Hope someone with far more knowledge than me can help. We currently have 7 or 8 people that sign in to the VPN and then click on a link to remote desktop onto their PCs in the office. At the moment each person doing this has their own User Role configured with a terminal services session to the PC.
I was wondering if there was a way of doing this but with only 1 user role (to clean things up a bit really). So the users will log in, see a list of remote desktops available and then only be able to click on their own one; if they click on any others it doesn't work? Is it possible to do this or am I already doing things the right way?
This is what we've done to get by with one role for most people...
We use AD for our core auth, so we did everything in the user record. We allow people into the role by an AD user group.
In everyone's AD record, we took the "pager" field and put in their workstation name. We then wrote a Terminal Services role that used: <USER>@<userAttr.pager>.domain.com for the shortcut. We added the same string to the TerSvc ACLs and we were golden.
I just realized a couple of days ago that if you put multiple entries into the "otherpager" field in AD, the IVE creates a separate shortcut for each one, so in effect we can use this one role and one field to give everyone access to all the sessions they need without having to do anything in the IVE; just add to AD and we're done.
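The AD side of the approach above (one workstation in "pager", extra sessions in the multi-valued "otherPager") lends itself to scripting. This is an added example, not something from the thread; it assumes the RSAT ActiveDirectory module, an account allowed to write those two attributes, and a constructed CSV of user-to-workstation assignments. It also checks that each host name resolves in DNS before writing, so a bookmark is never handed out for a name the IVE cannot reach.

```powershell
Import-Module ActiveDirectory

function Set-IveWorkstation {
    # Writes pager (own workstation) and otherPager (additional sessions) for one user.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstations
    )
    # Plain host names only; the IVE role appends .domain.com itself.
    $hostPattern = '^[A-Za-z0-9][A-Za-z0-9-]{0,62}$'
    foreach ($h in $Workstations) {
        if ($h -notmatch $hostPattern) { throw "$SamAccountName: '$h' is not a valid host name" }
        if (-not (Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)) {
            throw "$SamAccountName: '$h' does not resolve in DNS; bookmark would be dead"
        }
    }
    $primary, $extra = $Workstations
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set pager=$primary otherPager=$($extra -join ',')")) {
        Set-ADUser -Identity $SamAccountName -Replace @{ pager = $primary }
        if ($extra) {
            Set-ADUser -Identity $SamAccountName -Replace @{ otherPager = @($extra) }
        } else {
            # Remove stale extra sessions so the user only sees what the CSV grants.
            Set-ADUser -Identity $SamAccountName -Clear otherPager
        }
    }
}

# Constructed sample input; in practice use Import-Csv .\workstations.csv
$assignments = @'
SamAccountName,Workstations
jdoe,PC-SONICBOOM
asmith,PC-ALPHA;PC-BETA
'@ | ConvertFrom-Csv

foreach ($row in $assignments) {
    $names = @($row.Workstations -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    try   { Set-IveWorkstation -SamAccountName $row.SamAccountName -Workstations $names -WhatIf }
    catch { Write-Warning $_ }
}

# Review what the IVE will read for each user.
$assignments | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Properties pager, otherPager |
        Select-Object SamAccountName, pager, otherPager
}
```

Drop the -WhatIf once the preview looks right; the same attribute string then drives both the bookmark and the Terminal Services ACL, so the two cannot drift apart.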
An easy way to clean up both the role-mapping rules and the user's portal is to allow the users to create their own bookmarks. The user only needs to know his workstation name or IP to create the bookmark.
Make sure you have a terminal server users group in AD, make a role mapping from the AD group to the Terminal Server/RDP rule, and set your options in the role. Now any user that is authorized and is in the TS Users group will get the RDP link, and if you have DNS set up correctly for all the users' workstations they can RDP to PC-SONICBOOM or whatever it is called. This way, in the future, if there are any new users that need access, all you have to do is add them to the TS Users group in AD and never have to touch the Juniper.
It won't be possible to have a list as you mentioned, but if there is an attribute on your auth server you can pull, you can use that (as several others mentioned) as the bookmark host.
If you wanted a list, you could put all the servers in one role and then in the ACL use a detailed rule and define who is allowed and who is not (but this adds additional administrative overhead).
You could do a resource profile for the computers and assign roles from there.