So here is what I need to do.
Ideally three pools, one connection server, and one security server.
One for faculty that allows internal and external (security server) connections.
Second is for students that are allow internal and external access. (parent approved)
Third is for students that are only allowed internal access to school systems.
Unfortunately the current connection server design does not support a single connection server to do this. I cannot for example allow one pool to access the security server, and prohibit another pool from doing so.
So install a replica connection server, do not connect to a security server and add a tag like "Internal".
Add internal only pool to the replica with the tag "Internal" only.
There are a few issues with this.
1.) This represents another DNS name for folks on campus. I can no longer just just "view.domain.com". I now need "view.domain.com" for folks that are allowed internal and external connections, and something like "view.internal.domain.com" for the internal pools only.
This is one more step for my users, and also for my zero client and kiosk configurations.
2.) The student pools are non-persistent floating pools. So now I have to split up the desktops that are available in each pool. So out of 100 vms. Say I put 70 in the internal only pool, and 30 in the external pool. Well now an external person might get no vms available because 30 are already in use. Also and internal person might get the same error.
It seems to me like there are some design changes needed.
1.) The master connection server should give the option to disable connections to a pool from the security server.
2.) If that is not an option, it should be able to lookup the entitlements of the user that authenticates and pass the request over to the replica that the person is entitled to.
Am I missing something? Is there another way of doing this?