Notes about Permitted Groups and Steering Groups
- Last Updated: December 11, 2024
- LoadMaster
- LoadMaster LTSF
Some notes about permitted groups and steering groups are below:
- The Permitted Groups and Steering Groups entered must correspond to groups that exist in Active Directory.
- The permitted groups are the groups that are allowed to access this Virtual Service. When set, if a user logs in to an application published by this Virtual Service, the user must be a member of at least one of the groups specified.
- The Permitted Group SID(s) (security identifiers) field is the equivalent of the Permitted Groups field. If specifying permitted groups, you can complete either the Permitted Groups field or the Permitted Groups SID(s) field. In the Permitted Group SID(s) field:
- You can specify the Group SIDs that are allowed to access this Virtual Service. After you type the groups, click Set Permitted Group SIDs.
- You can enter a list of group SIDs. Each SID can be up to 64 bytes, and the whole list can be up to 2048 characters in length.
- Each group SID is separated by a semi-colon. Spaces are used to separate bytes in certain group SIDs. Here is an example: S-1-5-21-703902271-2531649136-2593404273-1606. A group's SID can be found with the PowerShell command Get-ADGroup -Identity GroupName (the SID property of the returned object holds the S-1-5-... string).
- The Steering Groups steer client traffic to subsets of Real Servers in a Virtual Service based on group membership.
- Multiple groups are supported per Virtual Service, up to a maximum total length of 2048 characters.
- Performance may be impacted if a large number of groups are entered on a single Virtual Service.
- A steering group is also treated as a permitted group: a user who matches a steering group is allowed to access the Virtual Service without that group being listed again in the Permitted Groups field.
- If steering groups are specified for a Virtual Service, the group membership is tested for each group in the list - starting from the left. If there is a match - the first matching group is the one that will be used to steer the traffic.
- Groups entered are validated using an LDAP query to Active Directory.
- The group(s) specified must be valid groups in the Active Directory domain that is specified in the SSO domain associated with the Virtual Service. The SSO domain name in the LoadMaster must be set to the Active Directory domain name, not the DNS name of the service. For example, if the SSO domain in the LoadMaster is set to webmail.example but this is not the actual Active Directory domain FQDN, group validation will not function. Instead, the SSO domain would need to be set to example.com.
- Multiple groups should be separated by a semi-colon (;). A space will not separate the groups since some group names may contain a space, such as Domain Users.
- The following characters are not allowed in permitted group names: / : + *
- The authentication protocol of the SSO domain must be LDAP when using these groups.
- The groups should be specified by name, not by full distinguished name (for example, "testgroup" rather than "CN=testgroup,CN=Users,DC=kemptech,DC=com").
- If the Virtual Service configuration is updated while a user has an open session, that user's requests may not be steered as expected. You could flush the SSO cache as a workaround, but this clears the cache for all users of the Virtual Service, so they are forcibly disconnected.
- Do not enter the same group name in both the Permitted Groups and Steering Groups fields; this causes a conflict. A steering group is assumed to behave like a permitted group, so there is no need to repeat it in the Permitted Groups field.
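The rules above can be checked before anything is pasted into the WUI. The PowerShell script below is an added example, not part of the Kemp documentation or the LoadMaster product: it validates candidate group names against the documented constraints (allowed characters, name rather than DN, semi-colon separator, 2048-character limit, no overlap between the two fields), confirms each group exists in the SSO domain's Active Directory, resolves the SIDs for the Permitted Group SID(s) field, and reproduces the documented left-to-right, first-match steering rule. The domain name, group names and sample user membership are constructed for illustration; the function names prefixed Lm are the example's own. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example: pre-flight check for LoadMaster Permitted Groups / Steering Groups.
# Domain and group names below are constructed placeholders, not real values.

$Domain          = 'example.com'                           # the AD domain FQDN, not a service DNS name
$PermittedGroups = @('Domain Users')                       # plain names, not distinguished names
$SteeringGroups  = @('VS Beta Users', 'VS Pilot Users')    # list order matters: first match wins

function Test-LmGroupName {
    # Rejects names the LoadMaster will not accept or will misinterpret.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '[/:+*]') { throw "Group '$Name' contains a forbidden character (/ : + *)." }
    if ($Name -match '^\s*CN=') { throw "Group '$Name' looks like a distinguished name; enter the name only." }
    if ($Name -match ';')       { throw "Group '$Name' contains ';', which is the list separator." }
    return $true
}

function Resolve-LmGroupSid {
    # Get-ADGroup -Identity accepts the group name; SID.Value is the S-1-5-... string.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Server)
    (Get-ADGroup -Identity $Name -Server $Server).SID.Value
}

function New-LmGroupList {
    # Joins entries with semi-colons (spaces are not separators: 'Domain Users' is one name)
    # and enforces the 2048-character limit on the whole field.
    param([Parameter(Mandatory)][string[]]$Names)
    $list = $Names -join ';'
    if ($list.Length -gt 2048) { throw "Group list is $($list.Length) characters; the limit is 2048." }
    return $list
}

function Get-LmSteeringMatch {
    # Documented rule: the steering list is tested left to right and the first
    # group the user belongs to is the one used to steer the traffic.
    param([string[]]$SteeringList, [string[]]$UserGroups)
    foreach ($g in $SteeringList) { if ($UserGroups -contains $g) { return $g } }
    return $null
}

# 1. A steering group already acts as a permitted group; it must not appear in both fields.
$overlap = $SteeringGroups | Where-Object { $PermittedGroups -contains $_ }
if ($overlap) { throw "Remove from Permitted Groups (already steering groups): $($overlap -join ', ')" }

# 2. Syntax checks, then confirm each group exists in the SSO domain's AD.
foreach ($g in ($PermittedGroups + $SteeringGroups)) {
    Test-LmGroupName -Name $g | Out-Null
    $null = Get-ADGroup -Identity $g -Server $Domain   # throws ADIdentityNotFoundException if missing
}

# 3. Build the strings to paste into the Virtual Service.
$permittedByName = New-LmGroupList -Names $PermittedGroups
$permittedBySid  = New-LmGroupList -Names ($PermittedGroups | ForEach-Object { Resolve-LmGroupSid -Name $_ -Server $Domain })
$steering        = New-LmGroupList -Names $SteeringGroups

"Permitted Groups:       $permittedByName"
"Permitted Group SID(s): $permittedBySid"
"Steering Groups:        $steering"

# 4. Predict how one user will be steered. For a real account, replace the constructed
#    list with (Get-ADPrincipalGroupMembership -Identity <sAMAccountName>).Name
$userGroups = @('Domain Users', 'VS Pilot Users', 'VS Beta Users')   # constructed sample membership
"Steered by: $(Get-LmSteeringMatch -SteeringList $SteeringGroups -UserGroups $userGroups)"
```

Note that the steering decision follows the order of the Steering Groups field, not the order in which groups appear in the user's own membership: the sample user above belongs to both steering groups, so the one listed first in the field is the one that determines the Real Server subset. Run the script against the same domain you have configured as the SSO domain on the LoadMaster, since a group that resolves in one domain may not exist in another.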