[THIN] RE: [THIN] Re: Access Gateway 4.2

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 7 Aug 2006 20:33:29 -0400

It's just a different way of looking at it.  If they don't get assigned
resources because they are not in a group you put into the CAG, why let
them into the CAG at all?  It's less secure to have the CAG pass them
through and deny resources as opposed to just deny them through the CAG
in the first place.

It sounds like using RADIUS causes the CAG to deny you through if you're
not in a RADIUS group.  There's no reason to not have LDAP function the
same way, right?
 
It's a simple fix as I see it.  Have a checkbox on the default group to
disable it.  If you're using LDAP and the CAG doesn't have a matching
group defined, and default is disabled, it doesn't let you through.
Disabling default is a good feature to have anyway.  Why should you be
forced into having a fallback if there is no membership match?

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Monday, August 07, 2006 7:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2



I am still confused about this. I can see how CAG might grant
authentication to everyone in this scenario, but it still observes group
membership for resources. So I don't understand how this means users
who are not in target groups get access to anything, i.e. they may be
able to authenticate to the CAG itself through this loophole, but they
should not get ANY resources assigned and therefore cannot do anything
at all!!

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Monday, August 07, 2006 3:47 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Hopefully something like this gets fixed sooner rather than later.
Especially since, like someone said, LDAP is probably much more in use on
these things than Radius.

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 8/7/06, M <mathras@xxxxxxxxxxxxxxxx> wrote: 

Thanks for raising this Chad. 

It's certainly opened my eyes to LDAP and the CAGs.

I wonder how many others have realised the same thing.

 

Matt

----- Original Message ----- 

From: Schneider, Chad M <mailto:CMSchneider@xxxxxxxxx> 

To: 'thin@xxxxxxxxxxxxx' 

Sent: Monday, August 07, 2006 4:40 AM

Subject: [THIN] Re: Access Gateway 4.2


 

Radius works fine based on group membership, LDAP does not, on the CAG,
as confirmed by Citrix.  LDAP reads whatever object you tell it to look
at and grants rights to that and all sub folders...set LDAP to
authenticate to your root domain, EVERYONE can sign onto the Gateway.
Trouble is, just because a user is a member of a group, does not make
them an object within the group container.

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Thursday, August 03, 2006 3:35 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

What's the difference?  Match groups in Radius to CAG, match groups in
LDAP to CAG.  What am I missing, because both of those work just fine.

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 8/3/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

Radius is working like a champ, based on domain groups..

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M
Sent: Thursday, August 03, 2006 1:49 PM


To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

Direct from Citrix tech support.

 

Working with Radius, as I can assign groups....and those groups match
the local groups in CAG.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Thursday, August 03, 2006 11:58 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Who told you that? AD is based on LDAP and using groups that match
between CAG and AD is how you assign resources!! 

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262 

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M
Sent: Thursday, August 03, 2006 9:13 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

According to Citrix, you cannot use group membership from an AD
domain when using LDAP authentication.

 

You can use Radius, they state.  The reason is LDAP looks for the user
object under the listing for base DN.  Let's face it, we would not want
all users under a particular DN to have rights to the CAG, in most
cases.  With Radius, you can control this using group membership.

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Thursday, August 03, 2006 11:12 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

That sounds right

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262 

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Thursday, August 03, 2006 6:08 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] RE: [THIN] Re: Access Gateway 4.2

 

In my current setup, I have enable portal page auth checked, I use the
default portal page files (portal page config tab), and my default group
redirects to WI. The only group in the CAG is the default one as well. 

 

This currently allows ANY users in AD to get through the CAG, and thus
to WI.

 

If I understand correctly, all I should do is disable the WI redirect on
the Default GROUP, and then create a new group that matches an AD group,
set that to redirect to WI, and disable "inherit properties from default
group" 

 

Am I missing anything?

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Thursday, August 03, 2006 1:47 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

You can set require authentication to the portal page, this will force
them to login at the very first stage before getting any options. 

 

Be sure to remove any resources from default group, do not set the
default group portal properties to go to WI, and, do not check "inherit
default group properties" for the other groups. 

 

That should do it. I think you must have set WI as the default portal
redirect and since you did not require authentication to get to this
default page, everyone got it!! 

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262 

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 10:01 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

I have the default group, and 2 other groups, each having around 15
users in the corresponding AD domain group. 

 

The users I have tested are not in either of the created local, nor AD
domain groups.  They appear to be connecting using the default user
group, as I set that to change things like the Gateway portal
settings, and that account uses the default settings.  What I want is
for no one to use default group, only allow connection to ANYTHING, even
signing onto my gateway, if they are listed in a group I create and grant
rights to.

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Wednesday, August 02, 2006 11:52 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

This is confusing to me too. The behavior of either a VPN connection or
WI redirect are both triggered by groups. If you are using CAG without
AAC all you need to do is setup the LDAP authorization and
authentication and then create a local CAG group with the same name as
the target AD group. 

 

Obviously if the group is something like Domain Users, everyone will get
in. I would suggest a simple test- create a new group in AD and create
the same group name on the CAG. Point it to some web link or resource,
and put only one account in the group. I suspect that it will work as you
want and that there may be some other issue related to group membership
going on here....

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262 

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:25 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

So to put this in perspective, everything works if you don't go to WI.
Say you allow VPN access to those users, then the appropriate groups are
enforced.  If you go straight to WI though, then everyone gets through?
Or is it that groups are not enforced at all?

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 8/2/06, Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx> wrote:

Sounds like you are asking for the same thing I asked about a while ago.


I have my CAG going straight to WI using SSO.  (Hit CAG in browser, put
in username/password, click OK and you are dropped into WI and you see
your apps.)  We don't use the VPN features of the CAG at all.

 

The only thing I ever came up with was to direct requests to an IIS
server first and use NTFS security based on group membership to
determine if the basic auth to the IIS server would allow them to then
redirect to the CAG.  A few issues can be caused by this (SSL and DNS in
particular) depending on the network location of the IIS server, CAG,
and inside/outside access needs. 

 

I never looked to see if this kind of functionality is available via
AAC, but this is such a simple request/option, I couldn't understand why
it's not available. 

 

Alternatively, you could just do this security on the WI server.  I
suppose it's not as secure, because users you don't want through the CAG
in the first place get through, but at least you could block them from
loading the WI page unless they were in a particular NTFS group. 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M

Sent: Wednesday, August 02, 2006 5:03 PM


To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2


 

Sorry to be dense on this...just got HAMMERED down our windpipe...

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M
Sent: Wednesday, August 02, 2006 3:59 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Access Gateway 4.2

 

We go to the CAG, it asks for credentials, we then go to our Web
interface URL rather than the default gateway portal.... 

 

Once in the WI, they click on their applications and launch a VPN
connected Citrix app.

 

I must be missing something.

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Oh so we aren't talking about the VPN connection.  If you are going
direct to WI and not authenticating to the CAG before hand then this
would be as expected. 

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I created 2 groups, in the CAG.  Each is working fine, however, ALL
users in the AD domain are able to get through it and into it as well. 

 

We have it set to go directly to our Web Interface page...

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Wednesday, August 02, 2006 3:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Access Gateway 4.2

 

Is this simply the CAG?  You can setup groups in the CAG that would
allow you to define who has access.  

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 8/2/06, Schneider, Chad M <CMSchneider@xxxxxxxxx> wrote:

I have it configured for LDAP, working great...well...sort of...

 

I want it to only allow the users/groups I grant rights to, the ability
to use this...not the ENTIRE LDAP directory...

 

Can anyone assist?

 

Chad Schneider

Technology Analyst/Citrix Admin.

Bemis Company, Inc.

920-303-7609
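
As an added illustration of the two behaviours the thread describes (a user lookup scoped only by a base DN finds every user below that DN, and a user with no matching gateway group falls through to the default group unless that fallback is switched off), here is a small Python model. It is not Citrix Access Gateway code and was not posted by anyone on this list; the directory entries, DNs, group names and function names are all made up for the example. It also shows the filter you would want the lookup to use instead: user name AND memberOf, with the user-supplied value escaped.

```python
"""Toy model of the LDAP lookup / group-mapping gap discussed in the thread.

Constructed example: the directory, DNs and group names below are invented.
Nothing here is Citrix Access Gateway code.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    dn: str
    sam: str                                   # sAMAccountName
    member_of: List[str] = field(default_factory=list)  # group DNs


# Constructed directory: two users in CAG-mapped groups, one in none.
DIRECTORY = [
    Entry("CN=alice,OU=Staff,DC=example,DC=com", "alice",
          ["CN=CAG-Finance,OU=Groups,DC=example,DC=com"]),
    Entry("CN=bob,OU=Staff,DC=example,DC=com", "bob",
          ["CN=CAG-Sales,OU=Groups,DC=example,DC=com"]),
    Entry("CN=carol,OU=Contractors,DC=example,DC=com", "carol", []),
]


def rdn_cn(dn: str) -> Optional[str]:
    """Return the value of the leading CN= component of a DN."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.strip().upper() == "CN" else None


def under_base(dn: str, base_dn: str) -> bool:
    """True if dn is at or below base_dn (what a subtree search covers)."""
    return dn.lower().endswith(base_dn.lower())


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username: str, group_dn: Optional[str] = None) -> str:
    """Search filter: by user name only, or user name AND group membership."""
    user_part = "(sAMAccountName=%s)" % ldap_escape(username)
    if not group_dn:
        return user_part
    return "(&%s(memberOf=%s))" % (user_part, ldap_escape(group_dn))


def ldap_find_user(base_dn: str, username: str,
                   required_group_dn: Optional[str] = None) -> Optional[Entry]:
    """Model of the gateway's user lookup: subtree search from base_dn.

    With no group requirement, every user under the base DN matches, which
    is the 'set base DN to the root and everyone can sign on' behaviour.
    """
    for e in DIRECTORY:
        if not under_base(e.dn, base_dn) or e.sam != username:
            continue
        if required_group_dn and required_group_dn.lower() not in (
                g.lower() for g in e.member_of):
            continue
        return e
    return None


def resolve_gateway_group(entry: Entry, local_groups: List[str],
                          default_enabled: bool = True) -> Optional[str]:
    """Map the user's AD group CNs onto the gateway's local group names.

    Returns the first matching local group, "Default" as the fallback when
    that fallback is enabled, or None (refuse) when it is disabled.
    """
    names = {rdn_cn(g) for g in entry.member_of}
    for g in local_groups:
        if g in names:
            return g
    return "Default" if default_enabled else None


def gateway_login(base_dn: str, username: str, local_groups: List[str],
                  default_enabled: bool = True) -> Optional[str]:
    """End-to-end: look the user up, then decide which gateway group applies.

    None means the login should be refused outright.
    """
    entry = ldap_find_user(base_dn, username)
    if entry is None:
        return None
    return resolve_gateway_group(entry, local_groups, default_enabled)


if __name__ == "__main__":
    groups = ["CAG-Finance", "CAG-Sales"]
    for user in ("alice", "carol"):
        print(user, gateway_login("DC=example,DC=com", user, groups),
              gateway_login("DC=example,DC=com", user, groups, False))
```

Run as-is, carol (in no mapped group) lands in "Default" when the fallback is on and is refused when it is off; alice resolves to CAG-Finance either way. The `build_filter` output with a `group_dn` is the shape of lookup that would make the group check part of authentication rather than a later resource-assignment step.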
