I manage a CPS 4.0 farm where users access the portal through a Web Interface. Currently all users can access the portal when on the network (internal) or offsite from home where they go through the CAG. The only difference being that the URL is https vs http.
I have a group of users that I would like to block from having external access through the CAG. I looked through the options on the CAG and did not see anything where I can block users or groups. It is also set up for single sign on.
How can I achieve blocking these users from accessing the Web Interface from home? Thanks.
First off, I'm not the CAG guy but we have AGEE in beta mode and I'm responsible for the WI side and the PS farms. So anything I'm saying here might be totally off base. But...
I'm thinking you should be able to create an Access Control rule on the CAG that evaluates to true when a user is NOT in the groups you want to exclude. Then in PS, change the Access Control for your apps to "any connection that meets the following filters" and add in that CAG rule.
What will happen is that your excluded groups would fail the CAG rule and PS/WI will not show them any apps since each app will only display for those users who pass the rule.
Again, not being a CAG guy, you may not be able to use Access Control unless you're AGEE or better. And there might be a more global way of excluding these users via WI. But I've used a variant of this to not show apps to users coming from the CAG by specifying a non-existent filter to some apps. What happens is that Access Control sees a 'fail' all of the time from CAG users and will only show the app to in-house users.
That helps - thanks John
I tried unchecking "Allow Connections made through Access Gateway" as shown below but I can still access that desktop externally (through the CAG). Any ideas on what else I can try? Thanks.
OOPS! Here is the correct post with screenshot. Thanks.
Hi Jack, Are you using CAG Standard, Advanced or Enterprise?
If using Adv or Enterprise then you can restrict who can access the environment by using AD Group Memberships to restrict access.
In Standard I am unsure off the top of my head. In your LDAP authentication fields, do you have an option in there called MemberOf or something similar?
We have CAG Advanced. Any idea on how I can restrict who can access the environment by using AD Group Memberships to restrict access? Thanks.