[THIN] Re: UNC Blocking with external access only

  • From: "BRUTON, Malcolm, GBM" <Malcolm.BRUTON@xxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Mon, 11 Sep 2006 08:28:20 +0100

Guys, thanks for the responses. We want to restrict UNC paths when you are
within a Citrix published app. We only want to do this when a user comes
in via our Juniper box.

The reason for this is using Juniper we currently only use it to access
Citrix published apps. Of course we can 'publish' folders but could we then
get it to launch a Citrix app? Then we would have to restrict all access
when you were within say Word within Citrix.

Is a CAG/AAC more flexible than Juniper and more easily integrated with PS?
Any easy ways you can see on how to restrict access to some data and make
sure it never leaves our own network in conjunction with Citrix apps?
 
Malcolm

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: 10 September 2006 17:24
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only



Well the original post doesn't give a lot of detail but keep in mind that it is
possible to make PS use CAG/AAC so it can be done, i.e. distinguish where
the user is coming from and assign the rights accordingly.....

 

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Sunday, September 10, 2006 6:44 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only

 

That is how I read it also which is why I keep specifying that, from within
the published application, CAG and/or AAC would not be of any help.  As
well, I believe what Steve is saying is only available through CAG
standalone not with AAC but I may be wrong on that but I'm pretty sure I'm
not.   heh

 

Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 

On 9/10/06, Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx> wrote:

Which is what the Juniper does - but that's not what Malcolm wanted - he
wanted to be able to control access to UNCs within the published app if I
read it correctly.

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
Steve Greenberg
Sent: 10 September 2006 00:32
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only




 



I was referring to VPN mode, you can make specific CIFS shares available as
resources.....

 

Steve Greenberg


 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Saturday, September 09, 2006 9:31 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only

 

You can control UNC's from the NavUI but NOT from within published
applications.

 

Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP




 

On 9/8/06, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote:

But AAC can provide access to specific folders and files and apply granular
read, print, save, edit, rights, etc. 

 

Also, it can provide access to only specific UNC paths when used in VPN
mode....

 

 

Steve Greenberg


 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Friday, September 08, 2006 2:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only

 

AAC doesn't do anything with published apps outside of letting you control
what apps get published based on the AAC filters and applying Citrix
policies based on AAC filters.  It would not modify any sort of
functionality within the application itself.  You have misunderstood what I
was trying to say. 

 

AAC can do checks but they are based on some sort of value.  For instance, a
version of McAfee or Firewall.  If those values change on the client side,
then you must also know the change has happened so you can adjust your EPA
scans.  Otherwise, the EPA's will fail and the users won't get access.  

Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP




 

On 9/7/06, Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx> wrote:

I thought AAC would allow you to do clever checks on the endpoint - I didn't
realise it'd be able to modify functionality within an individual published
application? 

 

The way I was thinking of would be to redirect your users to different
citrix servers based on their source location. The sensitive users would be
directed to servers with an lmhosts file that 'blocked' the UNC by
overriding the source name's IP resolution. 

 

messy mind.

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
Jeff Pitsch
Sent: 06 September 2006 18:41
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only


 

The only way that I'm aware of to control that type of access through
Presentation Server is using AAC.  You can then use the filters within AAC
on your published applications.

 

Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP




 

On 9/6/06, BRUTON, Malcolm, GBM <Malcolm.BRUTON@xxxxxxxx> wrote:

I assume this is if you are publishing folders on Juniper?  We publish
Citrix apps on Juniper only....So the control really needs to be within the
Citrix session.

 

Further ideas?

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
Andrew Wood
Sent: 06 September 2006 14:07
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: UNC Blocking with external access only

A Juniper device'll let you do it as well won't it? You can allow UNC access
and then define roles that would allow access to those resources. You could
either allow full network browse access - or publish the folders themselves
iirc.

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
BRUTON, Malcolm, GBM
Sent: 06 September 2006 13:51
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] UNC Blocking with external access only

 

All

 

We are after a product that will allow us to block sensitive UNCs for users.
This of course needs to differ depending on if the user is internal or
external.

 

When they are external they connect to Citrix via Juniper.  When they are
internal they use either normal desktops or Citrix. 

 

I believe by using CAG with AAC we can do this. 

 

Can anybody suggest any other software\hardware\methods that we could use to
achieve this?

 

Malcolm
