thomas_evans
Partner - Contributor III

Stream - Engine / Node Security Rule

Hi All,

I'm in need of some help with a complicated security rule.

I have an environment with 4 machines in the cluster, 1 being a central node and 3 rim nodes.


There are 3 virtual proxies running:

  • 1 for the central node
  • 1 for 1 of the rim nodes (this is a development node)
  • 1 for 2 of the rim nodes (these are production nodes which are running load balancing)

In the context of this discussion we are talking about the rim nodes only.


I have a series of AD groups that users are added to, which in turn grants access to streams based on a custom property.

I have a stream node load balancing rule based on a custom property, which at an app.node level means only certain apps are accessible by certain nodes, which works perfectly in allowing apps to the respective nodes they should run on.

Now the issue that I am facing is that I have users who are members of mixed AD groups, both "development" and "production". From a user perspective it's just an odd experience. For example, if they are on the production node they can see the production apps and the stream they reside in but ALSO the development streams; however, due to the app.node rule there are no apps within. This is reversed in nature if they are on development: they end up seeing all the development streams and apps, along with the empty production streams.

I realize that in using 1 proxy across the respective nodes, traffic could be directed somewhat appropriately (although the first app session would dictate the node for subsequent app access, which isn't ideal); however, there is a requirement for 2 proxies in this case due to the vastly different business use cases.

So what I am looking for is a security rule where I can assign streams to nodes or engines or something to that effect?

These users are edge cases, so it's not a huge issue, it's just not quite as cosmetically clean as I would like.

Any ideas much appreciated.

Thanks,

Thomas

0 Replies