I need to restrict access to published apps when going through my CAG.
I want all of my users to be able to access all published apps when accessing them
locally. However, I want to limit access to the published apps when coming in through
the CAG. Is this possible? Please help me.
I have a Presentation Server v 4.5 farm, and my CAG is in my DMZ.
Thanks, Bobby
For published apps that should be accessible from the LAN only, have you configured access controls at the published app level (Modify application properties -> Modify access control properties)? If you clear the checkbox for "Allow connections made through Access Gateway..." for a particular app, users going through the CAG will not be able to launch that app.
Is that what you want to accomplish?
Alan Osborne
President (MCSE, CCNA, VCP, CCA)
VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB
VCIT website My Blog
You can use the built in 'Smart Access Filter' settings on applications/policies.
If you simply want to hide an application from those who are coming in through the CAG you can do the following:
Open properties of published app you wish to hide
Click Access Control node
Uncheck: Allow connections made through Access Gateway Advanced Edition (Ignore the text this works with Enterprise as well)
Check the box 'Allow all other connections'
You will need to enable XML Trust on all servers in the farm (Requires a reboot) in order for this to work.
You can use this same method for XenApp policies as well, extending the power further by using End Point Analysis.
Edit: Sorry, I see Alan already made that suggestion, I just missed it.
That being said I am shocked your Citrix reps did not explain all of this to you and give you more detail into using End Point Analysis. EPA in conjunction with XenApp policies is where the true power of the CAG stands out.
One more thing. I have Access Gateway Enterprise Edition version 8.1 and my farm is PS 4.5 Enterprise.
Not sure if this will work for you, but the CAG interface looks similar to the Citrix WI v5. It works great for me.
http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=57&Itemid=97
The script is tied to LDAP which makes it very easy to allow/block access for users. I have a group setup for each department, building, etc that a manager maintains. Each night those groups are updated according to whether the manager wants the end user to access the WI.
Good luck!
Thanks Matt, I looked at that script a couple days ago. It looks pretty good, I just thought the CAG would do this without having to run a third party script. I appreciate the response.
How many users are you talking about hitting this remotely that you want to segregate applications for? If it is a small number, you could create another account for them in AD for remote use and block the local access from remote access. If it is a lot of users, then it would be tedious... just a thought.
Gentlemen, thanks for the responses. I have tried some of your suggestions. I am currently nearing the end of my POC with the CAG. I have had many calls with Citrix support, as well as a few Citrix Sales Engineers, and Sr. Sales Engineers. This device has been very difficult to get working in my environment, and my environment is not unique. It is a very straightforward 4.5 farm with around 60 servers publishing a number of applications.
I will post back with my configuration as soon as it is stable.
Currently I am using the Smart Access Filter settings, creating different Session Policies for different groups and binding them to the Virtual Server. I haven't gone as far as creating Endpoint Analysis scans, but I will be trying that in the next day or two.
Honestly, I have been pretty disappointed with the support I have received from Citrix. I will admit, I am only in the POC stage; however, we are a pretty big Citrix shop, and I would have expected Citrix to do whatever it takes to ensure that this CAG / Netscaler 7000 will do exactly what we need it to do. I have not had that feeling. On Friday, I did spend about 3.5 hours on a support call with a Sr. Sales Engineer named Matt, who finally was able to shed some light.
We are experiencing one more problem now. DNS isn't working on the CAG, so therefore Bookmarks do not work. All we are trying to do is serve up a bookmark to our Intranet site for our users who come in through the CAG.
Thanks for the tips John. I'm going to try your suggestions today. Sounds like that just might do it.
Hello John,
Can you help me with how to restrict users by source IP from accessing or launching XenDesktop through CAG/AGEE? We use CAG/AGEE as an ICA proxy to get to our internal Web Interface for XenDesktop.