[THIN] restricting access to CAG

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Fri, 25 Aug 2006 09:41:51 -0400

I have restricted access to CAG using local groups that match to AD
groups, and setting the default group to dump to a webpage that just
says "you don't have access". 
 
I want to go one step further, and restrict who can hit the CAG from
outside my private network.  Telecommuting is granted on a per-user
basis, but any savvy user realizes that they can get to the CAG from
their home computer using the same URL we use internally.  So, I'd like
to find a way for these users to be able to get into the CAG while at
work, but not when at home.  
 
Since the CAG uses an SSL cert, and it can only be one cert with one
name, users access the CAG via the same URL from inside the office, or
outside the office.  The difference is whether they hit it via an
internal IP or external IP.
 
The only solution I've come up with so far is to redirect external users
to an IIS server, which then checks against a security group for
telecommuting access.  If they have access, it loads a page that
redirects them to the CAG.  Problem with this is, I'd still need the CAG
available on the internet for the redirect to work.  So I have a
loophole for users with Citrix access to still hit the CAG, even without
telecommuting approval.
 
Any thoughts on a way to accomplish this?
