xxxxxxxxxxxxxxxxxxxxx
<mailto:emann@xxxxxxxxxxxxxxxxxxxxx> > wrote: 

                Sounds like you are asking for the same thing I asked
about a while ago.

                
                I have my CAG going straight to WI using SSO.  (Hit CAG
in browser, put in username/password, click OK and you are dropped into
WI and you see your apps.)  We don't use the VPN features of the CAG at
all. 

                 

                The only thing I ever came up with was to direct
requests to an IIS server first and use NTFS security based on group
membership to determine if the basic auth to the IIS server would allow
them to then redirect to the CAG.  A few issues can be caused by this
(SSL and DNS in particular) depending on the network location of the IIS
server, CAG, and inside/outside access needs. 

                 

                I never looked to see if this kind of functionality is
available via AAC, but this is such a simple request/option, I couldn't
understand why it's not available. 

                 

                Alternatively, you could just do this security on the WI
server.  I suppose it's not as secure, because users you don't want
through the CAG in the first place get through, but at least you could
block them from loading the WI page unless they were in a particular
NTFS group. 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx [mailto:
thin-bounce@xxxxxxxxxxxxx <mailto:thin-bounce@xxxxxxxxxxxxx> ] On Behalf
Of Schneider, Chad M

                Sent: Wednesday, August 02, 2006 5:03 PM

                
                To: ' thin@xxxxxxxxxxxxx <mailto:thin@xxxxxxxxxxxxx> '
                Subject: [THIN] Re: Access Gateway 4.2

                
                 

                Sorry to be dense on this...just got HAMMERED down our
windpipe...

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
                Sent: Wednesday, August 02, 2006 3:59 PM
                To: ' thin@xxxxxxxxxxxxx <mailto:thin@xxxxxxxxxxxxx> '
                Subject: [THIN] Re: Access Gateway 4.2

                 

                We go to the CAG, it asks for credentials, we then go to
our Web interface URL rather than the default gateway portal.... 

                 

                Once in the WI, they click on their applications and
launch a VPN connected Citrix app.

                 

                I must be missing something.

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                Sent: Wednesday, August 02, 2006 3:43 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: Access Gateway 4.2

                 

                Oh so we aren't talking about the VPN connection.  If
you are going direct to WI and not authenticating to the CAG beforehand
then this would be as expected. 

                 

                Jeff Pitsch
                Microsoft MVP - Terminal Server

                Forums not enough?
                Get support from the experts at your business
                http://jeffpitschconsulting.com
<http://jeffpitschconsulting.com/> 

                
                
                 

                On 8/2/06, Schneider, Chad M < CMSchneider@xxxxxxxxx
<mailto:CMSchneider@xxxxxxxxx> > wrote: 

                I created 2 groups, in the CAG.  Each is working fine,
however, ALL users in the AD domain are able to get through it and into
it as well. 

                 

                We have it set to go directly to our Web Interface
page...

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                Sent: Wednesday, August 02, 2006 3:12 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: Access Gateway 4.2

                 

                Is this simply the CAG?  You can set up groups in the CAG
that would allow you to define who has access.  

                 

                Jeff Pitsch
                Microsoft MVP - Terminal Server

                Forums not enough?
                Get support from the experts at your business
                http://jeffpitschconsulting.com
<http://jeffpitschconsulting.com/> 

                
                
                 

                On 8/2/06, Schneider, Chad M < CMSchneider@xxxxxxxxx
<mailto:CMSchneider@xxxxxxxxx> > wrote: 

                I have it configured for LDAP, working
great...well...sort of...

                 

                I want it to only allow the users/groups I grant rights
to, the ability to use this...not the ENTIRE LDAP directory...

                 

                Can anyone assist?

                 

                Chad Schneider

                Technology Analyst/Citrix Admin.

                Bemis Company, Inc.

                920-303-7609

                 

                 

                 

                 

                 


