Restricting access to the Web Interface and PNAgent/Services sites

So you have Web Interface publicly available, and a Services site publicly available.  Users love it because now they can use their Citrix apps on their iPad/DROID/Whatever with just an internet connection.  Management, however, is slightly less than thrilled.  It seems your company employs a large number of low-wage workers that are not necessarily trusted, and now they all have access as well.  As a result, PHB has given the ultimatum that you either find a way to restrict access to it, or you must take it down.  Further, they aren’t willing to spend money on a Secure Gateway or a NetScaler.  You must use the tools you have, and that’s it.

What to do?

The good news is, it CAN be done!  You do need separate sites for internal and external users, however.  If you want to use the same server, that is fine: just create a second IIS site that listens on 8080 or something, and forward the external traffic to that second site.  Then make the changes below on THAT site, NOT the regular internal site.  Otherwise your users will be restricted inside the network as well, and I'm sure PHB would not be too happy about that!  One thing to double-check while you're at it: whatever publishes the site to the internet must only forward to the restricted site.  If the unrestricted internal site is reachable from outside on its own port or hostname, the restriction is bypassed with nothing more than a different URL.

To restrict the Web Interface, start by downloading ResGroups here.  The instructions are fairly simple to follow.  Add the files included, and edit two existing files.  Create an AD group to use to control access to the Web Interface, and you’re finished.  With Web Interface at least…

But what about the PNAgent/Services site?  You can’t use ResGroups because the PNA site doesn’t have all the same files the WI does, so there are things you need to modify that are “missing”.  Have no fear, you can still do it.  Mostly.

Before proceeding, you need to know that users will still be able to AUTHENTICATE, they just won't have any applications show up.  If this is an issue, then I guess this solution won't work for you.  For many companies, simply being able to prevent users from launching apps is good enough, especially for a FREE solution.  Keep in mind what "still able to authenticate" means, though: the external site is still validating domain credentials for anyone on the internet, so account lockout policy and logon auditing still matter just as much as before.  Here's how to do it:

Browse to the webinterface.conf file in the PNA site on your webserver.  Open it up, and look for “Farm1”.  Depending on the number of farms you have configured, you may also see “Farm2” and “Farm3”, etc.  NOTE:  When you make this change, you’ll need to assign groups to ALL FARMS in the site!

The feature we are going to bastardize for this is called Web Interface Roaming.  It is designed for the case where you have two farms, for example one in the US and one in Japan, each hosting applications in its regional language.  When a US user travels to Japan, you don't want them launching the Japanese applications, right?  So you add both farms to the WI servers.  Then you create two AD groups, one for US users and one for Japanese users.  If Farm1 is the US and Farm2 is Japan, you would add two lines to the file, like this:


Then, the US users will only see the US apps, and the Japanese users will only see the Japanese apps.  So you’re thinking “I could just not assign the US users to the Japanese apps, problem solved”.  Absolutely.  But for some reason, Citrix decided to build this in.  I’m sure there’s a more applicable reason you’d want to configure this, but play along.  I was only trying to illustrate the functionality of it, not the reasons Citrix chose to build it.

Anyhow.  Basically, what happens is that if the logged-on user is not a member of one of the groups above, they will see NO APPS.  If they are a member of USUsers, they'll see the apps from Farm1.  If they are a member of JapaneseUsers, they'll see the apps from Farm2.  So how can we use this to restrict who can see any apps when there is only one farm?  Do the exact same thing.

Create an AD group called “ExternalAllowed” or something similar.  Then, edit the file to add this line right after the line that starts with “Farm1”


If you aren’t a member of that group, you see NO APPS.  But, you CAN still authenticate.
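To see the whole thing end to end (the two-farm roaming case above and the single-farm "ExternalAllowed" trick), here is an added example that is not from the original post or from Citrix.  It embeds a constructed, simplified WebInterface.conf, inserts the group line directly after the matching Farm line the way the post describes, flags any farm that was left without a groups line (the thing the NOTE above warns about), and works out which farms a user with a given set of AD groups would actually see.  The key name used for roaming groups in WebInterface.conf is Farm<n>Groups; the farm lines are shortened, and the server and group names (CORP\USUsers, CORP\JapaneseUsers, CORP\ExternalAllowed) are placeholders.  A farm with no groups line is modelled as visible to everyone, which is the reading the NOTE above implies; verify that against your own version of Web Interface before relying on it.

```python
import re

# Constructed sample of an external PNAgent site's WebInterface.conf.  The Farm<n>=
# lines are simplified (real ones carry more options).  Farm<n>Groups= is the key
# WebInterface.conf uses for user roaming.  Farm3 deliberately has no groups line.
SAMPLE_CONF = """\
# WebInterface.conf (external PNAgent site) - constructed sample, not a real file
Farm1=xenapp-us01,Name:US,XMLPort:80,Transport:HTTP
Farm1Groups=CORP\\USUsers
Farm2=xenapp-jp01,Name:Japan,XMLPort:80,Transport:HTTP
Farm2Groups=CORP\\JapaneseUsers
Farm3=xenapp-old01,Name:Legacy,XMLPort:80,Transport:HTTP
"""

FARM_RE = re.compile(r"^Farm(\d+)=(.*)$")
GROUPS_RE = re.compile(r"^Farm(\d+)Groups=(.*)$")


def parse_conf(text):
    """Return ({farm_index: farm_line}, {farm_index: [group, ...]}) from a conf body.

    Group names are lower-cased so DOMAIN\\Group and domain\\group compare equal,
    which matches how AD group names behave (case-insensitive).
    """
    farms, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUPS_RE.match(line)
        if m:
            idx = int(m.group(1))
            groups[idx] = [g.strip().lower() for g in m.group(2).split(",") if g.strip()]
            continue
        m = FARM_RE.match(line)
        if m:
            farms[int(m.group(1))] = m.group(2)
    return farms, groups


def unrestricted_farms(text):
    """Farm indexes that have no (or an empty) Farm<n>Groups line.

    These are the farms the NOTE above is about: on the external site, every
    authenticated user would still see their applications.
    """
    farms, groups = parse_conf(text)
    return sorted(idx for idx in farms if not groups.get(idx))


def visible_farms(text, user_groups):
    """Farm indexes whose apps a user holding the given AD groups would see."""
    farms, groups = parse_conf(text)
    mine = {g.lower() for g in user_groups}
    visible = []
    for idx in sorted(farms):
        allowed = groups.get(idx)
        # Assumption (see lead-in): a farm with no groups line is shown to everyone.
        if not allowed or mine.intersection(allowed):
            visible.append(idx)
    return visible


def add_groups_line(text, idx, group_list):
    """Insert Farm<idx>Groups= directly after the Farm<idx>= line, as the post says.

    Any existing Farm<idx>Groups= line is replaced rather than duplicated.
    """
    key = f"Farm{idx}Groups"
    new_line = f"{key}={','.join(group_list)}"
    out, inserted = [], False
    for raw in text.splitlines():
        if raw.strip().startswith(key + "="):
            continue  # drop the old groups line; it is re-added after the farm line
        out.append(raw)
        m = FARM_RE.match(raw.strip())
        if m and int(m.group(1)) == idx:
            out.append(new_line)
            inserted = True
    if not inserted:
        raise ValueError(f"no Farm{idx}= line found in conf")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("farms with no groups line:", unrestricted_farms(SAMPLE_CONF))
    print("US user sees farms:", visible_farms(SAMPLE_CONF, ["CORP\\USUsers"]))
    fixed = add_groups_line(SAMPLE_CONF, 3, ["CORP\\ExternalAllowed"])
    print("after fixing Farm3, an ordinary user sees:",
          visible_farms(fixed, ["CORP\\Domain Users"]))
    print("after fixing Farm3, ExternalAllowed sees:",
          visible_farms(fixed, ["CORP\\ExternalAllowed"]))
```

Running it against the sample shows why the NOTE matters: with Farm3 left alone, a user in none of the groups still sees Farm3's apps, and only after `add_groups_line` has put a Farm3Groups line in does a non-member see nothing at all.  Point `parse_conf` at the real file from the external site (and only that site) to get the same report for your own farms.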

Should be good enough to make PHB happy.