Monday, March 16, 2009

[THIN] Re: 2 Access Gateways different default logon points?

This is easy to do, but perhaps some of the contents of this thread need clarification.

 

Are you doing this because the CAGs are in different firewall “zones”, or you just want users to see the appropriate page when typing the same URL? i.e. one with RSA and the other without?

 

You can modify the default.asp on the External (Default) logon point and add some code to detect the REMOTE_ADDR (Client IP Address) using the http header (http://www.w3schools.com/asp/coll_servervariables.asp). If it matches an Internal address range, redirect it to the Internal logon point.

 

I like this method, because all CAGs are still in the “pool”, so you’re not losing the ability to failover to the other CAG. From reading this thread, I understood that you were wanting to isolate each CAG, and in my opinion, that’s not good.

 

The ONLY way something like this MAY fail, is if someone has a LAN at home with a matching IP Range. But at least it may give you some more ideas…there are other ServerVariables you may be able to query to avoid this.

 

Here’s a script I was playing with a while ago in my spare time, but I never had time to complete or test it…

 

----------------------------Start of script----------------------------

<%
' Prefer the address reported by a proxy; fall back to the directly connected peer.
' HTTP_X_FORWARDED_FOR is a request header, so it is only reliable when a proxy you control sets it.
ClientIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ClientIPAddress = "" Or Trim(LCase(ClientIPAddress)) = "unknown" Then
    ClientIPAddress = Request.ServerVariables("REMOTE_ADDR")
End If

' Match addresses in 10.x.x.x; the dot is escaped so that 100.x.x.x does not match.
Set myRegExp = New RegExp
myRegExp.Pattern = "^10\."
Set myMatches = myRegExp.Execute(ClientIPAddress)

If myMatches.Count > 0 Then
    Call Redirect("internal")
Else
    Call Redirect("external")
End If
%>

<SCRIPT LANGUAGE=JScript RUNAT=Server>
function Redirect(clientlocation)
{
    // Initially detect either a Full Browser or a Small Form Factor Browser
    var mgr = Server.CreateObject("Veratium.VeratiumManager");
    var target = mgr.GetTarget();

    // Only the "internal" case is handled; the script was left unfinished here.
    if (clientlocation == "internal")
    {
        if (target.FullOutput)
        {
            Response.Redirect("Welcome.aspx?ff=full");
        }
        else
        {
            Response.Redirect("PDA/Welcome.aspx?ff=small");
        }
    }
}
</SCRIPT>

 

----------------------------End of script----------------------------

 

I hope that’s useful information :)

 

Cheers,

Jeremy.
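
The internal/external decision from the script above, as an added example that is not part of the original message: it honours X-Forwarded-For only when the connecting peer is a known proxy and matches the range by CIDR rather than by string prefix. It is plain JavaScript rather than classic ASP, and the proxy address, internal range and function names are assumptions made for illustration.

```javascript
// Added example; addresses and names are constructed, not taken from the thread.
const INTERNAL_RANGES = ["10.0.0.0/8"];     // assumed internal LAN range
const TRUSTED_PROXIES = ["192.0.2.10/32"];  // assumed proxy in front of the logon page

// Strict dotted-quad parser: returns an unsigned 32-bit number, or null if malformed.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(text).trim());
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

function inAny(ip, cidrs) {
  return ip !== null && cidrs.some((c) => inCidr(ip, c));
}

// Address the decision is based on. The header is ignored unless the TCP peer
// (REMOTE_ADDR) is a trusted proxy, because any client can send the header itself.
function effectiveClientIp(remoteAddr, xForwardedFor) {
  const peer = parseIPv4(remoteAddr);
  if (!inAny(peer, TRUSTED_PROXIES) || !xForwardedFor) return peer;
  // Walk the hop list right to left: the rightmost entries were appended by our
  // own proxies, anything further left was supplied by the client side.
  const hops = xForwardedFor.split(",").map(parseIPv4).reverse();
  for (const hop of hops) {
    if (hop === null) return null;              // malformed entry: fail closed
    if (!inAny(hop, TRUSTED_PROXIES)) return hop;
  }
  return peer;
}

// "internal" selects the single-factor logon point, so every doubtful case is "external".
function chooseLogonPoint(remoteAddr, xForwardedFor) {
  const ip = effectiveClientIp(remoteAddr, xForwardedFor);
  return inAny(ip, INTERNAL_RANGES) ? "internal" : "external";
}
```
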

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Steve Greenberg
Sent: Monday, March 16, 2009 11:49 AM
To: thin@freelists.org
Subject: [THIN] Re: 2 Access Gateways different default logon points?

 

Peter,

 

Are you saying in this case that both CAGs will point to the same AAC server but that the landing page will re-direct them selectively to a new landing page based on the MAC address of that CAG? That is slick!!

 

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85266

(602) 432-8649

www.thinclient.net

steveg@thinclient.net

 


From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of peter_dibbens
Sent: Sunday, March 15, 2009 3:42 PM
To: thin@freelists.org
Subject: [THIN] Re: 2 Access Gateways different default logon points?

 

Hi,

Simply put, you can’t segregate the CAGs within AAC; they will be treated as a single entity. Also, if both the CAGs are using different FQDNs (likely), then that can cause issues with the Secure Access Client.

 

However, all said and done, I have had to make this work for a larger customer in the past. The way around it is to add some code to the basepage.aspx to detect the MAC address of the CAG, i.e. the one you may want the logon point to be displayed upon.

There are other potential ways that this could be achieved, by say third-party load balancers or even NetScaler.

 

If you want the code for basepage.aspx let me know.

 

The reason this was implemented was to allow internet-facing logon point: RSA 2 Factor; internal logon point: Single Factor.

 

 

Thanks Peter

 

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of James Scanlon
Sent: Saturday, 14 March 2009 1:32 PM
To: Thin
Subject: [THIN] 2 Access Gateways different default logon points?

 

Greetings again all you fabulous list legends!
 
Quick one hopefully!?
 
I have 2 Gateway Devices both pointing to the same AAC server.
 
I want to have 1 gateway device support LDAP and RSA (it's available externally)
I want the other to have just LDAP (it's only available internally)
 
From what I can tell the advanced authentication methods can only be set up per logon point, however I can't find a way to have 2 different CAGs point to different default logon points (under the same AAC server)
 
Am I missing something really simple?
 
Cheers and best wishes
James
 

