• Status: Solved

Controlling Terminal Server Device CAL Distribution

We are running a small Citrix Farm with 80 Windows Terminal Device CALs.

We have 40 remote WBTs accessing the Farm via Web Interface for MetaFrame XP.
We have 25 remote Windows XP Pro workstations accessing the Farm via Web Interface for Windows XP.
We have 5 laptop Windows XP Pro road warriors accessing the Farm via Web Interface for Windows XP.

Quick math says that should leave us 10 CALs for emergencies and growth.

Not the case.  All the CALs are gone and we have a ton of Temp CALs lurking around.

What is happening is that people in our WBT facilities who are authorized to access via their terminal are going home and accessing the farm from their PCs, grabbing extra CALs.

These machines are all remote so we can't implement any kind of group policies or procedures.  The "bad guys" are using home PCs which we have absolutely no control over.  We have a written company policy that this shouldn't be done but... they do it anyway.

Is there any way we can prevent access from those "authorized" home users?  I would prefer not to use IP filtering as we have people who travel in hotels and will have random IPs they access from.
Asked by: broussardgroup
 
broussardgroup (Author) commented:
One more thing... We can't restrict access by time of day either because they sometimes work late at the office and sometimes access from home during regular business hours.
 
beaconlightboy commented:
I would switch from device CALs to user CALs.  Once a device CAL is used it stays used for like 90 days or something.  We had this problem when we set up PCs with a different name and then changed the name.  We would eat up 2 CALs per computer, although we just changed our setup procedures to fix that.
 
broussardgroup (Author) commented:
We have a total of 350 users who access the Farm through those 60 device CALs.  If we switch to user CALs we would have to buy 350.
 
beaconlightboy commented:
Why just place IP filters on your TS servers or on your firewalls.  Only allow them to establish connections with IPs within your network.  That would work.
 
broussardgroup (Author) commented:
These connections are all coming in from outside our network.  Some of the users travel so they will have random IPs.  IP Filtering wouldn't be effective in this case.
 
beaconlightboy commented:
OK, if all your connections are coming from the outside, I am presuming you are using a VPN technology to secure your data.  If that's so, I am guessing you use DHCP.  You could just use reservations and only give addresses to computers with MACs that are authorized.  Yes/no?
 
broussardgroup (Author) commented:
Not using VPN.  Using Web Interface for MetaFrame XP.  It is an SSL-secured web interface that acts as a Gateway to the Citrix Farm.  Eliminates the need to set up VPNs for all the remote locations.  Obviously you also lose some of the control over incoming connections.
 
beaconlightboy commented:
This is one of those who-woulda-thought things.  Happens to the best of us.  I think you are going to have to make a command decision to change something.  In this case it looks like you will have to spend money either way.  By using VPNs you have a lot of flexibility; for starters, only those with VPN software or hardware can use the system.  Plus it's more secure because your servers are not open to the outside.
 
broussardgroup (Author) commented:
The Citrix Farm is protected behind the Secure Gateway server.  No one can log in until they are validated by the Secure Gateway over an SSL connection.  This arrangement allows us to not have to support 60+ VPN connections while still using 128-bit encryption.

Maybe a combination solution.  Use IP Filtering for the static locations which is 95% of the traffic.  But also provide a VPN connection for our travelling road warriors that have random IP Addresses.

blb, I'll leave open for another couple days to see if there are any more ideas out there.  Thanks.