
Allow URL based on AAA group



Hi,

We have a Gateway Virtual Server where users get bookmarks based on their AD group membership (AAA group). Now we need to prevent certain users from accessing parts of a website we published.

They only need to have access to: site.domain.local/departments/department1/.....

They aren't allowed to leave their department site.

I created a responder policy only for the allowed sites, but I can't bind this to the AAA group and it only filters the URL and not everything behind the FQDN.

How can I create the described situation?

Link to comment

Hi,

I tried using the Authorization policy but failed to get it to work.

I'm using the following Authorization Expression: HTTP.REQ.HOSTNAME.CONTAINS("Site.domain.com")

This expression is for all the normal sites.

The above expression only works if I change https:// to http://.

How do I use it with https://?

HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/department")

This expression is for the department site, which is allowed.

Link to comment

http.req.header("host").set_text_mode(ignorecase).contains("site.domain.com")   (These should be equivalent, but there may be an issue in that the ADC is not the SSL termination point, so it can see the headers.)

If the above still doesn't work, then you'll have to do it by destination IP. Resolve the FQDN to the IP it uses behind the ADC and change the expression to:

authorization policy:  allow:  client.ip.dst.eq(<IP>)

Link to comment
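
The restriction asked about in this thread, written out as NetScaler CLI in an added example that is not from any of the posters: an ALLOW policy for the department path and a DENY policy for the rest of the same host, both bound to the AAA group. The group name Dept1-Users, the policy names and the priority values are hypothetical, and it assumes the policy with the lower priority number is evaluated first. The path test uses STARTSWITH on HTTP.REQ.URL.PATH instead of CONTAINS on the whole URL, so the string cannot match in a query string or deeper in another path.

```netscaler
# Hypothetical names: AAA group "Dept1-Users", policies authz_dept1_*.
# Host and path are the ones given in the first post.

# 1) Allow only the department subtree on the published host.
add authorization policy authz_dept1_allow "HTTP.REQ.HOSTNAME.EQ(\"site.domain.local\") && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/departments/department1/\")" ALLOW

# 2) Deny every other request to the same host.
add authorization policy authz_dept1_deny_rest "HTTP.REQ.HOSTNAME.EQ(\"site.domain.local\")" DENY

# 3) Bind both to the AAA group, not to the virtual server, so only
#    members of this group are restricted.
#    Assumption: the lower priority number (100) is evaluated before 110.
bind aaa group Dept1-Users -policy authz_dept1_allow -priority 100
bind aaa group Dept1-Users -policy authz_dept1_deny_rest -priority 110
```

If department pages load shared assets (scripts, stylesheets, images) from other paths on the same host, those requests fall under the DENY policy and each such path needs its own ALLOW rule.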