Roberto Alves

Scripting and server based computing

.vbs script to restrict access from the Internet to Citrix XenApp or TS servers

This VBScript performs two checks to restrict access by Internet users to Citrix XenApp (Presentation Server/MetaFrame) servers or Terminal Services, and is meant to be included in the session initialization. The idea is to allow access from the Internet only to users who are in a specific Active Directory group.

In the first check, the script tests whether the current user belongs to a group called “Remote Workers”. If yes, the script jumps to the end. If no, the script goes to the second check.

The second check tests whether the user's workstation can be pinged from the server. If the ping is answered, the user is on the local network and the script jumps to the end. If the ping is not answered, the script assumes that the user is trying to connect from the Internet, and the user is logged off from the server.

The flow below shows how this script works:


The script follows:

On Error Resume Next

Dim objNetwork, objShell, objUser, objExec, oGroup
Dim group_validation, strTarget, ping_result

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & objNetwork.UserName)

' First check: is the user a member of the "Remote Workers" group?
group_validation = False

For Each oGroup In objUser.Groups
    If InStr(oGroup.Name, "Remote Workers") > 0 Then group_validation = True
Next

' Second check: can the server ping the client workstation?
If group_validation = False Then
    strTarget = objShell.ExpandEnvironmentStrings("%ClientName%")
    Set objExec = objShell.Exec("ping -n 2 -w 1000 " & strTarget)
    ping_result = LCase(objExec.StdOut.ReadAll)

    ' No reply: treat the client as coming from the Internet and log the user off
    If InStr(ping_result, "reply from") = 0 Then
        MsgBox "Access denied"
        objShell.Run "logoff"
    End If
End If

'MsgBox "done"

Things to consider when you are going to use this script:

  • In my tests, the logoff command didn’t work in the login script. It worked only when calling the script from the usrlogon.cmd file. You just need to add a line like this to the file: wscript [path][script_name.vbs]
  • Ping will not work if the servers can’t resolve names through WINS or DNS.
  • You need to disable session reconnection or use this script with the ReconnAct! tool to ensure that reconnected sessions are verified.
  • If you deploy Citrix to your users only through Web Interface/Secure Gateway, then you can find a better solution in
  • Don’t put this into production before validating it thoroughly.
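
A variant of the same two checks, as an added example that is not the author's script: it matches the group name exactly, rejects a %ClientName% value that is unset or not a plain host name before using it, pings through the WMI class Win32_PingStatus instead of parsing the English output of ping.exe, and denies access when a lookup fails. The function names, the ALLOWED_GROUP constant and the NetBIOS-style name pattern are assumptions.

```vbscript
Option Explicit
Const ALLOWED_GROUP = "Remote Workers"   ' group name used in the article

Function IsMemberOf(objUser, strGroup)
    Dim oGroup
    IsMemberOf = False
    For Each oGroup In objUser.Groups
        ' Exact, case-insensitive match rather than a substring test
        If StrComp(oGroup.Name, strGroup, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function

Function IsValidClientName(strName)
    ' Assumption: client names are NetBIOS-style (1-15 letters, digits, hyphens).
    ' An unset %ClientName% expands to itself and is rejected here.
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9-]{1,15}$"
    IsValidClientName = re.Test(strName)
End Function

Function HostAnswersPing(strHost)
    ' Win32_PingStatus reports StatusCode 0 for an echo reply, whatever the OS language.
    ' Callers must pass a name already accepted by IsValidClientName.
    Dim objPing
    HostAnswersPing = False
    For Each objPing In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "SELECT * FROM Win32_PingStatus WHERE Address='" & strHost & "' AND Timeout=1000")
        If Not IsNull(objPing.StatusCode) Then
            If objPing.StatusCode = 0 Then HostAnswersPing = True
        End If
    Next
End Function

Dim objNetwork, objShell, objUser, strClient, blnValid, blnAllow
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
strClient = objShell.ExpandEnvironmentStrings("%ClientName%")
blnValid = IsValidClientName(strClient)
blnAllow = False
On Error Resume Next   ' a failed lookup leaves blnAllow False, so errors deny access
Set objUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & objNetwork.UserName)
blnAllow = IsMemberOf(objUser, ALLOWED_GROUP)
If Not blnAllow And blnValid Then blnAllow = HostAnswersPing(strClient)
On Error GoTo 0
If Not blnAllow Then
    MsgBox "Access denied"
    objShell.Run "logoff", 0, False
End If
```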