IT Support1709152897

Members, 10 posts
Posts posted by IT Support1709152897

  1. 19 minutes ago, Andy Vanderbeken said:

     Here's something to consider, perhaps, based on first-hand experience:

     Last year I received this question as well from corporate management. After some research I implemented smart access, but soon after that some additional and "exceptional" requests started coming in for a few specific external partner PCs that should be allowed after all.

     Soon after that the request came to, by default, no longer allow all people with internal company PCs to be able to do it, but rather restrict it to only people that request permission (with a valid reason).

     After that the request came to allow a specific internal range of a subsidiary where different machines (Windows and Macs) are randomly used by different persons. They need to have access.

     Finally, some time later the request came for a few specific users that need to get this functionality regardless of which machine they are using.

     So eventually I realized I had to come up with a design model that allowed granular control over all of these scenarios and still provided certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal and external machines, regardless of whether through a full VPN or Citrix sessions through NetScaler Gateway.

     To design a fitting solution for all of these possibilities once and for all, I ended up choosing to apply a full deny of this functionality in my Virtual Apps default policy (last priority) and then 3 exceptional policies with a higher priority based on, respectively, "client (machine) name", client IP (range) and "User or Group" name. Ever since, I have never had to adjust the design again, no matter what additional requests came in.

    Thanks for your input. I was thinking about this way as well, at least for the short term until Corona is over. I'd be a bit concerned about implementing EPA when all our staff are WFH!

    Will need to think about how I can do this when staff are on VPN, but using remote app.
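The deny-by-default design Andy describes, modelled as an added example (this is not code from the forum post or from Citrix): an unfiltered default policy at the lowest priority denies the feature, and three higher-priority policies allow it by client name, client IP range and user or group, with the highest-priority matching policy winning as in Citrix policy processing. The policy names, machine name, IP range and group name are constructed placeholders, and the evaluator also flags the "overlooked situation" of a policy set with no default.

```python
"""Constructed model of the deny-by-default design from the post above (not Citrix code).
A lowest-priority default policy denies the feature for everyone; three higher-priority
policies allow it by client (machine) name, client IP range, and user or group."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    client_name: str
    client_ip: str

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                              # 1 = highest, checked first
    allow: bool
    client_names: frozenset = frozenset()      # filter: client (machine) name
    client_ranges: tuple = ()                  # filter: client IP range(s)
    users_or_groups: frozenset = frozenset()   # filter: user or group name

    def matches(self, s: Session) -> bool:
        """Every configured filter must match; a policy with none applies to all."""
        if self.client_names and s.client_name.upper() not in self.client_names:
            return False
        if self.client_ranges and not any(
                ip_address(s.client_ip) in ip_network(r) for r in self.client_ranges):
            return False
        if self.users_or_groups and not ({s.user} | s.groups) & self.users_or_groups:
            return False
        return True

def evaluate(policies, session):
    """Return (allowed, policy name) from the first match in priority order."""
    for p in sorted(policies, key=lambda pol: pol.priority):
        if p.matches(session):
            return p.allow, p.name
    # Design invariant: the unfiltered default must catch everything else.
    raise LookupError("no policy matched: the default deny policy is missing")

# Constructed policy set; machine name, range and group are placeholders.
POLICIES = (
    Policy("Allow-PartnerPCs", 1, True, client_names=frozenset({"PARTNER-PC01"})),
    Policy("Allow-SubsidiaryRange", 2, True, client_ranges=("10.50.0.0/16",)),
    Policy("Allow-ApprovedUsers", 3, True, users_or_groups=frozenset({"GRP-FeatureApproved"})),
    Policy("Default-Deny", 99, False),         # no filters: matches every session
)
```

An internal company PC whose user is not in the approved group, or any external machine that matches no exception, falls through to the default deny; dropping the default policy makes the evaluator raise instead of silently allowing.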

  2. Just to make sure, your login name for Office365 matches the UPN you see when you execute this command in a command prompt? whoami -upn

     Your local UPN and Office365 login don't necessarily have to match when syncing. Your local UPN could be john@contoso.local and your Office365 login could be john@contoso.com

     I think FAS might be causing the problem. I assume you implemented that for the SAML authentication to StoreFront? It seems to be where it's all failing.

    My UPN matches all the way through.
