broussardgroup

Controlling Terminal Server Device CAL Distribution

We are running a small Citrix Farm with 80 Windows Terminal Device CALs.

We have 40 remote WBTs accessing the Farm via Web Interface for MetaFrame XP.
We have 25 remote Windows XP Pro workstations accessing the Farm via Web Interface for Windows XP.
We have 5 laptop Windows XP Pro road warriors accessing the Farm via Web Interface for Windows XP.

Quick math says that should leave us 10 CALs for emergencies and growth.

Not the case.  All the CALs are gone and we have a ton of Temp CALs lurking around.

What is happening is that people in our WBT facilities who are authorized to access via their terminal are going home and accessing the farm from their PCs, grabbing extra CALs.

These machines are all remote so we can't implement any kind of group policies or procedures.  The "bad guys" are using home PCs which we have absolutely no control over.  We have a written company policy that this shouldn't be done but... they do it anyway.

Is there any way we can prevent access from those "authorized" home users?  I would prefer not to use IP filtering as we have people who travel in hotels and will have random IPs they access from.
broussardgroup
ASKER

One more thing... We can't restrict access by time of day either because they sometimes work late at the office and sometimes access from home during regular business hours.
beaconlightboy

I would switch from device CALs to user CALs.  Once a device CAL is used it stays used for like 90 days or something.  We had this problem when we set up PCs with a different name and then changed the name.  We would eat up 2 CALs per computer, although we just changed our setup procedures to fix that.

We have a total of 350 users who access the Farm through those 60 device CALs.  If we switch to user CALs we would have to buy 350.

Why just place IP filters on your TS servers or on your firewalls.  Only allow them to establish connections with IPs within your network.  That would work.

These connections are all coming in from outside our network.  Some of the users travel so they will have random IPs.  IP Filtering wouldn't be effective in this case.

OK, if all your connections are coming from the outside, I am presuming you are using a VPN technology to secure your data.  If that's so, I am guessing you use DHCP.  You could just use reservations and only give addresses to computers with MACs that are authorized.  Yes/no?

Not using VPN.  Using Web Interface for MetaFrame XP.  It is an SSL-secured web interface that acts as a Gateway to the Citrix Farm.  Eliminates the need to set up VPNs for all the remote locations.  Obviously you also lose some of the control over incoming connections.

ASKER CERTIFIED SOLUTION
beaconlightboy

This solution is only available to members.
The Citrix Farm is protected behind the Secure Gateway server.  No one can log in until they are validated by the Secure Gateway over an SSL connection.  This arrangement allows us to not have to support 60+ VPN connections while still using 128-bit encryption.

Maybe a combination solution.  Use IP Filtering for the static locations which is 95% of the traffic.  But also provide a VPN connection for our travelling road warriors that have random IP Addresses.

blb, I'll leave open for another couple days to see if there are any more ideas out there.  Thanks.