Access to CSG vs. WI, in the Citrix Web Interface forum on BrianMadden.com

Top 500 Contributor
Points 545
Chris Swarr Posted: Wed, Apr 4 2007 2:52 PM
I know this question has been asked before, but I want to put a bit of a different spin on it. If I have one box running both WI 4.2 and CSG 3.0, how can I distribute access to only the internal site (http:) for some people and only the external site (https:) for others? I know that Jason Conger and Thomas Koetzing have developed WI customizations that allow you to control access to WI as a whole, but it doesn't appear that you can delegate access in the way I'm describing. If you use either of those applications and assign a certain group permission to access WI, then it seems they can get to WI through both CSG and direct to WI. Is this making sense? I'd really like to host WI for external and internal users on the same servers, but I won't be able to if I can't explicitly assign permission to each access method independently. Thanks!
  • | Post Points: 50
Top 10 Contributor
Points 21,233
What if you added some 2-factor auth for users coming in from the outside?

Rudy

  • | Post Points: 5
Top 10 Contributor
Points 88,220
Create multiple sites, one for internal, one for external and modify away.
  • | Post Points: 20
Top 25 Contributor
Points 7,687
Hi,

The basic issue you're facing is that a WI site can be configured for CSG or direct connection, but not both together unless you want to do some heavy modifications. But that doesn't mean it can't be done.

There are a couple of ways of doing this which both involve creating a second IIS site on the CSG/WI box and creating a copy of your primary WI site on the second IIS site.

If you want to use the same URL externally and internally, e.g. https://yourURL for external users and http://yourURL for internal users, then that will involve configuring CSG and your primary WI IIS site so that CSG can talk to WI on a port other than 80. Then create a second IIS site listening on port 80. With the access suite console create a second WI site on the second IIS site.

I prefer using the host header in the URL simply because it keeps things simple from a port assignment viewpoint.

Create a second DNS entry to citrix_internal (or whatever you want to name it) that has the same internal IP address as your WI box. Then create a second IIS site that uses the host header citrix_internal listening on port 80. With the access suite console create a second WI site on the citrix_internal IIS site.

Now all internal users have to do is go to http://citrix_internal and they'll get the internal.

regards,

Rick



Ulrich Mack
Quest Software
Provision Networks Division

  • | Post Points: 20
Top 25 Contributor
Points 9,258
You can create two instances of WI. Leave the default as the internal access so that people can type in the http://hostname to access WI internally. Then set up a second site (not the IIS default) and configure that URL into your CSG configuration (/citrix/metaframe/secondsitename).

My 5c.
The New Zealand Citrix User Group - http://www.cug.co.nz
  • | Post Points: 20
Top 25 Contributor
Points 7,687
Hi,

Had a look at the WI 4 SDK and it looks like you may be able to add a filter to select the connection target by client IP address.

I suggest you download the WI4 SDK from the CDN network (create an account at http://apps.citrix.com/CDN/Login.asp?dest=/cdn/Default.asp and log on to download the SDK). It's not only a brilliant description of how WI works, but it also has examples of what I believe you may want.

regards,

Rick

Ulrich Mack
Quest Software
Provision Networks Division

  • | Post Points: 5
Top 500 Contributor
Points 545
Jeff was right...two sites seemed to do the trick. I created a second site on my WI server, so I then had two: one that only accepted access through CSG to WI and one that only accepted access from the internal network direct to WI. I then used the Restrict access code (http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=57&Itemid=97) so that I could use AD groups to handle permissions to each individual site. I only had to add the Restrict access code to the CSG site because that is the one where I needed to control access.

Now, I just have to make sure the user is directed to the correct site when they attach to the WI server. I had to turn off the 'make WI the default site' option because I now have two sites and don't always want the user going to one site. If they come in from an external IP (that I have defined on the site in the ASC), I want them to go to https://mycsgsiteurl.company.com/Citrix/Metaframe/site/login.aspx, but internal users should go to http://mysiteurl.company.com/Citrix/Metaframe1/site/login.aspx. I think I can figure this out, but if you have any ideas, feel free to post them! Thanks for your help!
  • | Post Points: 35
Top 25 Contributor
Points 9,258
One other thing I've done for some customers in the past is make the internal WI instance the IIS default page and then set up a friendly DNS name like 'citrix' for that server. Internal users just have to type citrix into their browsers and hey presto.
The New Zealand Citrix User Group - http://www.cug.co.nz
  • | Post Points: 5
Guest replied on Tue, May 1 2007 3:08 PM
[quote=Chris Swarr] Jeff was right...two sites seemed to do the trick. I created a second site on my WI server, so I then had two: one that only accepted access through CSG to WI and one that only accepted access from the internal network direct to WI. I then used the Restrict access code (http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=57&Itemid=97) so that I could use AD groups to handle permissions to each individual site. I only had to add the Restrict access code to the CSG site because that is the one where I needed to control access.

Now, I just have to make sure the user is directed to the correct site when they attach to the WI server. I had to turn off the 'make WI the default site' option because I now have two sites and don't always want the user going to one site. If they come in from an external IP (that I have defined on the site in the ASC), I want them to go to https://mycsgsiteurl.company.com/Citrix/Metaframe/site/login.aspx, but internal users should go to http://mysiteurl.company.com/Citrix/Metaframe1/site/login.aspx. I think I can figure this out, but if you have any ideas, feel free to post them! Thanks for your help!

[/quote]

The way that we did this is to use direct mode rather than passthrough and use two virtual IPs using Windows NLB. The users connect to WI through a URL; if they go to HTTP they are redirected to the HTTPS site on the WI IP. We then use a client access map like:
ClientAddressMap=*,SG,10.0.0.0/255.0.0.0,Normal,192.168.0.0/255.255.0.0,Normal
and
CSG_Server=Servername
CSG_ServerPort=443
which means internal clients go directly to the Presentation Servers and everyone else goes to Secure Gateway.
This makes sure that passwords are never going across a non-encrypted connection and is painless to the users. We have the same DNS entry both internally and externally, which points to the internal IP or the external IP depending on whether you are asking internal or external DNS. It has the added benefit of being able to add additional CSG and WI servers for failover and load balancing without having to rework the site.
  • | Post Points: 5
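An added example (not from the thread or from Citrix) that parses the ClientAddressMap value quoted in the last post, reports which access method a given client address receives, and flags any subnet that bypasses Secure Gateway without being private address space. The matching order (most specific subnet wins, `*` is the fallback), the function names and the second, too-wide map are assumptions made for illustration.

```python
import ipaddress

# Access-method keywords accepted in a ClientAddressMap entry.
METHODS = {"Normal", "Alternate", "Translated", "SG", "SGAlternate", "SGTranslated"}

# Value quoted in the post above.
THREAD_MAP = "*,SG,10.0.0.0/255.0.0.0,Normal,192.168.0.0/255.255.0.0,Normal"
# Constructed sample: 172.0.0.0/8 is a common slip for 172.16.0.0/12.
TOO_WIDE_MAP = "*,SG,10.0.0.0/255.0.0.0,Normal,172.0.0.0/255.0.0.0,Normal"


def parse_client_address_map(value):
    """Split 'addr/mask,method,...' into (default_method, [(network, method)])."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) % 2:
        raise ValueError("ClientAddressMap must be address,method pairs")
    default, rules = None, []
    for addr, method in zip(fields[0::2], fields[1::2]):
        if method not in METHODS:
            raise ValueError(f"unknown access method: {method!r}")
        if addr == "*":
            default = method
        else:
            # ipaddress accepts the dotted-netmask form used in the post.
            rules.append((ipaddress.ip_network(addr), method))
    return default, rules


def access_method_for(client_ip, default, rules):
    """Assumed resolution: most specific matching subnet wins, '*' is the fallback."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, method) for net, method in rules if ip in net]
    return max(matches)[1] if matches else default


def direct_public_ranges(rules):
    """Subnets that bypass Secure Gateway but are not private address space."""
    return [str(net) for net, method in rules
            if not method.startswith("SG") and not net.is_private]


if __name__ == "__main__":
    default, rules = parse_client_address_map(THREAD_MAP)
    for ip in ("10.20.30.40", "192.168.5.9", "203.0.113.7"):
        print(ip, "->", access_method_for(ip, default, rules))
    print("bypass SG from public space:", direct_public_ranges(rules))
```

Running the same check against a candidate map before it is deployed shows whether a mistyped mask would let non-private addresses connect directly to the Presentation Servers.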