How to Limit Nfuse Access

Status
Not open for further replies.

ATCal

MIS
Apr 1, 2000
308
US
Here is my issue:

We have many internal users using XP for desktop/apps.

We are also using Nfuse and CSG for remote users.

My problem is how to prevent internal Citrix users that we DO NOT want to have remote access from connecting externally through Nfuse. It appears as though any user with Citrix rights (or anyone else that might get a hold of an internal account for that matter) that gets our URL can access our network from anywhere.
Support says that there is no solution but to perhaps impose time restrictions on accounts but this certainly does not solve the vulnerability issue.

The only thing I can think of would be to create another Farm and keep the internal and external farms separate. It seems to me however that this could get expensive unless Farms can share a license pool.

Any additional thoughts/solutions would be appreciated.

Al Al
atc-computing@comcast.net

 
When faced with solving this problem, we set up an NT group to contain the list of NT Accounts that we wanted to allow in via the external (internet) NFUSE site. We modified the NFUSE code logon processing to check the source IP of the logon request. If the source IP is "outside" the corporate network (i.e., coming in via the internet), then the code looks up the ID to see if it is in the NT group mentioned above. If the user is in the group, they are allowed to log on. If they are not in the group, the web page puts up an "access denied" message. We also generate an application event whenever someone tries to log in via the internet who is not in the NT group mentioned above.

Then, to allow a new user into NFUSE via the internet, just place them into the NT group.

Note, a more secure solution which we are now implementing is to use a SecurID token at the firewall, to block the 'bad guys' from accessing the NFUSE site if they don't have the SecurID token.

Good luck...
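
The check described in the reply above, sketched in Python as an added example (it is not the poster's NFuse code, which the thread does not show). The address ranges, the group name and the group-lookup function are assumptions; a real deployment would query the domain for membership and write to the Windows application event log.

```python
import ipaddress
import logging

# Assumed values: the post gives neither its address ranges nor its group name.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
REMOTE_GROUP = "NFuse-Remote-Users"  # hypothetical NT group name
log = logging.getLogger("nfuse.logon")

# Constructed sample data standing in for a domain group lookup.
SAMPLE_GROUPS = {"alice": {"Citrix-Users"},
                 "bob": {"Citrix-Users", "NFuse-Remote-Users"}}

def sample_groups_of(user):
    return SAMPLE_GROUPS.get(user.lower(), set())

def is_internal(source_ip):
    """True only if the address parses and lies in a corporate range.

    source_ip must be the TCP peer address the web server saw, never a
    client-supplied header, which the caller could set to anything.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False  # fail closed: unparseable means external
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d form
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in INTERNAL_NETS)

def authorize_logon(user, source_ip, groups_of=sample_groups_of):
    """Run after the password check: may this user continue from this address?"""
    if is_internal(source_ip):
        return True
    if REMOTE_GROUP.lower() in {g.lower() for g in groups_of(user)}:
        return True
    # The post raises an application event here; a log record stands in for it.
    log.warning("external logon denied: user=%r source=%r not in %s",
                user, source_ip, REMOTE_GROUP)
    return False

if __name__ == "__main__":
    for who, ip in [("alice", "10.1.2.3"), ("alice", "203.0.113.7"),
                    ("bob", "203.0.113.7"), ("bob", "garbage")]:
        print(who, ip, authorize_logon(who, ip))
```

If a reverse proxy or gateway sits in front of the web server, every request arrives from that device's internal address, so its address has to be treated as external for this check to mean anything.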
 
Thank you for a very mature and logical solution. Al
atc-computing@comcast.net

 
I am using Project Columbia and I created new published apps to connect to the same published apps, but with only specific users for this new published app. With Project Columbia and, I think, Nfuse 1.7, I was able to hide the published apps I didn't want to show up. So now I have limited who can connect from the outside.

Steve
 