
Prevent IP based on AD Username


sham14

MIS
May 14, 2003
42
NL
We have recently moved a customer to a Citrix solution using one farm and many Citrix XenApp servers. Before the move it was possible to prevent access for some users based on their source IP address. This was achieved by reserving IPs on DHCP and enforcing ACLs on the Cisco switch VLANs.
After moving to XenApp all the users come from the same source IPs and therefore ACLs cannot be enforced at user level.
We are looking for a solution that would ideally work off Active Directory users, groups, OUs, etc., which would be easily managed and could allow/prevent users accessing IP addresses or subnets, based on IP and/or port level. I would appreciate it if anyone had any ideas of how to achieve this. The XenApp servers are running on 2003 servers. We have already looked at IPsec etc., but that can only be done at computer policy level.

Thanks,
 
This may be difficult on a large scale, or just too simple, or simply too easy to bypass....but you could look at adding a host table entry for the destination IP to redirect to 127.0.0.1...

I guess it depends on how locked down the machines are and how many there are that need to be blocked!

What about outbound ACLs?

'When all else fails.......read the manual'
 
I don't know exactly what you're trying to block access to, but maybe setting up a RADIUS server and authentication on the ACL might be an option? The issue here might be the authentication prompt, however: if the request were HTTP, the browser would prompt the user for credentials, but something like ping would not.

In all honesty, I don't think using IP addresses and DHCP reservations is particularly secure, as this could be easily circumvented. If you're just trying to prevent users connecting to Windows file shares (you mentioned IPsec) then there are several ways you could lock down access at the server level based on user/group info.

I'm by no means an expert, but hope this is of some value

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
You could build MAC-address ACLs in the Cisco, depending on the IOS/CatOS version... what model? Can you post a sh ver?

Burt
 
You could probably abuse NAP/NAC for this.

It is normally used to check the health of a client PC (all security patches applied? Antivirus up to date? etc.).

The check is done by the NAP agent on the PC, but this agent merely runs a script that you can write yourself... Could be anything: is the logged-on user a member of a group, is the IP of the PC in a certain list...

Needs a NAP server (Windows 2008)
Clients can be XP SP3 or higher

Not sure though but if nothing else works, you might give it a try...

G.
 
Abuse...lol
What else would you want to do with a Micros$#t product? The real question is, what do the "$#" in "Micros$#t" stand for?lol

Burt
 
Thank you all for your posts. Some very good ideas here, but all seem to run into the same problems that we have encountered. The solutions seem to be network based at a system level, which will not fix the problem. If my first post was too vague I apologise; I will attempt to explain the situation below.

For example, I have 10 users prior to the Citrix move, all with PCs. They can be assigned different IP addresses based on their client PCs, therefore the source addresses of the ten users are ten different IP addresses.
All ten are now moved to a Citrix XenApp server, which has the same IP address. All ten users now have the same source IP address. This is the way it works in Citrix: when you first connect to the Citrix server and then on to a backend application server, your source IP will be from the Citrix server, not your PC.

We therefore needed to look at how to prevent access to certain destinations (from the Citrix server) all based from the same source IP address; my question is how do we do this.

Thanks again
 
If you're trying to prevent access to Windows servers for file sharing, you could use the "Access this computer from the network" user right assignment. But I guess if it were that simple, you'd have figured it out yourself :)

Unfortunately the only thing I can think of right now is putting user authentication on the ACLs to the protected resource. Or maybe gdvissch's suggestion of using NAC may also help you.

Maybe this link will be of some value?


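The "Access this computer from the network" approach above works because the destination server decides per account, not per source IP, so it is unaffected by every user arriving from the XenApp server's address. The following is an added example, not code from this thread or from any poster, showing how that user right (SeNetworkLogonRight) can be restricted to one AD group on a destination Windows server with secedit. It assumes it is run as a local administrator on the target server and that CORP\ACL-FileServer-Users is a placeholder group name you replace with your own.

```powershell
# Added example (not from the thread): restrict "Access this computer from the
# network" (SeNetworkLogonRight) on a destination Windows server to one AD group,
# so access is decided by identity rather than by the shared Citrix source IP.
# Assumptions: run as a local administrator on the target server; the group
# CORP\ACL-FileServer-Users is a constructed placeholder. BUILTIN\Administrators
# is kept in the right on purpose so remote management keeps working. Any account
# not listed (service accounts included) loses network access to this host.

$AllowedGroup = 'CORP\ACL-FileServer-Users'   # placeholder, replace with your group

# secedit templates reference principals as *SID, so translate the group name.
$groupSid = (New-Object System.Security.Principal.NTAccount($AllowedGroup)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators

# Minimal security template touching only the one user right.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *$adminsSid,*$groupSid
"@

$inf = Join-Path $env:TEMP 'network-logon.inf'
$db  = Join-Path $env:TEMP 'network-logon.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the USER_RIGHTS area; other local policy areas are left untouched.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# Verify: export the effective user rights and show the resulting assignment.
$out = Join-Path $env:TEMP 'network-logon-export.inf'
secedit /export /cfg $out /areas USER_RIGHTS /quiet
Select-String -Path $out -Pattern '^SeNetworkLogonRight' | ForEach-Object { $_.Line }
```

On a domain-joined server, a user right set by Group Policy overrides this local setting at the next policy refresh, so for production the same assignment belongs in a GPO linked to the servers' OU. This only governs network logon to Windows hosts; it does nothing for non-Windows destinations, which is where the authenticated ACL or NAC suggestions in the thread come in.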
 
The Cisco switch can filter by source MAC - that is NEVER the same!!! But it depends on the IOS image on the switch!

Burt
 
Surely this is something that the Citrix/XenApp servers do based on the user who actually logs in? I am sure that you assign a profile to a user; if that user doesn't have that profile you can't access the backend data.

As far as everyone coming from the same IP address is concerned... Citrix should be shot for that; where is the security audit trail?

Simon

The real world is not about exam scores, it's about ability.
