.vbs script to restrict access only from internet to Citrix XenApp or TS servers
26 Feb
Posted by Roberto as Scripts
This vbs script consist into two verifications to restrict access of users from internet in Citrix XenApp (Presentation Server/Metaframe) servers or Terminal Services, to be included in the session initialization. The idea of this script allow access from users from Internet just if they are in a specific Active Directory group.
In the first verification, the script checks if the current user belongs to a group called “Remote Workers. If yes, the script jumps to the end. If no, the script goes to the second verification.
The second verification sees if is possible to ping the user workstation from the server. If the ping replies, means that the user is using the local network, then the script jumps to the end. If the ping doesn’t reply, the script will understand that the user is trying to access from internet, them he will be logged off from the server.
See the flow below to see better how this script works:
And follow the script bellow:
On Error Resume Next
Dim group_validation, target, ping_result
Set objNetwork = CreateObject(”WScript.Network”)
set objShell = CreateObject(”WScript.Shell”)
Set objUser = GetObject(”WinNT://” & objNetwork.UserDomain & “/” & objNetwork.UserName)group_validation = false
For each oGroup in objUser.Groups
if instr(oGroup.Name,”Remote Workers”) then group_validation = true
NextIf group_validation = false then
strTarget = objShell.ExpandEnvironmentStrings(”%ClientName%”)
Set objExec = objShell.Exec(”ping -n 2 -w 1000 ” & strTarget)
ping_result = LCase(objExec.StdOut.ReadAll)If InStr(ping_result, “reply from”)=0 Then
msgbox “Access denied”
objShell.run(”logoff”)
End if
End If‘msgbox “done”
Things to consider when you are going to use this script:
- In my tests, the command logoff didn’t work in the login script. Worked just calling the script from the usrlogon.cmd file. You need just add a line like in the file: wscript [path]\[script_name.vbs]
- Ping will not work if servers can’t resolve names though wins or dns.
- You need disable session reconnection or use this script with the tool ReconnAct! to ensure that reconnected sessions will be verified.
- If you deploy Citrix to your users only through Web Interface/Secure Gateway, then you can find a better solution in www.thomaskoetzing.de.
- Don’t put in production before validate very well.
Subscribe by RSS or Email
Recent Articles
- Enable again toolbars in Excel 2003
- Easily running commands in all servers/workstations
- .vbs script to restrict access only from internet to Citrix XenApp or TS servers
- Simple and better solution to redirect local drives in XenApp sessions
- Is Citrix FastLaunch a good option to improve logon time of Citrix XenApp sessions?
RSS feed for comments on this post · TrackBack URI
Leave a reply