Is there a way to block certain users from going through the CAG, in the Advanced Access Control / Citrix Access Gateway forum on BrianMadden.com

Top 150 Contributor
Points 1,915
Jack Johnson Posted: Thu, Oct 8 2009 9:45 AM

I manage a CPS 4.0 farm where users access the portal through a Web Interface. Currently all users can access the portal when on the network (internal) or offsite from home, where they go through the CAG. The only difference is that the URL is https vs http.

I have a group of users that I would like to block from having external access through the CAG. I looked through the options on the CAG and did not see anything where I can block users or groups. It is also set up for single sign-on.

How can I achieve blocking these users from accessing the Web Interface from home? Thanks.

Top 500 Contributor
Points 625

First off, I'm not the CAG guy but we have AGEE in beta mode and I'm responsible for the WI side and the PS farms. So anything I'm saying here might be totally off base. But...

I'm thinking you should be able to create an Access Control rule on the CAG that evaluates to true when a user is NOT in the groups you want to exclude. Then in PS, change the Access Control for your apps to "any connection that meets the following filters" and add in that CAG rule.

What will happen is that your excluded groups would fail the CAG rule and PS/WI will not show them any apps since each app will only display for those users who pass the rule.

Again, not being a CAG guy, you may not be able to use Access Control unless you're AGEE or better. And there might be a more global way of excluding these users via WI. But I've used a variant of this to not show apps to users coming from the CAG by specifying a non-existent filter to some apps. What happens is that Access Control sees a 'fail' all of the time from CAG users and will only show the app to in-house users.

Top 150 Contributor
Points 1,915

That helps - thanks John

Top 150 Contributor
Points 1,915

I tried unchecking "Allow Connections made through Access Gateway" as shown below but I can still access that desktop externally (through the CAG). Any ideas on what else I can try? Thanks.

Top 150 Contributor
Points 1,915

OOPS! Here is the correct post with screenshot. Thanks.

I tried unchecking "Allow Connections made through Access Gateway" as shown below but I can still access that desktop externally (through the CAG). Any ideas on what else I can try? Thanks.

Top 50 Contributor
Points 3,644

Hi Jack, Are you using CAG Standard, Advanced or Enterprise?

If using Adv or Enterprise then you can restrict who can access the environment by using AD Group Memberships to restrict access.

In Standard I am unsure off the top of my head. In your LDAP authentication fields, do you have an option in there called MemberOf or something similar?

Jase

Top 150 Contributor
Points 1,915

We have CAG Advanced. Any idea on how I can restrict who can access the environment by using AD Group Memberships to restrict access? Thanks.
