I have restricted access to the CAG using local groups that match AD groups, and by setting the default group to dump to a webpage that just says "you don't have access". I want to go one step further and restrict who can hit the CAG from outside my private network. Telecommuting is granted on a per-user basis, but any savvy user realizes that they can get to the CAG from their home computer using the same URL we use internally. So, I'd like to find a way for these users to be able to get into the CAG while at work, but not when at home.

Since the CAG uses an SSL cert, and it can only be one cert with one name, users access the CAG via the same URL from inside the office or outside the office. The difference is whether they hit it via an internal IP or an external IP.

The only solution I've come up with so far is to redirect external users to an IIS server, which then checks against a security group for telecommuting access. If they have access, it loads a page that redirects them to the CAG. The problem with this is that I'd still need the CAG available on the internet for the redirect to work. So I have a loophole for users with Citrix access to still hit the CAG, even without telecommuting approval. Any thoughts on a way to accomplish this?