Citrix secure gateway enable/disable users

[pinkpanther56]

We are a school and have a Citrix secure gateway server to allow staff to work from home. Students have found the URL (I suspect they were told by a member of staff) and are logging in from home, at the moment we don't want them to be able to do this especially during the day as it uses up licences.

Is there a way to prevent certain users accessing a Citrix secure gateway server? I can't ban them from the Citrix system altogether as then they can't logon from the thin client devices in school.

I'd appreciate any thoughts.

We're using Citrix PS (Xenapp) 4.5 with FP1

Thanks.

 

[rjs]

If you look at the Citrix Access Management console, I think you would see that all users coming in from the CSG have a client name starting with "WI". You can create a policy in Citrix to deny access to users with a client name starting with "WI". I do this to restrict my external users to a single session - they were double-clicking on the published app icons and automatically getting two sessions going.

 

[pinkpanther56]

I don't think that will work here as our web interface server is set to not generate a name but to collect the clientname of the device. We use this so we know the location of the thin client device for mapping printers and so on.
I suppose we could have more than one web interface server one for local users and one for remote users to get around this.

Thanks.

 

[rjs]

I haven't thought this through completely, but could you create 2 sets of published apps, one for students and one for staff and only show the staff apps on the WI?

 

[pinkpanther56]

As far as I know when I give a user permissions to an app it just appears on the web interface page. I'll have a look to see if there's a way to stop apps appearing on the web interface page. I don't know much about it yet.

Thanks.

 

[elconomeno]

1 make a database on an SQL express server
2. paste the next part in C:\Inetpub\

http://wwwroot\Citrix\AccessPlatform\app_data\auth\serverscripts\login.aspxf

after the private PageAction loginAuthenticateExplicit(ExplicitAuth expAuth) Function

i'm not sure but i think i have the code from

http://www.thomaskoetzing.de/

//***** START MODIFIED PART
// --------------------------------------------------------------------------------

string strConnString = "Data Source=<sqlsever>;Initial Catalog=CitrixSG;Persist Security Info=True;User ID=<sqlaccount>;Password=<password>";

System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection();
conn.ConnectionString = strConnString;

bool boolAllowed = false;
string strUsername = String.Empty;
string clientIP = String.Empty;


// Retrieve the username of the current logged in user
strUsername = user;

// Work around to get real client IP address (

http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=64&Itemid=103)

if (!(Request.ServerVariables["HTTP_X_FORWARDED_FOR"] == null) && (Request.ServerVariables["REMOTE_ADDR"] == "127.0.0.1"))
{
clientIP = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
}
else
{
clientIP = Request.ServerVariables["REMOTE_ADDR"];
}


try
{
conn.Open();
string strSQL = string.Format("SELECT COUNT(username) FROM WI_Include WHERE username='{0}'", strUsername);
System.Data.SqlClient.SqlCommand sqlCmd = new System.Data.SqlClient.SqlCommand(strSQL, conn);

int numRows = (int)sqlCmd.ExecuteScalar();

// If the user is not allowed to log in, log the access attempt in the database
if(numRows < 1)
{
boolAllowed = false;
string strSQLDenied = string.Format("INSERT INTO WI_AccessLog (username, logintime, remote_addr, success) VALUES ('{0}', '{1}', '{2}', '{3}')", strUsername, DateTime.Now.ToString(), clientIP, "no");
System.Data.SqlClient.SqlCommand sqlCmdDenied = new System.Data.SqlClient.SqlCommand(strSQLDenied, conn);
sqlCmdDenied.ExecuteNonQuery();
}
else
{
boolAllowed = true;
string strSQLAllowed = string.Format("INSERT INTO WI_AccessLog (username, logintime, remote_addr, success) VALUES ('{0}', '{1}', '{2}', '{3}')", strUsername, DateTime.Now.ToString(), clientIP, "yes");
System.Data.SqlClient.SqlCommand sqlCmdAllowed = new System.Data.SqlClient.SqlCommand(strSQLAllowed, conn);
sqlCmdAllowed.ExecuteNonQuery();
}
}

catch
{
}


finally
{
conn.Close();
}


if(!boolAllowed)
{
Server.Transfer("../auth/errorPage.html");
}




// --------------------------------------------------------------------------------