
Access Gateway 5.0 Administrator's Guide

Copyright and Trademark Notice


Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A
printable copy of the End User License Agreement is included with the installation media.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein
are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2011 Citrix Systems, Inc. All rights reserved.

Citrix and ICA (Independent Computing Architecture) are registered trademarks and Citrix Access Gateway is a
trademark of Citrix Systems, Inc. in the United States and other countries.
Document code: May 12 2011 13:40:05

Contents

How to Use This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

About This Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19


Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Key Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Access Controller Components and Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Access Gateway Modes of Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Compatibility with Citrix Products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Terminology Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
What's New. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
What's New in Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Access Gateway Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring Access Gateway by Using the Management Console. . . . . . . . . . . . . .26
To change the administrator password in the Management Console. . . . . . . . . . . .27
Logon Points Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
SmartGroups Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Device Profiles Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Snapshots Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Network Resources Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Delivery Services Console Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Clustering and Load Balancing Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Advanced Endpoint Analysis Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Discontinued Features and Functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33


Access Gateway Appliance Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Model 2010 Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Access Gateway Management Console Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Access Controller System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Access Controller Server Roles, Services, and Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

Application Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Web Server IIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
.NET Framework 3.5.1 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Network Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Account Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Microsoft SQL Server User Account Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Service Account Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Applying Security Templates with the Service Account. . . . . . . . . . . . . . . . . . . . . . . . . . .38
Database Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Authentication Software Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
SmartAccess Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Third-Party Portal Integration Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Delivery Services Console Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
System Requirements for Clustering and Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Requirements for Configuring an External Load Balancer. . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
User Device Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Access Gateway Plug-in System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Endpoint Analysis Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Citrix XenApp and XenDesktop Integration Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
System Requirements for Single Sign-on to the Web Interface. . . . . . . . . . . . . . . . . . . . . . .47

Planning Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49


Preliminary Steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Access Gateway 5.0 Pre-Installation Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
User Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Access Gateway Basic Network Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Network Adapter Management Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
RADIUS Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
LDAP Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
RSA SecurID Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Opening Ports Through the Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Citrix XenApp, Citrix XenDesktop, and the Web Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
SmartGroups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Appliance Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Planning for Security with Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Installing Certificates for Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Supporting Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60


Developing Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61


Incorporating Endpoint Analysis Scans into Your Access Strategy. . . . . . . . . . . . . . . . . . . 62
Implementing Firewall Deployments in Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . .62
Protecting Intellectual Property in Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Deploying Access Gateway in Your Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65


Deploying Access Gateway Appliances in the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Access Gateway Connectivity in the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Deploying Access Gateway in the Secure Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Deploying Access Gateway with XenApp or XenDesktop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Deploying Additional Access Gateway Appliances for Load Balancing and Appliance Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Deploying Access Gateway with Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Access Controller Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Deploying Plug-ins for User Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Determining Which Software Plug-in to Deploy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Deployment Options for the Web Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Deploying the Web Interface in the Secure Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Deploying the Web Interface Parallel to Access Gateway in the DMZ. . . . . . . . . . . . . . . .72
Deploying the Web Interface Behind Access Gateway in the DMZ. . . . . . . . . . . . . . . . . . . 73

Installing Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75


Setting Up the Model 2010 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
To physically connect the Access Gateway appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Configuring the Model 2010 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Planning Your Installation of Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Pre-Installation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Post-Installation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Installing Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
To install Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Troubleshooting the Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Uninstalling Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

Installing Licenses on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83


Exchanging or Migrating Existing Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Access Gateway License Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
The Platform License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
The Universal License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
The Express License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Obtaining Your Platform or Universal License Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85


To obtain your platform or universal license file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Migrating Licenses from 4.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
To install a license on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Licensing for Multiple Appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
To obtain licenses from the license server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Licensing Grace Period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
To view licensing information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Upgrading and Migrating to Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91


Upgrading Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Upgrading the Access Gateway Appliance Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
To download the Access Gateway software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
To upgrade the Access Gateway software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
To revert to an earlier software version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
To delete an Access Gateway software version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Upgrading Access Gateway Appliances in an Appliance Failover Pair. . . . . . . . . . . . . . .95
To remove the primary appliance from an appliance failover pair. . . . . . . . . . . . . . . .95
To remove the secondary appliance from an appliance failover pair. . . . . . . . . . . . .95
Upgrading Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
To upgrade Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Migrating to Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Migrating the Appliance to Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Migrating to Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Access Gateway Appliance Migration Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Access Gateway Settings That Are Not Migrated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Access Gateway Appliance Discontinued Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Access Gateway Appliance Migration Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Access Controller Discontinued Settings and Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Migrating from Access Gateway Advanced Edition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Before You Start Your Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Support for Custom Endpoint Analysis Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Checklist for Migrating Settings to Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Migrating Existing Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
To install the Migration Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
To export and convert existing Advanced Access Control configuration data. . . . . . . .111
Importing Cluster Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
To import configuration data to Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
To remove duplicate logon points and redeploy available logon points. . . . . . . . .113


Migrating Custom Endpoint Analysis Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113


Creating Snapshots to Manage Access Gateway Configuration Settings. . . . . . . . . . . . . . . . .114
Managing Snapshots for Appliance Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Managing Snapshots When Using Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
To create a snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
To export a snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
To import a saved snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
To restore an earlier or later version of a snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
To delete a snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Reinstalling the Access Gateway 5.0 Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
To reinstall the Access Gateway software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Restarting or Powering Off Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
To restart Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
To power off Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Managing the Access Gateway Appliance and Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . .121


Managing the Access Gateway Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
In This Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Installing and Managing Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Installing a Signed Digital Certificate and Private Key. . . . . . . . . . . . . . . . . . . . . . . . . . 124
To install a certificate and private key from a Windows-based computer. . . . . . .127
Installing Root Certificates on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Installing Multiple Root Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring Wildcard Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
To view the details of a certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Exporting Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Installing Intermediate Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Adding Network Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Designating Network Adapters for Specific Uses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Redirecting Connections on Port 80 to a Secure Port. . . . . . . . . . . . . . . . . . . . . . . . . . .132
Adding Name Service Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Editing the HOSTS File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Defining Static Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Changing the Date and Time on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Synchronizing Access Gateway with a Network Time Protocol Server. . . . . . . . .136
Setting Up Network Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Installing Additional Access Gateway Appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
How Appliance Failover Works on Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . 138

Setting Up Multiple Appliances to Use an External Load Balancer. . . . . . . . . . . . . 141


Creating Authentication and Authorization Profiles on Access Gateway. . . . . . . . . . . .144
Adding Authentication Profiles on the Access Gateway Appliance. . . . . . . . . . . . .144
Creating LDAP Authentication Profiles on the Appliance. . . . . . . . . . . . . . . . . . . . . . .145
Creating RADIUS Authentication Profiles on the Access Gateway Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Creating RSA SecurID Authentication Profiles on the Access Gateway Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Adding Authorization to the Authentication Profile on the Access Gateway Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Removing Authentication Profiles from Access Gateway. . . . . . . . . . . . . . . . . . . . . . .160
Creating Device Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Types of Device Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Creating a Scan Expression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Building a Device Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Defining Network Resources on the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Configuring Network Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Providing Network Access to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Network Resources Topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
To add a network resource. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
To remove a network resource. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Creating Logon Points on the Access Gateway Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . .169
Logon Point Types and Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Selecting the Authentication Type for Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Logging on to Access Gateway Through the Logon Point. . . . . . . . . . . . . . . . . . . . . .171
To configure a basic logon point on Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . .171
To configure a SmartAccess logon point on Access Gateway. . . . . . . . . . . . . . . . . .172
To set the default logon point on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
To enable SmartAccess logon point visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
To configure double-source authentication and authorization. . . . . . . . . . . . . . . . . . .173
To configure time-out settings for a logon point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
To disable a logon point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
To remove a logon point from Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Adding SmartGroups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
To create a SmartGroup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Configuring SmartGroup Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
To define the home page for users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
To add a logon point to a SmartGroup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
To add device profiles to a SmartGroup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

Configuring Group Membership in a SmartGroup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179


Adding Network Resources to a SmartGroup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Defining Address Pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Selecting Advanced Property Settings for a SmartGroup. . . . . . . . . . . . . . . . . . . . . . .181
Using the Command Line to Configure Access Gateway Appliance Settings. . . . . . .182
Defining Network Settings on the Access Gateway Appliance by Using Express Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Managing Access Gateway by Using the Command Line. . . . . . . . . . . . . . . . . . . . . .185
Enabling SSH Access to the Access Gateway Command Line. . . . . . . . . . . . . . . . .186
Troubleshooting Access Gateway by Using the Command Line. . . . . . . . . . . . . . .187
Managing Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
In This Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Initial Configuration of Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
How the Server Configuration Utility Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Enabling Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Using the Delivery Services Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Installing the Delivery Services Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Managing Administrative Users and Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Deploying the Console to Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
To start the Delivery Services Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
The Delivery Services Console User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Finding Items in Your Deployment by Using Discovery. . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring Settings with the Getting Started Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Customizing Your Display by Creating My Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Creating Authentication and Authorization Profiles on Access Controller. . . . . . . . . . .199
Creating an Active Directory Authentication Profile on Access Controller. . . . . .200
Creating an LDAP Authentication Profile on Access Controller. . . . . . . . . . . . . . . . .201
Creating a RADIUS Authentication Profile on Access Controller. . . . . . . . . . . . . . .202
Assigning Authentication Profiles to Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Authenticating Traffic on Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Creating Logon Points on Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Basic Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
SmartAccess Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Adding a Basic Logon Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Adding a SmartAccess Logon Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
To deploy a logon point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Updating Logon Page Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Setting the Default Logon Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Removing Logon Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Customizing the EPA Remediation Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Adding Resources to Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Creating Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Creating Web Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Creating File Shares. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Using Dynamic Systems Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Creating Resource Groups to Ease Policy Administration. . . . . . . . . . . . . . . . . . . . . .218
Controlling Access Through Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Controlling User Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Integrating Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Creating Access Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Creating Policy Settings to Control User Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Creating Policy Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Setting Conditions for Showing the Logon Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Configuring Document Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Limitations of Clientless Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Reviewing Policy Information with Policy Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Verifying Requirements on User Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Configuring Endpoint Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Creating Endpoint Analysis Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Editing Conditions and Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Scan Packages Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Using Scan Outputs in Other Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Using Data Sets in Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Scripting and Scheduling Scan Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Creating Advanced Endpoint Analysis Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Configuring Clustering and Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
How Clustering and Load Balancing Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
To add Access Controller servers to a cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Administering Multiple Clusters in the Delivery Services Console. . . . . . . . . . . . . .278
To configure load balancing for Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
To configure load balancing for Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
To remove an Access Controller server from the cluster. . . . . . . . . . . . . . . . . . . . . . . .279
To remove an Access Gateway appliance from the cluster. . . . . . . . . . . . . . . . . . . . .279
To use an external load balancer with Access Controller. . . . . . . . . . . . . . . . . . . . . . .279

10 Configuring User Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281


Connection Type Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
How User Connections Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
To open the Citrix Access Gateway Options dialog box from the Start menu. . . . . . .285
Establishing the Secure Tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Tunneling Private Network Traffic over Secure Connections. . . . . . . . . . . . . . . . . . .285
Making Connections Through Firewalls and Proxies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Terminating the Secure Tunnel and Returning Packets to the User Device. . . . . . . . .286
Defining Global Settings for User Connections on the Access Gateway Appliance. . . . . .287
Configuring Single Sign-on with Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Enabling Split Tunneling in Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Authenticating Users After Network Interruption or System Resume. . . . . . . . . . . . . . . .288
Enabling Split DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Enabling Access Gateway Plug-in Session Time-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
To enable Access Gateway Plug-in session time-outs. . . . . . . . . . . . . . . . . . . . . . . . . .289
Connecting with Earlier Versions of the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . .290
To enable earlier versions of the Access Gateway Plug-in to connect to Access Gateway. . . . .290
Closing User Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Configuring Access Gateway Plug-in Settings in Access Controller. . . . . . . . . . . . . . . . . . . . . .291
Create Connection Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Enable Split Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Use Branch Repeater for Application Acceleration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Allow Earlier Versions of the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Enable Endpoint Analysis Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Creating Connection Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
To create a connection policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
To prioritize connection policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Enabling Split Tunneling in Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
To configure split tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Enabling the Repeater Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Granting Access to the Entire Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Installing the Access Gateway Plug-in by Using the Microsoft Installer (MSI) Package. . . . .295
To download and install the MSI package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Installing the MSI Package by Using Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
To use Group Policy to deploy the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . .296
Installing the MSI Package by Using Advertisement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
To extract the MSI and MST files and create an administrative image. . . . . . . . .296
Connecting to Access Gateway and Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Installing the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
To install the Access Gateway Plug-in from an appliance-only deployment. . . .298
To install the Access Gateway Plug-in from an Access Controller deployment. . . . .299
Logging On Through the Logon Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Logging On with the Access Gateway Plug-in for Windows. . . . . . . . . . . . . . . . . . . . . . . . . .299
To log on with the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
To change logon settings on a Windows-based device. . . . . . . . . . . . . . . . . . . . . . . . . 300
To view Access Gateway Plug-in status properties when users are logged on. . . . .300
To disconnect the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Logging On with the Access Gateway Plug-in for Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . 301
To change logon settings on Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Upgrading the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Allowing Users to Log On with Earlier Versions of the Access Gateway Plug-in. . . . 302
To allow users to log on with earlier versions of the plug-in in Access Gateway. . . . .302
To allow users to log on with earlier versions of the plug-in in Access Controller. . . . .302
Providing Logon Information to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Web Browser Security Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Customizing Web Browser Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Adding Proxy Servers for the Access Gateway Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
To manually configure a proxy server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305

11 Integrating Access Gateway 5.0 with XenApp and XenDesktop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307


Providing Access to Virtual Applications and Desktops. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Integrating Access Gateway with XenApp or XenDesktop. . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Establishing a Secure Connection to the Server Farm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Process Overview: User Access to Published Resources in the Server Farm. . . . .309
Setting Up a Web Interface Site to Work with Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . .311
Web Interface Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
XenApp Web Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
XenApp Services Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Setting Up a Web Interface Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Selecting the Access Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Creating a Web Interface Site in XenApp 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Configuring Access Gateway Settings for the Web Interface on XenApp 5.0. . . . .314
Configuring Access Gateway Settings in Web Interface 5.2. . . . . . . . . . . . . . . . . . . . . . . . . 315
Creating a Web Interface 5.3 Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configuring Access Gateway Settings in Web Interface 5.3 . . . . . . . . . . . . . . . . . . .317
Adding XenApp and XenDesktop to a Single Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
To add XenApp or XenDesktop to a single site using Web Interface 5.0 or 5.1. . . . .319
To add XenApp or XenDesktop to a single site using Web Interface 5.2 or 5.3. . . . .319
Creating User Connections to XenApp 6 or XenDesktop 5. . . . . . . . . . . . . . . . . . . . . . . . . .320
Prerequisites for Filtering on Access Gateway Connections. . . . . . . . . . . . . . . . . . . .320
To create a XenApp 6.0 policy filter for Access Gateway connections. . . . . . . . . 320
To create a XenApp 6.0 XML Trusts policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
To create a XenDesktop 5 policy filter for Access Gateway connections. . . . . . .322
To create a XenDesktop 5 XML Trusts policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Enabling Users to Change Their Passwords with Web Interface. . . . . . . . . . . . . . . . . . . .323
Configuring Access Gateway to Communicate with the Web Interface. . . . . . . . . . . . . . . . . . .324
To configure the Access Gateway appliance to use the Secure Ticket Authority. . . .324
To configure ICA Access Control on the Access Gateway appliance. . . . . . . . . . . . . . . .325
To configure the Web Interface as the logon page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Configuring Access Gateway to Use a XenApp Services Site. . . . . . . . . . . . . . . . . . . . . . .326
To configure Access Gateway to connect to the XenApp Services site. . . . . . . . 326
Configuring Single Sign-on to the Web Interface on the Access Gateway Appliance. . . .327
To configure a basic logon point for single sign-on to the Web Interface. . . . . . . . . . . .327
To configure a SmartGroup for single sign-on to the Web Interface. . . . . . . . . . . . . . . . .328
Configuring the Web Interface for Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Guidelines for XenApp 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Guidelines for XenApp 6.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Integrating XenApp and XenDesktop with Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Linking from Access Controller to XenApp or XenDesktop . . . . . . . . . . . . . . . . . . . . . . . . . .330
To link Access Controller and XenApp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Specifying XenApp Server Farms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
To specify server farms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Configuring Address Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Selecting the Access Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Integrating the Web Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
To integrate a XenApp Web site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Preserving Workspace Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Coordinating Access Controller and Web Interface Settings. . . . . . . . . . . . . . . . . . . .334
Adding ICA Access Control on Access Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Defining File Type Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Configuring Load Balancing or Failover for XenApp. . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Integrating Third-Party Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337

12 Maintaining and Monitoring Access Gateway 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339


Setting Up Event Logging on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Types of Available Access Gateway Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Configuring Access Gateway Event Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
To configure the remote server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
To transfer log files to the remote server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Viewing Access Gateway Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
To view Access Gateway logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
To filter Access Gateway logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Viewing Access Gateway Plug-in Connection Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
To view the connection log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
To turn on verbose mode in the client connection log. . . . . . . . . . . . . . . . . . . . . . . . . . .344
Managing Your Access Controller Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Controlling Access by Using Multiple Consoles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
Using Groups in Policy Assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Securing the Delivery Services Console by Using COM+ . . . . . . . . . . . . . . . . . . . . . . . . . . .345
To allow administrators to use the Delivery Services Console. . . . . . . . . . . . . . . . . .346
Enabling Security Between Access Gateway and Access Controller. . . . . . . . . . . . . . . .346
To enable secure communication on Access Controller. . . . . . . . . . . . . . . . . . . . . . . . 347
Enabling Secure Communication on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . .347
To install a root certificate on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
To enable secure communication on Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . .347
Maintaining Availability of the Cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Exporting and Importing Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Changing Service Account and Database Credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
To change the service account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
To change Access Controller to a different database. . . . . . . . . . . . . . . . . . . . . . . . . . .349
Monitoring Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
To access the Session Viewer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
To end user sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Auditing Access to Internal Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Configuring Audit Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
To select events to be logged for a cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
To configure log settings for Access Controller servers. . . . . . . . . . . . . . . . . . . . . . . . .353
To consolidate event logging results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Interpreting Audit Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
To view logging results in the Event Log Consolidator. . . . . . . . . . . . . . . . . . . . . . . . . . 354
Troubleshooting User Access to Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355


Chapter 1

How to Use This Guide


This user guide is intended for system administrators responsible for installing, configuring, and administering Access Gateway 5.0. This document assumes that Access Gateway is connected to an existing network and that the administrator has experience configuring that network.

The configuration steps in this document cover the installation of Access Gateway as a standalone appliance, the deployment of Access Gateway with XenApp or XenDesktop, and the deployment of Access Gateway with the optional component, Access Controller.

Note: For the latest documentation on Access Gateway 5.0, refer to the Citrix eDocs library.


Chapter 2

About This Release

Topics:
• Introduction
• Key Features

What's New

Citrix Access Gateway 5.0 provides new features and functionality for user connections. Access Gateway 5.0 introduces the Access Gateway Management Console, a Web-based application that you can use to implement the following new features and network configuration options:
• SmartGroups
• Logon Points
• Device Profiles
• Snapshots
• Appliance failover
• Clustering and load balancing with Access Controller

New features in Access Controller include the Delivery Services Console, Active Directory authentication (not LDAP), advanced endpoint analysis, central control of multiple Access Gateway appliances, and centralized logging.

This section introduces Access Gateway, new and key features for Access Gateway and Access Controller, and known issues for Access Gateway, Access Controller, and the Access Gateway Plug-in.


Introduction

Before you install and configure Access Gateway, plan your deployment. This can include where to install the appliance, whether to install multiple appliances in the DMZ, whether to deploy the optional Access Controller software on Windows Server 2008, and where to install licenses. You can also use the Access Gateway Pre-Installation Checklist to write down your settings before you configure Access Gateway.

Access Gateway can be installed in any network infrastructure without requiring changes to the existing hardware or software running in the secure network. It works with other networking products, such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.

Before you install Access Gateway, review the following topics for information about getting started with Access Gateway.

Access Gateway 5.0 Pre-Installation Checklist on page 51: Provides planning information to review and a list of tasks to complete before you install Access Gateway in your network.

Deploying Access Gateway in Your Network on page 65: Provides information about deploying the Access Gateway in the network demilitarized zone (DMZ), in a secure network without a DMZ, and with additional appliances to support load balancing and failover. Also provides information about deploying Access Gateway with Citrix XenApp and Citrix XenDesktop.

Migrating to Access Gateway 5.0 on page 96: Provides information about migrating to Access Gateway and Access Controller from previous versions. Includes information about migrated settings and discontinued features.

Access Gateway Management Console on page 26: Provides information about using the Access Gateway Management Console and configuring settings using the Management Console.

Installing Licenses on Access Gateway on page 83: Provides information about installing licenses on the appliance and using Citrix Licensing to manage licenses. Also provides information about installing licenses on multiple Access Gateway appliances.

Key Features

Access Gateway is easy to deploy and simple to administer. The most typical deployment configuration is to locate the Access Gateway appliance in the demilitarized zone (DMZ). You can install multiple Access Gateway appliances in the network for more complex deployments. You can also deploy Access Controller for additional capabilities.

The first time you start Access Gateway, you use the Access Gateway Management Console to configure the basic settings that are specific to your internal network, such as the IP address, subnet mask, default gateway IP address, and Domain Name System (DNS) address. After you complete configuration of the basic network settings, you then configure the settings specific to the Access Gateway operation, such as the options for authentication, authorization, network resources, logon points, SmartGroups, address pools, and device profiles to configure endpoint policies.

The key features of Access Gateway are:
• Authentication
• Termination of encrypted sessions
• Access control (based on permissions)
• Data traffic relay (when the first three functions are met)
• Support for multiple logon points

Access Controller Components and Features


Access Controller expands your Access Gateway environment through the following
standard components and features:
w Centralized administration. In deployments with multiple appliances, you use the
Delivery Services Console to define authentication and access control policies in one
location. You can also configure settings so that policy enforcement occurs on all
appliances in the environment. The Delivery Services Console is the same tool that
you use to configure Citrix XenApp and Citrix XenDesktop.
w Windows authentication using Active Directory. Instead of relying on LDAP or
RADIUS protocols for authentication, Access Controller can use native Windows
authentication APIs to locate an appropriate domain controller and authenticate
users from multiple trusted domains.
w Clientless access to Web sites and file shares. Using Access Controller, you can
define and control access to Web and file resources. When users log onto Access
Gateway, they are presented with a dynamically generated access navigation page
with links to the resources they have permission to access.

Chapter 2

About This Release


w Advanced endpoint analysis. Access Controller enables more advanced endpoint
analysis scans, including:
  - Detection of antivirus and personal firewall software by McAfee, Symantec,
    Norton, and TrendMicro
  - Support for Windows Security Center for Windows XP SP3 and Windows Vista, and
    Action Center for Windows 7
  - Increased client network bandwidth
  - Support for Windows service packs and updates
  - Support for user device MAC addresses
w Endpoint Analysis SDK. Customers and partners can use the Citrix Endpoint Analysis
SDK for Access Controller to extend endpoint analysis scans.
w Enhanced Availability. When you deploy multiple appliances, Access Controller can
intelligently distribute incoming traffic across the multiple appliances and multiple
controller servers.

Access Gateway Modes of Operation


You can use Access Gateway in one of the three following ways:
w Connections through the appliance only. In this scenario, Access Gateway is
installed as a standalone appliance in the demilitarized zone (DMZ). Users connect
directly to Access Gateway using the Citrix Access Gateway Plug-in and can then
access network resources, such as e-mail and Web servers.
w Connections using the Web Interface, Citrix XenApp, or Citrix XenDesktop. In this
scenario, users log on to the Web Interface. Then, they connect to their applications
on XenApp or to published desktops on XenDesktop. Depending on how Access
Gateway is deployed with XenApp, users can connect exclusively with Citrix XenApp
online plug-ins, with the Access Gateway Plug-in, or they can have simultaneous
connections using both plug-ins. For more information, see Deploying Access
Gateway with XenApp or XenDesktop on page 68.
w Connections using Access Controller. In this scenario, Access Gateway is installed
in the DMZ. You configure the initial TCP/IP settings for the appliance during
installation of the appliance. To configure advanced settings to manage Access
Gateway, you use the Delivery Services Console that comes with Access Controller.
For more information, see Deploying Access Gateway with Access Controller on page
69.

Compatibility with Citrix Products


The following table lists the Citrix product names and versions with which Access
Gateway Version 5.0 is compatible.

Citrix product      Release version
Branch Repeater     5.7 and 5.5
NetScaler           9.2 and 9.1
Web Interface       5.4 and 5.3
XenApp              6.0 for Windows Server 2008 R2;
                    5.0 Feature Pack 2 for Windows Server 2003;
                    5.0 (Windows Server 2003 and 2008)
XenDesktop          5.0 and 4.0
XenServer           5.6 and 5.5

Terminology Changes
With the release of Access Gateway 5.0, some of the terminology used to describe
product components has changed. The following list contains updated terminology for
the client software, Citrix XenApp, and the management consoles.

From -> To
access server farm -> cluster
Administration Tool -> Access Gateway Management Console
Administration Portal -> Access Gateway Management Console
Access Management Console -> Citrix Delivery Services Console (for XenApp,
    XenDesktop, and Access Controller); Citrix Web Interface Management (for Web
    Interface 5.2 and 5.3)
authentication realm -> authentication profile
Program Neighborhood Agent -> Citrix XenApp Plug-ins (Version 11.0); Citrix online
    plug-ins (Version 11.2 and later)
Citrix WANScaler -> Citrix Branch Repeater
Citrix Web Client -> Citrix XenApp Web Plug-in
Endpoint Analysis Client -> Endpoint Analysis Plug-in
endpoint analysis policies -> device profiles (applies to the appliance only)
IP pools -> address pools
default home page or navigation page -> Access Interface
WANScaler Client -> Repeater Plug-in
Web Client -> Citrix Web Plug-in

What's New
Access Gateway 5.0 includes the following new features on the appliance:
w Access Gateway Management Console. The Management Console replaces the
Administration Tool and Administration Portal in earlier versions of the appliance.
The Management Console, a Web-based application, makes it easy to install
certificates, configure access control, and monitor activity from any Flash-enabled
Web browser.
w Authentication profiles. Authentication profiles replace authentication realms. You
can configure LDAP, RADIUS, and RSA profiles on the appliance. You can configure
double-source authentication using logon points. You can also use Active Directory
authentication on Access Controller. For more information about configuring
authentication on Access Gateway or Access Controller, see Creating
Authentication and Authorization Profiles on Access Gateway on page 144 or
Creating Authentication and Authorization Profiles on Access Controller on page
199.
w Logon points. Each Access Gateway appliance can host multiple logon points to
support different features or different user communities. You can configure Basic
and SmartAccess logon points. Basic logon points allow users to connect with Citrix
online plug-ins only, providing access to virtual applications or desktops. Users do
not need a Universal license to log on using a basic logon point. SmartAccess logon
points allow users to connect with the Access Gateway Plug-in and have greater
access to network resources.
w SmartGroups. SmartGroups in Access Gateway contain a collection of settings that
group users according to their identity, authentication and authorization type, and
the results of endpoint analysis (as defined in device profiles). First, you define the
criteria users must match to become a member of a SmartGroup, and then you
define the network resources, actions, and other settings for the SmartGroup.
w Device profiles. You can configure endpoint analysis scans using device profiles. If
you enable a device profile within a logon point, the endpoint analysis scan
determines if users receive the logon page and subsequently log on. If you enable a
device profile in a SmartGroup, the device profile you select determines whether
the user receives the permissions for that SmartGroup.
w Snapshots. You can take a snapshot of the appliance configuration at a given point
of time. You can export snapshots to your computer and you can revert to an earlier
snapshot. Using the Snapshots tab in the Management Console, you can upgrade to
new Access Gateway software versions.
w Appliance failover. You can configure two Access Gateway appliances as a failover
pair. The appliances operate in active/passive mode, in which the primary appliance
services all user connections, and the secondary appliance monitors the primary
appliance and synchronizes session information. If the primary appliance fails, the
secondary appliance takes over. For more information, see Deploying Additional
Access Gateway Appliances for Load Balancing and Appliance Failover on page 68.

What's New in Access Controller


New features in Access Controller include:
w Enhanced Availability. In Access Gateway 5.0, when multiple servers are running
Access Controller, the servers are referred to as a cluster. Multiple appliances and
multiple controllers work together to ensure uninterrupted availability of the solution.
w Advanced endpoint interrogation options. You can configure endpoint analysis
requirements on Access Controller. You can use the built-in options for creating scan
packages. You can also create scan packages and an updated Endpoint Analysis
Plug-in using the Citrix Portal powered by OPSWAT.
w Advanced authentication options. In addition to LDAP, RADIUS, and RSA
authentication, you can configure Active Directory authentication profiles in Access
Controller.
w Centralized control of multiple Access Gateway appliances. You can use the
cluster and load balancing feature to create a cluster of Access Controller servers
and then load balance the servers and Access Gateway appliances.
w Session sharing across multiple Access Gateway appliances. When users log on,
Access Gateway routes the connection to the Access Controller server. Then Access
Controller routes the session to an appliance in the network, sharing sessions across
appliances.


w Centralized access logging. You can configure logging on Access Gateway to meet
regulatory requirements and to monitor user access to the network.
w Delivery Services Console. The Access Controller administration tool is more
closely aligned with XenApp and XenDesktop.

Access Gateway Management Console


When the Access Gateway appliance is physically installed in your network and you
have configured the initial TCP/IP settings, you can then use the Access Gateway
Management Console to configure additional settings. In the Management Console, you
install licenses and certificates, and configure settings for the following features:
w Address pools
w Authentication
w Authorization
w Device profiles for configuring endpoint policies
w Logon points
w Network resources
w SmartGroups

Configuring Access Gateway by Using the Management


Console
The Access Gateway Management Console provides a convenient Web-based interface
that you can use to perform administrative tasks on Access Gateway. The Management
Console contains all Access Gateway configuration controls.
In the Management Console, you can:
w Change the administrator password
w View appliance statistics
w Configure network settings
w Monitor network connections
w View Access Gateway logs
w Install and manage certificates
w Upload licenses to the Access Gateway appliance
w Create device profiles and enable them within logon points and SmartGroups
w Upload a saved configuration or a software upgrade
w Save the Access Gateway configuration
w Restart and shut down Access Gateway
If you choose to use Access Controller as part of your deployment, you configure the
settings for one Access Controller server on Access Gateway. When Access Gateway
connects to Access Controller, Access Gateway automatically discovers all Access
Controller servers in the cluster.
Note: You can choose which network adapter to use to manage Access Gateway.
Access Gateway VPX supports more than two network adapters, so you can choose
which one to use for the management role. For more information about specifying the
network adapter to use to access the Management Console, see Designating Network
Adapters for Specific Uses on page 131.

To log on to the Access Gateway Management Console


1. In a Web browser, type the IP address and administrator logon point for the
Management Console.
For example:
https://AccessGatewayIPAddress/lp/adminlogonpoint/
2. In User name, type admin.
3. In Password, type the default password of admin or the new password if it was
changed using the serial console.
4. Click Log On to open the Management Console.
Note: To view the Management Console as full screen, click the Maximize button
or press F11.

To change the administrator password in the Management


Console
Access Gateway has a default administrator user account that allows full access to the
appliance.
The preconfigured default user name is admin and the password is admin. You can
change the administrator password in the Access Gateway Management Console or the
serial console. To protect Access Gateway from unauthorized access, Citrix
recommends that you use the serial console to change the administrator password
when you first install the appliance in the network.
Note: To reset the root administrative password to its default password, you must
reinstall the Access Gateway appliance software. The new password can be from 6
through 127 characters in length. The password cannot begin or end with a space.
1. In the Access Gateway Management Console, click the Management tab.
2. Under System Administration, click Password.
3. Under Administrative Password, type the current password and then type the new
password in the required fields.
4. Click Save.


Logon Points Overview


On Access Gateway, a logon point defines the logon page for users and specifies the
settings that are applied to user sessions. These settings include the required
authentication and authorization type, logon point type, the client software to use,
and device profile settings.
Access Gateway supports the following two types of logon points:
w Basic. A basic logon point is used for XenApp or XenDesktop connections only.
Endpoint analysis, connections using the Access Gateway Plug-in, SmartAccess, and
other advanced features are disabled. Basic functionality is enabled by a platform
license that supports an unlimited number of users. Users do not consume an Access
Gateway Universal license when logging on with a basic logon point.
Authenticated users who log on from a Web browser are redirected to a single URL,
which is usually a Web Interface server on the secure network.
w SmartAccess. SmartAccess logon points allow connections from the Access Gateway
Plug-in and Citrix online plug-ins. All Access Gateway features offered by a combination
of the appliance and Access Controller are available to users, including clientless
access, device profiles, advanced endpoint analysis, and SmartAccess filters for
XenApp and XenDesktop. Users consume one Access Gateway Universal license upon
logon.
For more information about logon points, see Creating Logon Points on the Access
Gateway Appliance on page 169.

SmartGroups Overview
SmartGroups contain a collection of settings that group users according to their
identity, location, authentication type, and the results of endpoint analysis (as defined
in device profiles). First, you define the criteria users must match to become a
member of a SmartGroup. Then, you define the network resources, actions, and other
settings for the SmartGroup.
You can define one or more SmartGroups on the Access Gateway appliance to control
access to resources. You can also configure logon points that define the criteria for
becoming a member of a SmartGroup.
For more information about using and configuring SmartGroups, see Adding
SmartGroups on page 175.

Device Profiles Overview


You can use device profiles to create a profile that checks a user device against a set of
criteria when a user logs on to the network. Before the user is allowed to access the
network, the device must meet the criteria that you set up in the device profile. For
example, an administrator at ACME corporation might define a device profile named
Company-owned Vista laptop which matches Windows Vista computers that belong to
the ACME domain and include a watermark value in the Windows registry. If the user
device matches those criteria, the user is allowed to log on to the network.

After you configure a device profile, you can enable it within a logon point and within a
SmartGroup as follows:
w You configure logon points on the Access Gateway appliance. Logon points define
the logon page for users and specify which settings, such as a device profile, are
applied to user sessions. For more information about logon points, see Creating
Logon Points on the Access Gateway Appliance on page 169.
w You define SmartGroups on the Access Gateway appliance to control access to
resources. When you enable a device profile in the SmartGroup, the device profile
determines the user access permissions for that SmartGroup. For more information
about SmartGroups, see Adding SmartGroups on page 175.
For more information about device profiles, see Creating Device Profiles on page 160.

Snapshots Overview
You use configuration snapshots to capture all the Access Gateway settings, licenses,
and certificates for a specific point in time. The feature allows you to easily restore
your configuration settings by importing a saved snapshot if, for example, you need to
reimage the appliance.
When you install Access Gateway 5.0 for the first time, the Access Gateway appliance
creates a snapshot of the configuration automatically. In addition, when you switch
Access Gateway to use Access Controller, the appliance creates a configuration
snapshot automatically. You can also take snapshots at different periods of time, such
as after you configure the initial settings or create logon points or SmartGroups.
For more information about snapshots, see Creating Snapshots to Manage Access
Gateway Configuration Settings on page 114.

Network Resources Overview


Network resources identify the areas in the secure network that you allow users to
access. For example, you can grant a user access to a single file share or you can give
the user complete access to all the resources on the network.
After you create network resources in the Access Gateway Management Console, you
configure SmartGroups to allow or deny access to the network resource.
For more information about network resources, see Defining Network Resources on the
Appliance on page 165.

Delivery Services Console Overview


The Citrix Delivery Services Console extends your ability to manage your deployment by
integrating many of the administrative features of your Citrix products into the
Microsoft Management Console (MMC). You use the Delivery Services Console to
configure settings on Access Controller.
The Delivery Services Console is a standalone snap-in to the MMC. Management
functionality is provided through a number of management tools (extension snap-ins)
that you can select when you install Citrix Access Controller, or you can add to the
console at a future time.
You can install the Delivery Services Console on any computer in your network. For
more information, see Delivery Services Console Requirements on page 40.
The Delivery Services Console replaces the Access Management Console. For more
information, see Using the Delivery Services Console on page 196.

Clustering and Load Balancing Overview


You can deploy multiple servers running Access Controller along with multiple Access
Gateway appliances. When you deploy this configuration, you create a cluster. When
you create a cluster, you configure the Access Gateway appliance with the settings of
one Access Controller server. The appliance then discovers automatically all of the
Access Controller servers in the cluster.
Access Controller also provides load balancing of user connections. This built-in feature
eliminates the need for an external load balancer. You provide the Access Gateway Web
address to your users. One Access Gateway in your deployment monitors all user
connections and then determines to which Access Controller to send the connection
request. When Access Gateway contacts Access Controller, the server then determines
to which Access Gateway to redirect the session.
For more information about clustering and load balancing, see Configuring Clustering
and Load Balancing on page 276.

Advanced Endpoint Analysis Overview


You can create advanced endpoint analysis scans using the Citrix Endpoint Analysis
Portal, powered by OPSWAT. You can create custom endpoint analysis scans for a wide
variety of products.
When you configure advanced endpoint analysis, you can create a scan policy that
contains the software versions you require on user devices. For example, you can
create a policy scan for Norton and McAfee antivirus applications. Then, you download
the policy file, a custom configuration (.cab) file, and the Endpoint Analysis Plug-in to
your computer from the Citrix Endpoint Analysis Portal. You can then import these files
to Access Controller. When users log on, the Endpoint Analysis Plug-in installs
automatically on the user device and checks to make sure the required software is on
the device. If it is, the user device passes the scan and users can log on.
For more information about Advanced Endpoint Analysis, see Creating Advanced
Endpoint Analysis Scans on page 269.

Discontinued Features and Functionality


The following list gives the features and functionality that are deprecated or
removed in Access Gateway 5.0, with a comment where the guide provides one. For a
list of discontinued features, as well as settings for both Access Gateway and Access
Controller, see the following topics:
w Access Gateway Appliance Discontinued Settings on page 101
w Access Controller Discontinued Settings and Features on page 107
w Upgrading and Migrating to Access Gateway 5.0 on page 91

Discontinued feature: Comment
w Double-hop demilitarized zone (DMZ)
w Dynamic routing with the Routing Information Protocol (RIP)
w Windows NT LAN Manager (NTLM) as an authentication method
w Locally defined users on Access Gateway: Users are determined based on group
  membership in the SmartGroup.
w Administration Tool: This feature is replaced by the Access Gateway Management
  Console.
w Administration Portal: This feature is replaced by the Access Gateway Management
  Console.
w HTML Preview: This feature was part of Access Gateway Advanced Edition and is
  removed from Access Controller.
w LiveEdit: This feature was part of Access Gateway Advanced Edition and is removed
  from Access Controller.
w Web e-mail: This feature is replaced by Outlook Web Access or Outlook Web App.

Chapter 3

System Requirements
Topics:
w Access Gateway Appliance Requirements
w Access Controller System Requirements
w System Requirements for Clustering and Load Balancing
w User Device Requirements
w Citrix XenApp and XenDesktop Integration Requirements

This section describes the system requirements for the Citrix Access Gateway
appliance and Citrix Access Controller.
Before you install the Access Gateway appliance in your
network, review the topics in the section Access Gateway
Appliances. You can learn about the appliance hardware,
installing the appliance in a rack and in your network, and
how to configure the appliance for the first time.
You can install Access Controller in your network after you
install the Access Gateway appliance. Access Controller
requires the appliance as part of the network solution. Before
you install Access Controller, review the system requirements
in this section. These include requirements for:
w Server roles, services and features
w Network
w Account
w Database
w Features
w Endpoint analysis
w Authentication
w XenApp and XenDesktop integration
w SmartAccess
w Third-Party portal integration
w User devices
w Delivery Services Console


Access Gateway Appliance Requirements


You can install Citrix Access Gateway in any network infrastructure without making
changes to the existing hardware or back-end software. Access Gateway works with
other networking products, such as server load balancers, cache engines, firewalls,
routers, and IEEE 802.11 wireless devices.
Citrix recommends installing Access Gateway in the network demilitarized zone (DMZ).
When installed in the DMZ, Access Gateway participates on two networks: a private
network and the Internet with a publicly routable IP address. You can also use Access
Gateway to partition local area networks internally in the organization for access
control and security. You can create partitions between wired or wireless networks and
between data and voice networks.
Access Gateway 5.0 is supported on the Model 2010 appliance. After you install and
configure the appliance for the first time, you can use the Access Gateway Management
Console to configure the rest of your settings. For more information about the
appliance hardware, see Access Gateway Appliances.

Model 2010 Specifications


The Model 2010 appliance is a standard 1U 19 inch rack-mountable appliance that
supports up to 500 concurrent users.
The 2010 appliance has the following ports:
w Two front-mounted 10/100/1000 Ethernet ports
w One RS232 front-mounted serial console port
w One rear-facing USB port

Access Gateway Management Console Requirements

To use the Management Console effectively, keep the following minimum display
requirements and recommendations in mind:
w The Management Console display size is 1024 x 800.
w The Management Console requires Adobe Flash Player version 10.1.
w When running the Management Console on a laptop, hide all toolbars to provide
more screen space for the console.
w To view the Management Console as full screen, click the Maximize button or press
F11.


Access Controller System Requirements


Before installing Access Controller, verify that your servers meet the hardware and
software requirements.
Important: To ensure that your Access Controller installation progresses smoothly,
use servers that are not configured as domain controllers. During installation, Access
Controller adds a service account to the local Administrators group that is not present
on a domain controller. If you attempt to install Access Controller on a domain
controller, Access Controller cannot add the service account and the installation fails.

System Requirements
The following are the recommended hardware and software requirements for Access
Controller:
w Computer with a one gigahertz (GHz) processor. Citrix recommends a two GHz dual
core processor.
w 2048 megabytes (MB) of RAM minimum. Citrix recommends four gigabytes (GB) or
more.
w 40 GB of available hard disk space. Citrix recommends 100 GB or more.
w Microsoft Windows Server 2008 32-bit, Standard Edition or Enterprise Edition, with
all service packs and updates.
w Microsoft Windows Server 2008 64-bit, Standard Edition or Enterprise Edition, with
all service packs and updates.
w Microsoft Windows Server 2008 R2 64-bit, Standard Edition or Enterprise Edition,
with all service packs and updates.
w IIS 7.0 with the IIS 6 Metabase Compatibility components and ASP.NET.
w Microsoft Windows Installer 4.5.
w Microsoft .NET Framework 3.5 with Service Pack 1.
w Application server with Microsoft Windows Communication Foundation (WCF) with
HTTP activation enabled.
w COM+ network access enabled.
In the Internet Information Services (IIS) Management Console make sure you allow
ASP.NET on the ISAPI and CGI Restrictions feature page before installing Access
Controller.
If you configure Windows Server 2008 to be a Terminal Server, installation of Access
Controller is not supported.


Access Controller Server Roles, Services, and Features

Before you install Access Controller, make sure you enable the following roles, services,
and features on the Windows server. Application Server and Web Server are listed under
Roles. The .NET Framework 3.5 is listed under Features in Server Manager.

Application Server
w Application Server Foundation
w Web Server Internet Information Services (IIS) Support
w COM+ Network Access

Web Server (IIS)

In Web Server, enable the following:
w Common HTTP features
w Static Content
w HTTP Errors
In ISAPI and CGI Restrictions, enable ASP.NET.
In Management Tools, enable the following:
w IIS Management Scripts and Tools
w Management Service
w IIS 6 Management Compatibility
  - IIS 6 Metabase Compatibility
  - IIS 6 Windows Management Instrumentation (WMI) Compatibility
  - IIS 6 Scripting Tools

.NET Framework 3.5.1 Features

w .NET Framework 3.5.1
w Windows Communication Foundation (WCF) Activation
  - HTTP Activation
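The checks and role enablement above can be scripted before running the Access Controller installer. The following PowerShell is an added example, not part of the Citrix guide or the product: it refuses to run on a domain controller or a workgroup member (the two conditions this chapter says make installation fail), installs whichever of the listed roles and features are missing, and allows ASP.NET in the IIS ISAPI and CGI Restrictions list. It assumes Windows Server 2008 R2 with the ServerManager PowerShell module and an elevated session; the feature identifiers are the ServerManager names as I know them, so confirm them with Get-WindowsFeature on your own build. On Windows Server 2008 (non-R2) there is no ServerManager module; use ServerManagerCmd.exe -install with the same identifiers.

```powershell
# Added example, not from the Citrix guide: pre-install checks and role/feature
# enablement for a server that will run Access Controller.
# Assumptions: Windows Server 2008 R2, ServerManager module, elevated session, and
# the ServerManager feature identifiers below (verify with Get-WindowsFeature).
Import-Module ServerManager

# 1. Stop early on a domain controller or a workgroup member (see the Important note
#    under Access Controller System Requirements and the Network Requirements note).
$cs = Get-WmiObject Win32_ComputerSystem
# DomainRole: 0/1 workstation, 2 standalone server, 3 member server, 4/5 domain controller
if ($cs.DomainRole -ge 4) {
    throw 'Domain controller: setup cannot add the service account to local Administrators.'
}
if (-not $cs.PartOfDomain) {
    throw 'Workgroup member: the Server Configuration Wizard will not run.'
}

# 2. Roles and features required by Access Controller, keyed to the list above.
$features = @(
    'Application-Server',   # Application Server role
    'AS-NET-Framework',     # Application Server Foundation
    'AS-Web-Support',       # Web Server (IIS) Support
    'AS-Ent-Services',      # COM+ Network Access
    'AS-HTTP-Activation',   # WCF Activation > HTTP Activation
    'Web-Server',           # Web Server (IIS) role
    'Web-Static-Content',   # Common HTTP Features > Static Content
    'Web-Http-Errors',      # Common HTTP Features > HTTP Errors
    'Web-Asp-Net',          # ASP.NET (also creates the ISAPI restriction entries)
    'Web-Scripting-Tools',  # IIS Management Scripts and Tools
    'Web-Mgmt-Service',     # Management Service
    'Web-Metabase',         # IIS 6 Metabase Compatibility
    'Web-WMI',              # IIS 6 WMI Compatibility
    'Web-Lgcy-Scripting',   # IIS 6 Scripting Tools
    'NET-Framework-Core',   # .NET Framework 3.5.1
    'NET-HTTP-Activation'   # .NET Framework 3.5.1 > WCF Activation > HTTP Activation
)
$missing = @(Get-WindowsFeature | Where-Object { $features -contains $_.Name -and -not $_.Installed })
if ($missing.Count -gt 0) {
    $names = @($missing | ForEach-Object { $_.Name })
    Write-Host "Installing: $($names -join ', ')"
    $result = Add-WindowsFeature -Name $names
    if (-not $result.Success) { throw 'Feature installation failed; review the Server Manager log.' }
    if ("$($result.RestartNeeded)" -ne 'No') { Write-Warning 'Restart before installing Access Controller.' }
} else {
    Write-Host 'All required roles and features are already installed.'
}

# 3. Allow ASP.NET in IIS "ISAPI and CGI Restrictions" (the explicit pre-install step
#    above). The aspnet_isapi.dll entry exists once Web-Asp-Net is installed.
$fw     = if ([IntPtr]::Size -eq 8) { 'Framework64' } else { 'Framework' }
$isapi  = "$env:windir\Microsoft.NET\$fw\v2.0.50727\aspnet_isapi.dll"
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
& $appcmd set config -section:system.webServer/security/isapiCgiRestriction "/[path='$isapi'].allowed:True" /commit:apphost

# 4. Print the resulting list so the allowed entries can be checked by eye.
& $appcmd list config -section:system.webServer/security/isapiCgiRestriction
```

Run it once before the installer and again after any reboot it requests; a second run is a no-op apart from the appcmd lines. Only the ISAPI entry for the current process architecture is allowed, which is what the Access Controller site needs; leave the other architecture's entry blocked unless something else on the server needs it.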

Network Requirements
Before installing Access Controller, ensure that your network configuration meets the
following requirements:


w The computers or resources that users access are connected to the deployed servers
running Access Controller.
w The server running Access Controller is one of the following:
  - A member of the domain to which users who authenticate to the server belong.
  - A member of a domain that trusts and is trusted by the domains of the
    authenticating users.
w In a multi-domain environment, trust relationships are established so that users in
all domains can authenticate and access resources.
w To provide access from the Internet, a Domain Name System (DNS) host record must
resolve to the public IP address of the Access Gateway appliance.
Note: To configure Access Controller successfully, the server must belong to a
domain. If the server running Access Controller is a member of a workgroup and not a
domain, the Server Configuration Wizard does not run.

Account Requirements
Before you install Access Controller, the following server accounts are required.

Microsoft SQL Server User Account Requirements


When creating a cluster, Access Controller requests an account for access to SQL
Server. The specified account must permit Access Controller to create a database for
the cluster and then permit Access Controller to connect to the database.
To create the database during installation, at a minimum, the account must be a
member of the Database Creators (dbcreator) fixed server role on SQL Server. After
Access Controller creates the database, you must add the database users to the
db_datareader and db_datawriter database roles.
SQL Server 2008 supports Windows Authentication mode, which requires Windows user
accounts for access. SQL Server 2008 also supports Mixed Mode, which accepts Windows
user accounts and SQL Server accounts.
When you first install Access Controller and create a cluster, Access Controller Server
Configuration creates a database with the same name as the cluster. Server
Configuration does not create additional databases when you add servers to a cluster.
The new servers connect to the database on the original SQL server if you choose to
join an existing cluster.
Note: The database creation and access requirements in this section apply to both
SQL Server authentication and Windows authentication for database user accounts.
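Granting exactly these rights, and nothing more, is easy to get wrong by reaching for sysadmin. The PowerShell below is an added example, not part of the Citrix guide or the product: it runs the T-SQL for both steps described above through System.Data.SqlClient, adds the login to dbcreator before installation, and, once Server Configuration has created the database named after the cluster, maps the login into it with db_datareader and db_datawriter, then checks the collation requirement from the Database Requirements section. It assumes SQL Server 2008, a caller with sysadmin rights connecting with Windows authentication, and that the Access Controller account is a Windows login; $Instance, $Login and $ClusterName are placeholders.

```powershell
# Added example, not from the Citrix guide: minimum SQL Server rights for the account
# that Access Controller Server Configuration uses, before and after the database exists.
# Assumptions: SQL Server 2008, the caller is sysadmin and uses Windows authentication,
# and $Login is a Windows account (for a SQL login under Mixed Mode use
# CREATE LOGIN ... WITH PASSWORD instead). All three values below are placeholders.
$Instance    = 'sql01\ACCESS'               # placeholder
$Login       = 'CORP\svc-accesscontroller'  # placeholder: account entered in Server Configuration
$ClusterName = 'AGCluster'                  # placeholder: the database is named after the cluster

function Invoke-Tsql([string]$Database, [string]$Sql, [switch]$Scalar) {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        if ($Scalar) { return $cmd.ExecuteScalar() }
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

# Escape once per T-SQL context the names appear in: [bracketed identifier] and N'literal'.
$idLogin  = $Login.Replace(']', ']]')
$litLogin = $Login.Replace("'", "''")
$idDb     = $ClusterName.Replace(']', ']]')
$litDb    = $ClusterName.Replace("'", "''")

# Step 1, before installing Access Controller: dbcreator is enough to create the
# cluster database; do not hand out sysadmin.
function Grant-AcDatabaseCreator {
    Invoke-Tsql 'master' @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$litLogin')
    CREATE LOGIN [$idLogin] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$litLogin', @rolename = N'dbcreator';
"@
}

# Step 2, after Server Configuration has created the database: map the login into it
# and grant read/write. Substitute db_owner only when the service account is a local
# user account, as the Service Account Requirements section requires.
function Grant-AcDatabaseAccess {
    Invoke-Tsql $ClusterName @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$litLogin')
    CREATE USER [$idLogin] FOR LOGIN [$idLogin];
EXEC sp_addrolemember N'db_datareader', N'$litLogin';
EXEC sp_addrolemember N'db_datawriter', N'$litLogin';
"@
    # Database Requirements: the collation must be case-insensitive so resource names stay unique.
    $collation = Invoke-Tsql 'master' "SELECT CAST(DATABASEPROPERTYEX(N'$litDb', 'Collation') AS nvarchar(128))" -Scalar
    if ($collation -match '_CS_') {
        Write-Warning "Collation $collation of [$idDb] is case-sensitive; recreate the database with a CI collation."
    }
    return $collation
}

Grant-AcDatabaseCreator
$exists = Invoke-Tsql 'master' "SELECT COUNT(*) FROM sys.databases WHERE name = N'$litDb'" -Scalar
if ($exists -eq 0) {
    Write-Host "Login $Login is in dbcreator on $Instance. Run Server Configuration, then rerun this script."
} else {
    $collation = Grant-AcDatabaseAccess
    Write-Host "Login $Login has db_datareader/db_datawriter in [$idDb] on $Instance (collation $collation)."
}
```

Both steps are idempotent, so the script can be run before installation and again after the cluster database appears. Run it with an account that is only temporarily sysadmin; the Access Controller login itself never needs more than dbcreator plus the two database roles.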

Service Account Requirements


When you install Access Controller and create a new cluster, the Server Configuration
Wizard prompts you for an account to use for communicating with services and servers
in the cluster. This account is referred to as the service account. You must specify an
existing account to be the service account. If you do not have a service account, create
one prior to installing Access Controller. Valid service accounts meet the following
requirements:
w The service account must be a member of the local Administrators group on every
server in the cluster.
w The service account must be enabled and not subject to password expiration or
other credential changes. If you remove the service account, the operation of the
cluster ceases.
w The service account can be a local user account only if you are creating a
single-server cluster and do not intend to scale up the cluster. You cannot install
Access Controller on multiple servers with a local user account selected for the
service account. Citrix strongly recommends using a domain account instead of a
local user account when installing Access Controller.
Important: If you specify a local user account as the service account, ensure that
the local user account also has owner permissions for the database Access
Controller creates during Server Configuration. If the local user account does not
have database owner permissions, some features might not be available to users.
w In an Active Directory environment, when specifying the service account user name
as User Principal Name (UPN) or alternate UPN format, you must enter the full
domain name.
If necessary, you can change the service account after installing Access Controller.
Note: If you are deploying Access Controller in an environment where the Restricted
Group policy is used to control the membership to the local Administrators group,
ensure that the user associated with the service account is in a group added by the
Restricted Group policy.

Applying Security Templates with the Service Account


Your IT policy may require that you apply security templates to reduce the attack
surface area of your Windows-based servers. The Highly Secure template (Hisecws.inf)
removes the service account from the local Administrators group when you apply the
template after installing Access Controller. After you apply this security template, add
the service account back to the local Administrators group. Otherwise, Access
Controller will not function correctly.

Database Requirements
Access Controller supports the following database packages:
• Microsoft SQL Server 2008
• Microsoft SQL Server Express 2008
Note: If you install SQL Server and you create a database before you install Access
Controller, be sure to specify case-insensitive collation when you create the database.
This requirement ensures that the names you assign to resources remain unique and
prevents you from creating resources with duplicate names.

Authentication Software Requirements


Access Controller supports the use of Microsoft Active Directory Domain Services to
strengthen the security of your deployment. You can also configure the following
authentication types on either the Access Gateway appliance or on Access Controller:
• Lightweight Directory Access Protocol (LDAP)
• Remote Authentication Dial-In User Service (RADIUS)
• RSA SecurID
You can configure Active Directory authentication on Access Controller only.

SmartAccess Requirements
The SmartAccess feature enables organizations to better control how network
resources and virtual applications are accessed and used.
You can use SmartAccess with Access Controller to control which network resources
users can access based on the users' access scenario, and what users can do within
those resources after they get access. SmartAccess integrates with the Web Interface
for Citrix XenApp to give organizations granular control over virtual applications. To use
SmartAccess, you must have the following components in your environment:
• Citrix Access Controller
• Citrix XenApp 6
• Citrix XenApp 5
Note: SmartAccess is not supported with Citrix Presentation Server for UNIX or
XenApp for UNIX 4.0 with Feature Pack 1.
If you are using the Web Interface to access virtual applications, you must also have the
following software:
• XenApp Advanced Configuration (in Version 5.0)
• Delivery Services Console in XenApp 6.0
• Web Interface Version 5.0 or later
You must also ensure that address translation and firewall settings are identical for the
Web Interface and Access Controller.

Third-Party Portal Integration Requirements


Access Controller supports integration with third-party portals, such as Microsoft
SharePoint, to provide convenient access to Web resources, file shares, and published
applications. To integrate with SharePoint, you must have one of the following versions
installed in your environment:
• SharePoint 2007
• SharePoint 2010
Typically, users can work with documents managed by SharePoint through menu-driven
commands. The following table describes these menu items:

Menu item                    Requires ActiveX?   Available to users by default?
View Properties              No                  Yes
Edit Properties              No                  Yes
Edit in Microsoft Office     Yes                 No
Delete                       No                  Yes
Check In                     No                  Yes
Check Out                    No                  Yes
Version History              No                  Yes
Alert Me                     No                  Yes
Discuss                      Yes                 No
Create Document Workspace    No                  Yes

Delivery Services Console Requirements


The Delivery Services Console is the configuration and administration tool for Access
Controller. You can install the console on a server running Access Controller or on
another computer in your network.
The Delivery Services Console requires at least:
• Windows Server 2008 32-bit, Standard Edition, Enterprise Edition, or Datacenter
  Edition
• Windows Server 2008 64-bit
• Windows Server 2008 R2 64-bit
• Windows XP Professional, 32-bit edition, with Service Pack 3
• Windows Vista, Business, Enterprise, or Ultimate Edition, 64-bit
• Windows Vista, Enterprise, 32-bit
• Windows 7, Enterprise or Ultimate Edition
• 25 megabytes (MB) of available hard disk space
Note: Before you install Access Controller on Windows Server 2008 R2, make sure
the following components are installed and working:
• Register ASP.NET with Internet Information Services (IIS) 7.0
• Install the IIS 6.0 MetaBase components

System Requirements for Clustering and Load Balancing

When you create a cluster of Access Gateway appliances and Access Controller servers,
use the following guidelines:
• Deploy a minimum of two Access Gateway appliances in your network to load
  balance connections.
  You can also deploy multiple Access Gateway appliances configured for appliance
  failover. For example, you have three appliances, two of which you configure as an
  appliance failover pair. Users connect to one of the appliances in the pair. Then,
  Access Controller sends the session to one of the three appliances depending on the
  load balancing method you select.
  When you enable Access Controller on Access Gateway, you provide the settings for
  one Access Controller server. Then, Access Gateway discovers all of the Access
  Controller servers in the network.
• Deploy each Access Gateway appliance with a separate IP address with its own
  certificate or wildcard certificate.
• Install a minimum of two Access Controller servers in the secure network. The
  servers provide the configuration settings to Access Gateway.
• Select SQL Server to use as an external SQL Server database when you install Access
  Controller.
  You can configure a SQL Server database cluster. You can have two databases that
  share the same physical database. Access Controller does not support SQL Server
  Express when you create a cluster.
• Install a Network Time Protocol (NTP) server, which is required to synchronize the
  date and time between Access Gateway and Access Controller.
  If you configure Access Gateway to work with Access Controller, you must deploy an
  NTP server and configure NTP settings on Access Gateway. On the Access Controller
  server, you can enable NTP by configuring Windows Time Service Tools and Settings
  by using the Net time command.

Requirements for Configuring an External Load Balancer

Use the manufacturer's documentation to install and configure the load balancer in the
network demilitarized zone (DMZ).
Be sure to perform each of these configurations on the load balancer to enable it to
work with the Access Gateway appliances:
• Configure the load balancer to load balance connections to the Access Gateway
  appliances based on the Source IP.
• Configure the load balancer with a fully qualified domain name (FQDN) that Access
  Gateway uses when establishing a connection to the load balancer.
• Configure the load balancer so that it does not terminate the Secure Sockets Layer
  (SSL) encryption. The SSL connection must be passed to Access Gateway and Access
  Gateway must terminate the SSL encryption.
• Install the same server certificate on each Access Gateway appliance.

User Device Requirements


You can use Access Gateway and Access Controller to allow users to view, upload, or
download Web-based resources using any user device that has a Web browser. Other
features require additional server software.
Access Gateway handles all user connections. This includes connections from the
Access Gateway Plug-in, Citrix online plug-ins, and clientless access.
The following information describes the user device requirements for the computer
operating systems and Web browsers that Access Gateway supports.

Operating system                               Web browser
Windows 7, Windows Vista, Windows XP with      Internet Explorer 8, Internet Explorer 7,
Service Pack 3                                 Mozilla Firefox 3.0 or later, Google Chrome 5.0
Apple Mac OS X (English only) 10.5 and 10.6    Safari

The following table describes the SmartPhone devices and operating systems that
Access Gateway supports:

Device                  Operating system with version
Google Nexus Android    Android 2.2 Froyo
Blackberry              OS 4.7.1.40
iPad Version            iOS 3.2
iPhone 3G               iOS 3.1
iPhone 3GS              iOS 3.1
Microsoft               Windows Mobile 6.5 Professional
Nokia                   Symbian OS 11.2021

Note: If you are using Mac OS X, apply all updates, service packs, and security
updates to ensure that Web-based features function properly.
Access Gateway delivers content to Web browsers by transmitting Web pages encoded
with HTML and JavaScript. In most cases, standard client configurations can support
Access Gateway.
You must ensure that you enable execution of client-side JavaScript for each Web browser.

Access Gateway Plug-in System Requirements


The Access Gateway Plug-in establishes a connection from the user device to the
Access Gateway appliance. The Access Gateway Plug-in can be distributed as a desktop
application for Microsoft Windows or Mac OS X. The Access Gateway Plug-in is
downloaded and installed automatically when users enter the secure Web address of
the Access Gateway appliance and a logon point in a Web browser.
The Access Gateway Plug-in is supported on the following operating systems and Web
browsers.

Operating system                       32-bit  64-bit  Browser
Mac OS X (10.5 and 10.6)               x       x       Safari
Windows 7 Home Basic Edition           x       x       Microsoft Internet Explorer, Version 7; Internet Explorer, Version 8; Mozilla Firefox Version 3.6
Windows 7 Home Premium Edition                         Internet Explorer, Version 8; Firefox Version 3.6
Windows 7 Professional Edition                         Internet Explorer, Version 8; Firefox Version 3.6
Windows 7 Enterprise Edition                           Internet Explorer, Version 8; Firefox Version 3.6
Windows 7 Ultimate Edition                             Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6
Windows Vista Home Basic Edition                       Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6
Windows Vista Home Premium Edition                     Internet Explorer, Version 8; Firefox Version 3.6
Windows Vista Enterprise Edition                       Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6
Windows Vista Business Edition                         Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6
Windows Vista Ultimate Edition                         Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6
Windows XP Home Edition                                Internet Explorer, Version 8; Firefox Version 3.6
Windows XP Professional Edition                        Internet Explorer, Version 7; Internet Explorer, Version 8; Firefox Version 3.6

Endpoint Analysis Requirements


The Endpoint Analysis Plug-in collects user device information, such as operating
system, antivirus, or Web browser versions, before users log on to Access Gateway. The
Endpoint Analysis Plug-in is distributed as a Windows 32-bit application.
To use the Endpoint Analysis Plug-in, the following software is required on the user device:
• Windows XP, Windows Vista, or Windows 7 with all service packs and critical updates
  installed
• Internet Explorer 7.0 or later with cookies enabled
• Firefox 3.0 or later
You can configure endpoint analysis scans to run on user devices to check them for
protective measures, such as an operating system with or without service packs and
antivirus software, before users access resources in the secure network.
Endpoint analysis scans require the Endpoint Analysis Plug-in for Windows that is
installed as a Windows 32-bit application. To download and install the plug-in, Windows
users must be members of the Administrators or Power Users group of the user device.
The Endpoint Analysis Plug-in downloads and installs on the user device when users log
on to Access Gateway for the first time.
Important: If a user does not install the Endpoint Analysis Plug-in on the user device
or chooses to skip the scan, the user cannot log on with the Access Gateway Plug-in.
The user can access resources for which a scan is not required by using either
clientless access or by using Citrix online plug-ins.

Citrix XenApp and XenDesktop Integration Requirements

You can configure Access Gateway and Access Controller to access virtual applications
and desktops published by XenApp or XenDesktop. To do so, users install Citrix online
plug-ins on the user device.
Access Gateway and Access Controller support integration with the following versions
of XenApp and XenDesktop:
• Citrix XenApp 6.0
• Citrix XenApp 5.0
• Citrix XenApp 5 Feature Pack 2 for Windows Server 2003
• XenDesktop 5
• XenDesktop 4
You can configure basic logon points to use Citrix online plug-ins when users access
virtual applications and desktops.
Access Controller supports using the following user software:

Client                                        English  Japanese  German  Spanish  French  Simplified Chinese
Citrix online plug-in Version 11.2 or later   Yes      Yes       Yes     Yes      Yes     Yes
Citrix XenApp Web Plug-in Version 11.0        Yes      Yes       Yes     Yes      Yes     Yes
Citrix XenApp Plug-ins 11.0                   Yes      Yes       Yes     Yes      Yes     Yes

For more information about configuring Access Controller to access virtual applications
and desktops, see Integrating Access Gateway 5.0 with XenApp and XenDesktop on page
307.

System Requirements for Single Sign-on to the Web Interface

The minimum system requirements for configuring single sign-on to the Web Interface
are as follows:
• Web Interface 5.0 or later
• XenApp 6.0
• XenApp 5.0
• Web Interface must be deployed behind Access Gateway, either in the demilitarized
  zone (DMZ) or in the secure network
Important: The server running the Web Interface must trust the Access Gateway
certificate and be able to resolve the fully qualified domain name (FQDN) to the correct
IP address. If the Web Interface does not trust the certificate, single sign-on might not
work correctly.
Single sign-on supports logon and authentication using LDAP or RADIUS and Active
Directory for both Access Gateway and the Web Interface. If you are using LDAP or
RADIUS, the user name and password must be valid in the Active Directory domain.
If you deploy Access Gateway behind an external load balancer, single sign-on to the
Web Interface might not work correctly. You can do one of the following to enable
single sign-on to the Web Interface:
• Deploy Access Controller. You can configure the Web Interface to point to Access
  Controller instead of Access Gateway when the single sign-on callback is requested.
• Configure a separate Web Interface site for each Access Gateway appliance or
  failover pair.

Chapter 4

Planning Your Access Strategy

Topics:
• Access Gateway 5.0 Pre-Installation Checklist
  Before you install Citrix Access Gateway and Citrix Access Controller, you should
  evaluate your infrastructure and collect information to plan an access strategy
  that meets the specific needs of your organization.
• Planning for Security with Access Gateway
  This section includes topics to help you plan your access strategy.
• Developing Your Access Strategy
  When you define your access strategy, you need to consider security implications,
  the networks users are allowed to connect to, and the policies needed for user
  connections. In addition, you can plan to deploy the Access Gateway appliance only
  or use Access Controller to create more granular configuration settings.


Preliminary Steps

As you start preparing your access strategy, take the following preliminary steps:
• Identify resources. List the network resources for which you want to provide
  access, such as Web or published applications, services, and data that you defined
  in your risk analysis.
• Develop access scenarios. Create access scenarios that describe how users access
  network resources. An access scenario is defined by the logon point used to access
  the network, endpoint analysis scan results, authentication type, SmartGroups, or a
  combination thereof. These access scenarios also determine the actions users can
  perform when they gain access. For example, you can specify whether users can
  modify documents using a published application or by connecting to a file share.
• Associate policies with users. The policies you create on Access Gateway and
  Access Controller are enforced when an individual user or set of users meets
  specified conditions. You determine the conditions based on the access scenarios
  that you create. You then create policies that extend the security of your network
  by controlling which resources users can access and what actions users can perform
  on those resources. You associate the policies with appropriate users. For more
  information about how to implement policies and formulate strategies to control
  resources according to the user scenario on Access Controller, see Controlling
  Access Through Policies on page 219. For more information about creating network
  resources on Access Gateway, see Defining Network Resources on the Appliance on
  page 165.


Access Gateway 5.0 Pre-Installation Checklist


This document contains a checklist of the tasks and planning information you should
complete before you install Citrix Access Gateway 5.0.
Citrix recommends that you print and complete this checklist. The checklist has an
extra column that you can use to check off each task as you complete it.
The checklist notes the configuration values that you need when you install and
configure Access Gateway. You should make note of these values before you install and
configure the appliance.
For instructions about installing and configuring the Access Gateway appliance, see
Introducing Access Gateway Hardware and Introduction on page 20.

User Devices

1. Ensure that user devices meet the installation prerequisites.
   For more information, see Access Gateway Plug-in System Requirements on page 43.

Access Gateway Basic Network Connectivity

2. Access Gateway host name.
   This is the fully qualified domain name (FQDN).
3. IP address and subnet mask reserved for eth0.
   The network adapter eth0 typically connects Access Gateway to the external
   network.
4. (Optional) IP address and subnet mask reserved for eth1.
   The network adapter eth1 connects Access Gateway to the internal network. If
   Access Gateway is deployed in the internal network, configuring eth1 is optional.
   For more information, see Deploying Access Gateway in Your Network on page 65.
5. Network speed
   Enter the rate at which your network transmits data. This rate can be 10 Mbps,
   100 Mbps, or 1,000 Mbps.
   Note: You use the Access Gateway Management Console to configure network
   speeds. You cannot use the command line to configure network speeds.
6. Port
   Enter the port on which the Access Gateway listens for Secure Sockets Layer (SSL)
   user connections. The default is TCP port 443. This port must be open on the
   firewall between Access Gateway and the first firewall in the demilitarized zone
   (DMZ).
7. Default gateway IP address
8. First DNS server
9. Second DNS server (if applicable)
10. Third DNS server (if applicable)
11. WINS server (if applicable)

Network Adapter Management Roles

12. You can select the management roles for the network adapters on Access Gateway.
13. External - identifies the network adapter that connects to the Internet or
    external network.
14. Internal - identifies the network adapter that connects to the secure network.
15. Appliance Failover - identifies the network adapters that monitor another Access
    Gateway in an appliance failover pair. You can use one or more adapters for an
    appliance failover pair.
16. Management - identifies the network adapter to which you connect to the Access
    Gateway Management Console.

Authentication and Authorization


Access Gateway supports several different authentication and authorization types that
you can use in a variety of combinations. Complete the following authentication and
authorization fields as appropriate for your network environment.
For details about authentication and authorization, see Adding Authorization to the
Authentication Profile on the Access Gateway Appliance on page 156.

RADIUS Authentication and Authorization


If your environment includes a RADIUS server, you can use RADIUS for authentication
only or for both authentication and authorization. Complete the following fields as
needed.

Authentication Settings

17. Primary RADIUS server IP address and port
    The default port is 1812.
18. Primary RADIUS server secret (shared secret)
19. Secondary RADIUS server IP address and port
    The default port is 1812.
20. Secondary RADIUS server secret (shared secret)

RADIUS Authorization Settings

These RADIUS settings are also required when you configure the Microsoft Internet
Authorization Service (IAS) to support RADIUS. When you configure RADIUS
authorization on Access Gateway, enter the same values that you entered when
configuring IAS.

21. Vendor code
    This value must be the same as the vendor-specific attribute number that you
    enter in the Vendor-Specific Attribute Information dialog box in IAS. If you
    select RADIUS Standard, the default value is 0 (zero).
22. Vendor attribute
    This value is the assigned number for the User Group attribute. The default value
    is 0.
23. Attribute value prefix
    For the Access Gateway, the attribute value prefix is CTXSUserGroups=groupname.
    If two groups are defined, such as sales and finance, the attribute value is
    CTXSUserGroups=sales;finance. Separate multiple groups with the character that is
    specified as the separator in the following field.
24. Separator
    The separator is the punctuation used between groups in the attribute value
    prefix. The default value is a semicolon (;).
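The following Python script is an added example, not part of this guide or of the Citrix product. It encodes the CTXSUserGroups value described in items 21 through 24 as a RADIUS Vendor-Specific attribute (attribute type 26, RFC 2865) and parses it back into group names, so you can see what the vendor code, vendor attribute, prefix and separator settings correspond to on the wire. The vendor code and vendor attribute are the RADIUS Standard defaults (0 and 0) from the checklist; the group names sales and finance are constructed sample values.

```python
"""Encode and decode the RADIUS Vendor-Specific attribute that carries the
CTXSUserGroups value. Added example, not Citrix code. Vendor code 0 and
vendor attribute 0 are the checklist's RADIUS Standard defaults; the group
names used in the demo are constructed."""
import struct

RADIUS_VSA_TYPE = 26          # Vendor-Specific attribute type, RFC 2865 section 5.26
VENDOR_CODE = 0               # "Vendor code" checklist item; 0 = RADIUS Standard default
VENDOR_ATTRIBUTE = 0          # "Vendor attribute" checklist item; default 0
PREFIX = "CTXSUserGroups="    # attribute value prefix Access Gateway expects


def build_group_value(groups, separator=";"):
    """Return the attribute value, e.g. CTXSUserGroups=sales;finance.
    A group name containing the separator would be split into two groups on
    the receiving side, so it is rejected here instead of being sent."""
    for name in groups:
        if not name or separator in name:
            raise ValueError(f"invalid group name {name!r} for separator {separator!r}")
    return PREFIX + separator.join(groups)


def encode_vsa(value, vendor_code=VENDOR_CODE, vendor_attribute=VENDOR_ATTRIBUTE):
    """Wire-encode a Vendor-Specific attribute in the RFC 2865 recommended layout:
    Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) String."""
    data = value.encode("utf-8")
    vendor_length = 2 + len(data)     # vendor type + vendor length + string
    length = 6 + vendor_length        # type + length + vendor id + vendor data
    if length > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return (struct.pack("!BBI", RADIUS_VSA_TYPE, length, vendor_code)
            + struct.pack("!BB", vendor_attribute, vendor_length)
            + data)


def decode_groups(attribute, vendor_code=VENDOR_CODE,
                  vendor_attribute=VENDOR_ATTRIBUTE, separator=";"):
    """Parse the attribute back into the list of group names, checking every
    length field and both vendor identifiers before trusting the string."""
    if len(attribute) < 8:
        raise ValueError("attribute too short to be a Vendor-Specific attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", attribute[:6])
    if attr_type != RADIUS_VSA_TYPE or length != len(attribute):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if vendor_id != vendor_code:
        raise ValueError(f"unexpected vendor id {vendor_id}")
    vendor_type, vendor_length = struct.unpack("!BB", attribute[6:8])
    if vendor_type != vendor_attribute or vendor_length != len(attribute) - 6:
        raise ValueError("unexpected vendor attribute or vendor length")
    value = attribute[8:].decode("utf-8")
    if not value.startswith(PREFIX):
        raise ValueError(f"value does not start with {PREFIX}")
    return [g for g in value[len(PREFIX):].split(separator) if g]


if __name__ == "__main__":
    # Constructed sample: the two groups named in item 23.
    raw = encode_vsa(build_group_value(["sales", "finance"]))
    print(raw.hex())
    print(decode_groups(raw))
```

The decoder validates both length fields and both vendor identifiers before it splits the string, so an attribute from a different vendor, or one truncated in transit, raises an error instead of silently producing an empty or wrong group list, which matters because the group list is what authorization decisions are based on.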

LDAP Authentication and Authorization


If your environment includes an LDAP server, you can use LDAP for authentication only,
authorization only, or for both authentication and authorization.

Authentication and Authorization Settings

25. LDAP server IP address and port
    If you allow unsecured connections to the LDAP server, the default is port 389.
    If you encrypt connections to the LDAP server with SSL, the default is port 636.
26. Use secure connection
    When you configure LDAP authentication or authorization, you have the option to
    encrypt or not encrypt connections between Access Gateway and the LDAP server.
    To encrypt the connection, you need to install the LDAP server root certificate
    signed by a Certificate Authority on Access Gateway.
    When you enable this option, users can change their passwords.
27. Administrator bind DN
    If your LDAP server requires authentication, enter the Administrator bind DN that
    Access Gateway should use to authenticate when making queries to the LDAP
    directory. An example is cn=administrator, cn=Users, dc=ace, dc=com.
28. Administrator password
    The password associated with the Administrator bind DN.
29. Base DN
    DN (or directory level) under which users are located; for example, ou=users,
    dc=ace, dc=com.
30. Server logon name attribute
    Enter the LDAP directory Person object attribute that specifies a user's logon
    name. The default is sAMAccountName. If you are not using Active Directory,
    common values for this setting are cn or uid.
31. Group attribute and User Member Attribute
    The Group attribute field is needed for authorization but not authentication.
    Enter the LDAP directory Person object attribute that specifies the groups to
    which a user belongs. The default is memberOf. This attribute enables Access
    Gateway to identify the directory groups to which a user belongs.
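The following Python script is an added example, not Citrix code. It assembles the pieces that items 25 through 31 configure: the URL and port for the secure and unsecured cases, the user search filter built from the server logon name attribute (with RFC 4515 escaping, so that whatever a user types at the logon page cannot change the shape of the filter), a base DN check, and the group names taken from the memberOf attribute. The directory entry, the DNs and the base DN are constructed sample values, and the search function is an in-memory stand-in for the directory query; nothing here contacts a server.

```python
"""LDAP settings from the checklist: URL/port, escaped user filter, base DN
check and group extraction. Added example, not Citrix code; the sample
entry and DNs are constructed and no network connection is made."""
import re

LDAP_PORT = 389        # default for unsecured connections (item 25)
LDAPS_PORT = 636       # default for SSL-encrypted connections (item 25)

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RDN separator, ignoring "\,"


def ldap_url(server, use_secure_connection):
    """Scheme and port follow the "Use secure connection" choice (item 26)."""
    if use_secure_connection:
        return f"ldaps://{server}:{LDAPS_PORT}"
    return f"ldap://{server}:{LDAP_PORT}"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: backslash, *, ( ), NUL and any
    non-ASCII byte become \\XX. This keeps a logon name such as
    "*)(objectClass=*" from widening the search to every entry."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_search_filter(logon_name, logon_name_attribute="sAMAccountName"):
    """Search filter sent under the base DN, e.g. (sAMAccountName=jsmith).
    Use cn or uid as the attribute for non-Active Directory servers (item 30)."""
    return f"({logon_name_attribute}={escape_filter_value(logon_name)})"


def _normalize_dn(dn):
    """Lower-case and strip each RDN so DNs compare regardless of spacing."""
    return ",".join(part.strip().lower() for part in _UNESCAPED_COMMA.split(dn))


def in_base_dn(entry_dn, base_dn):
    """True when the entry sits at or under the configured base DN (item 29)."""
    entry, base = _normalize_dn(entry_dn), _normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def group_names(member_of_values):
    """Turn memberOf DNs (item 31) into group names: the value of the first
    RDN, with LDAP-escaped commas restored."""
    names = []
    for dn in member_of_values:
        first_rdn = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
        _, _, value = first_rdn.partition("=")
        names.append(value.replace("\\,", ",").strip())
    return names


# Constructed directory entry standing in for what the server would return.
SAMPLE_ENTRY = {
    "dn": "CN=John Smith,OU=Users,DC=ace,DC=com",
    "sAMAccountName": "jsmith",
    "memberOf": ["CN=Sales,OU=Groups,DC=ace,DC=com",
                 "CN=VPN Users,OU=Groups,DC=ace,DC=com"],
}


def find_user(entries, logon_name, base_dn, logon_name_attribute="sAMAccountName"):
    """In-memory stand-in for the directory search: exact match on the logon
    name attribute among entries under the base DN."""
    for entry in entries:
        if in_base_dn(entry["dn"], base_dn) and entry.get(logon_name_attribute) == logon_name:
            return entry
    return None


if __name__ == "__main__":
    print(ldap_url("ldap.ace.com", True))
    print(user_search_filter("*)(objectClass=*"))
    user = find_user([SAMPLE_ENTRY], "jsmith", "ou=users,dc=ace,dc=com")
    print(group_names(user["memberOf"]))
```

The escaping is the part worth keeping in mind when you build the query yourself rather than letting the appliance do it: the logon name is attacker-controlled input, and the filter is where it lands.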

RSA SecurID Authentication


You do not need to collect any information if you use the RSA Authentication Manager
software for authentication. However, you must add the RSA Authentication Manager
sdconf.rec file to Access Gateway.
Use the administration tools provided with the RSA Authentication Manager software to
generate an sdconf.rec file and upload that file to Access Gateway.

Opening Ports Through the Firewalls

If your organization protects the internal network with a DMZ and you deploy Access
Gateway in the DMZ, open the following ports through the firewalls.

32. Open a TCP/SSL port (default 443) on the firewall between the Internet and Access
    Gateway. User devices connect to Access Gateway on this port.
33. Open one or more appropriate ports on the firewall between the DMZ and the
    secured network. Access Gateway connects to one or more authentication servers or
    to computers running Citrix XenApp in the secure network on these ports.
    Authentication Ports
    The default authentication and authorization ports are listed below. Open only the
    port appropriate for your Access Gateway configuration.
    • For an unsecured LDAP connection, the default is TCP port 389.
    • For a secure LDAP connection, the default is TCP/SSL port 636.
    • For a RADIUS connection, the default is UDP port 1812.
    Citrix XenApp Ports
    If you are using Access Gateway with Citrix XenApp, open TCP port 1494. If session
    reliability is enabled, open TCP port 2598 instead of 1494.


Citrix XenApp, Citrix XenDesktop, and the Web Interface

Complete the following fields only if you are deploying Access Gateway to provide
access to Citrix XenApp or Citrix XenDesktop through the Web Interface. The Access
Gateway Plug-in is not used in this deployment. Users access the published applications
through Access Gateway using only Web browsers and XenApp online plug-ins. Users
access published desktops with Desktop Receiver.
For more information about configuring Access Gateway for XenApp, XenDesktop, and
the Web Interface, see Integrating Access Gateway with XenApp or XenDesktop on page
308.

34. FQDN or IP address of the server running the Web Interface
35. FQDN or IP address of the server running the Secure Ticket Authority
36. ICA Access Control list. If you are using XenApp or XenDesktop, you must configure
    ICA Access Control.
    Start IP Address. IP address range of all computers running Citrix XenApp or
    Citrix XenDesktop and the port on which XenApp or XenDesktop listens for user
    connections.
    End IP Address. These values are specified to enable users to connect to Citrix
    XenApp or Citrix XenDesktop through Access Gateway.
    Protocol. Select ICA or Session reliability.
    Port. The default port for ICA connections is port 1494. If you enable session
    reliability, the server listens for connections on port 2598 instead of 1494.
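The following Python script is an added example, not Citrix code. It models the ICA Access Control list from item 36 (Start IP Address, End IP Address, Protocol, Port, with the port defaulting to 1494 for ICA and 2598 for Session reliability) and derives from it, together with the LDAP and RADIUS choices from item 33, the list of ports that must be open on the firewall between the DMZ and the secure network. It lets you check a planned configuration before entering it on the appliance. The server addresses are constructed sample values.

```python
"""ICA Access Control list and DMZ-to-secure-network port list from the
checklist. Added example, not Citrix code; addresses are constructed."""
import ipaddress
from dataclasses import dataclass

LDAP_PORT = 389                   # unsecured LDAP, TCP (item 33)
LDAPS_PORT = 636                  # LDAP over SSL, TCP (item 33)
RADIUS_PORT = 1812                # RADIUS, UDP (item 33)
ICA_PORT = 1494                   # default ICA listener (item 36)
SESSION_RELIABILITY_PORT = 2598   # replaces 1494 when session reliability is on
PROTOCOLS = ("ICA", "Session reliability")


@dataclass(frozen=True)
class IcaAclEntry:
    """One ICA Access Control list entry. A port of 0 means "use the default
    for the selected protocol", which is what the checklist describes."""
    start_ip: str
    end_ip: str
    protocol: str
    port: int = 0

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        if ipaddress.ip_address(self.end_ip) < ipaddress.ip_address(self.start_ip):
            raise ValueError("End IP Address precedes Start IP Address")
        if self.port == 0:
            # frozen dataclass: fill the default through object.__setattr__
            object.__setattr__(self, "port", self.default_port())

    def default_port(self):
        if self.protocol == "Session reliability":
            return SESSION_RELIABILITY_PORT
        return ICA_PORT

    def covers(self, ip):
        """True when ip lies in the inclusive Start..End range."""
        addr = ipaddress.ip_address(ip)
        return (ipaddress.ip_address(self.start_ip) <= addr
                <= ipaddress.ip_address(self.end_ip))


def ica_connection_allowed(acl, server_ip, port):
    """True when some entry covers both the server address and the port;
    anything not listed is refused, which is the point of the list."""
    return any(e.covers(server_ip) and e.port == port for e in acl)


def ports_to_open(acl, ldap=None, radius=False):
    """(protocol, port) pairs for the firewall between the DMZ and the secure
    network: ldap=False gives TCP 389, ldap=True gives TCP 636, radius gives
    UDP 1812, plus the port of every ICA ACL entry. TCP 443 on the
    Internet-facing firewall (item 32) is a separate rule."""
    rules = set()
    if ldap is not None:
        rules.add(("TCP", LDAPS_PORT if ldap else LDAP_PORT))
    if radius:
        rules.add(("UDP", RADIUS_PORT))
    for entry in acl:
        rules.add(("TCP", entry.port))
    return sorted(rules)


if __name__ == "__main__":
    # Constructed sample: a XenApp farm with session reliability and one
    # XenDesktop host on plain ICA.
    sample_acl = [IcaAclEntry("10.0.1.10", "10.0.1.20", "Session reliability"),
                  IcaAclEntry("10.0.2.1", "10.0.2.1", "ICA")]
    print(ports_to_open(sample_acl, ldap=True, radius=True))
    print(ica_connection_allowed(sample_acl, "10.0.1.15", 2598))
```

A mismatch between the protocol and the port is the usual planning error here: a farm with session reliability enabled listens on 2598, so an entry that still says 1494 refuses every connection, and a firewall rule for 1494 alone blocks it as well.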

Logon Points

You can configure logon points for user access. When you configure a logon point, you
select the type, authentication and authorization, device profiles, logon point visibility
and remediation message, and user time-out settings.
The user time-out settings that you configure within a logon point override the global
user time-out settings.

37. Name. Write the name of one or more logon points.
38. Type. Select Basic for ICA-only connections. Select SmartAccess for Access Gateway
    Plug-in connections.
39. Authentication and Authorization for user connections. You can configure
    double-source authentication.
40. Logon point visibility. Select the device profiles with which to validate user
    devices.


SmartGroups

SmartGroups in Access Gateway contain a collection of settings that group users
according to their identity, location, authentication and authorization type, and the
results of endpoint analysis (as defined in device profiles).
A SmartGroup also contains a collection of settings that define the network resources
to which users are allowed to connect, unique IP addresses (if needed), and Access
Gateway Plug-in connection settings, including user session time-out values. The user
session time-out values configured in a SmartGroup override the settings that you
configure globally or within a logon point.

41. Name. Write the name of one or more SmartGroups to configure on Access Gateway.
42. Home page. Select the default home page, Web Interface, Outlook Web Access,
    Outlook Web App, SharePoint 2007, or specify your preferred home page.
43. Logon points. Select the logon points to use with the SmartGroup.
44. Device profiles. Select the device profiles with which to scan the user device for
    endpoint analysis requirements.
45. Group memberships. Define the groups on the authentication or authorization
    servers of which users are a member.
46. Network resources. Select the network resources that users are allowed to access.
47. Address pools. Select a group of unique IP addresses for user connections.
48. Advanced properties. Select the settings that define user sessions.
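The following Python script is an added example, not Citrix code. It works through an access scenario the way the Preliminary Steps and items 37 through 48 describe it: a session is matched to SmartGroups by logon point, device profile (endpoint analysis) results and group membership, and the match determines the network resources the user can reach and the effective session time-out, with the SmartGroup value overriding the logon point value and the logon point value overriding the global value. The logon points, SmartGroups, resources and time-out values are constructed, and taking the smallest time-out when several SmartGroups match is this example's own choice, not something the guide specifies.

```python
"""Evaluate an access scenario: match a session to SmartGroups, then derive
the allowed network resources and the effective session time-out. Added
example, not Citrix code; every logon point, SmartGroup, resource and
time-out below is constructed, and "smallest time-out wins when several
SmartGroups match" is this example's own rule."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

GLOBAL_SESSION_TIMEOUT = 30   # constructed global user time-out, in minutes


@dataclass(frozen=True)
class LogonPoint:
    name: str
    kind: str                               # "Basic" (ICA only) or "SmartAccess" (Plug-in)
    session_timeout: Optional[int] = None   # overrides the global value when set


@dataclass(frozen=True)
class SmartGroup:
    name: str
    logon_points: FrozenSet[str]            # logon points the SmartGroup is used with (item 43)
    device_profiles: FrozenSet[str]         # every listed device profile must pass (item 44)
    group_memberships: FrozenSet[str]       # user must be in one of these; empty = any user (item 45)
    network_resources: FrozenSet[str]       # resources the SmartGroup grants (item 46)
    session_timeout: Optional[int] = None   # overrides logon point and global values (item 48)


@dataclass(frozen=True)
class Session:
    user: str
    logon_point: str
    groups: FrozenSet[str]                  # groups from the authentication/authorization server
    scan_results: Dict[str, bool]           # endpoint analysis: device profile name -> passed?


@dataclass(frozen=True)
class AccessDecision:
    smartgroups: List[str]
    network_resources: FrozenSet[str]
    session_timeout: int


def matches(smartgroup, session):
    """A SmartGroup applies when the session's logon point is one it is used
    with, every required device profile passed, and (if any are listed) the
    user belongs to at least one of the configured groups."""
    if session.logon_point not in smartgroup.logon_points:
        return False
    if not all(session.scan_results.get(p, False) for p in smartgroup.device_profiles):
        return False
    if smartgroup.group_memberships and not (session.groups & smartgroup.group_memberships):
        return False
    return True


def evaluate(session, smartgroups, logon_points):
    """Collect matching SmartGroups, union their resources, and pick the
    time-out: SmartGroup, then logon point, then global."""
    matched = [sg for sg in smartgroups if matches(sg, session)]
    resources = frozenset().union(*(sg.network_resources for sg in matched))
    sg_timeouts = [sg.session_timeout for sg in matched if sg.session_timeout is not None]
    lp_timeout = logon_points[session.logon_point].session_timeout
    if sg_timeouts:                      # SmartGroup setting wins
        timeout = min(sg_timeouts)       # this example's rule for several matches
    elif lp_timeout is not None:         # then the logon point setting
        timeout = lp_timeout
    else:                                # then the global setting
        timeout = GLOBAL_SESSION_TIMEOUT
    return AccessDecision([sg.name for sg in matched], resources, timeout)


# Constructed sample configuration.
LOGON_POINTS = {
    "employees": LogonPoint("employees", "SmartAccess", session_timeout=60),
    "partners": LogonPoint("partners", "Basic"),
}
SMARTGROUPS = [
    SmartGroup("finance", frozenset({"employees"}), frozenset({"antivirus-current"}),
               frozenset({"finance"}), frozenset({"erp", "finance-share"}), session_timeout=20),
    SmartGroup("all-staff", frozenset({"employees", "partners"}), frozenset(),
               frozenset(), frozenset({"intranet"})),
]

if __name__ == "__main__":
    session = Session("jsmith", "employees", frozenset({"finance"}), {"antivirus-current": True})
    print(evaluate(session, SMARTGROUPS, LOGON_POINTS))
```

The second case in the test, the same user with a failed antivirus scan, drops out of the finance SmartGroup and its resources but still matches all-staff, and the time-out falls back to the logon point value; that is the precedence the Logon Points and SmartGroups sections state, made concrete.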

Appliance Failover

You can configure two Access Gateway appliances for appliance failover. If the primary
Access Gateway fails, the secondary appliance can accept user connections.

49. Identify the primary Access Gateway and the network adapter to enable appliance
    failover. You can use either eth0 or eth1 or both adapters.
50. Identify the secondary Access Gateway and the network adapter to enable appliance
    failover. You can use either eth0 or eth1 or both adapters.
51. Configure settings for the primary Access Gateway on the Appliance Failover panel.
52. Configure settings for the secondary Access Gateway on the Appliance Failover
    panel.
53. Peer IP address. You can configure up to two peer IP addresses. Use the IP address
    of the network adapter on which you enable appliance failover on the secondary
    appliance.
54. Internal virtual IP address. The virtual IP address provides services. You can
    configure virtual IP addresses on the primary appliance only.
55. External virtual IP address on the primary appliance.


Planning for Security with Access Gateway


When planning any type of Access Gateway deployment, you should review the
following basic security issues and follow the preliminary steps associated with
certificates, authentication, and authorization support.

Installing Certificates for Security


Before you deploy Access Gateway in a production environment, Citrix recommends
that you request and receive a signed Secure Sockets Layer (SSL) server certificate
from a known Certificate Authority (CA) and upload it to Access Gateway. The SSL
handshake starts on the user device when users start the connection to Access
Gateway; Access Gateway is the server in that handshake and presents this
certificate, and the handshake establishes the cryptographic parameters of the
session between the user device and Access Gateway. A certificate issued by a CA that
user devices already trust means users never see a certificate warning, so they are not
trained to click through one.
If you deploy Access Gateway in any environment in which Access Gateway must
operate as the client in an SSL handshake, you must also install on Access Gateway
the trusted root certificate of the CA that issued the other server's certificate.
Without that root certificate, Access Gateway cannot verify the identity of the server
it connects to.
For example, if you deploy Access Gateway with XenApp and the Web Interface, you
can encrypt connections from Access Gateway to the Web Interface with SSL. In this
configuration, you must install a trusted root certificate on Access Gateway. For more
information, see Installing Root Certificates on Access Gateway on page 127.

Supporting Authentication and Authorization


You can configure Access Gateway to authenticate users and control the authorization
policy that defines the network resources to which users have access on the internal
network.
Before deploying Access Gateway, your network environment should have the
directories and authentication servers in place to support one of the following
authentication types:
• LDAP
• RADIUS
• RSA SecurID
If you deploy Access Gateway with Access Controller, you can configure Active
Directory for use with Access Controller. Active Directory is also supported on the
appliance using LDAP authentication.
You can configure authorization using RADIUS and LDAP as part of the authentication
profile. You can then allow or deny network resource access using a network resource
profile.
For more information about configuring authentication, see Creating Authentication
and Authorization Profiles on Access Gateway on page 144 or Creating Authentication
and Authorization Profiles on Access Controller on page 199.

Developing Your Access Strategy


While planning to deploy Access Gateway, you should evaluate your network
infrastructure, which includes all of the hardware components that exist in your
organization's network, such as user devices, servers, load balancers, and firewalls. You
should also include in your assessment the network resources for which you want to
provide access, such as Web or published applications, services, and data. The most
common types of network resources include:
• Web applications such as an intranet or a Web-based e-mail application
• Data, such as databases, documents, presentations, and spreadsheets
• Servers, such as Exchange servers, Web servers, database servers, and file shares
Note: Access Controller includes built-in load balancing support. Therefore, you do
not need to deploy an external load balancer to manage requests made to the servers
running Access Controller.
After you evaluate your network infrastructure and the network resources for which
you want to provide access, and perform a risk analysis, you are ready to create your
access strategy. This process includes determining how to integrate Access Gateway
and Access Controller into your existing network. This topic discusses three essential
elements that you should consider when creating an effective access strategy for
Access Gateway: endpoint analysis scans, firewall deployments, and intellectual
property.

Incorporating Endpoint Analysis Scans into Your Access Strategy
Access Gateway and Access Controller provide endpoint analysis to verify information
about the user device. On the Access Gateway appliance, you create device profiles that
identify the file, process, registry setting, operating system, or ports required for
logging on. If a device profile is associated with a logon point on the appliance, Access
Gateway scans the user device before showing the logon page. If the user device passes
the scan, users receive the logon page and are allowed access to network resources. If
this is a basic authenticated logon point, users receive a list of published applications
or desktops in the Web Interface. If this is a SmartAccess logon point, users can
connect to the network resources that are allowed in the SmartGroup. If the user
device fails the scan, users do not receive the logon page and must correct the
problem on the user device before they can log on.
When you enable a device profile in a SmartGroup instead, the endpoint analysis scan
determines only membership in that SmartGroup. If the user device fails the scan,
users can still log on but might have different access permissions than if the scan had
passed.
If you configure endpoint analysis on Access Controller, endpoint analysis scans detect
information about a user device, such as the operating system version and service pack
level. The scans run when a user tries to connect through a logon point defined on
Access Controller, and they run only one time per session. You can
incorporate scan results into access policies, allowing you to base access to your
networks and resources on the information you gather about the user device. For
example, you can prohibit access to your network by employees working from a home
computer unless the computer is running a required version of antivirus software.
Because the scan runs on the user device and reports its own result, that result is only
as trustworthy as the device: treat endpoint analysis as a compliance check that keeps
unpatched or unprotected devices out, not as proof that a hostile device is clean.
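The two behaviours described above (a device profile on the logon point gates the logon page; a device profile inside a SmartGroup only decides membership) can be modelled as policy evaluation. The following is an added example, not code from the Citrix product or this guide: the rule types, field names, the AND semantics across rules, the port rule's open/closed flag, and the sample device states are all assumptions made for the illustration.

```python
# Added example (not Citrix code): evaluating device profiles the way the text
# describes an endpoint analysis scan. Rule types, field names and the sample
# device states below are assumptions made for this illustration.
from dataclasses import dataclass, field


@dataclass
class DeviceState:
    """Constructed snapshot of what a scan could observe on a user device."""
    files: set = field(default_factory=set)        # paths present on disk
    processes: set = field(default_factory=set)    # running process names
    registry: dict = field(default_factory=dict)   # key -> value
    os_name: str = ""
    os_version: tuple = (0, 0)                     # (major, minor)
    open_ports: set = field(default_factory=set)   # listening TCP ports


def check_rule(rule, state):
    """Return True when one device-profile rule holds for the given device."""
    kind = rule["type"]
    if kind == "file":
        return rule["path"] in state.files
    if kind == "process":
        return rule["name"] in state.processes
    if kind == "registry":
        return state.registry.get(rule["key"]) == rule["value"]
    if kind == "os":
        return (state.os_name == rule["name"]
                and state.os_version >= tuple(rule["min_version"]))
    if kind == "port":
        # Assumption: a port rule states whether the port must be open or closed.
        is_open = rule["port"] in state.open_ports
        return is_open if rule["must_be"] == "open" else not is_open
    raise ValueError(f"unknown rule type: {kind}")


def evaluate_profile(profile, state):
    """All rules in a profile must hold (AND semantics, an assumption).
    Returns (passed, list_of_failed_rules) so the failures can be reported."""
    failed = [rule for rule in profile if not check_rule(rule, state)]
    return (not failed, failed)


def logon_decision(logon_point_profile, smartgroups, state):
    """A profile on the logon point gates the logon page itself; a profile
    inside a SmartGroup only decides membership, so the user still logs on
    but may end up with different access."""
    passed, failed = evaluate_profile(logon_point_profile, state)
    if not passed:
        return {"logon_page": False, "groups": [], "failed": failed}
    groups = [g["name"] for g in smartgroups
              if evaluate_profile(g["profile"], state)[0]]
    return {"logon_page": True, "groups": groups, "failed": []}


# Constructed policy: the logon point only requires a supported Windows version;
# full access additionally requires the antivirus process and a closed SMB port.
LOGON_POINT_PROFILE = [
    {"type": "os", "name": "Windows", "min_version": [6, 1]},
]
SMARTGROUPS = [
    {"name": "full-access", "profile": [
        {"type": "process", "name": "avservice.exe"},
        {"type": "port", "port": 445, "must_be": "closed"},
    ]},
    {"name": "web-only", "profile": []},   # no device requirements
]

# Constructed device states (not real scan output).
MANAGED_LAPTOP = DeviceState(processes={"avservice.exe", "explorer.exe"},
                             os_name="Windows", os_version=(6, 1))
HOME_PC = DeviceState(processes={"explorer.exe"}, os_name="Windows",
                      os_version=(6, 1), open_ports={445})
OLD_PC = DeviceState(os_name="Windows", os_version=(5, 1))


if __name__ == "__main__":
    for name, dev in [("managed laptop", MANAGED_LAPTOP),
                      ("home PC", HOME_PC), ("old PC", OLD_PC)]:
        print(name, logon_decision(LOGON_POINT_PROFILE, SMARTGROUPS, dev))
```

The managed laptop reaches the logon page and lands in both groups, the home PC reaches the logon page but only qualifies for the group with no device requirements, and the old PC never sees the logon page because the logon point's own profile fails.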

Implementing Firewall Deployments in Your Access Strategy
Access Gateway eases firewall traversal and provides a secure Internet gateway
between Access Controller servers and user devices. Scenarios in which firewalls are
commonly used include:
• Demilitarized zones (DMZs). In this scenario, firewalls are used to create a DMZ to
protect the internal network from Internet traffic. This deployment requires users
who are external to the network to traverse the firewalls that protect the internal
network before they gain access to network resources.
• Enclaves. In this scenario, firewalls limit traffic between specific segments of the
network. For example, hospital administrators may segment their LAN so that
sensitive information, such as patient records, is accessible only from specific
enclaves within the network.
• Perimeter of an Access Controller cluster. In this scenario, firewalls secure Access
Controller servers from threats within the LAN by forming a secure perimeter
around the cluster. This deployment ensures that users cannot directly access the
cluster.

Protecting Intellectual Property in Your Access Strategy
Sensitive data, often referred to as intellectual property, is any information,
application, or service that the employer considers to be proprietary. Examples of
intellectual property include financial documents, customer data, and employee
records. The sensitivity of data is based on the assessed impact of a loss of data
confidentiality or integrity. When assessing the sensitivity of data, consider:
• Regulatory requirements. Understand the privacy laws that impose stringent
confidentiality requirements on several business sectors, including health
care, insurance, and finance. In addition, the global environment necessitates an
awareness of regulations in any state or country in which your employer does
business.
• Legal ramifications. Determine if there are any legal implications related to the
exposure of proprietary data; specifically, whether another party could take legal
action against your employer due to the exposure of confidential information to
unauthorized users.
• Competitive impact. Determine if the loss of information would leave your employer
unable to remain competitive. For example, consider a scenario in which your
company's secret recipe is made available to your competitors.
• Corporate reputation. Determine the impact to your organization's reputation if
certain proprietary information is made available to unauthorized users. For
example, consider a scenario in which unauthorized users access your customers'
credit card information. In addition to possible legal action, customers may lose
faith in your company's ability to maintain their privacy and, as a result,
choose to stop using your services.
The goal of intellectual property control is to prevent the exposure of sensitive data.
Using Access Gateway and Access Controller, you can protect intellectual property
through policy-based access control. For example, you
can integrate with Citrix XenApp and configure files to open within a published
application instead of a local application on a user device. This increases the
protection of intellectual property because proprietary data remains within the
protected network at all times.
In addition, you can share Access Controller policy information with XenApp to
selectively enable functionality for a specific published application session, such as
client drive mapping and local printing. For more information about filters, see
Controlling Access Through Policies on page 219.


Chapter 5

Deploying Access Gateway in Your Network

Topics:
Deploying Access Gateway Appliances in the DMZ
Deploying Access Gateway in the Secure Network
Deploying Access Gateway with XenApp or XenDesktop
Deploying Additional Access Gateway Appliances for Load Balancing and Appliance Failover
Deploying Access Gateway with Access Controller
Deploying Plug-ins for User Access
Deployment Options for the Web Interface

You can deploy Citrix Access Gateway at the perimeter of your
organization's internal network (or intranet) to provide a
secure single point of access to the servers, applications, and
other network resources residing in the internal network. All
remote users must connect to Access Gateway before they
can access resources on the internal network.
Citrix recommends installing Access Gateway in the
demilitarized zone (DMZ). When installed in the DMZ, Access
Gateway participates on two networks: a private network and
a public network with a publicly routable IP address. Typically,
the private network is the internal network and the public
network is the Internet. You can also use Access Gateway to
partition LANs internally in the organization for access control
and security. You can create partitions between wired and
wireless networks and between data and voice networks.
You can also deploy Access Gateway with the following Citrix
products:
• Citrix Access Controller
• License Server
• Web Interface
• XenApp
• XenDesktop
You can deploy Access Gateway in the following locations in
your network:
• In the network DMZ
• In a secure network that does not have a DMZ
• With additional Access Gateway appliances to support load
balancing and appliance failover

Deploying Access Gateway Appliances in the DMZ
Many organizations protect their internal network through the use of a demilitarized
zone (DMZ). A DMZ is a subnet that lies between an organization's secure internal
network and the Internet (or any external network) and is separated from both by
firewalls. When Access Gateway is deployed in the DMZ, users connect to the appliance
by using the Access Gateway Plug-in or Citrix online plug-ins.
The following figure shows a configuration of Access Gateway in the DMZ.

Access Gateway is installed in the DMZ and configured to connect to both the Internet
and the internal network.

Access Gateway Connectivity in the DMZ


When you deploy Access Gateway in the DMZ, user connections must traverse the first
firewall to connect to Access Gateway. By default, connections use Secure Sockets
Layer (SSL) on TCP port 443 to establish this connection. To support this connectivity,
you must allow inbound TCP port 443 to Access Gateway through the first firewall.
Access Gateway decrypts the SSL connections from the user device and establishes a
connection on behalf of the user device to the network resources behind the second
firewall. The ports that must be open through the second firewall depend on the
network resources that you authorize external users to access. Open only those ports,
and only from the Access Gateway address, so that the second firewall still limits what
a compromised or misconfigured appliance could reach.
For example, if you authorize external users to access a Web server in the internal
network, and the server listens for HTTP connections on port 80, you must allow HTTP
on port 80 from Access Gateway through the second firewall. Access Gateway
establishes the connection through the second firewall to the HTTP server on the
internal network on behalf of the external user devices.
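The rule set for the two firewalls follows directly from the authorized resources, and writing it down as data makes it easy to check that nobody has widened it. The following is an added example, not code from the Citrix product or this guide: the firewall names, the rule record, the appliance address and the two sample resources are assumptions made for the illustration.

```python
# Added example (not Citrix code): deriving and auditing the firewall openings
# for the two-firewall DMZ deployment. Firewall names, the rule record and the
# sample addresses below are assumptions made for this illustration.
from collections import namedtuple

Rule = namedtuple("Rule", "firewall src dst proto port")
INTERNET = "0.0.0.0/0"


def derive_rules(gateway_ip, resources, listen_port=443):
    """First firewall: only TLS from anywhere to the appliance.
    Second firewall: one rule per authorized (resource, protocol, port),
    sourced from the appliance address only."""
    rules = [Rule("fw1-external", INTERNET, gateway_ip, "tcp", listen_port)]
    seen = set()
    for res in resources:
        key = (res["ip"], res["proto"], res["port"])
        if key in seen:
            continue
        seen.add(key)
        rules.append(Rule("fw2-internal", gateway_ip, *key))
    return rules


def audit_rules(rules, gateway_ip, resources, listen_port=443):
    """Flag rules broader than the deployment needs. Returns a list of
    findings; an empty list means the rule set matches the authorized set."""
    authorized = {(r["ip"], r["proto"], r["port"]) for r in resources}
    findings = []
    for rule in rules:
        if rule.firewall == "fw1-external":
            if rule.dst != gateway_ip or rule.port != listen_port:
                findings.append(f"external firewall exposes {rule.dst}:{rule.port}; "
                                f"only {gateway_ip}:{listen_port} should be reachable")
        elif rule.firewall == "fw2-internal":
            if rule.src != gateway_ip:
                findings.append(f"internal rule to {rule.dst}:{rule.port} is not "
                                f"restricted to the appliance source {gateway_ip}")
            elif rule.dst in (INTERNET, "any") or rule.port in ("any", 0):
                findings.append(f"internal rule {rule} opens any host or any port")
            elif (rule.dst, rule.proto, rule.port) not in authorized:
                findings.append(f"internal rule to {rule.dst}:{rule.port}/{rule.proto} "
                                "matches no authorized resource")
        else:
            findings.append(f"unknown firewall {rule.firewall!r}")
    return findings


# Constructed deployment: appliance DMZ address and two authorized resources.
GATEWAY_IP = "192.0.2.10"
RESOURCES = [
    {"name": "intranet web server", "ip": "10.0.0.5", "proto": "tcp", "port": 80},
    {"name": "Web Interface", "ip": "10.0.0.6", "proto": "tcp", "port": 443},
]


if __name__ == "__main__":
    rules = derive_rules(GATEWAY_IP, RESOURCES)
    for rule in rules:
        print(rule)
    print("findings:", audit_rules(rules, GATEWAY_IP, RESOURCES))
    # A rule someone added "temporarily" that lets any DMZ host reach RDP inside.
    widened = rules + [Rule("fw2-internal", INTERNET, "10.0.0.7", "tcp", 3389)]
    print("findings:", audit_rules(widened, GATEWAY_IP, RESOURCES))
```

The audit is deliberately strict about the source address on the second firewall: the appliance is the only host in the DMZ that should be initiating connections inward, so a rule that allows any source is a finding even when its destination and port look reasonable.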

Deploying Access Gateway in the Secure Network
You can install the Access Gateway appliance in the secure network, which is less
secure than deploying Access Gateway in the DMZ. In this scenario, one firewall exists
between the Internet and the secure network. Access Gateway resides behind the
firewall to control access to the network resources. The following figure shows a
configuration of Access Gateway in the secure network:

When Access Gateway is deployed in the secure network, you connect one interface on
Access Gateway to the firewall between the appliance and the Internet and the other
interface to servers that are running in the secure network. Installing Access Gateway
in the secure network provides access for local and remote users. With only one
firewall, however, this scenario is less secure for users who are connecting from a
remote location. Although Access Gateway intercepts traffic from the Internet, the
traffic enters the secure network before users are authenticated. When the Access
Gateway is deployed in a DMZ, users are authenticated before network traffic reaches
the secure network.
When Access Gateway is deployed in the secure network, Access Gateway Plug-in
connections must traverse the firewall to connect to Access Gateway. By default, user
connections use the Secure Sockets Layer (SSL) on port 443 to establish this
connection. To support this connectivity, you must open port 443 on the firewall.

Deploying Access Gateway with XenApp or XenDesktop
When you deploy Access Gateway to provide secure remote access to XenApp or
XenDesktop, Access Gateway works with the Web Interface and the Secure Ticket
Authority (STA) to provide access to published applications and desktops that are
hosted in a server farm.
When Access Gateway is deployed in the demilitarized zone (DMZ) to provide remote
access to a server farm, you can implement one of the following three deployment
possibilities:
• Deploy the Web Interface behind Access Gateway in the DMZ. In this
configuration, both Access Gateway and the Web Interface are deployed in the DMZ.
The initial user connection goes to Access Gateway and is then redirected to the
Web Interface.
• Deploy Access Gateway parallel to the Web Interface in the DMZ. In this
configuration, both Access Gateway and the Web Interface are deployed in the DMZ,
but the initial user connection goes to the Web Interface instead of to Access
Gateway. The Web Interface interacts with the STA and generates an ICA file to
ensure that Citrix online plug-in traffic is routed through Access Gateway to a
computer running XenApp in the server farm.
• Deploy Access Gateway in the DMZ and deploy the Web Interface in the internal
network. In this configuration, Access Gateway authenticates user requests before
the requests are relayed to the Web Interface in the secure network. The Web
Interface does not perform authentication, but interacts with the STA and generates
an ICA file to ensure that ICA traffic is routed through Access Gateway to the server
farm.

Deploying Additional Access Gateway Appliances for Load Balancing and Appliance
Failover
You can install multiple Access Gateway appliances into your environment for the
following reasons:
• Scalability. To accommodate more users, you can install additional Access Gateway
appliances in your network. To provide fault tolerance, you can deploy multiple
appliances behind a load balancer to balance the user load between Access Gateway
appliances.
• Appliance failover. If an Access Gateway fails, you can install additional Access
Gateway appliances to ensure that the internal network remains available to remote
users.
Note: To address appliance failover only, you can configure one Access Gateway as
the primary and one appliance as the secondary. If the primary Access Gateway fails,
user connections are directed to the secondary Access Gateway. For more information
about this configuration, see How Appliance Failover Works on Access Gateway 5.0
on page 138.

Deploying Access Gateway with Access Controller
Access Controller is an optional software component available for use with Access
Gateway. Access Controller offers the following features and benefits:
• Central administration of multiple Access Gateway appliances
• Clientless access to Web sites and file shares
• Native Active Directory authentication (not using LDAP)
• Advanced endpoint analysis scans
• Load balancing of connections across multiple appliances
• Adaptive access control to enable or disable published applications, desktops, and
ICA virtual channels based on endpoint analysis results
After you install Access Controller on a computer running Windows Server 2008, you
must configure Access Gateway to communicate with Access Controller. First, on the
Access Controller server, you add the Access Gateway appliance to Access Controller.
Then, you use the Access Gateway Management Console to switch Access Gateway to
use Access Controller.
For more information about the Management Console, see Access Gateway Management
Console on page 26.
You can then configure Access Controller to manage the settings for Access Gateway.
After you configure Access Controller, use the Access Gateway Management Console to
manage appliance-specific settings only.
If you have multiple servers running Access Controller, when you enter the IP address or
fully qualified domain name (FQDN) of one server, Access Gateway automatically
discovers the other Access Controller servers. It is only necessary to configure one
Access Controller on the appliance.

Access Controller Configurations
Access Controller supports the following cluster configurations:
• Access Controller on a single server. Install Access Controller on a single server.
The server contains all required cluster components, including the database server.
• Access Controller on a single server and Microsoft SQL Server on a separate
server. Install Microsoft SQL Server on a separate server. Install Access Controller
and specify the SQL database server for the cluster database.
• Access Controller on multiple servers. Install Microsoft SQL Server on a separate
database server. Install Access Controller on multiple servers to create a cluster.
Caution:
• When you select Access Controller to manage the Access Gateway settings, the
corresponding settings in the Access Gateway Management Console are
deactivated. If you configured settings with the Management Console before
selecting Access Controller, you must configure these settings again using the
Delivery Services Console.
For more information about configuring these settings in the console, see
Managing Access Controller on page 189.
• If you disable administration with Access Controller, settings in the Delivery
Services Console are deactivated and existing configuration values are removed.
The settings that you previously configured on the Access Gateway are restored.
For more information, see Enabling Access Controller on page 194.

Deploying Plug-ins for User Access
Access Gateway supports the following software deployment options:
Integration with enterprise software deployment tools
Deploy client software using a Microsoft Active Directory infrastructure or a
third-party deployment tool that supports Windows Installer (MSI) packages, such as
Windows Server Update Services. Use your deployment tool to deploy and install the
software on the appropriate user devices.
Advantages of using a centralized deployment tool include:
• Ability to adhere to security requirements. For example, you can install client
software without enabling software installation privileges for non-administrative
users.
• Control over software versions. You can deploy an updated version of the software
to all users simultaneously.
• Scalability. A centralized deployment strategy easily scales to support additional
users.
• Positive user experience. You can deploy, test, and troubleshoot installation-related
issues without involving users in this process.
Citrix recommends this option when administrative control over the installation of
client software is preferred and access to user devices is readily available.
For more information, see Installing the Access Gateway Plug-in by Using the Microsoft
Installer (MSI) Package on page 295.
On demand
Configure the deployment of software only when required. Users connect to their
network and the software is automatically downloaded on an as-needed basis.
You can combine deployment options to create your deployment strategy. For example,
you can post the installation packages on a network share point for users within the
secure network and also enable on-demand deployment of clients for users who
connect from an Internet kiosk.
Note: The Endpoint Analysis Plug-in is available as a stand-alone MSI on the Server
CD in the \Setup\EndpointAnalysisClient\lang directory. In addition, you can create
individual installation packages for all client software components supported by the
Access Client package.

Determining Which Software Plug-in to Deploy
If your Access Gateway deployment does not require any software plug-in on user
devices, your deployment is considered to provide clientless access. In this scenario,
users need only a Web browser to access network resources. However, certain features
require the plug-in software on the user's device.
For additional information about user device software minimum requirements, see User
Device Requirements on page 42.
Note: Small form factor devices are not compatible with the Access Gateway Plug-in
or the Endpoint Analysis Plug-in. Therefore, features that require the plug-ins are not
available on small form factor devices.

Deployment Options for the Web Interface
When deploying Access Gateway with the Web Interface, you can install the Web
Interface in the demilitarized zone (DMZ) or in the secure network. The location in
which you deploy the Web Interface depends on a number of factors, including:
• Authentication. When users log on, either Access Gateway or the Web Interface can
authenticate user credentials. Where you place the Web Interface in your network is
a factor that determines, in part, where users authenticate.
• User software. Users can connect to the Web Interface with either the Access
Gateway Plug-in or Citrix online plug-ins. You can limit the resources users can
access by using online plug-ins only, or give users greater network access with the
Access Gateway Plug-in. How users connect, and the resources to which you allow
users to connect, can help determine where you deploy the Web Interface in your
network.
The Web Interface deployment options are:
• Web Interface in the secure network
• Web Interface parallel to Access Gateway in the DMZ
• Web Interface behind Access Gateway in the DMZ
The topics in this section discuss these options.

Deploying the Web Interface in the Secure Network


In this deployment, the Web Interface resides in the secure network. The Access
Gateway appliance is deployed in the demilitarized zone (DMZ). Access Gateway
authenticates user requests before the requests are sent to the Web Interface.
When the Web Interface is deployed in the secure network, authentication must be
configured on Access Gateway. Users connect to Access Gateway, type their
credentials, and are connected to the Web Interface.
If you deploy the Web Interface with XenDesktop, deploying the Web Interface in the
secure network is the default deployment scenario. When you install Desktop Delivery
Controller, a custom version of the Web Interface is also installed.

Deploying the Web Interface Parallel to Access Gateway in the DMZ
In this deployment, the Web Interface and Access Gateway both reside in the
demilitarized zone (DMZ) and run parallel to each other. Users connect directly to the
Web Interface using a Web browser. After users log on to the Web Interface, they can
access published applications or desktops in the server farm. When users start an
application or desktop, the Web Interface sends an ICA file containing instructions for
routing ICA traffic through Access Gateway as if the appliance were a server running
the Secure Gateway. The ICA file that the Web Interface delivers includes a session
ticket produced by the Secure Ticket Authority (STA).
When Citrix online plug-ins connect to Access Gateway, the ticket is presented. Access
Gateway contacts the STA to validate the session ticket. If the ticket is still valid, the
user's ICA traffic is relayed to the server in the server farm. Because Access Gateway
relays only traffic for which the STA vouches, a client that connects to the appliance
without a ticket issued at launch time is not relayed anywhere.
When the Web Interface runs parallel to Access Gateway in the DMZ, you do not need
to configure authentication on Access Gateway. If you have Access Gateway deployed
where one network adapter connects to the external network (either the Internet or a
wide area network (WAN)) and the second network adapter connects to your intranet,
the Web Interface and Access Gateway must have IP addresses that users can reach
from the Internet or the secure network. The network adapters installed on Access
Gateway and the Web Interface must be on the same network and be able to
communicate with each other.
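The ticket exchange described above involves three parties: the Web Interface requests a ticket at launch time, the plug-in presents it to Access Gateway, and Access Gateway asks the STA whether it is still valid before relaying. The following is an added example, not code from the Citrix product or this guide: it is a simplified model in which the ticket is one-time use and short-lived, the launch data carries only the fields that matter here, and the field names, ticket format, lifetime and addresses are assumptions; the real ICA file layout and STA protocol are not reproduced.

```python
# Added example (not Citrix code): a simplified three-party model of the STA
# exchange. Message fields, ticket format, one-time use and the 100 second
# lifetime are assumptions made for this illustration.
import secrets
import time


class SecureTicketAuthority:
    """Issues opaque tickets that stand in for an internal server address."""

    def __init__(self, ttl_seconds=100, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}   # ticket -> (server_address, expiry time)

    def request_ticket(self, server_address):
        """Called by the Web Interface when the user starts an application."""
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_address, self.clock() + self.ttl)
        return ticket

    def validate(self, ticket):
        """Called by Access Gateway when the plug-in presents the ticket.
        The ticket is consumed on first use; returns the server address
        it was issued for, or None if unknown, replayed or expired."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_address, expiry = entry
        if self.clock() > expiry:
            return None
        return server_address


def web_interface_launch(sta, gateway_fqdn, server_address):
    """The Web Interface builds the launch data the plug-in receives. The
    internal server address is replaced by the ticket, so the client only
    learns the appliance it must connect to."""
    return {
        "SSLProxyHost": f"{gateway_fqdn}:443",
        "Ticket": sta.request_ticket(server_address),
    }


def gateway_relay(sta, launch_data):
    """Access Gateway validates the ticket with the STA and relays ICA
    traffic only if it is accepted. Returns the address relayed to, or None."""
    return sta.validate(launch_data["Ticket"])


class FakeClock:
    """Controllable clock so the expiry path can be exercised deterministically."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def run_scenario():
    """Happy path, replay of the same ticket, and an expired ticket.
    Returns the three relay results in that order."""
    clock = FakeClock()
    sta = SecureTicketAuthority(ttl_seconds=100, clock=clock)
    launch = web_interface_launch(sta, "gateway.example.com", "10.0.0.20:1494")
    first = gateway_relay(sta, launch)      # valid: relayed to the farm server
    replay = gateway_relay(sta, launch)     # same ticket again: rejected
    late = web_interface_launch(sta, "gateway.example.com", "10.0.0.21:1494")
    clock.now += 101                        # ticket lifetime exceeded
    expired = gateway_relay(sta, late)
    return first, replay, expired


if __name__ == "__main__":
    print(run_scenario())
```

The property worth noticing is that the appliance never needs to authenticate the user itself in this layout: it trusts the STA's answer, and the STA only has a ticket to confirm because an authenticated Web Interface session asked for one moments earlier.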
Figure 5-1. The Web Interface installed parallel to Access Gateway

User connections are first sent to the Web Interface for authentication. After
authentication, the connections are routed through Access Gateway.

Deploying the Web Interface Behind Access Gateway in the DMZ
To route all HTTPS and ICA traffic through a single external port and require the use of
a single Secure Sockets Layer (SSL) certificate, Access Gateway can act as a reverse
Web proxy for the Web Interface.
When you deploy the Web Interface behind Access Gateway in the demilitarized zone
(DMZ), authentication on the appliance can be configured, but is not required.


Chapter 6

Installing Access Gateway 5.0

Topics:
Setting Up the Model 2010 Appliance
Configuring the Model 2010 Appliance
Planning Your Installation of Access Controller
Installing Access Controller

When you receive your Citrix Access Gateway appliance, you
unpack the appliance and prepare the site and rack. After you
determine that the location where you will install your
appliance meets the environmental standards and the server
rack is in place according to the instructions, you install the
hardware. After you mount the appliance, you connect it to
the network, to a power source, and to the console terminal
that you use for initial configuration. After you turn on the
appliance, you perform the initial configuration and assign
management and network IP addresses. Be sure to observe the
cautions and warnings listed with the installation instructions.
After you install the appliance, you can install Citrix Access
Controller on Windows Server 2008. You then configure Access
Gateway and Access Controller to communicate with each
other.
Citrix recommends using the Access Gateway 5.0 Pre-Installation Checklist on page 51
to record your settings before installing the Access Gateway appliance. For information
about installing the appliance, see Installing the Access Gateway Appliance.

Setting Up the Model 2010 Appliance


The following procedures describe how to set up the Access Gateway Model 2010
appliance for the first time.

To physically connect the Access Gateway appliance
1. Install Access Gateway in a rack if it is rack-mounted.
2. Connect the power cord to the AC power receptacle.
3. Connect Access Gateway to a Windows-based computer with either the serial cable
or a cross-over network cable, or connect it to a network switch with an RJ-45
network cable.
4. Configure the TCP/IP settings by following the instructions in Configuring the
Model 2010 Appliance on page 76.
Figure 6-1. Access Gateway connection options using a cross-over cable, a network
switch, or terminal emulation

Configuring the Model 2010 Appliance
You can use a serial console to configure the initial settings of Access Gateway. You can
use the serial console to set the IP address and subnet of the network adapter that is
called Interface 0, as well as the IP address of the default gateway device. You
configure subsequent settings using the Management Console in Access Gateway 5.0 or
the Administration Tool in Access Gateway 4.6.
For more information about configuring Access Gateway to work in your network, see
the following:
• If you are using Access Gateway 5.0, see Introduction.
• If you are using Access Gateway 4.6, see Getting Started with Access Gateway
Standard Edition.

Planning Your Installation of Access Controller
To plan your installation of Access Controller, you must make sure your servers
meet the requirements for the Access Controller components and features you plan to
use. This topic provides an overview of the tasks you must perform before and after
you install the Access Controller software.
To get started with Access Controller, complete the following steps:
1. Update your Windows-based servers with Windows Update to apply the appropriate
security updates before you install Access Controller.
2. Ensure that your servers meet all requirements for the components and features
you plan to use.
3. Install licenses on the Access Gateway appliance or on Citrix License Server. Access
Controller obtains licenses from the location configured on the appliance.
4. Install Access Controller and the Delivery Services Console by following the steps in
Installing Access Controller.
5. Install additional components, if applicable.
6. Go to the Citrix Knowledge Center to download and install critical updates.
In addition to this list, before you install Access Controller on Windows Server 2008 R2,
make sure you perform the following tasks:
• Register ASP.NET with Internet Information Services (IIS) 7.0
• Install the IIS 6.0 MetaBase components

Pre-Installation Tasks
Many Access Controller features require that you install certain components or
configure settings before you install the software.
The following table describes the required pre-installation tasks and includes
references to additional information about each component or feature.

Component or feature: Access Gateway appliance
  Required task: Install one or more appliances.
  Additional information: Access Gateway 5.0 Pre-Installation Checklist on page 51;
  Introduction on page 20; Access Gateway Management Console on page 26

Component or feature: Access Controller
  Required task: Ensure that your servers are running a supported version of
  Microsoft Windows.
  Additional information: Account Requirements on page 37
  Required task: Ensure network configuration meets requirements.
  Additional information: Network Requirements on page 36
  Required task: Ensure service account meets requirements.
  Additional information: Account Requirements on page 37
  Required task: Install database server and create user account.
  Additional information: Account Requirements on page 37
  Required task: Restart the server if installing on a server running Access
  Controller.
  Additional information: Installing Access Controller on page 79

Component or feature: Authentication
  Required task: Configure Active Directory or other authentication types on Access
  Controller.
  Additional information: Authentication Software Requirements on page 39

Component or feature: Delivery Services Console
  Required task: If installing on a standalone server, ensure that required software
  is installed.
  Additional information: Delivery Services Console Requirements on page 40

Component or feature: Database server
  Additional information: Database Requirements on page 38
Post-Installation Tasks
The following table describes the tasks you perform immediately after installing the
Access Controller software and includes references to additional information about
each component or feature.


Access Controller Configuration
  Required task: Run the Server Configuration utility to configure settings on Access
  Controller and connect to a SQL Server database.
  Additional information: How the Server Configuration Utility Works on page 191

Access Gateway appliance
  Required task: Configure communication with Access Controller.
  Additional information: Deploying Access Gateway with Access Controller on page 69

Access Controller
  Required task: Add Access Gateway appliances to Access Controller.
  Additional information: To add Access Gateway to Access Controller on page 195
Installing Access Controller


You can only install Access Controller on Windows Server 2008. If you want to upgrade
from Access Gateway 4.5, Advanced Edition to Access Controller, install Access
Controller on the server and then migrate settings from Advanced Access Control.
Before you install Access Controller, review the Access Controller System Requirements
on page 35 for the server. Make sure the server and your network environment can
support Access Controller before you start the installation process. For details, see
Planning Your Installation of Access Controller on page 77.

To install Access Controller


Citrix supports the deployment of Access Controller on a single server or on multiple
servers in your network.
The Access Controller Setup Wizard guides you through the process of installing Access
Controller and its components.
1. Insert the Access Controller server CD-ROM in the CD drive. The startup screen
appears if you enable autorun. If you do not enable autorun, navigate to the CD
root directory and double-click AutoRun.exe.
2. On the startup screen, click Citrix Access Controller.
3. On the Welcome screen, click Next.
4. Read and accept the Citrix license agreement.
5. Select any of the following components to install:



Server. Installs the Access Controller server software, including the Logon Agent
and server configuration tools.
Delivery Services Console. Installs the configuration and management tool for
Access Controller.
6. Follow the on-screen instructions to complete the Setup Wizard.
While Access Controller is installing, a message box indicates the progress. When the
installation is complete, before exiting the wizard, you can select an option to use the
Server Configuration utility to configure the server and install Access Controller on
other servers.
For more information about configuring your server, see Initial Configuration of Access
Controller on page 190.

Troubleshooting the Installation


During installation, Access Controller creates the log file CTXCAC50_Install.log that you
can use to troubleshoot the server installation. Access Controller writes the log file to a
temporary folder by default. To define the location of this folder, Access Controller
checks the following environment variables:
• TMP
• TEMP
• USERPROFILE
• windir
The first valid path that Windows finds among these variables becomes the location of
the installation log files.
You can override this default path by typing /logfilepath folder_path at a
command prompt, where folder_path is the location where you want to store the
installation log files.
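The following script, added here as an example and not part of the Citrix guide, resolves the log folder the same way the installer does (first of TMP, TEMP, USERPROFILE, windir that names an existing folder) and pulls the error lines out of CTXCAC50_Install.log. The plain-text log format and the /logfilepath override parameter name are assumptions.

```powershell
# Added example, not from the Citrix guide: locate CTXCAC50_Install.log by walking the
# environment variables the installer checks, in the order the guide gives (TMP, TEMP,
# USERPROFILE, windir), and taking the first one that names an existing folder.
# Run it in the same account that ran Setup, because TMP and TEMP are per-user.

function Get-InstallLogFolder {
    param(
        [string[]]$VariableNames = @('TMP', 'TEMP', 'USERPROFILE', 'windir'),
        # Folder given to the installer with /logfilepath, if you used that switch
        [string]$LogFilePathOverride
    )
    if ($LogFilePathOverride) { return $LogFilePathOverride }
    foreach ($name in $VariableNames) {
        $value = [Environment]::GetEnvironmentVariable($name)
        # First variable that is set and points at an existing folder wins
        if ($value -and (Test-Path -LiteralPath $value -PathType Container)) {
            return $value
        }
    }
    return $null
}

function Get-AccessControllerInstallLog {
    param([string]$LogFilePathOverride)
    $folder = Get-InstallLogFolder -LogFilePathOverride $LogFilePathOverride
    if (-not $folder) {
        Write-Warning 'None of TMP, TEMP, USERPROFILE or windir names an existing folder.'
        return $null
    }
    $logPath = Join-Path $folder 'CTXCAC50_Install.log'
    if (-not (Test-Path -LiteralPath $logPath)) {
        Write-Warning "No CTXCAC50_Install.log in $folder"
        return $null
    }
    Get-Item -LiteralPath $logPath
}

# Usage: show the resolved log and the first lines that mention an error or failure.
# The guide does not document the log format, so this assumes plain text lines.
$log = Get-AccessControllerInstallLog
if ($log) {
    "Install log: $($log.FullName) ($($log.Length) bytes, last written $($log.LastWriteTime))"
    Select-String -Path $log.FullName -Pattern 'error', 'fail' | Select-Object -First 20
}
```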

Uninstalling Access Controller


If you want to remove an Access Controller component from a server, use Programs and
Features in Control Panel. Depending on the options you installed, remove the
components in the following order:
• Citrix Access Gateway Server
• Citrix Access Gateway Console
• Citrix License Server Administration
• Citrix Delivery Services Console - Diagnostics
• Citrix Delivery Services Console - Framework
Note: You can remove the Citrix License Server Administration and Citrix Delivery
Services Console - Diagnostics components at any time in the uninstallation process.
However, you must remove the Citrix Delivery Services Console - Framework
component last.

To remove Access Controller components


1. Choose Start>Settings>Control Panel.
2. In Control Panel, double-click Programs and Features.
3. Select a program, click Uninstall and follow the prompts.

Chapter 7

Installing Licenses on Access Gateway


Topics:
• Access Gateway License Types
• Obtaining Your Platform or Universal License Files
• Licensing Grace Period
• To view licensing information

Citrix Access Gateway 5.0 requires the Platform license. To allow connections to the
network through the Access Gateway Plug-in or a SmartAccess logon point, you must also
add a Universal license.
In Access Gateway 5.0, you install licenses on either the Access Gateway appliance or
Citrix License Server. You use the Access Gateway Management Console to install
licenses for Access Gateway. If you use Citrix Access Controller, the server obtains
licenses from either the appliance or the license server, depending on how you
configured the licenses on Access Gateway. You do not have to install licenses on
Access Controller.
Important: When license files are hosted on the appliance, the host name in the license
file must match the host name on the Access Gateway exactly, including letter case.

Exchanging or Migrating Existing Licenses
If you are a current Subscription Advantage member, you can exchange or migrate your
existing Access Gateway licenses to update your license files.
Migrating licenses involves the following steps:
• Migrate existing licenses through MyCitrix.com.
• Download a new license file.
• Copy the new license to the license server.


Access Gateway License Types


Access Gateway 5.0 requires a Platform license. To allow connections to the network
through the Access Gateway Plug-in or a SmartAccess logon point, you must also add a
Universal license. The trial version of the virtual appliance, Access Gateway VPX,
comes with the Platform license.
The Platform license is supported on the following Access Gateway versions:
• Access Gateway 5.0
• Access Gateway 4.6, Standard Edition
• Access Gateway 9.3, Enterprise Edition
• Access Gateway 9.2, Enterprise Edition
• Access Gateway VPX
Important: Citrix recommends that you retain a local copy of all license files that you
receive. When you save a backup copy of the configuration file, all uploaded license
files are included in the backup. If you need to reinstall the Access Gateway appliance
software and do not have a backup of the configuration, you will need the original
license files.

The Platform License


The Platform license allows user connections to XenApp-hosted applications or
XenDesktop-hosted desktops, and these connections do not use an Access Gateway
concurrent license. If you only want users to connect with online plug-ins to XenApp or
XenDesktop, the Platform license is all that is required.
The Platform license is delivered electronically with all new Access Gateway orders,
whether physical or virtual. If you already own an appliance covered by a warranty or
maintenance agreement, you can obtain the Platform license through the Product
Upgrades/Fulfillment toolbox on MyCitrix.com.

The Universal License


The Universal license limits the number of concurrent user sessions to the number of
licenses you purchase.
The Universal license supports the following features:
• Full VPN tunnel
• Endpoint analysis
• Policy-based SmartAccess
• Clientless access to Web sites and file shares


If you purchase 100 licenses, you can have 100 concurrent sessions at any time. When a
user ends a session, that license is released for the next user. A user who logs on to
Access Gateway from more than one computer occupies a license for each session.
If all licenses are occupied, no additional connections can be opened until a user ends a
session or you terminate the session. When a connection is closed, the license is
released and can be used for a new user.
When you receive your Access Gateway appliance, licensing occurs in the following order:
• You receive the License Authorization Code (LAC) in e-mail.
• You use the Setup Wizard to configure Access Gateway with the host name.
• You allocate the Access Gateway licenses from MyCitrix.com. Use the host name to
bind the licenses to the appliance during the allocation process.
• You install the license file on Access Gateway or your license server.

The Express License


The Express license is used with the Access Gateway VPX and allows for up to five
concurrent user connections using Citrix online plug-ins or the Access Gateway Plug-in.
The Express license is available for the VPX Express appliance and expires after one
year. The user sessions can be from Basic or SmartAccess logon points.
For more information about the system requirements for Access Gateway VPX Express
and to download the appliance, see Try Access Gateway.
After you download Access Gateway VPX Express, from the Try Access Gateway Web
site, you acquire a license key, and then you activate and download your license file.
You will need to provide the host name of your Citrix License Server or the fully
qualified host name of the Access Gateway.
Important: The entry field for this name is case-sensitive, so make sure that you copy
the host name exactly as it is configured on the Access Gateway appliance or license
server.

Obtaining Your Platform or Universal License Files

After you install the Access Gateway, you are ready to obtain your license files from
Citrix. You connect to My Citrix to access your available licenses and to generate a
license file. When the license file is generated, download it to a computer. When the
license file is on the computer, you can then upload it to the Access Gateway.
Before going to the Citrix Web site, you need the following information:
• The license code. You can find the code in an email you receive from Citrix or from
My Citrix. If you are upgrading from an older version of the Access Gateway, you can
continue to use the existing license, if the license was obtained from the
Subscription Advantage Management-Renewal-Information system (SAMRI) and the
Subscription Advantage date is not expired.
• Your user ID and password for My Citrix. You can register for this password on My
Citrix.
Note: If you cannot locate either of these items, contact Citrix Customer Service at
1-800-4-CITRIX.
• The host name of the Access Gateway. The entry field for this name on My Citrix is
case-sensitive, so make sure that you copy the host name exactly as it is configured
on the Access Gateway appliance.
• How many licenses you want to include in the license file. You do not have to
download all of the licenses to which you are entitled at once. For example, if your
company purchases 100 licenses, you can choose to download 50. At a later date,
you can allocate the rest in another license file. Multiple license files can be
installed on the Access Gateway.
Before obtaining your licenses, make sure you configure the host name of the appliance
using the Setup Wizard and then restart the appliance. When you are ready to install
the universal license on the Access Gateway, go to My Citrix to get your license.

To obtain your platform or universal license file


1. From a Web browser, go to http://www.citrix.com/ and click on My Citrix.
2. Enter your user name and password.
If this is your first time logging on to the site, you are asked for additional
background information.
Note: If you are an existing customer, proceed with Steps 3 through 11. If you are
a new customer, go to Steps 9 through 11 to obtain your licenses.
3. In Choose a Toolbox, click Product Upgrades/Fulfillment.
4. On the Product Upgrades/Fulfillment page, next to Current Tool, select Upgrade
Eligible Products.
5. Under Product Fulfillment Selection, in Select the product you have, select
Access Gateway/Secure Access Manager.
6. Under Select the product you would like to receive, select one of the following:
Access Gateway Platform License
Note: If you selected the platform license, a screen appears that explains the
platform license, eligibility, and appliance software requirements.
Access Gateway Universal License


Note: This option is available only if you have a valid Subscription Advantage
or purchased the universal license as a standalone license.
7. Click Submit.
A second Web browser window opens with the selection for the platform or
universal license.
8. Under the Access Gateway appliance description, click on one of the serial
numbers and click Continue.
The Confirmation page appears. This screen displays an agreement between you
and Citrix. Click Accept.
The Fulfillment Request Confirmation page appears showing that your request is
registered. When this is complete, you will receive an email containing download
links for media, license code and server (if needed) from the GTL License
Administrator.
9. When you receive the license email from Citrix, click the link to allocate the
license.
The Citrix Activation System page appears. You need the host name or host ID
reference to activate your license.
The host name or host ID is based on the MAC address of Access Gateway VPX or
the host ID of the Access Gateway appliance on which you install the license.
10. Click Continue.
The platform or universal license name, license code and quantity appears.
11. In Host name of your citrix license server, enter the host name of Access
Gateway VPX or of the physical appliance, click Allocate and then click Confirm.
When you click Confirm, a screen appears with your licensing information. To download
and save the license file, click Download License File and save the file to your
computer. You can then install the license on the Access Gateway.
To install the license on Access Gateway Enterprise Edition, see To install a license on
the Access Gateway using the configuration utility.

Migrating Licenses from 4.6


In Access Gateway 5.0, user licenses are the same as they were in Version 4.6. If your
Subscription Advantage subscription is current, you can use your existing licenses. They
are compatible with 5.0.
The Platform license is new for Access Gateway 5.0. Without a Platform license, you
cannot use your user licenses even if your Subscription Advantage date is valid. Starting
in February of 2010, Citrix began issuing Access Gateway 5.0-compatible Platform
license files to all new Access Gateway customers. If you have not yet received a
Platform license for a Model 2010 appliance that you purchased before February 2010,
you will need to obtain the license from the Upgrade My Products toolbox on
MyCitrix.com when you upgrade from Version 4.6 to 5.0.

To install a license on Access Gateway


After you successfully download the license file to your computer, you use the Access
Gateway Management Console to install the file on Access Gateway.
License files are generated based on the host name, using the fully qualified domain
name (FQDN) of the Access Gateway appliance. The Access Gateway appliance where
the licenses are installed, also called the license server, processes the installed license
files and disregards invalid license files.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Licensing.
3. Under Installed License Files, click Upload.
4. In the Select file to upload dialog box, navigate to the license file you want to
install, and then click Open.
Important: Citrix recommends that you retain a local copy of all license files that you
receive. When you save a backup copy of the configuration file, all uploaded license
files are included in the backup. If you need to reinstall the Access Gateway appliance
software and do not have a backup copy of the configuration file, you will need the
original license. For information about creating a configuration snapshot and restoring
configuration settings, see Creating Snapshots to Manage Access Gateway
Configuration Settings on page 114.

Licensing for Multiple Appliances


In Access Gateway 5.0, you install licenses on either the Access Gateway appliance or
Citrix License Server. If you are using Access Controller, the server obtains licenses from
either the appliance or the license server. You do not have to install licenses on Access
Controller.
If you have multiple Access Gateway appliances installed in your network, you can
configure the appliances to obtain licenses from Citrix License Server.
Note: One Access Gateway appliance cannot act as a license server for multiple
appliances. You can either install licenses on each installed appliance or install
licenses on the license server.
License allocation occurs for appliances regardless of their individual status in the
network.

To obtain licenses from the license server


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Licensing.
3. At the bottom of the Licensing panel, click Configure.
4. In the Licensing Server dialog box, for Licensing type, select Retail or Express.
5. For Server, select Remote Server.
6. In Server, type the FQDN or IP address of the license server.
7. In Manager port, change the port number or leave the default as 27000 and then
click Save.
8. Repeat this procedure on each Access Gateway in the cluster.
The manager port makes the initial contact from Access Gateway and passes it to the
license server. Then, the license server passes communication from the manager port
to the vendor port. The vendor port runs on the license server and grants the license
using port number 27001. The port numbers can be changed depending on your firewall
configuration. The manager port tracks the licenses that are checked out and which
Access Gateway is using them.
You might need to create new firewall rules to allow network access to the license
server ports.
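A connectivity check for the two ports described above, added here as an example and not part of the Citrix guide. It is meant to run from a Windows host on the same network path as the appliances (the Access Controller server, for instance); the license server name is a placeholder, and the vendor port is assumed to still be 27001 unless you moved it.

```powershell
# Added example, not from the Citrix guide: confirm that a Citrix License Server accepts
# TCP connections on the manager port (27000 by default) and the vendor port (27001 by
# default). The guide explains that the manager port only makes the initial contact and
# the vendor port grants the license, so a firewall that passes 27000 but blocks 27001
# still breaks license checkout.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMilliseconds = 3000
    )
    # System.Net.Sockets.TcpClient is available on PowerShell 2.0 (Windows Server 2008),
    # unlike the Test-NetConnection cmdlet of later Windows versions.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMilliseconds, $false)) {
            return $false   # no answer within the timeout: filtered or host down
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CitrixLicenseServerPorts {
    param(
        [Parameter(Mandatory=$true)][string]$LicenseServer,
        [int]$ManagerPort = 27000,   # "Manager port" in the Licensing Server dialog box
        [int]$VendorPort  = 27001    # vendor port; change it if you moved it for your firewall
    )
    $results = foreach ($entry in @(@{Role='manager'; Port=$ManagerPort},
                                    @{Role='vendor';  Port=$VendorPort})) {
        New-Object PSObject -Property @{
            Server = $LicenseServer
            Role   = $entry.Role
            Port   = $entry.Port
            Open   = Test-TcpPort -ComputerName $LicenseServer -Port $entry.Port
        }
    }
    $results
}

# Usage: replace the placeholder with the FQDN or IP address you typed in the Server field.
$report = Test-CitrixLicenseServerPorts -LicenseServer 'licsrv01.example.internal'
$report | Format-Table Server, Role, Port, Open -AutoSize
if ($report | Where-Object { -not $_.Open }) {
    Write-Warning 'At least one license port is blocked; review the firewall rules between Access Gateway and the license server.'
}
```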

Licensing Grace Period


When you first install Access Gateway 5.0, you enter a 48-hour grace period. During
this grace period, you are entitled to two Universal licenses and one Platform license.
You must install your license on the appliance or configure the appliance to use a
remote licensing server by the end of this grace period. If you do not, users cannot log
on.
If the Access Gateway licensing server fails, the other appliances in the cluster enter a
30-day grace period. Access Gateway keeps the date when it last contacted the license
server. Users can continue to log on during this grace period. When a remote appliance
detects the license server, the 30-day grace period is reset. If the license server fails
again, the appliances enter another 30-day grace period.

To view licensing information


In the Access Gateway Management Console, you can view details about the licenses
that you installed on Access Gateway. The details include the license type, license
expiration date, and concurrent user count.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Licensing.
3. In the Licensing panel, under Access Gateway License Information, expand an
entry to see details for the installed license.
The table displays information for each license, such as the expired and issued
dates, type, last updated date, version, serial number, total number, and the
number used.


Chapter 8

Upgrading and Migrating to Access Gateway 5.0

Topics:
• Upgrading the Access Gateway Appliance Software
• Upgrading Access Controller
• Migrating to Access Gateway 5.0
• Migrating from Access Gateway Advanced Edition
• Creating Snapshots to Manage Access Gateway Configuration Settings
• Reinstalling the Access Gateway 5.0 Software
• Restarting or Powering Off Access Gateway

You can upgrade Citrix Access Gateway from earlier versions of the appliance. You can
upgrade the Access Gateway appliance from the following versions:
• Access Gateway 4.6.x, Standard Edition
• Access Gateway 5.0.x
When you upgrade from Version 4.6.x to Version 5.0, some settings are migrated to
Version 5.0. When you upgrade from Version 5.0 to Version 5.0.1 or later, you create a
snapshot of your configuration settings first and then install the upgrade. After
installation, you migrate to the new version and your configuration settings are
preserved.
Important: Before you upgrade Access Gateway, Citrix recommends saving your
configuration settings to your local computer. If you want to revert to an earlier
version or need to reimage the appliance for any reason, you can use the saved
configuration to restore your settings.

Upgrading Access Controller
Citrix Access Controller runs on Windows Server 2008.
You can perform the following upgrades in Access Controller:
• Upgrade from Version 5.0 to Version 5.0.2
• Upgrade from Version 5.0.1 to Version 5.0.2
You cannot upgrade from the following versions. Instead, you must perform a new
installation of Access Controller on Windows Server 2008:
• Access Gateway 4.5, Advanced Edition to Access Gateway 5.0 or later. After you
install Access Controller on Windows Server 2008, you can use the Migration Wizard to
migrate your Advanced Access Control settings from Access Gateway 4.5, Advanced
Edition to Access Controller.


• Access Gateway 5.0 to Access Gateway 5.0.1. The steps for upgrading Access
Controller from Version 5.0 to 5.0.1 are:
a. Export the Version 5.0.x cluster database configuration.
b. Remove the earlier version of Access Controller from the server.
c. Install Version 5.0.1 of the Access Controller software.
d. Run Server Configuration.
e. Create a new database (do not join an existing cluster).
f. Import the saved cluster configuration.
To move from Version 5.0 to 5.0.1, you must remove Version 5.0 first. To remove Access
Controller from the server, use Programs and Features in Control Panel. Depending on
the options you installed, you must remove the components in the following order:
• Citrix Access Gateway Server
• Citrix Access Gateway Console
• Citrix Licensing
• Citrix Delivery Services Console - Diagnostics
• Citrix Delivery Services Console - Framework
You can remove the Citrix License Server Administration and Citrix Delivery Services
Console - Diagnostics components at any time in the uninstallation process. However,
you must remove the Citrix Delivery Services Console - Framework component last.
To remove Access Controller components
1. Choose Start>Settings>Control Panel.
2. In Control Panel, double-click Programs and Features.
3. Select a program, click Uninstall and then follow the
prompts.
Important: When you run Server Configuration after
installing Access Controller, select the option Create a new
database. You do not want to join the server to an existing
Access Controller 5.0.x cluster. After you configure the
cluster, you can import Version 5.0.x cluster data to the new
cluster. You do not need to use the Migration Wizard.


Upgrading the Access Gateway Appliance Software

You can upgrade the Access Gateway software when a new version becomes available.
To upgrade the appliance software, you use the Snapshots tab in the Access Gateway
Management Console.
Each Access Gateway software version is stored in a database on the Access Gateway
and is listed on the Software Releases and Configuration Snapshots panel. When you
click a software version, the corresponding snapshots appear in the Snapshots panel
below the Software Releases panel.
Important: Before installing a new version of the Access Gateway software, Citrix
recommends that you create a snapshot of the current configuration and then export
the snapshot to your computer. For more information about exporting the configuration
snapshot, see To export a snapshot on page 115.
After you save the current configuration, you can install the latest release of the
software on Access Gateway. To do so, download the new software version from My
Citrix and save it to your computer. Then, again, on the Snapshots tab in the Access
Gateway Management Console, you import the new software file to Access Gateway.
You can also delete software versions from Access Gateway. When you delete a
software version, all corresponding snapshots that reside in the database are deleted.
You cannot delete the version that is currently active.

To download the Access Gateway software


1. Go to the Citrix Web site, click My Citrix and then log on.
2. At the top of the Web page, click Downloads.
3. In Search Downloads by Product, select Access Gateway.
4. Under Product Software, click the product name and version that matches your
software release version.
The download page appears.
5. Click Get Software to start the download, view the end-user license agreement,
and save the file to a folder on your computer.

To upgrade the Access Gateway software


1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, next to Software
Releases, click Import.

3. Navigate to the software upgrade file you saved on your computer and then click
Open.
The software installation starts.
After the software installation completes, the new version appears in the Software
Releases panel. To make the new version active, select the version, click Migrate and
then restart Access Gateway.

To revert to an earlier software version


You can revert to an earlier version of the Access Gateway software. To do so, in the
Access Gateway Management Console, you select the snapshot to which you want to
revert.
Important: Citrix recommends that you create a snapshot of the current configuration
before you revert to an earlier version of the software. For more information, see To
create a snapshot on page 115.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Software
Releases, click the software version to which you want to revert.
3. Under Snapshots, select a snapshot and then click Make Active.
You are prompted to restart Access Gateway. When the appliance restarts, the
earlier software version is active.
Note: You cannot revert to Access Gateway 4.6.x, Standard Edition or earlier using
Snapshots.

To delete an Access Gateway software version


You can use the Access Gateway Management Console to delete a version of the Access
Gateway software.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, in Software
Releases, select a software version and then click Delete.
When you delete a software version, all corresponding snapshots are also removed
from the Access Gateway database.


Upgrading Access Gateway Appliances in an Appliance Failover Pair

When you upgrade Access Gateway appliances that are part of an appliance failover
pair, you must remove both appliances from the pair. After you remove the pair, you
upgrade each appliance and then reestablish the pair.

To remove the primary appliance from an appliance failover pair

1. On the primary appliance in the pair, open the Access Gateway Management Console.
2. Click Management and then under System Administration, click Appliance
Failover.
3. Under Start or Stop Appliance Failover, click Stop.
4. Restart the Access Gateway when prompted.

To remove the secondary appliance from an appliance failover pair

When you remove the primary appliance from the appliance failover pair, the
secondary appliance takes over as the primary appliance. You must also remove the
secondary appliance from the pair by following the preceding steps.
After you remove each appliance from the pair, you use snapshots to upgrade each
appliance and migrate to the new version. When you complete the upgrade process,
you enable appliance failover on each appliance.
Note: When you migrate to the new software version, only one Access Gateway in
the appliance failover pair prompts you to restart the appliance. You must restart both
appliances in the pair when you complete the migration.

Upgrading Access Controller


You can perform the following upgrades in Access Controller:
• Upgrade from Version 5.0 to Version 5.0.2
• Upgrade from Version 5.0.1 to Version 5.0.2
You cannot upgrade from the following versions. You must perform a new installation of
Access Controller on Windows Server 2008:
• Access Gateway 4.5, Advanced Edition to Access Gateway 5.0 or later.
After you install Access Controller on Windows Server 2008, you can then migrate
your Advanced Access Control settings to Access Controller.
• Access Gateway 5.0 to Access Gateway 5.0.1.

When you start the upgrade to Version 5.0.2, the Citrix Access Gateway dialog box
appears. If you have a previous version of Access Controller installed, this dialog box
displays the installed components, either the server software, the Delivery Services
Console, or both. When you click Citrix Access Controller, the Setup Wizard starts.
During this first phase, you back up your existing configuration, select the components
to install, and remove the current installation. You cannot select a component if it is
already installed.
When the first phase of the upgrade is complete, you must restart the server running
Access Controller. When the server restarts, the second phase of the upgrade begins
with the installation of the most recent version of Access Controller. Your saved
configuration imports to the server automatically and then Setup completes installation
of the components you selected.
When the upgrade is complete, your original configuration appears in the Delivery
Services Console. You can then configure additional settings for Access Controller.

To upgrade Access Controller


You can download the newest version of the Access Controller software from My Citrix.
To download the software from My Citrix, see the readme on the Citrix Knowledge
Center. After you download the Access Controller software, you can then upgrade the
server.
1. Navigate to the folder where you saved the Access Controller software, or insert
the Access Controller CD image (.iso).
2. Open the folder for Access Controller and then double-click AutoRun.exe.
3. On the startup screen, click Citrix Access Controller.
4. On the Welcome screen, click Next.
5. Read and accept the Citrix license agreement.
6. Select any of the following components to install:
Server. Installs the Access Controller server software, including server
configuration tools.
Delivery Services Console. Installs the configuration and management tool for
Access Controller.
Note: If either of these options appears dimmed, the components are currently
installed on the server. The components upgrade automatically.
7. Follow the on-screen instructions to complete the Setup Wizard.

Migrating to Access Gateway 5.0


If you have an earlier version of Citrix Access Gateway, you can upgrade your
appliances to Access Gateway 5.0. If you are running Advanced Access Control, you
need to install Citrix Access Controller on Windows Server 2008 and then migrate
settings from Advanced Access Control.

Migrating the Appliance to Access Gateway 5.0


If you are running Access Gateway 4.6, Standard Edition or earlier, Citrix recommends
that you create a backup of your configuration and save it to your computer. After you
upgrade to Version 5.0, you cannot downgrade to Version 4.6.x. If you want to revert to
Version 4.6.x, you must reimage the appliance and restore the configuration that you
backed up.
When you install Access Gateway 5.0 on an appliance that is running Version 4.6.x, the
Access Gateway Migration Tool runs and creates an XML file that contains the 4.6.x
settings that you want to migrate. After the upgrade, restart Access Gateway and the
configuration settings from 4.6.x appear in Version 5.0. You then use the Access
Gateway Management Console to continue configuring Access Gateway 5.0. You cannot
use the Administration Tool from Version 4.6.x to configure Access Gateway 5.0. For
more information, see Access Gateway Management Console on page 26.

Migrating to Access Controller


If Access Gateway 4.5, Advanced Edition is installed on a server in your network, you
can migrate settings to Access Controller. You cannot install Access Controller on the
same server as Advanced Access Control. You must install Access Controller on Windows
Server 2008. Citrix recommends that you leave the Advanced Access Control server
running so you can migrate settings to Access Controller.
To migrate Advanced Access Control settings to Access Controller, you use the Migration
Wizard from the Access Gateway 5.0 CD. Before you run the Migration Wizard, note the
following:
• If you have a Web resource and an email resource in one policy, separate them into two
policies on Advanced Access Control. Otherwise, the email policy takes precedence.
If you have a Web email resource, when you migrate settings, the Web email
resource becomes a generic Web resource. Web email is not supported in Access
Controller.
• If you import a Web resource, access policy settings for Web resources are set to
Deny when importing is complete. You need to edit the access policy to change the
setting in Access Controller.
• To migrate settings from Advanced Access Control to Access Controller, Citrix
recommends using SQL Server 2008 and not SQL Server Express.
• The Migration Wizard creates two .cab files. When you later import the migrated
settings, use the migration file, not the file that appears by default in the
Source file for configuration data field. The correct file is typically named
MigratedAccessGatewayConfigurationData.cab and is located in the directory
%systemroot%\User folder\Documents folder on Windows Server 2008.


Chapter 8

Upgrading and Migrating to Access Gateway 5.0

Access Gateway Appliance Migration Settings


If you are running Access Gateway 4.6, Standard Edition on the appliance, you can
migrate to Access Gateway 5.0. When you upgrade from Version 4.6 to Version 5.0, the
following tables show settings that are or are not migrated to Access Gateway 5.0.
The following table contains the settings that are migrated when you upgrade to Access
Gateway 5.0 and import the configuration file from Version 4.6 or earlier.

| Feature | Access Gateway 4.6 tab or setting | Comment |
|---|---|---|
| Network adapter management | Access Gateway Cluster > General Networking | The IP addresses and subnet masks for eth0 and eth1 migrate. After you complete the upgrade and if you are using both network adapters, you must select which adapter is the management interface for the Access Gateway Management Console. You can do this by using Express Setup in the command line or by using the Management Console. For more information, see Defining Network Settings on the Access Gateway Appliance by Using Express Setup on page 183. |
| Authentication and authorization realms | Authentication | Authentication realms are migrated to authentication profiles. When you upgrade the appliance, authentication and authorization profiles appear as separate profiles. |
| LDAP authentication realm | Authentication | If you convert an LDAP authentication realm, it appears as Other in the Access Gateway Management Console. You need to select LDAP as the authentication type for the profile from the Authentication panel. |
| Branch Repeater | Enable application accelerator with the Accelerator Plug-in | Interoperability with Branch Repeater is the default setting. |
| Network resources | Access Policy Manager | Migrated network resources appear as multiple network resources in the Network Resources panel in the Access Gateway Management Console. |
| Name Service Providers | Access Gateway Cluster > Name Service Providers | The Domain Name System (DNS), Windows Internet Name Service (WINS), DNS suffixes, and HOSTS file settings migrate. |
| Routes | Access Gateway Cluster > Routes | Static route information migrates when you upgrade. Dynamic routing is no longer supported. |
| Licensing | Access Gateway Cluster > Licensing | Licenses and server settings migrate, with the exception of the vendor port, which is not supported. |
| Date and time | | All settings migrate. |
| Certificates | Access Gateway Cluster > Certificate Signing Request; Access Gateway Cluster > Administration | Signed certificates and the private key migrate. Trusted root certificates migrate. In the Access Gateway Management Console, you can use the Certificates panel to upload and manage certificates. |
| User connection settings | Access Policy Manager | Split tunneling and close connection settings migrate. All other user connection settings do not migrate. |
| XenApp settings | Authentication > Secure Ticket Authority (STA) | STA settings migrate to the Secure Ticket Authority panel in the Access Gateway Management Console. |
| | Authentication > ICA Access Control | ICA Access Control lists migrate to the XenApp or XenDesktop panel in the Access Gateway Management Console. |
| Security | Global Cluster Policies > Select encryption type | The encryption type migrates. You can change the setting on the Global Options panel in the Access Gateway Management Console. |

Access Gateway Settings That Are Not Migrated


The following settings are not migrated when you upgrade Access Gateway to Version
5.0. Some of these settings are part of discontinued features. To see a list of
discontinued features, see Access Gateway Appliance Discontinued Settings on page
101.

| Access Gateway 4.6 Administration Tool | Setting or tab | Comment |
|---|---|---|
| Access Gateway Cluster tab | NetTools tab | For the settings on the NetTools tab, you can now use a variety of network tools by using the Access Gateway command line. For more information, see Capturing Network Settings for Troubleshooting on page 187. |
| | Administration tab | You can enable command line access on the Networking panel. You enable access to the Management Console by designating one network adapter for the management role on the Networking panel. |
| Access Gateway with Advanced Access Control | Access Gateway Cluster > Advanced Options > Advanced Access Control | This setting is not migrated. When you upgrade to Version 5.0, the appliance runs as a standalone appliance. You must enable access by adding Access Gateway appliances in the Delivery Services Console and by enabling Access Controller using the Deployment Mode panel in the Access Gateway Management Console. For more information, see Enabling Access Controller on page 194. |
| Access Policy Manager Properties | Authentication after network interruption; Authenticate upon system resume | You can enable these two settings in the Access Gateway Management Console on the Global Options panel. |
| Global Cluster Policies | Allow connections using earlier versions of Access Gateway Plug-in | You can enable this setting in the Access Gateway Management Console on the Global Options panel. Connections from the Access Gateway Plug-in from Version 4.6.x or earlier are not supported. |

Access Gateway Appliance Discontinued Settings


The following tables show the discontinued settings on Access Gateway and Access
Controller.

| Access Gateway 4.6, Standard Edition tab | Setting | Comment |
|---|---|---|
| Access Gateway Cluster > Administration tab | Failover Servers tab | You can now use appliance failover, in which two Access Gateway appliances act as the primary and secondary appliance. The secondary listens to the primary appliance and, if the primary appliance fails, the secondary appliance starts accepting user connections. If you are using Access Controller in your deployment, you can create a cluster of Access Gateway appliances and Access Controller servers. In this deployment, Access Controller can load balance user connections between the appliances and servers. For more information, see Configuring Clustering and Load Balancing on page 276. |
| | Citrix Receiver tab | |
| | Enable external administration | In Access Gateway 5.0, you select a network adapter as the management interface. This can be the network adapter that connects to the external (Internet) network. |
| | Manage client certificates | Client certificate authentication is not supported in Access Gateway 5.0. |
| | Save the current configuration | In Access Gateway 5.0, you save the configuration by using Snapshots. |
| | Initialize the appliance | |
| Access Gateway Cluster > Licensing tab | Vendor port | |
| Access Gateway Cluster > Statistics tab | All settings | You can view system and user statistics by using the Monitor tab in the Access Gateway Management Console. |
| Access Policy Manager | User groups | Users are determined by the authentication type and group membership on the authentication server. You can configure group membership as part of a SmartGroup. |
| | Local users | |
| | Application policies | |
| | Endpoint resources; Endpoint policies | You can use device profiles to configure endpoint analysis on Access Gateway 5.0. |
| Global Cluster Policies | Prompt or force upgrades from earlier versions of the Access Gateway Plug-in | |
| | Enable incorrect password cache and password cache timeout setting | |
| | Enable internal failover | |
| | Enable logon page authentication | |
| | Security options | Client certificate authentication is not supported in this release. Validating secure certificates for internal connections is not supported. Validating secure certificates without a trusted root certificate is not supported. |
| | Web session time-out | |
| | Accessible networks | In Access Gateway 5.0, you configure network resources. |
| Authentication | Use the local user database on Access Gateway | In Access Gateway 5.0, users are determined by group membership on the authentication server. |
| Portal Page Configuration | Logon page tab | You can configure a home page within a SmartGroup. The home page can be the default home page, Web Interface, Outlook Web Access, Outlook Web App, SharePoint 2007, or a custom home page of your choosing. |
| | Group priority | |
| | User group list | |
| | Portal page tab | |
| | Publish | |
Access Controller Discontinued Settings and Features


| Access Gateway 4.5, Advanced Edition feature | Feature | Comment |
|---|---|---|
| Access Policy | Allow logon | Download and upload are part of other settings in Access Controller. |
| | HTML Preview | |
| | LiveEdit | |
| | Email as attachment | |
| | Bypass URL rewriting | |
| | Email synchronization | |
| Connection Policy | Continuous scans | |
| | Desktop sharing | |
| | Launch Secure Access Client if access is allowed | Allowing the Access Gateway Plug-in is automatic when you create a connection policy. |
| Access Gateway appliance properties | Internal failover | |
| | Improve latency for Voice over IP | |
| | Global accessible networks | |
| | Require Secure Sockets Layer (SSL) client certification | |
| | Enable failover among gateway appliances | |
| | Validate SSL certificates on the backend | |
| | No outbound ICA restrictions | |
| Endpoint Analysis | Citrix Scans for Symantec Antivirus | |
| | Citrix Scans for Netscape Navigator | |
| | Citrix Scans for Macintosh | Citrix Scans for Macintosh is now part of Citrix Clientless Scans for Platforms. |
| | Citrix Scans for ZoneAlarm | |
| | Citrix Scans for ZoneAlarm Pro | |
| | Bandwidth Scans | |
| Resources | Lotus Notes | |
| | Email Synchronization | Only Outlook Web Access 2007 and Outlook Web App 2010 are supported in Access Gateway 5.0. Settings for Web email and Lotus Notes are migrated as a generic Web resource. |
| Presentation Server farm properties | Address modes panel; Authentication service URL; Web Interface association | Configure the Secure Ticket Authority (STA) and Access Gateway properties. You can only select Gateway Direct and Gateway Alternate in Access Controller. This applies to all user device addresses. |

Migrating from Access Gateway Advanced Edition


Citrix Access Controller is supported only on Windows Server 2008, so you cannot upgrade
your existing Windows Server 2003 servers to Access Controller.
If you want to take advantage of the new features in Access Controller, but you want to
keep your existing access centers running, you must maintain two distinct access server
farms or clusters. The Access Management Console that comes with Access Gateway
4.5, Advanced Edition is not compatible with the Citrix Delivery Services Console in
Access Controller. You cannot use the Delivery Services Console to administer Access
Gateway Advanced Edition. Maintaining separate access server farms or clusters might
involve considerable administrative overhead for your organization, so consider
carefully how integral access centers are to your users' access environment.
You can use the Migration Wizard in the Setup folder of the Access Controller
installation CD or package to migrate settings from servers running Advanced Access
Control to Access Controller.

Before You Start Your Migration


Before you migrate Access Gateway Advanced Edition settings to Access Controller,
follow the steps below:
1. Determine your migration scenario and print out the corresponding checklist.
2. Verify that you are a valid Subscription Advantage customer. The Subscription
Advantage eligibility date for Access Gateway 5.0 is September 1, 2010.
3. Verify that your environment meets the minimum system requirements. Verify that
the servers on which you plan to install Access Controller meet the hardware and
software requirements.
4. Install the Migration Wizard on your server.

Support for Custom Endpoint Analysis Scan Packages


Access Controller supports custom endpoint analysis scan packages. When you create a
scan package and users log on, the Endpoint Analysis Plug-in downloads and installs on
the user device. The plug-in contains all the components of the scan package.
You can upgrade existing scan packages to Access Controller by using the Endpoint
Analysis Software Development Kit (SDK). The SDK requires the following software:
• Citrix Endpoint Analysis SDK
• Microsoft Visual Studio 2008
• Windows Installer XML (WiX) toolset 3.0
Scan packages must be digitally signed. To upgrade existing scan packages or to create
new ones, you must have access to a digital certificate issued by a certificate authority
such as Verisign.
Important: Before you migrate your scan packages to Access Controller, if your
custom scan packages are maintained by a third party, make sure you can acquire
updated scan packages.

Checklist for Migrating Settings to Access Controller


Use the following checklist to migrate settings from Access Gateway Advanced Edition
to Access Controller.
| Status | Task | For more information |
|---|---|---|
| | Install licenses on Access Gateway or configure Citrix License Server | Installing Licenses on Access Gateway on page 83 |
| | Install Access Controller | Installing Access Controller on page 79 |
| | Back up your Advanced Access Control farm data | See the Access Gateway Advanced Edition Administrator's Guide for information about backing up farm data. |
| | Migrating Existing Configuration Data | Migrating Existing Configuration Data on page 111 |
| | Importing Cluster Configuration Data | Importing Cluster Configuration Data on page 112 |
| | Add Access Gateway appliances to Access Controller | To add Access Gateway to Access Controller on page 195 |
| | Migrating Custom Endpoint Analysis Scan Packages | Migrating Custom Endpoint Analysis Scan Packages on page 113 |


Migrating Existing Configuration Data


You can use the Migration Wizard to migrate the configuration database from Access
Gateway Advanced Edition to Access Controller.
Before you can migrate your configuration data, you must install the Migration Wizard
on a Windows-based server in your network. The Migration Wizard is in the Setup folder
of the Access Controller installation CD or in the package you download from My Citrix.
When you start the Migration Wizard, the wizard contacts the database for Advanced
Access Control and exports the configuration data to a .CAB file, which is then saved to
a location you specify. Then, the data is converted so it is compatible with Access
Controller. The converted data is also saved as a .CAB file to the location you specify.
You can then use the Citrix Delivery Services Console to import the .CAB file to a server
running Access Controller. You must use the Migration Wizard from Access Gateway 5.0,
which can run on any Windows-based server.
Note: The Migration Wizard exports and converts only the configuration data that is
required for migration to Access Controller, such as policy settings, logon point
settings, and Web resource settings.

To install the Migration Wizard


The installation program for the Migration Wizard is located in the
\Images\Setup\MigrationTool folder on the Access Gateway 5.0 installation CD or in the
package you download from My Citrix. The Migration Wizard does not install
automatically when you install Access Controller.
1. Navigate to the folder that contains the Access Controller package and then
navigate to the \Images\Setup\MigrationTool folder.
2. Double-click Migration.MSI and follow the instructions in the wizard.

To export and convert existing Advanced Access Control configuration data


After you install the Migration Wizard, you can start the Migration Wizard to transfer
settings from the server running Advanced Access Control to Access Controller.
1. Click Start>Programs>Citrix>Access Gateway>Migration Wizard.
2. On the Select Source page, click Access Gateway Advanced Edition 4.5 with any
applied hotfix releases and then click Next.
3. On the Enter Access Controller Cluster Database page, in Cluster database
server, type the IP address or fully qualified domain name (FQDN) of the SQL Server.
4. In Access Controller cluster name, type the name of the Advanced Access Control
access server farm.
5. Do one of the following:
Select Use Windows authentication to use your Windows credentials to export
the file.
Select Use SQL authentication to use the SQL Server administrator credentials
to export the file.
6. Click Next.
7. In Configuration data target file, enter the path, including the file name, where
you want to save your data after it is migrated.
By default, this data is saved as a .CAB file in the My Documents folder of the
current user with the file name MigratedAccessGatewayConfigurationData.cab. For
example, you can locate the file at
%systemroot%\Documents and Settings\Administrator\My Documents\MigratedAccessGatewayConfigurationData.cab.
8. Click Next.
When you click Next, the Migration Wizard restructures the data and saves it to
the location you specified.
After you migrate the data to Access Controller, you then need to import the settings
to the cluster.

Importing Cluster Configuration Data


You can use the Delivery Services Console to import your migrated data to a server
running Access Controller.
After you import your cluster configuration data, be aware of the following:
• Logon points are not imported in a deployed state. You must redeploy all logon
points using Server Configuration on each Access Controller server.
• When redeploying logon points, check the Visibility settings of each logon point to
ensure that users can access the appropriate logon pages.
• If you configure logon points on Access Controller and the names of those logon
points are the same as the names of the logon points you are importing, the Server
Configuration tool appears to display duplicate logon points after you import your
cluster configuration data. To resolve this, use Server Configuration to remove the
duplicate logon points and redeploy the logon points that are marked as Available
for deployment.

To import configuration data to Access Controller


Important: Importing configuration data erases and replaces your existing
configuration settings. Citrix recommends backing up your configuration before
importing another configuration.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway and then click a cluster node.
3. Under Other Tasks, click Import Cluster.
4. In Source file for configuration data, click Browse, navigate to the .CAB file and
then click Next.
When you click Next, the .CAB file is decompressed and the existing configuration
data is replaced with the imported data.
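Because Import Cluster erases the current cluster configuration, it is worth confirming that the file you are about to import is the converted migration file, that it is an intact cabinet, and keeping a hashed copy of it for the record. The following PowerShell script is an added example and is not part of the Migration Wizard or any Citrix tool; it assumes the wizard wrote the file to its default Documents location (pass -CabPath otherwise) and that expand.exe is present on the server.

```powershell
# Added example, not Citrix code. Checks the converted migration file before it is
# imported with Import Cluster, which replaces the current cluster configuration.
# Assumption: the wizard used its default target file in the current user's
# Documents folder; pass -CabPath if you chose a different location.
param(
    [string]$CabPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
        'MigratedAccessGatewayConfigurationData.cab'),
    [string]$BackupDir = (Join-Path $env:TEMP 'ag-migration-backup')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $CabPath)) {
    throw "Migration file not found: $CabPath. Run the Migration Wizard first."
}

# The wizard writes two .cab files; only the converted one is meant for import.
if ((Split-Path -Leaf $CabPath) -ne 'MigratedAccessGatewayConfigurationData.cab') {
    Write-Warning "Unexpected file name; confirm this is the converted migration file, not the raw export."
}

# Every Microsoft cabinet begins with the four ASCII bytes 'MSCF'.
$stream = [System.IO.File]::OpenRead($CabPath)
try {
    $magic = New-Object byte[] 4
    $bytesRead = $stream.Read($magic, 0, 4)
} finally {
    $stream.Close()
}
if ($bytesRead -ne 4 -or [System.Text.Encoding]::ASCII.GetString($magic) -ne 'MSCF') {
    throw "$CabPath has no cabinet (MSCF) header; the export may be truncated or corrupt."
}

# expand.exe -D lists cabinet members without extracting them, one '<cab>: <member>' line each.
$listing = & "$env:SystemRoot\System32\expand.exe" -D $CabPath 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "expand.exe could not read the cabinet: $($listing -join ' ')"
}
$members = @($listing | ForEach-Object {
    if ($_ -match '\.cab:\s+(.+)$') { $Matches[1].Trim() }
})
if ($members.Count -eq 0) {
    throw "The cabinet lists no members; do not import it."
}

# Keep a dated copy and its SHA-256 so the import can be audited or repeated later.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($CabPath)
try {
    $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $stream.Close()
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$copy = Join-Path $BackupDir "MigratedAccessGatewayConfigurationData-$stamp.cab"
Copy-Item -LiteralPath $CabPath -Destination $copy
"$hash  $(Split-Path -Leaf $copy)" | Out-File -Append -Encoding ascii (Join-Path $BackupDir 'SHA256SUMS')

"Cabinet OK: {0} member(s), SHA-256 {1}" -f $members.Count, $hash
$members | ForEach-Object { "  $_" }
"Backup copy written to $copy"
```

Run it on the Access Controller server as the user who ran the Migration Wizard, then point Source file for configuration data at the same .cab the script validated.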

To remove duplicate logon points and redeploy available logon points


1. Click Start>Programs>Citrix>Access Gateway>Server Configuration.
2. Under Tasks, click Logon Points.
3. Select the logon points with a status of The folder cannot map to the deleted
logon point and then click Remove.
4. To redeploy the remaining logon points, select the logon points with status of
Available for deployment, click Deploy and then click OK.

Migrating Custom Endpoint Analysis Scan Packages


You can migrate custom endpoint analysis scan packages from Access Gateway
Advanced Edition to Access Controller. When you import custom scan packages,
consider the following:
• Separate server and user components. Endpoint analysis scan packages contain
only the server component. The Endpoint Analysis Plug-in is distributed separately
to users.
• Digital signing. All scan packages that come with Access Controller are digitally
signed. In addition, all custom scan packages must be digitally signed. Digital signing
ensures the scan package is from a reputable source and is unaltered.
• Endpoint Analysis Plug-in versioning. To make sure that users have access to the
latest version of the plug-in, Access Controller redirects users to an upgrade page
where they can download and install the plug-in, even if they do not have
Administrator or Power User privileges.
• Compatibility of Access Gateway 4.5, Advanced Edition scan packages. When you
migrate scan packages from Advanced Access Control and import them to Access
Controller, only the default values are returned. The Citrix Delivery Services Console
alerts you to upgrade the scan packages by displaying notices in the Alerts node of
the console tree.
• Endpoint Analysis Plug-in deployment. When you create a custom scan package
that relies on a plug-in component to gather data from user devices, you must
incorporate this component into the Endpoint Analysis Plug-in and generate a new
plug-in to distribute to users. When you create a new plug-in, you include unique
strings that identify your organization and the plug-in version. Access Controller
uses these strings to differentiate plug-ins from other organizations, as well as other
versions of the plug-in. When you deploy a new version of the Endpoint Analysis
Plug-in, users can upgrade the plug-in to the newer version, even if they do not have
Administrator or Power User privileges.
• Server-side scan packages. Access Controller includes the scan package Citrix Scans
for Browser Type that does not rely on user components to gather data from the
user device. Additionally, you can create custom server-side scan packages with the
Endpoint Analysis SDK. When you create this type of scan package, you do not need
to generate a new Endpoint Analysis Plug-in.
For more information, see the Endpoint Analysis SDK online Help that is located with
the Endpoint Analysis Software Development Kit (SDK) available on your product CD or
the Citrix Web site at http://community.citrix.com/cdn.
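Since Access Controller accepts only digitally signed scan packages, and imported 4.5 packages return only default values until they are rebuilt and re-signed, it helps to inventory the signature state of the package artifacts before you start the migration, especially for packages maintained by a third party. The following PowerShell script is an added example and is not Citrix code or part of the Endpoint Analysis SDK; the folder layout, the file extensions scanned and the expected publisher name are assumptions.

```powershell
# Added example, not Citrix code. Reports the Authenticode signature state of the
# artifacts in a custom scan package tree before migration, since Access Controller
# requires signed scan packages. Assumptions: packages are files under -PackageRoot
# with one of the extensions below, and -ExpectedSigner is your organisation's
# certificate subject (the default is a hypothetical value).
param(
    [Parameter(Mandatory = $true)]
    [string]$PackageRoot,
    [string]$ExpectedSigner = 'CN=Example Corp',
    # Warn when the signing certificate expires within this many days.
    [int]$ExpiryWarningDays = 90
)

$ErrorActionPreference = 'Stop'
$extensions = '*.cab', '*.msi', '*.dll', '*.exe'

$artifacts = @(Get-ChildItem -Path $PackageRoot -Recurse -Include $extensions |
    Where-Object { -not $_.PSIsContainer })
if ($artifacts.Count -eq 0) {
    throw "No scan package artifacts found under $PackageRoot."
}

$report = @(foreach ($file in $artifacts) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    $signer = if ($cert) { $cert.Subject } else { '' }
    $expires = if ($cert) { $cert.NotAfter } else { $null }

    # 'Valid' means the file hash matches the signature and the chain is trusted;
    # NotSigned, HashMismatch and NotTrusted are the states that block migration.
    $acceptable = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
    $expiringSoon = ($cert -ne $null) -and ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays))

    New-Object PSObject -Property @{
        File         = $file.FullName
        Status       = $sig.Status
        Signer       = $signer
        Expires      = $expires
        Acceptable   = $acceptable
        ExpiringSoon = $expiringSoon
    }
})

$report | Sort-Object Acceptable, File | Format-Table File, Status, Signer, Expires -AutoSize

$blocked = @($report | Where-Object { -not $_.Acceptable })
foreach ($item in $blocked) {
    $who = if ($item.Signer) { " (signed by $($item.Signer))" } else { '' }
    Write-Warning ("{0}: {1}{2}" -f $item.File, $item.Status, $who)
}
foreach ($item in @($report | Where-Object { $_.ExpiringSoon })) {
    Write-Warning ("{0}: signing certificate expires {1:yyyy-MM-dd}" -f $item.File, $item.Expires)
}

if ($blocked.Count -gt 0) {
    Write-Warning ("{0} artifact(s) are unsigned, altered, or not signed by {1}; obtain updated signed packages before migrating." -f $blocked.Count, $ExpectedSigner)
    exit 1
}
"All {0} artifact(s) carry a valid signature from {1}." -f $report.Count, $ExpectedSigner
```

A non-zero exit makes the check easy to wire into the migration checklist above, so an unsigned or tampered package is caught before it is imported rather than after the Alerts node flags it.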

Creating Snapshots to Manage Access Gateway Configuration Settings


A configuration snapshot represents all the Access Gateway settings, licenses, and
certificates at a specific time. If you have multiple software versions installed on
Access Gateway, you can have snapshots that span the different software versions.
When you install Access Gateway 5.0 for the first time, Access Gateway creates a
snapshot of the configuration automatically. Then, you can take snapshots at different
periods of time, such as after you configure the initial settings or create logon points or
SmartGroups.
When you create the snapshot, the name is generated automatically. You provide a
description for the snapshot and then save the snapshot. The snapshot then becomes
active automatically.
A benefit of the snapshot feature is that you can easily restore your configuration
settings if, for example, you need to reimage the appliance. You can export a snapshot
to your computer and then import the snapshot back to Access Gateway. When you
import the snapshot to the appliance, you then make the snapshot active to restore
configuration settings.
If necessary, you can revert to an earlier snapshot. Reverting the snapshot restores the
configuration settings to that point in time.

Managing Snapshots for Appliance Failover


If your network configuration includes two Access Gateway appliances for appliance
failover, identical snapshots are shared between appliances. Existing snapshots are not
replicated across the nodes. When you set up appliance failover and then take a
snapshot on the primary appliance, the same snapshot appears on the secondary
appliance.
When you create an appliance failover pair, you can only see the snapshots you create
while the appliances are paired. Any snapshots that you made before you joined
appliances to the pair are not visible. If you break the pair, the earlier snapshots
reappear on each appliance.
Managing Snapshots When Using Access Controller


When you switch the Access Gateway appliance to use Access Controller, the appliance
creates a configuration snapshot automatically. After restarting Access Gateway, the
snapshot appears in the Snapshots panel on the Software Releases and Snapshots
page. When the snapshot appears, you can export the snapshot to a computer in your
network.
If you decide to remove Access Controller from your deployment and switch back to
using only the Access Gateway appliance, the appliance creates a new snapshot. You
can make any previous snapshot active, which restores configuration settings of that
snapshot for Access Gateway, including your network settings.

To create a snapshot
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Software
Releases, select a software version and then click Create.
3. In the Snapshot Description dialog box, type a description and then click Save.
Note: Special characters are not allowed in the description.
When you create the snapshot, it becomes active automatically.

To export a snapshot
You can create a copy of a snapshot and save it to a computer in your network by
exporting the snapshot from the Access Gateway Management Console. At a later time,
you can import the snapshot to restore the configuration settings to Access Gateway.
Saving snapshots to your computer allows you to reinstate configuration settings in case
you need to reimage the appliance. This prevents you from having to configure the
appliance again.
When you export a snapshot, it is encrypted to ensure the validity and guarantee the
integrity of the snapshot. If you import the snapshot to Access Gateway at a later time,
the software version of the snapshot must match the software version installed on
Access Gateway.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Software
Releases, select the software version.
3. Under Snapshots, click a snapshot and then click Export.
4. In the Download Snapshot message box, click Yes.
5. Save the snapshot to a location on your computer.
115

Chapter 8

Upgrading and Migrating to Access Gateway 5.0


Snapshots are saved using the version and build number along with other identifying
information. Exported snapshots have the file extension .bin.

To import a saved snapshot


You can import snapshots that you saved to a computer in your internal network at any
time. You can also import snapshots from a different Access Gateway appliance in your
network. If you need to reimage or restore the default configuration on the appliance,
for example, you can restore your configuration settings by importing a saved snapshot.
If you are importing saved snapshots between appliances, each appliance must have
the same software version. If you attempt to import a snapshot from an Access
Gateway appliance that has a different software version, the snapshot is rejected. The
snapshot you are attempting to import is also rejected if the snapshot already resides
on the appliance.
After you import the snapshot, you can make the snapshot configuration active. The
configuration settings in the snapshot are then applied to the Access Gateway
appliance after you restart the appliance.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, next to the
Snapshots panel, click Import.
3. Navigate to the saved snapshot on your computer and then click Open.
Exported snapshots have the file extension .bin.
4. Select the imported snapshot and then click Make Active.
You receive a message prompting you to restart Access Gateway. Click OK and then
click Restart. After you log on again, the snapshot is active.

To restore an earlier or later version of a snapshot


Each snapshot you create is stored on Access Gateway. You can restore a snapshot and
make it the active configuration.
It is important that you know the content of the snapshot you want to restore because
you might inadvertently change settings. For example, if you changed the Access
Gateway IP address at a later time than the time you created the snapshot you want to
restore, when you restore the snapshot, the network settings change. Making this
snapshot active could interrupt user connections to Access Gateway or prevent users
from logging on.
If you restore a snapshot in an appliance failover pair, you should break the appliance
failover pair, restore the snapshot on the primary appliance and then establish the
appliance failover pair again. The snapshot is then restored on the secondary appliance
in the pair.
When you restore a snapshot, you must also restart Access Gateway.
1. In the Access Gateway Management Console, click Snapshots.


2. In the Software Releases and Configuration Snapshots panel, under Snapshots,
click a snapshot and then click Make Active.
You receive a message prompting you to restart Access Gateway. Click OK and then
click Restart. After you log on again, the snapshot is restored.

To delete a snapshot
You can delete one or more snapshots from Access Gateway, except the snapshot that is
currently active.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Snapshots,
select a snapshot and then click Delete.

Reinstalling the Access Gateway 5.0 Software


If you need to perform a clean installation of the Access Gateway software, you can
use the original software that came with the appliance. If you want to keep your
configuration settings, you must back up your configurations before reinstalling the
software.
You use a USB storage device to install the Access Gateway software. The software is
downloaded to your Windows-based computer and then copied to the storage device.
You then plug the storage device into Access Gateway and reinstall the software.
Caution: When you copy the Access Gateway software to the USB storage
device, any data on the device is erased. Make sure you are using a USB storage
device that does not contain critical information. In addition, if you restart your
computer or Access Gateway with the USB storage device in the USB port, the
storage device attempts to reimage the computer or Access Gateway.

System Requirements
To create the installation package on a USB storage device, you need the following:
• One gigabyte (GB) USB storage device
• .NET Framework 1.0
• One of the following Windows operating systems:
  Windows Server 2003
  Windows Server 2008
  Windows XP
  Windows Vista
  Windows 7
• USB port on the Windows-based computer
• Access Gateway CD
• Access Gateway 2010 Appliance Imaging Tool available from the Citrix Support Web
site.

To reinstall the Access Gateway software


1. Save the Access Gateway configuration settings as described in Creating Snapshots
to Manage Access Gateway Configuration Settings on page 114.
2. Make sure that a computer capable of hosting terminal emulation software is
connected to the Access Gateway; turn on both systems.
3. Download the Access Gateway software from the Citrix Support Web site to your
computer. Then, use the Access Gateway 2010 Appliance Imaging Tool that is
available on the Support Web site to copy the image to a USB storage device.
Caution: After you copy the Access Gateway software to the USB storage
device, remove the device and the Access Gateway CD from the computer
immediately. If you restart your computer with the device in the USB port, or with
the CD in the drive, the device could erase information on your computer.
4. Insert the USB storage device in the USB port of the Access Gateway appliance to
start the installation program.
When installation is complete, the serial console displays the message Installation
successful.
5. Remove the USB storage device and turn off Access Gateway.
6. Turn on Access Gateway.
7. Restore the configuration settings as described in Creating Snapshots to Manage
Access Gateway Configuration Settings on page 114.

Restarting or Powering Off Access Gateway


After making changes to Access Gateway, you might need to restart the appliance. You
can restart Access Gateway from the Access Gateway Management Console.
If you need to power off Access Gateway, use the Management Console. Never shut
down the Access Gateway by powering it off. Use the power switch only to power on
the appliance. You can only power on the appliance using the power switch.
Caution: Shutting down or restarting the appliance using the power switch might
result in data loss.


To restart Access Gateway


1. In the Access Gateway Management Console, click Restart.
2. Close the Web browser.

To power off Access Gateway


1. In the Access Gateway Management Console, click Shut Down.
2. Close the Web browser.


Chapter 9

Managing the Access Gateway Appliance and Access Controller

Topics:
• Managing the Access Gateway Appliance
• Managing Access Controller

After you plan your deployment and you install Access Gateway, you then need to
configure and manage the appliance. You use the Access Gateway Management Console
to configure detailed settings that specify, for example, user connections and how
users log on.
Access Controller provides additional benefits to Access Gateway, including:
• Native Active Directory Authentication
• Advanced Endpoint Analysis
• Centralized control of Access Gateway appliances
• Session sharing across multiple Access Gateway appliances
• Centralized logging
• Delivery Services Console
Access Controller expands your Access Gateway environment, providing your users with
the following standard features:
• SmartAccess analyzes the access scenario and then delivers the appropriate level of
access without compromising security.
• SmoothRoaming ensures that as users move between devices, networks, and
locations, the appropriate level of access is configured automatically for each new
access scenario.
• Secure by Design provides users with access that is inherently secure by design,
protecting both the security of company information and the integrity of the
network.


Managing the Access Gateway Appliance


After you plan your deployment and you install Access Gateway, you then need to
configure and manage the appliance. You use the Access Gateway Management Console
to configure detailed settings that specify, for example, user connections and how
users log on.

In This Section
This section of eDocs contains information about configuring and managing Access
Gateway 5.0.

Installing and Managing Certificates on page 123
  Provides information about the types of certificates you can install on Access
  Gateway and creating a Certificate Signing Request.

Adding Network Settings on page 131
  Provides information about managing network adapters, configuring Name Service
  Providers, configuring static routes, configuring the date and time on Access
  Gateway, and other appliance network settings.

Installing Additional Access Gateway Appliances on page 137
  Provides information about configuring an appliance failover pair and using
  multiple appliances behind an external load balancer.

Creating Authentication and Authorization Profiles on Access Gateway on page 144
  Provides information about creating authentication profiles on Access Gateway.

Creating Device Profiles on page 160
  Provides information about configuring settings for endpoint analysis of user
  devices.

Defining Network Resources on the Appliance on page 165
  Provides information about configuring network resources that identify the
  servers, file shares, or email servers to which users are allowed to connect.

Creating Logon Points on the Access Gateway Appliance on page 169
  Provides information about configuring basic and SmartAccess logon points.

Adding SmartGroups on page 175
  Provides information about configuring SmartGroups to use logon points,
  authentication profiles and groups, device profiles, network resources, address
  pools, and advanced properties for user connections.

Using the Command Line to Configure Access Gateway Appliance Settings on page 182
  Provides information about using the command line to configure Access Gateway
  and troubleshoot the appliance, including creating a support bundle.

Configuring User Connections
  Provides information about configuring settings on Access Gateway for the Access
  Gateway Plug-in.

Installing and Managing Certificates


On Access Gateway, certificates are used to create secure connections and
authenticate users.
To establish a secure connection, a server certificate is required at one end of the
connection. A root certificate of the Certificate Authority (CA) that issued the server
certificate is required at the other end.
• Server certificate. A server certificate certifies the identity of a server. Access
Gateway requires this type of digital certificate.
• Root certificate. A root certificate identifies the CA that signed the server
certificate. The root certificate belongs to the CA. The user device requires this
type of digital certificate to verify the server certificate.
You can configure certificate chains, which contain intermediate certificates, between
the server certificate and the root certificate. Both root certificates and intermediate
certificates are referred to as trusted certificates.
When establishing a secure connection with a Web browser on a user device, the Access
Gateway appliance sends its certificate to the user device.
When receiving a server certificate, the Web browser (for example, Internet Explorer)
on the user device checks to see which CA issued the certificate and if the CA is trusted
by the user device. If the CA is not trusted or if it is a test certificate, the Web browser
prompts the user to accept or decline the certificate (effectively accepting or declining
the ability to access the site).
Note: You can only install Privacy Enhanced Mail (PEM) and Personal Information
Exchange (.pfx) certificate files on Access Gateway.


Installing a Signed Digital Certificate and Private Key


Access Gateway includes a digital certificate that is not signed by a trusted Certificate
Authority (CA). You need to install on the Access Gateway appliance a digital X.509
certificate that belongs to your company and is signed by a CA. Your company can
operate as its own CA, or you can obtain a digital certificate from a commercial CA,
such as Verisign or Thawte.
Caution: Operating Access Gateway without a digital certificate signed by a CA
can subject VPN connections to malicious attacks.
Access Gateway accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a
text format that is the Base-64 encoding of the Distinguished Encoding Rules (DER)
binary format. The PEM format specifies the use of text BEGIN and END lines that
indicate the type of content that is being encoded.
You can install a secure digital certificate and private key on the Access Gateway
appliance in the following two ways:
• Generate a Certificate Signing Request by using the Access Gateway Management
Console. When the request is generated, Access Gateway creates a certificate and
private key. The private key remains on the appliance and the certificate contents
are copied and submitted to a CA Web site for signing. When the signed certificate
is returned, it is installed on the appliance. During installation, the signed
certificate is paired with the password-protected private key. Citrix recommends
that you use this method to create and install secure certificates.
• Install a PEM certificate and private key from a Windows-based computer. This
method uploads a signed certificate and private key together. The certificate is
signed by a CA and is paired with the private key.

Managing Certificates in the Access Gateway Certificate Manager


The Access Gateway Certificate Manager allows you to view the certificates and details
about the certificates that you installed on the Access Gateway appliance. The
certificates can be server, root, or trusted certificates used in a certificate chain.
The details that you can view about the certificates include:
• The name and description of the certificate
• The status of the certificate
• The time period (date range) for which the certificate is valid
• The type of certificate
• Whether or not the certificate is active
You can also use the Access Gateway Certificate Manager to upload and manage server
and root certificates on Access Gateway. Before you can upload a certificate to the
appliance, you need to generate a Certificate Signing Request (CSR) in the Access
Gateway Certificate Manager. You can generate a CSR, as well as view details about
pending CSRs in the Access Gateway Certificate Manager. You can delete the pending
request or install a response certificate.


You can manage server and root certificates in the Access Gateway Certificate Manager
in the following ways:
• Upload a Privacy Enhanced Mail (PEM) .pem or Personal Information Exchange
(PKCS#12) .pfx file, which includes a server certificate and its password-protected
private key.
• Export an existing server certificate and its corresponding private key to a file on
your computer, with the private key being password-protected. You can only export
PEM certificates.
Note: Access Gateway and all of its clients support the use of a wildcard certificate
for the server certificate. For example, you can request and install a server
certificate with subject *.acme.com. Web browsers and clients can then connect to
"gateway.acme.com" or "access.acme.com" without receiving certificate-related
errors or warnings.
• Upload and manage certificates for trusted root certificate authorities, as well as
trusted certificates used in certificate chains. When the appliance initiates a secure
connection to another host, that host's certificate must be issued by a CA whose
root certificate is installed on the Access Gateway appliance.

Overview of the Certificate Signing Request


Before you can upload a certificate to the Access Gateway appliance, you need to
generate a Certificate Signing Request (CSR) and private key. You create the CSR in the
Certificate Signing Request dialog box that you open from the Certificate
Management panel in the Access Gateway Management Console. After you create
the .csr file, you copy the certificate contents and submit them to the Certificate
Authority (CA) Web site for signing. The CA signs the certificate and returns it to you at
the e-mail address you provided. When you receive the signed certificate, you can
install it on Access Gateway.
To provide secure communications using Secure Sockets Layer (SSL) or Transport Layer
Security (TLS), Access Gateway requires a server certificate. A summary of the steps
for obtaining and installing a server certificate on Access Gateway is as follows:
• Generate a CSR using the Certificate Signing Request dialog box accessed through
the Certificate Management panel in the Access Gateway Management Console.
• Copy the certificate contents and submit them to a CA Web site for signing.
• When you receive the signed certificate file from your CA, upload the certificate on
the Certificate Management panel in the Access Gateway Management Console.
The certificate is automatically converted to the Privacy Enhanced Mail (PEM)
format, which is required by Access Gateway.

Password-Protected Private Keys


Private keys that are generated with the CSR are stored in an encrypted and
password-protected format on the Access Gateway appliance. When creating the CSR,
you are asked to provide a password for the private key. The password is used to
protect the private key from tampering and is also required when restoring a saved
configuration to Access Gateway. Passwords are used whether the private key is
encrypted or unencrypted.

To create a Certificate Signing Request


To provide secure communications using Secure Sockets Layer (SSL) or Transport Layer
Security (TLS), a server certificate is required on the Access Gateway appliance. Before
you can upload a certificate to Access Gateway, you need to generate a Certificate
Signing Request (CSR) and private key.
1. In the Access Gateway Management Console, click Certificates.
2. Click New and in Certificate Signing Request, type the required information.
In Key Length (required), select the encryption strength.
In Common name (required), type the host name or the fully qualified domain
name (FQDN) of the appliance as it appears on the Networking panel.
In Email, type the email address for the contact person at your company.
In Description, type a description for the CSR.
In Company name, type the name of your company or organization.
In Department name, type the name of the department that will use the
certificate.
In City, type the name of the city in which your company or organization is
located.
In State or Province, type the full name of the state or province where your
company is located.
In Country code (required), use the two letter code for your country, such as US.
3. Click Save.
Access Gateway creates the CSR. A dialog box that contains the contents of the
CSR opens.
4. Copy the certificate contents from the dialog box and paste the content into the
appropriate area on the Certificate Authority Web site.
The certificate provider returns a signed certificate to you by e-mail. When you
receive the signed certificate, install it on Access Gateway.
You can create up to three CSRs. You can view or delete existing CSRs, and you can also
choose to sign a CSR so that you can use the certificate immediately.

To import a signed server certificate to Access Gateway


You can upload a signed certificate response file to Access Gateway that you receive in
e-mail from the Certificate Authority (CA). The file can be a Privacy Enhanced Mail
(PEM) or Personal Information Exchange (PKCS#12) file, which includes both a server
certificate and its password-protected private key.
1. In the Access Gateway Management Console, click Certificates.
2. Click Import and then select Server (.pem) to import a CA signed root certificate.



3. In Select file to upload, navigate to the certificate and then click Open.

To install a certificate and private key from a Windows-based computer


If you are using a load balancer or you have a signed digital certificate with a private
key that is stored on a Windows-based computer, you can upload the certificate to
Access Gateway. If the Access Gateway appliance is not located behind a load balancer,
the certificate must contain the fully qualified domain name (FQDN) of Access
Gateway. If the Access Gateway appliance is located behind a load balancer, each
appliance must contain the same certificate and private key.
1. In the Access Gateway Management Console, click Certificates.
2. Click Import and then select Server (.pfx).
3. In Select file to upload, navigate to the certificate and then click Open.
When you upload the certificate to Access Gateway, you are asked for a password
to encrypt the private key.

Installing Root Certificates on Access Gateway


Root certificates are provided by the Certificate Authority (CA). Secure Sockets Layer
(SSL) clients use root certificates to validate certificates presented by an SSL server.
When an SSL client attempts to connect to an SSL server, the server presents a
certificate. The client device consults its root certificate store to see if the certificate
that the SSL server presented is signed by a CA that the user device trusts.
If you deploy Access Gateway in any environment where Access Gateway must operate
as the client in an SSL handshake, in which an exchange of messages initiates
encrypted connections with a server, you must install a trusted root certificate on the
Access Gateway appliance. For example, if you deploy Access Gateway with Citrix
XenApp and the Web Interface, you can encrypt connections from Access Gateway to
the Web Interface with SSL. In this configuration, you must install a trusted root
certificate on the Access Gateway appliance.
The root certificate that is installed on Access Gateway has to be in Privacy Enhanced
Mail (PEM) format. On Windows, the file extension .cer is sometimes used to indicate
that the root certificate is in PEM format.
If you are validating certificates on internal connections, the Access Gateway appliance
must have a root certificate installed.

To install a root certificate on Access Gateway


1. In the Access Gateway Management Console, click Certificates.
2. On the Certificate Management panel, click Import and then select Trusted
(.pem).
3. In Select file to upload, navigate to the file and then click Open.
To remove the root certificate, select the certificate in the Certificates table and then
click Delete.


Installing Multiple Root Certificates


You can install multiple root certificates on the Access Gateway appliance, however
they must be in one file. For example, you can create a text file in a plain text editor
(such as Notepad) that contains all of the root certificates. Open each root certificate
in another plain text editor window and then copy and paste the contents of each
certificate below the last line in the new text window. After you copy all of the
certificates to the new file, save the text file in Privacy Enhanced Mail (PEM) format,
and then upload the file to Access Gateway.

Creating Root Certificates Using a Command Prompt


You can also create PEM-formatted root certificates using a DOS command prompt. For
example, if you have three PEM root certificates, you can use the following command
to create one file that contains all three certificates:
type root1.pem root2.pem root3.pem > current-roots.pem
If you want to add additional root certificates to an existing file, use the following
command:
type root4.pem root5.pem >> current-roots.pem
When this command is executed, all five root certificates are in the file
current-roots.pem. The double greater than sign (>>) appends the contents of
root4.pem and root5.pem to the existing contents of current-roots.pem.
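The following Python script is an added example, not part of this guide or of Citrix's software. It merges PEM files the way the type commands above do, but first checks that every certificate is a complete BEGIN/END CERTIFICATE block with decodable base64 and drops duplicates, which catches the common mistake of a file without a trailing newline gluing its END line onto the next file's BEGIN line. The certificate bodies it builds are constructed placeholders, not real certificates.

```python
"""Validate and merge PEM root-certificate files into one bundle.

Added example for the Access Gateway guide (not Citrix code). Equivalent to
`type root1.pem root2.pem > current-roots.pem`, plus structural checks so a
damaged bundle is rejected before it is uploaded to the appliance.
"""
import base64
import binascii
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class PemError(ValueError):
    """Raised when a file is not a well-formed PEM certificate bundle."""


def parse_pem_bundle(text: str) -> List[str]:
    """Return the base64 body of every certificate block found in text.

    Raises PemError on an END without BEGIN, a BEGIN without END, or a body
    that is not valid base64 (which is what a glued END/BEGIN line produces).
    """
    bodies: List[str] = []
    current = None  # lines of the block being read, or None when outside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if current is not None:
                raise PemError(f"line {lineno}: BEGIN inside an open block")
            current = []
        elif line == END:
            if current is None:
                raise PemError(f"line {lineno}: END without BEGIN")
            body = "".join(current)
            try:
                der = base64.b64decode(body, validate=True)
            except binascii.Error as exc:
                raise PemError(f"line {lineno}: bad base64 body: {exc}") from exc
            if not der:
                raise PemError(f"line {lineno}: empty certificate body")
            bodies.append(body)
            current = None
        elif current is not None and line:
            current.append(line)
        # Text outside a block (blank lines, comments) is ignored, as by OpenSSL.
    if current is not None:
        raise PemError("file ends inside an unterminated BEGIN block")
    return bodies


def merge_bundles(files: List[str]) -> str:
    """Concatenate several PEM texts into one bundle, dropping exact duplicates."""
    seen = set()
    out = []
    for text in files:
        for body in parse_pem_bundle(text):
            if body in seen:
                continue
            seen.add(body)
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            out.append(f"{BEGIN}\n{wrapped}\n{END}")
    return "\n".join(out) + "\n"


def make_fake_pem(label: bytes) -> str:
    """Constructed stand-in for a root certificate file (NOT a real X.509 cert)."""
    body = base64.b64encode(label).decode()
    return f"{BEGIN}\n{body}\n{END}\n"


if __name__ == "__main__":
    root1 = make_fake_pem(b"constructed root CA 1")
    root2 = make_fake_pem(b"constructed root CA 2")
    bundle = merge_bundles([root1, root2, root1])
    print(bundle)
    print(len(parse_pem_bundle(bundle)), "unique certificates in bundle")
    # A file saved without a trailing newline glues END onto the next BEGIN:
    try:
        parse_pem_bundle(root1.rstrip("\n") + root2)
    except PemError as err:
        print("rejected glued bundle:", err)
```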

Configuring Wildcard Certificates


Access Gateway supports validation of wildcard certificates for the Access Gateway
Plug-in. The wildcard certificate has an asterisk (*) in the certificate name. You can
format wildcard certificates in one of two ways, such as *.mycompany.com or
www*.mycompany.com. When the Access Gateway Plug-in uses the wildcard
certificate, users can choose different Web addresses, such as http://
www1.mycompany.com or http://www2.mycompany.com. The use of a wildcard
certificate allows several Web sites to be covered by a single certificate.
You can create wildcard certificates by using the Certificate Signing Request.
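As an added example (not Citrix code) covering both the wildcard note in the Certificate Manager section and the two patterns above, this Python function applies the one-label wildcard rule that common TLS clients use: the asterisk is accepted only in the leftmost label and stands in for that single label, so *.mycompany.com covers www1.mycompany.com but not a.b.mycompany.com or mycompany.com itself. That the Access Gateway Plug-in matches exactly this way is an assumption, not something the guide states.

```python
"""Which host names does a wildcard server certificate cover?

Added example for the Access Gateway guide, not Citrix code. Implements the
one-label wildcard rule (RFC 6125 style) applied by common TLS clients; the
Plug-in's exact behaviour is assumed to match and should be verified.
"""
from typing import Dict, Iterable


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly containing '*') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard stands in for exactly one label, so label counts must agree,
    # and every label after the first must match literally.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    # Refuse a wildcard that is too broad ("*.com") or that appears outside
    # the leftmost label.
    if len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    first = p_labels[0]
    if first.count("*") != 1:
        return False
    prefix, suffix = first.split("*")
    label = h_labels[0]
    # "www*" covers "www1" and "www2": the fixed text around the star must match.
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def coverage(pattern: str, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate host name to whether the certificate name covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    # The guide's own example names plus three that must NOT be covered.
    candidates = ["www1.mycompany.com", "www2.mycompany.com",
                  "access.mycompany.com", "a.b.mycompany.com", "mycompany.com"]
    for pat in ("*.mycompany.com", "www*.mycompany.com"):
        for host, ok in coverage(pat, candidates).items():
            print(f"{pat:20} {host:22} {'covered' if ok else 'NOT covered'}")
```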

To view the details of a certificate


If you encounter any problems with a certificate, you might want to verify the issuer of
the certificate. You can see this information, as well as other details about every
certificate installed on Access Gateway in the Access Gateway Management Console.
1. In the Access Gateway Management Console, click Certificates.
2. In the Certificates table, select the certificate for which you want to view
contents and then click Details.
3. In the dialog box that opens, view certificate details, subject name, and issuer
name for the selected certificate, and then click Close.

Exporting Certificates
You might need to export certificates when migrating to a new appliance, backing up
an appliance, and sharing certificates between a pair of appliances used for appliance


failover. You can export an existing server certificate and its corresponding
password-protected private key to a file. You can only export certificates in Privacy
Enhanced Mail (PEM) format.
1. In the Access Gateway Management Console, click Certificates.
2. In the table, select the certificate to export and then click Export (.pem).
3. In the Please enter password dialog box, in Password and Confirm, type the
password that will be used to encrypt the exported certificate and then click OK.

Installing Intermediate Certificates


An intermediate certificate is a digital certificate that goes between the server
certificate (on Access Gateway) and a root certificate (usually installed on the user
device). An intermediate certificate is part of a certificate chain.
Some organizations delegate the responsibility for issuing certificates to resolve the
issue of geographical separation between organization units, or to apply different
issuing policies to different sections of the organization.
You can set up subordinate Certificate Authorities (CAs) to delegate responsibility for
issuing certificates. The X.509 standard includes a model for setting up a hierarchy of
CAs. In this model, the root CA is at the top of the hierarchy and has a self-signed
certificate. The CAs that are directly subordinate to the root CA have CA certificates
signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA
certificates signed by the subordinate CAs.
The following figure illustrates the hierarchical structure of a typical digital certificate
chain.
Figure 9-1. The X.509 model showing the hierarchical structure of a typical digital
certificate chain



CAs can sign their own certificates (that is, they are self-signed) or they can be signed
by another CA. If the certificate is self-signed, it is called a root CA. If the certificates
are not self-signed, they are called subordinate or intermediate CAs.
If a server certificate is signed by a CA with a self-signed certificate, the certificate
chain is composed of exactly two certificates: the end entity certificate and the root
CA. If a user or server certificate is signed by an intermediate CA, the certificate chain
is longer.
The following figure shows that the first two elements are the end entity certificate (in
this case, gwy01.company.com) and the certificate of the intermediate CA, in that
order. The intermediate CA's certificate is followed by the certificate of its CA. This
listing continues until the last certificate in the list is for a root CA. Each certificate in
the chain attests to the identity of the previous certificate.
Figure 9-2. A typical digital certificate chain

To install an intermediate certificate


1. In the Access Gateway Management Console, click Certificates.
2. On the Certificate Management panel, click Import and then select Trusted
(.pem).
3. In Select file to upload, navigate to the file and then click Open.
When you install an intermediate certificate on Access Gateway, you do not need to
specify the private key or a password.
After the certificate is installed on the appliance, the certificate needs to be linked to
the server certificate.

To link an intermediate certificate to a server certificate


1. In the Access Gateway Management Console, click Certificates.
2. In the Certificates table, select the server certificate to which you want to link an
intermediate certificate and then click Add to Chain.
3. In the dialog box that opens, select a certificate and then click Add for each
certificate that you want to add to the chain.
4. When you are finished building the certificate chain, click Close.


Adding Network Settings


After you install one or more licenses and certificates on Access Gateway, you can
complete the following configuration steps, depending on your network configuration
or preferences, so that Access Gateway can work with your network:
• Assign different roles to the network adapters on the appliance to designate a
specific use.
• Redirect user connections from an unsecure port to a secure port.
• Configure up to three DNS servers and one Windows Internet Name Service (WINS)
server.
• Edit the HOSTS file to bypass the DNS server and resolve specific IP addresses to
specific host names.
• Configure static routes that listen for the routes published by one or more of your
routing servers or use specified static routes.
• Configure the date and time on Access Gateway or configure a Network Time
Protocol (NTP) server.

Designating Network Adapters for Specific Uses


You use the Networking panel in the Access Gateway Management Console to manage
network interfaces on the Access Gateway appliance and set network adapter roles.
Internal or external adapter. By default, eth0 is set as the external adapter and eth1
is set as the internal adapter. The external adapter is used by users who connect to
Access Gateway from the Internet. The internal adapter is used by users who connect
to Access Gateway from the secure network. As a best practice, assign an internal
(private) IP address to the internal adapter. Private IP addresses include the 10.0.x.x,
172.0.x.x, and 192.168.x.x address ranges. These addresses cannot be reached from
external sources, such as the Internet.
Appliance Failover. When you enable appliance failover, there are two Access Gateway
appliances: one is primary and the other is secondary. In the Networking panel, you
designate one network adapter on the appliance you are configuring to communicate
with the other appliance in the pair.
Management. The network adapter that you select under Management in the
Networking panel is the adapter that administrators use to connect to the Access
Gateway Management Console. Administrators can also use this network adapter to
connect with Secure Shell (SSH) to the appliance. Citrix recommends that you
designate the internal network adapter as the management adapter.
Default Gateway. The default gateway can be an Access Gateway appliance or another
piece of networking equipment, such as a firewall, router, or switch. When a user
attempts to connect to an IP address that does not match any addresses on the secure
network, the user connection is routed to the default gateway.

131

Chapter 9

Managing the Access Gateway Appliance and Access Controller

Redirecting Connections on Port 80 to a Secure Port


By default, Access Gateway does not accept unsecure connections on port 80. If a user
attempts to connect to Access Gateway using HTTP on port 80, the connection attempt
fails.
You can configure Access Gateway to automatically redirect HTTP connection attempts
on port 80 to be secure connections on port 443 (or another secure port). If a user
attempts an unsecure connection on port 80, Access Gateway automatically converts
this connection attempt into a secure, Secure Sockets Layer (SSL)-encrypted
connection on port 443.

To redirect unsecure connections


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Networking.
3. Under Access Gateway Properties, select Redirect HTTP to HTTPS.
Note: If you do not select Redirect HTTP to HTTPS, all user connection
attempts on port 80 fail and Access Gateway will not attempt to redirect them to
port 443.

Adding Name Service Providers


Access Gateway uses Name Service Providers to convert Web addresses to IP addresses.
You can configure a DNS server or a Windows Internet Naming Service (WINS) server on
Access Gateway.
You configure name resolution on the Name Service Providers panel in the Access
Gateway Management Console. You can specify the settings for up to three DNS servers
and one WINS server.

To specify DNS and WINS servers


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Name Service Providers.
3. In First DNS server, Second DNS server, or Third DNS server, type the IP address
of each server.
4. In WINS Server, type the IP address of the server.
5. In DNS Suffixes, click New. In Domain Name Server Suffix, in Input Suffix, type
the suffix and then click OK. Repeat this step for each suffix you want to add.
These are the DNS suffixes of the servers. Each entry should follow the format of
site.com. Do not precede a suffix with a dot (.), such as .site.com.
By default, Access Gateway checks a user's remote DNS server only. If you want to
allow failover to a user's local DNS server, you need to enable split DNS. For more
information, see Enabling Split DNS on page 288.
6. Click Save.

Editing the HOSTS File


You can add entries to the Access Gateway HOSTS file from the Name Service
Providers panel in the Access Gateway Management Console. Access Gateway uses the
entries in the HOSTS file to resolve fully qualified domain names (FQDNs) to IP addresses.
When Access Gateway attempts to translate an FQDN to an IP address, Access Gateway
checks its HOSTS file before connecting to a DNS server to perform the address
translation. If Access Gateway can translate the FQDN to an IP address using the
information in the HOSTS file, the appliance does not use a DNS server to perform the
address translation.
You might want to add entries to the HOSTS file in an Access Gateway deployment
where the network configuration prevents Access Gateway from connecting to a DNS
server to perform address translations. Also, adding entries to the HOSTS file can
optimize performance because Access Gateway does not have to connect to a different
server to perform the address translations.

To add an entry to the HOSTS file


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Name Service Providers.
3. Under HOSTS File, click New.
4. In Enter Hostname, enter the following information.
In IP Address, enter the IP address that you want to associate with an FQDN.
In Fully qualified domain name, enter the FQDN you want to associate with the
IP address you entered.
5. Click OK.
The IP address and HOSTS name pair appears in the Host Table.

To remove an entry from the HOSTS file


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Name Service Providers.
3. Under HOSTS File, click the IP address and HOSTS name pair you want to delete.
4. Click Remove.

Defining Static Routes


You can configure Access Gateway to support static routing.
When you set up communication with another host or network, you might need to add
a static route from Access Gateway to the new destination. You set up static routes on
the Access Gateway network adapter that is not used by the default gateway, as
specified on the Networking panel in the Access Gateway Management Console.

Each static route should consist of a network ID, subnet mask, gateway address, and
assigned network interface.

To add a static route


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Static Routes.
3. In the Static Routes panel, click New.
4. In Add Static Route, in Destination IP address, type the IP address of the
destination LAN.
5. In Subnet mask, type the subnet mask for the Access Gateway appliance.
6. In Gateway, type the IP address for the default gateway.
If you do not specify a gateway, Access Gateway can access content only on the
local network.
7. In Adapter, select the network adapter for the static route and then click Add.
The default is eth0.
The static route appears in the Static routes table.
8. Click Save.

To remove a static route


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Static Routes.
3. In the Static Routes table, select the route that you want to delete and then click
Remove.
4. Click Save.

Static Route Example


An example of a static route is as follows: Suppose the IP address of Interface 0 on your
Access Gateway is 10.0.16.20 and a request occurs to access information at 129.6.0.20
to which you currently do not have a path. You can create a static route through the
network adapter that is not set as your Access Gateway default gateway and out to the
requested network address, as shown in the following figure:
Figure 9-3. Example of a static route

The diagram shows the following connections:
w The eth0 adapter (10.0.16.20) leads to the default gateway (10.0.16.1), which
connects to the rest of the 10.0.0.0 network.
w The eth1 adapter (192.168.0.20) is set to communicate with the 192.168.0.0
network and its gateway (192.168.0.1). Through this gateway, eth1 can communicate
with the 129.6.0.20 network and the server at IP address 129.6.0.20.
To set up the static route, you need to establish the path between eth1 and the IP
address 129.6.0.20.

To set up the example static route


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Static Routes.
3. In the Static Routes panel, click New.
4. In Add Static Route, in Destination IP address, set the IP address of the
destination LAN to 129.6.0.0.
5. In Subnet mask, set the subnet mask for the Access Gateway appliance.
6. In Gateway, set the IP address of the default gateway to 192.168.0.1.
7. In Adapter, select eth1 as the Access Gateway device adapter and then click Add.
The example static route appears in the Static routes table.
8. Click Save.

Changing the Date and Time on Access Gateway


The current time and date appear on the Monitor tab under System Information in the
Access Gateway Management Console. You can set the time of Access Gateway
manually or by supplying a Network Time Protocol (NTP) server address.
Note: If you are using Access Controller in your deployment, you must configure an
NTP server to synchronize the date and time between Access Gateway and Access
Controller.

To change the date and time


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Date and Time.
3. In Time zone, select the appropriate time zone.
4. In Date, select the date.
5. In Time, select the time.
6. Click Set Time and then click Save.

Synchronizing Access Gateway with a Network Time Protocol Server


The Network Time Protocol (NTP) transmits and receives time over TCP/IP networks.
The NTP is useful for synchronizing the internal clock of computers on the network to a
common time source.
You can set the time of the Access Gateway appliance manually or by supplying an NTP
server address.
If you have an NTP server in your secure network, you can use the Access Gateway
Management Console to configure Access Gateway to synchronize the time with the
NTP server.
Note: If you are using Access Controller in your deployment, you must configure an
NTP server to synchronize the date and time between Access Gateway and Access
Controller.
Important: If you are using Access Gateway VPX, Access Gateway does not support
the suspension and resumption of virtual appliances. If you suspend and then resume
the virtual appliance, the NTP server is not synchronized with Access Gateway. To
resynchronize Access Gateway with the NTP server, you must restart Access Gateway.

To synchronize Access Gateway with a Network Time Protocol Server


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Date and Time.
3. In Time zone, select the appropriate time zone.
4. Select the Use Network Time Protocol server check box.
5. In Primary server, type the fully qualified domain name (FQDN) or IP address of
the NTP server.
6. Optional. In Secondary server, type the FQDN or IP address of the secondary NTP
server.
7. Click Save.

Setting Up Network Access


After you configure the Access Gateway appliance to operate in your network
environment, the next step is to configure network access for the appliance in the
Access Gateway Management Console.
w Step 1: Configuring global settings for user connections. Allow users to connect to
the appliance using earlier versions of the Access Gateway Plug-in. On the Global
Settings panel, you can:
  w Audit Citrix online plug-in user connections.
  w Select the encryption strength.
  w Configure settings for the Access Gateway Plug-in.
w Step 2: Configuring authentication and authorization. Authentication defines how
users log on and is configured using profiles. Authentication types include LDAP,
RADIUS, and RSA SecurID. Authorization defines the network resources users can
access. Authorization types include LDAP and RADIUS. For more information about
configuring authentication and authorization, see Creating Authentication and
Authorization Profiles on Access Gateway on page 144.
w Step 3: Configuring networks to which clients can connect. By default, user
devices cannot connect to any networks. The first step in configuring network
access is to use Network Resources to specify the networks to which users can connect.
For more information about configuring network resources, see Defining Network
Resources on the Appliance on page 165.
w Step 4: Configuring logon points. After you configure authentication and the
networks to which user devices can connect, you configure logon points. A logon
point defines the logon page for users and specifies settings that are applied to user
sessions. These logon point settings include the required authentication and
authorization type, logon point type, the client software to use, and the device
profile settings.
For more information about configuring logon points, see Creating Logon Points on
the Access Gateway Appliance on page 169.
w Step 5: Configuring SmartGroups for network access. After you configure logon
points, you configure SmartGroups. Within a SmartGroup, you enable the logon
point, group membership, address pools, network resources, device profiles, and
advanced properties. Any settings that you change in Advanced Properties override
the settings in Global Options. For example, with time-out settings, logon point
time-outs override global time-outs, but SmartGroup time-outs override both logon point
and global time-out settings.
For information about configuring SmartGroups, see Adding SmartGroups on page
175.
w Step 6: Configuring device profiles. Device profiles allow you to create a profile
that validates a user device against a set of criteria when a user logs on to the
network. Before the user is allowed access to the network, the device must meet
the criteria that you set up in the device profile. You define device profiles to
represent the variety of endpoint devices with which users may access internal
resources.
For information about configuring device profiles, see Creating Device Profiles on
page 160.

Installing Additional Access Gateway Appliances


You can install multiple Access Gateway appliances in your network. The additional
appliances can be part of appliance failover or you can install the appliances behind a
load balancer.
You can install multiple Access Gateway appliances for any of the following reasons:
w Scalability. If the size of your user population exceeds the capacity of a single
Access Gateway, you can install multiple appliances to accommodate the user load.
w Appliance failover. You can install two appliances in the demilitarized zone (DMZ)
so that an Access Gateway is always available to handle the connections if one
Access Gateway fails.
If you have two Access Gateway appliances, you can deploy them in a configuration
where one Access Gateway accepts and manages connections, while a second Access
Gateway monitors the first appliance. If the first Access Gateway stops accepting
connections for any reason, the second Access Gateway takes over and begins
actively accepting connections. This prevents downtime and ensures that the
services provided by the Access Gateway remain available, even if one Access
Gateway is not working.
w Clustering and load balancing. You can deploy multiple Access Gateway appliances
and multiple Access Controller servers to create a cluster.
When you deploy Access Gateway as a cluster, load balancing occurs within the
cluster, eliminating the need for an external load balancer. When users log on to
Access Gateway, the appliance contacts one Access Controller server in the cluster
based on the load balancing algorithm configured on Access Controller. Then, Access
Controller sends the user session to an Access Gateway within the cluster based on
that algorithm.
Load balancing provides improved scalability for user connections. Load balancing
supports both the physical Access Gateway appliance and Access Gateway VPX. Load
balancing is for end user sessions and is per session.
You configure load balancing on Access Controller as part of the server cluster
properties and the global properties for the Access Gateway appliances.
If your deployment contains multiple Access Gateway appliances only, you can use an
external load balancer for user sessions. An external load balancer routes user
connections to the Access Gateway with the least load on it. If you use an external load
balancer, you must install the same server certificate on each Access Gateway in the
network. Each Access Gateway appliance must have the same fully qualified domain
name (FQDN) as the host name.
If the external load balancer needs to find the load metric for Access Gateway, it uses
the query interface provided by the appliance and parses the response to determine
the load of Access Gateway.

How Appliance Failover Works on Access Gateway 5.0


When you configure Access Gateway for appliance failover, the secondary Access
Gateway monitors the primary appliance by sending periodic messages to determine if
the primary appliance is accepting connections. If the secondary Access Gateway
detects that the primary appliance is not accepting connections, the secondary Access
Gateway tries the connection again for a specified amount of time until it determines
that the primary appliance is not working. When the secondary Access Gateway makes
the determination, it takes over for the primary Access Gateway. This functionality is
called failover. You can initiate failover from the primary appliance only.
Before configuring appliance failover, you need to complete the following prerequisites:
w Each Access Gateway appliance must be running the same version of the Access
Gateway software. You can find the version number in the Access Gateway
Management Console on the Monitor tab.
w Access Gateway does not automatically synchronize passwords between two
appliances. You can configure each Access Gateway to have matching passwords.
w You must configure the primary and secondary Access Gateway with a unique system
IP address.
w Licenses for both appliances reside on the primary appliance. The secondary
appliance gets licenses from the primary appliance. When you configure the
secondary appliance for failover, Access Gateway removes any licenses you
previously installed on the secondary appliance.
When configuring appliance failover, use the following information to configure the
settings:
w On both Access Gateway appliances, you must enable appliance failover on at least
one network interface. Each appliance in the pair must have the same shared secret.
w On the primary appliance, you must configure internal and external virtual IP
addresses that provide services. The virtual IP addresses are available on the
primary appliance only. Primary and secondary peer IP addresses are used for the
communication path between the two appliances. The secondary peer IP address is
for redundancy and is an optional setting.
w When you configure the secondary appliance, you select the interface that
communicates with the primary appliance. Then, you configure the secondary
appliance to listen to the primary appliance. After you configure the settings on the
secondary appliance, you join it to the primary appliance.
When you complete configuration of appliance failover on both appliances and start
the service, the following services are available on the primary appliance:
w Administrator services
w User services
w Database replication that has a listener port available to service the secondary
Access Gateway
On the secondary appliance, the following services are available:
w Administrator services
w Database replication that establishes a network connection to the primary Access
Gateway
When you enable appliance failover on the secondary appliance, you can configure
networking settings and static routing. Snapshots on the secondary appliance are
limited to uploading and removing software releases, importing and exporting
snapshots, showing a filtered list of common snapshot names and release names. When
you configure appliance failover on the secondary appliance, you cannot take snapshots
of the configuration. In addition, the following features are disabled on the secondary
appliance:
w SmartGroups
w Logon points
w Network resources
w Device points
w Authentication
w Network time protocol
w ICA Access Control
w Secure Ticket Authority
w Address pools
w Appliance failover configuration (except failover)
w Name Service Providers
w Access Controller (deployment mode)
w Global options
w Certificates
The secondary appliance receives these settings from the primary appliance.
Note: If you log on to both appliances as an administrator, the secondary appliance
shows two sessions: one is your session on the primary appliance and the other is
your session on the secondary appliance.

To enable appliance failover on a network adapter


Before you can configure appliance failover settings on either the primary or secondary
Access Gateway appliance, you enable appliance failover on an appliance network
adapter.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Networking.
3. In the Networking panel, next to Network adapters, under Adapter Roles, click
the Appliance Failover check box for the adapter on which you want to enable
appliance failover and then click Save.

To configure appliance failover on the primary appliance


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Appliance Failover.
3. In the Appliance Failover Configuration panel, in Appliance failover role, click
Primary.
4. In Shared key, type the shared key.
Note: The shared key must be identical on the primary and secondary appliances.
5. In Peer IP address, type the IP address of the network adapter on which you
enable appliance failover on the secondary appliance.
If the primary IP address fails for any reason, this is the IP address to which
failover to the secondary appliance occurs.
6. In Internal virtual IP address and External virtual IP address, type the internal
and external IP addresses that accept user connections.
The primary appliance uses the external IP address for user connections.
7. Click Start and then click Save.

To configure appliance failover on the secondary appliance


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Appliance Failover.
3. In the Appliance Failover Configuration panel, in Appliance Failover role, click
Secondary.
4. In Shared key, type the shared key.
Note: The shared key must be identical on the primary and secondary appliances.
5. In Peer IP address, type the IP address of the network adapter on which you
enable appliance failover on the primary appliance.
This is the IP address the secondary appliance monitors.
6. Click Join primary and then click Save.

To force failover to the secondary appliance


If you configure two appliances for appliance failover and if you need to update or
restart the primary appliance, you can force failover to the secondary Access Gateway
appliance. When you force failover, the secondary appliance starts accepting user
connections.
1. Open the Access Gateway Management Console for the primary appliance.
2. In the Access Gateway Management Console, click Management.
3. Under System Administration, click Appliance Failover.
4. Under Start or Stop Appliance Failover, click Force failover.

Setting Up Multiple Appliances to Use an External Load Balancer


You can deploy multiple Access Gateway appliances behind a load balancer to support a
large population of remote users and to ensure that users can reach the internal
network.
The load balancer you deploy with the appliances must support load balancing based on
the Source IP (Src IP).
Figure 9-4. Multiple Access Gateway appliances deployed behind a load balancer

The load balancer is configured with a unique IP address or fully qualified domain name
(FQDN). This address is used by the Citrix Access Gateway Plug-in or a Web browser to
connect to the load balancer. The load balancer distributes the user connections evenly
among the appliances deployed behind it.
Upon receiving a user connection, the load balancer uses an algorithm to select one of
the appliances from the list and directs the user connection to the selected Access
Gateway.
In addition to an equal distribution of user connections, a load balancer also provides
greater access to the internal network.
To provide increased access, some load balancers can detect when appliances deployed
behind them are failing. If the load balancer detects that an appliance is failing, the
load balancer removes the appliance from the list of available appliances and redirects
user connections to the remaining active appliances. When Access Gateway comes back
online, the load balancer adds it back to the list of active appliances. This approach
ensures that all user connections have continuous access to the internal network if one
Access Gateway fails.

To create a certificate for appliances deployed behind a load balancer


When you deploy Access Gateway appliances behind a load balancer, you must deploy
the same Secure Sockets Layer (SSL) server certificate and private key on each appliance.
Important: Do not use the Certificate Signing Request (CSR) feature available on the
Certificates panel in the Access Gateway Management Console to create the SSL
server certificate request. This feature creates an individual private key on the Access
Gateway on which it is run. When Access Gateway appliances are deployed behind a
load balancer, each Access Gateway must use the same private key and SSL certificate.

1. Use an OpenSSL tool, such as Keytool, to create the SSL server certificate request
and private key. (To learn more about OpenSSL and available tools, browse to
http://www.openssl.org.)
  w Create the server certificate request in the PEM format.
  w When creating the server certificate request, use the fully qualified domain
name (FQDN) of the load balancer as the server name in the request. Do not use
the FQDN of any of the Access Gateway appliances in the request.
  w Optionally, you can use an asterisk for the server name in the FQDN that you
enter in the server certificate request. The use of the asterisk creates a
wildcard certificate, which lets you use the same certificate on any appliance
in your organization; users will be able to connect through different URLs. For
example, you can create an SSL server certificate request for a server name in
this format:
*.domain.com
  w Create the private key separately from the server certificate request.
2. Send the SSL server certificate request to a Certificate Authority (CA) to be signed.
Send only the server certificate request in the PEM format. Do not send the private
key.
3. When you receive the signed SSL server certificate request from the CA, manually
add the private key to the top of the signed certificate.
4. When you receive the signed certificate from the CA, upload the SSL server
certificate and private key to each of the Access Gateway appliances deployed
behind the load balancer:
a. In the Access Gateway Management Console, click Certificates.
b. Click Import and then select Server (.pem).
c. Navigate to and select the file containing the combined private key and signed
PEM certificate and then click Open.
Repeat Step 4 to upload the private key and PEM certificate to each Access
Gateway deployed behind the load balancer.

To combine the private key with the signed certificate


You must combine the signed certificate with the private key before you can upload it
to Access Gateway.
1. Use a text editor to combine the unencrypted private key with the signed
certificate in the PEM file format.
The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
2. Save and name the PEM file; for example, AccessGateway.pem.
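The combining step above is easy to get wrong by hand (certificate placed first, or a still-encrypted key). The following added example, which is not Citrix code, builds the combined file in the layout shown and checks that layout before the file is copied to every appliance; the key and certificate bodies it uses are constructed placeholders, not real key material.

```python
"""Combine an unencrypted private key and the CA-signed certificate into the
single PEM file that Access Gateway imports (key block first, then the
certificate), and check that layout before copying the file to every appliance
behind the load balancer. Added example, not Citrix code. The key and
certificate bodies used here are constructed placeholders, not key material."""
import base64
import re
from typing import List, Tuple

# One PEM block: label, optional RFC 1421 headers, base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}
Block = Tuple[str, List[str], str]  # (label, header lines, base64 body)


def parse_pem(text: str) -> List[Block]:
    """Split a PEM file into blocks; a corrupt base64 body raises binascii.Error."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = [ln for ln in lines if ":" in ln]          # e.g. Proc-Type, DEK-Info
        body = "".join(ln.strip() for ln in lines if ln.strip() and ":" not in ln)
        base64.b64decode(body, validate=True)
        blocks.append((m.group("label"), headers, body))
    return blocks


def key_is_encrypted(block: Block) -> bool:
    label, headers, _ = block
    return label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers)


def combine_key_and_certificate(key_pem: str, cert_pem: str) -> str:
    """Return the combined file shown above, or raise ValueError for input the
    appliance would not accept (encrypted key, wrong block types, no cert)."""
    keys = parse_pem(key_pem)
    if len(keys) != 1:
        raise ValueError("the key file must contain exactly one private key block")
    if key_is_encrypted(keys[0]):
        raise ValueError("the private key is encrypted; decrypt it before combining")
    if keys[0][0] not in KEY_LABELS:
        raise ValueError(f"unexpected block in key file: {keys[0][0]}")
    certs = parse_pem(cert_pem)
    if not certs or any(label != "CERTIFICATE" for label, _, _ in certs):
        raise ValueError("the signed file must contain only CERTIFICATE blocks")
    # Private key on top, then the signed certificate (and any chain the CA sent).
    return key_pem.strip() + "\n" + cert_pem.strip() + "\n"


def check_combined_pem(text: str) -> bool:
    """True when the file has the required layout: one unencrypted private key
    block followed by one or more certificate blocks."""
    blocks = parse_pem(text)
    return (len(blocks) >= 2
            and blocks[0][0] in KEY_LABELS and not key_is_encrypted(blocks[0])
            and all(label == "CERTIFICATE" for label, _, _ in blocks[1:]))


def rejects(key_pem: str, cert_pem: str) -> bool:
    """True when combine_key_and_certificate refuses the pair."""
    try:
        combine_key_and_certificate(key_pem, cert_pem)
        return False
    except ValueError:
        return True


def _placeholder_block(label: str, payload: bytes, headers=()) -> str:
    """Constructed PEM block wrapping arbitrary bytes; NOT a real key or cert."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


SAMPLE_KEY = _placeholder_block("RSA PRIVATE KEY", b"placeholder key bytes " * 4)
SAMPLE_CERT = _placeholder_block("CERTIFICATE", b"placeholder certificate " * 4)
ENCRYPTED_KEY = _placeholder_block("RSA PRIVATE KEY", b"placeholder " * 4,
                                   headers=("Proc-Type: 4,ENCRYPTED",
                                            "DEK-Info: AES-256-CBC,0123456789ABCDEF"))

if __name__ == "__main__":
    combined = combine_key_and_certificate(SAMPLE_KEY, SAMPLE_CERT)
    print(combined)
    print("layout ok:", check_combined_pem(combined))
```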

Specifying a Load Balancer as the Default Gateway


Some load balancers or network configurations might require you to specify the load
balancer as the default gateway for Access Gateway. If you specify the load balancer as
the default gateway, configure static routes on Access Gateway so that all traffic
destined for the secure network is routed to an internal network that can successfully
route all internal traffic.
If Access Gateway receives a packet destined for an unknown IP address, the appliance
sends the packet to the default gateway address. If the load balancer is configured as
the default gateway, Access Gateway can use static routing to ensure that packets
destined for internal locations are delivered.
If Access Gateway receives a packet destined for an internal address and the static
routing table does not include an appropriate route for the packet, the packet might
be lost.
For example, assume the load balancer is specified as the default gateway and the
following conditions exist:
w You have three internal networks: 10.10.0.0, 10.20.0.0, and 10.30.0.0.
w The network 10.10.0.0 can route packets to networks 10.20.0.0 and 10.30.0.0.
However, the 10.20.0.0 and 10.30.0.0 networks cannot route packets to other
networks.
In this environment, you must create static routes associated with the internal network
adapter on Access Gateway. These static routes must direct all traffic destined for the
10.20.0.0 and 10.30.0.0 networks to the 10.10.0.0 network through the eth1 network
adapter on Access Gateway.
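Both routing scenarios on this page (the Figure 9-3 static route through eth1 and the load balancer as default gateway) come down to longest-prefix matching against the appliance's routing table. The following added example, which is not Citrix code, models that lookup with the page's addresses so you can see which destinations fall through to the default gateway until a static route is added; the subnet masks, the 10.10.0.1 router and the 192.0.2.1 load balancer address are assumptions.

```python
"""Longest-prefix-match route selection for the two static-route scenarios on
this page (the Figure 9-3 example and the load balancer as default gateway).
Added example, not Citrix code: it models how the appliance's routing table
chooses an adapter and next hop, so you can check which destinations would be
handed to the default gateway before a static route exists."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network
    gateway: Optional[str]   # next-hop IP, or None for a directly attached network
    adapter: str


def build_table(entries) -> List[Route]:
    """entries: (destination, subnet mask, gateway or None, adapter), the same
    four fields as the Add Static Route dialog. Most specific prefix first."""
    table = [Route(ip_network(f"{dest}/{mask}", strict=False), gw, adapter)
             for dest, mask, gw, adapter in entries]
    return sorted(table, key=lambda r: r.network.prefixlen, reverse=True)


def lookup(table: List[Route], destination: str) -> Route:
    """First (most specific) route whose network contains the destination."""
    addr = ip_address(destination)
    for route in table:
        if addr in route.network:
            return route
    raise LookupError(f"no route to {destination}")


def leaks_to_default_gateway(table: List[Route], destinations: List[str]) -> List[str]:
    """Destinations that fall through to the 0.0.0.0/0 route. For internal
    addresses this is the 'packet might be lost' case described above."""
    return [d for d in destinations if lookup(table, d).network.prefixlen == 0]


# Figure 9-3. Adapter addresses and gateways come from the page; the /24 masks
# of the attached networks and the /16 mask of the 129.6.0.0 route are assumptions.
FIGURE_9_3_BASE = [
    ("10.0.16.0", "255.255.255.0", None, "eth0"),        # eth0 is 10.0.16.20
    ("192.168.0.0", "255.255.255.0", None, "eth1"),      # eth1 is 192.168.0.20
    ("0.0.0.0", "0.0.0.0", "10.0.16.1", "eth0"),         # default gateway
]
STATIC_ROUTE_129_6 = ("129.6.0.0", "255.255.0.0", "192.168.0.1", "eth1")
WITHOUT_STATIC = build_table(FIGURE_9_3_BASE)
FIGURE_9_3 = build_table(FIGURE_9_3_BASE + [STATIC_ROUTE_129_6])

# Load balancer as default gateway: the three internal networks from the page.
# 192.0.2.1 is a placeholder for the load balancer, 10.10.0.1 an assumed router
# on the 10.10.0.0 network, and the /16 masks are assumptions.
LB_BASE = [
    ("0.0.0.0", "0.0.0.0", "192.0.2.1", "eth0"),
    ("10.10.0.0", "255.255.0.0", None, "eth1"),
]
LB_STATIC_ROUTES = [
    ("10.20.0.0", "255.255.0.0", "10.10.0.1", "eth1"),
    ("10.30.0.0", "255.255.0.0", "10.10.0.1", "eth1"),
]
LB_BEFORE = build_table(LB_BASE)
LB_AFTER = build_table(LB_BASE + LB_STATIC_ROUTES)

if __name__ == "__main__":
    for table, name in ((WITHOUT_STATIC, "without"), (FIGURE_9_3, "with")):
        r = lookup(table, "129.6.0.20")
        print(f"129.6.0.20 {name} static route -> {r.adapter} via {r.gateway}")
    internal = ["10.20.5.9", "10.30.1.1", "10.10.2.2"]
    print("lost behind the load balancer:", leaks_to_default_gateway(LB_BEFORE, internal))
    print("after adding static routes:", leaks_to_default_gateway(LB_AFTER, internal))
```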

Creating Authentication and Authorization Profiles on Access Gateway


You can configure authentication on the Access Gateway appliance for your
authentication type. The Access Gateway appliance supports the following
authentication types:
w LDAP
w RADIUS
w RSA SecurID
As part of the authentication profile, you can configure authorization. Access Gateway
supports LDAP and RADIUS authorization. Configuring authorization is not a requirement.

Adding Authentication Profiles on the Access Gateway Appliance


You can configure the Access Gateway to use LDAP, RADIUS, or RSA SecurID
authentication servers. You configure authentication on Access Gateway using
authentication profiles. You can configure multiple profiles to accommodate sites with
more than one LDAP or RADIUS server or with a combination of authentication servers.
The following figure shows Access Gateway connecting to and communicating with
authentication servers in the secure network.
Figure 9-5. Communication between Access Gateway and authentication servers

After a user is authenticated, Access Gateway performs a group authorization check by
obtaining the user's group information from either the LDAP or RADIUS servers. If group
information is available for the user, Access Gateway then checks the network
resources allowed for the group. LDAP authorization works with all supported
authentication methods.
If you use SafeWord or Gemalto Protiva authentication servers, you configure a RADIUS
authentication profile and enter the settings for SafeWord or Protiva.
You can also configure double-source authentication in which users are required to
enter two types of credentials, such as a password and a personal identification
number (PIN). Double-source authentication is configured when you create logon
points. When you configure logon points, you select the authentication type for the
logon point. If users connect only with Citrix online plug-ins, you can choose to
authenticate users with either Access Gateway or Web Interface. For more information
about configuring double-source authentication, see To configure double-source
authentication and authorization on page 173.

Creating LDAP Authentication Profiles on the Appliance


You can configure Access Gateway to authenticate users with one or more LDAP servers.
For each LDAP authentication profile you configure on Access Gateway, you can
configure up to three LDAP servers to provide failover capabilities. Configuring
additional LDAP servers works only with failover and not load balancing. If Access
Gateway cannot connect to an LDAP server, the appliance tries to connect to the next
server in the list until Access Gateway finds an available LDAP server in order to
authenticate users.
You can specify the order in which Access Gateway connects to the LDAP servers. When
Access Gateway fails to connect to an LDAP server, that server is removed from the
server pool for five minutes. Access Gateway does not check the server again until the
five minute limit expires. If there is only one LDAP server, Access Gateway checks the
server within the five minute wait period. If there are two or more LDAP servers, when
users log on, Access Gateway attempts to connect to each server.
When Access Gateway successfully establishes a connection with an LDAP server,
authentication and authorization occur. If user authentication fails on the LDAP server,
Access Gateway does not attempt to connect to another server. Access Gateway
prompts the user to check the user name and password and try to log on again.
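As an added illustration of the failover rules just described (example code, not part of the original guide or of the Access Gateway software), the following Python models the server pool: servers are tried in configured order, an unreachable server is quarantined for five minutes, a single-server pool is still checked inside that window, and a bind that the directory rejects stops the attempt instead of moving on to the next server. The server names, the fake clock, the connect and bind callbacks and the credential table are all constructed for the demonstration.

```python
import time

QUARANTINE_SECONDS = 300  # an unreachable server is skipped for five minutes


class ConnectError(Exception):
    """Raised by the connect callback when no TCP/LDAP connection can be made."""


class LdapServerPool:
    """Ordered list of LDAP servers with the failover rules described above:
    servers are tried in configured order, an unreachable server is quarantined
    for QUARANTINE_SECONDS, a one-server pool is always tried, and a *rejected*
    bind ends the attempt without trying the next server."""

    def __init__(self, servers, quarantine=QUARANTINE_SECONDS, clock=time.monotonic):
        self.servers = list(servers)
        self.quarantine = quarantine
        self.clock = clock            # injectable so the demo can move time forward
        self.failed_at = {}           # server -> time of the last connection failure

    def candidates(self):
        """Servers eligible for this logon, in configured order."""
        now = self.clock()
        live = [s for s in self.servers
                if s not in self.failed_at or now - self.failed_at[s] >= self.quarantine]
        if not live and len(self.servers) == 1:
            return list(self.servers)  # sole server: checked even inside the wait period
        return live

    def authenticate(self, username, password, connect, bind):
        """Return (server, True) on success, (server, False) when the directory
        rejected the credentials, (None, False) when no server was reachable."""
        for server in self.candidates():
            try:
                conn = connect(server)
            except ConnectError:
                self.failed_at[server] = self.clock()   # quarantine and move on
                continue
            self.failed_at.pop(server, None)
            # The directory answered: a bad password is final, no further failover.
            return server, bind(conn, username, password)
        return None, False


def run_demo():
    """Constructed scenario: three servers, the first one down, one known user."""
    now = [1000.0]
    pool = LdapServerPool(["ldap1.example.local", "ldap2.example.local",
                           "ldap3.example.local"], clock=lambda: now[0])
    down = {"ldap1.example.local"}
    users = {"jdoe": "Winter2011!"}        # constructed sample credential
    bind_log = []

    def connect(server):
        if server in down:
            raise ConnectError(server)
        return server                       # stands in for a connection object

    def bind(conn, user, password):
        bind_log.append(conn)
        return users.get(user) == password

    first = pool.authenticate("jdoe", "Winter2011!", connect, bind)
    after_first = pool.candidates()         # ldap1 is now quarantined
    now[0] += 120
    rejected = pool.authenticate("jdoe", "wrong-password", connect, bind)
    now[0] += 200                           # 320 s after the failure: quarantine over
    restored = pool.candidates()
    return {"first": first, "after_first": after_first, "rejected": rejected,
            "restored": restored, "bind_log": bind_log}


if __name__ == "__main__":
    print(run_demo())
```

The point to notice in the demo is the second logon: the wrong password is answered by ldap2 and ldap3 is never contacted, which is the behaviour the text describes and also what stops a password-guessing client from multiplying its attempts across every server in the list.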
By default, connections to LDAP servers are not encrypted, so user credentials and
directory data cross the network in clear text. You can secure the connection by
choosing Use secure connection in the authentication profile, configuring the secure
port, and installing on Access Gateway the certificates it needs to validate the LDAP
server's certificate.
The port numbers for LDAP connections are:
• 389 for unsecured LDAP connections
• 636 for secure LDAP connections
• 3268 for Microsoft unsecured LDAP connections (global catalog)
• 3269 for Microsoft secure LDAP connections (global catalog)
When configuring the LDAP server, the letter case must match on the server and on
Access Gateway.
If you specify the root directory of the LDAP server, Access Gateway searches all of the
subdirectories to find the user attribute. In large directories, this setting can affect
performance. For this reason, Citrix recommends that you use a specific organizational
unit (OU).
The following table contains examples of user attributes for LDAP servers:

LDAP server                                                  User attribute   Case sensitive
Active Directory Server                                      sAMAccountName   No
Novell eDirectory                                            cn               Yes
IBM Tivoli Directory Server (formerly IBM Directory Server)  uid              Yes
Lotus Domino                                                 CN               Yes
Sun ONE directory (formerly iPlanet)                         uid or cn        Yes
The following table contains examples of the base DN, which is the top level of the
LDAP directory tree:

LDAP server                                                  Base DN
Active Directory Server                                      DC=citrix, DC=local
Novell eDirectory                                            dc=citrix,dc=net
IBM Tivoli Directory Server (formerly IBM Directory Server)  cn=users
Lotus Domino                                                 OU=City, O=Citrix, C=US
Sun ONE directory (formerly iPlanet)                         ou=People,dc=citrix,dc=com

The following table contains examples of the bind DN, which is the administrative user
(with its password) that Access Gateway uses to search the directory:

LDAP server                                                  Bind DN
Active Directory Server                                      CN=Administrator, CN=Users, DC=citrix, DC=local
Novell eDirectory                                            cn=admin, dc=citrix, dc=net
IBM Tivoli Directory Server (formerly IBM Directory Server)  LDAP_dn
Lotus Domino                                                 CN=Notes Administrator, O=Citrix, C=US
Sun ONE directory (formerly iPlanet)                         uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

To create an LDAP authentication profile on the appliance


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. In the right panel, next to Add, click the down arrow, and then click LDAP.
4. Under General Properties, in Profile name, type a name for the profile.
5. Under LDAP Servers, in Server Type, select the type of LDAP server you have
installed in your network.

When you select the server type, settings under Authentication Properties and
Authorization Properties populate automatically. These default settings are the
most commonly used. You can change these settings.
6. In Network Time-out, type the length of time before the logon attempt times out.
This value sets the length of time Access Gateway waits when attempting to
establish a TCP connection to the LDAP server. The maximum value is 60 seconds.
The default value is 10 seconds.
7. In Server List, click New.
8. In the Add LDAP Server dialog box, in Server type the IP address of the LDAP server.
9. In Port, type the port number, and then click OK.
10. Under Bind Properties, in Administrator DN, type the administrator bind DN for
queries to your LDAP directory.
The following are examples of syntax for the administrator bind DN:
domain/user name
ou=administrator,dc=ace,dc=com
user@domain.name (for Active Directory)
cn=Administrator,cn=Users,dc=ace,dc=com
For Active Directory, the container that holds the account must be given as
cn=containername (for example, cn=Users), and the name you type on Access Gateway
must be identical in character and case to the name defined on the LDAP server.
For other LDAP directories, the container is either not required or, if required, is
specified as ou=containername.
Access Gateway binds to the LDAP server using the administrator credentials and
then searches for the user. After locating the user, Access Gateway unbinds the
administrator credentials and binds again with the user's credentials. Because the
bind account is used only to locate users, it needs read access to the base DN and
nothing more; a dedicated low-privilege account is preferable to a domain
administrator.
11. In Password, type the password.
12. In Base DN (location of users), type the base DN under which users are located.
The base DN is usually derived from the bind DN by removing the user name and
specifying the group where users are located. Examples of syntax for base DN are:
ou=users,dc=ace,dc=com
cn=Users,dc=ace,dc=com
13. In User search query, type the parameters for searching for users in the LDAP
directory.
14. In Server logon name attribute, leave the default for your server type or type
another value.
15. Click Save.
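The user search described above (bind as the administrator, search the base DN for the logon name, rebind as the user) is driven by a filter built from the Server logon name attribute and the User search query. The following added Python example, not code from the guide or from Citrix, shows how such a filter should be built with RFC 4515 escaping and evaluates it against a constructed two-entry directory with a minimal filter matcher, so you can see that a typed name of * or j* finds nothing once it is escaped, while an unescaped wildcard would match every account. The sample entries, the assumption that User search query holds an ordinary LDAP filter such as (objectClass=user), and the matcher itself are all mine for this illustration.

```python
import re

# RFC 4515 escaping for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(logon_name_attribute, username, user_search_query=None):
    """Filter to locate the user: the 'Server logon name attribute' equals the
    typed name, AND-ed with the optional 'User search query' (assumed here to be
    an LDAP filter such as '(objectClass=user)')."""
    term = "(%s=%s)" % (logon_name_attribute, escape_filter_value(username))
    return "(&%s%s)" % (user_search_query, term) if user_search_query else term


# --- minimal filter evaluator, enough to show what the escaping protects ---

def _parse(s, i=0):
    """Parse '(attr=value)', '(&...)' or '(|...)' starting at s[i]."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    eq = s.index("=", i)
    end = s.index(")", eq)                 # an escaped ')' is '\29', so a raw ')' ends the value
    return ("=", s[i:eq], s[eq + 1:end]), end + 1


def _value_regex(value):
    """Filter value -> regex: an unescaped '*' matches anything, '\\xx' escapes
    become literal characters. Matching is case-insensitive, as sAMAccountName
    is in the table above."""
    parts, buf, i = [], "", 0
    while i < len(value):
        if value[i] == "\\":
            buf += chr(int(value[i + 1:i + 3], 16)); i += 3
        elif value[i] == "*":
            parts += [re.escape(buf), ".*"]; buf = ""; i += 1
        else:
            buf += value[i]; i += 1
    parts.append(re.escape(buf))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.match(v) for v in entry.get(attr.lower(), []))


def search(directory, filter_string):
    """DNs of entries matching the filter. Attribute names are stored lower-case."""
    node, _ = _parse(filter_string)
    return sorted(dn for dn, entry in directory.items() if _matches(node, entry))


# Constructed two-entry, Active Directory style sample; not real data.
DIRECTORY = {
    "CN=John Doe,CN=Users,DC=citrix,DC=local": {
        "objectclass": ["user"], "samaccountname": ["jdoe"]},
    "CN=Administrator,CN=Users,DC=citrix,DC=local": {
        "objectclass": ["user"], "samaccountname": ["Administrator"]},
}

if __name__ == "__main__":
    for typed in ("jdoe", "JDOE", "*", "j*"):
        flt = build_user_filter("sAMAccountName", typed, "(objectClass=user)")
        print(typed, "->", flt, "->", search(DIRECTORY, flt))
    print("raw wildcard ->", search(DIRECTORY, "(sAMAccountName=*)"))
```

Whatever product does the search, the property to verify is the same: the logon name typed on the logon page must reach the directory as a literal value, never as filter syntax, otherwise a name such as * makes the search return the first matching account rather than the user's own.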

To allow users to change their passwords on the appliance


When you configure an LDAP authentication profile in Access Gateway, you can give
users the option to change their passwords. Users who log on to Active Directory or
Novell eDirectory can change their passwords.
If you configure Access Gateway to use an unsecured connection, the password change
might fail. If you are using Active Directory, you must secure the connection using
Secure Sockets Layer (SSL), because Active Directory refuses password changes over an
unencrypted LDAP connection.
To allow users to change their password when you have LDAP configured through Active
Directory, you must do the following tasks:
• Configure port 636 for secure LDAP authentication.
• Install on Access Gateway the root certificate (and any intermediate certificates)
  of the Certificate Authority that signed the LDAP server's certificate, so that
  Access Gateway can validate the secure LDAP connection.
If you associate a logon point with an LDAP authentication profile for Active Directory
or Novell eDirectory over a secure connection, users can change their passwords from
the logon page. If users then log on to Active Directory or Novell eDirectory, they might
receive a prompt to change their password.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. In the right pane, in Authentication Profiles, select an LDAP authentication
profile, and then click Edit.
4. Under General Properties, click Allow users to change password and in Friendly
name, type the name of the LDAP authentication profile. This field is for display
purposes only.
The friendly name describes the LDAP authentication profile in a link on the page
where users change their password. Users change their password by clicking the
link Click to change your password <friendly name>.
5. In Single sign-on domain, type the domain name to use when users do not specify
a domain name when logging on.

Determining Attributes in Your LDAP Directory


If you need help determining your LDAP directory attributes so you can configure
authentication settings on Access Gateway, you can easily look them up with the free
LDAP browser from Softerra.
You can download the LDAP browser from the Softerra LDAP Administrator Web site.
After you install the browser, set the following attributes:
• The host name or IP address of your LDAP server.
• The port of your LDAP server. The default is 389.
• The base DN field, which you can leave blank. The information provided by the
  LDAP browser can help you determine the base DN that you need to configure this
  setting on Access Gateway.
• The Anonymous Bind check box, which determines whether the LDAP server requires
  user credentials to connect to it. If the LDAP server requires credentials, leave
  the check box cleared.
After completing the settings, the LDAP browser displays the profile name in the left
pane and connects to the LDAP server.
Creating RADIUS Authentication Profiles on the Access Gateway Appliance
You can configure Access Gateway to authenticate user access with one or more RADIUS
servers.
For each RADIUS profile that you use for authentication, you can configure up to three
RADIUS servers. If the primary RADIUS server is unavailable, Access Gateway attempts
to authenticate against the other RADIUS servers for that profile.
If you are using Gemalto Protiva or SafeWord servers for authentication, you configure
these servers using RADIUS.
Configuring Gemalto Protiva
Protiva is a strong authentication platform that Gemalto developed to use the strengths
of Gemalto's smart card authentication. With Protiva, users log on with a user name,
password, and a one-time password that the Protiva device generates. Similar to RSA
SecurID, the authentication request is sent to the Protiva authentication server and the
server either validates or rejects the password. To configure Gemalto Protiva to work
with Access Gateway, use the following guidelines:
• Install the Protiva server.
• Install the Protiva SAS Agent software, which extends the Internet Authentication
  Server (IAS), on a Microsoft IAS RADIUS server. Make sure you note the IP address
  and port number of the IAS server.
• Configure a RADIUS authentication profile on Access Gateway and enter the settings
  of the Protiva server.
Configuring SafeWord
The SafeWord product line provides secure authentication using a token-based
passcode. After the user enters the passcode, SafeWord immediately invalidates the
passcode and it cannot be used again. When you configure the SafeWord server, you
need the following information:
• The IP address of Access Gateway. This should be the same IP address that you
  configured in the RADIUS server client configuration. Access Gateway uses the
  internal IP address to communicate with the RADIUS server. When you configure the
  shared secret, use the internal IP address. If you configure two appliances for
  appliance failover, use the virtual internal IP address.
• A shared secret.
• The IP address and port of the SafeWord server. The default port number is 1812.

Configuring RADIUS for Authentication on Windows Server 2008


On Windows Server 2008, you configure RADIUS authentication and authorization using
the Network Policy Server (NPS), which replaces Internet Authentication Service (IAS).
You can use Server Manager and add NPS as a role to install NPS.
When you install NPS, select the Network Policy Service. After installation, you can
configure RADIUS settings for your network by starting the NPS from Administrative
Services on the Start menu.
When you open the NPS, you add Access Gateway as a RADIUS client and then configure
server groups.
When you configure the RADIUS client, make sure you select the following settings:
• For the vendor name, select RADIUS Standard.
• Make note of the shared secret because you will need to configure the same shared
  secret on Access Gateway.
For the RADIUS groups, you need the IP address or host name of the RADIUS server. Do
not change the default settings.
After you configure the RADIUS client and groups, you then configure settings in the
following two policies:
• Connection Request Policies, where you configure the settings for the Access
  Gateway connection, including the type of network server, the conditions for the
  network policy, and the settings for the policy.
• Network Policies, where you configure the authentication methods (such as CHAP
  and PAP) and the vendor-specific attributes.
When you configure the connection request policy, select Unspecified for the type of
network server. You then configure your condition by selecting NAS Port Type as the
condition and Virtual (VPN) as the value.
When you configure a network policy, you need to configure the following settings:
• Select Remote Access Server (VPN Dial-up) as the type of network access server.
• Under the authentication methods, select Encrypted Authentication (CHAP) and
  Unencrypted Authentication (PAP and SPAP). Requests from Access Gateway rely on
  PAP (see the note under Adding RADIUS Authorization on the Access Gateway
  Appliance); because PAP hides the password with nothing but the shared secret,
  use a strong secret and keep the RADIUS traffic inside the secure network.
• Select RADIUS Standard for the Vendor-Specific Attribute.
  The default attribute number is 26. This attribute is used for RADIUS
  authorization. Access Gateway needs the vendor-specific attribute to match the
  users defined in the group on the server with those on Access Gateway. This is
  done by sending the vendor-specific attributes to Access Gateway.
• Select String for the attribute format.
  The Attribute value requires the attribute name and the groups. For Access
  Gateway, the attribute value is CTXSUserGroups=groupname. If two groups are
  defined, such as sales and finance, the attribute value is
  CTXSUserGroups=sales;finance. Separate each group with a semicolon.
• On Access Gateway, set the separator to the character you used on the NPS to
  separate groups, such as a semicolon, a colon, a space, or a period.
When you are finished configuring the network policy in NPS, you can configure
RADIUS authentication and authorization on Access Gateway.

Configuring RADIUS Authentication on Windows Server 2003


On Windows Server 2003, you configure RADIUS authentication and authorization by
configuring a remote access security policy in Microsoft Internet Authentication Service
(IAS). When you configure Access Gateway, complete the fields as follows:
• Vendor ID is the vendor-specific code number that was entered in IAS.
• Type is the vendor-assigned attribute number.
• Attribute name is the type of attribute name that is defined in IAS. The default
  name is CTXSUserGroups=.
• Separator is defined if multiple user groups are included in the RADIUS
  configuration. A separator can be a space, a period, a semicolon, or a colon.
If IAS is not installed on the RADIUS server, you can install it from Add or Remove
Programs in Control Panel in Windows Server 2003. For more information, see Windows
online Help.
To configure IAS, use the Microsoft Management Console (MMC) and install the snap-in
for IAS. Follow the wizard, making sure you select the following settings:
• Select local computer.
• Select Remote Access Policies and create a custom policy.
• Select Windows-Groups for the policy.
• Select Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP and
  SPAP).
• Click to clear the MS-CHAP v2 and MS-CHAP check boxes.
• Select the Vendor-Specific Attribute.
  Access Gateway needs the Vendor-Specific Attribute to match the users defined in
  the group on the server with those on Access Gateway. To ensure that these values
  match, the Vendor-Specific Attributes are sent to Access Gateway. Make sure you
  select RADIUS Standard.
• Use the RADIUS default of 0 for the vendor code.
• Use the vendor-assigned attribute number of 0.
  This value is the assigned number for the User Group attribute. The attribute is
  in string format.
• Select String for the Attribute format.
  The Attribute value requires the attribute name and the groups. For Access
  Gateway, the attribute value is CTXSUserGroups=groupname. If two groups are
  defined, such as sales and finance, the attribute value is
  CTXSUserGroups=sales;finance. Separate each group with a semicolon.
• Remove all other entries in the Edit Dial-in Profile dialog box, leaving only the
  Vendor-Specific entry.
When you are finished configuring the remote access policy in IAS, you can configure
RADIUS authentication and authorization on Access Gateway.
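The two preceding sections, for NPS on Windows Server 2008 and IAS on Windows Server 2003, both end with the same outcome on the wire: Access Gateway sends a RADIUS Access-Request with the user's password hidden as RFC 2865 PAP, and the server replies with an Access-Accept carrying the CTXSUserGroups vendor-specific attribute. The following Python example, added here and not taken from the guide or from Citrix or Microsoft code, builds both sides of that exchange with the standard library only: PAP hiding and unhiding with the shared secret, the Response Authenticator check the client must perform, and extraction of the group list using the Attribute name and Separator settings. The shared secret, the user account, and the Vendor-Id and vendor-type values (0, mirroring the IAS settings on this page; how NPS actually serializes a RADIUS Standard VSA is not stated here) are assumptions. It also shows why verifying the Response Authenticator matters: a forged Access-Accept that adds a group parses cleanly but fails the check.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_PORT_TYPE = 1, 2, 26, 61
NAS_PORT_TYPE_VIRTUAL = 5       # RFC 2865 value for "Virtual", the NPS condition above
VENDOR_ID, VENDOR_TYPE = 0, 0   # mirrors the IAS "RADIUS Standard" values on this page (assumption)
SECRET = b"s3cr3t-Sh4red!"      # constructed; the page asks for 8+ mixed characters
USERS = {"jdoe": ("Winter2011!", ["sales", "finance"])}   # constructed sample account


def attr(kind, data):
    return struct.pack("!BB", kind, len(data) + 2) + data


def parse_attrs(body):
    out = []
    while body:
        kind, length = body[0], body[1]
        out.append((kind, body[2:length]))
        body = body[length:]
    return out


def pap_crypt(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XOR-ed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = block if encrypt else chunk
    return out


def vsa(vendor_id, vendor_type, text):
    """Vendor-Specific attribute in the RFC 2865 5.26 sub-attribute layout."""
    sub = struct.pack("!BB", vendor_type, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def access_request(ident, user, password, secret):
    """Client (Access Gateway) side: build the request; return it with its authenticator."""
    ra = os.urandom(16)
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, pap_crypt(pw, secret, ra, encrypt=True))
            + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def radius_server(request, secret=SECRET, separator=";"):
    """Server (NPS/IAS) side: check the PAP password, answer with the group VSA."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    fields = dict(parse_attrs(request[20:length]))
    password = pap_crypt(fields[USER_PASSWORD], secret, req_auth, encrypt=False)
    known = USERS.get(fields[USER_NAME].decode())
    ok = known is not None and hmac.compare_digest(known[0].encode(), password.rstrip(b"\0"))
    body = vsa(VENDOR_ID, VENDOR_TYPE, "CTXSUserGroups=" + separator.join(known[1])) if ok else b""
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def verify_response(resp, req_auth, secret):
    """Client side: discard any reply whose authenticator was not made with the secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def extract_groups(resp, attribute_name="CTXSUserGroups", separator=";"):
    """Client side: apply the profile's Attribute name and Separator settings."""
    groups = []
    for kind, data in parse_attrs(resp[20:]):
        if kind != VENDOR_SPECIFIC:
            continue
        text = data[6:].decode()    # skip Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1)
        if text.startswith(attribute_name + "="):
            groups += [g for g in text[len(attribute_name) + 1:].split(separator) if g]
    return groups


def run_exchange():
    req, ra = access_request(7, "jdoe", "Winter2011!", SECRET)
    resp = radius_server(req)
    bad_resp = radius_server(access_request(8, "jdoe", "wrong", SECRET)[0])
    # On-path forgery: original header and authenticator, a different group list.
    forged = resp[:20] + vsa(VENDOR_ID, VENDOR_TYPE, "CTXSUserGroups=admins")
    return {"code": resp[0], "verified": verify_response(resp, ra, SECRET),
            "groups": extract_groups(resp), "rejected_code": bad_resp[0],
            "forged_verified": verify_response(forged, ra, SECRET),
            "forged_groups": extract_groups(forged)}


if __name__ == "__main__":
    print(run_exchange())
```

Two things in the exchange deserve attention when you review a deployment: the PAP hiding is a keystream derived from MD5 over the shared secret, so the secret's strength is the only protection the password has on the RADIUS hop, and the group list that drives authorization is just a string inside an attribute, so the Response Authenticator check is what stops an attacker on that hop from granting themselves groups.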

To create a RADIUS authentication profile on the appliance


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. In the right panel, next to Add, click the down arrow, and then select RADIUS.
4. In the RADIUS Properties dialog box, under General Properties, in Profile name,
type a name for the profile.
5. Under RADIUS servers, under Servers List, click New.
6. In the Add RADIUS Server dialog box, in Server, type the IP address of the RADIUS
server.
7. In the Shared Secret and Confirm Secret fields, type the shared secret as it is
configured on the RADIUS server.
Important: Make sure you use a strong shared secret. A strong secret is one that
is at least eight characters and includes a combination of letters, numbers, and
symbols. The shared secret is all that protects user passwords in the RADIUS
traffic between Access Gateway and the RADIUS server.
8. In Port, type the port number and then click OK.
9. Repeat Steps 5 through 8 for each RADIUS server you want to add.
You can configure up to three RADIUS servers in a profile.

To change the priority of RADIUS servers


After you add RADIUS servers to the authentication profile, you can change the order
the servers are queried when users log on.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. On the Authentication Profiles panel, select a RADIUS authentication profile and
then click Edit.
4. In Servers list, select a RADIUS server.
5. Next to Move, click the up or down arrow to move the server in the list and then
click Update.

Creating RSA SecurID Authentication Profiles on the Access Gateway Appliance
If your site uses RSA ACE/Server or RSA Authentication Manager and RSA SecurID for
authentication, you can configure Access Gateway to authenticate user access with the
RSA server. Access Gateway acts as an RSA Agent Host, authenticating on behalf of the
users who use Citrix Access Gateway Plug-in to log on.
Access Gateway supports the following RSA servers:
• RSA ACE/Server Version 5.2 and higher
• RSA Authentication Manager Versions 6.1 and 7.1
Access Gateway also supports replication servers. Replication server configuration is
completed on the RSA server and is part of the sdconf.rec file that you upload to
Access Gateway. If replication server configuration is configured on the RSA server,
Access Gateway attempts to connect to the replication servers if the primary server
suffers a failure or network connection loss.
Note: If you are running a RADIUS server on an RSA server, configure RADIUS
authentication as described in Creating RADIUS Authentication Profiles on the Access
Gateway Appliance on page 150.
When creating the sdconf.rec file, use the following information as a guideline for the
settings:
Note: The following steps describe the required settings for Access Gateway. Your
site might have additional requirements. Refer to the RSA product documentation for
more information.
• Create an Agent Host.
• Configure Net OS Agent to identify Access Gateway and use the internal Access
  Gateway IP address for the network address.
  If you configure two Access Gateway appliances for appliance failover, use the
  internal virtual IP address.
• Create a descriptive name for Access Gateway, which is serving as the Agent Host
  for which you are creating the configuration file.
• The agent type is UNIX Agent.
• When you are creating the Agent Host, make sure that the Node Secret Created
  check box on the RSA server is cleared. The RSA server sends the Node Secret to
  Access Gateway the first time that the software authenticates a request from
  Access Gateway. After that, the Node Secret Created check box is selected. By
  clearing the check box and generating and uploading a new configuration file, you
  can force the RSA server to send a new Node Secret to Access Gateway.
• You can indicate which users can be authenticated through Access Gateway in the
  following ways:
  - Configure Access Gateway as an open Agent Host that is open to all locally known
    users.
  - Select the users to be authenticated by editing the Agent Host and selecting the
    users to be activated.
To contact the RSA server, Access Gateway must include a copy of the ACE Agent Host
sdconf.rec configuration file that the RSA server generates. After you have created the
settings on the RSA server, create the sdconf.rec file and upload the file to Access
Gateway. You can upload only one sdconf.rec file to Access Gateway.

For more information about configuring settings on the RSA server, see the
manufacturer's documentation.
Supporting User Connections
Access Gateway supports Next Token Mode. If a user enters an incorrect personal
identification number (PIN) and token code three times, the Access Gateway Plug-in
prompts the user to wait until the next token code is active before logging on. The
RSA server can be configured to disable a user's account if the user logs on too
many times with an incorrect password.
Access Gateway supports the option of allowing users to change their PIN. Users can
change their PIN in one of three ways:
• Users must accept a system-generated PIN.
• Users must create a new PIN.
• Users can choose to create a new PIN or accept a system-generated PIN.
When users change their PIN, they must log on again to Access Gateway.

To create an RSA SecurID authentication profile on the appliance


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. In the right panel, next to Add, click the down arrow and select RSA SecurID.
4. In the RSA SecurID Configuration dialog box, under General Properties, in Name,
type a name for the profile.
5. To upload the sdconf.rec file, under Configuration File, click Browse, navigate to
the file, click Open, and then click Save.
Note: The sdconf.rec file is typically written to ace\data\config_files and to windows
\system32.
The first time that a user is successfully authenticated, the RSA server writes
configuration files to Access Gateway. If you subsequently change the IP address of
Access Gateway, you need to remove the RSA authentication profile and then create a
new profile. You must upload the sdconf.rec file again.

Adding the RSA Settings File for Multiple Appliances


If you have two or more Access Gateway appliances in your network, the sdconf.rec file
needs to contain the fully qualified domain name (FQDN) for each appliance. You need
to install the same sdconf.rec file on each Access Gateway appliance. Including the
FQDN for each appliance allows all of the appliances to connect to the RSA server.
You can also use the sdconf.rec file to limit which appliances can reach the RSA
server. For example, if you have three appliances in your network and the sdconf.rec
file contains the FQDNs of the first and second appliances but not the FQDN of the
third, users can authenticate with the RSA server only through the first two
appliances.

Resetting the Node Secret


If you reimaged Access Gateway, giving it the same IP address as before, and restored
your configuration, you must also reset the Node Secret on the RSA server. Because
Access Gateway was reimaged, the Node Secret no longer resides on the appliance and
an attempt to authenticate with the RSA server fails.
After you reset the Node Secret on the RSA server, the next authentication attempt
prompts the RSA server to send a new Node Secret to Access Gateway.

Adding Authorization to the Authentication Profile on the Access Gateway Appliance
You configure authorization to specify the resources users are allowed to access in the
secure network. Access Gateway supports the following authorization types:
• No authorization
• LDAP authorization
• RADIUS authorization
You configure LDAP and RADIUS authorization within the authentication profile.
You can always choose LDAP as an authorization type. You can choose RADIUS
authorization, however, only when the same profile is also used for authentication. The
following table shows the available authorization profiles for various combinations of
primary and secondary authentication profiles.

Secondary authentication   Primary authentication profile
profile                    LDAP                 RADIUS               RSA SecurID
LDAP                       LDAP, None           LDAP, RADIUS, None   LDAP, None
RADIUS                     LDAP, RADIUS, None   LDAP, RADIUS, None   LDAP, RADIUS, None
RSA SecurID                LDAP, None           LDAP, RADIUS, None   LDAP, None
None                       LDAP, None           LDAP, RADIUS, None   LDAP, None

Adding LDAP Authorization on the Appliance


You can choose to configure LDAP authorization with LDAP authentication. You can also
use LDAP authorization with RADIUS or RSA authentication. It is also possible to
configure authentication without authorization.
If you are using double-source authentication in which users log on using two
authentication profiles, Access Gateway uses the credentials associated with the
primary authentication method for authorization.
LDAP authorization requires that the group names configured on Access Gateway match
the group names in the LDAP directory, such as Active Directory. The group name
comparison is case insensitive.
When you configure LDAP authorization and users log on, Access Gateway searches the
LDAP server for the groups to which the users belong.
The following table contains examples of LDAP group attributes:

LDAP server                                                  Group attribute
Microsoft Active Directory server                            memberOf
Novell eDirectory                                            groupMembership
IBM Tivoli Directory Server (formerly IBM Directory Server)  ibm-allGroups
Sun ONE directory (formerly iPlanet)                         nsRole

Searching the LDAP Directory


When you configure an LDAP authentication profile with LDAP authorization, you can
select how you want to search the LDAP directory. You can search the entire directory
or you can start the search from a specific location within the directory.
If you want to search the entire directory, you need to set the following parameters:
• Base DN
• User member attribute name
• Group member attribute name
You can also select to search the LDAP directory using the base DN as your starting
point. For example, you can start the search using the group container
ou=groups,cn=citrix,cn=com. If User1 belongs to the Engineering group, the
search is based on the member attribute of the Engineering group.
Nested groups are included in the search. If User2 belongs to the Engineering group,
and Engineering has two subgroups, such as Quality Assurance and Test, Access Gateway
evaluates User2 against all three groups.
If you want to search from a specific point in the directory, you need to set the group
member attribute name.
You can use a search filter to narrow the search for group members. An example of the
search filter is (objectClass=group). This parameter is optional.

To configure LDAP authorization on the appliance


When you configure LDAP settings on Access Gateway, the authorization properties
appear automatically when you select the server type, such as Active Directory or
Novell eDirectory. If you have custom settings, you can change the authorization
properties.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. Select an LDAP server from the list, and then click Edit.
4. Under Authorization Properties, change the settings as appropriate for your LDAP
server, and then click Save.
The User member attribute and Group member fields populate automatically
depending on the type of LDAP server you selected in Server type.
The Group member field enables Access Gateway to obtain the groups associated with a
user during authorization.
The Search scope drop-down list allows Access Gateway to search the entire LDAP
directory or search from a specific point in the directory.
The Search time-out box is the length of time Access Gateway searches for users or
groups when users log on. The maximum value is four minutes. The default value is 30
seconds.

How LDAP Group Extraction Works from the User Object Directly
LDAP servers that expose a user's group memberships on the user object work with
Access Gateway authorization.
Some LDAP servers store on the user object the list of groups to which the user
belongs, such as Active Directory (by using the memberOf attribute) or Novell
eDirectory (by using the groupMembership attribute). Others compute the user's group
membership as an attribute of the user object, such as IBM Directory Server (by using
ibm-allGroups) or Sun ONE directory server (by using nsRole). Both of these types of
LDAP servers work with Access Gateway group extraction.
For example, in IBM Directory Server, all group memberships, including static,
dynamic, and nested groups, can be returned through the ibm-allGroups attribute. In
Sun ONE, all roles, including managed, filtered, and nested roles, are calculated
through the nsRole attribute.

How LDAP Group Extraction Works from the Group Object Indirectly
LDAP servers that evaluate group memberships from group objects indirectly will not
work with Access Gateway authorization.
Some LDAP servers, such as Lotus Domino, enable group objects only to contain
information about users. These LDAP servers do not enable the user object to contain
information about groups and thus will not work with Access Gateway group extraction.
For this type of LDAP server, group membership searches are performed by locating the
user in the member list of groups.
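To make the direct and indirect extraction models concrete, the following added Python example (mine, not code from the guide or from Citrix) walks a small constructed directory that follows the Engineering, Quality Assurance and Test example from Searching the LDAP Directory, using standard nesting semantics in which a member of a subgroup also counts as a member of the containing group. groups_from_user_object reads the user's membership attribute (memberOf, groupMembership, ibm-allGroups or nsRole) and optionally follows it through nested groups; groups_from_group_objects does the member-list search that Lotus Domino style directories require, restricted to the base DN and the (objectClass=group) filter; allowed_groups performs the case-insensitive match against the names configured on Access Gateway. All DNs and entries are constructed sample data.

```python
# Constructed sample directory (not real data): attribute names lower-cased, list values.
USER1 = "cn=User1,ou=people,dc=citrix,dc=com"
USER2 = "cn=User2,ou=people,dc=citrix,dc=com"
ENG = "cn=Engineering,ou=groups,dc=citrix,dc=com"
QA = "cn=Quality Assurance,ou=groups,dc=citrix,dc=com"
TEST = "cn=Test,ou=groups,dc=citrix,dc=com"
CONTRACTORS = "cn=Contractors,ou=external,dc=citrix,dc=com"

DIRECTORY = {
    USER1: {"objectclass": ["person"], "memberof": [ENG, CONTRACTORS]},
    USER2: {"objectclass": ["person"], "memberof": [QA]},
    ENG: {"objectclass": ["group"], "member": [USER1, QA, TEST]},
    QA: {"objectclass": ["group"], "member": [USER2], "memberof": [ENG]},
    TEST: {"objectclass": ["group"], "member": [], "memberof": [ENG]},
    CONTRACTORS: {"objectclass": ["group"], "member": [USER1]},
}


def cn_of(dn):
    """Value of the first RDN, which is the group name compared on Access Gateway."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _seen(dn, found):
    return dn.lower() in (f.lower() for f in found)


def _in_scope(dn, base_dn):
    return dn.lower() == base_dn.lower() or dn.lower().endswith("," + base_dn.lower())


def groups_from_user_object(directory, user_dn, user_attr="memberof", nested=True):
    """Direct extraction: read the membership attribute from the user entry
    (memberOf, groupMembership, ibm-allGroups, nsRole). With nested=True the same
    attribute is followed on each group entry, which ibm-allGroups and nsRole
    already do server-side and a plain memberOf read does not."""
    found, queue = [], list(directory[user_dn].get(user_attr, []))
    while queue:
        group = queue.pop(0)
        if _seen(group, found):
            continue                      # also breaks cycles in nested groups
        found.append(group)
        if nested:
            queue.extend(directory.get(group, {}).get(user_attr, []))
    return found


def groups_from_group_objects(directory, user_dn, base_dn, group_attr="member",
                              search_filter_class="group", nested=True):
    """Indirect extraction: scan group objects under base_dn (the search filter
    '(objectClass=group)' and the group member attribute from the text above)
    for the user's DN, then repeat with each found group as the member."""
    targets, found = [user_dn], []
    while targets:
        target = targets.pop(0)
        for dn, entry in directory.items():
            classes = [c.lower() for c in entry.get("objectclass", [])]
            if search_filter_class.lower() not in classes or not _in_scope(dn, base_dn):
                continue
            members = [m.lower() for m in entry.get(group_attr, [])]
            if target.lower() in members and not _seen(dn, found):
                found.append(dn)
                if nested:
                    targets.append(dn)
    return found


def allowed_groups(extracted_dns, configured_names):
    """Case-insensitive match of extracted group names against the names
    configured on Access Gateway; returns the configured spellings."""
    names = {cn_of(dn).lower() for dn in extracted_dns}
    return [name for name in configured_names if name.lower() in names]


if __name__ == "__main__":
    print(groups_from_user_object(DIRECTORY, USER2, nested=False))
    print(groups_from_user_object(DIRECTORY, USER2))
    print(groups_from_group_objects(DIRECTORY, USER1, "ou=groups,dc=citrix,dc=com"))
    print(groups_from_group_objects(DIRECTORY, USER1, "dc=citrix,dc=com"))
    print(allowed_groups([ENG, QA], ["engineering", "Finance"]))
```

Two checks fall out of running it that are worth repeating against a real directory: a plain memberOf read returns only Quality Assurance for User2 unless nested groups are followed, so a policy keyed on Engineering may silently exclude users of its subgroups; and narrowing the base DN to ou=groups hides the Contractors membership held elsewhere, which is exactly the Search scope choice the next procedure configures.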

Adding RADIUS Authorization on the Access Gateway Appliance


You can use the following authorization types with RADIUS authentication:
• RADIUS authorization
• LDAP authorization
• No authorization
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. In the right panel, select a RADIUS profile and click Edit.
4. Under Group Authorization, enter the values to correspond to those on the
RADIUS server.
For more information about authorization values, see the following topics:
Configuring RADIUS Authentication on Windows Server 2003 on page 152
Configuring RADIUS for Authentication on Windows Server 2008 on page 150
Note: If you are using Microsoft Internet Authentication Service (IAS) as a RADIUS
server and receive a bad user name or password error message when Access
Gateway sends a request to the configured RADIUS server, in IAS Remote Access
Policies, under the applied policy's properties on the Authentication tab, select
Unencrypted Authentication (PAP, SPAP).

Removing Authentication Profiles from Access Gateway


If you are retiring an authentication server or removing a domain server, you can
remove the authentication profile from Access Gateway.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Authentication Profiles.
3. Select the authentication profile, and then click Remove.

Creating Device Profiles


Device profiles in Access Gateway allow you to create a profile that validates a user
device against a set of criteria when a user logs on to the network. Before the user is
allowed access to the network, the device must meet the criteria that you set up in the
device profile. You define device profiles to represent the variety of endpoint devices
with which users may access internal resources.
For example, the administrator at ACME corporation might define a device profile
named Company-owned Vista laptop, which matches Windows Vista-based computers
that include a watermark value in the Windows registry. If the user device matches
those criteria, the user is allowed to log on to the network.
You can use device profiles in a logon point. You can make the display of the logon
page conditional by requiring that user devices pass endpoint analysis scans (using
device profiles) before displaying the page. This is called logon point visibility.
Device profiles are used in SmartGroups. Each SmartGroup can contain none, one, or
more device profiles. Access Gateway uses the device profile information that you
configure to determine user access permissions for the configured SmartGroups.
In this section, you will find information about the different types of scans and profiles
you can create in the Access Gateway Management Console. The section also includes
information about creating scan expressions and building device profiles.

Types of Device Profiles


Device profiles check a user device against a set of criteria when a user logs on to the
network. Before the user is allowed to access the network, the device must meet the
criteria that you set up in the device profile.
You can create the following types of device profiles:
w File scan. Detects whether or not a particular file is present on a user device.
w Process scan. Detects whether or not a process is running on the user device.
w Registry scan. Detects information in the registry, such as the presence of a registry
key or registry value, on the user device.



w Operating system scan. Checks for information about the operating system, such as
name, version, and service pack, on the user device.
w Ports scan. Detects port information, such as whether or not a user device is
listening on a particular port.

Adding a File Scan


A file scan detects whether or not a particular file is present on a user device.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Device Profiles.
3. In the Device Profiles panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Add or Modify Scan, set the following options.
In Scan type, select File.
In File name, type the full path to and the name of the file you want to search
for on a user device.
In Hash type, select one of the following cryptographic hash functions:
w None. When specified, no hash is calculated.
w MD5. The MD5 cryptographic hash function is commonly used in security
applications to check the integrity of files.
w SHA-1. This Secure Hash Algorithm cryptographic hash function is used in
several widely used security applications and protocols.
w SHA-256. This Secure Hash Algorithm cryptographic hash function is a
member of the SHA-2 family of hash functions and uses 32-bit words.
In Hash value, click New to type a value that indicates the required set of file
hashes.
Select the Expand Environment check box if Windows Environment Variables
are used in the full file path.
In Version, select the operator to use to compare file versions.
In Scan name, enter a friendly name for the file scan.
Click Add Scan to add the scan to the scan expression.
7. When you finish entering the information for the file scan, click Save.

Adding a Process Scan


A process scan detects whether or not a process is running on the user device.
1. In the Access Gateway Management Console, click Management.



2. Under Access Control, click Device Profiles.
3. In the Device Profile panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Add or Modify Scan, set the following options.
In Scan type, select Process.
In Process, type the name of the process you want to search for on a user device.
In Hash type, select one of the following cryptographic hash functions:
w None. When specified, no hash is calculated.
w MD5. The MD5 cryptographic hash function is commonly used in security
applications to check the integrity of files.
w SHA-1. This Secure Hash Algorithm cryptographic hash function is used in
several widely used security applications and protocols.
w SHA-256. This Secure Hash Algorithm cryptographic hash function is a
member of the SHA-2 family of hash functions and uses 32-bit words.
In Hash value, click New to type a value that indicates the required set of file
hashes.
Select the Expand Environment check box if Windows Environment Variables
are used in the full file path.
In Version, select the operator to use to compare file versions.
In Scan name, enter a friendly name for the process scan.
Click Add Scan to add the scan to the scan expression.
7. When you finish entering the information for the process scan, click Save.

Adding a Registry Scan


A registry scan detects information in the registry, such as the presence of a registry
key or registry value, on the user device.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Device Profiles.
3. In the Device Profile panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Add or Modify Scan, set the following options.
In Scan type, select Registry.
In Registry key, enter the name of the registry key you want the scan to detect.


In Value name, enter the name of the registry value you want the scan to detect.
In Value data, select the type of registry value to scan for.
In Type, select the area of the registry to search, 32-bit, 64-bit, or Any.
Note: You can scan the 32-bit registry on a 64-bit user device.
In Value, select the operator to use to compare or detect registry values.
In Scan name, enter a friendly name for the registry scan.
Click Add Scan to add the scan to the scan expression.
7. When you finish entering the information for the registry scan, click Save.

Adding an Operating System Scan


Operating system scans check for information such as name, version, and service pack
on the user device.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Device Profiles.
3. In the Device Profile panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Add or Modify Scan, set the following options.
In Scan type, select Operating System.
In Operating system, select the name of the operating system you want the
scan to detect.
In Version, enter the version number of the operating system you want to scan
for.
In Service pack, select the service pack release you want to scan for, or select
None or Any.
In Redirection, select the bit type of the operating system you want to scan
for, 32-bit, 64-bit, or Any.
In Scan name, enter a friendly name for the operating system scan.
Click Add Scan to add the scan to the scan expression.
7. When you finish entering the information for the operating system scan, click Save.

Adding a Ports Scan


A ports scan detects disallowed ports. For example, if you don't want user devices
listening on port 80, you can disallow that port. Then, if the user device is listening on
port 80, the device fails the scan. You can disallow any port using a device profile.



1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Device Profiles.
3. In the Device Profile panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Add or Modify Scan, set the following options.
In Scan type, select Ports.
In Service ports, enter port numbers, a port range, or a combination of both,
separated by commas.
Note: For listening ports, the port numbers refer to local ports. Otherwise, the
port numbers refer to remote ports.
In Disallow protocols, select the protocol that, if detected with the specified
ports on the user device, will cause the scan to fail: TCP, UDP, or ANY.
Optionally, in Scan name, enter a friendly name for the ports scan.
Click Add Scan to add the scan to the scan expression.
7. When you finish entering the information for the ports scan, click Save.

Creating a Scan Expression


A device profile can consist of a single scan or you can create detailed device profiles
that tie two or more scans together using AND and OR operators. For example, you can
create a device profile that is a combination of scans to detect if the user device is
running Windows XP Service Pack 3 and if Notepad is running on the device.

To create a scan expression


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Device Profiles.
3. In the Device Profile panel, click New.
4. In Profile name, enter a name for the device profile.
5. In Description, enter a description for the device profile.
6. Under Scan Expression, select the name of the device profile you entered in Step
4 and then click AND.
7. Under Add or Modify Scan, set the following options.
In Scan type, select Operating System.
In Operating system, select Windows XP.
In Service pack, select Service Pack 3.



In Redirection, select Any.
Optionally, in Scan name, enter a friendly name for the operating system scan.
Click Add Scan to add the scan to the scan expression.
8. Under Scan Expression, select AND.
9. Under Add or Modify Scan, set the following options.
In Scan type, select File.
In File name, type notepad.exe.
Optionally, in Scan name, enter a friendly name for the file scan.
Click Add Scan to add the scan to the scan expression.
10. When you select the name of the scan under Scan Expression, the complete scan
expression appears in the Sentence box:
( ( scan for OS AND scan for notepad ) )
11. Click Save.
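The scan types and the AND/OR scan expression described in this section, as an added example that is not Citrix code: a Python model of file, operating system and ports scans evaluated against a constructed set of device facts. The file scan hashes a real (constructed) temporary file with the console's MD5, SHA-1 or SHA-256 choices; the DEVICE dictionary, the class names and the function names are assumptions for illustration, not the appliance's own implementation.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional, Set

# Facts the endpoint analysis plug-in would report about the user device.
# Constructed sample data, not read from a real machine.
DEVICE = {
    "os": {"name": "Windows XP", "service_pack": "Service Pack 3", "bits": 32},
    "listening": {("TCP", 3389), ("UDP", 137)},   # (protocol, local port)
}

def make_sample_file(content: bytes) -> str:
    """Write a constructed file standing in for a required binary; returns its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(content)
        return f.name

def file_digest(path: str, hash_type: str) -> str:
    """Hex digest of a file with md5, sha1 or sha256 (the console's Hash type choices)."""
    h = hashlib.new(hash_type)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class FileScan:
    name: str                          # Scan name
    path: str                          # File name: full path to the file
    hash_type: Optional[str] = None    # Hash type: None, "md5", "sha1" or "sha256"
    hashes: Set[str] = field(default_factory=set)   # Hash value: required set of hashes
    expand_env: bool = False           # Expand Environment check box

    def check(self, device) -> bool:
        path = os.path.expandvars(self.path) if self.expand_env else self.path
        if not os.path.isfile(path):
            return False
        if self.hash_type is None:     # no hash configured: presence alone passes
            return True
        return file_digest(path, self.hash_type) in self.hashes

@dataclass
class OSScan:
    name: str
    os_name: str                       # Operating system
    service_pack: str = "Any"          # Service pack: a release, "None" or "Any"
    bits: str = "Any"                  # Redirection: "32-bit", "64-bit" or "Any"

    def check(self, device) -> bool:
        os_ = device["os"]
        if os_["name"] != self.os_name:
            return False
        if self.service_pack not in ("Any", os_["service_pack"]):
            return False
        return self.bits in ("Any", f"{os_['bits']}-bit")

@dataclass
class PortsScan:
    name: str
    ports: Set[int]                    # Service ports: disallowed local ports
    protocol: str = "ANY"              # Disallow protocols: TCP, UDP or ANY

    def check(self, device) -> bool:
        # The scan fails if the device listens on any disallowed port/protocol.
        for proto, port in device["listening"]:
            if port in self.ports and self.protocol in ("ANY", proto):
                return False
        return True

def parse_ports(spec: str) -> Set[int]:
    """Service ports field: '80, 443, 135-139' -> {80, 443, 135, 136, 137, 138, 139}."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def evaluate(expr, device) -> bool:
    """expr is a scan object or a tuple (op, left, right) with op "AND" or "OR"."""
    if isinstance(expr, tuple):
        op, left, right = expr
        l, r = evaluate(left, device), evaluate(right, device)
        return (l and r) if op == "AND" else (l or r)
    return expr.check(device)

def profile_sentence(expr) -> str:
    """Render the expression the way the console's Sentence box shows it."""
    def render(e):
        if isinstance(e, tuple):
            op, left, right = e
            return f"( {render(left)} {op} {render(right)} )"
        return e.name
    return f"( {render(expr)} )"
```

A hash-pinned file scan is what makes the profile resist a renamed or replaced binary; a file scan with Hash type None only proves the path exists.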

Building a Device Profile


When you define a device profile, you specify attributes that must be present on the
user device in order to fit the profile. You define scans from a set of scan templates
and then add one or more scans to the device profile definition. You can then use the
device profile in logon points for visibility and in SmartGroups.
The steps to define a device profile are as follows:
1. Define an endpoint scan.
The scan checks specific aspects of a user device, including a file, process, registry
value, operating system, service pack, and antivirus software. After you define the
endpoint scan, the endpoint scan can be used across multiple device profiles.
2. Define a new device profile.
The device profile can include one or more scans.
Note: You can use a device profile in a logon point and a SmartGroup. When the
device profile is part of a logon point, the user device must meet the criteria before
the user can log on. When the device profile is part of a SmartGroup, the user
device must pass the endpoint analysis scan to become a member of the
SmartGroup.
3. Add the device profile as a criterion to gain membership in a SmartGroup.
For information about SmartGroups, see Adding SmartGroups on page 175.

Defining Network Resources on the Appliance


Users connect to internal resources using network access through Access Gateway. You
can grant or deny access to any subnet on your network. For example, you can give a


user access to one or more file shares on your network, or give the user complete
access to all the resources on the network, including Web applications, servers, and
e-mail servers.
You create network resources in the Access Gateway Management Console, and then
you allow or deny access to the network resource using SmartGroups.
For more information about adding network resources to SmartGroups, see Adding
Network Resources to a SmartGroup on page 179.

Configuring Network Routing


To provide access to internal network resources, Access Gateway must be capable of
routing data to internal networks.
The Access Gateway routing table, the default gateway, and static routes specified for
Access Gateway determine the networks to which Access Gateway can route data. The
Access Gateway routing table must contain the routes necessary to route data to any
internal network resource that a user may need to access.
When Access Gateway receives a packet, it checks the routing table. If the destination
address of the packet is within a network for which a route exists in the routing table,
the packet is routed to that network.
If Access Gateway receives a packet and the routing table does not contain a route for
the destination address of the packet, Access Gateway sends the packet to the default
gateway. The routing capabilities of the default gateway then determine how the
packet is routed.

Providing Network Access to Users


A network resource allows you to control permissions to the network. After you create
a network resource, you can manage the network resource in SmartGroups to grant or
deny access to users. The network resources that you allow users to access must reside
in a network to which Access Gateway can route data.
With Access Gateway, you can take a granular approach to providing access to network
resources for the users.
You control user access to network resources by creating a network resource. A
network resource includes one or more network locations. Generally, a network
resource is a subset of all of the network resources to which Access Gateway can route
data. For example, a network resource might provide access to a single application, a
subset of applications, a range of IP addresses, or an entire intranet. What you include
in a network resource depends largely on the different access requirements of your
users. You might want to provide some users with access to many resources and other
users with access to smaller subsets of resources.
You can change the default operation so that SmartGroups are denied network access
unless they are specifically allowed access to one or more network resources.

Network Resources Topology


When users log on, their credentials are sent to the authentication server and
validated. After authentication is verified, Access Gateway checks network resources


for the IP addresses in the secure network that users can access. Users can then
navigate to files shares, Web applications, and other servers as if they are in the office.
Network resources are associated with SmartGroups to form resource access control
policies. The following illustration shows the network topology when users connect
using the Access Gateway Plug-in.
Figure 9-6. Network topology for network resource groups and authentication

Suppose that you want to provide a user with secure access to the following subnets on
your network:
w The 10.10.x.x subnet
w The 10.20.10.x subnet
w The IP addresses of 10.50.0.60 and 10.60.0.10
To provide that access, you create a network resource profile by specifying the
following IP address/subnet pairs:
10.10.0.0/255.255.0.0
10.20.10.0/255.255.255.0
10.50.0.60/255.255.255.255
10.60.0.10/255.255.255.255
You can specify the mask in Classless Inter-Domain Routing (CIDR) notation. For
example, you could specify 10.60.0.10/32 for the last entry.
The following tips describe ways to achieve more granular control when creating
network resource groups:
w You can further restrict access by specifying a port, a port range, and protocol for
an IP address/subnet pair. For example, you might specify that a network resource
can use only port 80 and the TCP protocol.


w When you configure network resources for a SmartGroup, you can allow or deny
access to any network resource from within the SmartGroup. This enables you to
exclude a portion of an otherwise allowed resource. For example, you might want to
allow a user access to 10.20.10.0/24, but deny that user group access to
10.20.10.30. Deny rules take precedence over allow rules.
w If you have one or more user groups that should have access to all network
resources, create a network resource for 0.0.0.0/0.0.0.0 and allow the user groups
to access the network resource in the SmartGroup. For all other SmartGroups, you
will need to allow or deny user access to individual network resources as needed.
Note: If you configure a network resource using 0.0.0.0/0.0.0.0, split tunneling is
disabled since the user device intercepts outbound network traffic for all allowed
resources. In this instance, all network traffic is sent to Access Gateway, including
traffic to public Internet sites.
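The access rules in this section and the routing behaviour described under Configuring Network Routing, as an added example that is not Citrix code: network resources built from the address/mask pairs above (dotted mask or CIDR), a SmartGroup decision in which deny takes precedence over allow, the 0.0.0.0/0.0.0.0 split-tunneling check, and a routing-table lookup that falls back to the default gateway. The class and function names and the default-deny flag are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Network = ipaddress.IPv4Network

def parse_network(spec: str) -> Network:
    """Accept the console's address/mask pair (10.10.0.0/255.255.0.0) or CIDR (10.60.0.10/32)."""
    return ipaddress.IPv4Network(spec, strict=False)

@dataclass
class NetworkResource:
    name: str
    networks: List[Network]                              # Networks list entries
    protocols: Set[str] = field(default_factory=lambda: {"TCP", "UDP", "ICMP"})  # Enabled Protocols
    ports: Optional[Set[int]] = None                     # None means All; otherwise allowed ports

    def matches(self, addr: str, proto: str, port: int) -> bool:
        ip = ipaddress.ip_address(addr)
        if proto not in self.protocols:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return any(ip in net for net in self.networks)

    def disables_split_tunneling(self) -> bool:
        # A 0.0.0.0/0.0.0.0 resource makes the plug-in send all traffic to Access Gateway.
        return any(net.prefixlen == 0 for net in self.networks)

@dataclass
class SmartGroup:
    name: str
    allow: List[NetworkResource]
    deny: List[NetworkResource]
    default_deny: bool = True   # assumption: traffic matching no resource is denied

    def decide(self, addr: str, proto: str, port: int) -> str:
        # Deny rules take precedence over allow rules, so an excluded host inside an
        # allowed subnet is still blocked.
        if any(r.matches(addr, proto, port) for r in self.deny):
            return "deny"
        if any(r.matches(addr, proto, port) for r in self.allow):
            return "allow"
        return "deny" if self.default_deny else "allow"

def next_hop(addr: str, routes: Dict[Network, str], default_gateway: str) -> str:
    """Routing-table lookup: the most specific matching route wins; with no matching
    route the packet goes to the default gateway."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net.prefixlen, gw) for net, gw in routes.items() if ip in net]
    return max(candidates)[1] if candidates else default_gateway

def reachable(resource: NetworkResource, routes: Dict[Network, str]) -> List[Network]:
    """Networks in a resource covered by an explicit route; allowed resources must reside
    in a network to which Access Gateway can route data."""
    return [net for net in resource.networks if any(net.subnet_of(r) for r in routes)]
```

Networks a resource lists but `reachable` does not return would have to be covered by the default gateway, which is worth checking before the resource is allowed in a SmartGroup.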

To add a network resource


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Network Resources.
3. In the Network Resources panel, click New.
4. In the Network Resources Properties dialog box, in Name, type a name for the
network resource.
5. In Description, type a description for the network resource.
6. Under Enabled Protocols, select one or all of the listed protocols.
If you select Repeater, the Access Gateway works with Branch Repeater for TCP
optimization.
7. In Port or port range, do one of the following:
Click All to allow all ports.
-or-
Type the allowed port numbers.
8. Under Networks list, click New.
9. In the Add Network Resource dialog box, in IP address, type the IP address.
10. In Subnet mask, type the subnet mask and then click OK.
11. Repeat Steps 8 through 10 for each network resource and then click Save.
After you create your network resources, allow or deny the resource in the
SmartGroup. For more information, see Adding Network Resources to a SmartGroup on
page 179.


To remove a network resource


You can remove a network resource at any time using the Access Gateway Management
Console. Access Gateway automatically removes network resources from any associated
SmartGroup.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Network Resources.
3. In the Network Resources panel, select a network resource and then click
Remove.

Creating Logon Points on the Access Gateway Appliance


The logon point defines the logon page for users and specifies settings that are applied
to user sessions. When you configure logon points on the Access Gateway appliance,
these settings include the required authentication and authorization type, logon point
type, the client software to use, and the device profile settings.
To determine the logon points you will need, consider:
w The users who are accessing your deployment. For example, users in a particular
department may require their own logon point. Likewise, users with a specific
relationship to your organization, such as partners, may require their own logon point.
w The devices with which users access the logon point. For example, users who access
resources with small form factor devices, such as a PDA, may require a logon point
separate from the logon point that users access with computers.
w The policies you want to create that restrict access to resources based on the logon
point used. For example, users who authenticate from a specific logon point can
access resources that are unavailable when the users authenticate from a different
logon point.
Note: When you create a logon point, you can only use alphanumeric characters. You
cannot use special characters, such as ( "" & ! @ # $ %.

Logon Point Types and Settings


You can configure two types of logon points on Access Gateway: Basic and SmartAccess.
A basic logon point allows connections only from Citrix online plug-ins or Desktop
Receiver to published applications or desktops. A SmartAccess logon point allows for
full VPN connections using the Access Gateway Plug-in, clientless access to Web sites
and file shares, and endpoint analysis features. When users log on using the plug-in,
they can access all of the network resources that are allowed, including e-mail servers
and file shares.
Configuring Basic Logon Points
When you configure a basic logon point, Access Gateway automatically creates a
SmartGroup and assigns the logon point to the SmartGroup that works with the Web


Interface to display applications or desktops to users. When you create a basic logon
point, you provide the Web Interface URL.
When users log on to a basic logon point, the Platform license is used for the
connection. Users log on using either Citrix online plug-ins or Desktop Receiver.
You can configure the following settings for a basic logon point:
w Web address for the Web Interface
w Primary and secondary authentication type
w Single sign-on to Web applications
Configuring SmartAccess Logon Points
When you configure a SmartAccess logon point, all Access Gateway features are
available and you can control access using device profiles and SmartGroups.
You can configure the following settings for SmartAccess logon points:
w Primary and secondary authentication type
w Primary and secondary authorization
w Logon point visibility with device profiles
w Remediation message for users regarding endpoint analysis of the user device
w Time-out settings including user inactivity, session, and network inactivity
Time-out settings that you configure within the logon point override global time-out
settings. If you configure different time-out settings in a SmartGroup, the SmartGroup
time-out settings take precedence over logon point and global time-out settings.

Selecting the Authentication Type for Logon Points


Before you configure logon points, you need to configure authentication profiles on
Access Gateway. Then, when you configure logon points, you select the authentication
profiles to use for the logon point.
When you configure a basic logon point, you can choose the authentication profile or
you can choose to authenticate users by using the Web Interface. When you select
authentication on the Web Interface, all other settings on the logon point properties
page become unavailable.
If you choose to use the Web Interface for authentication, the Web Interface server
must be in the demilitarized zone (DMZ). If the Web Interface is installed in the secure
network, you must configure authentication on Access Gateway. For more information
about deploying the Web Interface with Access Gateway, see Integrating Access
Gateway with XenApp or XenDesktop on page 308.
For both basic and SmartAccess logon points, you can configure double-source
authentication in which users are required to enter two types of credentials. For
example, the user enters a user name, password, and then another type of password.
The secondary password can be a personal identification number (PIN) plus a code on a
token, such as the token provided by RSA SecurID.



If you configure a SmartAccess logon point, you can also select the authorization type
to use. If you are using double-source authentication, you can select two authorization
profiles.

Logging on to Access Gateway Through the Logon Point


After you configure the settings on Access Gateway, including authentication profiles,
logon points, SmartGroups, network resources, and device profiles, users can log on to
Access Gateway and work from anywhere, as if they are in the office. Users can log on
using a Web browser or they can use the Access Gateway Plug-in to log on.
Logging on Using a Web Browser
When you deploy a logon point, a logon point folder is created in a virtual directory
named CitrixLogonPoint. A URL pointing to the logon point folder can be used to access
the network. For example:
https://GatewayApplianceFQDN/lp/CitrixLogonPoint/LogonPointName/
where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of the Access
Gateway server on which you deployed the logon point and LogonPointName is the
name of the logon point.
For example, if the FQDN of the Access Gateway server is
companyserver.mydomain.com and the logon point is remote, the URL for logging
on is https://companyserver.mydomain.com/CitrixLogonPoint/lp/remote.
Alternatively, users can access the default logon point (if you set a default logon point
on Access Gateway) by navigating to the following URL:
https://GatewayApplianceFQDN/
where GatewayApplianceFQDN is the FQDN of the Access Gateway server on which you
deployed the logon point.

To configure a basic logon point on Access Gateway


Before you configure a basic logon point, make sure you install the Web Interface and
verify that it is communicating with the network. When you configure a basic logon
point, you must also configure at least one Secure Ticket Authority (STA) server and ICA
Access Control. For more information, see To configure the Access Gateway appliance
to use the Secure Ticket Authority on page 324.
When you configure a basic logon point, you can choose to authenticate users with
Access Gateway or the Web Interface.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, click New.
4. In the Logon Points Properties dialog box, in Name, type a unique name for the
logon point.
5. In Type, select Basic.



6. To use an authentication server in the secure network, under Authentication
Profiles, in Primary, select the authentication type for the logon point.
When users log on, they type the credentials for the selected authentication profile.
7. To authenticate using the Web Interface, click Authenticate with the Web
Interface, and in Web Interface, type the IP address or fully qualified domain
name (FQDN) of the Web Interface.
When users log on, they receive the Web Interface logon page where they enter
their user credentials.
Note: If users authenticate to the Web Interface, Citrix recommends installing the
Web Interface in the demilitarized zone (DMZ). This deployment enables
authentication to occur before users can access resources in the secure network.
8. Click Save.

To configure a SmartAccess logon point on Access Gateway


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, click New.
4. In the Logon Points Properties dialog box, in Name, type a name for the logon point.
5. In Type, select SmartAccess.
6. Under Authentication Profiles, in Primary, select the authentication type.
7. Under Authorization Profiles, select the authorization type if applicable and then
click Save.

To set the default logon point on Access Gateway


Default logon points enable users to log on to Access Gateway without specifying a
logon point. For example, users log on to Access Gateway using only the fully qualified
domain name (FQDN) of the appliance, such as https://AccessGatewayFQDN.
Otherwise, users need to include the name of the logon point to log on, such as
https://AccessGatewayFQDN/lp/logonpointName. You use the Access Gateway Management
Console to designate a logon point as the default. You can only designate one logon
point as the default at any time.
Note: If users attempt to access a nonexistent logon point and a default logon point is
not defined, users receive a message that a logon point is not available.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, select a logon point from the list and then click Set
Default.
To change the default logon point, select a different logon point and then click Set
Default.

To enable SmartAccess logon point visibility


The SmartAccess logon point sends the logon page to the user device Web browser,
allowing users to enter their credentials. You can make the display of the logon page
conditional by requiring that user devices pass endpoint analysis scans (using device
profiles) before displaying the page. This is called logon point visibility.
This feature adds security to your logon page. For example, you can create an endpoint
analysis scan that verifies that the user device is running your required level of
antivirus protection. User devices that are not running the required level of antivirus
protection might host a virus or sniffing program to record a user's keystrokes. Such
programs can record and steal credentials as users log on.
Before you configure the logon point, configure the device profiles you need. Then,
within the logon point, you can select the device profile in the Logon Point Properties
dialog box. If users do not meet the specified conditions, they receive an Access Denied
error when they attempt to connect to the logon page. Users also receive a
remediation message if you defined a message for the logon point. Users need to check
the device for the required file, process, operating system, registry entry, or disallowed
ports.
If you do not set any conditions in the Logon Point Visibility section of logon point
properties, the logon page is visible to any user who is allowed to browse to the Access
Gateway Web address.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, select a logon point and then click Edit.
4. Under Logon Visibility, select Control visibility and then select one or more
device profiles from the list.
5. In Match, select All or Any to control what the device profile searches for when
users log on.
If you select All, the user device must pass all of the scans.
If you select Any, the user must pass at least one scan.
6. Under User Remediation Message, select Show message and then type the
message you want users to see if the user device fails the endpoint analysis scan.
7. Click Update.

To configure double-source authentication and authorization


Access Gateway supports double-source authentication that requires users to use two
authentication types to log on. Access Gateway first checks the secondary
authentication type against the server. If authentication passes, Access Gateway then
checks the primary authentication type. For example, if you configured LDAP and RSA
SecurID profiles on the appliance, when users log on, they type their LDAP password in
the first password field and the RSA SecurID personal identification number (PIN) and
passcode in the second password field. When users click Log on, Access Gateway uses
the RSA SecurID PIN and passcode and then the LDAP password to authenticate users.


You configure double-source authentication when you create either Basic or
SmartAccess logon points. You can also change the authentication profile after creating
the logon point.
When you configure the logon point and double-source authentication, you can also
select a primary and secondary authorization type. LDAP authorization works with
LDAP, RADIUS, and RSA SecurID authentication. RADIUS authorization works only with
RADIUS authentication.
Configuring double-source authorization is optional for the logon points.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, select a logon point and then click Edit.
4. Under Authentication Profiles, in Primary, select an authentication profile.
5. In Secondary, select an authentication profile.
6. Under Authorization Profiles, in Primary, select an authorization profile.
7. In Secondary, select an authorization profile and then click Update.

To configure time-out settings for a logon point


You can configure time-out settings in Access Gateway globally, for a logon point, and
within a SmartGroup. Logon point time-out settings override global settings.
SmartGroup time-out settings override logon point and global settings.
You can enable three time-out settings for a logon point:
w Session time-out. If you enable this setting, the Access Gateway Plug-in disconnects
after the time-out interval elapses regardless of what the user is doing. There is no
action the user can take to prevent the disconnection from occurring when the time-out
interval elapses. The global default setting is 30 minutes. You cannot disable this
setting. The minimum value is one minute.
w User inactivity time-out. If you enable this setting, the user session times out if
Access Gateway does not detect mouse or keyboard activity on the user device for
the specified interval. The global default time-out setting is 30 minutes. If you set
this value to zero within the logon point, this time-out setting is disabled.
w Network inactivity time-out. If you enable this setting, the user session times out if
Access Gateway does not detect network traffic. The global default setting is 30
minutes. If you set this value to zero in the logon point, the setting is disabled.
Network activity monitoring requires the Access Gateway Plug-in.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the right panel, select a logon point and then click Edit.
4. In the Logon Point Properties page, under Session Properties, set any of the
following values:
Click Override user inactivity time-out and then type the minutes.
Click Override network activity time-out and then type the minutes.
Click Override session time-out and then type the minutes.
5. Click Save.

To disable a logon point


You can disable a logon point in Access Gateway if you need to temporarily stop users
from logging on to a specific logon point. This setting is also helpful if you need to
temporarily add or remove policies for testing. You do not need to remove and then
recreate the logon point.
Note: When you disable a logon point, existing user connections are not affected.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. Select the logon point you want to disable and click Edit.
4. In the Logon Point Properties dialog box, under General Properties, click Disable
and then click Update.

To remove a logon point from Access Gateway


If you no longer need a logon point for users, you can remove the logon point from
Access Gateway.
Note: Users who are currently connected to the removed logon point retain their
connection to Access Gateway.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, select the logon point and then click Remove.

Adding SmartGroups
SmartGroups in Access Gateway contain a collection of settings that group users
according to their identity, location, authentication and authorization type, and the
results of endpoint analysis (as defined in device profiles).
Before you configure a SmartGroup, Citrix recommends that you configure
authentication profiles, logon points, network resources, and device profiles in the
Access Gateway Management Console. Then, when you create the SmartGroup, you can
enable the settings that apply when users log on. To define the users, you configure
Group Membership within the SmartGroup. The name of the group must match the
group configured on the authorization server. You cannot configure individual users on
Access Gateway.
To create a SmartGroup
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, click Add.
4. In the SmartGroups Properties dialog box, configure the settings and then click
Save.

Configuring SmartGroup Settings


On the SmartGroup properties page, you can configure settings for the SmartGroup.
Each SmartGroup can consist of one or more settings. When you configure a
SmartGroup, logon points, device profiles, and group memberships are all used as
criteria for users to become a member of a SmartGroup. Before users can become
members of the SmartGroup, they must satisfy all the criteria defined in the
SmartGroup. If a SmartGroup does not have network resources defined, the
SmartGroup implicitly denies access to all resources.
When you configure a SmartGroup, you assign one or more SmartAccess logon points to
the SmartGroup. When users log on, they receive the settings for the logon point and
the settings that you configured within the SmartGroup.
You can configure the following settings in SmartGroups:
w Home page. The home page appears after the user logs on. The home page can be
the Access Interface, the Web Interface, Outlook Web Access, or SharePoint. If you
do not configure a home page within a SmartGroup, the Access Interface appears
when users successfully log on.
w Logon points. You can select or disable logon points that you configured on Access
Gateway. For example, you can select two logon points for the SmartGroup. When
users log on with the defined logon point, the users receive all the settings
associated with the logon point for that SmartGroup. Each SmartGroup must have at
least one logon point enabled. The same logon point can be shared among different
SmartGroups.
Note: When you configure a SmartGroup, you cannot select a basic logon point
from the list of available logon points.
w Device profiles. You can select which device profiles to use for each SmartGroup.
Access Gateway uses the device profiles that you select to determine user access
permissions. You can enable none, one, or multiple device profiles. Selecting a
device profile is optional for SmartGroups.
w Group membership. Group membership helps Access Gateway determine where to
apply the SmartGroup. Group membership is used with extracted groups based on
the authorization type that you selected when you enabled the logon point for the
SmartGroups. A SmartGroup should have at least one group name defined in group
membership. You can type in the group names in the SmartGroup. If you do not
configure group membership, user groups retrieved from the authorization server
are not used to determine membership in the SmartGroup.
w Network resources. Network resources are the areas in the secure network that
users are allowed to access. You can select the network resource and then allow or
deny access to that network resource.
w Address pools. If users need a unique IP address, you can associate an address pool
with the SmartGroup. When users log on to the logon point and SmartGroup, they
receive the unique IP address.
w Advanced properties. Advanced properties contain settings that you can either set
globally or as part of the SmartGroup. The SmartGroup settings take precedence
over the global settings. The advanced properties are:
Split tunneling
Close existing connections
Authenticate after network interruption
Authenticate after system resume
Split DNS
Single sign-on with Windows
Time-outs, including user inactivity, session, and network inactivity

To define the home page for users


After users log on to Access Gateway, a home page appears in the Web browser. The
default home page for Access Gateway is the Access Interface. If you want users to use
the Access Interface, you do not have to configure it as part of the SmartGroup. If you
want to use a different home page, you configure it as part of the SmartGroup. If you
configure Access Gateway to use the Web Interface but do not use the Web Interface
as the home page, the list of published applications appears in the left panel of the
Access Interface. The middle panel contains a list of Web sites users can access. The
right panel contains a list of file shares to which users can connect. If the Web
Interface is not part of the configuration, only the Web sites and file share panels
appear in the Access Interface.
You can configure the following home pages:
w Web Interface
w Generic
w Outlook Web Access 2007
w Outlook Web App 2010
w SharePoint 2007
A generic Web page is one to which you want users to connect that is not one of the
predefined types on Access Gateway. Examples of a generic home page are a Web page
within your intranet or your department home page.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup and then click Edit.
4. Under Home Page, select Use specified home page.
5. In Web address, type the URL of the home page.
6. In Type, select the type of home page.
7. To allow users to log on to the Web Interface or a Web application automatically,
click Single sign-on to the Web application and then click Update.

To add a logon point to a SmartGroup


You can select or disable logon points that you configured on Access Gateway. For
example, you can select two logon points for a SmartGroup. When users log on to one
of the defined logon points, the users become eligible for inclusion in the SmartGroup.
There are two types of logon points: SmartAccess and Basic. You can only use
SmartAccess logon points in SmartGroups. You must enable at least one logon point in
each SmartGroup. The same logon point can be used as a criterion for joining different
SmartGroups.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup and then click Edit.
4. Under Group Criteria, click Logon Points.
5. Select the logon point and then click Update.

To add device profiles to a SmartGroup


You can enable none, one, or multiple device profiles for each SmartGroup. When you
enable a device profile in the SmartGroup, users must log on from a user device that
meets the requirements of every device profile you select. When the user device
passes the checks, users receive the access permissions for that SmartGroup. The
result of the endpoint analysis scan on the user device, pass or fail, determines
membership in the SmartGroup.
Selecting a device profile is optional for SmartGroups. If you do not select a device
profile, endpoint analysis scans are not used to determine user access permissions.
Note: If you enable a device profile in a logon point, the endpoint analysis scan runs
when users connect to Access Gateway. If the user device fails the scan, users are not
allowed to log on.
For more information about device profiles, see Creating Device Profiles on page 160.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup and then click Edit.
4. Under Group Criteria, click Device Profiles.
5. Select one or more device profiles you want to enable and then click Save.

Configuring Group Membership in a SmartGroup


Group membership defines the users that are part of the SmartGroup. Users are
defined by the groups returned by the authorization server. If a user is a member of a
group on the authorization server and the name of that group is in group membership
in the SmartGroup, users receive the settings of the SmartGroup. You configure the
SmartGroup using the Access Gateway Management Console.
The authorization profile that is selected in the logon point determines the groups and
users on the authorization server. A SmartGroup should have at least one group name
defined in group membership. You can type in the group names in the SmartGroup. You
cannot configure users on Access Gateway.
A user's group membership is extracted from LDAP, RADIUS, or Active Directory
authorization servers and can be used as a criterion for becoming a member of a
SmartGroup. For example, you define a SmartGroup named External Contractors. You
then add any user who belongs to the group "ACME Corp Employees" or "Outside
workers", as defined on the domain server, to the External Contractors SmartGroup.
You can also use logon points as a criterion for becoming a member of a SmartGroup.
For example, you create a logon point called "MyDesk" and then create a SmartGroup
named "Employees". You can then designate any user who logs on through the "MyDesk"
logon point to be added to the Employees SmartGroup.
When users belong to multiple SmartGroups, users are allowed access to all of the
resources allowed by each SmartGroup. For example, if a user is a member of three
SmartGroups, when the user logs on, the user receives the settings from each
SmartGroup. If a network resource to 10.8.170.100 is allowed in one SmartGroup, but
denied in another SmartGroup, users cannot access that network resource. If any
SmartGroup explicitly denies access to a network resource, users cannot connect to
that resource even if it is allowed in another SmartGroup.

To configure group membership


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup, and then click Edit.
4. In the SmartGroups dialog box, under Group Criteria, click Group Membership.
5. Click New, type the name of the group on the authorization server.
6. Repeat Step 5 for each group you want to add and then click Update.

Adding Network Resources to a SmartGroup


Network resources are those areas in the secure network that users are allowed to
access. When you enable a network resource within a SmartGroup, you then allow or
deny access to the network resource. If users belong to multiple SmartGroups and a
network resource is denied in one SmartGroup, users cannot connect to the resource
even if it is allowed in another SmartGroup. The deny setting always takes precedence
over the allow setting.
For more information about creating network resources, see Defining Network
Resources on the Appliance on page 165.
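The rules spread across this chapter (logon point visibility with Match All or Any, SmartGroup membership requiring every configured criterion, Deny winning over Allow when a user belongs to several SmartGroups, and SmartGroup time-outs overriding logon point and global values with zero disabling a time-out) fit in one small policy model. The following is an added example written for this guide, not Citrix code: the dataclasses, the sample logon point "MyDesk", the SmartGroups and the group names are constructed, and the single-SmartGroup argument to `effective_timeout` is an assumption, because the guide does not say how conflicting time-outs from several SmartGroups are resolved.

```python
"""Policy model for the logon point and SmartGroup rules in this chapter.
Added example for the guide, not Citrix code; all names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass
class Timeouts:
    # None = not overridden at this level; 0 = disabled (where the level allows it)
    session: Optional[int] = None
    user_inactivity: Optional[int] = None
    network_inactivity: Optional[int] = None


GLOBAL_TIMEOUTS = Timeouts(session=30, user_inactivity=30, network_inactivity=30)


@dataclass
class LogonPoint:
    name: str
    smart_access: bool                          # Basic logon points cannot join SmartGroups
    visibility_profiles: Tuple[str, ...] = ()   # device profiles under "Control visibility"
    match: str = "All"                          # "All" or "Any"
    timeouts: Timeouts = field(default_factory=Timeouts)


@dataclass
class SmartGroup:
    name: str
    logon_points: FrozenSet[str]
    device_profiles: FrozenSet[str] = frozenset()  # optional; each selected one must pass
    groups: FrozenSet[str] = frozenset()           # names exactly as on the authorization server
    resources: Dict[str, str] = field(default_factory=dict)  # resource -> "Allow" | "Deny"
    timeouts: Timeouts = field(default_factory=Timeouts)


def logon_page_visible(lp: LogonPoint, passed: Set[str]) -> bool:
    """No visibility profiles: the page is shown to anyone who reaches the URL.
    Match=All: every listed profile must pass; Match=Any: at least one must pass."""
    if not lp.visibility_profiles:
        return True
    hits = [p in passed for p in lp.visibility_profiles]
    return all(hits) if lp.match == "All" else any(hits)


def is_member(sg: SmartGroup, lp: LogonPoint, passed: Set[str], user_groups: Set[str]) -> bool:
    """All criteria configured in the SmartGroup must be satisfied."""
    if not lp.smart_access or lp.name not in sg.logon_points:
        return False
    if not sg.device_profiles <= passed:             # every selected device profile passed
        return False
    if sg.groups and not (sg.groups & user_groups):  # a configured group name must match
        return False
    return True


def effective_resources(groups: Iterable[SmartGroup]) -> Set[str]:
    """Union of the Allow rules across the user's SmartGroups, minus anything any
    SmartGroup denies. A SmartGroup with no resources contributes nothing (implicit deny)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for sg in groups:
        for res, rule in sg.resources.items():
            (denied if rule == "Deny" else allowed).add(res)
    return allowed - denied


def effective_timeout(name: str, lp: LogonPoint, sg: Optional[SmartGroup]) -> int:
    """Most specific level wins. A logon point cannot disable the session time-out,
    so a 0 there is ignored; 0 anywhere else disables the time-out. Assumption:
    a single SmartGroup is consulted, since the guide leaves multi-group conflicts undefined."""
    value = getattr(GLOBAL_TIMEOUTS, name)
    lp_value = getattr(lp.timeouts, name)
    if lp_value is not None and not (name == "session" and lp_value == 0):
        value = lp_value
    if sg is not None and getattr(sg.timeouts, name) is not None:
        value = getattr(sg.timeouts, name)
    return value


def resolve(lp: LogonPoint, passed: Set[str], user_groups: Set[str],
            smart_groups: Iterable[SmartGroup]):
    """Return (names of SmartGroups the user joins, resources the user can reach)."""
    members = [sg for sg in smart_groups if is_member(sg, lp, passed, user_groups)]
    return [sg.name for sg in members], effective_resources(members)


# Constructed sample configuration mirroring the guide's own examples.
MYDESK = LogonPoint("MyDesk", True, ("Antivirus", "Firewall"), "Any",
                    Timeouts(user_inactivity=0, session=0))
EMPLOYEES = SmartGroup("Employees", frozenset({"MyDesk"}),
                       groups=frozenset({"ACME Corp Employees"}),
                       resources={"10.8.170.100": "Allow", "fileserver": "Allow"},
                       timeouts=Timeouts(user_inactivity=15))
CONTRACTORS = SmartGroup("External Contractors", frozenset({"MyDesk"}),
                         device_profiles=frozenset({"Antivirus"}),
                         groups=frozenset({"Outside workers"}),
                         resources={"10.8.170.100": "Deny"})

if __name__ == "__main__":
    # A user in both groups whose device passes only the Antivirus scan joins both
    # SmartGroups, so the Deny on 10.8.170.100 removes it from the Allow set.
    print(resolve(MYDESK, {"Antivirus"}, {"ACME Corp Employees", "Outside workers"},
                  [EMPLOYEES, CONTRACTORS]))
```

Running the script shows that a user who qualifies for both SmartGroups ends up with only `fileserver`, and that the same user whose device fails the Antivirus scan falls out of External Contractors and regains 10.8.170.100: endpoint analysis results can widen as well as narrow access, which is worth keeping in mind when a Deny is placed in a device-profile-gated SmartGroup.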

To add a network resource


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup and then click Edit.
4. Under Group Settings, click Network Resources.
5. Under Name, select a network resource.
6. Under Rule, click Allow or Deny and then click Update.

Defining Address Pools


In some situations, users who connect using the Access Gateway Plug-in need a unique
IP address for Access Gateway. For example, in a Samba environment, each user who
connects to a mapped network drive needs to appear to originate from a different IP
address. When you enable address pools for a SmartGroup, Access Gateway can assign a
unique IP address to each user device.
You can specify the gateway device to be used for address pools. The gateway device
can be the Access Gateway appliance or some other device. If you do not specify a
gateway, an Access Gateway network adapter is used, based on the Networking
settings, as follows:
w If you configured only network adapter eth0, the eth0 IP address is used as the
gateway. Access Gateway is inside your firewall.
w If you configured the network adapters eth0 and eth1, the eth1 IP address is used as
the gateway. Access Gateway is in the demilitarized zone (DMZ). The network
adapter eth1 is considered to be the internal interface in this scenario.
You create address pools using the System Administration panel in the Access Gateway
Management Console. You enable or disable address pools in SmartGroups. When users
log on and receive the settings of the SmartGroup, a unique IP address is assigned to
the connection from the pool.

To create address pools


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Address Pools.
3. In the Address Pools panel, click New.
4. In the IP Pool Properties dialog box, in Name, type the name for the address pool.
5. In Start IP Address, type the starting IP address for the pool.
6. In Number of IP addresses, type the number of IP address aliases. You can have as
many as 2,000 IP addresses total in all address pools.
7. In Default Gateway, type the gateway IP address and then click Add.
If you leave this field blank, an Access Gateway network adapter is used, as
described earlier in this section. If you specify some other device as the gateway,
Access Gateway adds an entry for that route in the Access Gateway routing table.
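Before typing pools into the IP Pool Properties dialog box, it helps to check the plan against the rules above: a pool is a start address plus a count, the appliance accepts at most 2,000 addresses across all pools, and the gateway falls back to eth1 or eth0 when the Default Gateway field is left blank. The following is an added example for this guide, not Citrix code; the pool names and addresses are constructed, and the overlap check is an extra safeguard the guide does not mention.

```python
"""Address pool planning for Access Gateway 5.0. Added example for the guide,
not Citrix code; pool names, addresses and the overlap check are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_POOL_ADDRESSES = 2000  # limit stated in the guide for all address pools combined
IPv4 = ipaddress.IPv4Address


def pool_range(start: str, count: int) -> List[IPv4]:
    """Expand 'Start IP Address' + 'Number of IP addresses' into the addresses the
    pool hands out. Raises ValueError for a non-positive count and
    ipaddress.AddressValueError if the pool runs past the end of IPv4 space."""
    if count < 1:
        raise ValueError("a pool needs at least one address")
    first = IPv4(start)
    return [first + i for i in range(count)]


def validate_pools(pools: List[Tuple[str, str, int]]) -> Tuple[bool, List[str]]:
    """pools: (name, start, count) triples as typed into IP Pool Properties.
    Flags the 2,000-address cap and any address shared by two pools; an overlap
    would let two sessions be handed the same address."""
    problems: List[str] = []
    total = sum(count for _, _, count in pools)
    if total > MAX_POOL_ADDRESSES:
        problems.append(f"{total} addresses requested, limit is {MAX_POOL_ADDRESSES}")
    owner: Dict[IPv4, str] = {}
    for name, start, count in pools:
        for addr in pool_range(start, count):
            if addr in owner:
                problems.append(f"{addr} in pool {name} overlaps pool {owner[addr]}")
            else:
                owner[addr] = name
    return (not problems, problems)


def pool_gateway(adapters: Dict[str, str], explicit: Optional[str] = None) -> Tuple[str, str]:
    """Gateway used by a pool: the Default Gateway field if it is filled in;
    otherwise eth1 when both adapters are configured (DMZ deployment, eth1 is
    the internal side), else eth0. Returns (source, address)."""
    if explicit:
        return ("explicit", str(IPv4(explicit)))  # IPv4() also validates the text
    if "eth0" in adapters and "eth1" in adapters:
        return ("eth1", adapters["eth1"])
    return ("eth0", adapters["eth0"])


if __name__ == "__main__":
    # Two pools whose ranges collide on 10.8.200.50 through 10.8.200.100.
    ok, issues = validate_pools([("vpn-a", "10.8.200.1", 100), ("vpn-b", "10.8.200.50", 100)])
    print(ok, issues[:3])
    print(pool_gateway({"eth0": "203.0.113.10", "eth1": "10.8.1.5"}))
```

Whatever gateway the check reports, the internal network still has to route the pool addresses back to the appliance, so confirm that route on the internal router before enabling the pool in a SmartGroup.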

To enable an address pool in a SmartGroup


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, click a SmartGroup and then click Edit.
4. In the SmartGroup Properties dialog box, under Group Settings, click Address
Pools.
5. Click an address pool and then click Update.

Selecting Advanced Property Settings for a SmartGroup


The settings in Advanced Properties for a SmartGroup are the same as the settings you
can configure in the Global Options panel in the Access Gateway Management Console.
You can configure the settings in each SmartGroup to override the global settings.
When you configure the settings in Advanced Properties, you can choose the following
options for each setting:
w Inherit. Uses the global setting value.
w Enable. Enables the Advanced Properties setting for the SmartGroup and overrides
the global setting
w Disable. Disables the Advanced Properties setting for the SmartGroup and overrides
the global setting
You can configure the following settings:
w Split tunneling
w Close existing connections when users log on to Access Gateway
w Authenticate after network interruption
w Authenticate after system resume
w Split DNS
w Single sign-on with Windows
w Time-out settings including user inactivity, network inactivity, or session.
Important: The Advanced Properties settings you configure in SmartGroups override
Global Options and logon point settings.

To configure time-out settings for a SmartGroup


You can configure time-out settings in Access Gateway globally, with a logon point, and
within a SmartGroup. Logon point time-out settings override the global settings.
SmartGroup time-out settings override logon point and global settings.
You can enable three time-out settings within a SmartGroup:
w Session time-out. If you enable this setting, the Access Gateway Plug-in disconnects
after the time-out interval elapses regardless of what the user is doing. There is no
action the user can take to prevent the disconnection from occurring when the time-out
interval elapses. The global default setting is 30 minutes. If you change the
value to zero within the SmartGroup, the setting is disabled.
w User inactivity time-out. If you enable this setting, the user session times out if
Access Gateway does not detect mouse or keyboard activity on the user device for
the specified interval. The global default time-out setting is 30 minutes. If you set
this value to zero within the SmartGroup, this time-out setting is disabled.
w Network inactivity time-out. If you enable this setting, the user session times out if
Access Gateway does not detect network traffic. The global default setting is 30
minutes. If you set this value to zero in the SmartGroup, the setting is disabled.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, select a SmartGroup and then click Edit.
4. In the SmartGroup Properties dialog box, under Group Settings, click Advanced
Properties.
5. Set any of the following values:
Select Override user inactivity time-out and then type or select the minutes.
Select Override network activity time-out and then type or select the minutes.
Select Override session time-out and then type or select the minutes.
6. Click Update.

Using the Command Line to Configure Access Gateway Appliance Settings


Citrix Access Gateway 5.0 has a new command-line interface that lets you configure
network settings, see system information, and troubleshoot problems.
After you physically install the Access Gateway appliance in your network, you
configure the network settings for the appliance to communicate with internal and
external networks. You connect the appliance to a serial cable and when the serial
console appears, you run Express Setup to configure the network settings for the
appliance. In Express Setup, you can configure the following settings:
w Configure the IP address and subnet mask that is used for connections from the
Internet or external network
w Configure the internal management interface that is used for connection to the
secure network
w Configure the default gateway
w Configure Domain Name System (DNS) servers
w Configure a Network Time Protocol (NTP) server
w Enable Access Controller on Access Gateway
You can then use the command line to configure additional settings, such as:
w Display system date and disk usage
w Enable or disable Secure Shell (SSH) access to the command line
w Reset the certificate
w Import or restore a saved snapshot to change the appliance configuration
w Restart or shut down Access Gateway
If you need to troubleshoot an issue on Access Gateway, you can use the command line
to collect information for technical support staff. You can enter commands to gather
network information, configure logging, and create a support bundle for technical
support. The support bundle contains logs, system and network information, and
configuration data to help technical support find any problems that might occur.
After you install Access Gateway and configure settings for the first time, you can
continue to use the command line to configure the settings mentioned above. If you
want to use the command line after removing the serial cable, you need to enable SSH
access to the command line from within the Access Gateway Management Console. You
can then use an SSH application to connect to the command line.
If you reconfigure the appliance or if the appliance fails to start three times in 30
minutes and is in system recovery mode, some items in the command line are not
available. These include:
w Express Setup
w Reset Certificates
w Import Configuration

Defining Network Settings on the Access Gateway Appliance by Using Express Setup


Express Setup allows you to use the command line to configure initial network settings
on Access Gateway. When you install Access Gateway in your network, you use a serial
cable to connect the appliance to a computer with a terminal emulator and then you
can use Express Setup to configure the following network settings:
w [0] Internal Management Interface. Select the network adapter to use to connect
to the Access Gateway Management Console. You can select an adapter from the list
to access the Management Console.
w [1] Interface IP, Netmask. Configure the IP address and subnet mask for the
network adapters installed on the appliance. Citrix recommends that you use both
network adapters.
w [2] Default Gateway. Configure the IP address of the default gateway, which can be
the main router, firewall, or server load balancers, depending on your network
configuration.
w [3] DNS Servers. Configure Domain Name System (DNS) servers in your network. You
can use the command line to configure up to two DNS servers.
w [4] NTP Servers. Configure a Network Time Protocol (NTP) server in your network.
If you deploy Access Controller with Access Gateway, you must configure an NTP
server to synchronize the time between Access Gateway and Access Controller. You
can use the command line to configure up to two NTP servers.
w [5] AG Deployment Mode. Enable communication between Access Gateway and
Access Controller. Before you change this setting, you must add Access Gateway to
Access Controller. When you use the command line to enable Access Controller, you
provide the Access Controller shared key and identifier. You also provide the Access
Controller IP address, port, and indicate if the connection is secure. For more
information, see Enabling Access Controller on page 194.
w [6] Commit Changes. Save your configuration settings to the Access Gateway
appliance.
w [7] Return to Main Menu. Return to the main command-line menu.
After you use the command line to configure the initial network settings, you can then
use the Access Gateway Management Console to configure logon points, device
profiles, and SmartGroups for user access. For more information, see Access Gateway
Management Console on page 26.

To configure Access Gateway appliance network settings by using Express Setup


When you first install Access Gateway 5.0, you can use the serial console to set the IP
address and subnet of the network adapters on Access Gateway, as well as the IP
address of the default gateway device. You use Express Setup to configure networking
settings on the appliance.
If you want to reach Access Gateway through the serial console before making any
other configuration settings, use a serial cable to connect the Access Gateway to a
computer that has terminal emulation software. After you configure the initial settings,
you can use the Access Gateway Management Console to configure other appliance
settings.
When you use the command line, current settings appear in brackets ([ ]).
Note: Citrix recommends using both network adapters on the appliance.
1. Connect the serial cable to the 9-pin serial port on Access Gateway and connect
the cable to a computer that is capable of running terminal emulation software.
2. On the computer, start a terminal emulation application, such as HyperTerminal.
Note: HyperTerminal is not automatically installed on Windows Server 2003 or
Windows Server 2008. To install HyperTerminal, use Add or Remove Programs in
Control Panel.
3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit.
Hardware flow control is optional.
4. Turn on Access Gateway. The serial console appears on the computer terminal after
about three minutes. If using HyperTerminal, press ENTER.
5. On the serial console, enter the default administrator credentials. The user name
is admin and the password is admin. These defaults are published, so change the
administrator password before you connect the appliance to a network that other
people can reach.
6. To set the IP address and subnet mask and the default gateway device, type 0 and
then press ENTER to choose Express Setup.
7. Using the menu, configure the network settings for the appliance. When you are
finished, press 6 and then press ENTER to commit the changes.
8. To verify that the Access Gateway can detect the presence of a connected network
device, type 2 to open the Troubleshooting menu, type 0 to open Network
Utilities and then type 3 to use the ping command. Type the IP address of the
target network and press ENTER.
After you verify that Access Gateway can connect to other places in the network, shut
down the appliance so you can connect network cables to the appliance. Remove the
serial cable and connect Access Gateway using either a cross-over cable to a
Windows-based computer or a network cable to a network switch and then turn on Access
Gateway.

To shut down Access Gateway by using the command line


Do not shut down the Access Gateway appliance by using the power switch on the
appliance. You can use the command line to shut down the appliance.
1. In the command line, on the main menu, press 1 and then press ENTER to open the
System menu.
2. In the System menu, press 5, press ENTER and then follow the command prompts.

Managing Access Gateway by Using the Command Line


You can use the command line System menu to gather statistical information and
manage the Access Gateway appliance. On this menu, you can do the following:
w [0] System Date. View the date and time on Access Gateway.
w [1] System Disk Usage. Show the amount of disk space used on Access Gateway.
w [2] Toggle SSH Access. Enable or disable the use of a Secure Shell (SSH) interface,
such as PuTTY, to use the command line.
w [3] Reset Certificate. Reset the Access Gateway certificate.
w [4] System Restart. Restart Access Gateway.
w [5] System Shutdown. Turn off Access Gateway.
w [6] Restore Configuration. Restore an earlier version of a snapshot.
w [7] Import Configuration. Import a saved snapshot from a computer in your network.
w [8] Back to Main Menu. Return to the main menu.

Enabling SSH Access to the Access Gateway Command Line


After you install Access Gateway and use the serial console to configure the initial
settings, you can enable Secure Shell (SSH) access to the command line. You can do this
in the command line when you initially configure the appliance, or from the Access
Gateway Management Console. Because SSH exposes the command line over the network,
enable it only while you need it and disable it again when you are done.

To enable SSH access to the command line


1. In the command line, on the main menu, press 1 and then press ENTER to enter the
System menu.
2. In the System menu, press 2 and then press ENTER to run the Toggle SSH Access
command and follow the prompt to enable or disable SSH access.

To enable SSH access by using the Access Gateway Management Console


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Networking.
3. Under Access Gateway Properties, click Enable support access and then click
Save.

Resetting the Default Access Gateway Configuration by Using the Command Line


You can use the command line to restore the default Access Gateway configuration. You
can choose to restore the default configuration or use a support bundle to restore
settings.
1. In the Access Gateway command line, press 1 and then press ENTER to open the
System menu.
2. In the System menu, press 6 and then press ENTER to restore the default
configuration.
3. Press the appropriate number to select the snapshot you want to restore or press
ENTER to cancel the command.
4. Restart Access Gateway when prompted.

Resetting Certificates by Using the Command Line


You can use the command line to change the default certificate on Access Gateway.
When you reset the certificate, Access Gateway removes the passphrase and the new
certificate file overwrites the old certificate file. When you reset the default
certificate, you must restart the appliance.
1. In the command line, on the main menu, press 1 to enter the System menu.
2. In the System menu, press 3 and then press ENTER to reset the certificate and
then follow the command prompts.

Troubleshooting Access Gateway by Using the Command Line


Access Gateway provides tools to help you gather information to solve issues that may
arise with the appliance. From the Troubleshooting menu in the command line, you can
use the following tools:
- [0] Network Utilities. View routing tables, network information, and use traceroute
and ping to check network connections.
- [1] Logs. Use to configure log levels and download logs to your computer.
- [2] Support Bundle. Create a support bundle that contains system information,
logs, database information, core information, trace files, and the latest snapshot of
Access Gateway. You can select either the Secure Copy protocol (SCP) or the File
Transfer Protocol (FTP) to transfer the support bundle to the remote server for your
support personnel.
- [3] Back to Main Menu. Return to the main command line menu.

Capturing Network Settings for Troubleshooting


You can view Access Gateway network settings to help you troubleshoot issues that may
arise with the appliance. You can use the command line to view the following network
details:
- View network information for each network adapter on Access Gateway
- View the Access Gateway routing table that lists routes to network destinations
- View the Address Resolution Protocol (ARP) table information for Access Gateway
- Use the ping command to detect other networks
- Use traceroute to view network routes
- Use DNS lookup to view the DNS name associated with an IP address
- Create a network trace to provide to technical support personnel

To view network information on Access Gateway


1. In the command line, on the Main menu, press 2 and then press ENTER to open the
Troubleshooting menu.
2. In the Troubleshooting menu, press 0 and then press ENTER to open the Network
Utilities menu.
3. In the Network menu, select one of the following options:
Press 0 to obtain network information about Access Gateway.
Press 1 to view the Access Gateway routing table.
Press 2 to view the ARP table.
Press 3 to open the ping utility.
Press 4 to trace the network route of an IP address.
Press 5 to find the DNS name associated with an IP address.
Press 6 to obtain a network trace.
4. Follow the command prompts for the selected option.

Creating a Support Bundle


If you have a problem with the Access Gateway appliance, you can create a support
bundle to send to technical support staff for evaluation. The support bundle contains
the following information:
- System information
- Access Gateway logs
- Access Gateway database information
- Access Gateway core information
- Trace files
- Latest snapshot of Access Gateway

To create a support bundle


1. In the Access Gateway command line, press 2 and then press ENTER to open the
Troubleshooting menu.
2. In the Troubleshooting menu, press 2 and then press ENTER to open the Support
Bundle menu.
3. In the Support Bundle menu, press 0, press ENTER and then follow the command
prompts.
When Access Gateway finishes creating the support bundle or overwriting a support
bundle you previously created, you receive a message that contains the name of the
support bundle. The name contains the date and time stamp, and the internal IP
address of the appliance. The support bundle has the extension .support. For example,
you might see the following as the name of the file:
20100823150921_10.199.240.168.support. The section 20100823 is the date,
150921 is the time, and 10.199.240.168 is the IP address. When you create a support
bundle, you can then use the Secure Copy protocol (SCP) or the File Transfer Protocol
(FTP) menu options to upload the bundle to a remote server for review by technical
support staff.


To upload a support bundle by using either SCP or FTP


1. In the Access Gateway command line, press 2 and then press ENTER to open the
Troubleshooting menu.
2. In the Troubleshooting menu, press 2 and then press ENTER to open the Support
Bundle menu.
3. In the Support Bundle menu, press either 1 or 2, press ENTER and then follow the
command prompts.

Configuring Logs by Using the Command Line


You can use the command-line menu to configure logs to troubleshoot issues that may
arise with Access Gateway. You can revert to the default log level, create a new
log, or display the current log.
If you need to troubleshoot an issue, you can create logs for debugging using class and
group log levels. You set these parameters with Citrix Technical Support personnel.

To configure logs by using the command line


1. In the command line, in the Main menu, press 2 and then press ENTER to open the
Troubleshooting menu.
2. In the Troubleshooting menu, press 1 and then press ENTER to open the Logs menu.
3. In the Logs menu, do one of the following:
Press 2 to restore the default log level.
Press 3 to create a new log file.
Press 4 to display the current log. When you select this option, you can then
select how many lines (from 1 through 1,000) of the log you want to view.

Managing Access Controller


Citrix Access Controller provides additional benefits to Citrix Access Gateway, including:
- Native Active Directory Authentication
- Advanced Endpoint Analysis
- Centralized control of Access Gateway appliances
- Session sharing across multiple Access Gateway appliances
- Centralized logging
- Delivery Services Console
Access Controller expands your Access Gateway environment, providing your users with
the following standard features:
- SmartAccess analyzes the access scenario and then delivers the appropriate level of
access without compromising security.
- SmoothRoaming ensures that as users move between devices, networks, and
locations, the appropriate level of access is configured automatically for each new
access scenario.
- Secure by Design provides users with access that is inherently secure by design,
protecting both the security of company information, as well as the integrity of the
network.

In This Section
This section of eDocs contains information about installing, setting up, and configuring
Access Controller.
- Initial Configuration of Access Controller on page 190: Contains information about
supported configurations for Access Controller and running the Server Configuration
utility.
- Using the Delivery Services Console on page 196: Describes the Delivery Services
Console for managing Access Controller.
- Creating Authentication and Authorization Profiles on Access Controller on page 199:
Contains information about configuring Active Directory, LDAP, RADIUS, and RSA
SecurID authentication profiles.
- Creating Logon Points on Access Controller on page 205: Describes how to configure
basic and SmartAccess logon points.
- Adding Resources to Access Controller on page 211: Describes how to configure file
shares, Web and network resources.
- Controlling Access Through Policies on page 219: Describes how to configure filters,
access policies, and connection policies.
- Configuring Clustering and Load Balancing on page 276: Describes how to create a
cluster of Access Gateway appliances and Access Controller servers. Includes
information about load balancing the cluster.

Initial Configuration of Access Controller


After you install Citrix Access Controller on your server, you can then configure Access
Controller to work with the Citrix Access Gateway appliance and Citrix XenApp.
After you install Access Controller, the Server Configuration utility appears. Within the
utility, you configure the initial settings for Access Controller. Then, you can use the
Delivery Services Console to configure additional settings. You can also run the Server
Configuration utility again to change settings.
When you install more than one Access Controller server in a cluster, you can configure
additional servers to provide recovery, enhance performance, and increase the cluster's
capacity to support additional users. You can make changes to the cluster configuration
at any time from the Delivery Services Console.

How the Server Configuration Utility Works


After you install Access Controller, you configure your server using the Server
Configuration utility, which runs when the installation of Access Controller is complete.
The Server Configuration utility allows you to perform preliminary configuration tasks,
such as creating a cluster and configuring the basic settings for Access Controller. When
you run the Server Configuration utility for the first time, you configure the following
settings:
- Create or join a cluster.
- Create the administrator service account.
- Create the Microsoft SQL Server database account. You can create an account for an
existing SQL Server database or you can use SQL Server Express which is included
with Access Controller.
- Configure Web Services. These settings include the Web site path, the advertised IP
address of the Access Controller server, or a custom path for Web content.
When you select your settings, Access Controller configures the cluster and installs SQL
Server Express if you selected that option.
The Server Configuration utility performs the following operations:
- Verifies all account information
- Updates services
- Stops Access Controller services
- Starts Access Controller services
- Updates internal service account information
- Updates internal database account information
- Synchronizes the cluster
Server Configuration Utility Administrator Account
Server Configuration sets up the administrator account that you specify as the service
account. The utility adds the account to the local Administrators group and grants the
following local security policy rights:
- Act as part of the operating system
- Log on as a batch job
- Log on as a service
Important: The Server Configuration utility cannot create a SQL user account for
access to the cluster database. You must create an account in SQL Enterprise
Manager before you change the user account for database access. The database user
account must have system administrator privileges.
The Server Configuration utility does not add the service account to network shares.
The Server Configuration utility does not remove previous service accounts from the
local security policy or network shares. If this is a security concern, remove the old
accounts after updating the account information with the utility.
Changing Settings with the Server Configuration Utility
If necessary at a later time, you can also run the Server Configuration utility to change
your settings. You can carry out the following configuration tasks:
- Changing the administrator service account
- Selecting or changing a cluster database and specifying a database server
- Deploying logon points
- Importing endpoint analysis plug-in packages
- Starting or stopping Access Controller services
- Configuring Web Services settings

To start the Server Configuration utility


After installing Access Controller, you can configure a server with the Server
Configuration utility. When installation is complete, make sure you run the Server
Configuration utility. At the end of the installation, you receive a dialog box stating
that the installation is successful. In this dialog box, click Run Server Configuration
and complete the steps in the wizard as follows.
1. Create a cluster or add the server to an existing cluster.
Create a new cluster
Choose this option if you are creating a cluster. The cluster name becomes the
Microsoft SQL Server database name. Choosing this option requires you to enter
licensing, service account, and database information.
Join an existing cluster
Choose this option if you are adding a server to an existing cluster. Choosing this
option requires you to enter service account and database information.
2. Add the services account, which enables communications between services and
servers in the cluster.
3. Specify whether to use an existing SQL Server database or to install a local
database engine. The database server stores the configuration data for the cluster.
Microsoft SQL Server
Choose this option to use a supported version of Microsoft SQL Server as the
database server for the cluster. SQL Server can run on the same server running
Access Controller or on a separate database server.
Important: If you want to select a SQL Server database, be sure the SQL
Service is running on the server you want to specify. If the SQL Service is not
running, the Server Configuration utility cannot detect the server.
If you select SQL Server as your database, the Server Configuration utility
prompts you to specify the server on which SQL Server is installed.
- Configuration database server. Type the name of the database server.
- Cluster name. Type the name of the cluster you want to create or join.
- Use the Service Account to access the configuration database. Choose this
option to use the Access Controller service account credentials to access the
SQL database.
- Use SQL Authentication to access the configuration database. Choose this
option to use the SQL database account credentials to access the SQL
database. If you choose this option, you must also enter the database user
name and password.
Microsoft SQL Server Express
Choose this option if you want Access Controller to install the necessary
components for a local database server and create a database for the cluster.
The Server Configuration utility searches for an instance of SQL Server Express
labeled CitrixController. If this instance is not found, the Server Configuration
utility installs this instance for you.
Note: Use the Microsoft SQL Server Express option for a pilot deployment of
Access Controller. Citrix recommends the use of SQL Server for large-scale
deployments.
4. Select a Web Site path. The Web site path is the location where all Web content
for Access Controller is installed. Review the Web site path that Access Controller
detects to ensure that the path is valid for your deployment.
To change the physical path:
a. Select the Web site you want to change.
b. Click Use custom path for Web content.
c. In Path, type the physical path you want to use for the Web site. You can also
click Browse to navigate to the directory you want to specify.
5. Secure Web Site traffic with SSL. When you select a Web site path, you can also
enable the Secure Sockets Layer (SSL) protocol to secure communication with
Access Gateway. To secure Web site traffic, select the Secure communication
with this server check box.
Important: You must have the required digital certificates installed on the server
before configuring Access Controller. This check box is not enabled unless SSL is
enabled on the server.

6. Finish server configuration.
The Server Configuration utility displays a summary of your selected options and
configuration settings. After you review the summary, click Next to initiate server
configuration. When configuration is complete, click Finish and proceed to
configuring Access Controller to manage the Access Gateway appliance.

Enabling Access Controller


After you install Access Controller and run the Server Configuration utility, you need to
enable Access Controller and the Access Gateway appliance to recognize each other.
To enable communication with Access Controller, use the following guidelines:
- Add the Access Gateway appliance to Access Controller.
- In the Access Gateway Management Console, on the Deployment Mode panel, select
Access Controller and enter the server information.
- Copy the shared key and Access Gateway identifier from Access Controller to the
corresponding fields on the Deployment Mode panel in the Access Gateway
Management Console.
- In the Access Gateway Management Console, on the Name Service Providers panel,
enter the Domain Name System (DNS) and Windows Internet Name Service (WINS)
information for your Access Controller server.
- In the Access Gateway Management Console, on the Static Routes panel, configure
the IP static routes as needed.
- Make sure you synchronize Access Gateway and Access Controller date and time. To
do so, you must deploy a Network Time Protocol (NTP) server.
After you perform these tasks and restart the appliance, you use the Management
Console to manage appliance-specific settings only. You use the Delivery Services
Console to manage all settings for Access Controller.
For more information about using the Management Console, see Access Gateway
Management Console on page 26.
When you configure Access Gateway to use Access Controller, the following settings are
deactivated and existing configuration values are removed in the Access Gateway
Management Console:
- Global Options
- Authentication
- Device Profiles
- Logon Points
- Network Resources
- SmartGroups
If you configured these settings with the Management Console before enabling Access
Controller, you must configure these settings again in the Delivery Services Console.
For more information about configuring these settings in the Access Gateway
Management Console, see Managing the Access Gateway Appliance on page 122.
Likewise, if you disable appliance administration with Access Controller, the global
Access Gateway appliance settings you configured in the Management Console are
activated and existing configuration values are restored. When you enable Access
Controller, Access Gateway creates a snapshot of the configuration. If you choose to
use Access Gateway only in your deployment, you can restore the snapshot and the
configuration settings.
For more information, see Creating Snapshots to Manage Access Gateway Configuration
Settings on page 114.

To add Access Gateway to Access Controller


You must add the Access Gateway appliance to Access Controller before you enable
Access Controller on the appliance. When you add the Access Gateway appliance, you
then copy the shared key from Access Controller to the appliance.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to add the Access Gateway
appliance.
3. Click Access Gateway appliances and then under Common Tasks, click Add Access
Gateway appliance.
4. In Name, type the IP address of the appliance.
5. In Access Gateway Identifier, copy the identifier and then paste it in a text file.
Paste the identifier into the corresponding field in the Access Gateway
Management Console.
6. In Shared Key, copy the key and then paste it in a text file.
When you complete this procedure, you can then go to Access Gateway and enable
Access Controller. Paste the shared key in the corresponding field on the
Deployment Mode panel in the Access Gateway Management Console.
7. To use network address translation (NAT), click Use translated address when
communicating with this appliance and then type the IP address and port number.
8. Click Add.

To enable Access Controller on the Access Gateway appliance


Before you configure the Access Gateway to use Access Controller, add the appliance to
Access Controller.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Deployment Mode.
3. Next to Access Gateway Mode, click Access Controller.
4. In Identifier, paste the identifier from Access Controller.
5. Under Access Controller Settings, in Shared key, paste the shared key from
Access Controller.
Note: The shared key must be 64 characters in length. You obtain the shared key
when you configure Access Gateway appliances on Access Controller.
6. In Server address, type the IP address or fully qualified domain name (FQDN) of
a server running Access Controller.
7. Click Secure connection to secure the connection between Access Gateway and
Access Controller.
8. In Port, type the port number and then click Save.

To disable Access Controller on Access Gateway


If you want Access Gateway to manage user connections, you can disable Access
Controller using the Access Gateway Management Console.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Deployment Mode.
3. Next to Access Gateway Mode, click Appliance and then click Save.
When you remove an Access Gateway appliance from Access Controller, you must
disable Access Controller using the Access Gateway Management Console. If you do
not disable Access Controller on the appliance, Access Controller registers Access
Gateway again.

Using the Delivery Services Console


The Citrix Delivery Services Console extends your ability to manage your deployment by
integrating many of the administrative features of your Citrix products into the
Microsoft Management Console (MMC). This is a standalone snap-in to the MMC.
Management functionality is provided through a number of management tools
(extension snap-ins) that you can select when you install Citrix Access Controller or at a
future time.

Installing the Delivery Services Console


The Delivery Services Console is part of the Access Controller installation. When the
installation and Server Configuration are complete, you can start configuring settings on
Access Controller.

Managing Administrative Users and Accounts


You must be a system or network administrator to use the Delivery Services Console.
You should therefore ensure that the correct administrator privileges are in place
before allowing others to use the console.
Do not run the console in two sessions simultaneously on one computer using the same
user account. Changes made on the console in one session can overwrite changes made
in the other.
Deploying the Console to Administrators


To use the console to make changes to an Access Controller deployment, administrators
must have permission to run the Access Gateway Server COM+ application. For more
information about granting COM+ permissions, see Securing the Delivery Services
Console by Using COM+ on page 345.

To start the Delivery Services Console


Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.

The Delivery Services Console User Interface


The main user interface of the Citrix Delivery Services Console consists of three panes:
- The left pane contains the console tree.
- The task pane in the middle displays administrative tasks and tools. This pane is not
present in the Microsoft Management Console.
- The details pane on the right displays information about your deployment items and
associated tasks.
The following nodes are available under the top-level node in the console tree:
- Alerts. Lists the alerts created by all the items in your deployment. Double-click an
alert to locate the affected item.
- Search Results. Displays the results of any search that you perform. Click Search in
the task pane to perform a standard or advanced search.
- My Views. Allows you to customize the information that you display in the details
pane.
You can use the Delivery Services Console to manage settings on Access Controller and
Access Gateway. With the Delivery Services Console, you can:
- Configure logon points, resources, filters, and policies
- Manage multiple Access Controller clusters and Access Gateway appliances
- Create endpoint analysis scans

Finding Items in Your Deployment by Using Discovery


Before you can use the Citrix Delivery Services Console to manage the items in your
deployment, you must run discovery. Discovery is not equivalent to locating items that
already exist in the console tree, which you perform using Search in the task pane. By
contrast, discovery updates items with the latest information from the database.
Discovery includes adding, removing, or updating the items, including names, IP
addresses, and status.
You can use the Run discovery task to discover items. The first time you open the
console, discovery runs automatically.
You should run discovery on a regular basis to ensure that you have the most up-to-date
view of your deployment. Run discovery if:
- You installed or removed an Access Gateway or Access Controller item or
component. The Delivery Services Console does not recognize any recently installed
items or components until you run discovery.
- Items are added to or removed from an existing deployment. The console tree, the
details pane, and the available tasks are refreshed only after discovery is
completed.
- Your administrative privileges change or you change a custom administrator's
privileges. Modifications to privileges do not take effect in the console until you run
discovery again.
To run discovery for one component in the console tree, select the component and then
click Run discovery.

To run discovery
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources.
3. In the task pane, under Common Tasks, click Run discovery.

Configuring Settings with the Getting Started Panel


To help you configure your Access Controller deployment, the Getting Started panel in
the Citrix Delivery Services Console presents links to several wizards that guide you
through tasks, such as configuring Web resources and access policies. These links
include the following items:
- Adding Access Gateway appliances to Access Controller
- Creating logon points, authentication profiles, and endpoint analysis scans for user
logon
- Creating resources, policies, and filters for user access to the network

To access the Getting Started panel


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the navigation pane, click the Access Gateway node and under Other Tasks,
click Getting started.
You can also click the Access Controller node or the cluster node in the console tree
and then under Other Tasks, click Getting started.

Customizing Your Display by Creating My Views


You can create custom displays in the Citrix Delivery Services Console details pane
called My Views. These are configurable displays that give you quick access to items
you need to examine regularly or items in different parts of the console tree that you
want to group in the same display. Instead of repeatedly browsing the console tree, you
can place the items in a single, easily retrievable display and see updated information
at any time without searching for them. For example, you can create a My View to
display policies for servers in different access server clusters.
You can select any node, such as Resources or Access Gateway appliances, in the tree
and save the settings in My Views.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Select a node and under Common Tasks, click Save in My Views.
3. In Name, type a name for the view.
4. In Description, type a description of the view.
5. In Location, click New Folder, type a name for the folder and then click OK.
After you add items to My Views, you can click My Views in the task panel to show all
of the items added to the details pane.

Creating Authentication and Authorization Profiles on Access Controller

You can configure authentication on Citrix Access Controller for your authentication
type. Access Controller supports the following authentication types:
- Native Active Directory
- LDAP
- RADIUS
- RSA SecurID
For each authentication type, you create an authentication profile. As part of the
authentication profile, you can configure authorization. Access Controller supports
Active Directory, LDAP, and RADIUS authorization. If you do configure authorization, you
then configure network resources to allow or deny access to the network resources.
If you are using Active Directory or LDAP for authorization, you do not need to
authenticate using Active Directory or LDAP. If you use RADIUS authentication and want
to use authorization, you must use RADIUS authorization.
You can configure several authentication profiles in Access Controller, each with its
own independent authentication requirements. When users log on, the logon point
determines the authentication profile to use.
You can enable these authentication types by configuring the logon point properties in
the Delivery Services Console. When you configure a logon point, you select the
authentication and authorization methods you want to use. For example, you can
select LDAP to authenticate users and Active Directory to authorize users to access
certain corporate resources.
To further strengthen your Access Gateway environment, you can use Secure Sockets
Layer (SSL); however, SSL is optional. Access Gateway can use SSL to communicate with
the Access Controller server.

Creating an Active Directory Authentication Profile on Access Controller

You can authenticate users with native Active Directory authentication. When you
configure this type of authentication on Access Controller, users are authenticated with
the Windows logon application programming interface (API) instead of LDAP.
Access Controller supports authentication against the domain to which it belongs, plus
any trusted domains in the Active Directory forest. When you configure an Active
Directory authentication profile on Access Controller, you can select a default domain
for all users, allow users to specify the domain, or allow users to select the domain
from a provided list.
When you configure Active Directory authentication, you can also allow users to change
their password when they log on. Access Controller supports the following types of user
logon credentials:
- User name, plus domain and password
- Domain\user name and password
- User principal name (UPN) and password

To configure Active Directory authentication


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click the Access Controller cluster name (the default is
CitrixController).
3. In the middle pane, under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click Authentication Profiles.
5. Click New and select Active Directory.
6. In Name, type a name for the profile.
7. In Description, type a description for the profile.
8. Under Domain Selection, select one of the following:
Use the selected domain for all users to set a default domain for user logon.
Allow users to specify their domain to allow users to select their domain when
users log on.
Allow users to select a domain from the domain list to allow users to select
from multiple domains. If you select this option, click Domain List, select the
domains and then click OK.
9. Click OK twice to complete the Active Directory profile.

Creating an LDAP Authentication Profile on Access Controller

Authentication profiles allow you to configure LDAP settings at the cluster level and
apply them to one or more logon points. When using LDAP authentication and Active
Directory authorization, group names, including character and case, must be identical.
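The procedure that follows describes how Access Gateway binds to the LDAP server with the administrator credentials, searches for the user under the Base DN, unbinds, and then rebinds with the user's own credentials. The following added example (illustration only, not Citrix code) models that sequence against a constructed in-memory directory and applies the exact-case group comparison this paragraph calls for; the server name, DNs, passwords and attribute names are all constructed.

```python
"""Added illustration, not Citrix code: models the lookup-then-rebind sequence
used for LDAP authentication profiles and the exact-case group comparison needed
when LDAP authentication is paired with Active Directory authorization."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample directory standing in for a real LDAP server.
CONSTRUCTED_DIRECTORY: Dict[str, dict] = {
    "cn=Administrator,cn=Users,dc=ace,dc=com": {
        "password": "admin-secret", "sAMAccountName": "Administrator", "memberOf": []},
    "cn=Alice,cn=Users,dc=ace,dc=com": {
        "password": "alice-pw", "sAMAccountName": "alice", "memberOf": ["Remote Access"]},
    "cn=Bob,ou=Contractors,dc=ace,dc=com": {   # lives outside the Base DN used below
        "password": "bob-pw", "sAMAccountName": "bob", "memberOf": ["Remote Access"]},
}

# Ports the guide lists for secure LDAP and secure Global Catalog queries.
SECURE_LDAP_PORTS = {636, 3269}


@dataclass
class LdapProfile:
    """The authentication-profile fields that drive the user lookup."""
    server: str
    port: int
    admin_name: str        # a bind DN here; domain\\user or user@domain forms also exist
    admin_password: str
    base_dn: str           # container under which user lookups begin
    user_attr: str = "sAMAccountName"
    group_attr: str = "memberOf"

    @property
    def uses_ssl(self) -> bool:
        return self.port in SECURE_LDAP_PORTS


CONSTRUCTED_PROFILE = LdapProfile(
    server="ldap.ace.example", port=636,
    admin_name="cn=Administrator,cn=Users,dc=ace,dc=com", admin_password="admin-secret",
    base_dn="cn=Users,dc=ace,dc=com")


class FakeLdapServer:
    """Minimal stand-in for an LDAP server offering bind, search and unbind."""

    def __init__(self, entries: Dict[str, dict]) -> None:
        self._entries = entries
        self.bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> bool:
        entry = self._entries.get(dn)
        self.bound_as = dn if entry is not None and entry["password"] == password else None
        return self.bound_as is not None

    def unbind(self) -> None:
        self.bound_as = None

    def search(self, base_dn: str, attr: str, value: str) -> List[Tuple[str, dict]]:
        """Return (dn, attributes) for entries under base_dn whose attr equals value."""
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        suffix = "," + base_dn.lower()
        return [(dn, {k: v for k, v in e.items() if k != "password"})
                for dn, e in self._entries.items()
                if dn.lower().endswith(suffix) and e.get(attr) == value]


@dataclass
class AuthResult:
    ok: bool
    user_dn: Optional[str]
    groups: List[str]
    reason: str            # for the local log only; never return it to the user


def authenticate(server: FakeLdapServer, profile: LdapProfile,
                 username: str, password: str) -> AuthResult:
    """Bind as the administrator, locate the user under Base DN, drop the
    administrator bind, then prove the user's password with a second bind."""
    if not server.bind(profile.admin_name, profile.admin_password):
        return AuthResult(False, None, [], "administrator bind failed")
    try:
        matches = server.search(profile.base_dn, profile.user_attr, username)
    finally:
        server.unbind()    # administrator credentials are released before the user bind
    if len(matches) != 1:  # unknown or ambiguous logon name: refuse
        return AuthResult(False, None, [], "user not found under Base DN")
    user_dn, attrs = matches[0]
    if not server.bind(user_dn, password):
        return AuthResult(False, user_dn, [], "user bind failed")
    server.unbind()
    return AuthResult(True, user_dn, list(attrs.get(profile.group_attr, [])), "ok")


def authorized(result: AuthResult, required_group: str) -> bool:
    """Group names must match exactly, including character and case."""
    return result.ok and required_group in result.groups
```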

To create an LDAP authentication profile


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click the Access Controller cluster name (the default is
CitrixController).
3. In the middle pane, under Common Tasks, click Edit cluster properties.
4. Select Authentication Profiles, click New and then select LDAP.
5. In Name and Description, type a name and description to define the profile.
6. Under Servers type, select the type of LDAP server you are using.
When you select the LDAP server, most of the other fields are populated
automatically with the default values of the LDAP server. You can change the
default values at any time. You can also select Other to complete each field with
your settings.
7. Under Servers list, click New and then type the name or IP address of the LDAP
server you want to use.
8. In Port, type the server port number that your LDAP server uses for LDAP requests.
The port numbers for LDAP connections are:
389 for unsecured LDAP connections
636 for secure LDAP connections
3268 to query the Global Catalog using unsecured LDAP connections
3269 to query the Global Catalog using secure LDAP connections
9. In Administrator Name, type the name of the administrative user that has access
to your LDAP server and the rights to look up user entries in the LDAP repository.
The following are examples of syntax for this field:
domain\user name (for Active Directory)
ou=administrators,dc=ace,dc=com
user@domain.name (for Active Directory)
cn=Administrator,cn=Users,dc=ace,dc=com
Active Directory uses the parameter domain\user name.
Access Gateway binds to the LDAP server using the administrator credentials and
then searches for the user. After locating the user, Access Gateway unbinds the
administrator credentials and rebinds with the user credentials.

201

Chapter 9

Managing the Access Gateway Appliance and Access Controller


10. In Administrator Password and Confirm Administrator Password, type the
password.
11. In BaseDN (location of users), type the distinguished name of the LDAP container
under which user lookups should begin. Examples of syntax for Base DN include:
ou=users,dc=ace,dc=com
cn=Users,dc=ace,dc=com
12. In User name attribute and Group name attribute, type the attributes under
which Access Gateway should look for user logon names and group names for the
LDAP server that you are configuring. Depending on the directory service you are
using, type one of the following attributes:
For Active Directory, use the default sAMAccountName.
For Novell eDirectory or Lotus Domino, use the default cn.
For IBM Directory Server, use the default uid.
For Sun ONE Directory, use uid or cn.
13. In Search scope, select the type of search that is appropriate for your LDAP server
type.
14. If you select Entire Directory for your search scope, in User Member Of Attribute
and Group Member Of Attribute, type the name of the group attribute Access
Gateway should use to obtain the groups associated with a user during
authorization. Depending on the directory service you are using, type one of the
following attributes:
For Active Directory, use the default memberOf.
For Novell eDirectory, use groupMembership.
For IBM Tivoli Directory Server, use the default member.
For Sun Directory Server, use the default member.
15. If you select Specify base DN for your search scope, provide the following:
a. In Directory container for group extraction, provide the distinguished name of
the LDAP container to use when searching for groups to which users belong.
b. In Group Extraction Filter, provide the LDAP filter which identifies instances of
groups in the container.
c. In Group member attribute, type the name of the attribute used on those
instances that identifies the group name.
16. Click OK twice.
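The following Python example is added here to illustrate the bind, search, unbind and rebind sequence described in step 9 and the attribute defaults listed in steps 12 and 14; it is not Citrix code and does not call Access Controller. It replaces the LDAP server with a small constructed in-memory directory, and the server name, distinguished names, account names and passwords in it are sample values. Its point for a practitioner is that the logon name typed by the user is escaped before it is placed in the search filter, so characters such as ")" or "*" cannot change the query, and that an unknown or ambiguous user never succeeds on the strength of the administrator bind alone.

```python
# Added example, not Citrix code: how the settings of an LDAP authentication
# profile drive the bind-search-rebind sequence of step 9, using an in-memory
# stand-in for the directory. All names, DNs and passwords are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default user-name and "member of" attributes per directory type (steps 12 and 14).
DIRECTORY_DEFAULTS = {
    "Active Directory":     {"user_attr": "sAMAccountName", "member_of": "memberOf"},
    "Novell eDirectory":    {"user_attr": "cn",             "member_of": "groupMembership"},
    "IBM Directory Server": {"user_attr": "uid",            "member_of": "member"},
    "Sun Directory Server": {"user_attr": "uid",            "member_of": "member"},  # uid or cn
}

SECURE_LDAP_PORTS = {636, 3269}   # 389 and 3268 carry the administrator bind in clear text


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a logon
    name such as 'x)(objectClass=*' cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class LdapProfile:
    server: str
    port: int
    admin_dn: str          # Administrator Name, e.g. cn=Administrator,cn=Users,dc=ace,dc=com
    admin_password: str
    base_dn: str           # BaseDN (location of users)
    directory_type: str    # key into DIRECTORY_DEFAULTS

    @property
    def user_attr(self) -> str:
        return DIRECTORY_DEFAULTS[self.directory_type]["user_attr"]

    @property
    def member_of_attr(self) -> str:
        return DIRECTORY_DEFAULTS[self.directory_type]["member_of"]

    def uses_secure_ldap(self) -> bool:
        return self.port in SECURE_LDAP_PORTS


def user_search_filter(profile: LdapProfile, logon_name: str) -> str:
    """The equality filter the profile sends after the administrator bind."""
    return "(%s=%s)" % (profile.user_attr, escape_filter_value(logon_name))


# Constructed in-memory directory (DN -> attributes) standing in for the LDAP server.
FAKE_DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=Administrator,cn=Users,dc=ace,dc=com": {
        "userPassword": "svc-lookup-secret", "sAMAccountName": "Administrator"},
    "cn=Alice Adams,cn=Users,dc=ace,dc=com": {
        "userPassword": "alice-pw", "sAMAccountName": "aadams",
        "memberOf": ["cn=Finance,cn=Users,dc=ace,dc=com"]},
}


def bind(directory: Dict[str, Dict[str, object]], dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry.get("userPassword") == password


def authenticate(profile: LdapProfile, directory, logon_name: str, password: str) -> Optional[str]:
    """Mirror step 9: bind as the administrator, search the Base DN for the user,
    unbind, then rebind with the user's own DN and password. Returns the user's
    DN on success and None on any failure (never falls back to the admin bind)."""
    if not bind(directory, profile.admin_dn, profile.admin_password):
        return None
    # An equality filter matches the escaped value literally, so the search
    # compares the attribute with the logon name exactly as typed.
    matches = [dn for dn, entry in directory.items()
               if dn.lower().endswith(profile.base_dn.lower())
               and entry.get(profile.user_attr) == logon_name]
    if len(matches) != 1:          # unknown or ambiguous user
        return None
    user_dn = matches[0]
    # (a real client unbinds the administrator session here)
    return user_dn if bind(directory, user_dn, password) else None


def groups_of(profile: LdapProfile, directory, user_dn: str) -> List[str]:
    """Groups used for authorization, read from the profile's member-of attribute."""
    return list(directory.get(user_dn, {}).get(profile.member_of_attr, []))


if __name__ == "__main__":
    profile = LdapProfile("ldap.ace.com", 636, "cn=Administrator,cn=Users,dc=ace,dc=com",
                          "svc-lookup-secret", "cn=Users,dc=ace,dc=com", "Active Directory")
    print(user_search_filter(profile, "x)(objectClass=*"))
    print(authenticate(profile, FAKE_DIRECTORY, "aadams", "alice-pw"))
```

Run as a script it prints the escaped filter and the resolved DN. Note that only the profile's port choice decides whether the administrator credentials are protected in transit: 636 and 3269 use secure LDAP, 389 and 3268 do not.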

Creating a RADIUS Authentication Profile on Access Controller

Authentication profiles allow you to configure RADIUS settings at the cluster level and
apply them to one or more logon points. Creating a RADIUS authentication profile
involves the following tasks:

• Define RADIUS server authentication to specify the RADIUS servers you want to use,
the time-out period, and to configure server load balancing or failover.
• Define RADIUS authorization using the attributes and values configured on your
RADIUS server.

To configure RADIUS authentication

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click the Access Controller cluster name (the default is
CitrixController).
3. In the middle pane, under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click Authentication Profiles, click New
and then select RADIUS.
5. In Name and Description, type a name and description to define the profile.
6. Under Servers List, click New.
7. In RADIUS Server Configuration, in Server name or address, type the IP address
or fully qualified domain name (FQDN) of the RADIUS server.
8. In Authentication port and Accounting port, type the port numbers.
The default port numbers are 1812 and 1813 respectively.
9. Under Enter Authentication or Authorization Credentials, in Authentication
secret and Confirm authentication secret, type the shared secret and then click
OK.
This shared secret is identical to the shared secret configured on the RADIUS server.
10. In RADIUS Profile Configuration, in Servers List use the Up and Down arrows to
change a server's position in the list.
11. If you want to change the period in which the user authentication process times
out for lack of a server response, change the value in Network time-out.
By default, authentication times out after five seconds.
12. Click OK twice.

Assigning Authentication Profiles to Logon Points

After you configure authentication profiles in Access Controller, you must assign these
profiles to a logon point. You can assign authentication profiles in the Delivery Services
Console in the Logon Point properties panels, on the Authentication and
Authorization pages. You can add Active Directory, LDAP, RADIUS, and RSA SecurID
profiles to the logon point.
If you assign an LDAP profile to authenticate users, you can use Active Directory, LDAP,
or RADIUS to authorize users. When using a RADIUS profile for authentication, you must
use the same profile for authorization. If you use RSA SecurID for authentication, you
can use Active Directory, LDAP, or RADIUS for authorization.
When you use RADIUS or LDAP profiles, you can specify how users access resources that
require Active Directory credentials. In scenarios where RADIUS or LDAP authenticate
and authorize users, you can enable single sign-on to Active Directory. This allows users
to access resources smoothly, without entering their Active Directory credentials. To do
this, you supply the single sign-on Active Directory domain. User accounts in the
default Active Directory domain match the user accounts on your RADIUS or LDAP servers.

To assign authentication profiles to a logon point

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click the Access Controller cluster name (the default is
CitrixController).
3. Expand Logon Points and then click the logon point you want to configure.
For more information about creating a new logon point, see Creating Logon Points
on Access Controller on page 205.
4. Under Common Tasks, click Edit logon point.
5. In Logon Points Properties, in the left pane, click Authentication and then click
the authentication profile you want to use to identify users in your organization.
6. In the left panel, click Authorization and then click the authorization profile you
want to use to determine the level of access users receive when they authenticate
successfully.
7. Click OK.

To configure double-source authentication on Access Controller

Access Controller supports double-source authentication that requires users to use two
authentication types to log on. Access Controller first checks the secondary
authentication type against the server. If authentication passes, Access Controller then
checks the primary authentication type. For example, if you configured LDAP and RSA
SecurID profiles on the appliance, when users log on, they type their LDAP password in
the first password field and the RSA SecurID personal identification number (PIN) and
passcode in the second password field. When users click Log on, Access Controller uses
the RSA SecurID PIN and passcode and then the LDAP password to authenticate users.
You configure double-source authentication when you create either Basic or
SmartAccess logon points in the Delivery Services Console. You can also change the
authentication profile after creating the logon point. When you configure the logon
point and double-source authentication, you can also select multiple authorization
types. LDAP authorization works with Active Directory, LDAP, RADIUS, and RSA SecurID
authentication. RADIUS authorization works only with RADIUS authentication. Active
Directory authorization works with LDAP, RADIUS, and RSA SecurID authentication.
Configuring double-source authorization is optional for the logon points.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand the Access Controller cluster name (the default is
CitrixController).
3. Click Logon Points and then select a logon point.

For more information about creating a new logon point, see Creating Logon Points
on Access Controller on page 205.
4. Under Common Tasks, click Edit logon point.
5. In Logon Point Properties, in the left pane, click Authentication.
6. Under Authentication Profiles, click Add to add the authentication profiles to the
logon point.
7. Under Authentication Profiles, click Primary to select the primary authentication
profile and then click OK.
The primary authentication profile is used for single sign-on.

Authenticating Traffic on Access Controller

When you deploy Access Gateway and Access Controller, Access Gateway typically
authenticates users by communicating directly with the authentication servers.
Depending on your deployment scenario, you can configure Access Controller to act as
the source of the authentication traffic when users log on. You can configure Access
Controller to authenticate user requests for LDAP, RADIUS, and RSA SecurID
authentication. For Active Directory authentication, the Access Controller always acts
as the source for authentication traffic.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click the Access Controller cluster name (the default is
CitrixController).
3. In the middle pane, under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click Authentication Profiles.
5. Select the LDAP, RADIUS, or RSA SecurID authentication profile and then click Edit.
6. Click Force authentication to occur at Access Controller and then click OK.

Creating Logon Points on Access Controller

The logon point defines the logon page for users and specifies settings that are applied
to user sessions. When you configure logon points on Citrix Access Controller, these
initial settings include the required logon point type, authentication type, the type of
endpoint analysis plug-in to use, the home page, and the Citrix XenApp server farms.
User sessions inherit the properties of the logon point through which they connect.
To determine the logon points you will need, consider:
• The users who are accessing your deployment. For example, users in a particular
department may require their own logon point. Likewise, users with a specific
relationship to your organization, such as partners, may require their own logon point.
• The devices with which users access the logon point. For example, users who access
resources with small form factor devices such as a PDA may require a logon point
separate from the logon point accessed with computers.
• The policies you want to create that restrict access to resources based on the logon
point used. For example, users who authenticate from a specific logon point can
access specific resources that are unavailable when the users authenticate from a
different logon point.
There are two types of logon points: Basic and SmartAccess.
There are two types of logon points: Basic and SmartAccess.

Basic Logon Points

A basic logon point allows users to connect using Citrix online plug-ins or Desktop
Receiver only.
Users can log on and connect to XenApp or XenDesktop only with a basic logon point.
You can configure the following settings for a basic logon point:
• Define the Web Interface home page. You must configure the Web Interface as a
Citrix Web Interface application in a Web resource.
• Configure the authentication type.

SmartAccess Logon Points

Users can log on with the Access Gateway Plug-in and have full network access with a
SmartAccess logon point. You can configure the following settings for a SmartAccess
logon point:
• Define the home page. The home page can be the Access Interface or another home
page.
• Configure the authentication type.
• Configure group authorization.
• Configure XenApp farms to use with the logon point.
• Configure sound and windows settings.
• Configure workspace control.
• Configure endpoint analysis.
• Select the endpoint analysis plug-in to use with the logon point.

Adding a Basic Logon Point

A basic logon point allows users to log on using Citrix online plug-ins or Desktop
Receiver. When users log on, they can only access published applications in XenApp
or published desktops in XenDesktop. Users who log on with a basic logon point use the
Platform license. The Universal license is not used.
To configure a basic logon point in your Access Controller deployment, you perform the
following tasks:
• Create the logon point using the Delivery Services Console
• Deploy the logon point using the Server Configuration utility.

To create a basic logon point

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, click Access Gateway and then click
the Access Controller cluster on which you want to create a basic logon point.
3. Click Logon Points and under Common Tasks, click Create logon point.
4. On the Define Logon Point page, do the following:
a. In Logon point name, type a unique name for the logon point.
b. In Description, type a description for the logon point.
c. In Type, select Basic.
d. Click Next.
5. On the Select Home Page page, select the Web Interface site to use as the home
page.
Before configuring the logon point, you must configure the Web Interface as a Web
application in a Web resource. For more information, see Creating Web Resources
on page 213.
6. On the Configure Authentication page, select the authentication profile you want
to use when users log on. For more information about configuring authentication,
see Creating Authentication and Authorization Profiles on Access Controller on
page 199.
7. On the Logon Page Visibility page, click Enable this logon point and then click
Finish.
If you want the Web Interface to authenticate users, click Unauthenticated on the
Define Logon Point page. If you do not enable this check box, Access Gateway
authenticates users by using the selected authentication profile in the logon point.

Adding a SmartAccess Logon Point

A SmartAccess logon point allows users to log on using the Access Gateway Plug-in and
access resources in the secure network. When users log on with the plug-in, they use a
Universal license.
To configure a logon point in your Access Controller deployment, you perform the
following tasks:
• Create the logon point using the Delivery Services Console
• Deploy the logon point using the Server Configuration utility.

To create a SmartAccess logon point

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, click Access Gateway and then click
the Access Controller on which you want to create a SmartAccess logon point.
3. Expand Logon Points and under Common Tasks, click Create logon point.
4. On the Define Logon Point page, do the following:
a. In Logon point name, type a unique name for the logon point.
b. In Description, type a description for the logon point.
c. In Type, select SmartAccess.
d. Click Next.
5. On the Select Home Page page, select the page to display after users log on.
Display the Access Interface. Displays the Access Interface, a built-in default
home page for users, with tabs for email, file shares, and published applications.
Display the Web resource with the highest priority. Displays the Web
application listed at the top of the display order list. To change the display
priority, click Set Display Order.
6. On the Configure Authentication and Configure Group Authorization pages,
select the authentication method and group authority you want to use when users
log on. For more information about configuring authentication, see Creating
Authentication and Authorization Profiles on Access Controller on page 199.
7. On the XenApp Server Farms page, add the farms that you want to make available
to users. If you are using the Web Interface to deliver published applications, you
do not need to add clusters to the logon point. For more information about using
the Web Interface with Access Controller, see Integrating XenApp and XenDesktop
with Access Controller on page 329.
8. On the Sound and Windows Settings page, configure options for sound, window
color, and window size.
9. On the Configure Workspace Control page, configure options that allow users to
reconnect to their open applications. If users have pop-up blockers enabled, they
are prompted to allow each application to open in a separate window.
10. On the Session Time-outs page, set the interval, in minutes, for the following time-out settings:
Session time-out. The length of time a session using the Access Gateway Plug-in is allowed to remain active. The default value is 1440 minutes (one day).
Note: Session time-outs work with the Access Gateway Plug-in only. If users
log on using the Access Interface, the session does not end after the specified
time.
Network inactivity time-out. The length of time a browser-only session or a
session using the Access Gateway Plug-in is allowed to remain active without
any traffic activity detected. The default value is 20 minutes.
User inactivity time-out. The length of time a session using the Access
Gateway Plug-in is allowed to remain active without any mouse or keyboard
input detected.
11. On the Logon Page Visibility page, select whether to show the logon page to users
who are logging on through Access Gateway or to set conditions for showing the
logon page to users logging on to Access Controller directly. The default logon
point is always visible to users logging on through Access Gateway. For more
information about using conditions for showing the logon page, see Setting
Conditions for Showing the Logon Page on page 228.
12. On the EPA Remediation page, type the message users will see if endpoint analysis
fails.
13. On the Select Plug-in page, select the endpoint analysis plug-ins you want to
deploy to users during logon.
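To make the three time-out settings of step 10 concrete, the following Python example (added here; it is not Citrix code) evaluates a session against them according to the descriptions above: the session time-out and the user inactivity time-out apply to Access Gateway Plug-in sessions only, while the network inactivity time-out also ends browser-only sessions. The session kinds, field names and sample times are this example's own assumptions; the default values are the ones the page states.

```python
# Added example, not Citrix code: which Session Time-outs page setting ends a
# session, following the descriptions in step 10. Sample times are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SessionTimeouts:
    session_minutes: int = 1440                     # Session time-out default (one day)
    network_inactivity_minutes: int = 20            # Network inactivity time-out default
    user_inactivity_minutes: Optional[int] = None   # no default stated on the page; None = off


@dataclass(frozen=True)
class Session:
    kind: str               # "plug-in" (Access Gateway Plug-in) or "browser" (Access Interface)
    started: datetime       # logon time
    last_traffic: datetime  # last traffic seen on the session
    last_input: datetime    # last mouse or keyboard input reported by the plug-in


def expiry_reason(session: Session, t: SessionTimeouts, now: datetime) -> Optional[str]:
    """Return the time-out that ended the session, or None while it is still active.
    Session and user inactivity time-outs apply to plug-in sessions only; network
    inactivity applies to both browser-only and plug-in sessions."""
    def minutes_since(moment: datetime) -> float:
        return (now - moment) / timedelta(minutes=1)

    if session.kind == "plug-in" and minutes_since(session.started) >= t.session_minutes:
        return "session"
    if minutes_since(session.last_traffic) >= t.network_inactivity_minutes:
        return "network inactivity"
    if (session.kind == "plug-in" and t.user_inactivity_minutes is not None
            and minutes_since(session.last_input) >= t.user_inactivity_minutes):
        return "user inactivity"
    return None


if __name__ == "__main__":
    t0 = datetime(2011, 5, 12, 8, 0)
    browser = Session("browser", t0, t0 + timedelta(minutes=1500), t0 + timedelta(minutes=1500))
    # A browser-only session outlives the 1440-minute session time-out as long as traffic flows.
    print(expiry_reason(browser, SessionTimeouts(), t0 + timedelta(minutes=1510)))
```

A consequence worth checking in a deployment: with the defaults, a browser-only session that keeps generating traffic never ends, so the network inactivity value is the only limit that applies to it.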

To deploy a logon point

You use Access Controller Server Configuration to deploy logon points. When you deploy
the logon point, it becomes visible for users.
1. Click Start > Programs > Citrix > Access Gateway > Server Configuration.
2. On the Logon Points page, select the logon point you want to deploy.
3. Click Deploy and then click OK.

Updating Logon Page Information

Access Gateway stores copies of the Web pages and graphic files that make up the
logon pages that users see when they access resources. You must update these files
when you:
• Deploy a new logon point
• Customize an existing logon page
• Redeploy a renamed logon point

To update logon page information

1. Click Start >Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, click Access Gateway and then click
an Access Controller server.
3. Click Logon Points and select the logon point you want to update.
4. In Common Tasks, click Refresh logon page information.
If Access Gateway is unavailable when you perform this task, the console displays an
error message indicating that the Access Gateway appliance is out of date. If Access
Gateway becomes available when you rerun the task, the console displays a message
indicating that the update was successful.

Setting the Default Logon Point

Default logon points enable users to log on to the cluster through Access Gateway
without specifying a logon point. You can use the Delivery Services Console to designate
a logon point as the default. You can only designate one logon point as the default at
any time.
When you set a logon point as the default, the logon point becomes visible
automatically to users who log on through Access Gateway. If, at a later time, you set a
different logon point as the default, the logon point remains visible to these users. If
you want the logon point to be visible only to users who log on to Access Controller
within your network, you must change the visibility settings in the logon point
properties.

To set a default logon point

1. Click Start > All Programs > Citrix > Management Consoles > Delivery Services
Console.
2. In the console tree, click Citrix Resources, click Access Gateway and then click
the Access Controller on which you want to set a default logon point.
3. Expand Logon Points and then select the logon point you want to designate as the
default.
4. Under Common Tasks, click Set as default logon point.

Removing Logon Points

If you no longer need a logon point for users, you can remove it. To remove a logon
point from your Access Controller deployment, you perform the following tasks:
• Remove any filters or endpoint analysis scan rules associated with the logon point
• Remove the logon point's virtual directory from the Access Controller server using
the Server Configuration utility
• Delete the logon point from the Delivery Services Console
You cannot delete the default logon point.

To remove a deployed logon point's virtual directory from the server

You can only remove deployed logon points.
1. Click Start >Programs>Citrix>Access Gateway >Server Configuration.
2. In Citrix Access Gateway Server Configuration, click Logon Points.
3. On the Logon Points page, select the logon point you want to remove, click
Remove and then click OK.

To delete a logon point from the console

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources and then click the Access Controller
server on which you want to delete a logon point.
3. Expand Logon Points and then select the logon point you want to delete.
4. Under Common Tasks, click Delete logon point.

Customizing the EPA Remediation Message

When access is denied because the user device does not meet the requirements
configured in logon point properties for displaying the logon page, users may see an
Access Denied page when attempting to access the logon page.
You can modify the message that appears on the Access Denied page to provide users
with troubleshooting information.
For example, you can customize the message with frequently asked questions and
technical support contact information. Another possible Access Denied page
customization is to redirect users to a Web page with links to client software
installation packages. You can create a unique message for each logon point.
Note: The maximum allowed message size is 2048 Unicode characters (20 KB).

To edit the Access Denied message

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the name of the Access Controller server on which you want to configure
an EPA remediation message.
3. Expand Logon Points and then click the name of a configured logon point.
4. Under Common Tasks, click Edit Logon Point.
5. In the Logon Point Properties dialog box, click EPA Remediation.
6. In the box, type the message text that you want users to see when the endpoint
analysis scan fails and then click OK.

Adding Resources to Access Controller

To control your network resources with Access Controller, you add them to a cluster in
the Delivery Services Console and then create policies for them.
Resources include those areas in your network that you want to provide for user access.
You can create the following resources on Access Controller:
• Resource groups that enable you to group different types of resources into a single
entity and apply policies to the group
• Network resources to define subnets or servers in your network to which users can
connect directly
• Web resources that define the Web pages, sites, or applications that you want to
secure with policies
• File shares made up of shared directories, folders, and files on your network that
you want to secure with policies
You can define network resources using the following formats:
• A single IP address
• A subnet in your network that includes the network address and subnet mask

Creating Network Resources

You configure network resources in Access Controller to define subnets or servers in
your network that users can connect to directly through Access Gateway using the
Access Gateway Plug-in. By default, users are denied access to network resources until
you create policies that grant them access permission.

To create a network resource

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
click the Access Controller cluster on which you want to create a network resource.
3. Expand Resources, click Network Resources and under Common Tasks, click
Create network resource.
4. In the Create Network Resource wizard, on the Define Network Resource page, in
Network resource name and Description, type a name and description for the
resource and then click Next.
5. On the Specify Servers and Ports page, click New and then configure one of the
following:
a. In Network IP address and Subnet mask type the IP address and subnet mask
for the network.
To define entire subnets, specify network addresses with subnet masks. For
example, to define all servers on the 10.x.x.x network, specify a subnet mask
of 255.0.0.0. To define a single server, you can define a specified network IP
address such as 10.2.3.4 with subnet mask 255.255.255.255.
b. In Single IP address, type the IP address of a server in your network to which
users have access.
6. In Port, specify the port or port range, click OK and then click Next.
You can specify multiple ports or port ranges by separating each port with a
comma and hyphenating ranges. For example, the entry 22,80,110-120 means
that the resource uses port 22, port 80, and all ports from 110 through 120.
User connections with the Access Gateway Plug-in through Access Gateway are
allowed on the specified ports.
7. In Protocols, select the network protocols used for the network resource.
8. Select Enable Logging to log connection information to the network resource.
9. Click OK and then click Next.
10. On the Add Policy page, select one of the following:
Add a default policy granting access to all users now
Note: If you create a default policy, you can edit its properties later.
Add a policy to grant access to all users later.
11. Click Finish.
After defining a network resource, you can change the default policy settings or create
policies that control its user access and connection settings.
The only access control permission you can grant for a network resource is to allow or
deny access. Because users connect directly to the services defined by the specified
port or network subnode, URL rewriting is not used. Connecting to resources through
URL rewriting is required if you want to tailor the level of access with action controls.
When users connect with the Access Gateway Plug-in, they can view a list of their
network resources in the plug-in properties.
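The following Python example is added to illustrate steps 5 and 6 and the deny-by-default behaviour described above; it is not Citrix code. It builds a network resource from the same address, mask and port notation the wizard uses (10.0.0.0 with mask 255.0.0.0 for a whole network, a single server with mask 255.255.255.255, and a port list such as 22,80,110-120) and checks a plug-in connection against the resources a policy has granted. The resource names, addresses, protocols and grants are constructed sample values.

```python
# Added example, not Citrix code: a network resource as defined on the Specify
# Servers and Ports page, and the allow/deny decision that a policy governs.
# Resource names, addresses and grants below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

PortRanges = List[Tuple[int, int]]


def parse_port_spec(spec: str) -> PortRanges:
    """Parse the Port field: ports separated by commas, ranges written with a hyphen,
    e.g. '22,80,110-120' -> [(22, 22), (80, 80), (110, 120)]."""
    ranges: PortRanges = []
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 65535:
            raise ValueError("bad port or range: %r" % part)
        ranges.append((low, high))
    return ranges


@dataclass(frozen=True)
class NetworkResource:
    name: str
    networks: Tuple[ipaddress.IPv4Network, ...]
    ports: Tuple[Tuple[int, int], ...]
    protocols: FrozenSet[str]
    logging: bool = False          # the Enable Logging check box

    @classmethod
    def define(cls, name: str, addresses: Iterable[str], port_spec: str,
               protocols: Iterable[str] = ("tcp",), logging: bool = False) -> "NetworkResource":
        """addresses are 'network/mask' strings; a 255.255.255.255 mask defines one server.
        strict=False lets a host address with a wider mask stand for its whole subnet."""
        nets = tuple(ipaddress.ip_network(a, strict=False) for a in addresses)
        return cls(name, nets, tuple(parse_port_spec(port_spec)), frozenset(protocols), logging)

    def matches(self, ip: str, port: int, protocol: str) -> bool:
        """True if a connection to ip:port over protocol falls inside this resource."""
        addr = ipaddress.ip_address(ip)
        return (protocol in self.protocols
                and any(addr in net for net in self.networks)
                and any(lo <= port <= hi for lo, hi in self.ports))


def connection_allowed(resources: Iterable[NetworkResource], granted: Set[str],
                       ip: str, port: int, protocol: str) -> bool:
    """Deny by default: a plug-in connection is allowed only if some resource that
    matches it has been granted to the user by a policy."""
    return any(r.name in granted and r.matches(ip, port, protocol) for r in resources)


if __name__ == "__main__":
    intranet = NetworkResource.define("intranet", ["10.0.0.0/255.0.0.0"], "22,80,110-120")
    mailhost = NetworkResource.define("mailhost", ["10.2.3.4/255.255.255.255"], "25", logging=True)
    print(intranet.networks[0], mailhost.networks[0])
    print(connection_allowed([intranet, mailhost], {"intranet"}, "10.2.3.4", 25, "tcp"))
```

Because the resource carries only address, port and protocol, the decision is binary, which matches the statement above that allow or deny is the only access control permission available for a network resource.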

Creating Web Resources

Web resources define the Web pages, sites, or applications that you want to secure in
Access Controller with policies. You can group multiple URLs and define them as a
single Web resource.
By default, users are denied access to a Web resource until you create policies in the
Delivery Services Console that grant access permission.
If you configure a Web resource in Internet Information Services (IIS) and use Digest
authentication, and you configure a Web resource in Access Controller without enabling
single sign-on, when users enter their authentication credentials, authentication fails.
To ensure that authentication succeeds, when you configure the Web resource in IIS,
use Basic authentication instead of Digest authentication.

To create a Web resource

1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
click the Access Controller on which you want to create the Web resource.
3. Expand Resources, click Web Resources and then under Common Tasks, click
Create Web resource.
4. In the Create Web Resource wizard, on the Create a Web Resource page, in Web
resource name and Description, type a name and description for the resource and
then click Next.
5. On the Configure Addresses page, click New.
6. In Web address, type the address.
Addresses can include:
Virtual directories but not individual documents. For example, you can add
http://PeopleManagementSystem/Recruiting/ but not
http://PeopleManagementSystem/How-to-Interview.html
Dynamic system tokens, such as http://www.MyCompany.com/users/#<FullName>
To use a dynamic system token, click Enable tokens (Select this option to
replace tokens for this resource).
Addresses cannot include:
General regular expressions, such as http://www.server[1-0]+.com/[A-Za-z]+(A-Za-z0-9)*/
Wildcards, such as *.MyURL.com or http://www.*/Dept/MyCompany.com
7. In Application type, select the type of Web application. The application type
determines if specialized information is needed in the Web address configuration.
Citrix Web Interface points to a Web Interface site displaying users' published
applications or desktops from Citrix XenApp or Citrix XenDesktop. For more
information, see Integrating XenApp and XenDesktop with Access Controller on
page 329.
Microsoft Outlook Web Access 2007 or Microsoft Outlook Web App 2010
points to the Exchange server that is running Outlook Web Access.
Microsoft SharePoint 2007 points to a SharePoint site.
Microsoft SharePoint with Web Interface Web Part points to a Web Part
designed to provide Citrix Web Interface as an area on a SharePoint site. This
application type supports SmartAccess features through the Web Interface.
Web Application points to a Web site URL that needs no specialized
configuration information. This application type is the default setting.
Web Application (requires session cookies) points to Web sites allowed to
receive cookies. By default, URL rewriting does not forward cookies to
redirected URL addresses. Also, URL rewriting does not pass cookies to the
default Web application type.
Note: If you configure Outlook Web Access or Outlook Web App and enable file
type association, you must disable the extension .js in XenApp to prevent users
from opening files with this extension. If you leave the .js extension enabled, users
might not be able to read emails or do other tasks in Outlook. You can use
Content Redirection in XenApp to disable the .js extension. For more information,
see To update file type associations in the XenApp documentation in the Citrix
eDocs library.
8. Click OK.
9. Select the following options to publish the resource in users' lists of resources if
you want this resource to appear in the Access Interface.
a. Select Publish for users in their lists of resources and then in Home page,
type the Web address.
w The home page must be a page within the exact Web address you specify in
Step 6. For example, if you enter http://MyCompany.net for the resource
address, you can specify a page within that site, such as
http://MyCompany.net/Finance.aspx.
w If your directory service uses the home page token, you can enter
#<HomePage> for the URL home page.
b. Select Publish as Featured Application.
10. Click Next.
11. On the Add Policy page, select one of the following:
Create a default policy granting access to all users.
Note: If you create a default policy, you can edit its properties later.
I will create a policy to grant access later.

Configuring Single Sign-on for Web Resources


When you enable single sign-on to Web resources, users do not have to enter their
credentials a second time.
If you are using double source authentication, Access Controller uses the primary
authentication type for single sign-on.

To configure single sign-on to Web resources


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to configure single sign-on.
3. Expand Resources, expand Web Resources and then click a resource.
4. Under Common Tasks, click Edit Web resource.
5. On the Web Resources Properties page, click Web Addresses.
6. Under Web address, select a resource and then click Edit.
7. In Edit Web address, click Enable single sign-on and then click OK.
8. Repeat Steps 6 and 7 for each resource on which you want to enable single sign-on
and then click OK.

Creating File Shares


File shares are made up of shared directories, folders, and files in your network that
you want to secure in Access Controller with policies.
You can group multiple shares and define them as a single resource. Grouping file
shares requires you to create fewer policies, because each policy you create for the
resource applies to all shares in the group.
By default, users are denied access to file shares until you create policies in the
Delivery Services Console that grant them access permission.

To create a file share


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to create a file share.
3. Expand Resources, click File Shares and under Common Tasks, click Create file
share.
4. In the New File Share wizard, on the Define File Share page, in File share name
and Description, type a name and description for the resource and then click Next.
5. On the Configure Addresses page, click New.
6. On File Share, in Display name type a name for the file share.
7. In File share location type the path to the file share, such as \\MyServer\SharedFiles-Folder.
You can include addresses for specific document files, as well as directories.
You can use dynamic system tokens, such as #<username>. To use system
tokens, the service account in the Server Configuration for Access Controller
must be a domain account and not a local computer account. If you are using
tokens, select Enable token (Select this option to replace tokens in the
resource).
8. Select Publish for users in their list of resources if you want this resource to be
listed in the Access Interface.
If you do not select the option to publish a file share, users can still navigate to
the share in their browsers as long as a policy allows access to the file share. A file
share that a user has access to but is not published can also be accessed if it
appears embedded in a Web page or email.
9. Click OK and then click Next.
10. On the Add Policy page, select one of the following:
Create a default policy granting access to all users.
Note: If you create a default policy, you can edit its properties later.
I will create a policy to grant access later.
11. Click Finish.

Configuring Single Sign-on to File Shares


When you enable single sign-on to file shares, users do not have to enter their
credentials a second time.
If you are using double source authentication, Access Controller uses the primary
authentication type for single sign-on.


To configure single sign-on to file shares


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to configure single sign-on.
3. Expand Resources, click File Shares and then click a file share.
4. Under Common Tasks, click Edit file share.
5. In the File Share Properties page, click Share Locations.
6. Under Display Name, select a file share and then click Edit.
7. In File Share, click Enable single sign-on and then click OK.
8. Repeat Steps 4 and 5 for each file share on which you want to enable single sign-on
and then click OK.

Using Dynamic Systems Tokens


You can use dynamic token replacement in Universal Naming Convention (UNC) or URL
addresses when defining resources, so that the address is completed with information
retrieved from the directory service. Dynamic token replacement substitutes user
attributes obtained from Active Directory for the tokens in the address.
Note:
w To use Dynamic System tokens, you must add the authentication profile used to
retrieve the tokens (attributes) to the authorization profiles list.
w There is one attribute from Lightweight Directory Access Protocol (LDAP) or
Windows NT Directory Services that you can use without Active Directory. This is the
#<username> attribute. All other attributes require Active Directory. For example, if
an enterprise with thousands of employees provides each user with a unique file
share named for the user, it is more efficient to use a token in place of the user
name rather than listing each explicit file share to define the resource group.
w To use system tokens, the service account in the Server Configuration for Access
Controller must be a domain account and not a local machine account.
Use the following syntax for token replacement:
#<Attribute>
Examples:
\\Public-shares\Departments\#<Department>\Reports
http://inotes.my-server.com/mail/#<username>.nsf
Active Directory Attributes
The following attributes can be used with Active Directory.
#<Department>
#<displayname>
#<Division>
#<domain>
#<EmployeeId>
#<FirstName>
#<FirstNameInitial>
#<FullName>
#<HomeDirectory>
#<HomePage>
#<Initials>
#<LastName>
#<LastNameInitial>
#<OtherName>
#<UPN>
#<username>
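As an added illustration of the token syntax above (example code, not part of the guide or of Access Controller), the following Python function expands #<Attribute> tokens in a UNC path or URL from a user's directory attributes. The sample user record, the case-insensitive attribute lookup and the rule that the two Initial tokens are derived from FirstName and LastName are assumptions of this example. It also models two points from the notes: only #<username> resolves without Active Directory, and tokens are expanded only when the resource's Enable tokens option is selected. A token that cannot be resolved is left in place and reported rather than silently dropped, so a half-expanded path is never handed to users as if it were the intended resource.

```python
import re

# Constructed sample directory record for this example (not from the guide).
# Keys mirror the attribute names the guide lists; lookups are case-insensitive.
SAMPLE_USER = {
    "username": "jdoe",
    "domain": "CORP",
    "FirstName": "Jane",
    "LastName": "Doe",
    "FullName": "Jane Doe",
    "Department": "Finance",
    "HomeDirectory": r"\\FileSrv01\Home\jdoe",
}

# Tokens have the form #<Attribute>; attribute names are letters only.
TOKEN_RE = re.compile(r"#<([A-Za-z]+)>")

# The one token that works with plain LDAP or NT directory services; every other
# attribute requires Active Directory (see the note above).
NON_AD_TOKENS = {"username"}


def directory_attributes(user, active_directory=True):
    """Build a case-insensitive attribute map for one user.

    The FirstNameInitial/LastNameInitial values are derived from FirstName and
    LastName here; that derivation is an assumption of this example.
    """
    attrs = {k.lower(): v for k, v in user.items()}
    if "firstname" in attrs and "firstnameinitial" not in attrs:
        attrs["firstnameinitial"] = attrs["firstname"][:1]
    if "lastname" in attrs and "lastnameinitial" not in attrs:
        attrs["lastnameinitial"] = attrs["lastname"][:1]
    if not active_directory:
        attrs = {k: v for k, v in attrs.items() if k in NON_AD_TOKENS}
    return attrs


def replace_tokens(address, user, tokens_enabled=True, active_directory=True):
    """Expand #<Attribute> tokens in a UNC path or URL for one user.

    Returns (expanded_address, unresolved_token_names). With tokens disabled
    (the resource's Enable tokens option not selected) the address is returned
    untouched. A token that cannot be resolved is left in place and reported so
    the caller can refuse to publish a partially expanded address.
    """
    if not tokens_enabled:
        return address, []
    attrs = directory_attributes(user, active_directory)
    unresolved = []

    def substitute(match):
        name = match.group(1)
        value = attrs.get(name.lower())
        if value is None:
            unresolved.append(name)
            return match.group(0)  # leave the token as written
        return value

    return TOKEN_RE.sub(substitute, address), unresolved


if __name__ == "__main__":
    for addr in (r"\\Public-shares\Departments\#<Department>\Reports",
                 "http://inotes.my-server.com/mail/#<username>.nsf",
                 r"\\Archive\#<FirstNameInitial>#<LastName>\docs"):
        print(addr, "->", replace_tokens(addr, SAMPLE_USER))
```

Running the block with the guide's two examples gives \\Public-shares\Departments\Finance\Reports and http://inotes.my-server.com/mail/jdoe.nsf for the sample user; with active_directory=False only #<username> expands and #<Department> is reported as unresolved, which is the situation the note about LDAP and NT directory services describes.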

Creating Resource Groups to Ease Policy Administration


Resource groups enable you to group different types of resources into a single entity
and apply policies to the group. Using resource groups in Access Controller requires
fewer total policies and eases policy administration. The basic steps for bundling
resources are:
w Decide which resources you want to provide to users under a specific access
scenario. For example, make a list of all the resources (network, Web sites, and file
shares) that your sales force needs to access from corporate laptops they use on the
road.
w Ensure that each of the resources is configured in the Delivery Services Console. For
example, if you want to include five corporate Web sites and access to Outlook Web
App, make sure you configure one or more Web resources that include these sites
and configure Outlook Web App before you create the resource group.
w Create a resource group that includes all the resources you listed.
w Create a filter that includes your requirements for the access scenario. For
example, you can create a filter that requires users to authenticate with RSA
SecurID authentication, log on to your Sales logon point, and pass specified endpoint
analysis scans of the user device.
w Create a policy for the resource group. Associate the policy with the filter you
create and select the action controls you want for each resource.
Resource group names or descriptions do not appear to users in their published lists of
resources. The name and description you define for a resource group are for
administrative use only. If you choose to publish a Web resource or file share, users see
the resource's description (not the description of the resource group) in their list of
resources.
Each resource type has a wizard to guide you through adding the resource. These
wizards are available from Common Tasks in the Delivery Services Console when you
select the Resources node.
By default, users are denied access to any resource you define until you create policies
that grant access permissions. This includes all resources and resource groups.


To create a resource group


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to create a resource group.
3. Expand Resources, click Resource Groups, and under Common Tasks, click Create
resource group.
4. In the New Resource Group wizard, on the Define Group page, in Resource group
name and Description, type a name and description for the resource and then
click Next.
5. On the Select Resources page, under Available resources, select the Web
resources, network resources, or file shares to add to the group and then click
Finish.

Controlling Access Through Policies


Policies on Access Controller provide granular control of access at the resource level.
You can use access policies to:
w Define access permissions for specified users to resources under specified
conditions. For example, an access policy determines whether or not a group of
users can access a certain file share or Web resource.
w Leverage the power of filters to apply policies based on information detected about
the user device, who users are, the strength of their authentication, and from
where they are logging on. Filters provide the flexibility to match policies to your
access scenarios.
Policies also extend the security of your network environment by enabling you to control:
w Connections. You can control Access Gateway Plug-in connections and apply
settings to those connections.
w Endpoint Analysis. You can block users' ability to connect to your resources unless
they meet security requirements, such as identity, authentication, antivirus,
firewall, and client software.
This section discusses how to implement policies and formulate strategies to control
resources according to the user scenario.
Note: Take care not to confuse access policies with connection policies. Connection
policies enable Access Gateway Plug-in connections and apply settings to those
connections. You must allow use of the Access Gateway Plug-in to establish
connections to any network resource, because these types of resources do not allow
browser-only access. For more information, see Configuring Access Gateway Plug-in
Settings in Access Controller on page 291.


Controlling User Access


Policies on Access Controller help you secure your network even before users log on and
allow you to extend that security down to the individual resource level.
After users pass your security requirements for connecting, they must be granted
explicit permission to a resource before the resource is available to them. You control
this access through policies defined for each resource or group of resources.
By default, users are not provided permission to access or take action on any resources
on your networks. You must define your resources for the cluster and then create
policies that grant access to them and control actions users can perform on them.
Policies on Access Controller extend the operating system security settings and cannot
override them. For example, if a user is denied access to a file share in the share's
Windows NT File System (NTFS) security settings, granting access to that file share
through Access Gateway policies does not allow access to the file share.
Note: Access to applications and resources published by XenApp is not controlled by
Access Controller policies. Access to these resources depends on the properties of
the logon point through which users log on and the permissions that users are
assigned in XenApp.

Integrating Your Access Strategy


The way you define resources and create policies on Access Controller is influenced by
your overall strategy for controlling access. The goal is to make sure users get the level
of access that you can securely provide given the user situation.
Your strategy determines how you pool resources and design policies.
Pooling Resources by Access Needs
Before defining resources and creating policies, pool resources into resource groups
that reflect their relative security requirements. When you define resources, group
similar resources together.
For example, you might create a resource group that contains several file shares and
Web resources that require very restricted access when users are connecting remotely.
In another resource group, you might add Web resources and file shares that you want
users to have access to at all times, as long as they have a trusted user device.
Designing Policies from User Scenarios
Plan policies according to a basic set of user scenarios, such as the scenarios presented
in the following table. Start with just a few scenarios. Define a few types of resources,
pool them into resource groups, and practice creating policies until you have enough
policies to cover all the user scenarios needed in your organization.
The following table provides a few example scenarios of user situations with different
access and the actions that might be permitted with the resources:


User device: Company computer running required antivirus software
Resources users can access: All internal networks and file systems; Enterprise portals
and Web applications; Published applications through XenApp; Other applications
Actions users can take: Download files; Full email services; Upload files; Edit files on
servers running XenApp

User device: Remote user device running required antivirus and firewall software
Resources users can access: Web applications; Published applications through XenApp;
Limited access to file systems; Servers or services defined as network resources
Actions users can take: Limited client mapping or printing documents on servers running
XenApp; Connect directly to network resources through Access Gateway using the
Access Gateway Plug-in

User device: Public kiosk running a required browser
Resources users can access: Web applications; Outlook Web Access or Outlook Web App
access only
Actions users can take: No client mapping or printing documents on servers running
XenApp; Limited access to published applications

User device: Small form factor device, including SmartPhones, iPhone, and iPad
Resources users can access: Outlook Web Access or Outlook Web App access only
Actions users can take: View Outlook Web Access or Outlook Web App, which supports
refactoring for small devices; No application access

User device: Remote laptops for system administrators who cover emergencies from home
Resources users can access: Full access to individual mission critical applications
defined as network resources, or full access to the entire network
Actions users can take: Connect directly to network resources through Access Gateway
using the Access Gateway Plug-in


After you develop an access strategy, you configure resources, policies, and filters in
combinations that comply with and extend your security guidelines. Resources and
policies define the access control you allow. Filters define when and under what
conditions the access is granted.
Differentiating Access Control and Publishing
Allowing access to a resource through policy control is not the same as publishing the
resource. When you define file shares and Web resources, you can choose to publish
the resource, which means it is listed for users on the Access Interface or third-party
portals.
Enabling the access permission to a Web resource permits the user to view it with a
browser. What the user can do with the item or which application is used to open it
depends on the group of policy settings you have defined for the resource. Simply
enabling the access permission for a resource does not provide navigation to that
resource. For example, if you enable the access permission to a Web address but do not
publish it, users can get to the Web address only through a link embedded on a Web page.
You must create a Web resource or network resource for any application that you want
users to have remote access to. You must create policies for these items granting
explicit Access permission for users. Configuring file share access is slightly different
than for Web resources, because you do not choose the Access permission in policies
for file shares. Users can view a file share resource through their browser if you publish
the resource and if the operating system access control list (ACL) allows access
permission to the users. Policies for file shares define the users who can view the file
share, the actions those users are allowed to take on the documents in those file
shares, and the conditions under which they can take the actions.

Creating Access Policies


You must create policies on Access Controller to provide users with access to resources.
By default, users do not have access privileges to any resource. When you create an
access policy, you define who has access, the conditions under which access is granted,
and the granular access controls that are allowed or denied.
When you create an access policy for a Web Interface, Outlook Web Access 2007, or
Outlook Web App 2010 Web resource, you must set the access permission to Extended.
When you set this access permission for the Web Interface, the access policy allows
published applications to appear.

To create an access policy


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to create a policy.
3. Click Policies and under Common Tasks, choose Create access policy.
4. In the New Access Policy wizard, in Name and Description, type a name, describe
the policy and then click Next.
5. On the Select Resources page, select the resource groups and resources for the
policy to control.
Select Network Resources>Entire Network if you want this policy to control
access to all visible servers and services on the network.
Note: Take care to review selections in the available resources tree. When you
select or clear a category of resource, such as File Shares, all items grouped
under that category are selected or cleared. Expand nodes to display the
selections under each category.
6. On the Configure Policy Settings page, enable each desired setting individually
and then click Next.
It is possible to select policy settings on the Configure Settings page for types of
resources that you did not select for the policy to control. The policy applies
settings only for the resources that are selected for the policy.
7. On the Select Filter page, select a filter that defines the conditions to be met for
the policy to be enforced.
You can create a new filter from the Select Filter page by clicking New and
following the steps in the wizard.
If you have not yet configured filters, you can edit the policy and assign a filter to
it later.
8. On the Select Users or Groups page, select the users to whom the policy applies.
You can select to apply the policy to all authenticated users or click Add to choose
individual groups or users.
Note: If multiple policies apply to a resource, a policy that denies access takes
precedence over other policies that allow access.

Naming Policies
All policy names must be unique. Developing a consistent naming convention or
practice eases the administration of policies. Because you define policies per resource
to provide granular control, you can potentially create many policies. The naming
convention you develop should help you quickly identify the resource and, if possible,
the level of access you are applying.
You can develop a convention that meets your organization's needs. In general, the
policy name should include the resource. One typical naming convention names policies
by resource name and adds an access level phrase that coincides with your access
strategy or the permissions allowed. For example:
w Web resource X_full access_all users
w Web resource X_limited access_field users
w Web resource X_full access_administrators
w File share Z_all actions_all users
w File share Z_restricted actions_unknown devices
You can change the name of default policies.


To change a policy name


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to change the policy name.
3. Select the policy in the right details pane of the console.
4. Right-click the policy and then click Edit policy properties.
5. In the policy Properties page, in the left pane, click Name.
6. In the right pane, in Policy name, change the name and then click OK.

Creating Policy Settings to Control User Actions


Policies on Access Controller for resources opened through the browser (Web resources,
file shares, and network resources) enable you to control not only access, but also what
actions users can perform with the resource.
Policy settings enable you to allow or deny specific action controls. You configure
policy settings in the Delivery Services Console policy wizard or policy properties.
The policy settings that are available when you create a policy depend on the type of
resource you are securing and your environment. For example, if the cluster is not
configured to link to a server farm running XenApp, the file type association permission
setting is not available.
Depending on the type of resource and your cluster configuration, you can allow or
deny the following policy settings.
Access
Allows users access to the resource through a Web browser or Access Gateway Plug-in
connection.
For Outlook Web Access or Outlook Web App, this setting allows all functionality
provided by Outlook, such as viewing and sending emails, managing the calendar, and
viewing an address book, but does not allow the ability to access email attachments.
For network resources, Access allows a direct connection to the resource using the
Access Gateway Plug-in. Access is the only permission you can set for network
resources.
The access settings for network resources are allow or deny. For Web resources and
file shares, the access settings are basic, extended, or deny. If any setting is set to
deny, all the settings are denied for that policy.
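Two precedence rules govern how settings combine: within a policy, a deny in any setting denies all of that policy's settings (stated just above), and across policies, a policy that denies access takes precedence over policies that allow it (the note under "To create an access policy"). The Python below is an added model of how the policies that apply to one user and resource combine; it is example code, not Access Controller's own evaluation logic. The AccessPolicy class, the constructed sample policies (named after the naming convention in "Naming Policies") and the choice to keep the strongest access level when only allows remain are assumptions of the example. It covers Web resources and file shares, where access is basic, extended, or deny and the other settings are allow or deny; the outcome of each policy's filter is taken as a precomputed flag.

```python
from dataclasses import dataclass

# Access levels for Web resources and file shares, weakest to strongest.
ACCESS_RANK = {"deny": 0, "basic": 1, "extended": 2}


@dataclass
class AccessPolicy:
    name: str
    resources: frozenset          # resources (or resource-group members) the policy controls
    users: frozenset              # user or group names; "*" = all authenticated users
    settings: dict                # "access": basic/extended/deny; other settings: allow/deny
    filter_matched: bool = True   # outcome of the policy's filter for this session (assumed precomputed)

    def applies_to(self, user, groups, resource):
        if resource not in self.resources or not self.filter_matched:
            return False
        return "*" in self.users or user in self.users or bool(self.users & groups)

    def effective_settings(self):
        # Guide: if any setting in a policy is set to deny, all settings of that policy are denied.
        if any(v == "deny" for v in self.settings.values()):
            return {k: "deny" for k in self.settings}
        return dict(self.settings)


def evaluate(policies, user, groups, resource):
    """Combine every policy that applies to this user and resource.

    A deny from any applicable policy wins over an allow from another (the guide's
    precedence rule). When only allows remain, the strongest access level is kept;
    that tie-break is an assumption of this example. An empty result means no
    policy applies, which is the default: no access.
    """
    groups = frozenset(groups)
    result = {}
    for policy in policies:
        if not policy.applies_to(user, groups, resource):
            continue
        for setting, value in policy.effective_settings().items():
            current = result.get(setting)
            if value == "deny" or current == "deny":
                result[setting] = "deny"
            elif setting == "access":
                if current is None or ACCESS_RANK[value] > ACCESS_RANK[current]:
                    result[setting] = value
            else:
                result[setting] = "allow"
    return result


def sample_policies(restricted_filter_matched=False):
    """Constructed policies following the naming convention shown in the guide."""
    return [
        AccessPolicy("Web resource X_full access_all users", frozenset({"WebX"}),
                     frozenset({"*"}), {"access": "extended", "download": "allow"}),
        # A deny on download makes this whole policy a deny once its filter matches.
        AccessPolicy("Web resource X_restricted actions_unknown devices", frozenset({"WebX"}),
                     frozenset({"*"}), {"access": "basic", "download": "deny"},
                     filter_matched=restricted_filter_matched),
        # File share policies carry no Access setting, only action settings.
        AccessPolicy("File share Z_all actions_all users", frozenset({"ShareZ"}),
                     frozenset({"Sales"}), {"download": "allow", "upload": "allow"}),
    ]


if __name__ == "__main__":
    print(evaluate(sample_policies(), "jdoe", ["Sales"], "WebX"))
    print(evaluate(sample_policies(restricted_filter_matched=True), "jdoe", ["Sales"], "WebX"))
```

With the "unknown devices" filter not matching, jdoe gets extended access and download on WebX; as soon as that filter matches (an unknown device), its download deny turns the whole policy into a deny, and that deny overrides the full-access policy for both settings. A user with no applicable policy gets an empty result, which is the default-deny state the guide describes.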
Document Control
You can limit the documents that users can download or open by using document
control. You add document file type extensions to the document control list. Users
can only open the documents using file type association, provided that you allow file
type association in Access Controller and the document control setting is Limited. If
you set document control to Full, it applies to all extensions, not just the ones in the
list. Users cannot open any document unless you allow file type association. If you
configure document control and do not allow file type association, users cannot open
documents. If you disable document control or if the list is empty, there are no
restrictions based on document type.
If document control is enabled, the allow setting for Web resources is limited
document control. For file shares, you can configure both limited and full.
File Type Association
Allows users to open documents in applications published through XenApp. You can
use this permission to allow users to open and edit documents on servers in the
trusted environment and avoid sending the document to the users device. You can
use file type association only for document types that are associated with a
published application and only if the logon point properties are correctly configured.
Allowing File Type Association
Allowing file type association for a resource enables users to open the resource with an
application running on XenApp. Providing file type association as the only means for
editing resource documents can heighten security because it requires that editing occur
on the server and not on the user device.
For example, you might choose to grant file type association for a file share where
employees post reports of ongoing project meetings, without providing the ability to
download or upload.
Providing file type association requires that:
w Users run Citrix online plug-in software on the user device.
w Users connect through a logon point configured for XenApp.
w Users are assigned to the desired applications in XenApp.
w XenApp is configured to work with Access Controller.

Creating Policy Filters


Filters define the conditions under which the policy on Access Controller applies.
Consider the following example of a policy statement:
Allow access permission only to the Quarterly Sales Reports file share for Sales
department users when they log on from outside using double source authentication.
The filter part of the above policy statement is "when they log on from outside the
secure network using double source authentication." If you authenticate remote
workers through a specific logon point, you can filter by the logon point and you can
require the use of a user name, a password, and a personal identification number
(PIN) and code from a token.
In the Delivery Services Console, you can configure three types of conditions for a filter:
w Logon point. Applies the policy based on the URL with which the user connects to
the network.
w Authentication strength. Applies the policy based on the authentication type being
used. The options available in the filter depend on the authentication configurations
you have set up. For more information, see Creating Authentication and
Authorization Profiles on Access Controller on page 199.
w Endpoint analysis scan outputs. Applies the policy based on information gathered
by endpoint analysis scans of the user device. You must configure scans before any
scan outputs are available to integrate into a filter.
Filters are designed so you can name them and use the same filter for multiple
policies. Each policy uses one filter only. To achieve the effect of using multiple filters,
you can use the custom filter feature to create complex filters that contain other filters.

To create a policy filter


You can create a filter before, at the same time, or after you create the policies you
want to associate with it.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to create a policy filter.
3. Expand Policies, click Filters, and under Common Tasks, click Create filter.
You can also create a filter from within a policy wizard by clicking Select Filters
and then clicking New.
4. In the Create a Filter wizard, in Filter name and Description, type a name and
describe the filter and then click Next.
5. On the Choose Filter Type page, select the option Create a typical filter and then
click Next.
6. On the Select Logon Points page, under Available logon points, select a logon
point and then click Add.
The policy applies when users enter through specific logon points.
7. If you want the policy to apply based on the authentication type used, on the
Select Authentication page, select the authentication type.
If you have multiple authentication profiles configured, select the profile you want
to use from the drop-down box.
8. If you want the policy to apply based on endpoint analysis scans of the user device,
on the Select Endpoint Analysis Outputs page, under Available endpoint analysis
outputs, select a scan and then click Add.
Each type of filter condition is optional. For example, you can configure a filter based
on logon point only.
Logically, the conditions defined in a filter are combined with the AND logical operator,
and within a condition type, the settings are combined with an OR operator. For
example, if your filter settings specify Logon Point A, Logon Point B, and Scan Output
C, the policy is applied with the following logic:
(Logon Point A or Logon Point B) and Scan Output C


Creating Custom Filters


You can create custom filters in Access Controller that use logical expressions with the
operators AND, OR, and NOT. These logical expressions allow you to create filters with
greater complexity than you can with typical filters. With typical filters, you are
limited to selecting conditions that the wizard combines with AND logic only. Because
they are made from logical expressions, custom filters provide more complexity and
flexibility, but they are harder to create.
Using custom filters is optional and not required for common configurations. For ease
of administration, use typical filters.

To build a custom filter with logical expressions


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to create a custom filter.
3. Expand Policies, click Filters, and under Common Tasks, click Create filter.
4. In the New Filter wizard, in Name and Description, type a name and describe the
filter and then click Next.
5. On the Choose Filter Type page, select Create a custom filter and then click
Next.
6. On the Build Custom Filter page, use the logical expression builder to create an
expression that reflects the conditions you want to be met before the policy is
enforced.
Insert the logical operators AND, OR, and NOT along with elements for logon
point, authentication, endpoint analysis output, or another filter to create the
logical expression.
Note that the Root object displayed in the expression builder does not affect
expression logic. The root signals the beginning of your expression tree.

Example: Creating a Custom Filter


Assume for this example that your network security strategy is to deny logon privileges
to user devices running Windows XP unless those devices have Windows XP Service Pack
3 installed OR are running Internet Explorer 7.0. You want to build a filter for this
scenario that you can assign to a policy that includes the Allow Logon privilege.
Before creating the custom filter, create two scans as follows:
1. Use Citrix Scans for Windows Service Pack to create a scan with these settings:
Rule conditions: operating system = Windows XP; user device regional locale = all
Property value to verify: Service Pack 3
2. Use Citrix Scans for Internet Explorer to create a scan with these settings:
Rule conditions: operating system = Windows XP; user device regional locale = all
Property value to verify is the minimum required version: 7.0
3. On the Build Custom Filter page of the New Filter wizard, follow these steps to
create the logical expression:
a. Click OR from the Insert group box.
b. Click Endpoint Analysis Results and choose the scan output for Service Pack 3.
c. Select OR in the expression builder and click Endpoint Analysis Results again to
choose the scan output for Internet Explorer Version 7.0.
The result in the expression builder appears as:
OR
    Citrix Scans for Windows Service Pack.scan_name.Verified-WindowsService-Pack
    Citrix Scans for Internet Explorer.scan_name.Verified-InternetExplorer
where scan_name is the name you assigned to the scans.

Setting Conditions for Showing the Logon Page


The logon point sends the logon page to the user device browser, allowing users to
enter their credentials. You can make the display of the logon page conditional by
requiring that user devices pass endpoint analysis scans before displaying the page. You
configure this as part of a SmartAccess logon point.
This Access Controller feature adds security to your logon page. For example, you can
create an endpoint analysis scan that verifies that the user device is running your
required level of antivirus protection. User devices that are not running the required
level of antivirus protection might host a virus or sniffing program that records a user's
keystrokes. Such malicious programs can record and steal credentials as users log on.
You can set conditions for showing the logon page in logon point properties in the
Delivery Services Console. If users do not meet the specified conditions, they receive
an access denied error when they attempt to open the logon page URL.
If you do not set any conditions in the Logon Page Visibility section of logon point
properties, the logon page is visible to any user who is allowed to browse to the URL.

To set conditions for showing the logon page


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, expand Access Gateway, expand the
Access Controller on which you want to adjust logon point settings and then click
Logon Points.
3. Select the logon point and under Common Tasks, click Edit logon point.
4. In Logon Point Properties, select the Logon Page Visibility section.
5. Select Only show logon page when these conditions are met.
6. If you want to show the logon page conditionally, use the logical expression builder
to define the conditions to be met by the connecting user device.
a. Insert the logical operators AND, OR, and NOT and then click Endpoint Analysis
Output to choose from a list of your configured scans.
b. Review the resulting logical statement in the Expression preview.
Note: The expression builder appears unavailable until you have created
endpoint analysis scans.
The Root object that appears in the expression builder does not affect expression
logic. The root signals the beginning of your expression tree.

Example 1: An Expression Requiring One Scan


To create an expression that requires the user device to be running a required level of
McAfee VirusScan, click Endpoint Analysis Output and choose the scan output for the
antivirus application. The expression builder contains:
Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan
where scan_name is the name you assigned to the scan when you created it.

Example 2: Creating a Conditional Expression with OR


Assume that the conditions you want to set are reflected by the following statement:
Show the logon page to users with user devices that are running a required level of
McAfee VirusScan or McAfee VirusScan Enterprise. Before you build this conditional
expression, you must create an endpoint analysis scan for your required versions of
McAfee VirusScan and McAfee VirusScan Enterprise.
Note: This example requires you to have configured two endpoint analysis scans to
verify whether or not the user device is running McAfee VirusScan or McAfee
VirusScan Enterprise. For information about creating scans, see Creating Endpoint
Analysis Scans on page 234.
1. Select the Root object in the tree and then click OR.
2. Click Endpoint Analysis Output and choose the scan output for McAfee Virus Scan.
3. Click Endpoint Analysis Output and choose the scan output for McAfee Virus Scan
Enterprise.
The result of this example procedure looks like the following example in the expression
tree:
ROOT
    OR
        Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan
        Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
where scan_name is the name you assigned to the scans.


Example 3: Creating a Complex Conditional Expression with NOT


The following example shows a conditional expression using the NOT operator. To pass
this complex condition, the user device must have your required version of McAfee
VirusScan or McAfee VirusScan Enterprise, but the device cannot be connecting with
the Mozilla Firefox browser.
Note: This example requires you to have configured three endpoint analysis scans to
verify whether or not the user device is running McAfee VirusScan or McAfee
VirusScan Enterprise, and to also verify if the user device is connecting with the
Mozilla Firefox browser.
1. Select the Root object in the tree and then click AND.
2. Click OR.
3. Click Endpoint Analysis Output and choose your scan output for McAfee VirusScan.
4. Click Endpoint Analysis Output and choose your scan output for McAfee VirusScan
Enterprise.
5. Select the AND object that you created in Step 1 and then click NOT.
6. Click Endpoint Analysis Output and choose your scan output for Mozilla Firefox.
The result of the example looks like the following example in the expression tree:
ROOT
    AND
        OR
            Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan
            Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
        NOT
            Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting
where scan_name is the name you assigned to the scans.
The Expression preview shows the following logical statement:
((Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan OR Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise) AND (NOT Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting))
where scan_name is the name you assigned to the scans.
Note the following about this example:
• Inserting the NOT operator results in OR NOT logic by default. If you want AND NOT
logic, insert the AND operator before the NOT operator in your tree, as you did in the
preceding example.
• The Mozilla Firefox scan package verifies a minimum version number. In this example,
we want to verify any known version. To detect all known versions, we can create the
scan to verify that the client device is connecting with a minimum of version 0.1.
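To see how a tree built this way decides who is admitted, here is an added Python example (not Citrix code) that evaluates the Example 3 tree over constructed scan outputs for three devices and contrasts it with the tree you get when Step 1 (inserting AND) is skipped. It assumes that the Root object joins its direct children with OR, which is the OR NOT default described above, and that a scan whose conditions the device did not meet reports the default output False.

```python
"""Evaluate the logical expression trees that the filter and Logon Page
Visibility builders produce, over endpoint analysis scan outputs.

Added example; this is not Citrix code. The operators AND, OR and NOT, the
Root object and the scan output names follow the guide's Example 3. Two
modelling assumptions: the Root object joins its direct children with OR
(the "OR NOT by default" behaviour the guide describes), and a scan whose
conditions never matched the device reports the default output False.
The device records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Node:
    op: str                                   # "ROOT", "AND", "OR" or "NOT"
    children: List["Expr"] = field(default_factory=list)


# A leaf is the fully qualified scan output name as the builder shows it:
# "<scan package>.<scan name>.<scan output>".
Expr = Union[str, Node]

# Scan outputs from the guide's Example 3; scan_name stands for the name
# assigned when the scan was created.
VS = "Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan"
VSE = ("Citrix Scans for McAfee VirusScan Enterprise.scan_name."
       "Verified-McAfee-VirusScan-Enterprise")
FF = "Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting"


def evaluate(expr: Expr, outputs: Dict[str, bool]) -> bool:
    """True when the device's scan outputs satisfy the expression."""
    if isinstance(expr, str):
        return outputs.get(expr, False)     # scan did not run: default output
    vals = [evaluate(c, outputs) for c in expr.children]
    if expr.op == "NOT":
        if len(vals) != 1:
            raise ValueError("NOT takes exactly one operand")
        return not vals[0]
    if expr.op == "AND":
        return all(vals)
    if expr.op in ("OR", "ROOT"):           # Root joins its children with OR
        return any(vals)
    raise ValueError(f"unknown operator {expr.op!r}")


def preview(expr: Expr) -> str:
    """Render the tree the way the builder's Expression preview does."""
    if isinstance(expr, str):
        return expr
    if expr.op == "NOT":
        return f"(NOT {preview(expr.children[0])})"
    if expr.op == "ROOT" and len(expr.children) == 1:
        return preview(expr.children[0])
    joiner = " OR " if expr.op == "ROOT" else f" {expr.op} "
    return "(" + joiner.join(preview(c) for c in expr.children) + ")"


# Example 3 as built in the guide: AND under Root, then OR and NOT under the AND.
WITH_AND = Node("ROOT", [Node("AND", [Node("OR", [VS, VSE]), Node("NOT", [FF])])])
# The same scans if Step 1 (inserting AND) is skipped: NOT sits beside the OR
# directly under Root, giving OR NOT logic.
WITHOUT_AND = Node("ROOT", [Node("OR", [VS, VSE]), Node("NOT", [FF])])

# Constructed scan outputs for three devices. On the third device the
# Firefox scan's conditions were not met, so it reports no output at all.
DEVICES = {
    "managed_ie": {VS: True, VSE: False, FF: False},
    "managed_firefox": {VS: True, VSE: False, FF: True},
    "unmanaged_ie": {VS: False, VSE: False},
}


def decide(expr: Expr, devices: Dict[str, Dict[str, bool]]) -> Dict[str, bool]:
    """Map each device label to whether the expression admits it."""
    return {label: evaluate(expr, out) for label, out in devices.items()}


if __name__ == "__main__":
    print(preview(WITH_AND))
    print("with AND:   ", decide(WITH_AND, DEVICES))
    print("without AND:", decide(WITHOUT_AND, DEVICES))
```

Without the AND, the unmanaged device is admitted because NOT applied to a scan that never ran evaluates to True; the AND form denies it, as the guide's preview statement intends.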

Configuring Document Control


You can configure document control to limit the documents that users can download or
open by adding document file type extensions to the document control list. When you
allow file type association in Access Controller and choose the Limited document
control setting in the access policy, users can only open the documents using file type
association. If you set document control to Full in the access policy, the setting applies
to all extensions, not just to the extensions you added to the document control list.
Users cannot open a document unless you allow file type association in XenApp. If you
configure document control and do not allow file type association, users cannot open
documents. If you disable document control or if the list is empty, there are no
restrictions based on document type.
If you enable document control in an access policy, the allow setting for Web resources
is Limited document control. For file shares, you can configure both Limited and Full
settings.

To configure document control


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway and then click CitrixController.
3. Under Common Tasks, click Edit cluster properties.
4. Click Document Control.
5. Under Default action when users double-click a file (applies only to file
resources), select one of the following:
a. Select Download to download the file to the user device.
b. Select Open with XenApp to open the file using a published application.
6. Under Document Control Extensions, click New.
7. Under New Extension, in Extension, type the extension, type a description
(optional), and then click Save.
Automatic enabling of extensions occurs when you add the extensions. You can
disable or enable extensions within the Document Control Extensions box.
8. Repeat Steps 6 and 7 for each extension you want to add and then click OK.
Alternatively, you can type all of the file extensions into a text file. To add the file
extensions, under Import or Export to or from a Text File, click Import. Each file
extension appears under Document Control Extensions.

Limitations of Clientless Access


If your Access Controller deployment does not require the Access Gateway Plug-in,
Citrix online plug-ins, or Desktop Receiver on user devices, your deployment is
considered to provide clientless access. In this scenario, users need only a Web browser
to access network resources.
Clientless access to Web resources depends on URL rewriting. Some Web
applications do not handle URL rewriting well or do not allow the cookie management
needed for clientless access. Such applications are better suited for access through the
Access Gateway using the Access Gateway Plug-in.
For example, the more a Web application uses the following advanced technologies,
the less likely it is to work smoothly with proxied URL rewriting:
• Flash animations
• ActiveX controls or Java applets
• Advanced Java scripting languages
Test the behavior of those Web applications that you plan to provide only through a
browser. If the applications do not behave as expected, consider creating a
network resource to provide users direct access to the application using the Access
Gateway Plug-in. Network resources do not appear in published lists of users'
resources, for example, in the Access Interface.

Reviewing Policy Information with Policy Manager


Policy Manager enables you to search your Access Controller policies by resource, users,
and filters. You can use keywords for your searches. The search results can assist with
quick policy planning, management, or troubleshooting. The following are only a
sample of the type of information you can find quickly with Policy Manager:
• Find all the policies that affect a specified user or user group
• View all the policy settings that pertain to a specified resource
• List all policies that use a specified filter
• Find all policies that control the permission to log on

To search for policies and settings


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, expand Access Gateway and then
expand the Access Controller with the policies you want to search.
3. Click Policies and under Common Tasks, click Manage policies to open Policy
Manager.
4. Use a mixture of keywords in the Resource, User, and Filter text boxes and then
click Search. For example, to find every policy assigned to All authenticated
users, type all in the User text box.
By default, all policies are shown when you open Policy Manager. Clicking Clear
at any time empties the search criteria boxes and returns to a view of all policies.
Double-click a filter to open the filter's properties. Double-click in any other
column to open the policy's properties.
Click a column heading to sort results alphabetically by that column's entries.
Click the same column again to reverse the sort order.

Note: Policy Manager does not show the filtered results of policy control for currently
connected users, such as the resulting set of access permissions after endpoint analysis
scans are taken into consideration.

Verifying Requirements on User Devices


Endpoint analysis is a process that scans a user device and detects information, such as
the presence and version level of an operating system, antivirus, firewall, or browser
software. You can use endpoint analysis scans to verify that the user device meets your
requirements before allowing the device to connect to your network. You can
incorporate the detected information as a filter within an access or connection policy,
which enables you to grant different levels of access based upon the user device. For
example, you can provide full access with download permission to users who connect
from the field using corporate laptops that are up-to-date with antivirus and firewall
software requirements. Endpoint analysis scans are run one time, during logon.

Configuring Endpoint Analysis


After you configure endpoint analysis, the Access Gateway performs these basic steps:
• Examines an initial set of information about the user device to determine which
scans to apply
• Runs all applicable scans
• Compares property values detected on the user device against desired property
values listed in your configured scans
• Produces an output verifying if desired property values are found
When a user tries to connect through a logon point, endpoint analysis checks the scans
that are filtered for the logon point. The Endpoint Analysis Plug-in runs on the user
device every scan whose conditions the user device meets. These scans return results
(called scan outputs): either detected information or True or False verifications of
required property values.
Note: The Citrix Clientless Scans for Platform and Citrix Clientless Scans for Browser
Type do not require that the Endpoint Analysis Plug-in runs on the user device. These
scans can gather their results from information that the user device provides to the
server directly.
Scans with conditions that do not match the user device do not run on the user device;
however, even these scans receive a default output defined by the scan package, such
as False.
Endpoint analysis completes before the user session consumes a license.

To configure endpoint analysis


Follow these general steps to configure endpoint analysis:



1. Identify the scan packages that check the properties you want to verify.
2. Create scans, configuring the conditions under which they run and the properties
they verify.
3. Add additional rules if you want a scan to apply to multiple scenarios.
4. Use scan outputs in policies when you configure policy filters.
You can log endpoint analysis events through the system Event Viewer. For more
information about auditing such events, see Auditing Access to Internal Network
Resources on page 351.

Creating Endpoint Analysis Scans


Endpoint analysis scans verify specific properties of the user devices that connect to
your network, such as the installed version of an antivirus software product or
verification that the user device belongs to a required domain.
Scans have rules that define when the scan is applied to a user device. Each rule
includes a set of conditions that are required attributes of the user device that must be
met for the scan to be applied.
Creating a scan includes defining the prerequisite conditions under which the scan runs
and configuring the properties to verify.

To create a scan
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans and then click the type of scan you want to
create: antivirus, basic, browser, custom, firewall, machine identification,
miscellaneous, or operating system.
4. In the right pane, under Contents, click a scan package.
5. Under Tasks, click Create scan.
The Create Scan wizard opens.
6. On the Define Scan Name page, enter a name for the scan.
7. On the Select Conditions page, select the conditions that will define when the
scan runs.
You can also click Use Another Scan's Output as a Condition to use the output
from another scan as a condition for your scan.
In the Use Scan Output as a Condition dialog box, select the scan package, the
scan, and then the scan output that you want to use as a condition for running
your new scan.
8. On the Define Rule page, enter a rule name for the set of conditions and
properties you are configuring.
9. On the various Configure Conditions pages, select all acceptable values for each
condition.


The condition is met if the user device matches any of the values you select.
The wizard presents a separate page for each condition.
10. On the Define Property to Verify page, configure the property values to verify.
For example, to verify that a minimum version of an antivirus program is
running on the user device, enter the minimum version number.
The wizard presents a separate page for each property value the scan verifies.
Each property value may be used to filter access policies.
Version numbers follow the typical syntax for the specific product and require
at least one decimal point; for example, 2.1 or 2.1.1.
After creating a scan, you can add more rules to make the scan apply to multiple user
scenarios.

Using Scan Outputs to Filter Policies


You can use endpoint analysis scan outputs to filter policy enforcement. Filtering with
scan outputs allows you to secure access to your network and resources based on
properties of the user device, such as whether or not it is running required minimum
levels of antivirus or firewall software.
The following steps describe the general process for using scan outputs in policies.
1. Create a scan that verifies the properties you require.
2. Create a policy filter that uses the scan output from Step 1.
3. Create a policy and assign to it the filter you created in Step 2.
Steps 2 and 3 above can be combined in the policy wizard.

Using Scan Outputs to Filter Logon Page Visibility


You can use the scanned information you discover about the user device to filter the
user's ability to see the logon page. For more information, see Setting Conditions for
Showing the Logon Page on page 228.

Editing Conditions and Rules


All rules for an endpoint analysis scan share the scan's list of available conditions. The
available conditions are the conditions that you can configure for the scan's rules.
Interdependencies exist between the various rules and conditions of a scan.
If you edit the list of available conditions, be aware of the following considerations:
• If you add to a scan's list of available conditions, all existing rules for the scan
receive the new condition with all possible values selected for use. To make sure
you do not change the conditions of existing rules in unexpected ways, check the
properties for the scan's rules after you add to the list of available conditions.
• To remove a condition from a scan's available conditions list, you must first remove
all rules that use the condition or select all possible values for the condition in
every rule that uses it.

Editing Rules
You can view all condition settings for a rule in the Properties display for the rule. For
example, if you add to the conditions that are available for a scan, all existing rules of
that scan receive the condition you added with all the settings selected. You might
need to adjust the settings that are automatically copied to existing rules.

To edit the condition settings for a rule


1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans, expand the scan group, and click the scan for
which you want to edit the condition settings for a rule.
4. Under Common Tasks, click Edit available conditions.
5. In the Edit Available Conditions dialog box, select or clear the conditions options.

Adding Rules to Scans


Rules are sets of conditions that define when to apply an endpoint analysis scan and
which property values to check. Multiple rules can apply to a single scan. The first rule
of a scan is defined when you create the scan. After creating the scan, you can add
more rules to make the scan apply to multiple scenarios.
For example, the same scan can check for version X of an antivirus program on devices
running the Windows 7 operating system. You can create a different rule to check for
version Y of the same antivirus program on devices running earlier Windows operating
systems.

To add a rule to a scan


1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans, expand the scan type and then click the scan for
which you want to create an additional rule.
4. In the console tree, under Common Tasks, click Create rule.
5. Follow the wizard prompts to define the rule's name, condition settings, and
property value settings.

Example: Adding Multiple Rules to a Scan


Assume that your network security policy is to prevent access to user devices unless
they have Service Pack 3 installed for Windows XP and Service Pack 1 installed for any
devices running Windows Vista. You have an exception for employees in the Tokyo
office, because the Tokyo IT department decided not to upgrade Windows XP to Service
Pack 3 until further testing takes place. You can use the same scan with different rules


to verify the correct service pack for all three of these scenarios. You must configure
each rule separately.
Your environment includes a logon point named Tokyo that is used by your Tokyo
office users. Logon points apply settings to the connections that initiate through their
URLs.
The following steps create a scan that verifies these three service pack requirements.
1. Create a scan from the Citrix Scans for Windows Service Packs package, selecting the
logon point condition to configure.
a. Expand Operating System Scans and then click Citrix Scans for Windows
Service Packs.
b. Under Common Tasks, click Create Scan.
The Create Scan wizard opens.
c. Provide a name for the scan and then click Next.
d. Under Available conditions, select Logon Point and then click Next.
e. Provide a rule name and then click Next.
f. Under Operating System, select Windows XP as the condition and then click
Next.
g. Under Logon Point, select all logon points except Tokyo and then click Next.
h. For the property value to verify, select Service Pack 3 and then click Finish.
2. After you create the scan and the first rule, create another rule for Windows XP.
a. Select the scan you just created and under Common Tasks, click Create rule.
The Create Rule wizard opens.
b. Provide a rule name and then click Next.
c. Under Operating System, select Windows XP as the condition and then click
Next.
d. Under Logon Point, select Tokyo and then click Next.
e. For the property value to verify, select Service Pack 2 and then click Finish.
The second rule appears under the scan you created in Step 1.
3. After you create the scan and the two rules for Windows XP, create a third rule for
Windows Vista.
a. Select the scan you created above and under Common Tasks, click Create rule.
The Create Rule wizard opens.
b. Provide a rule name and then click Next.
c. Under Operating System, select Windows Vista as the condition and then click
Next.
d. Under Logon Point, select all logon points and then click Next.

e. For the property value to verify, select Service Pack 1 and then click Finish.
The third rule appears under the scan you created in Step 1.
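As an added Python example (not Citrix code), the following models how the three rules above select a property to verify for a connecting device, and what happens to a device that no rule covers. The logon point names other than Tokyo, the device records, first-match rule selection and treating the service pack level as a minimum are assumptions of this example.

```python
"""Apply an endpoint analysis scan that carries several rules, following the
guide's service pack example with the Tokyo exception.

Added example; this is not Citrix code. The rule conditions (operating
system and logon point) and the property to verify (service pack level)
follow the example above. Constructed assumptions: the logon point names
other than Tokyo, the device records, first-match selection when a rule
applies (the example's rules are disjoint, so order never matters here),
the service pack level treated as a minimum, and the default output False
for a device that no rule covers (the guide's "default output defined by
the scan package, such as False").
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL = "*"   # stands for "all logon points" in a rule's logon point condition


@dataclass(frozen=True)
class Rule:
    name: str
    operating_systems: FrozenSet[str]   # condition: any of these values matches
    logon_points: FrozenSet[str]        # condition: any of these values (or ALL)
    service_pack: int                   # property to verify


@dataclass(frozen=True)
class Device:
    operating_system: str
    logon_point: str
    service_pack: int


def rule_applies(rule: Rule, device: Device) -> bool:
    """A rule applies when each condition matches one of its selected values."""
    os_ok = device.operating_system in rule.operating_systems
    lp_ok = ALL in rule.logon_points or device.logon_point in rule.logon_points
    return os_ok and lp_ok


def run_scan(rules: List[Rule], device: Device) -> Tuple[Optional[str], bool]:
    """Return (name of the rule that applied, Verified output) for a device.

    When no rule applies the scan does not run on the device and the output
    falls back to the package default (False), so a filter that requires this
    output denies devices the rules never anticipated.
    """
    for rule in rules:
        if rule_applies(rule, device):
            return rule.name, device.service_pack >= rule.service_pack
    return None, False


# Constructed logon points: Tokyo from the guide plus two others.
LOGON_POINTS: FrozenSet[str] = frozenset({"Default", "Tokyo", "Partners"})

# The three rules of the example, in the order the guide creates them.
SERVICE_PACK_SCAN: List[Rule] = [
    Rule("XP outside Tokyo", frozenset({"Windows XP"}), LOGON_POINTS - {"Tokyo"}, 3),
    Rule("XP in Tokyo", frozenset({"Windows XP"}), frozenset({"Tokyo"}), 2),
    Rule("Vista everywhere", frozenset({"Windows Vista"}), frozenset({ALL}), 1),
]

# Constructed devices, including one that no rule covers.
DEVICES: Dict[str, Device] = {
    "xp_sp3_default": Device("Windows XP", "Default", 3),
    "xp_sp2_default": Device("Windows XP", "Default", 2),
    "xp_sp2_tokyo": Device("Windows XP", "Tokyo", 2),
    "vista_sp1_tokyo": Device("Windows Vista", "Tokyo", 1),
    "win7_default": Device("Windows 7", "Default", 0),
}


def evaluate_devices(rules: List[Rule],
                     devices: Dict[str, Device]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Run the scan against every device and collect the outputs."""
    return {label: run_scan(rules, device) for label, device in devices.items()}


def uncovered(rules: List[Rule], devices: Dict[str, Device]) -> List[str]:
    """Labels of devices that no rule applies to; review these before relying on the scan."""
    return [label for label, d in devices.items()
            if not any(rule_applies(r, d) for r in rules)]


if __name__ == "__main__":
    for label, (rule, verified) in evaluate_devices(SERVICE_PACK_SCAN, DEVICES).items():
        print(f"{label:16s} rule={rule!s:18s} verified={verified}")
    print("uncovered:", uncovered(SERVICE_PACK_SCAN, DEVICES))
```

The Windows 7 device shows the practical consequence of the rule set: it is neither verified nor exempted, so any policy filtered on this scan output denies it until a rule for Windows 7 is added.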

Scan Packages
Scan packages enable you to create scans to verify the properties of a user device, such
as the installed version of an antivirus software product. Each package is designed to
verify specific properties or software products.
Scan packages are listed in the Citrix Delivery Services Console under the Endpoint
Analysis Scans node.
You can view individual properties of a scan package in the console, including a
description of its scan outputs. Look at the scan output descriptions when you want to
know which information the endpoint analysis scan retrieves or verifies about the user
device.
A scan output can take one or both of the following forms depending on the scan
package and the rules you set:
• Information about the user device. For example, the scan package Citrix Scans for
Trend OfficeScan detects and retrieves a value that is the product version of Trend
OfficeScan running on the user device, if any.
• A True or False Boolean verification indicating if the scan package detected the
scan's required property values.

To view the scan outputs produced by a scan package


1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans and then click the type of scan for which you
want to view the scan outputs.
4. In the right pane, under Contents, click a scan package.
5. Under Tasks, click Properties.
The scan output table describes each output that the scan package produces.

Adding Scan Packages


Each endpoint analysis scan package is designed to examine a set of properties for a
specific software product. You can expand the default set of scan packages by
importing new ones. Citrix, partners, or developers in your organization can use the
Endpoint Analysis Software Development Kit (SDK) available on your product CD or the
Citrix Web site at http://community.citrix.com/cdn to develop additional scan packages.

To import a scan package


1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.

2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Click Endpoint Analysis Scans or a scan group and under Common Tasks, click
Import scan package.
If you select Endpoint Analysis Scans, the scan package does not appear under a
scan group and appears directly under the Endpoint Analysis Scans node.
If you want the package to appear in a scan group, you must select that scan
group.
4. In the Select Scan Package File dialog box, browse to the scan package file and
then click Open.

Grouping Scans
The console tree lists default scan groups for categories, such as antivirus, firewall,
and operating system software to help you organize scan packages and their scans.
Scan groups can help you find scan packages or scans more quickly. You can create and
name your own groups.
Scan groups exist to organize items within the console tree only and have no effect on
how scans run.
To create a scan group
1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Click Endpoint Analysis and under Common Tasks, click Create scan group.
4. In the Create Scan Group dialog box, type a name for the new scan group and
then click OK.

Adding Language Packs


A scan package developer can create language packs to expand the languages in which
the package creates scans. For example, a developer can first develop a scan package
for English and decide later to add language packs for French, German, or Spanish as
development proceeds. Language packs are typically distributed as .cab files.
To import a language pack for a scan package
1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Click Endpoint Analysis Scans and under Common Tasks, click Import language
pack.
4. In the Select Language Pack File dialog box, browse to the language pack file and
then click Open.

Scan Packages Reference


Scan packages contain the software you need to create endpoint analysis scans to
detect information about user devices. When creating scans, you typically specify one
or more property values that you're looking for, such as an operating system version or
service pack level. The scan can also contain properties that function as conditions that
must be met on the user device in order for the scan to run, such as a specific logon
point or the type of operating system. This topic contains links to the topics that
describe the properties and outputs you can configure for Citrix scan packages.
Note: This topic is available from the online help system of any server running the
Citrix Access Controller. If you need information about specific properties while
creating scans, use your online help to locate this reference topic.
Scan packages are organized alphabetically within the following groups by the type of
product or properties being scanned.

Antivirus Scan Packages


You can use the following scan packages to create scans that check user devices for antivirus software.

Citrix Scans for McAfee VirusScan


Detects if the required version of McAfee VirusScan software (personal edition) is
running on the user device.
Minimum Supported Versions
• VirusScan Plus 2004: Windows XP
• VirusScan Plus 2008: Windows XP, Windows Vista
• VirusScan Plus 2009: Windows XP, Windows Vista, Windows 7
• Internet Security 2010: Windows XP, Windows Vista, Windows 7
• Total Protection 2010: Windows XP, Windows Vista, Windows 7
Properties You Can Specify
Property name: Minimum required file version
Description/format: Use format N.N, where N is an integer. You can find the file version
number on the Version tab in the properties of the file mcvsshld.exe.
Scan Outputs
Scan output name: File Version
Description: This is the version of the key program executable file. The major and minor
version numbers are the same as the numbers that appear in the program user interface.
The rest of the version number may be ignored when reported.
Scan output name: Verified-McAfeeVirusScan
Description: This Boolean output indicates if the required minimum version of the
application is running on the user device.

Citrix Scans for McAfee VirusScan Enterprise


Detects if McAfee VirusScan software (Enterprise edition) is running on the user device.
Minimum Supported Versions
• VirusScan Enterprise 8.0i: Windows XP
• VirusScan Enterprise 8.5i: Windows XP, Windows Vista
• VirusScan Enterprise 8.7: Windows XP, Windows Vista, Windows 7
Properties You Can Specify
Property name: Minimum required engine version
Description/format: Use format N.N; for example, 4.4. Note that the application user
interface and registry may display the engine version number in different formats. For
example, engine version 4.4 may display in the user interface as 4400 and the same
engine version may display in the registry as 4.4.00. However, in both cases, you should
enter the minimum required engine version as 4.4 when you create a scan.
Property name: Minimum required pattern file version number
Description/format: Use format N, where N is an integer.
Scan Outputs
Scan output name: Verified-McAfee-VirusScan-Enterprise
Description: This Boolean output indicates if this application is running on the user
device.
Scan output name: Engine Version
Description: Indicates the On-Access scan engine version running on the user device. If
this product is not installed or is not executing, the version defaults to 0.0.0.0.
Scan output name: Pattern Version
Description: Indicates the pattern file version running on the user device. If this
product is not installed or is not executing, the version defaults to 0.

Citrix Scans for Norton AntiVirus Personal

Detects if Norton AntiVirus software (personal edition) is running on the user device.

Minimum Supported Versions
• Norton AntiVirus 2008: Windows XP, Windows Vista
• Norton AntiVirus 2009: Windows XP, Windows Vista, Windows 7
• Norton AntiVirus 2010: Windows XP, Windows Vista, Windows 7
• Norton Internet Security 2008: Windows XP, Windows Vista
• Norton Internet Security 2010: Windows XP, Windows Vista, Windows 7
• Norton 360 v4.0: Windows XP, Windows Vista, Windows 7

Properties You Can Specify
  Minimum required product version
      Use the format N.N.N, where N is an integer.
  Minimum required pattern file version number
      Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the
      two-digit month, DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs
  Product version
      Indicates the software version running on the user device. If this product
      is not installed or is not executing, the version defaults to 0.0.0.0.
  Verified-Norton-Antivirus
      Indicates if this application is running on the user device.
  Pattern version
      Indicates the pattern file version running on the user device. If this
      product is not installed or is not executing, the version defaults to
      0.0.0.0.

Citrix Scans for Symantec AntiVirus Enterprise

Detects if Symantec AntiVirus Enterprise software is running on the user device.

Minimum Supported Versions
• Symantec Endpoint Protection 11.0.4: Windows XP, Windows Vista
• Symantec Endpoint Protection 11.0.6: Windows XP, Windows Vista, Windows 7

Properties You Can Specify
  Minimum required product version
      Use the format N.N.N, where N is an integer.
  Minimum required pattern file version number
      Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the
      two-digit month, DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs
  Product version
      Indicates the software version running on the user device. If this product
      is not installed or is not executing, the version defaults to 0.0.0.0.
  Pattern version
      Indicates the pattern file version running on the user device. If this
      product is not installed or is not executing, the version defaults to
      0.0.0.0.
  Verified-Symantec-AVEnterprise
      Indicates if this application is running on the user device.

Citrix Scans for Trend OfficeScan

Detects if Trend OfficeScan antivirus software is running on the user device.

Minimum Supported Versions
• OfficeScan 8.0 SP1: Windows XP
• OfficeScan 10.0: Windows XP, Windows Vista, Windows 7

Properties You Can Specify
  Minimum required client version
      Use the format N.N, where N is an integer.
  Minimum required pattern file version number
      The three-digit short form of the pattern file version running on the client
      device. Use the format N, where N is an integer. For example, for version
      2.763, 763 is the short form you enter.

Scan Outputs
  Product Version
      Indicates the software version running on the user device. If this product
      is not installed or is not executing, the version defaults to 0.0.0.0.
  Verified-TrendOfficeScan
      Indicates if this application is running on the user device.
  Pattern Version
      Indicates the pattern file version running on the user device. If this
      product is not installed or is not executing, the version defaults to -1.

Citrix Scans for Windows Security Center Antivirus

Detects if the Windows Security Center reports that the user device is using antivirus
software. There are no properties for you to specify in this scan beyond specifying the
conditions under which the scan is applied.

Note that accurate scan results require that antivirus software be monitored through
the Windows Security Center. If an antivirus software product does not register
properly with the Windows Security Center, it is possible for the scan to indicate
incorrectly that the user device has no antivirus software enabled. Test to ensure that
Windows Security Center correctly registers the antivirus software products you deem
acceptable or check the Windows Security Center documentation for details of the
products it supports.

Supported Versions
• Windows XP SP3 - Security Center
• Windows Vista - Security Center
• Windows 7 - Action Center

Scan Outputs
  Antivirus Enabled
      Indicates (True/False) if the Windows Security Center reports that the user
      device is using antivirus software.

Basic Scan Packages


You can create an endpoint analysis scan package to check user devices for
information, such as the presence of a specific version of a file or a specific registry
value on the user device.

Citrix Scans for Files

Citrix Scans for Files detects information such as the hash value and version of
specified files on the user device.

Properties You Can Specify
  Path to file
      The string value indicates the complete path to the file.
      Windows specific:
      • The file path can include Windows Environment Variables, for example:
        %SystemRoot%\System32\gdi32.dll
      • File system redirection is disabled on the Windows operating system.
  Expand environment strings
      Indicates whether (True or False) expanding Windows Environment Variables is
      needed in FilePath.
  Hash algorithm
      The string value indicates the hash algorithm specified. The value set
      includes:
      • None: When specified, no hash is calculated. The AGA server side output
        IsFileHashOK is false.
      • MD5: When specified, the MD5 hash of the file is calculated.
      • SHA-1: When specified, the SHA-1 hash of the file is calculated.
      • SHA-256: When specified, the SHA-256 hash of the file is calculated.
  Required file hash
      The string value indicates the required set of file hashes.
  Operator to compare file versions
      The string value indicates the relational operator that is used to compare
      the file versions. Value set:
      • None
      • Greater_Than_or_Equal_To
      • Equal_To
      When None is specified, the file version is not detected or compared. The
      Access Controller server side output IsFileVersionOK is false.
  Required file version
      The string value indicates the required file version. The expected file
      version is in the following format: xxxx.xxxx.xxxx.xxxx, where each group
      can contain from 1 through 4 digits. For example, on Windows, this format
      stands for MajorVersion.MinorVersion.BuildNumber.RevisionNumber, and may
      appear as 44.44.7.1234.

Scan Outputs
  Verify_File_Exist
      Indicates whether (True or False) a file with the specified name is located
      on the user device.
  Verify_File_Hash_IS_OK
      Indicates whether (True or False) the file hash is located in the set of
      specified hashes.
  Verify_File_Version_Is_OK
      Indicates whether (True or False) the file version is equal to or greater
      than the specified version.

Citrix Scans for Platforms

Citrix Scans for Platforms detects operating system information, such as name, version,
and type, on the user device.

Properties You Can Specify
  Operating system name
      The string value indicates the name of the operating system. The predefined
      operating system names are:
      • Windows XP
      • Windows Vista
      • Windows 7
  Operating system version
      The string value indicates the version of the operating system. The expected
      operating system version is in the following format: xxxx.xxxx.xxxx.xxxx,
      where each group can contain from 1 through 4 digits. For example, on
      Windows, this format stands for
      MajorVersion.MinorVersion.BuildNumber.RevisionNumber, and may appear as
      44.44.7.1234.
  Operating system bit type
      The string value indicates the bit width of the operating system. The value
      set includes:
      • 32-Bit
      • 64-Bit
      • Either
  Operating system service pack
      The string value indicates the service pack installed on the operating
      system. The value set includes:
      • Service Pack 1
      • Service Pack 2
      • Service Pack 3
      • Service Pack 4
      • Service Pack 5
      • Service Pack 6
      • Service Pack 7
      • Service Pack 8
      • Service Pack 9

Scan Outputs
  Verify_OS_Name_is_OK
      Indicates whether (True or False) the name of the operating system matches
      one of the predefined names.
  Verify_OS_Version_is_OK
      Indicates whether (True or False) the operating system version equals the
      specified version.
  Verify_OS_Bit_Width_is_OK
      Indicates whether (True or False) the operating system bit width equals the
      specified type.
  Verify_OS_Service_Pack_is_OK
      Indicates whether (True or False) the operating system service pack equals
      the specified version.

Citrix Scans for Ports

Citrix Scans for Ports detects port information, such as whether or not a port is used.

Properties You Can Specify
  Port numbers
      The string value indicates the port numbers or port range separated by
      commas, for example: 25, 80, 110, 117-120
      For listening state, the port numbers refer to local ports; otherwise, the
      port numbers refer to remote ports.
  Protocol
      The string value indicates the protocol specified. The value set includes:
      • TCP
      • UDP
      • Both

Scan Outputs
  Verify_Port_Is_Bound
      Indicates whether (True or False) any of the ports are bound. For TCP on
      Windows, the port is bound if the port is in one of the following states:
      • MIB_TCP_STATE_LISTEN
      • MIB_TCP_STATE_ESTAB

Citrix Scans for Process

Citrix Scans for Process detects process information, such as hash value and version, on
a user device.

Properties You Can Specify
  Path to process
      The string value indicates the path to the process. The path can be the
      absolute path to the process or only the name of the process. When only the
      process name is specified, this EPA package scans any process with a
      matching name.
      Windows specific:
      • The process path can include Windows Environment Variables, for example:
        %SystemRoot%\System32\gdi32.dll
      • File system redirection is disabled on the Windows operating system.
  Expand environment strings
      Indicates whether (True or False) Windows Environment Variables are present
      in the file path.
  Hash algorithm
      The string value indicates the hash algorithm specified. The value set
      includes:
      • None: When specified, no hash is calculated. The AGA server side output
        IsProcessRunning is not affected by the hash.
      • MD5: When specified, the MD5 hash of the process module is calculated.
      • SHA-1: When specified, the SHA-1 hash of the process module is calculated.
      • SHA-256: When specified, the SHA-256 hash of the process module is
        calculated.
  Required file hash
      The set of string values indicates the required set of file hashes.
  Operator to compare file versions
      The string value indicates the relational operator that is used to compare
      the file versions. The value set includes:
      • None
      • Greater_Than_Or_Equal_To
      • Equal_To
      When None is selected, the file version is not detected or compared. The
      Access Controller server side output IsProcessRunning is not affected by the
      file version.
  Required file version
      The string value indicates the required file version. The expected file
      version is in the following format: xxxx.xxxx.xxxx.xxxx, where each group
      can contain from 1 through 4 digits. For example, on Windows, this format
      stands for MajorVersion.MinorVersion.BuildNumber.RevisionNumber, and may
      appear as 44.44.7.1234.

Scan Outputs
  Verify_ProcessIs_Running
      Indicates whether (True or False) the specified process is running. The
      output is True when all of the following conditions are met:
      • The specified process is found.
      • The process module's hash (if specified) is in the specified hash data set.
      • The process module's version (if specified) is equal to or greater than
        the version specified.
      When only the process name is specified and there are multiple instances of
      a process with that name running, the output is True when all of the
      following conditions are met:
      • All the hashes (if specified) of the running processes' modules are in
        the specified hash data set.
      • All the versions (if specified) of the running processes' modules meet
        the comparison version requirement.
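As an added example (not Citrix code and not the EPA package's own implementation), the following Python models how the Citrix Scans for Files and Citrix Scans for Process packages above turn their properties into outputs: the xxxx.xxxx.xxxx.xxxx version format with the Greater_Than_or_Equal_To and Equal_To operators, hash-set membership, the different meaning of None in the two packages, and the all-instances rule for processes. The module bytes and version strings are constructed sample data.

```python
"""Model of how Citrix Scans for Files and Citrix Scans for Process combine their
properties into scan outputs. Added example, not Citrix code; file and process
contents are constructed byte strings instead of real files or processes."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

HASH_ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
# The guide spells this operator both ways (Files table vs. Process table).
GREATER_OR_EQUAL = {"Greater_Than_or_Equal_To", "Greater_Than_Or_Equal_To"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse the documented xxxx.xxxx.xxxx.xxxx format: 1 to 4 dot-separated
    groups of 1 to 4 digits each. Missing trailing groups are padded with 0 so
    that a required version written as simply as N.N compares correctly."""
    groups = text.strip().split(".")
    if not 1 <= len(groups) <= 4:
        raise ValueError(f"expected 1 to 4 version groups: {text!r}")
    numbers = []
    for group in groups:
        if not (group.isdigit() and 1 <= len(group) <= 4):
            raise ValueError(f"version group must be 1 to 4 digits: {group!r}")
        numbers.append(int(group))
    return tuple(numbers + [0] * (4 - len(numbers)))


def version_meets(found: str, required: str, operator: str) -> bool:
    """Apply the 'Operator to compare file versions' property."""
    found_v, required_v = parse_version(found), parse_version(required)
    if operator in GREATER_OR_EQUAL:
        return found_v >= required_v
    if operator == "Equal_To":
        return found_v == required_v
    raise ValueError(f"unsupported operator: {operator!r}")


def hash_in_set(data: bytes, algorithm: str, required_hashes: Iterable[str]) -> bool:
    """Apply 'Hash algorithm' and 'Required file hash': hash the content and
    look the hex digest up in the required set (case-insensitively)."""
    digest = hashlib.new(HASH_ALGORITHMS[algorithm], data).hexdigest()
    return digest in {h.strip().lower() for h in required_hashes}


def evaluate_file_scan(content: Optional[bytes], found_version: Optional[str],
                       hash_algorithm: str, required_hashes: Iterable[str],
                       operator: str, required_version: str) -> Dict[str, bool]:
    """Citrix Scans for Files. content and found_version are None when the file
    is absent. As the table states, a hash algorithm of None or an operator of
    None makes the corresponding output False rather than skipping the check."""
    exists = content is not None
    hash_ok = bool(exists and hash_algorithm != "None"
                   and hash_in_set(content, hash_algorithm, required_hashes))
    version_ok = bool(exists and operator != "None" and found_version is not None
                      and version_meets(found_version, required_version, operator))
    return {"Verify_File_Exist": exists,
            "Verify_File_Hash_IS_OK": hash_ok,
            "Verify_File_Version_Is_OK": version_ok}


def evaluate_process_scan(instances: List[Tuple[bytes, str]], hash_algorithm: str,
                          required_hashes: Iterable[str], operator: str,
                          required_version: str) -> bool:
    """Citrix Scans for Process, output Verify_ProcessIs_Running. Each instance
    is (module content, module version) for one running process with the
    matching name. Unlike the file scan, None here means the check is not
    applied at all, and when several instances run every one must pass."""
    if not instances:
        return False
    required = list(required_hashes)
    for module, version in instances:
        if hash_algorithm != "None" and not hash_in_set(module, hash_algorithm, required):
            return False
        if operator != "None" and not version_meets(version, required_version, operator):
            return False
    return True


# Constructed sample standing in for an executable's bytes and its file version.
SAMPLE_MODULE = b"MZ\x90\x00 constructed sample module, not a real binary"
SAMPLE_VERSION = "44.44.7.1234"  # the example value used in the tables above


def sample_required_hashes(algorithm: str) -> List[str]:
    """Derive the 'Required file hash' set from the constructed sample so the
    example is self-contained; in practice you paste known-good digests here."""
    return [hashlib.new(HASH_ALGORITHMS[algorithm], SAMPLE_MODULE).hexdigest()]


if __name__ == "__main__":
    print(evaluate_file_scan(SAMPLE_MODULE, SAMPLE_VERSION, "SHA-256",
                             sample_required_hashes("SHA-256"),
                             "Greater_Than_or_Equal_To", "44.44"))
    tampered = SAMPLE_MODULE + b"\x00"  # one extra byte changes every digest
    print(evaluate_process_scan([(SAMPLE_MODULE, SAMPLE_VERSION), (tampered, SAMPLE_VERSION)],
                                "SHA-256", sample_required_hashes("SHA-256"), "None", "0"))
```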

Citrix Scans for Registry

Citrix Scans for Registry detects information in the registry, such as the presence of a
registry key or registry value, on the user device.

Properties You Can Specify
  Key name
      The string value indicates the name of the registry key. The following
      abbreviations are supported:
      • "HKCU" for "HKEY_CURRENT_USER"
      • "HKLM" for "HKEY_LOCAL_MACHINE"
      • "HKCR" for "HKEY_CLASSES_ROOT"
  Registry redirection
      The string value indicates which part of the registry is searched. The value
      set includes:
      • 32-Bit. When specified, only the 32-bit view of the registry is searched.
      • 64-Bit. When specified, only the 64-bit view of the registry is searched.
      • Both. When specified, both the 32-bit and 64-bit views of the registry are
        searched.
  Operator to compare registry values
      The string value indicates the operator value specified. The value set
      includes:
      • None
      • Exist
      • Equal_To
      • Not_Equal_To
      • Less_Than
      • Less_Than_or_Equal_To
      • Greater_Than
      • Greater_Than_or_Equal_To
      When None is specified, the registry's value is not detected or compared.
      For values of type REG_BINARY and REG_MULTI_SZ, the valid Value Relational
      Operators are Exist and Equal_To; other Value Relational Operators will
      yield negative output.
  Value name
      The string value indicates the name of the value. When the value name is
      composed of spaces instead of letters or numbers, it is treated as the
      default value.
  Value type
      The string value indicates the required type of registry value. The value
      set includes the following:
      • REG_SZ
      • REG_BINARY
      • REG_DWORD
      • REG_QWORD
      • REG_MULTI_SZ
      • REG_EXPAND_SZ
      For REG_BINARY and REG_MULTI_SZ values:
      • Hexadecimal values are separated by commas.
      • Spaces are also treated as separators.
      • When you copy data from the exported registry file, copy the string after
        "hex:".
      • A maximum of 1,024 characters are allowed.
  Value data
      The string value indicates the required data of the registry value. The
      value data is encoded using Base64 for URL before being sent to the EPA
      service; the value data is decoded by the EPA service.

Scan Outputs
  Verify_Registry_Key_Is_Present
      Indicates whether (True or False) the specified registry key is present.
  Verify_Registry_Value_Is_Present
      Indicates whether (True or False) the specified registry value is present.
  Verify_Registry_Value_Is_OK
      Indicates whether (True or False) the data of the registry value is as
      expected per the comparison requirements.
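An added Python model (not Citrix code) of how the Citrix Scans for Registry properties above combine into the three outputs: hive abbreviations, a value name made of spaces meaning the default value, comma- or space-separated hex for REG_BINARY and REG_MULTI_SZ data, the operator restriction for those types, and the Base64-for-URL transport of value data. The registry contents are constructed, and two details the guide leaves open are assumptions: REG_DWORD/REG_QWORD data is taken as decimal, and the required value type must match the stored type.

```python
"""Model of how Citrix Scans for Registry evaluates its properties into its three
scan outputs. Added example, not Citrix code; the registry is a constructed dict."""
import base64
import operator as op
from typing import Any, Dict, Tuple

HIVE_ABBREVIATIONS = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                      "HKCR": "HKEY_CLASSES_ROOT"}
RELATIONAL = {"Equal_To": op.eq, "Not_Equal_To": op.ne, "Less_Than": op.lt,
              "Less_Than_or_Equal_To": op.le, "Greater_Than": op.gt,
              "Greater_Than_or_Equal_To": op.ge}
HEX_TYPES = {"REG_BINARY", "REG_MULTI_SZ"}   # entered as hex; only Exist/Equal_To valid
NUMERIC_TYPES = {"REG_DWORD", "REG_QWORD"}

# Constructed registry: key path -> {value name: (type, data)}; "" is the default value.
SAMPLE_REGISTRY: Dict[str, Dict[str, Tuple[str, Any]]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent": {
        "": ("REG_SZ", "ExampleCorp Agent"),
        "Version": ("REG_DWORD", 5),
        "Policy": ("REG_BINARY", bytes.fromhex("01ff")),
    },
}
SAMPLE_KEY = r"HKLM\SOFTWARE\ExampleCorp\Agent"   # written with a supported abbreviation


def expand_key(name: str) -> str:
    """Expand HKCU / HKLM / HKCR to the full hive name."""
    hive, sep, rest = name.partition("\\")
    return HIVE_ABBREVIATIONS.get(hive.upper(), hive) + sep + rest


def parse_hex_data(text: str) -> bytes:
    """REG_BINARY / REG_MULTI_SZ data as entered in the scan: hex bytes separated
    by commas and/or spaces (the part after 'hex:' in a .reg export), at most
    1,024 characters."""
    if len(text) > 1024:
        raise ValueError("value data is limited to 1,024 characters")
    return bytes(int(token, 16) for token in text.replace(",", " ").split())


def encode_value_data(text: str) -> str:
    """Value data is carried to the EPA service as Base64 for URL."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii")


def decode_value_data(encoded: str) -> str:
    """The EPA service decodes it again before comparing."""
    return base64.urlsafe_b64decode(encoded.encode("ascii")).decode("utf-8")


def coerce(value_type: str, text: str) -> Any:
    """Convert decoded value data to the stored data's type. Assumptions: DWORD/
    QWORD data is entered in decimal; string types compare as plain strings."""
    if value_type in HEX_TYPES:
        return parse_hex_data(text)
    if value_type in NUMERIC_TYPES:
        return int(text, 10)
    return text


def evaluate_registry_scan(registry: Dict[str, Dict[str, Tuple[str, Any]]],
                           key_name: str, value_name: str, value_type: str,
                           comparison: str, encoded_data: str) -> Dict[str, bool]:
    key = registry.get(expand_key(key_name))
    # A value name made only of spaces means the key's default value.
    name = "" if value_name.strip() == "" else value_name
    stored = key.get(name) if key is not None else None
    value_ok = False
    if stored is not None and comparison != "None":
        stored_type, stored_data = stored
        if stored_type != value_type:
            value_ok = False          # assumption: the required type must match
        elif comparison == "Exist":
            value_ok = True
        elif stored_type in HEX_TYPES and comparison != "Equal_To":
            value_ok = False          # other operators yield negative output
        elif comparison in RELATIONAL:
            expected = coerce(value_type, decode_value_data(encoded_data))
            value_ok = bool(RELATIONAL[comparison](stored_data, expected))
    return {"Verify_Registry_Key_Is_Present": key is not None,
            "Verify_Registry_Value_Is_Present": stored is not None,
            "Verify_Registry_Value_Is_OK": value_ok}


if __name__ == "__main__":
    print(evaluate_registry_scan(SAMPLE_REGISTRY, SAMPLE_KEY, "Policy", "REG_BINARY",
                                 "Equal_To", encode_value_data("01,ff")))
    print(evaluate_registry_scan(SAMPLE_REGISTRY, SAMPLE_KEY, "Policy", "REG_BINARY",
                                 "Greater_Than", encode_value_data("00")))
```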

Browser Scan Packages

A Web browser scan checks for the type and/or specific versions of a Web browser.

Citrix Clientless Scans for Browser Type

The Citrix Clientless Scans for Web Browser Type detects if specified Web browser
software is being used to connect from the user device. You can scan for Microsoft
Internet Explorer, Mozilla Firefox, Google Chrome, Safari, or other software.

Scans from this package do not require client-side software to run on the user device.
Scan outputs are determined by examining the communication sent by the user's browser.

Minimum Supported Versions
• Microsoft Internet Explorer 7.0
• Mozilla Firefox 3.0
• Safari 5.0
• Google Chrome 5.0

Properties You Can Specify
  Expected browser type
      The browser you want the scan to detect on the client device. Select from:
      • Microsoft Internet Explorer
      • Mozilla Firefox
      • Google Chrome
      • Safari
      • Other

Scan Outputs
  Verified - Browser Type
      Indicates whether (True or False) the browser type you specified is being
      used to connect from the user device.
  Browser Type
      Returns the type of client browser. Other is returned if a browser other
      than Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, or Safari
      is being used.

Citrix Scans for Internet Explorer

Citrix Scans for Internet Explorer detects if the specified version of the browser
software exists on the user device.

Minimum Supported Versions
• Internet Explorer Version 7.0

Properties You Can Specify
  Minimum required version
      Use the format N.N.N.N, where N is an integer. However, you can specify a
      version as simple as N.N or as detailed as N.N.N.N (for example, 7.0).

Scan Outputs
  Product Version
      The version of the key program executable file. The major and minor version
      numbers are the same as the numbers that appear in the program user
      interface. The rest of the version number may be ignored when reported.
  Verified-InternetExplorer-Installed
      This Boolean output indicates if the minimum or later required version of
      the application is running on the user device.
  Verified-InternetExplorer-Connecting
      This Boolean output indicates if the minimum or later required version of
      the application is being used to perform the connection.

Citrix Scans for Internet Explorer Update

Citrix Scans for Internet Explorer Update detects if the specified version (including
update or hotfix version level) of the browser software exists on the user device.

Minimum Supported Versions
• Internet Explorer Version 7.0

Properties You Can Specify
  Patch Data Set
      Provides the name of a data set file containing the specified updates or
      hotfix version levels required. For more information, see Using Data Sets
      in Scans on page 265.

Scan Outputs
  Verified-InternetExplorer-Patch
      Indicates if the updates specified in the data set are present on the user
      device.

Citrix Scans for Mozilla Firefox

Citrix Scans for Mozilla Firefox detects if the specified version of the Mozilla Firefox
browser exists on the user device. The scan package uses the published Windows
registry settings.

Minimum Supported Versions
• Firefox Version 3.0

Properties You Can Specify
  Minimum required version
      Use the format N.N.N.N, where N is an integer. However, you can specify a
      version as simple as N.N or as detailed as N.N.N.N (for example, 1.0.3.3).

Scan Outputs
  Product Version
      The version of the key program executable file. The major and minor version
      numbers are the same as the numbers shown in the program user interface.
      The rest of the version number may be ignored when reported.
  Verified-Mozilla-FirefoxInstalled
      This Boolean output indicates if the minimum or later required version of
      the application is running on the user device.
  Verified-Mozilla-FirefoxConnecting
      This Boolean output indicates if the minimum or later required version of
      the application is being used to perform the connection.

Firewall Scan Packages

You can create a scan package that checks for personal firewall software on the user
device.

Citrix Scans for McAfee Desktop Firewall

Citrix Scans for McAfee Desktop Firewall detects if the specified version of the firewall
software exists on the user device.

Minimum Supported Versions
• McAfee Desktop Firewall 8.5 Build 260

Properties You Can Specify
  Minimum required version number or combined version and build number
      To specify the version number, use the format N.N, where N is an integer. To
      specify the version and build number, use the format N.N.NNN, where N is an
      integer.

Scan Outputs
  Version
      The version of the key program executable file. The major and minor version
      numbers are the same as the numbers that appear in the program user
      interface. The rest of the version number may be ignored when reported.
  Verified-McAfeeDesktop-Firewall
      This Boolean output indicates if the required minimum version of the
      application is running on the user device.

Citrix Scans for McAfee Personal Firewall

Citrix Scans for McAfee Personal Firewall detects if the specified version of the firewall
software exists on the user device.

Minimum Supported Versions
• McAfee VirusScan Plus 2009
• McAfee Internet Security 2010

Properties You Can Specify
  Minimum required version number
      N.N, where N is an integer.

Scan Outputs
  Version
      The version of the key program executable file. The major and minor version
      numbers will be the same as the numbers that appear in the program user
      interface. The rest of the version number may be ignored when reported.
  Verified-McAfeePersonal-Firewall
      This Boolean output indicates if the required minimum version of the
      application is running on the user device.

Citrix Scans for Microsoft Windows Firewall

Citrix Scans for Microsoft Windows Firewall detects if the specified version of Microsoft
Windows Security Center Firewall exists on the user device.

Supported Versions
The scan can detect the following firewalls on these operating systems:
• Microsoft Windows XP Home and Professional Service Pack 3
• Windows Vista
• Windows 7

Note: If the user device is running Windows XP with Service Pack 3, only Microsoft
Windows Security Center Firewall with third-party firewalls supports endpoint analysis
scans. Scans are not supported if the user device is running Windows Firewall only.

Properties You Can Specify
  Windows Firewall without exceptions is required
      Select True if you require Windows Firewall to be active without exceptions.
      Select False if you require Windows Firewall to be active with exceptions.
      For an example showing how to add multiple rules with exceptions to a scan,
      see Adding Rules to Scans on page 236.

Scan Outputs
  Verified-WindowsFirewall
      This Boolean output indicates if the required minimum version of the
      application is running on the user device.

Citrix Scans for Norton Personal Firewall

Citrix Scans for Norton Personal Firewall detects if the specified version of Norton
Personal Firewall exists on the user device.

Minimum Supported Versions
• Norton 360 v 4.0
• Norton Internet Security 2010

Properties You Can Specify
  Minimum required version
      Use the format N.N, where N is an integer.

Scan Outputs
  Version-Norton-PersonalFirewall
      This Boolean output indicates if the required version of the application is
      running on the user device.
  Version
      The version of the key program executable file. The major and minor version
      numbers are the same as those displayed in the program user interface. The
      rest of the version number may be ignored when reported.

Citrix Scans for Symantec Firewall

Citrix Scans for Symantec Firewall detects if the specified version of Symantec Firewall
exists on the user device.

Minimum Supported Versions
• Symantec Endpoint Protection 11.0.04

Properties You Can Specify
  Verified Symantec Firewall
      Detects if the minimum required version of Symantec Firewall is running on
      the user device.

Scan Outputs
  Version
      The version of the key program executable file. The major and minor version
      numbers are the same as the numbers that appear in the program user
      interface. The rest of the version number may be ignored when reported.
  MinVersion
      This Boolean output indicates if the required version of the application is
      running on the user device.

Citrix Scans for Windows Security Center Firewall

Citrix Scans for Windows Security Center Firewall detects if the Windows Security
Center reports that the user device is using a firewall. The Windows Security Center
allows you to monitor various security items on a user device running the Windows XP
SP2 operating system. You do not have properties to specify in this scan beyond
specifying the conditions under which the scan is applied.

Note that accurate scan results require that the firewall be monitored through the
Windows Security Center on the user device. If a firewall product does not register
properly with the Windows Security Center, it is possible for the scan to indicate
incorrectly that the user device has no firewall enabled. Test to ensure that Windows
Security Center correctly registers the firewall products you deem acceptable or check
the Windows Security Center documentation for details of the products it supports.

Supported Versions
• Windows XP SP3 - Security Center
• Windows Vista - Security Center
• Windows 7 - Action Center

Scan Outputs
  Firewall Enabled
      Indicates if (True/False) the Windows Security Center or Windows Action
      Center reports that the user device is using a firewall.

Machine Identification Scan Packages

You can create scans for specific user device properties. These settings include
membership in a domain and the MAC address of the user device.

Citrix Scans for Domain Membership

Citrix Scans for Domain Membership detects if the user device belongs to a specified
domain.

Properties You Can Specify
  Expected Domain
      A valid domain name. Workgroup names are not valid.
  Domain name
      The NetBIOS name of the domain to which the computer is joined.
      True means the user device must belong to a named domain.
      False means the user device is not required to belong to a domain.

Scan Outputs
  Verified Domain
      Indicates if the user device belongs to the specified domain.
  Domain
      The name of the domain that the user device belongs to. If a client domain
      name is not required, the output is unknown.

Citrix Scans for MAC Address

Citrix Scans for MAC Address detects the MAC address for each network interface card
(NIC) or network adapter on the user device and compares the address against a data
set containing the list of group names mapped to valid MAC addresses.

This scan requires you to create a double-column data set listing valid MAC addresses
mapped to group names. The scan detects the network adapter (the first value or
column in the data set) and maps that address to a group name (the second value or
column in the data set). Scans use this mapping to verify to which group the user
device belongs. The MAC addresses in the data set should be in the format
NN:NN:NN:NN:NN:NN, such as 00:11:11:06:B3:E9. Note that you should use a colon (:)
as the separator in this format rather than a hyphen (-).

Important: This scan package treats data as case sensitive. Avoid creating conflicting
entries that differ in case. For example, it is possible to create an entry for the same
address and map it to two different groups. One entry might map the address
00:50:8b:e8:f9:28 to the Finance group. Another entry can map the same address with
different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such entries make
scan results unreliable.

Properties You Can Specify
  Data set name
      Name of a data set file that maps each MAC address to a group name.
  Group name
      Name of a group to which the NIC or network adapter must belong.

Scan Outputs
  Group name
      Returns the group name associated with the MAC address of the user device
      network interface or adapter.
  Matched-MAC-Address
      This Boolean output indicates if the network interface or adapter belongs to
      the specified group of MAC addresses.
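An added example (not Citrix code) that checks a MAC address data set for the two problems described above before it is loaded, hyphen-separated addresses and entries that differ only in case, and then shows why the scan's case-sensitive lookup makes such entries unreliable. It assumes the data set is a two-column, comma-separated text file (MAC address, group name); the addresses and group names are constructed.

```python
"""Pre-flight checks for the double-column data set used by Citrix Scans for MAC
Address, plus a model of the scan's case-sensitive lookup. Added example, not
Citrix code; it assumes the data set is comma-separated text (MAC, group)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Documented format: NN:NN:NN:NN:NN:NN with colons, not hyphens.
MAC_FORMAT = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed data set reproducing the conflict the Important note describes.
SAMPLE_DATA_SET = """\
00:11:11:06:B3:E9,Finance
00:50:8b:e8:f9:28,Finance
00:50:8B:E8:F9:28,Sales
00-1A-2B-3C-4D-5E,Engineering
"""

Rows = List[Tuple[str, str]]


def parse_data_set(text: str) -> Rows:
    """Split each non-empty line into (MAC address, group name)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, sep, group = line.partition(",")
        if not sep:
            raise ValueError(f"expected two comma-separated columns: {line!r}")
        rows.append((mac.strip(), group.strip()))
    return rows


def lint_data_set(rows: Rows) -> Dict[str, List[str]]:
    """Report entries that make scan results unreliable: addresses not in the
    colon-separated format, and addresses that differ only in letter case
    (the scan compares case-sensitively, so both rows survive and can map to
    different groups)."""
    bad_format = [mac for mac, _ in rows if not MAC_FORMAT.match(mac)]
    variants = defaultdict(set)
    for mac, _ in rows:
        variants[mac.lower()].add(mac)
    case_conflicts = sorted(mac for group in variants.values()
                            if len(group) > 1 for mac in group)
    return {"bad_format": bad_format, "case_conflicts": case_conflicts}


def normalize_mac(mac: str) -> str:
    """Canonical form to apply before adding an entry: colon separators and
    upper-case hex, so the same adapter cannot appear twice in different case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def group_for(rows: Rows, mac: str) -> Optional[str]:
    """Scan output 'Group name': exact, case-sensitive match on the first column."""
    for entry, group in rows:
        if entry == mac:
            return group
    return None


def matched_mac_address(rows: Rows, device_macs: List[str], required_group: str) -> bool:
    """Scan output 'Matched-MAC-Address': True if any NIC on the device maps to
    the group named in the scan's 'Group name' property."""
    return any(group_for(rows, mac) == required_group for mac in device_macs)


if __name__ == "__main__":
    rows = parse_data_set(SAMPLE_DATA_SET)
    print(lint_data_set(rows))
    # Same adapter, two answers: exactly the unreliability the note warns about.
    print(group_for(rows, "00:50:8b:e8:f9:28"), group_for(rows, "00:50:8B:E8:F9:28"))
```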

Operating System Scan Packages

You can create a scan package to check for specific operating system versions. These
include Platform Type, Windows, and Windows Update.

Citrix Clientless Scans for Platform Type

Citrix Clientless Scans for Platform Type detects whether or not the user device is
running the following operating system software:
• Android
• BlackBerry
• iPad
• iPhone
• Linux
• Mac OS X
• Symbian
• Windows 7
• Windows Mobile
• Windows Vista
• Windows XP

Scans from this package do not require client-side software to run on the user device.
Scan outputs are determined by examining the communication sent by the user's browser.

Supported Versions
• Android (Google Nexus), Version 2.2
• BlackBerry, Version 4.7.1.40
• iPad, Version 3.2
• iPhone (3G and 3GS), Version 3.1
• Mac OS X, Version 10.5 and 10.6 (English only)
• Nokia Symbian, Version 11.2021
• Windows 7
• Windows Mobile (htc), 6.5 Professional
• Windows Vista
• Windows XP, with Service Pack 3

Properties You Can Specify
  Expected platform type
      Select the name of the operating system or platform from the drop-down menu.

Scan Outputs
  Verified - Platform Type
      This Boolean output indicates if the operating system or platform is the one
      specified.
  Platform Type
      Indicates the type of operating system or platform.

Citrix Scans for Microsoft Windows Service Pack

Citrix Scans for Microsoft Windows Service Pack detects if the operating system
software on the user device is running at a required minimum service pack level.

Properties You Can Specify
  Minimum required service pack
      Select a Windows service pack version from the drop-down menu. Select None
      to detect a base, unpatched operating system version.

Scan Outputs
  Service Pack
      Returns the service pack version running on the user device.
  Verified-WindowsService-Pack
      This Boolean output indicates if the required minimum service pack level is
      met.

Citrix Scans for Microsoft Windows Update


Citrix Scans for Microsoft Windows Update detects whether a set of specified operating
system updates are installed on the user device.
Note: This scan package requires you to create a single-column data set listing the
update names you wish to detect.

Chapter 9

Managing the Access Gateway Appliance and Access Controller


Properties You Can Specify
Data set name
    Name of a data set file that contains a single-column list of updates appropriate for the detected operating system.

Scan Outputs
Verified-WindowsUpdates
    This Boolean output indicates if the updates specified in the data set file exist on the user device.
Using Scan Outputs in Other Scans


You can use scan outputs as conditions in other endpoint analysis scans. This feature
allows you to make the result of one scan a condition for another scan to run.

To create conditions from scan outputs


You can create conditions from scan outputs in the following three ways:
• In the Citrix Delivery Services Console, select Endpoint Analysis Scans in the
console tree and then click Edit available conditions list in Common Tasks.
• On the Select Conditions page of the Create Scan wizard, select Use Another
Scan's Output as a Condition.
• Select a scan output in the Properties view for a specific scan and then click Create
condition.

Example: Using a Scan Output as a Condition


Assume that you have two divisions, Sales and Finance, that are each assigned their
own domain. The Sales group requires all of its user devices that connect remotely to
run Antivirus Program A, but the Finance group requires its user devices to run Antivirus
Program B.
Follow the steps below to verify that these user devices are running the required
antivirus program version.
1. Create two scans using Citrix Scans for Domain Membership:
   • A Sales domain scan to verify that user devices belong to the Sales domain
   • A Finance domain scan to verify that user devices belong to the Finance domain
2. Create a scan to check only Sales domain user devices for Antivirus Program A:
   On the Select Conditions page of the Create Scan wizard, select Use Another
   Scan's Output as a Condition and follow the prompts to identify the scan
   output for the Sales domain scan you created in Step 1.
   Use the scan output Verified-domain from the Sales domain scan as your new
   condition and require it to have a value of True.
3. Create a scan to check only Finance domain user devices for Antivirus Program B:
   On the Select Conditions page of the Create Scan wizard, select Use Another
   Scan's Output as a Condition and follow the prompts to identify the scan
   output for the Finance domain scan you created in Step 1.
   Use the scan output Verified-domain from the Finance domain scan as your
   new condition and require it to have a value of True.
You can use scan outputs in custom filters to achieve similar results for complex scenarios.
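The gating described in this example, as added Python code that is not part of the guide: each scan is a small function producing named outputs, a condition is another scan's output compared with a required value, and a scan whose condition is not met is skipped rather than failed. The scan checks, output names other than Verified-domain, and the device facts are constructed stand-ins for the real Citrix scan packages.

```python
"""Scan outputs as conditions for other scans (added example, not Citrix code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Outputs = Dict[str, object]
# (name of the source scan, output name on that scan, value the output must have)
Condition = Tuple[str, str, object]


@dataclass
class Scan:
    name: str
    check: Callable[[dict], Outputs]            # device facts -> this scan's outputs
    conditions: List[Condition] = field(default_factory=list)


def run_scans(scans: List[Scan], device: dict) -> Dict[str, Optional[Outputs]]:
    """Evaluate scans in dependency order.

    Returns one entry per scan: its outputs if it ran, or None if one of its
    conditions was not met (or the source scan itself did not run). Raises
    ValueError for a condition that names an unknown scan or forms a cycle.
    """
    results: Dict[str, Optional[Outputs]] = {}
    pending = list(scans)
    while pending:
        progressed = False
        for scan in list(pending):
            sources = [src for src, _, _ in scan.conditions]
            if any(src not in results for src in sources):
                continue  # a source scan has not been evaluated yet
            satisfied = all(
                results[src] is not None and results[src].get(out) == want
                for src, out, want in scan.conditions
            )
            results[scan.name] = scan.check(device) if satisfied else None
            pending.remove(scan)
            progressed = True
        if not progressed:
            missing = {src for s in pending for src, _, _ in s.conditions
                       if src not in results}
            raise ValueError(f"unresolvable conditions: {sorted(missing)}")
    return results


def domain_membership(domain: str) -> Callable[[dict], Outputs]:
    """Stand-in for Citrix Scans for Domain Membership: Verified-domain output."""
    def check(device: dict) -> Outputs:
        return {"Verified-domain": device.get("domain", "").lower() == domain.lower()}
    return check


def antivirus_version(product: str, minimum: Tuple[int, ...]) -> Callable[[dict], Outputs]:
    """Stand-in for an antivirus scan: named product installed at or above `minimum`."""
    def check(device: dict) -> Outputs:
        av = device.get("antivirus") or {}
        ok = av.get("product") == product and tuple(av.get("version", ())) >= minimum
        return {"Verified-antivirus": ok, "Product": av.get("product")}
    return check


# The guide's Sales / Finance scenario. The antivirus scans are listed first on
# purpose: run_scans still evaluates the domain scans they depend on before them.
SCANS = [
    Scan("Sales antivirus", antivirus_version("Antivirus Program A", (8, 0)),
         [("Sales domain", "Verified-domain", True)]),
    Scan("Finance antivirus", antivirus_version("Antivirus Program B", (5, 2)),
         [("Finance domain", "Verified-domain", True)]),
    Scan("Sales domain", domain_membership("sales")),
    Scan("Finance domain", domain_membership("finance")),
]

# Constructed device facts for a Sales laptop (not real scan data).
SALES_LAPTOP = {"domain": "SALES",
                "antivirus": {"product": "Antivirus Program A", "version": (8, 1)}}

if __name__ == "__main__":
    for name, outputs in run_scans(SCANS, SALES_LAPTOP).items():
        print(f"{name}: {'skipped' if outputs is None else outputs}")
```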

Using Data Sets in Scans


Some endpoint analysis scans reference a data set of values to compare against values
detected on the user device. For example, you might require multiple operating system
updates on the user device and need the scan to verify that the entire set of updates is
present. This list of required updates is an example of a data set. Data sets are stored
in the shared database for the cluster. You can create a data set by importing a comma-separated values (.csv) file or by entering individual values.
Lists
Lists are single-column data sets that indicate multiple required values for a single
property. Scan packages that use lists include:
• Citrix Scans for Windows Update, which verify that user devices are running all of
the updates you list in a data set.
• Citrix Scans for Internet Explorer Update, which verify that user devices are
running all of the updates you list in a data set.
Maps
Maps, or double-column data sets, detect a value on the user device and map it to
another value used in the scan.
For example, Citrix Scans for MAC Address detects the MAC address for each network
interface card (NIC) or network adapter on the user device. The scans reference a
double-column data set to map the address (the first column value) to a group name
(the second column value). Scans use this mapping to verify the logical group to
which the user device belongs.

Creating Data Sets


Follow the procedure below to create a named data set and then enter data into it. For
a list (single-column data set), you can enter data manually or import it from a .csv
file. For a map (double-column data set), you must import initial data from a .csv file.
Note: Data set values can be treated as case-sensitive, depending on the scan
package using the data set. If you are using a case-sensitive package, avoid creating
conflicting entries that differ in case. For example, with the Citrix Scans for MAC
Address package, it is possible to create an entry for the same address and map it to
two different groups. One entry might map the address 00:50:8b:e8:f9:28 to the
Finance group. Another entry can map the same address with different case lettering,
00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results unreliable.

To create a data set


1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Select Endpoint Analysis Scans and under Common Tasks, click Manage data sets.
4. In the Data Sets dialog box, click New.
The New Data Set dialog box opens.
5. Enter a name for the new data set.
6. Enter data in one of the following two ways:
   • Enter a path to a .csv file containing initial data to import. You must use this
   method to create a double-column data set.
   • Leave the file path blank to create an empty single-column data set. Add values
   by editing the data set after you create it.
7. Click OK.
You can also edit an existing data set from the Data Sets dialog box.

Example: Verifying a Set of Required Updates


This example describes the steps for creating a scan to verify that user devices are
running required updates for a particular version of Windows.
1. Use the Citrix Scans for Windows Update scan package to create a scan that
verifies whether or not the user device is running with the required updates.
2. Create a single-column data set listing the Windows updates you require if the user
device is running the correct updates. Example values for such a data set might be
KB898461, KB950760, and KB960225.
3. Use the Citrix Scans for Windows Update scan package to create a scan to check
for the required updates on user devices running the version of Windows you specify.
a. On the Select Conditions page of the Create Scan wizard, click Use Another
Scan's Output as a Condition and identify the scan output that identifies the
product version from the scan you created in Step 1.
b. In the Define Values dialog box, name the new condition and add the
appropriate allowed value.
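To make the list and map data set semantics concrete, and the case-conflict warning in the Creating Data Sets note, here is an added Python example that is not Citrix code: it loads both data set shapes from .csv text, rejects a MAC address map whose keys differ only in letter case, and performs the comparisons a Windows Update list scan and a MAC address map scan would make. The .csv contents, the installed-update lists and the detected adapters are constructed for illustration.

```python
"""Load, validate and evaluate endpoint analysis data sets (added example)."""
import csv
import io
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_rows(csv_text):
    """Split .csv text into rows of stripped cells, dropping blank lines."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if any(cells):
            rows.append(cells)
    return rows


def load_list(csv_text):
    """Load a single-column data set (a 'list' in the guide's terms)."""
    rows = parse_rows(csv_text)
    bad = [r for r in rows if len(r) != 1]
    if bad:
        raise ValueError(f"list data set must have one column, got {bad[0]}")
    return [r[0] for r in rows]


def load_map(csv_text, normalize=lambda s: s):
    """Load a double-column data set (a 'map'): first column -> second column.

    `normalize` is applied to keys before they are compared, so entries that
    differ only in case (or separator) are recognised as the same key. Raises
    ValueError when one key would map to two different values, which is the
    unreliable-result situation the guide's note warns about.
    """
    mapping = {}
    for r in parse_rows(csv_text):
        if len(r) != 2:
            raise ValueError(f"map data set must have two columns, got {r}")
        key, value = normalize(r[0]), r[1]
        if key in mapping and mapping[key] != value:
            raise ValueError(f"conflicting entries for {r[0]!r}: "
                             f"{mapping[key]!r} vs {value!r}")
        mapping[key] = value
    return mapping


def normalize_mac(mac):
    """Canonical MAC form: lowercase, colon separated. Rejects malformed input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def verified_windows_updates(required, installed):
    """Model of the Verified-WindowsUpdates output: True only when every update
    named in the list data set is present. Returns (verified, missing names)."""
    missing = sorted(set(required) - set(installed))
    return (not missing, missing)


def adapter_groups(mac_to_group, detected_macs):
    """Map each detected adapter to its logical group (None if not listed)."""
    return {mac: mac_to_group.get(normalize_mac(mac)) for mac in detected_macs}


# Constructed sample data sets (not files from the guide).
UPDATES_CSV = "KB898461\nKB950760\nKB960225\n"
MAC_CSV_OK = "00:50:8b:e8:f9:28,Finance\n00-1A-2B-3C-4D-5E,Sales\n"
# The same address in different case mapped to two groups: must be rejected.
MAC_CSV_CONFLICT = "00:50:8b:e8:f9:28,Finance\n00:50:8B:E8:F9:28,Sales\n"

if __name__ == "__main__":
    print(verified_windows_updates(load_list(UPDATES_CSV), ["KB898461", "KB960225"]))
    groups = load_map(MAC_CSV_OK, normalize_mac)
    print(adapter_groups(groups, ["00:50:8B:E8:F9:28", "aa:bb:cc:dd:ee:ff"]))
    try:
        load_map(MAC_CSV_CONFLICT, normalize_mac)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the conflict check before ctxepadatasetupdate /import keeps a case-sensitive package from ever seeing two groups for one adapter.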


Scripting and Scheduling Scan Updates


Two command utilities are available to assist you in writing scripts or scheduling
endpoint analysis scan updates. You can run these utilities from a command prompt in
the following default location on the server:
%systemroot%\Program Files\Citrix\Access Gateway\MSAMExtensions\
Note: You must run discovery after using these utilities in order for the Citrix Delivery
Services console to find and display the new values.
The next two sections describe each utility.

Updating Property Values in Scans


You can use the CtxEpaParamUpdate utility to update the required property values for
a scan. For example, if you require user devices to have a specified pattern version
level of antivirus software, you can create a script to update the scan when you need
to change which pattern file is being detected. This command is designed for use as a
scheduled task on a server with the Delivery Services Console installed.
Use the following syntax, including quotation marks:
ctxepaparamupdate package_uri package_version scan_name rule_name param_name new_value
where the parameters are:
package_uri
    Uniform Resource Identifier (URI) of the scan package to which the scan belongs. You can find the URI information for a scan package in the Delivery Services Console Properties view for the scan package.
package_version
    Version of the scan package to which the scan belongs. You can find the version information for a scan package in the Delivery Services Console Properties view for the scan package.
scan_name
    Name of the scan in which the property is set.
rule_name
    Name of the rule in which the required property value is set.
param_name
    Parameter name for the required value. You can find the parameter name and its current setting in the Delivery Services Console in the Properties view for the scan rule.
new_value
    The new value. If the required property has a restricted value range, this new value must be within that range.


Example: To update a scan with the CtxEpaParamUpdate utility


Assume that you want to update an existing scan from the scan package Citrix Scans for
McAfee VirusScan Enterprise. To update the required engine version to 4.4 and the
pattern version to 4641, type:
"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" http://www.citrix.com/EndpointAnalysisPackages/CitrixVSEMcAfee.cab 5.0.0.0 scan_name rule_name PatternVersion 4641
and also type:
"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" http://www.citrix.com/EndpointAnalysisPackages/CitrixVSEMcAfee.cab 5.0.0.0 scan_name rule_name EngineVersion 4.4
where scan_name and rule_name are the existing scan name and rule name.

Updating Data Sets


You can use CtxEpaDataSetUpdate to script or schedule updates to data sets. For
example, you might prefer to create your own script to automate a task, such as
updating the pattern file number required for an antivirus program.
Use the following command options (switches) with this utility:

/import
    Description: Creates a new data set by importing a .csv file.
    Syntax: ctxepadatasetupdate /import file_name.csv dataset_name
/reimport
    Description: Replaces all contents of an existing data set by importing a new .csv file.
    Syntax: ctxepadatasetupdate /reimport file_name.csv dataset_name
/export
    Description: Exports the data set in a .csv file.
    Syntax: ctxepadatasetupdate /export file_name.csv dataset_name
/destroy
    Description: Deletes the data set.
    Syntax: ctxepadatasetupdate /destroy dataset_name
/add
    Description: Adds an additional value to the specified data set.
    Syntax: ctxepadatasetupdate /add dataset_name key [value]
/overwrite
    Description: Replaces an entry in a mapping (double-column) data set.
    Syntax: ctxepadatasetupdate /overwrite dataset_name key value
/remove
    Description: Deletes an entry in a data set.
    Syntax: ctxepadatasetupdate /remove dataset_name key

Use the following parameters in the preceding command options:
file_name.csv
    The name of the .csv file that contains the data set.
dataset_name
    The name for the data set.
key
    If the data set is a list (single-column data set), this is a value in the list. If the data set is a map (double-column data set), this is the first column value.
value
    If the data set is a map (double-column data set), this is the second column value. If the data set is a list (single-column data set), this parameter does not exist.

To locate official parameter names in scans


You can find parameter names from the scan properties in the console.
1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans, expand the scan types, and then select the scan
for which you want to view parameter names.
4. Select a rule associated with the scan and then choose the Properties view in the
right details pane.
5. Select the row that displays the property and then scroll to the right to view the
Parameter Name column.

Creating Advanced Endpoint Analysis Scans


You can create advanced endpoint analysis scans using the Citrix Endpoint Analysis
Portal, powered by OPSWAT. You can create custom endpoint analysis scans for a wide
variety of products. You use the Policy Generator on the Endpoint Analysis Portal to
create policies that enable you to secure user devices.
In Citrix Access Controller, you can use the Advanced Endpoint Analysis Scan policies in
SmartAccess policies or to control the visibility of a logon point.
For example, you can deny logon point visibility for users who fail the scan.


Citrix recommends upgrading Access Controller to Access Gateway Version 5.0.1 or
later. For more information, see the maintenance release readme for Access Gateway
5.0 on the Citrix Support Web site.
For a list of known issues with this release, see the readme Citrix Access Gateway 5.0
with Advanced Endpoint Analysis powered by OPSWAT on the Citrix Support Web site.

How the Citrix Endpoint Analysis Portal Works


The Citrix Endpoint Analysis Portal allows you to create advanced endpoint scan
packages for a wide variety of software products. When you create a policy, all
available products are shown in a tree view in the left pane of the Policy Generator.
The hierarchy of the tree is vendor name > product name > product version. To select a
product and version, simply click on the version and drag to the Selected Products
tree on the right.
When you drag a product and version to the Selected Products tree, you create rules.
When the Advanced Endpoint Analysis Plug-in scans the user device and a product is
found that satisfies all the rules, the plug-in stops checking the user device.
If you select all the versions for a product or vendor, the .csv file contains a wildcard
match against versions. If a new version of the product is released by the vendor, the
Advanced Endpoint Analysis Plug-in recognizes the new version automatically due to
the wildcard match.
Any time you change products within the Advanced Endpoint Analysis Portal, you must
create a new policy and upload it to the server.
The categories of product types that you can choose as part of the scan for end user
devices include:
• Antivirus software
• Antispyware software
• Antiphishing software
• Firewall software
• Hard disk encryption software
• Patch management
• Peer-to-peer networking
Peer-to-peer networking does not have any rules. By default, all peer-to-peer
networking products are blocked. The only rule you can choose decides which peer-to-peer networking products to allow.
The Malware Scanner is a free tool that enables your advanced endpoint analysis
solution to conduct an active scan of the current running processes and memory
modules on a user device in only seconds. You can use the tool to detect malware
threats, such as keystroke loggers or viruses on the user device. The Malware Scanner is
enabled by default. You can disable it using the Policy Generator.
The steps for creating and deploying a custom advanced endpoint analysis scan are as
follows:

1. Download the configuration file (CustomScan.cab) and Endpoint Analysis Plug-in
(EPAPlugin.zip) from the Citrix Endpoint Analysis Portal for your version of Access
Gateway.
2. In the Citrix Endpoint Analysis Portal, use the Policy Generator to choose from a
variety of products as requirements for user devices. You select the products that
must be installed on the user device and then create a .csv file to download to the
server.
3. In the management console, import the configuration file (CustomScan.cab) to the
server.
4. In the management console, create a scan using the .csv file after you import the
configuration file.
5. Install the Advanced Endpoint Analysis Plug-in on the server.
6. Select the Advanced Endpoint Analysis Plug-in in the logon point. You must
associate the plug-in with a logon point to allow users to download the plug-in to
the user device. When users log on to Access Gateway, the Advanced Endpoint
Analysis Plug-in downloads to the user device and then scans the device for the
required software.
Note: Steps 1 through 4 are identical if you are using Access Gateway 4.5, Advanced
Edition or Access Gateway 5.0. For each Access Gateway version, you follow different
procedures for installing the Advanced Endpoint Analysis Plug-in.

How the Malware Scanner Works


The Malware Scanner is a free tool available from the Citrix Endpoint Analysis Portal.
When users log on, the Malware Scanner enforces an active scan of the currently
running processes and memory modules on the user device. You can use the Malware
Scanner to detect threats, such as keystroke loggers or viruses on the user device. The
Malware Scanner runs automatically and takes only a few seconds to scan the user
device. Users must be connected to the Internet to run the Malware Scanner. The
Malware Scanner connects to the OPSWAT portal and information is sent to the site for
verification.
You can use either the free version of the Malware Scanner or purchase the premium
version through OPSWAT. If you purchase the premium version, you need to enter the
license key on the Policy Generator tab in the Citrix Endpoint Analysis Portal. For more
information, see the OPSWAT Web site.
The Malware Scanner is enabled by default on the Policy Generator tab in the portal.
You can disable the Malware Scanner at any time.
Note: If you enable or disable the Malware Scanner, you must create the endpoint
analysis policy again and upload the new .csv file to the server.
To disable or enable the Malware Scanner
1. Go to the Citrix Endpoint Analysis Portal and then click the Policy Generator tab.

2. Select Enforce Malware Scan.

Downloading Files from the Citrix Endpoint Analysis Portal


To create advanced endpoint analysis scans using the Citrix Endpoint Analysis Portal,
you download the file CustomScan.cab from the Downloads tab. You must also
download the Advanced Endpoint Analysis Plug-in from the Endpoint Analysis Portal.
After you associate the plug-in with a logon point, when users log on, the plug-in
downloads to the user device and then scans the user device.
OPSWAT updates these two files monthly. Each month you need to download the
updated files and then install them on your server. This provides support for the latest
version of software products from manufacturers.

To download files from the Endpoint Analysis Portal


1. Go to the Citrix Endpoint Analysis Portal and then click the Downloads tab.
2. Select the file CustomScan.cab for your version of Access Gateway and then click
Download. Follow the prompts to save the file on your server.
3. Select the file EPAPlugin.zip for your Access Gateway version and then click
Download. Follow the prompts to save the file on your server.
Next, you import the files to the server as a custom scan. You then create a
custom scan and deploy the Advanced Endpoint Analysis Plug-in with logon points.

Creating an Advanced Endpoint Analysis Scan Policy


You can use the Policy Generator on the Citrix Endpoint Analysis Portal to create an
advanced endpoint analysis scan policy. The policy can contain any of the products
listed in each of the categories in the left pane of the Policy Generator. When you
select a product and version from a category, the Policy Generator shows you which
category is enabled and the number of rules you selected.
When you are finished building the policy, you then create and download a .csv file.
When you create a policy for an advanced endpoint analysis scan, you then upload
the .csv file to Access Controller.
1. Go to the Citrix Endpoint Analysis Portal and then click the Policy Generator tab.
2. In the left pane, double-click a policy type, such as Antiphishing.
3. In the right pane, select Check to enable.
When you select this check box, a list of available products appears.
4. Under Available Products, expand the product list and then drag one or more
products to the Selected Products pane.
5. Repeat Steps 3 and 4 for each product you want to add to the policy.
6. Click Finish & Export Policy and then save the .csv file to your computer.
Before you create the advanced endpoint analysis scan in Access Gateway, you need to
download the custom configuration (.cab) file and Endpoint Analysis Plug-in from the
portal page. You then import the customscan.cab file to a scan group in Access Controller.

To import the custom .cab file to Access Controller


After you download the file customscan.cab from the Citrix Endpoint Analysis Portal,
you import the file to Access Controller.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand the Access Controller cluster (the default name is
CitrixController).
3. Expand Endpoint Analysis Scans and then select a scan group.
Note: You can import the .cab file into any scan group listed under Endpoint
Analysis Scans. Typically, you import the .cab to Custom Scans.
4. In the middle pane, under Common Tasks, click Import scan package.
5. On the Select Scan Package Rule dialog box, browse to and select the
customscan.cab file you downloaded from the Citrix Endpoint Analysis Portal page
and then click Open.
The Advanced Endpoint Scan appears under Custom Scans in the console tree.
Next, you can create a policy for the scan.

To create an advanced endpoint analysis policy in Access Controller


After you import the endpoint analysis files to Access Controller, you then upload
the .csv file to Access Controller and create the policy.
Note: If you have not already created the .csv file in the Citrix Endpoint Analysis
Portal, you can do so by following the steps in Creating an Advanced Endpoint
Analysis Scan Policy on page 272. You can also generate a new policy file at any time.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand the Access Controller cluster name (the default is
CitrixController).
3. Expand Endpoint Analysis Scans.
4. Under Custom Scans, or within the scan group where you installed the .cab file,
select Advanced Endpoint Scan.
5. Under Common Tasks, click Create scan.
6. In the Create Scan dialog box, in Scan name, enter a name for the scan and then
click Next.
7. In Select Conditions, select Logon Point and then click Next.
8. On the Define Rule page, in Rule name, enter a name for the rule and then click
Next.
9. In Operating System, select one or more operating systems you want the scan to
detect and then click Next.

10. In Configure Conditions, under Condition, select the logon points for the policy
and then click Next.
11. In Define Property to Verify, click Create Data Set.
12. In the New Data Set dialog box, in Enter a name for the data set, type a name.
13. Next to the field labeled Enter a path to a .csv file to provide an initial set of data
(to create an empty data set, leave the field blank), click Browse.
14. Navigate to the .csv file you saved on your computer, click Open, click OK and
then click Finish.

Configuring Additional Options for Advanced Endpoint Analysis Scans


When you create an endpoint analysis policy in the Citrix Endpoint Analysis Portal, you
can select additional options for enforcing requirements on user devices. You enable
the options when you select the products to include in the advanced endpoint analysis
scan. When you create the .csv file, these options are included in the file. Not all of
the options are available for all products. For example, some antivirus products might
not require users to enable the software on the user device.
The options include:
• Is Product Authentic. Each service that is part of the product detected on the user
device must be digitally signed. This option is available with antivirus, antispyware,
firewall, patch management, and hard disk encryption policies.
• Real-Time Protection. Users must enable the software product on the user device
to pass the endpoint analysis scan. This option is available with antivirus and
antispyware policies.
• Last Full System Scan. A scan of the user device must be successfully completed
within the number of days provided. When you enable this option, enter the number
of days allowed since the last successful scan. This option is available with antivirus
and antispyware policies.
• Last Update. You can specify the number of days since the software product was
last updated. When you enable this option, enter the number of days allowed since
the last successful scan. This option is available with antivirus and antispyware
policies.
• Firewall Protection. Users must enable their firewall product for the user device to
pass this scan. This option is available for firewall policies only.
• Automatic Update. The selected patches in the policy must be set to automatically
deploy the patches on the user device. If you select this option and automatic
deployment is not set on the user device, the device fails the scan. This option is
available for Patch Management policies only.
• Missing Patches. You can specify the number of patches that can be missing from
the user device to pass the endpoint analysis scan. If the user device exceeds this
limit, the scan fails. This option is available for Patch Management policies only.


• Antiphishing Protection. User devices must have at least one browser protected by
the required antiphishing product. This option is available for antiphishing policies
only.
• Encryption Status. The hard drive of the user device must be encrypted to pass the
scan. This option is available for hard disk encryption policies only.
To enable additional options in the Citrix Endpoint Analysis Portal
1. Go to the Citrix Endpoint Analysis Portal and then click the Policy Generator tab.
2. Select a product type on the right and then select Check to enable.
3. Under the product list, select the options you want to enable.
To configure global settings in the Citrix Endpoint Analysis Portal
You can configure global settings within the advanced endpoint analysis policies to allow
or deny access when users log on. You can allow or deny access based on the results of
the scan. There are two global settings that you can configure. These include:
• Information was missing or unavailable. When the endpoint analysis scan runs on
the user device, if information is missing, you can choose whether the user device is
allowed to pass or fail the scan. For example, if you select the product ClamAV, an
antivirus product, and select Real-Time Protection, the scan might fail because
ClamAV does not require users to enable the product. In this instance, you can
choose to allow the scan to pass and allow users to log on. The default setting for
this option is allow.
• Unexpected error occurred. Occasionally, there might be an internal error on the
user device when the endpoint analysis scan runs. You can choose to allow or deny
access from the user device if an internal error occurs. The default setting for this
option is deny.
1. Go to the Citrix Endpoint Analysis Portal and then click the Policy Generator tab.
2. In the product list on the left, click Global Settings and then select your options.
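How the additional options and the two global settings combine for one product rule, as an added Python example that is neither OPSWAT nor Citrix code: each enabled option is checked against facts reported for the device, a fact the plug-in could not obtain is resolved by the "Information was missing or unavailable" setting, and an exception inside a check by the "Unexpected error occurred" setting. The fact names and the ClamAV sample facts are assumptions constructed for illustration.

```python
"""Evaluate advanced endpoint analysis rule options with global settings (added example)."""
from datetime import date, timedelta

# Defaults as the guide states them: missing information allows, errors deny.
DEFAULT_GLOBAL = {"missing_information": "allow", "unexpected_error": "deny"}

MISSING = object()  # sentinel: the plug-in could not obtain this fact

# option name -> (assumed device fact it needs, how the policy setting applies)
#   flag: the fact must be true
#   days: the fact is a date no more than <setting> days before today
#   max:  the fact is a count no greater than <setting>
OPTIONS = {
    "Is Product Authentic":    ("services_signed",   "flag"),
    "Real-Time Protection":    ("realtime_enabled",  "flag"),
    "Firewall Protection":     ("firewall_enabled",  "flag"),
    "Automatic Update":        ("auto_update",       "flag"),
    "Antiphishing Protection": ("browser_protected", "flag"),
    "Encryption Status":       ("disk_encrypted",    "flag"),
    "Last Full System Scan":   ("last_full_scan",    "days"),
    "Last Update":             ("last_update",       "days"),
    "Missing Patches":         ("missing_patches",   "max"),
}


def evaluate_option(option, setting, facts, today):
    """Return True/False for one option, or MISSING if the needed fact is absent."""
    key, kind = OPTIONS[option]
    if key not in facts:
        return MISSING
    value = facts[key]
    if kind == "flag":
        return bool(value)
    if kind == "days":
        return (today - value).days <= setting  # raises TypeError if not a date
    return value <= setting


def evaluate_rule(options, facts, today, global_settings=DEFAULT_GLOBAL):
    """Apply every enabled option of one product rule.

    Returns (passed, reasons). A missing fact or an exception inside a check is
    resolved by the global settings instead of failing the device outright.
    """
    passed, reasons = True, []
    for option, setting in options.items():
        try:
            result = evaluate_option(option, setting, facts, today)
        except Exception as exc:  # "Unexpected error occurred"
            allow = global_settings["unexpected_error"] == "allow"
            reasons.append(f"{option}: error {type(exc).__name__} -> "
                           f"{'allow' if allow else 'deny'}")
            passed = passed and allow
            continue
        if result is MISSING:  # "Information was missing or unavailable"
            allow = global_settings["missing_information"] == "allow"
            reasons.append(f"{option}: information unavailable -> "
                           f"{'allow' if allow else 'deny'}")
            passed = passed and allow
        elif not result:
            reasons.append(f"{option}: requirement not met")
            passed = False
    return passed, reasons


# Constructed sample: the guide's ClamAV case, where Real-Time Protection has no
# value to report because the product has no such switch.
TODAY = date(2011, 5, 12)
CLAMAV_POLICY = {"Real-Time Protection": True, "Last Update": 7}
CLAMAV_FACTS = {"product": "ClamAV", "last_update": TODAY - timedelta(days=2)}

if __name__ == "__main__":
    print(evaluate_rule(CLAMAV_POLICY, CLAMAV_FACTS, TODAY))
    strict = {"missing_information": "deny", "unexpected_error": "deny"}
    print(evaluate_rule(CLAMAV_POLICY, CLAMAV_FACTS, TODAY, strict))
```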

Deploying the Advanced Endpoint Analysis Plug-in


When you create advanced endpoint analysis policies from the Citrix Endpoint Analysis
Portal, you also need to download and then deploy the Advanced Endpoint Analysis
Plug-in. The plug-in is software that downloads to the user device and then scans the
device for the items required in the endpoint analysis scan, such as antivirus or firewall software.
You download the Advanced Endpoint Analysis Plug-in from the Downloads tab in the
Citrix Endpoint Analysis Portal and save it to your computer as a .zip file.
After you configure the custom endpoint analysis scan policy, you then install the
Endpoint Analysis Plug-in on Access Gateway using Server Configuration. You do not
need to extract the files to install the plug-in on Access Gateway. You then associate
the plug-in with one or more logon points.

To install the Advanced Endpoint Analysis Plug-in on Access Controller


1. Click Start> Programs>Citrix>Access Gateway>Server Configuration.

2. Under Tasks, click Import Plug-in Package.
The default package appears selected in the middle pane.
3. Click Import and then navigate to the epaplugin.zip file you downloaded from the
Citrix Endpoint Analysis Portal.
The plug-in appears in the list with the name Advanced Endpoint Analysis Plugin.
After you install the plug-in, you then associate it with one or more logon points.

To associate the Advanced Endpoint Analysis Plug-in with a logon point


1. Click Start> Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand the Access Controller cluster name, expand Logon Points and then select a
logon point you want to associate with the Advanced Endpoint Analysis Plug-in.
3. Under Common Tasks, click Edit logon point properties.
4. In the Logon Point Properties dialog box, click Select Plug-in.
5. Under Package Display Name, select Advanced Endpoint Analysis Plugin and then
click OK.
6. Select the same logon point in the navigation pane.
7. Under Common Tasks, click Refresh logon page information and then click OK.
When you refresh the logon page information, the Advanced Endpoint Analysis Plug-in
is uploaded to the Access Gateway appliance. When users log on, the plug-in
downloads to the user device and the scan runs.
Repeat these steps for each logon point with which you want to associate the plug-in.

Configuring Clustering and Load Balancing


You can deploy multiple Citrix Access Gateway appliances and Citrix Access Controller
servers in your network. When you add multiple servers and appliances, you create a
cluster. When you create a cluster, you configure the Access Gateway appliance with
the settings of one Access Controller server. The appliance then discovers automatically
all of the Access Controller servers in the cluster.
When you install Access Controller on a server, you can add the server to the cluster
when Server Configuration runs. If you want to add an Access Controller server to the
cluster at a later time, you add it by installing Access Controller on another server.
Then, when Server Configuration runs, you join the server to the cluster.
If you need to remove a server from the cluster, you delete it from the Delivery
Services Console. If you uninstall Access Controller, the server is removed automatically
from the cluster.
All servers in the cluster must run Access Controller 5.0. To create a cluster, you must
have Access Controller as part of your deployment.
After you create a cluster, you can load balance user connections without using an
external load balancer. Load balancing provides improved scalability for user

connections. Load balancing supports both the physical Access Gateway appliance and
Access Gateway VPX. Load balancing is for end user sessions and is per session.
You configure load balancing on Access Controller as part of the server cluster
properties and the global properties for the Access Gateway appliances.

How Clustering and Load Balancing Work


Clustering works by installing multiple Access Gateway appliances and Access
Controller servers in your network. When you create a cluster, Access Gateway and
Access Controller work together to load balance user connections. When you create a
cluster of Access Controller servers, all Access Gateway appliances share the same
configuration settings provided by Access Controller.
All Access Controller servers share the same configuration because they are in the same
cluster and they use a shared SQL Server database.
When you add an Access Controller server to Access Gateway, the appliance learns
about the Access Controller servers in the cluster. From there, Access Gateway can
connect to any Access Controller based on load balancing settings.
When you run the Server Configuration wizard, you select the IP address or fully
qualified domain name (FQDN) as the advertised address of the Access Controller. You
can also choose to secure connections between Access Gateway and Access Controller.
You provide the Access Gateway Web address to your users. One Access Gateway in
your deployment monitors all user connections and then determines to which Access
Controller to send the connection request. When Access Gateway contacts Access
Controller, the server then determines to which Access Gateway to redirect the session.
When Access Gateway contacts Access Controller, Access Gateway determines the
following:
• Load on each Access Controller server
• Capability of each server
• Number of Access Gateway appliances
Load balancing on Access Controller uses two methods:
• Round robin, which balances the load among all Access Controllers. You select this
option when all the servers have the same configuration.
• Least loaded, which routes the user session to the Access Controller that has the
fewest connections.
Load balancing on Access Gateway uses the following three methods:
• Round robin
• Least loaded
• Weighted by permissible logon rate
If your environment has certain periods of time when a large number of users logs on
simultaneously, to avoid overloading Access Gateway, use the weighted method to
balance the user load.
Chapter 9

Managing the Access Gateway Appliance and Access Controller


You use cluster properties to configure Access Controller load balancing for each server.
You use the Access Gateway properties page to configure load balancing for all Access
Gateway appliances.
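The following is an added example, not Citrix code, that models the three load balancing methods named above over a constructed cluster of three appliances. Round robin and least loaded follow the descriptions given in this chapter. How "weighted by permissible logon rate" applies its weight is an assumption: each appliance is given an assumed per-interval logon allowance and the one with the most allowance left takes the next logon, falling back to least loaded once every allowance is spent. The guide only names the method.

```python
# Added example (not Citrix code): the three load balancing methods this chapter
# names, applied to a constructed cluster of Access Gateway appliances. The
# "weighted by permissible logon rate" rule below is an assumption about how such
# a weight would be applied; the guide only names the method.
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Appliance:
    name: str
    active_sessions: int            # current user sessions (load)
    permissible_logon_rate: int     # assumed: new logons allowed per interval
    recent_logons: int = 0          # logons handed to it in the current interval


class Balancer:
    def __init__(self, appliances, method="round_robin"):
        if not appliances:
            raise ValueError("no Access Gateway appliances registered")
        self.appliances = list(appliances)
        self.method = method
        self._rr = cycle(self.appliances)

    def pick(self):
        if self.method == "round_robin":
            # Even rotation; appropriate when all appliances are configured alike
            return next(self._rr)
        if self.method == "least_loaded":
            # Send the session to the appliance with the fewest connections
            return min(self.appliances, key=lambda a: a.active_sessions)
        if self.method == "weighted":
            # Assumed rule: prefer the appliance with the most logon headroom in
            # this interval, so a logon burst is spread rather than piled onto the
            # least-loaded box; fall back to least loaded when every rate is spent.
            open_ = [a for a in self.appliances
                     if a.recent_logons < a.permissible_logon_rate]
            if not open_:
                return min(self.appliances, key=lambda a: a.active_sessions)
            return max(open_, key=lambda a: a.permissible_logon_rate - a.recent_logons)
        raise ValueError("unknown load balancing method %r" % self.method)

    def assign(self):
        """Route one new user logon and return the chosen appliance name."""
        a = self.pick()
        a.active_sessions += 1
        a.recent_logons += 1
        return a.name

    def new_interval(self):
        """Reset per-interval logon counters (call once per status interval)."""
        for a in self.appliances:
            a.recent_logons = 0


def simulate(method, n_logons):
    """Constructed cluster: three appliances with different loads and rates."""
    cluster = [Appliance("ag1", 5, 2), Appliance("ag2", 1, 5), Appliance("ag3", 3, 1)]
    balancer = Balancer(cluster, method)
    return [balancer.assign() for _ in range(n_logons)]
```

With the constructed cluster, round robin ignores load entirely, least loaded keeps sending logons to the quiet appliance until it catches up, and the weighted rule spreads a burst across appliances in proportion to their allowance before it degrades to least loaded.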

To add Access Controller servers to a cluster


If your network contains multiple Access Controller servers, you can join them together
in a cluster. When you first install Access Controller and run Server Configuration, you
can join the server to the cluster at that time. You can also change individual servers to
a different cluster at a later time by using Server Configuration.
1. Click Start>Programs>Citrix>Access Gateway>Server Configuration.
2. Under Tasks, click Cluster Information.
3. In Cluster name, type the name of the cluster and then click OK.

Administering Multiple Clusters in the Delivery Services Console


If your network contains multiple Access Controller clusters, you can use the Delivery
Services Console to administer them together.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources and then click Access Gateway.
3. Under Common Tasks, click Add cluster.
4. In Server, type the fully qualified domain name (FQDN) or IP address of any Access
Controller server in the cluster and then click OK.

To configure load balancing for Access Controller


When you deploy Access Gateway with Access Controller, authentication, authorization,
endpoint analysis, and other events rely on communication from Access Gateway to
Access Controller. When you deploy multiple Access Controller servers, this traffic can
be load balanced across the servers.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway, and then expand an Access
Controller.
3. Click Access Gateway appliances.
4. Under Common Tasks, click Edit Access Gateway appliance properties.
5. In the left pane, click Load Balancing Settings.
6. In the right pane, in Select a method for load balancing Access Controller
servers, select a load balancing method.
7. In Appliance status notification interval (in seconds), select the time interval
between status updates from Access Gateway to Access Controller and then click
OK.

To configure load balancing for Access Gateway


When you configure load balancing for Access Gateway appliances, Access Controller
routes user connections to Access Gateway appliances based on the load balancing
algorithm you select. For example, to distribute user connections evenly to Access
Gateway, you could use the least loaded algorithm.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway, and then click an Access
Controller.
3. Under Common Tasks, click Edit cluster properties.
4. In the left pane, click Clustering.
5. In the right pane, in Select load balancing method for Access Gateway
appliances, select a load balancing method and then click OK.

To remove an Access Controller server from the cluster


You can remove a server from the Access Controller cluster at any time. When you
remove a server, the associated resources, policies, and logon points are also removed
from the configuration settings.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources and then expand Access Gateway.
3. Expand CitrixController and then expand Servers.
4. Click the server you want to remove and under Common Tasks, click Remove
server.

To remove an Access Gateway appliance from the cluster


You can remove an Access Gateway appliance from the cluster at any time. When the
appliance is removed, user connections are routed through other appliances in your
network.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway and then expand Access
Gateway appliances.
3. Select an appliance and under Common Tasks, click Remove Access Gateway
appliance and then click Yes.
When you remove an Access Gateway appliance from Access Controller, you must
disable Access Controller using the Access Gateway Management Console. If you do not
disable Access Controller on the appliance, Access Controller registers Access Gateway
again.

To use an external load balancer with Access Controller


You can use an external load balancer with Access Gateway. An external load balancer
can send a query to Access Controller to discover the load metrics for a single server or
all the servers in the cluster. The query results are returned to you in either a text or
an XML file. You can locate these files at the following URLs:
• For Access Controller, use http://AccessGatewayAddress/CitrixLoadBalanceInfo/QueryLB.aspx
• For Access Gateway, use http://AccessGatewayAddress/u/QueryLB.do
When users log on, the external load balancer queries Access Gateway or Access
Controller to determine where to send the user request.
When you configure an external load balancer, you configure a shared secret on Access
Controller. The shared secret enables the query interface.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Expand Citrix Resources, expand Access Gateway and then click an Access
Controller.
3. Under Common Tasks, click Edit cluster properties.
4. In the left pane, click Clustering.
5. In Shared secret for external load monitor, type the shared secret and then click
OK.

Chapter 10

Configuring User Connections


Topics:
Connection Type Descriptions
How User Connections Work
Defining Global Settings for User Connections on the Access Gateway Appliance
Configuring Access Gateway Plug-in Settings in Access Controller
Installing the Access Gateway Plug-in by Using the Microsoft Installer (MSI) Package
Connecting to Access Gateway and Network Resources

Access Gateway supports a variety of end user connection types based on the
deployment scenario and endpoint device type in use. When users make a connection,
Access Gateway creates a secure tunnel to the secure network and handles the Secure
Sockets Layer (SSL) handshake.
The following table describes the different connection types and indicates which
connection types are supported on Basic or SmartAccess logon points.

Connection Type Descriptions


Connection type: XenApp or XenDesktop
Description: Access Gateway accepts Secure Sockets Layer (SSL)-encrypted traffic from
Citrix online plug-ins. Citrix online plug-ins send a connection request to Access
Gateway that includes a ticket generated by the Secure Ticket Authority (STA). Access
Gateway validates the ticket by contacting the appropriate STA and then sends the ICA
traffic to a XenApp or a XenDesktop server if the ticket is validated successfully. For
more information, see Integrating Access Gateway with XenApp or XenDesktop on page 308.
Logon point types: Basic, SmartAccess

Connection type: Citrix Receiver
Description: Access Gateway enables users to log on using Citrix Receiver. The user
launches Citrix Receiver, is authenticated, and can then connect to XenApp-hosted
applications from the user's Start menu or desktop. Users can also connect using the
Access Gateway Plug-in to access resources in the secure network. Users can use Citrix
Dazzle to subscribe to virtualized applications.
Logon point types: Basic, SmartAccess

Connection type: VPN
Description: The Access Gateway Plug-in establishes a network-layer connection between
a user device and Access Gateway. Network traffic is intercepted on the user device and
redirected to Access Gateway. Access Gateway terminates SSL and authorizes the traffic
before forwarding packets to the intended target on the secure network.
Logon point types: SmartAccess

Connection type: Clientless access
Description: Access Gateway can serve as a secure reverse proxy for multiple Web sites
on the secure network. Access Gateway supports clientless access to internal Web sites
and file shares without requiring network interception technology on the user device.
Users are able to access Web applications and file shares from any supported Web
browser. Clientless access is only supported when Access Gateway is deployed with
Access Controller.
Logon point types: SmartAccess

For additional information about user devices, see User Device Requirements on page
42.
The topics in this section discuss configuring settings in Access Gateway and Access
Controller for user connections with the Access Gateway Plug-in for Windows and the
Access Gateway Plug-in for Mac OS X.

How User Connections Work


Access Gateway user connections work as follows:
• Users can connect to Access Gateway by using a Web address. The way in which
users download and install the Access Gateway Plug-in depends on your Access
Gateway deployment and operating systems.

If you deploy Access Gateway as a standalone appliance, users click the padlock
icon in the Web browser and then they receive the option to download and
install the plug-in.
If you deploy Access Gateway with Access Controller, when users log on, the
Access Interface appears. Users click Connect to Network and then they receive
the option to download the plug-in.
On a computer running Mac OS X, users download the plug-in by using one of the
two previous options. After the plug-in downloads, users then receive a dialog
box with the option to install the Access Gateway Plug-in.
On a Windows-based computer, the Access Gateway Plug-in downloads and installs
automatically.
• After the first download and installation of the Access Gateway Plug-in, the user
logs on again. When the user successfully authenticates, Access Gateway establishes
a secure tunnel. When a user uses the Access Gateway Plug-in to log on, Access
Gateway prompts the user for authentication. Access Gateway uses an
authentication type, such as RSA SecurID, LDAP, or RADIUS to authenticate the user's
credentials. If the credentials are correct, Access Gateway finishes the handshake
with the plug-in.
Note: This logon step is required only when a user initially downloads the Access
Gateway Plug-in. If the Access Gateway Plug-in is already installed on the user
device, when the user logs on again with the plug-in, the Access Gateway Plug-in
checks for updates and then logs the user on.
• When users attempt to access network resources through Access Gateway, the
Access Gateway Plug-in encrypts all network traffic destined for the internal
network and forwards the packets to Access Gateway.
• Access Gateway terminates the Secure Sockets Layer (SSL) tunnel, accepts incoming
traffic destined for the private network, and forwards traffic to the private
network. Access Gateway sends traffic back to the user device over a secure tunnel.
If the user is behind a proxy server, the user can specify the proxy server and
authentication credentials.
The Access Gateway Plug-in is installed on the user device. After the first connection,
users can log on using a Web browser or from the Start menu.
When users log on with a Mac OS X computer, they can change settings from the Citrix
Access Gateway menu. For more information, see the Access Gateway Plug-in for Mac
OS X online Help that installs with the plug-in.
If users connect from a Windows-based computer, when logging on from the Start
menu, the user can also open the Citrix Access Gateway Options dialog box, which is
used to configure user device settings, such as selecting a different Web address to log
on to or selecting a different logon point.

To open the Citrix Access Gateway Options dialog box from the Start menu


• Users click Start >All programs >Citrix >Citrix Access Clients >Citrix Access
Gateway - Properties.

Establishing the Secure Tunnel


After the Access Gateway Plug-in starts, it establishes a secure tunnel over port 443 (or
any configured port on Access Gateway) and sends authentication information. When
the tunnel is established, Access Gateway sends configuration information to the
Access Gateway Plug-in. The configuration information describes the networks to be
secured and contains an IP address if you enable and configure address pools.

Tunneling Private Network Traffic over Secure Connections


When the Access Gateway Plug-in starts and the user is authenticated, all network
traffic destined for specified private networks is captured and redirected over the
secure tunnel to Access Gateway.
Access Gateway intercepts all network connections from the user device and multiplexes/
tunnels them over Secure Sockets Layer (SSL) to Access Gateway. Access Gateway then
demultiplexes the traffic and forwards the connections to the correct host and port
combination. A total of 66 tunnels are allowed. The tunnels can be TCP, UDP, or a
combination of both. If more than 66 tunnels are created, users receive an error message.
The connections are subject to administrative security policies that apply to a single IP
address or an entire intranet. You specify the network resources (ranges of IP address/
subnet pairs) that remote users can access through the VPN connection. You can also
specify destination ports and protocols for user connections.
Access Gateway intercepts all IP packets, regardless of protocol, and transmits the
packets over the secure link. Connections from local applications on the user device
are securely tunneled to Access Gateway, which reestablishes the connections to the
target server. Target servers view connections as originating from the local Access
Gateway on the private network, thus hiding the user device. This functionality is also
called reverse Network Address Translation (NAT). Hiding IP addresses adds security to
source locations.
Locally, on the user device, the Access Gateway Plug-in recreates all connection-related
traffic, such as SYN-ACK, PSH, ACK, and FIN packets, to appear from the private server.
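As an added illustration, not Citrix code, of the tunnel table described above: a toy multiplexer that allocates one numbered tunnel per intercepted local connection, enforces the 66-tunnel limit, and keeps the port-mapped reverse NAT table that lets a reply arriving at the gateway's address be matched back to the local application that opened the connection. The gateway address, its source port range and the sample connections are constructed.

```python
# Added example (not Citrix code): a toy model of the per-session tunnel table
# described above. The plug-in side multiplexes local connections into numbered
# tunnels, capped at the 66 the guide states, and the gateway side keeps a
# port-mapped reverse NAT table so that replies are matched back to the right
# local application. Gateway address and port range are constructed.
MAX_TUNNELS = 66  # limit stated in the guide


class TunnelLimitExceeded(Exception):
    """Raised where the plug-in would show the user an error message."""


class TunnelMux:
    def __init__(self, gateway_ip="10.0.0.1"):        # constructed gateway address
        self.gateway_ip = gateway_ip
        self.tunnels = {}       # tunnel id -> (proto, local_port, dst_host, dst_port)
        self.reverse_nat = {}   # (proto, gateway_port) -> tunnel id
        self._next_id = 1
        self._next_port = 40000  # constructed port range the gateway sources from

    def open(self, proto, local_port, dst_host, dst_port):
        """Intercept one local connection and allocate a tunnel for it."""
        if proto not in ("tcp", "udp"):
            raise ValueError("tunnels carry TCP or UDP only")
        if len(self.tunnels) >= MAX_TUNNELS:
            raise TunnelLimitExceeded("more than %d tunnels requested" % MAX_TUNNELS)
        tid, gw_port = self._next_id, self._next_port
        self._next_id += 1
        self._next_port += 1
        self.tunnels[tid] = (proto, local_port, dst_host, dst_port)
        # The target server only ever sees (gateway_ip, gw_port); the user
        # device's own address is hidden (reverse NAT).
        self.reverse_nat[(proto, gw_port)] = tid
        return tid, (self.gateway_ip, gw_port)

    def close(self, tid):
        """Tear a tunnel down and drop its reverse NAT entry."""
        del self.tunnels[tid]
        self.reverse_nat = {k: v for k, v in self.reverse_nat.items() if v != tid}

    def route_reply(self, proto, gw_port):
        """Map a packet returning to (gateway_ip, gw_port) back to the tunnel and
        the local port of the application that opened it; None if unmatched."""
        tid = self.reverse_nat.get((proto, gw_port))
        if tid is None:
            return None
        _, local_port, _, _ = self.tunnels[tid]
        return tid, local_port

    def open_count(self):
        return len(self.tunnels)
```

The reverse NAT key is the protocol and gateway-side port, so a reply that does not match an open tunnel is dropped rather than forwarded to the user device; the same lookup is what fails when a user exceeds the tunnel limit and sees the error the guide describes.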

Making Connections Through Firewalls and Proxies


Users of the Access Gateway Plug-in are sometimes located inside another
organization's firewall, as shown in the following illustration:

Figure 10-1. Client connection through two internal firewalls

Network Address Translation (NAT) firewalls maintain a table that allows them to route
secure packets from Access Gateway back to the user device. For circuit-oriented
connections, Access Gateway maintains a port-mapped, reverse NAT translation table.
The reverse NAT translation table enables Access Gateway to match connections and
send packets back over the tunnel to the user device with the correct port numbers so
that the packets return to the correct application.
Access Gateway uses industry-standard connection establishment techniques, such as
HTTPS, Proxy HTTPS, and SOCKS, to establish the tunnel. This operation makes the
Access Gateway firewall accessible and allows remote computers to access private
networks from behind other organizations' firewalls without creating any problems.
For example, Access Gateway can make the connection through an intermediate proxy,
such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate
proxy. Any credentials that the intermediate proxy requests are obtained from the
remote user (by using single sign-on information or by requesting the information from
the remote user) and are presented to the intermediate proxy server. When the proxy
establishes the HTTPS session, the payload of the session is encrypted and carries
secure packets to Access Gateway.
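The CONNECT exchange with an intermediate proxy, as an added example that is not part of the guide: the client first sends an unauthenticated CONNECT and, only when the proxy answers 407, obtains credentials and retries with them. The FakeProxy class, its replies and the gateway host name are constructed stand-ins; the function names are the example's own.

```python
# Added example (not Citrix code): the proxy traversal described above, modelled
# as a plug-in that asks an intermediate HTTP proxy to CONNECT to the gateway and
# retries with the user's proxy credentials when the proxy answers 407. The
# proxy replies and the gateway host name below are constructed.
import base64


def build_connect(host, port, credentials=None):
    """Build the CONNECT request; add Proxy-Authorization when credentials are given."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if credentials is not None:
        user, password = credentials
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status(response):
    """Return the numeric status from the proxy's status line."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])


def connect_through_proxy(send, host, port, ask_credentials):
    """send(request) -> response bytes from the proxy; ask_credentials() -> (user, pw).
    Returns True once the proxy reports the tunnel is established; after that the
    TLS handshake with the gateway runs inside the tunnel and the proxy sees
    only ciphertext."""
    status = parse_status(send(build_connect(host, port)))
    if status == 407:
        # Only now are the proxy credentials obtained (SSO or a prompt) and sent
        status = parse_status(send(build_connect(host, port, ask_credentials())))
    return status == 200


class FakeProxy:
    """Constructed stand-in for the organization's proxy: demands Basic auth."""
    def __init__(self, user, password):
        self._expected = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.requests = []

    def send(self, request):
        self.requests.append(request)
        if ("Proxy-Authorization: Basic " + self._expected) in request.decode():
            return b"HTTP/1.1 200 Connection established\r\n\r\n"
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')
```

The CONNECT leg itself is plain HTTP, so whatever is sent in Proxy-Authorization is readable by the proxy; Basic is only base64, not encryption. The Access Gateway logon credentials are never part of this leg: they travel inside the TLS session that starts only after the 200 reply.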

Terminating the Secure Tunnel and Returning Packets to the User Device


Access Gateway terminates the Secure Sockets Layer (SSL) tunnel and accepts any
incoming packets destined for the private network. If the packets meet the
authorization and access control criteria, Access Gateway regenerates the packet IP
headers so that they appear to originate from the Access Gateway's private network IP
address range or the client-assigned private IP address. Access Gateway then transmits
the packets to the network.
The Access Gateway Plug-in maintains two tunnels: an SSL tunnel over which data is
sent to Access Gateway and a tunnel between the user device and local applications.
The Access Gateway Plug-in decrypts the encrypted data that arrives over the SSL
tunnel before sending the data to the local application over the second tunnel.
If you run a packet sniffer, such as Wireshark, on the user device where the Access
Gateway Plug-in is running, you will see unencrypted traffic that appears to be
traveling between the user device and Access Gateway. That unencrypted traffic,
however, is not over the tunnel between the user device and Access Gateway, but is
over the tunnel to the local applications.

Defining Global Settings for User Connections on the Access Gateway Appliance


You can configure user connections settings globally in the Access Gateway
Management Console. You can configure options, such as single sign-on with Windows,
split tunneling, split DNS, and session time-outs.
You can also configure some of the options in Advanced Options in SmartGroups. The
SmartGroup settings override the global options. In addition, you can configure session
time-outs in logon points and SmartGroups. The session time-out setting in logon points
overrides the global setting. The session time-out setting in SmartGroups overrides
both global and logon point settings.

Configuring Single Sign-on with Windows


Users typically open a connection to Access Gateway by starting the Access Gateway
Plug-in. You can specify that the Access Gateway Plug-in start automatically when the user
logs on to Windows by enabling single sign-on with Windows. When you configure single
sign-on, the user's Windows logon credentials are passed to Access Gateway for
authentication.
Enable single sign-on only if users are logging on to your organization's domain.
Enabling single sign-on for the Access Gateway Plug-in facilitates operations on the
user device, such as installation scripts.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Client Options, select the
Single sign-on with Windows check box.
4. Click Save.
Note: If you configure double-source authentication on Access Gateway, you cannot
use single sign-on.

Enabling Split Tunneling in Access Gateway


You can enable split tunneling to prevent the Access Gateway Plug-in from sending
unnecessary network traffic to Access Gateway.
When you do not enable split tunneling, the Access Gateway Plug-in captures all
network traffic originating from a user device and sends the traffic through the VPN
tunnel to Access Gateway.
If you enable split tunneling, the Access Gateway Plug-in sends only traffic destined for
networks protected by the Access Gateway through the VPN tunnel. The Access
Gateway Plug-in does not send network traffic destined for unprotected networks to
Access Gateway.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Client Options, select the
Enable split tunneling check box.
4. Click Save.

Authenticating Users After Network Interruption or System Resume


By default, if a user's network connection is briefly interrupted, the user does not have
to log on again when the connection is restored. You can require that users log on after
interruptions, such as when a computer comes out of hibernation or standby, when the
user switches to a different wireless network, or when a connection is forcefully closed.
Note: If you have an appliance failover pair and if a failover occurs, connections from
the Access Gateway Plug-in terminate and then reinstate automatically. Users must
log on again.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Client Options, select one
or both of the following:
Authenticate after network interruption. Users are forced to log on again if
the network connection is briefly interrupted.
Authenticate after system resume. Users are forced to log on again if the
user's computer awakens from standby or hibernation. This option provides
additional security for unattended computers.
4. Click Save.

Enabling Split DNS


When you enable split DNS, when a user attempts to go to a Web site, if the site
matches the DNS suffix configured on Access Gateway, the DNS connection is routed
through the appliance. Otherwise, the DNS connection is not routed through the
appliance and goes through the local DNS server configured on the user device. A user
can override this setting in the Citrix Access Gateway Options dialog box opened from
the Start menu.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Client Options, select the
Enable split DNS check box.
4. Click Save.
Access Gateway does not failover to the local DNS server if the specified DNS server
returns a negative response.
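The following added example, not Citrix code, shows the decisions the two settings described above imply on the user device: with split tunneling enabled, which packets are captured for the VPN tunnel (and that with it disabled everything is tunneled); with split DNS enabled, which resolver a query goes to, matched on label boundaries so that a look-alike name outside the suffix is not sent to the gateway; and the no-failover rule for a negative answer. The protected networks, the DNS suffix and the answer tables are constructed.

```python
# Added example (not Citrix code): the routing decisions a plug-in makes under the
# split tunneling setting (which packets go through the VPN tunnel) and the split
# DNS setting (which resolver a query goes to), plus the no-failover behaviour
# the guide notes for split DNS. Networks, DNS suffix and answers are constructed.
import ipaddress


class SplitPolicy:
    def __init__(self, protected_networks, dns_suffixes, split_tunneling=True):
        # Networks protected by Access Gateway (the configured network resources)
        self.networks = [ipaddress.ip_network(n, strict=False) for n in protected_networks]
        # DNS suffixes configured on the appliance, normalised for matching
        self.suffixes = [s.lower().strip(".") for s in dns_suffixes]
        self.split_tunneling = split_tunneling

    def route_ip(self, dst):
        """'tunnel' if the packet is captured and sent to Access Gateway, else 'direct'."""
        if not self.split_tunneling:
            return "tunnel"     # split tunneling off: all traffic goes through the VPN
        ip = ipaddress.ip_address(dst)
        return "tunnel" if any(ip in net for net in self.networks) else "direct"

    def route_dns(self, name):
        """'gateway' if the name matches a configured suffix, else 'local'.
        Matching is on label boundaries so 'corp.example.evil.test' does not match
        the suffix 'corp.example'."""
        host = name.lower().strip(".")
        for suffix in self.suffixes:
            if host == suffix or host.endswith("." + suffix):
                return "gateway"
        return "local"

    def resolve(self, name, gateway_answers, local_answers):
        """Resolve with the chosen resolver only. A negative answer from the
        gateway-side DNS is final: there is no failover to the local server."""
        table = gateway_answers if self.route_dns(name) == "gateway" else local_answers
        return table.get(name.lower().strip("."))
```

The last assertion in the accompanying checks is the practical consequence of the no-failover rule: a name under the configured suffix that the gateway-side DNS cannot resolve stays unresolved even if the local resolver would have answered it.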

Enabling Access Gateway Plug-in Session Time-Outs


You can configure the Access Gateway Plug-in to force a disconnection with Access
Gateway if there is no activity on the connection for a specified number of minutes. If
the session closes, the user must log on again.
You can configure time-out settings in Access Gateway globally, with a logon point, and
within a SmartGroup. Logon point time-out settings override global settings.
SmartGroup time-out settings override logon point and global settings.
You can enable the following three time-out settings:
• User inactivity. If you enable this setting, the user session times out if Access
Gateway does not detect mouse or keyboard activity on the user device for the
specified interval. The global default time-out setting is 30 minutes. If you set this
value to zero within the logon point, the setting is disabled. Mouse and keyboard
monitoring requires the Access Gateway Plug-in.
• Network inactivity. If you enable this setting, the user session times out if Access
Gateway does not detect network traffic. The global default setting is 30 minutes. If
you set this value to zero in the logon point, the setting is disabled. Network
activity monitoring requires the Access Gateway Plug-in.
• Session time-out. If you enable this setting, the Access Gateway Plug-in disconnects
after the time-out interval elapses regardless of what the user is doing. There is no
action the user can take to prevent the disconnection from occurring when the
time-out interval elapses. One minute before a session times out (disconnects), the user
receives an alert indicating that the session will close. The global default setting is
30 minutes. You cannot disable this setting. The minimum value is 1 minute.
If you enable more than one of the time-out settings, the first time-out interval to
elapse closes the client connection.
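The following added example, not Citrix code, works through the rules above: scope precedence for the three settings (SmartGroup over logon point over global), the range check in which 0 disables only the two inactivity time-outs, the one-minute alert before the session time-out, and which enabled time-out elapses first. All minute values and timestamps are constructed; times are expressed in minutes since the session started.

```python
# Added example (not Citrix code): how the three time-out settings combine. Values
# are resolved by scope (SmartGroup over logon point over global), zero disables
# only the two inactivity time-outs, and the first interval to elapse closes the
# connection. All minute values and timestamps below are constructed.
DEFAULT_MINUTES = 30       # global default stated in the guide
MAX_MINUTES = 10008        # upper bound stated in the guide
INACTIVITY = ("user_inactivity", "network_inactivity")
ALL = INACTIVITY + ("session_timeout",)


def validate(settings):
    """Reject values outside 1..MAX_MINUTES; 0 is allowed only for inactivity."""
    for key, minutes in settings.items():
        if key not in ALL:
            raise ValueError("unknown time-out %r" % key)
        if minutes == 0 and key in INACTIVITY:
            continue
        if not 1 <= minutes <= MAX_MINUTES:
            raise ValueError("%s must be 1..%d minutes" % (key, MAX_MINUTES))
    return settings


def effective_timeouts(global_settings, logon_point=None, smartgroup=None):
    """Most specific scope wins; unspecified values fall back to the 30-minute default."""
    eff = dict.fromkeys(ALL, DEFAULT_MINUTES)
    for scope in (global_settings, logon_point or {}, smartgroup or {}):
        eff.update(validate(scope))
    return eff


def next_to_elapse(eff, now, session_start, last_input, last_traffic):
    """Return (name, minutes_remaining) for the time-out that will close the
    connection first; remaining <= 0 means it already has. Disabled inactivity
    time-outs are skipped; the session time-out always participates."""
    candidates = []
    if eff["user_inactivity"]:
        candidates.append(("user_inactivity", eff["user_inactivity"] - (now - last_input)))
    if eff["network_inactivity"]:
        candidates.append(("network_inactivity", eff["network_inactivity"] - (now - last_traffic)))
    candidates.append(("session_timeout", eff["session_timeout"] - (now - session_start)))
    return min(candidates, key=lambda c: c[1])


def session_state(eff, now, session_start, last_input, last_traffic):
    """'closed', 'warning' (within the one-minute alert before the session
    time-out) or 'open'."""
    name, remaining = next_to_elapse(eff, now, session_start, last_input, last_traffic)
    if remaining <= 0:
        return "closed"
    if name == "session_timeout" and remaining <= 1:
        return "warning"
    return "open"
```

Note that a logon point setting of 0 for user inactivity survives a later SmartGroup that only sets the session time-out, because each scope overrides only the keys it names; that is the override behaviour the text above describes.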

To enable Access Gateway Plug-in session time-outs


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Time-Out Options, type
the number of minutes in any of these settings:
User inactivity
Network inactivity
Session time-out
Note: By default, all of the time-out options are enabled for 30 minutes. You can
enter a value between 1 and 10008 to specify the number of minutes for the time-out interval. You can disable the user inactivity and network inactivity settings by
entering a 0 (zero). If you enter a 0, the session time-out is not activated and the
setting has no effect on client connections.
4. Click Save.

Connecting with Earlier Versions of the Access Gateway Plug-in


You can configure Access Gateway to accept connections from earlier versions of the
Access Gateway Plug-in.
Important: Access Gateway 5.0 does not support connections from Access Gateway
Plug-in Version 4.6.x and earlier. Likewise, when you select this option, when Access
Gateway detects version 4.6.x of the Access Gateway Plug-in, the user is forced to
upgrade the plug-in.

To enable earlier versions of the Access Gateway Plug-in to connect to Access Gateway


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Access Gateway Settings,
select the Allow earlier versions of Access Gateway Plug-in check box.
Note: You do not need to specify the encryption type for user connections or
enter a query token.
4. Click Save.

Closing User Connections


You can configure the Access Gateway Plug-in so that when users log on to Access
Gateway, any existing connections to other networks close, for security purposes.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.

3. In the Access Gateway and User Options panel, under Client Options, select the
Close existing connections check box.
4. Click Save.

Configuring Access Gateway Plug-in Settings in Access Controller


You configure Access Gateway Plug-in settings in Access Controller to deploy the Access
Gateway Plug-in. You can control the interaction between Access Gateway and the
Access Gateway Plug-in by configuring settings that create connection policies, enable
split tunneling, allow users to run earlier versions of the Access Gateway Plug-in, and
enable the use of Citrix Branch Repeater to support application acceleration.

Create Connection Policies


You configure connection policies to control Access Gateway Plug-in connections. After
you configure Access Gateway to use the Access Gateway Plug-in to establish
connections to resources on the network, you create connection policies to control
those connections.

Enable Split Tunneling


Split tunneling enables user devices to communicate with public Internet resources and
your internal network resources concurrently.
When you enable split tunneling, the setting prevents the Access Gateway Plug-in from
sending unnecessary network traffic to Access Gateway. The plug-in sends only traffic
destined for networks protected by Access Gateway through the VPN tunnel. The plug-in
does not send network traffic destined for unprotected networks to Access Gateway.
Split tunneling can improve the efficiency of the client connection when users access
resources on the Internet or your internal network.
When you disable split tunneling, the Access Gateway Plug-in sends all network traffic
that originates from a user device through the VPN tunnel to Access Gateway, including
traffic to public Internet Web sites.

Use Branch Repeater for Application Acceleration


When users use the Access Gateway Plug-in to log on, the Repeater Plug-in can
optimize the connection. When you enable the Repeater Plug-in, network traffic is
compressed and accelerated through Access Gateway.

Allow Earlier Versions of the Access Gateway Plug-in


You can configure the Access Gateway appliance to accept connections from earlier
versions of the Access Gateway Plug-in.
Enable Endpoint Analysis Scans


Access Controller determines if, based on policies associated with that logon point, an
endpoint analysis scan is required. If a scan is required, Access Controller detects if the
Endpoint Analysis Plug-in is present on the user device. If Access Controller detects the
plug-in on the user device, the Endpoint Analysis Plug-in performs the appropriate
scans. However, if Access Gateway does not detect the plug-in, the Endpoint Analysis
Plug-in downloads and installs automatically.
If users refuse to allow the Endpoint Analysis Plug-in to install and scan the user
device, they receive the same level of access they would if the policies associated with
the scans were denied. This level can be limited or no access.
Note: Endpoint Analysis is supported only on Windows-based computers.
For more information, see Verifying Requirements on User Devices on page 233.

Creating Connection Policies


Connection policies control connections that use the Access Gateway Plug-in. When you
create a connection policy, you have the option of creating filters for the policy. You
can use an existing filter, create a filter, or modify an existing filter. For more
information, see Creating Policy Filters on page 225.

To create a connection policy


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Policies>Connection Policies and under Common
Tasks, click Create connection policy.
3. On the Define Policy Page, in Policy name and Description, type a name and
describe the policy.
4. On the Configure Policy Settings page, under Setting, select the setting you want
to configure. Configure the connection settings you want to apply by selecting
each setting and choosing Yes or No under Allow this setting for the connection
to allow or deny it. Select from among the following settings, and then click Next:
• Authenticate after system resume forces authentication after the user device
goes into standby or hibernate mode.
• Authenticate after network interruption forces authentication if the network
connection is interrupted.
• Enable split DNS allows failover to a user's local DNS if the remote DNS is not
available. By default, Access Gateway checks a user's remote DNS only.
• Execute logon scripts runs Windows logon scripts when the connection is
established.

5. If you want to give user devices a unique IP address, add and define the address
pools from which address aliases are assigned. On the Define Address Pools page,
click New to add each address pool. To configure address pools, you must have at
least one Access Gateway appliance configured in Access Controller.
• For Access Gateway, select the Access Gateway appliance.
• In Start IP address, type the IP address.
• In Number of IPs, type the number of IP addresses to use for the address pool.
• For Gateway, enter the IP address of the default gateway if you use one. If you
do not use a default gateway, you can leave this box blank.
Each IP range should be valid, but unused on the network.
To avoid conflicting assignments, ensure that you configure a unique IP range or
ranges for each Access Gateway appliance. You should not assign the same IP
range or ranges to multiple appliances.
Note: If you add address pools, you must restart each Access Gateway
appliance in the cluster before the address pool becomes available. You might
want to schedule address pool configuration for a convenient time.
6. On the Select Filters page, select the filters that define the conditions for policy
enforcement.
7. On the Select Users or Groups page, select users and user groups to whom the
policy applies, and then click Finish. You can choose from the following:
• Apply this policy to all authenticated users. The policy is applied to all users
who successfully connect to the Access Gateway.
• Choose users or groups from the selected authentication profile. The policy
is applied to users who are authenticated from Active Directory, LDAP, or
RADIUS servers.
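Step 5 requires that the ranges you enter be unique per appliance, but the wizard does not check this for you, and an overlap only shows up later as two devices receiving the same alias. The following PowerShell is an added example, not code from the guide or from Citrix: it takes the three values you type for each pool (the appliance, the Start IP address and the Number of IPs) and reports every pair of pools that share at least one address. The pool values are constructed samples.

```powershell
# Added example, not from the Citrix guide: check the address pools you plan to
# enter on the Define Address Pools page for overlap, whether on one appliance
# or across appliances. All pool values below are constructed samples.

function ConvertTo-IPv4Int {
    # Convert a dotted-quad IPv4 address to an unsigned integer so ranges compare numerically.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    return ([uint64]$bytes[0] * 16777216) + ([uint64]$bytes[1] * 65536) +
           ([uint64]$bytes[2] * 256) + [uint64]$bytes[3]
}

function Test-AddressPoolOverlap {
    # Each pool is a hashtable with Appliance, StartIP and NumberOfIPs, the same three
    # values the wizard asks for. Returns one description per conflicting pair (empty = OK).
    param([Parameter(Mandatory)][object[]]$Pools)
    $ranges = @(foreach ($p in $Pools) {
        if ($p.NumberOfIPs -lt 1) { throw "Pool on $($p.Appliance) must contain at least one address" }
        $start = ConvertTo-IPv4Int $p.StartIP
        [pscustomobject]@{
            Appliance = $p.Appliance
            Start     = $start
            End       = $start + [uint64]$p.NumberOfIPs - 1   # inclusive last address
            Label     = "$($p.StartIP) (+$($p.NumberOfIPs))"
        }
    })
    $conflicts = @()
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two inclusive ranges overlap when neither one ends before the other starts.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                $conflicts += "$($a.Appliance) $($a.Label) overlaps $($b.Appliance) $($b.Label)"
            }
        }
    }
    return $conflicts
}

# Constructed sample pools, as they would be entered on the Define Address Pools page
$pools = @(
    @{ Appliance = 'AG-1'; StartIP = '10.20.30.1';  NumberOfIPs = 50 },
    @{ Appliance = 'AG-2'; StartIP = '10.20.30.40'; NumberOfIPs = 50 },  # overlaps AG-1
    @{ Appliance = 'AG-3'; StartIP = '10.20.31.1';  NumberOfIPs = 50 }
)
$conflicts = @(Test-AddressPoolOverlap -Pools $pools)
if ($conflicts.Count -eq 0) { 'No overlapping address pools.' }
else { $conflicts | ForEach-Object { Write-Warning $_ } }
```

Run the check against the full list of pools for every appliance in the cluster before you restart the appliances, since the pools only become active after that restart. The check covers overlap only; that the ranges are otherwise unused on the network still has to be confirmed against your IP address management records.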

To prioritize connection policies


Because multiple connection policies can apply to the same user, you can prioritize
connection policies. The settings in policies with a higher ranking priority take
precedence over those in lower ranking policies.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, select Connection Policies and under Common Tasks, choose
Set connection policy priority.
3. Select a policy and use the arrow buttons to move its position in the ordered list.
The highest priority policy appears at the top of the list.

Enabling Split Tunneling in Access Controller


You can enable split tunneling to prevent the Access Gateway Plug-in from sending
unnecessary network traffic to Access Gateway.

When you do not enable split tunneling, the Access Gateway Plug-in captures all
network traffic originating from a user device and sends the traffic through the VPN
tunnel to the Access Gateway appliance.
If you enable split tunneling, the Access Gateway Plug-in sends only traffic destined for
the secure network behind Access Gateway through the VPN tunnel. The Access
Gateway Plug-in does not send network traffic to public networks, such as the Internet.
Note: If users are going to use Citrix XenApp online plug-ins to connect to virtual
applications or desktops, you do not need to configure split tunneling.

To configure split tunneling


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, expand the
Access Controller server that you want to configure, and then click Access
Gateway appliances.
3. Under Common Tasks, click Edit Access Gateway appliances properties.
4. In the Access Gateway appliances - Global Properties dialog box, click Plug-in
Properties and then select Enable split tunneling.
5. Click OK.

Enabling the Repeater Plug-in


Access Gateway works with Citrix Branch Repeater to support application acceleration.
Branch Repeater enhances and accelerates traffic through Access Gateway, for
example, for Common Internet File System (CIFS) and HTTP connections. Access
Gateway is installed in the demilitarized zone (DMZ) and the Branch Repeater
appliance is installed behind Access Gateway in the secure network. Users connect
through the Access Gateway appliance and Branch Repeater to resources in the secure
network.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, expand the
Access Controller server that you want to configure, and then click Access
Gateway appliances.
3. Under Common Tasks, click Edit Access Gateway appliance properties.
4. In the Access Gateway appliances - Global Properties dialog box, click Plug-in
Properties and then select Use Repeater for acceleration.
5. Click OK.

Granting Access to the Entire Network


The Entire Network resource represents all visible servers and services in your secure
network. If you set policies in Access Controller to allow connections and access to this
resource, users logging on with the Access Gateway Plug-in can access these servers or
services through a Secure Sockets Layer (SSL) virtual private network tunnel created
between the user device and the network. The Entire Network resource is a built-in
network resource, the properties of which you cannot edit or delete. To control the
conditions under which the Entire Network resource is accessed, you must create
access policies in the Delivery Services Console as you do for all other types of resources.
You can use the Entire Network resource to:
• Quickly set up your deployment and test access
• Provide unlimited access to a special class of user, such as administrators who need
wide access for disaster recovery or emergency operations
• Provide open access by default and later develop policies that deny access to
specified resources according to your security plan
The general steps involved in granting access to the Entire Network include:
1. Create an access policy for the Entire Network resource allowing access to
selected users.
2. Create a connection policy allowing user connections.
3. Filter the policies according to the conditions or requirements you want to impose.
Because the Entire Network resource includes all visible servers on the network, take
care to allow access to this resource only under the conditions you intend. Access to
this resource is a powerful level of access.

Installing the Access Gateway Plug-in by Using the Microsoft Installer (MSI) Package


You can use an MSI package to install the Access Gateway Plug-in on a user device. The
Access Gateway Plug-in is installed on a per-computer basis. When you create the
package, you can designate which installations occur with elevated privileges, which
allows non-administrative users to install the plug-in.
You can create the package by downloading the file CitrixAGP.exe from the Access
Gateway appliance. When you download the executable file, you can run the file to
automatically unpack and install the MSI file.

To download and install the MSI package


1. In a Web browser, go to https://AccessGatewayFQDN/CitrixAGP.exe where
AccessGatewayFQDN is the fully qualified domain name (FQDN) of Access Gateway.
2. Click Save to save the file to your computer.
3. Double-click CitrixAGP.exe to unpack and install the MSI file.

There are two ways you can distribute the MSI file to users who are not administrative
users on the user device:
• Use an Active Directory Group Policy (or similar tool) to push installation of the
package to the user device
• Advertise the installation package to the user device

Installing the MSI Package by Using Group Policy


For users who connect to Microsoft Active Directory Domain Services from within the
internal network, you can use the Group Policy feature to download and install the
Access Gateway Plug-in. The software installation feature of Group Policy
automatically installs or upgrades the Access Gateway Plug-in when the user device
connects to the domain.
The procedure for using Group Policy to install the MSI package is similar to the
procedure for advertising a package. You should extract the CitrixAGP.exe package. If
the default installation configuration needs to change, run the administrative
installation and create an administrative image. Place either the original MSI or the
administrative image on a shared network location. Use Group Policy to assign the
package to computers and reference the shared network location.

To use Group Policy to deploy the Access Gateway Plug-in


1. On the Windows server, create and open a temporary directory.
2. At a command prompt, type CitrixAGP -extract to extract the MSI file and
related files into the new directory that you created in Step 1.
3. Use Group Policy to publish the MSI and appropriate files.

Installing the MSI Package by Using Advertisement


To advertise the client installation, you need to extract the CAGSE.MSI and *.MST files.
When you create the image, you need to provide a path to the image and specify the
language. You then use a command-line switch to the MSIEXEC utility to advertise the
package.
The Windows Installer only considers the advertised file path to be trusted. If users try
to install CAGSE.MSI from a CD or a local path that is different from the advertised
path, the installation fails.

To extract the MSI and MST files and create an administrative image


1. At a command prompt, type:
CitrixAGP -extract

This command unpacks the files to the folder on the server share where
CitrixAGP.exe is located. To unpack and install the Access Gateway Plug-in, type:
CitrixAGP
2. To create a configured administrative image, at a command prompt, type:
msiexec /a CAGSE.MSI
3. When the image is created, advertise the product to all users on the user device.
To do so, on the user device, at a command prompt, type:
msiexec /jm path to administrative image\CAGSE.MSI
This command advertises the Access Gateway Plug-in, but does not install it on the
user device. The plug-in appears to be installed; an entry appears in Add or
Remove Programs and the Start menu shortcuts are present; however, no files are
copied to the user device.
4. To install the Access Gateway Plug-in, at a command prompt, type:
msiexec /I path to administrative image\CAGSE.MSI
You can also start the installation by clicking the shortcut on the Start menu.
The preceding steps deal with the initial installation of the Access Gateway Plug-in on
the user device.
When an upgrade to the plug-in is available, you can upgrade the package on the file
share. When users connect to Access Gateway, users navigate to the share and run
cagsetup.exe to upgrade.
If the Access Gateway Plug-in runs logon scripts, the script can check for the upgrade
and install the plug-in. You can also send an email to users that announces the upgrade
and provides a link to the file share with the updated version of cagsetup.exe, and
the .MSI and .MST files.
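The administrator side of the advertisement procedure above (extract, create the administrative image, hand out the advertised path) can be scripted so the image lands on the share in one pass. The following PowerShell is an added example, not code from the guide or from Citrix. It assumes that CitrixAGP.exe has already been downloaded into the staging folder, that \\fileserver\agplugin is a placeholder read-only share reachable from user devices, that CitrixAGP.exe returns a non-zero exit code on failure, and that TARGETDIR is the standard Windows Installer property that sets where msiexec /a writes the administrative image; the /qn and /L*v switches are standard msiexec options not mentioned in the guide.

```powershell
# Added example, not part of the Citrix guide: stage the Access Gateway Plug-in
# administrative image on a file share and print the advertise/install commands
# that are run on user devices. Paths are placeholders.
param(
    [string]$Staging = 'C:\Temp\agplugin',        # where CitrixAGP.exe was downloaded (assumed)
    [string]$Share   = '\\fileserver\agplugin'    # placeholder share readable by user devices
)

function Invoke-Installer {
    # Run an installer synchronously and return its exit code (0 = success for msiexec).
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList)
    $proc = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function New-AdminImage {
    # Steps 1 and 2 of the procedure: extract CAGSE.MSI and the *.MST files beside
    # CitrixAGP.exe, then write the administrative image to the share.
    param([string]$Staging, [string]$Share)
    $extractor = Join-Path $Staging 'CitrixAGP.exe'
    if (-not (Test-Path $extractor)) { throw "CitrixAGP.exe not found in $Staging" }
    $rc = Invoke-Installer -FilePath $extractor -ArgumentList @('-extract')
    if ($rc -ne 0) { throw "CitrixAGP -extract failed with exit code $rc" }

    $msi = Join-Path $Staging 'CAGSE.MSI'
    if (-not (Test-Path $msi)) { throw "CAGSE.MSI was not produced by -extract" }

    # TARGETDIR (assumed standard Windows Installer property) selects the image location;
    # /qn suppresses the UI and /L*v keeps a verbose log next to the staging files.
    $log = Join-Path $Staging 'admin-image.log'
    $rc = Invoke-Installer -FilePath 'msiexec.exe' -ArgumentList @(
        '/a', "`"$msi`"", "TARGETDIR=`"$Share`"", '/qn', '/L*v', "`"$log`""
    )
    if ($rc -ne 0) { throw "msiexec /a failed with exit code $rc (see $log)" }

    # The transforms are not part of the admin image; copy them alongside it.
    Copy-Item -Path (Join-Path $Staging '*.MST') -Destination $Share -ErrorAction SilentlyContinue
    return (Join-Path $Share 'CAGSE.MSI')
}

$advertised = New-AdminImage -Staging $Staging -Share $Share

# Step 3 and step 4 run on each user device. Windows Installer trusts only the
# advertised path, so publish the UNC path exactly as printed, never a local copy.
Write-Host "Advertise on user devices:  msiexec /jm `"$advertised`""
Write-Host "Install when ready:         msiexec /I `"$advertised`""
```

Keep the share read-only for users: because Windows Installer treats the advertised path as trusted, write access to that share would let anyone replace the package that every user device installs from. When you later place an upgraded package on the share, run the script again so the image, the transforms and the log are refreshed together.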

Connecting to Access Gateway and Network Resources


Users can log on, download the Access Gateway Plug-in, and then establish a
connection from a Web browser. Users type in the Access Gateway Web address and
then enter their logon credentials. When authentication completes, users can then
download the Access Gateway Plug-in and establish a connection.
Important: If users configure security settings in Internet Explorer to High, when
users log on to Access Gateway, the logon page does not appear. In this instance,
users must add the Access Gateway Web address to the Trusted sites list.
If you deploy the Access Gateway appliance only, when users log on, the Web page
displays a padlock icon. If this is the first time users log on, they click the icon and the
Download page appears. Users click Download to install the Access Gateway Plug-in.
After installation, users return to the icon page and click the icon again to establish the
connection.
If Access Controller is part of your deployment, when users log on, the Access Interface
appears. Users click Connect to Network and the Download page appears. After users
download and install the plug-in, they return to the Access Interface and then click
Connect to Network again to establish the connection. The default home page is the
Access Interface if Access Controller is in your deployment.
If you configure double-source authentication on Access Gateway, users type their user
name and password for each type of authentication. For example, if you configure
users to use LDAP authentication and RSA SecurID, they would type their password,
their RSA SecurID personal identification number (PIN), and an RSA SecurID code.
You can also configure a different home page for users. The home page can be the Web
Interface, SharePoint 2007, Outlook Web Access, Outlook Web App, or a custom home
page of your choosing. If you want to use the Access Gateway Plug-in with one of the
listed home pages, Citrix recommends installing the plug-in by using a Microsoft
Installer (MSI) package. For more information, see Installing the Access Gateway Plug-in by Using the Microsoft Installer (MSI) Package on page 295.
Important: You must configure network resources on Access Gateway in order for
user devices to connect.
The resource access granted by the security policies enables a user to work with the
remote system as if the user is logged on locally. For example, the user might be
granted permission to applications, including Web, client-server, and peer-to-peer
applications, such as instant messaging and video conferencing. Access to network
resources is allowed or denied within a SmartGroup on the Access Gateway appliance
or as part of a policy in Access Controller.
If you enabled single sign-on with Windows in the Access Gateway Management
Console, users can log on automatically with the Access Gateway Plug-in when users log
on to Windows. This provides full access to resources on the network. Single sign-on
with Windows only occurs if you are using Active Directory with LDAP authentication or
RADIUS authentication. When users log on to Windows, the Access Gateway Plug-in
attempts to use single sign-on using the preferred logon point set by the user.

Installing the Access Gateway Plug-in


Users install the Access Gateway Plug-in from the Access Gateway download portal
page. The way users download and install the Access Gateway Plug-in depends on your
Access Gateway deployment. The following procedures detail the steps for users in an
Access Gateway appliance-only deployment or an Access Controller deployment.

To install the Access Gateway Plug-in from an appliance-only deployment


1. In a Web browser, type the Web address of the Access Gateway; for example, https://
www.mycompany.com.
2. On the Welcome page, type the logon credentials and then click Submit.
3. On the Web page, under Connect Using the Method Below, click the icon.
The Download page appears.
4. Click Download to start the installation of the Access Gateway Plug-in.
After installation of the plug-in, users must log on again from the Web page by clicking
the icon, or from the Start menu.

To install the Access Gateway Plug-in from an Access Controller deployment


1. In a Web browser, type in the Web address of the Access Gateway; for example,
https://www.mycompany.com.
2. On the Welcome page, type the logon credentials and then click Submit.
3. In the Access Interface, click Connect to Network.
The Download page appears.
4. Click Download to start the installation of the Access Gateway Plug-in.
After the Access Gateway Plug-in installs on the user device, users return to the Access
Interface and click Connect to Network again to start the plug-in and establish the
connection to the secure network.

Logging On Through the Logon Point


When you deploy a logon point, a logon point folder is created in a virtual directory
named CitrixLogonPoint. A URL pointing to the logon point folder can be used to access
the network. For example:
https://appliancename/lp/logonpointname
where appliancename is the fully qualified domain name (FQDN) or IP address of the
Access Gateway appliance and logonpointname is the name of the logon point folder.
Users can also access the default logon point by typing the following URL:
https://appliancename/
where appliancename is the FQDN or IP address of the Access Gateway appliance.

Logging On with the Access Gateway Plug-in for Windows


Users can log on to your network through Access Gateway using the Access Gateway
Plug-in. Users perform the following steps to log on.
Important: If users configure security settings in Internet Explorer to High, when
users log on to Access Gateway, the logon page does not appear. In this instance,
users must add the Access Gateway Web address to the Trusted sites list.


To log on with the Access Gateway Plug-in


1. Users click Start>All Programs>Citrix>Citrix Access Clients>Citrix Access
Gateway.
2. In the Citrix Access Gateway dialog box, users enter their logon credentials and
then click Submit.
Note: If a digital certificate signed by a Certificate Authority is not installed on Access
Gateway, users will see a Security Alert. For more information, see Installing and
Managing Certificates on page 123.
When the connection is established, a status window briefly appears and the Access
Gateway Plug-in window is minimized to the notification area. The icon indicates
whether the connection is enabled or disabled and displays any status messages.

To change logon settings on a Windows-based device


Users might want to change plug-in logon settings.
1. Users click Start>All Programs>Citrix>Citrix Access Clients>Citrix Access
Gateway - Properties.
2. In the Citrix Access Gateway Options dialog box, users can change the following
settings:
• Web address of the appliance. This also displays the last 10 IP addresses or
fully qualified domain names (FQDNs) to which the user connected.
• Logon point for the user device. Users can select from a list of logon points.
• Proxy settings for the user device. Users can configure automatic proxy server
detection or manually configure a proxy server.
• Enabling split DNS. You enable this setting in the Access Gateway Management
Console, but users can disable it. For more information about split DNS, see
Enabling Split DNS on page 288.
• Disable security certificate warnings. If you did not install a secure certificate
signed by a Certificate Authority, users see a certificate warning when they log
on. This setting disables the warning.

To view Access Gateway Plug-in status properties when users are logged on


• Double-click the Access Gateway connection icon in the notification area.
Alternatively, users can right-click the icon and choose Connection Status from the
menu.
The Citrix Access Gateway dialog box appears.
The properties of the connection provide information that is helpful for
troubleshooting. The properties include:
• The General tab displays connection information.
• The Details tab displays server information and a list of the secured networks the
clients are allowed to access.
• The Access Lists tab displays the network resources that are configured for the user
connection.
To close the window, click Close.

To disconnect the Access Gateway Plug-in


• Right-click the Access Gateway icon in the notification area and then choose
Disconnect from the menu.

Logging On with the Access Gateway Plug-in for Mac OS X


After users install the Access Gateway Plug-in for Mac OS X, they can connect to the
Access Gateway appliance in the secure network. After establishing a connection, users
can then work with applications, file shares, and other network resources as if they are
in the office.
When the Access Gateway Plug-in is installed, users can log on from the following
locations:
• Connection drop-down menu on the Access Gateway menu
• Menu bar status icon
• Dock context menu
• Applications window
If a digital certificate signed by a Certificate Authority is not installed on Access
Gateway, users will see a Security Alert. For more information, see Installing and
Managing Certificates on page 123.

To change logon settings on Mac OS X


Users can change their logon settings in the Preferences control dialog box. Users can
create new connections, change connections, change the logon point, and show the
secondary password field. Users can also change their logging levels and configure
proxy servers.
1. Start the Access Gateway Plug-in.
2. On the Citrix Access Gateway menu, click Preferences.
Users can then change their settings.

Upgrading the Access Gateway Plug-in


You do not need to configure any settings to allow users to upgrade the Access Gateway
Plug-in from an earlier version.
When users use the Access Gateway Plug-in from the Start menu to log on to Access
Gateway, they are not prompted to uninstall the old version of the plug-in. If the
plug-in is an older version, the connection to Access Gateway will fail.
Access Gateway 5.0 does not support connections from Access Gateway Plug-in Version
4.6.x and earlier. Therefore, all users must uninstall versions of the Access Gateway
Plug-in earlier than 5.0 and install the current version to successfully log on to Access
Gateway 5.0.

Allowing Users to Log On with Earlier Versions of the Access Gateway Plug-in


You can configure Access Gateway to accept connections from earlier versions of the
Access Gateway Plug-in. You can configure settings in either the Access Gateway
Management Console or in Access Controller.
Important: Access Gateway 5.0 does not support connections from Access Gateway
Plug-in Version 4.6.x and earlier. Even when you select this option, if Access
Gateway detects version 4.6.x of the Access Gateway Plug-in, the user is forced to
upgrade the plug-in.

To allow users to log on with earlier versions of the plug-in in Access Gateway


1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Global Options.
3. In the Access Gateway and User Options panel, under Access Gateway Settings,
select Allow earlier versions of Access Gateway Plug-in.

To allow users to log on with earlier versions of the plug-in in Access Controller


If you are using Access Controller in your deployment, the setting in the Access
Gateway Management Console is not available.
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, expand the
Access Controller server that you want to configure, and then click Access
Gateway appliances.
3. Under Common Tasks, click Edit Access Gateway appliance properties.
4. In the Access Gateway appliances - Global Properties dialog box, click Plug-in
Properties and then select the Allow earlier versions of Access Gateway Plug-in
check box.
5. Click OK.

Providing Logon Information to Users


To enable users to connect to and use Access Gateway, you need to give them the
following information:
• The Access Gateway Web address, such as https://AccessGatewayFQDN/.
• The logon point required for logon (if you do not want the user to log on with the
default logon point).
• Any system requirements for running the Access Gateway Plug-in if you configured
device profiles.
Depending on the configuration of the user device, you might also need to provide the
following additional information:
• To install and start the Access Gateway Plug-in for the first time, Windows XP,
Windows Vista, and Windows 7 users must be a local administrator or a member of
the Administrators group. Users do not need to be an administrator for upgrades.
• If a user runs a firewall on the user device, the user might need to change the
firewall settings so that the firewall does not block traffic to or from the IP
addresses corresponding to the resources for which you granted access. The Access
Gateway Plug-in automatically handles Internet Connection Firewall in Windows XP
and Windows Firewall in Windows XP Service Pack 3, Windows Vista, and Windows 7.
• Users who want to send traffic to FTP over the Access Gateway connection must set
their FTP application to perform passive transfers. A passive transfer means that
the user device establishes the data connection to your FTP server, rather than your
FTP server establishing the data connection to the remote computer.
Because users work with files and applications as if they were on the organization's
network, you do not need to train users or configure applications.

Web Browser Security Considerations


Certain custom Web browser security settings can prevent users from accessing Access
Gateway. Follow the guidelines below to ensure that users can access the appropriate
servers within your network.
For users to properly access network resources through Access Gateway, you must
enable the following browser settings:
• Cookies. Access Gateway uses per-session cookies that are not stored on disk.
Therefore, third parties cannot access the cookies. Disallowing per-session cookies
prevents connections to Access Gateway. Users cannot log on to Access Gateway
because logging on requires a session cookie.
• File download. Disabling file download prevents the downloading of files from the
corporate network, the launching of any seamless ICA sessions, and access to
internal Web servers outside the access server cluster.
• Scripting. Disabling active scripting makes Access Gateway inaccessible. Disabling
Java applet scripting prevents users from launching published applications that use
Client for Java.
Change the security settings only for zones that contain resources accessed through
Access Gateway. If you fully trust the sites on your company's intranet, you can set the
Local Intranet zone security level to Low. If you do not fully trust the sites on your
intranet, keep the Local Intranet zone set to Medium-Low or Medium.
Note: When you deploy Access Gateway with Access Controller, users will need to
add the Access Gateway Web address to the list of Trusted sites or Local intranet sites
in Internet Explorer security settings to allow applications to reconnect properly.
Several browser security settings required to access Access Gateway are disabled under
the High security settings. Therefore, if the security level for the Local Intranet zone is
set to High, customize the browser security settings as described in the next section.

Customizing Web Browser Security Settings


The following table lists additional Internet Explorer browser security settings required
for deployment scenarios requiring client software. Most of these settings are available
on the Security tab in Internet Options.
Deployment scenario: Endpoint Analysis Plug-in
Required settings:
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)

Deployment scenario: Citrix XenApp Web Plugin (Version 11.0) or Citrix online plug-ins
(Version 11.2 or later)
Required settings:
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)
• Do not save encrypted pages to disk (Disable)
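Because the guidance above is to change settings only for the zone that holds the Access Gateway address, the following PowerShell, an added example and not code from the guide or from Citrix, applies the online plug-in row of the table to the Trusted sites zone only, places the Access Gateway FQDN in that zone, and then reports any setting that is still not at the required value. The registry locations and the action codes (1200 for Run ActiveX controls and plug-ins, 1405 for Script ActiveX controls marked safe for scripting, 1803 for File download, and the DisableCachingOfSSLPages value for Do not save encrypted pages to disk) are standard Internet Explorer settings assumed here rather than stated in the guide; gateway.example.com is a placeholder for your appliance's FQDN.

```powershell
# Added example, not from the Citrix guide: apply the required browser settings to
# the Trusted sites zone only, add the Access Gateway FQDN to that zone, and verify.
# Registry paths and action codes are standard Internet Explorer settings (assumed,
# not taken from the guide). Action values: 0 = Enable, 1 = Prompt, 3 = Disable.

$InetKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonesKey     = Join-Path $InetKey 'Zones'
$DomainsKey   = Join-Path $InetKey 'ZoneMap\Domains'
$TrustedSites = 2   # zone numbers: 1 = Local intranet, 2 = Trusted sites

# Required settings from the table above for the online plug-in scenario
$RequiredActions = @{ '1200' = 0; '1405' = 0; '1803' = 0 }

function Add-TrustedSite {
    # Map www.mycompany.com to Domains\mycompany.com\www and assign its https scheme to zone 2,
    # so only this host moves to Trusted sites, not the whole domain.
    param([Parameter(Mandatory)][string]$Fqdn)
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified domain name, got $Fqdn" }
    $key = Join-Path $DomainsKey ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.') }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $TrustedSites -Force | Out-Null
    return $key
}

function Set-ZoneActions {
    # Write each required action value for one zone; other zones are left untouched.
    param([int]$Zone, [hashtable]$Actions)
    $key = Join-Path $ZonesKey $Zone
    foreach ($code in $Actions.Keys) {
        New-ItemProperty -Path $key -Name $code -PropertyType DWord -Value $Actions[$code] -Force | Out-Null
    }
    # "Do not save encrypted pages to disk" is a global Advanced setting, not a zone action; 0 = Disable
    New-ItemProperty -Path $InetKey -Name 'DisableCachingOfSSLPages' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ZoneActions {
    # Return the action codes whose current value differs from the required one (empty = compliant)
    param([int]$Zone, [hashtable]$Actions)
    $current = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone)
    foreach ($code in $Actions.Keys) {
        if ($current.$code -ne $Actions[$code]) { $code }
    }
}

Add-TrustedSite -Fqdn 'gateway.example.com' | Out-Null   # placeholder FQDN
Set-ZoneActions -Zone $TrustedSites -Actions $RequiredActions
$wrong = @(Test-ZoneActions -Zone $TrustedSites -Actions $RequiredActions)
if ($wrong.Count -eq 0) { 'Trusted sites zone meets the Access Gateway requirements.' }
else { Write-Warning ("Still not set as required: " + ($wrong -join ', ')) }
```

Run the script in the context of the user whose browser is being configured, because these are per-user keys. Where Internet Explorer zone settings are managed by Group Policy, the policy values take precedence over these keys, so the check then reflects the unmanaged per-user values rather than what the browser actually enforces; in that case make the same changes in the policy instead.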

Adding Proxy Servers for the Access Gateway Plug-in


When the Access Gateway Plug-in connects, the plug-in queries the operating system
on the user device for client proxy settings before downloading policies from Access
Gateway. If auto-detection is enabled on the plug-in, the Access Gateway Plug-in
automatically changes client proxy settings to match the settings stored in the
operating system.
Users can configure automatic detection of the proxy settings in the Citrix Access
Gateway Options dialog box in the Access Gateway Plug-in. Users can also manually
configure a proxy server from the Access Gateway Plug-in. When the user configures
the proxy server manually, automatic detection of proxy settings is disabled. By
default, the plug-in does not use a proxy server.
Note: During installation, an installation log file, called cag_plugin.log, is installed in
the %TEMP% directory on the user device. You can use this log file to solve problems
with the installation.

To manually configure a proxy server


1. On the user device, click Start>All Programs>Citrix>Citrix Access Clients>Citrix
Access Gateway - Properties.
2. In the Citrix Access Gateway Options dialog box, under Proxy settings, select
Manually configure proxy server.
3. In IP address and Port, type the IP address and port number.
4. If authentication is required by the server, select the Proxy server requires
authentication check box.

Chapter 11

Integrating Access Gateway 5.0 with XenApp and XenDesktop


Topics:
• Providing Access to Virtual Applications and Desktops
• Setting Up a Web Interface Site to Work with Access Gateway
• Configuring Access Gateway to Communicate with the Web Interface
• Configuring Single Sign-on to the Web Interface on the Access Gateway Appliance
• Integrating XenApp and XenDesktop with Access Controller

If you are a system administrator responsible for installing and configuring Citrix
Access Gateway, you can configure the appliance to work with Citrix XenApp and Citrix
XenDesktop. It is assumed that Access Gateway is connected to an existing network and
that you have experience configuring that network.
To allow user connections to a server farm through Access Gateway, you configure
settings in the Web Interface and on the Access Gateway appliance.
The configuration steps assume that you have deployed Access Gateway as a standalone
appliance and that users connect directly to Access Gateway.

Providing Access to Virtual Applications and Desktops


One or more computers running XenApp or XenDesktop make up a server farm. If your
enterprise network contains a server farm, you can deploy Access Gateway to provide
secure Internet access to virtual applications or desktops.
In such deployments, Access Gateway works with the Web Interface and Secure Ticket
Authority (STA) to provide authentication, authorization, and redirection to virtual
applications hosted on a computer running XenApp or on virtual desktops provided by
XenDesktop.
You achieve this functionality by integrating Access Gateway components with the Web
Interface, XenApp, or XenDesktop. This integration provides advanced authentication
and an access control option to the Web Interface. For more information about the Web
Interface, see the Web Interface documentation in Citrix eDocs.
Remote connectivity to a server farm does not require the Access Gateway Plug-in. To
access virtual applications and desktops, users connect using Citrix online plug-ins. To
access virtual desktops in XenDesktop 3.0, users connect using Desktop Receiver.
Important: Installation of either Desktop Receiver or Desktop Receiver Embedded
Edition on the same computer as Citrix online plug-ins is not supported. If you want
your users to access both virtual desktops and applications from the same computer,
Citrix recommends installing Citrix online plug-ins on the virtual desktops that you
create with XenDesktop. This allows your virtual desktops to receive published
applications.

Integrating Access Gateway with XenApp or XenDesktop
When you configure Access Gateway for user connections, you can configure settings to
direct network traffic to XenApp, XenDesktop, or both. To do so, you configure Access
Gateway and the Web Interface to communicate with each other.
The tasks for integrating these three products include:
w Creating a Web Interface site in the XenApp or XenDesktop farm
w Configuring settings within the Web Interface to route user connections through
Access Gateway
w Configuring Access Gateway or Access Controller to communicate with the Web
Interface and Secure Ticket Authority (STA)
Access Gateway and the Web Interface use the STA and Citrix XML Service to establish
user connections. The STA and the XML Service run on the XenApp or XenDesktop server.

Establishing a Secure Connection to the Server Farm
The following example shows how Access Gateway deployed in the demilitarized zone
(DMZ) works with the Web Interface to provide a secure, single point-of-access to
published resources available in a secure enterprise network.
In this example, all of the following conditions exist:
w User devices from the Internet connect to Access Gateway using Citrix online plug-ins or Citrix Desktop Receiver.
Note: If you use Citrix XenDesktop 4.0, you use Citrix online plug-ins, which were
formerly called Desktop Receiver in XenDesktop version 3.0.
w The Web Interface resides behind Access Gateway in the secure network. The user
device makes the initial connection to Access Gateway and the connection is passed
to the Web Interface.
w The secure network contains a server farm. Servers within this server farm run the
Secure Ticket Authority (STA) and the Citrix XML Service. The STA and the XML
Service can run on either XenApp or XenDesktop.
The illustration at this point in the guide (not reproduced here) shows an Access
Gateway appliance deployed with the Web Interface installed behind the appliance in
the DMZ and the server farm in the secure network.

Process Overview: User Access to Published Resources in the Server Farm
1. A remote user types the Access Gateway address, for example
https://www.ag.companyname.com, in the address field of a Web browser. The user
device attempts this Secure Sockets Layer (SSL) connection on port 443, which
must be open through the firewall for this connection to succeed.

2. Access Gateway receives the connection request and prompts users for their
credentials. The credentials are passed back through Access Gateway, users are
authenticated, and the connection is passed to the Web Interface.
3. The Web Interface sends the user credentials to the XML Service running in the
server farm.
4. The XML Service authenticates the user credentials and sends the Web Interface a
list of the published applications or desktops the user is authorized to access.
5. The Web Interface populates a Web page with the list of published resources
(applications or desktops) that the user is authorized to access and sends this Web
page to the client.
6. The user clicks a published application or desktop link. An HTTP request is sent to
the Web Interface indicating the published resource that the user clicked.
7. The Web Interface interacts with the XML Service and receives a ticket indicating
the server on which the published resource runs.
8. The Web Interface sends a session ticket request to the STA. This request specifies
the IP address of the server on which the published resource runs. The STA saves
this IP address and sends the requested session ticket to the Web Interface.
9. The Web Interface generates an ICA file containing the ticket issued by the STA and
sends the file to the client Web browser.
The ICA file that the Web Interface generated contains the Fully Qualified Domain
Name (FQDN) or the Domain Name System (DNS) name of Access Gateway. Note
that the IP address of the server running the requested resource is never revealed
to users.
10. The ICA file contains data instructing the Web browser to start online plug-ins. The
user device connects to Access Gateway using the Access Gateway FQDN or DNS
name in the ICA file. Initial SSL/TLS handshaking occurs to establish the identity of
Access Gateway.
11. The user device sends the session ticket to Access Gateway and Access Gateway
contacts the STA for ticket validation.
12. The STA returns the IP address of the server on which the requested application
resides to Access Gateway.
13. Access Gateway establishes a TCP connection to the server.
14. Access Gateway completes the connection handshake with the user device and
indicates to the user device that the connection is established with the server.
All further traffic between the user device and the server is simply proxied through
Access Gateway.
The traffic between the user device and Access Gateway is encrypted.
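The ticket exchange in steps 7 through 13, as an added example that is not code from this guide or from any Citrix product. It is a Python model of the three parties: the STA issues opaque tickets for internal addresses, the Web Interface writes an ICA file that names only the gateway FQDN and the ticket, and Access Gateway redeems the ticket before proxying. The ticket format, the single-use rule, the 100-second lifetime, the simplified ICA keys and the addresses are assumptions of the model, not values taken from the product.

```python
import secrets
import time

# Assumed lifetime; the lifetime of real STA tickets is a server-side setting.
TICKET_LIFETIME_SECONDS = 100


class SecureTicketAuthority:
    """Model of the STA: maps opaque tickets to internal server addresses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tickets = {}  # ticket -> (internal address, expiry time)

    def request_ticket(self, server_address):
        # Steps 7 and 8: the Web Interface asks for a ticket for the target
        # server. The ticket is random, so it carries nothing about the address.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_address, self._clock() + TICKET_LIFETIME_SECONDS)
        return ticket

    def validate_ticket(self, ticket):
        # Steps 11 and 12: Access Gateway redeems the ticket. The entry is removed
        # on first use, so a replayed or expired ticket yields no address.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        address, expiry = entry
        return address if self._clock() <= expiry else None


def parse_ica(ica_file):
    """Read key=value lines of an ICA file into a dict (section headers skipped)."""
    fields = {}
    for line in ica_file.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


class WebInterface:
    """Step 9: builds an ICA file holding the gateway FQDN and the STA ticket."""

    def __init__(self, sta, gateway_fqdn, gateway_port=443):
        self.sta = sta
        self.gateway_fqdn = gateway_fqdn
        self.gateway_port = gateway_port

    def build_ica_file(self, server_address):
        ticket = self.sta.request_ticket(server_address)
        # Simplified layout (assumption); the STA id "STA01" is a placeholder.
        return (
            "[ApplicationServers]\n"
            "Published App=\n"
            "[Published App]\n"
            f"Address=;40;STA01;{ticket}\n"
            "SSLEnable=On\n"
            f"SSLProxyHost={self.gateway_fqdn}:{self.gateway_port}\n"
        )


class AccessGateway:
    """Steps 10 to 13: accept the user device, redeem the ticket, connect inward."""

    def __init__(self, sta, fqdn):
        self.sta = sta
        self.fqdn = fqdn

    def accept_session(self, ica_file):
        fields = parse_ica(ica_file)
        # The plug-in connects to SSLProxyHost; TLS to the gateway is not modelled.
        if fields["SSLProxyHost"].split(":")[0] != self.fqdn:
            return None
        ticket = fields["Address"].split(";")[-1]
        # Only the gateway learns the internal address, and only once per ticket.
        return self.sta.validate_ticket(ticket)


def run_flow(server_address="10.20.30.40", gateway_fqdn="www.ag.companyname.com"):
    """Run the exchange once and report what the browser and the gateway saw."""
    sta = SecureTicketAuthority()
    wi = WebInterface(sta, gateway_fqdn)
    ag = AccessGateway(sta, gateway_fqdn)
    ica = wi.build_ica_file(server_address)   # what the browser receives
    first = ag.accept_session(ica)            # user device presents the ticket
    replay = ag.accept_session(ica)           # same ticket presented again
    return {
        "ica_names_internal_address": server_address in ica,
        "first_redeem": first,
        "replayed_redeem": replay,
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```

The model makes the two properties the overview relies on checkable: the ICA file handed to the browser never contains the internal address, and a ticket that has already been redeemed (or has aged out) does not let a second connection through the gateway.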

Setting Up a Web Interface Site to Work with Access Gateway
The Web Interface provides users with access to XenApp applications and content and
to XenDesktop virtual desktops. Users access their published applications through a
standard Web browser or through the Citrix online plug-ins. Users use Desktop Receiver
to access published desktops.
You can configure Web Interface sites created on Windows-based platforms using the
Access Management Console in XenApp 5.0 and Web Interface 5.1. For Web Interface
5.2 and 5.3, you use the Citrix Web Interface Management console to configure sites.
You can install the Access Management Console and Web Interface Management console
on Windows-based platforms only.
Note: The Access Management Console, the Web Interface Management console,
and the Delivery Services Console can all reside on the same computer.
To configure the Web Interface to work with Access Gateway, create the Web Interface
site, configure the settings in the Web Interface, and then configure Access Gateway.

Web Interface Features
Before configuring the Web Interface to work with Access Gateway, you need to
understand the features of the Web Interface and the differences between the
following two options:

XenApp Web Sites
The Web Interface provides functionality to create and manage XenApp Web sites.
Users access published resources and streamed applications remotely using a Web
browser and a plug-in.

XenApp Services Sites
The XenApp plug-in (the Citrix online plug-in) is designed for flexibility and ease of
configuration. When you use the plug-in in conjunction with XenApp Services sites on the
Web Interface, you can integrate published resources with users' desktops. Users click
icons on their desktops or in the Start menu, or they click in the notification area of
their desktop, to access remote and streamed applications, remote desktops, and
content. You can determine what, if any, configuration options your users can access
and modify, such as audio, display, and logon settings.
Access to published desktops is not supported if you choose to configure the Web
Interface with XenApp and XenApp Services sites.
For more information about the Web Interface, see the Web Interface documentation in
the Technologies node in Citrix eDocs at http://edocs.citrix.com.

Setting Up a Web Interface Site
Install and configure the Web Interface before you install Access Gateway. For more
information, see the Web Interface documentation in the Technologies node in the
Citrix eDocs library at http://edocs.citrix.com. If you deployed the Web Interface in
the secure network and configured authentication on Access Gateway, when users
connect to Access Gateway, the appliance provides authentication.
The steps for setting up a Web Interface site include:
w Selecting how users log on. Users can log on through a Web browser, the Access
Gateway Plug-in, online plug-ins, or Desktop Receiver. You can configure the Web
Interface to work with Access Gateway in one of the following ways:
Create and manage XenApp Web sites, in which users access virtual resources
remotely using a Web browser and online plug-ins.
Use XenApp in conjunction with a XenApp Services site on the Web Interface, to
integrate virtual applications with users' desktops.
Note: Access to published desktops is not supported if you configure the Web
Interface with XenApp Services sites. To use a XenApp Services site, you must be
running Access Gateway 5.0.2.
w Identifying where users are authenticated: Access Gateway or the Web Interface.
Note: If you install the Web Interface in the secure network, Citrix recommends that
Access Gateway authenticate network traffic before sending the request to the Web
Interface. Network traffic that is not authenticated should not be allowed to be sent to
the Web Interface in the secure network.
Make sure you install a valid server certificate on Access Gateway. For more
information about working with certificates, see Installing and Managing Certificates on
page 123.
Important: In order for the Web Interface to work properly with Access Gateway, the
server running the Web Interface must trust Access Gateway and be able to resolve
the fully qualified domain name (FQDN) to the correct IP address.

Selecting the Access Method
When you configure settings in XenApp or XenDesktop, you need to select one of the
following access methods. These settings determine how users connect to a server
farm. For more information, see the Web Interface documentation for your version in
the Technologies node in Citrix eDocs at http://edocs.citrix.com.
Note: Access Gateway only supports Gateway Direct and Gateway Alternate if you
are using Access Controller in your Access Gateway deployment.

w Direct. The online plug-in connects to the real IP address of the target XenApp
server. Use this method if users connect from the LAN or if users have established a
connection using the Access Gateway Plug-in.
w Alternate. This method functions in the same way as the Direct method, except
users connect to an alternate IP address instead of the real IP address of the XenApp
server. The alternate IP address is defined on each XenApp server using the
command ALTADDR on XenApp.
w Translated. This method functions in the same way as the Alternate method, except
the alternate address for each XenApp server is defined in the Web Interface
configuration instead of by running ALTADDR on each XenApp server.
w Gateway Direct. The online plug-in initiates a Secure Sockets Layer (SSL)
connection to the fully qualified domain name (FQDN) of Access Gateway, which then
terminates the SSL connection and completes an ICA connection to the real address
of the target XenApp server. This method relies on the Secure Ticket Authority (STA)
to validate incoming connections. Use this method if users are outside the LAN
and have not established a connection using the Access Gateway Plug-in. The Access
Gateway Plug-in is not required for this connection type, but the plug-in can be used.
Note: If users are connecting through Access Gateway to a server farm, Citrix
recommends using Gateway Direct.
w Gateway Alternate. This method functions in the same way as Gateway Direct,
except Access Gateway makes a connection to the alternate address of the XenApp
server as defined using the command ALTADDR.
w Gateway Translated. This method functions in the same way as Gateway Alternate,
except Access Gateway makes a connection to the alternate address of the XenApp
server as defined in the Web Interface configuration.

Creating a Web Interface Site in XenApp 5.0
When you create a Web Interface site, you can configure user logon to occur through a
Web browser or Citrix online plug-ins. You can use the following procedure to use the
Access Management Console to create multiple Web Interface sites.
1. Click Start>All Programs>Citrix>Management Console>Access Management
Console.
If prompted, configure and run discovery.
2. Under Citrix Resources>Configuration Tools, click Web Interface, and under
Common Tasks, click Create site.
3. Select one of the following and then click Next:
XenApp Web. Users log on to the Web Interface using a Web browser.
XenApp Services. Users log on using online plug-ins.
Note: If you select XenApp Services, do not perform Steps 5 and 6.
4. Keep the default Internet Information Services (IIS) site and path.
If you selected XenApp Web in Step 3, the site path is /Citrix/XenApp. Continue
with Step 5.
If you selected XenApp Services, the site path is /Citrix/PNAgent. Click Next to
complete the configuration.
Note: If any preexisting XenApp Web sites or XenApp Services sites use the default
path, an appropriate increment is added to distinguish the new site.
5. In Specify where user authentication takes place, select one of the following:
At Web Interface to have users authenticate using the Web Interface.
Select this option if the Web Interface is deployed as a standalone server
parallel to Access Gateway in the demilitarized zone (DMZ).
At Access Gateway to have users authenticate using the Access Gateway
appliance.
If you select this option, Access Gateway authenticates users and initiates
single sign-on to the Web Interface if it is configured on the appliance.
6. If you selected At Access Gateway in Step 5, in Authentication service URL, type
the Web address to the Access Gateway authentication service URL, such as
https://access.company.com/CitrixAuthService/AuthService.asmx
and then click Next.
Note: If you select At Web Interface in Step 5, you do not need to perform Step
6. If you are using Access Controller in your Access Gateway deployment, use the
IP address or fully qualified domain name (FQDN) of the Access Controller server.
You receive a summary screen showing your settings. Click Next to create the Web
Interface site. When the site is successfully created, Access Management Console
prompts you to configure the remaining settings in the Web Interface. Follow the
instructions in the wizard to complete the configuration.

Configuring Access Gateway Settings for the Web Interface on XenApp 5.0
After you create the Web Interface site, you can use the Access Management Console to
configure settings for Access Gateway.
1. Click Start>All Programs>Citrix>Management Consoles>Access Management
Console.
2. In the left pane of the Access Management Console, click Citrix Resources, click
Configuration Tools, click Web Interface and then click the Web Interface site.
3. Under Common Tasks, click Manage secure client access and then click Edit
secure client access settings.
4. In Specify Access Methods, select the Default entry and then click Edit.
5. In Access Method, select Gateway direct, click OK and then click Next.
6. In Address (FQDN), type the Access Gateway fully qualified domain name (FQDN).
This must be the same FQDN that is used on the Access Gateway certificate.
7. In Port, type the port number. The default is 443.
8. To enable session reliability, click Enable session reliability and then click Next.
9. Under Secure Ticket Authority URLs, click Add.
10. In Secure Ticket Authority URL, type the STA URL on the primary server running
the XML Service on XenApp, click OK and then click Finish.
For example, type http://xenappsrv01/Scripts/CtxSta.dll. If the XML Service is
published over SSL, use an https:// URL so that ticket requests from the Web
Interface and from Access Gateway to the STA are not sent in clear text.
After you configure the settings in the Web Interface, configure Access Gateway. For
more information, see Configuring Access Gateway to Communicate with the Web
Interface on page 324.

Configuring Access Gateway Settings in Web Interface 5.2
You can configure the Web Interface 5.2 to accept connections from Access Gateway. In
addition, Web Interface 5.2 supports Secure Ticket Authority (STA) redundancy. To
configure the Web Interface, use the Secure Access task in the Web Interface
Management console. When you finish this procedure, the Web Interface is configured
for use with Access Gateway and STA redundancy is also enabled.
This procedure assumes you have the Web Interface installed and configured in your
network.
1. Click Start>All Programs>Citrix>Management Consoles>Citrix Web Interface
Management.
2. In the navigation pane of the Web Interface Management Console, click either
XenApp Web Sites or XenApp Services Sites.
3. In the middle pane, select the Web Interface site.
4. In the right pane, under Edit Settings, click Secure Access.
5. On the Specify Access Methods page, under Client device addresses (in order),
select an item from the list and then click Edit.
6. In Access method, select Gateway direct, click OK and then click Next.
7. On the Specify Gateway Settings page, in Address (FQDN) type the fully qualified
domain name (FQDN) of Access Gateway. This must be the same FQDN that is used
on the Access Gateway certificate.
8. In Port, type the port number. The default is 443.
9. Click Enable session reliability and Use Two Tickets and then click Next.
When both check boxes are selected, session reliability and STA redundancy are
enabled. The Web Interface obtains tickets from two different STAs so that user
sessions are not interrupted if one STA becomes unavailable. If the Web Interface
is unable to contact two STAs, it falls back to using a single STA.
Note: You must enable session reliability to configure STA redundancy.


10. On the Specify Secure Ticket Authority Settings page, click Add.
11. In the Add Secure Ticket Authority dialog box, in Add Secure Ticket Authority
URL, type the STA Web address, such as
http[s]://ServerName.Domain.com/scripts/ctxsta.dll, and then click OK.
12. Repeat Steps 10 and 11 for each STA server you want to add.
13. Click Use for load balancing.
Enabling load balancing allows you to evenly distribute connections among servers
so that an individual server does not become overloaded.
14. Click Bypass failed servers for and then select the length of time.
If a STA cannot be contacted, this setting specifies the length of time that STAs
should be bypassed. The Web Interface provides fault tolerance among the servers
on the Secure Ticket Authority URLs list so that if a communication error occurs,
the failed server is bypassed for the specified time period.
Note: If this setting is enabled, STA redundancy might not work.
15. Click Finish.
After you configure the settings in the Web Interface, configure Access Gateway. For
more information, see Configuring Access Gateway to Communicate with the Web
Interface on page 324.

Creating a Web Interface 5.3 Site
When you create a Web Interface 5.3 site, you can configure user logon to occur
through a Web browser or Citrix online plug-ins. You can use the following procedure to
use the Web Interface Management console to create multiple Web Interface sites.
Version 5.3 of the Web Interface can run on XenApp 5.0 and 6.0 and XenDesktop 4.0.
Web Interface 5.3 runs on the following operating systems:
w Windows Server 2008
w Windows Server 2008 R2
w Windows Server 2003
Note: XenApp 6.0 runs only on Windows Server 2008 R2.
1. Click Start>All Programs>Citrix>Management Consoles>Citrix Web Interface
Management.
2. In the left pane, select XenApp Web Sites.
Users log on to the Web Interface using a Web browser.
3. On the Action menu, click Create Site.
4. Keep the default Internet Information Services (IIS) site and path and then click
Next.
The default site path is /Citrix/XenApp, or you can type a site path of your own
choosing.
Note: If any preexisting XenApp Web sites use the default path, an appropriate
increment is added to distinguish the new site.
5. In Specify where user authentication takes place, select one of the following:
At Web Interface to have users authenticate using the Web Interface.
Select this option if the Web Interface is deployed as a standalone server
parallel to Access Gateway in the demilitarized zone (DMZ).
At Access Gateway to have users authenticate using the Access Gateway
appliance.
If you select this option, Access Gateway authenticates users and initiates
single sign-on to the Web Interface if it is configured on the appliance.
6. Click Next.
7. If you selected At Access Gateway in Step 5, in Authentication service URL, type
the Web address to the Access Gateway authentication service URL, such as
https://access.company.com/CitrixAuthService/AuthService.asmx
and then click Next.
8. Under Authentication Options, select Explicit.
When you select Explicit, users log on using a Web browser.
Note: Smart card authentication is not supported in Access Gateway 5.0.
9. Click Next.
You receive a summary screen showing your settings.
10. Click Next to create the Web Interface site.
You receive a page showing the progress of the site creation.
11. Click Configure this site now and then follow the wizard to configure the site.

Configuring Access Gateway Settings in Web Interface 5.3
After you create the Web Interface site, you can use Web Interface Management
console to configure settings for Access Gateway.
1. Click Start>All Programs>Citrix>Management Consoles>Citrix Web Interface
Management.
2. In the left pane of Citrix Web Interface Management, click XenApp Web Sites.
3. In the middle pane, click a XenApp Web site.

4. In the Action pane, click Secure Access.
5. In the Edit Secure Access Settings dialog box, click Add.
6. In the Add Access Route dialog box, type the IP address and subnet mask.
7. In Access Method, select Gateway direct, click OK and then click Next.
8. In Address (FQDN), type the Access Gateway fully qualified domain name (FQDN).
This must be the same FQDN that is used on the Access Gateway certificate.
9. In Port, type the port number. The default is 443.
10. Click Enable session reliability and Request tickets from two STAs, where
available and then click Next.
When both check boxes are selected, session reliability and Secure Ticket
Authority (STA) redundancy are enabled. The Web Interface obtains tickets from
two different STAs so that user sessions are not interrupted if one STA becomes
unavailable. If the Web Interface is unable to contact two STAs, it falls back to
using a single STA.
Note: You must enable session reliability to configure STA redundancy.
11. Under Secure Ticket Authority URLs, click Add.
12. In the Add Secure Ticket Authority dialog box, in Secure Ticket Authority URL,
type the name of the master server running the XML Service on XenApp, click OK
and then click Finish.
For example, type http://xenappsrv01/Scripts/CtxSta.dll.
13. Repeat Steps 11 and 12 for each STA server you want to add.
14. Click Use for load balancing.
Enabling load balancing allows you to evenly distribute connections among servers
so that an individual server does not become overloaded.
15. Click Bypass failed servers for and then select the length of time.
If a STA cannot be contacted, this specifies the length of time that STAs should be
bypassed. The Web Interface provides fault tolerance among the servers on the
Secure Ticket Authority URLs list so that if a communication error occurs, the
failed server is bypassed for the specified time period.
Note: If this setting is enabled, STA redundancy might not work.
16. Click Finish.
After you configure the settings in the Web Interface, configure Access Gateway. For
more information, see Configuring Access Gateway to Communicate with the Web
Interface on page 324.

Adding XenApp and XenDesktop to a Single Site
If you are running XenApp and XenDesktop, you can add both applications to a single
Web Interface site. This configuration allows you to use the same Secure Ticket
Authority (STA) server from either XenApp or Desktop Delivery Controller.
Note: XenDesktop supports Web Interface 5.0, Web Interface 5.2, and Web Interface
5.3.
If you are using Web Interface 5.0 or 5.1, you use the Access Management Console to
combine the XenApp and XenDesktop sites.
If you are using Web Interface 5.2, 5.3 or 5.4, you use the Web Interface Management
console to combine the XenApp and XenDesktop sites.
Note: If the server farms are in different domains, you must establish two-way trust
between the domains.

To add XenApp or XenDesktop to a single site using Web Interface 5.0 or 5.1
1. Click Start>All Programs>Citrix>Management Consoles>Access Management
Console.
2. Expand Citrix Resources>Configuration Tools>Web Interface.
3. Click a Web Interface site and under Common Tasks, click Manage server farms.
4. In the Manage Server Farms dialog box, click Add.
5. Complete the settings for the server farm and then click OK twice.

To add XenApp or XenDesktop to a single site using Web Interface 5.2 or 5.3
1. Click Start>All Programs>Citrix>Management Consoles> Citrix Web Interface
Management.
2. In the left pane, select XenApp Web Sites.
3. In the Action pane, right-click a site and then click Server Farms.
4. In the Manage Server Farms dialog box, click Add.
5. Complete the settings for the server farm and then click OK twice.
For the best experience using XenDesktop, change the setting
UserInterfaceBranding to Desktops in the WebInterface.conf configuration file.

Creating User Connections to XenApp 6 or XenDesktop 5
In XenApp 6 or XenDesktop 5, you can configure the server to only accept connections
that are routed through the Access Gateway. You configure filters in the XenApp
Delivery Services Console or Desktop Studio that point to Access Gateway.
You can create a policy that is applied to Access Gateway connections or to Access
Gateway connections with certain properties.
You can create XenApp 6 policies to accommodate different access scenarios based on
factors, such as authentication type, the logon point, and user device information, such
as endpoint analysis. In XenApp, you can enable client-side drive mapping, cut and
paste functionality, and local printing based on the logon point used to access the
published application.

Prerequisites for Filtering on Access Gateway Connections
For Citrix XenApp or XenDesktop to filter on the Access Gateway connection, you must
do the following on the Access Gateway:
w Create a SmartAccess logon point. For more information, see To configure a
SmartAccess logon point on Access Gateway on page 172.
w Select the Access Gateway cluster name and the access condition.
w Ensure that you configure your server farm to allow Access Gateway connections,
which is the default setting.
w Create a computer policy within XenApp that enables the Trust XML requests policy
setting.
w Use a PowerShell command to enable the Trust XML requests setting in
XenDesktop.
w Create a user policy within XenApp and XenDesktop that includes a filter
referencing Access Gateway filters.
To configure these settings, see the additional topics in this section.

To create a XenApp 6.0 policy filter for Access Gateway connections
1. On the XenApp server, click Start>All Programs>Citrix>Management
Consoles>Citrix Delivery Services Console.
2. In the left pane, click Policies.
3. In the middle pane, click Users.
4. Under Citrix User Policies, click New.
5. On the New Policy page, under Identify your policy, in Name, type a name.
6. Click Next twice.
7. In the filters dialog box, under Filters, click Access Control and then click Add.
8. In the New Access Control Filter dialog box, click Add.
9. In the New Access Control Filter Element dialog box, in Connection Type, select
With Access Gateway.
To apply the policy to connections made through Access Gateway without
considering Access Gateway policies, accept the default entries in AG farm name
and Access condition.
10. If you are using Access Controller and want to apply the policy to connections
made through Access Gateway based on Access Controller policies, do the
following:
a. In AG farm name type the name of the Access Controller cluster.
b. In Access condition, type the name of the Access Controller filter for XenApp
to use.
Important: XenApp does not validate Access Controller cluster, server, and filter
names. Make sure the information is correct.
11. Click OK twice, click Next and then click Save.

To create a XenApp 6.0 XML Trusts policy
Configuring an XML Trusts policy specifies whether the Citrix XML Service should trust
requests that it receives. Before enabling this rule, avoid security risks by using IPSec,
firewalls, or another technology that ensures that only trusted services communicate
with the Citrix XML Service.
Trusting requests sent to the XML Service means that XenApp can use the information
passed on from Access Gateway to control application access and session policies. This
information includes the use of Access Gateway filters to control access to published
applications and to set XenApp session policies. If you do not trust requests sent to the
XML Service, this additional information is ignored.
1. On the XenApp server, click Start>All Programs>Citrix>Management
Consoles>Citrix Delivery Services Console.
2. In the left pane, click Policies.
3. In the middle pane, click Computer.
4. Under Citrix Computer Policies, click New.
5. In the New Policy wizard, in Identify Your Policy, in Name, type a name and then
click Next.
6. On the Choose the settings that will be applied page, under Settings, scroll down
to Trust XML requests and then click Add.
7. In the Trust XML Settings dialog box, click Enabled and then click OK.
8. Complete the New Policy wizard.

To create a XenDesktop 5 policy filter for Access Gateway connections
1. On the XenDesktop server, click Start>All Programs>Citrix>Management
Consoles>Desktop Studio.
2. In the left pane, click to expand HDX Policy and then click Users.
3. Under Users, click New.
4. In the New Policy dialog box, under Identify your policy, in Name, type a name.
5. Click Next twice.
6. In the New Policy dialog box, on the filters page, under Filters, click Access
Control and then click Add.
7. In the New Filter dialog box, click Add.
8. In the New Filter Element dialog box, in Connection Type, select With Access
Gateway.
To apply the policy to connections made through Access Gateway without
considering Access Gateway policies, leave the default entries in AG farm name
and Access condition.
9. If you are using Access Controller and want to apply the policy to connections
made through Access Gateway based on Access Controller policies, do the
following:
a. In AG farm name type the name of the Access Controller cluster.
b. In Access condition, type the name of the Access Controller filter for
XenDesktop to use.
Important: XenDesktop does not validate Access Controller cluster, server, and
filter names. Make sure the information is correct.
10. Click OK twice, click Next and then click Create.

To create a XenDesktop 5 XML Trusts policy
Configuring an XML Trusts policy specifies whether the Citrix XML Service should trust
requests that it receives. Before enabling this rule, avoid security risks by using IPSec,
firewalls, or another technology that ensures that only trusted services communicate
with the Citrix XML Service. When you configure XML trusts, establish firewall rules in
Desktop Studio to allow only trusted Web Interface servers to connect to it. After you
establish your firewall rules, you then enable XML trusts using a PowerShell command.
You configure XML trusts for SmartAccess logon points and filters. You do not need to
configure trusts for a basic logon point.
Trusting requests sent to the XML Service means that XenDesktop can use the
information passed on from Access Gateway to control desktop access and session
policies. This information includes the use of Access Gateway filters to control access
322

Access Gateway 5.0 Administrator's Guide


to virtual desktops and to set XenDesktop session policies. If you do not trust requests
sent to the XML Service, this additional information is ignored.
To configure an XML trusts policy in XenDesktop, you use the following commands in
PowerShell:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $false
If you set the command to $false, the SmartAccess filters are ignored during single
sign-on. If you set the command to $true, the SmartAccess filters are accepted and
available for use with the XenDesktop access policies.
For more information about using PowerShell to configure an XML trusts policy on
XenDesktop 5, see the following:
• Getting Started with PowerShell in XenDesktop 5
• PowerShell Help
• About the XenDesktop SDK

Enabling Users to Change Their Passwords with Web Interface
If you have Web Interface 5.4 configured as the home page for a logon point, you can
allow users to change their passwords. To do so, you manually change parameters in
the file WebInterface.conf. The parameters are:
Name: AllowUserPasswordChange
Possible values: Never | Expired-Only | Always
Name: ShowPasswordExpiryWarning
Possible values: Never | WindowsPolicy | Custom
Name: PasswordExpiryWarningPeriod
Possible values: Number of days between 0 and 999
Note: The parameter PasswordExpiryWarningPeriod must be an integer.
For example, to allow users to change their password at any time and to show a
warning seven days before their password expires, use the following settings in
WebInterface.conf:
AllowUserPasswordChange=Always
ShowPasswordExpiryWarning=Custom
PasswordExpiryWarningPeriod=7
When you configure these settings, links appear in the Web Interface. When users click
the link, Access Gateway makes the password change. For this feature to succeed, the
following requirements apply:
• Enable the setting Allow users to change password within the LDAP authentication
profile that you create on Access Gateway.
Chapter 11

Integrating Access Gateway 5.0 with XenApp and XenDesktop


• Enable the setting Use secure connection in the LDAP authentication profile and
define the connection to use the secure LDAP port of 636 instead of port 389.
• Install the root certificate from the LDAP server as a trusted certificate on Access
Gateway.

Configuring Access Gateway to Communicate with the Web Interface
You can configure Access Gateway to communicate with the Web Interface running on
XenApp or XenDesktop. When you configure a basic logon point, Access Gateway
automatically creates a SmartGroup and assigns the logon point to the SmartGroup.
Before you configure a basic logon point, make sure you install the Web Interface and
verify that it is communicating with the network. When you configure a basic logon
point, you must also configure at least one Secure Ticket Authority (STA) server.
If you want to set the Web Interface as the home page, you configure the SmartGroup
settings to display the home page.

To configure the Access Gateway appliance to use the Secure Ticket Authority
The Secure Ticket Authority (STA) is responsible for issuing session tickets in response
to connection requests for published applications on XenApp and published desktops on
XenDesktop. These session tickets form the basis of authentication and authorization
for access to published resources.
If you are securing communications between Access Gateway and the STA, make sure a
server certificate is installed on the server running the STA.
By default, connections to the STA are secure.
1. In the Access Gateway Management Console, click Management.
2. Under Applications and Desktops, click Secure Ticket Authority.
3. In the Security Ticket Authority panel, click New.
4. In the Security Ticket Authority Properties dialog box, in Server, type the fully
qualified domain name (FQDN) or IP address of the server running the STA.
5. In Connection type, choose whether the connection is secure or unsecure.
6. In Port, you can use the default port number 443 for secure connections or port 80
for unsecure connections. You can also type your own port number.
7. In Path, you can use the default path of /Scripts/CtxSTA.dll or type a path of your
own.
8. Click Add.
When you click Add, the settings for the STA appear in the Security Ticket Authority
panel. You can repeat this procedure to add additional servers running the STA.

To configure ICA Access Control on the Access Gateway appliance
You can configure an ICA access control list so that Access Gateway allows access to
only specific servers in the server farm. To allow user connections using Citrix online
plug-ins, you must configure ICA Access Control. If you do not configure an access
control list, users cannot connect to their published applications or desktops.
To create an ICA access control list, you must enter an IP address range that
corresponds to the servers within the server farm to which you want to grant access
and then specify the appropriate protocol and port for connection to these servers.
If you create one or more ICA access control lists, a server running XenApp or
XenDesktop must be included in an access control list before users can access it. Access
Gateway allows connections only to the servers specified in the access control lists.
1. In the Access Gateway Management Console, click Management.
2. Under Applications and Desktops, click XenApp or XenDesktop.
3. In the ICA Access Control List panel, click New.
4. To specify a range of servers running XenApp or XenDesktop, in the ICA Access
Control List dialog box, type the IP addresses in Beginning IP address and Ending
IP address.
5. In Protocol, select either ICA or Session reliability.
6. In Port, either accept the default port number or type a new number.
The default port for ICA connections is 1494. The default port for session reliability
is 2598.
7. Click Add.

To configure the Web Interface as the logon page


You can configure Access Gateway to allow users to authenticate through the Web
Interface instead of through Access Gateway. To do so, you configure a basic logon
point and then configure the logon point to authenticate users. When users log on, they
receive the Web Interface logon page instead of the Access Gateway logon page.
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, click New.
4. In the Logon Points Properties page, in Name, type a name for the logon point.
5. In Type, select Basic.
6. Click Authenticate with the Web Interface, in Web Interface, type the URL for
the Web Interface and then click Save.

Configuring Access Gateway to Use a XenApp Services Site
You can configure Access Gateway 5.0.2 to allow users to connect by using Citrix online
plug-ins or mobile receivers that work with the Web Interface XenApp Services site. To
do so, you configure the Web Interface to use XenApp Services sites and then on Access
Gateway, create a basic logon point and configure it to use the Web Interface for
authentication. When users log on, they can start published applications directly from
the computer desktop or mobile device. To give users this type of access, the basic
steps are:
1. Create a XenApp Services site in the Web Interface, setting the fully qualified
domain name (FQDN), Secure Ticket Authority (STA), and the access method.
2. On Access Gateway, create a basic logon point and configure it to use the Web
Interface for authentication.
If users log on to the default logon point, they only need to type in the Access
Gateway FQDN. If users do not log on to the default logon point, they must enter
the FQDN of Access Gateway, plus the full path of the logon point. For example,
users would type in https://AccessGatewayFQDN/lp/logon-point-name.
3. In the basic logon point, set the XenApp Services sites as the home page. When you
configure the home page, enter the full path to the config.xml file. For example,
<WI-ServerName>/citrix/pnagent/config.xml.
4. On Access Gateway, configure the STA and the ICA access control list.
When users log on with Citrix online plug-ins and enter the Access Gateway FQDN as
the server address, the XenApp Services site enumerates applications and the user
connection routes through Access Gateway.
Note: You must use Access Gateway 5.0.2 to enable this feature.

To configure Access Gateway to connect to the XenApp Services site
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click Logon Points.
3. In the Logon Points panel, click New.
4. In the Logon Points Properties dialog box, in Name, type a unique name for the
logon point.
5. In Type, select Basic.
6. Select Authenticate with Web Interface.

7. In Web Interface, type the full path to the config.xml file within the XenApp
Services site and then click Save.

Configuring Single Sign-on to the Web Interface on the Access Gateway Appliance
You can configure Access Gateway 5.0 to provide single sign-on to the Web Interface.
You can configure Access Gateway to work with the Web Interface for the following:
• XenApp 5.0
• XenApp 6.0
• XenDesktop 3.0
• XenDesktop 4.0
• XenDesktop 5.0
Before configuring single sign-on, make sure the Web Interface is already configured
and working with Access Gateway.
You can configure single sign-on to the Web Interface using a basic logon point or as
part of a SmartGroup if you configure the SmartGroup to use the Web Interface as the
home page.
Configuring Access Gateway to use single sign-on has the following benefits:
• Users authenticate one time to Access Gateway and the Web Interface does not
prompt them to authenticate again.
• Access Gateway terminates and authenticates inbound secure HTTPS traffic,
allowing the Web Interface to reside in the secure network instead of the
demilitarized zone (DMZ).
• The servers running the Web Interface are protected because users are
authenticated by Access Gateway before the connection reaches the secure network.

To configure a basic logon point for single sign-on to the Web Interface
1. In the Access Gateway Management Console, click Management.
2. Under Access Points, click Logon Points.
3. In the Logon Points panel, click New.
4. In the Logon Points Properties page, in Name, type a name for the logon point.
5. In Type, select Basic.
6. Under Authentication Profiles, in Primary, select an authentication profile.
7. Click Single sign-on to Web applications and then click Save.

To configure a SmartGroup for single sign-on to the Web Interface
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, click Add.
4. In the SmartGroups Properties page, in Name, type a name for the SmartGroup.
5. Under Home Page, click Use specified home page.
6. In Web Address, type the URL for the Web Interface.
7. In Type, select Web Interface.
8. Click Single sign-on to Web application and then click Save.

Configuring the Web Interface for Single Sign-On


You can configure single sign-on to the Web Interface using XenApp 5.0 or XenApp 6.0.
The following are guidelines to use when configuring single sign-on with XenApp.

Guidelines for XenApp 5.0


If you are configuring XenApp 5.0 and the Web Interface for single sign-on, use the
following guidelines:
• In the XenApp Access Management Console, you must select the access method as
Advanced Access Control for the Web Interface site.
• The Authentication Service URL can begin with HTTP or HTTPS.
Note: If you configure the URL to use HTTP, user credentials are sent from Access
Gateway to the Web Interface in clear text. Also, if you use HTTP, you must
configure redirection to port 443 in the Access Gateway Management Console. For
more information, see Redirecting Connections on Port 80 to a Secure Port on
page 132.
• The server running the Web Interface must trust the Access Gateway certificate and
be able to resolve the certificate fully qualified domain name (FQDN) to the actual
IP address of Access Gateway.
• The Web Interface must be able to open a connection to Access Gateway.
• If there is a firewall between the Web Interface and Access Gateway, firewall rules
could block user connections and so prevent single sign-on. Loosen your firewall rules
to allow the Web Interface to connect with Access Gateway.

Guidelines for XenApp 6.0


If you are configuring XenApp 6.0 and the Web Interface for single sign-on, use the
following guidelines:
• Configure pass-through authentication as the authentication method using the Web
Interface Management console.
• On the XenApp server on the Authentication Methods properties page, enable
automatic logon.

Integrating XenApp and XenDesktop with Access Controller
You can integrate Access Controller with XenApp and XenDesktop so that users can
easily access all of their resources, including published applications, from a common
interface. For example, you can embed a XenApp or XenDesktop Web site within the
Access Interface. The Access Interface is a navigation page shipped with Access
Gateway that can list available virtual applications and desktops alongside other
available resources, such as Web resources and file shares. You enable Access Interface
in Access Controller.
In addition, you can share information that Access Controller collects to extend the
policy-based access control capabilities of XenApp. By integrating Access Controller
filters within XenApp policies, you can control which published applications users can
access and what they can do within those applications when they get access. This
feature allows you to create XenApp policies to accommodate different access
scenarios based on a variety of factors, such as authentication strength, logon point,
and user device information, such as endpoint analysis.
For example, you can include endpoint analysis information collected by Access
Controller within a XenApp policy to determine access to a virtual application. In
addition, you can selectively enable client-side drive mapping, cut and paste
functionality, and local printing based on the logon point through which users access
the published application.
The topics in this section discuss the supported deployments, as well as the procedures
required to integrate XenApp and Access Controller. If you are passing Access Controller
information into XenApp for policy evaluation, you must complete the following steps
as well:
• Create one or more filters within Access Controller. For more information about
creating filters, see Creating Policy Filters on page 225.
• Create policies within XenApp that reference Access Controller filters. See the
XenApp documentation for more information about creating policies.

Linking from Access Controller to XenApp or XenDesktop
You can link Access Controller to farms running XenApp. This feature allows you to
offer published resources from XenApp through file type association or the Web
Interface. When you set policies to allow file type association, a user opens a document
in an associated application running on a server.
To link Access Controller to farms running XenApp, you:
• Specify one or more farms that you want to link to Access Controller.
• Configure load balancing or failover if the server farm includes multiple servers.
• Configure address modes if the server farm is behind a firewall configured for
Network Address Translation (NAT). Access Controller supports two address modes.
Gateway Direct is the default setting. You can also use Gateway Alternate if XenApp
is behind a firewall.
• Configure extended access in the access policy for the Web Interface Web resource.
This allows published applications to appear in the Web Interface.
Before you link Access Controller, ensure the following requirements are met in XenApp:
• Published resources are assigned to the same user groups that are assigned to
resources in Access Controller.
• The option Allow connections made through Access Gateway is enabled for each
published resource. This option appears in the access control settings of the
published resource properties.
• In each server's properties, the option Trust requests sent to the XML Service is
selected.
For more information, see To create a XenApp 6.0 XML Trusts policy on page 321.
Complete the steps below to enable XenApp to allow connections from Access Controller.

To link Access Controller and XenApp


1. Ensure that published resources are assigned to the same user groups that are
assigned to resources in the Access Controller cluster.
2. In Citrix XenApp:
• Enable Allow connections made through Access Gateway Advanced Edition
(4.0 or later) for each published resource. This option appears in the access
control settings of the published resource properties.
• In each server's properties, select the option Trust requests sent to the XML
Service.
3. Complete the steps required to integrate published applications within your
deployment. Integration options include:

• Citrix XenApp Web site created by Web Interface. Display published
applications within a XenApp Web site.
• File type association. Documents are launched in an associated application
running on a server in a XenApp farm.
• Third-party portals. Embed a XenApp Web site within a third-party portal, such
as Microsoft SharePoint.

Specifying XenApp Server Farms


You can add multiple servers running XenApp to Access Controller. On Access Controller,
create a list of the server farms that are available to users connecting to Access
Gateway. This list is used in logon point properties to specify which farms are available
to users of the logon point. Each server farm you configure contains a list of servers
that you can use to specify load balancing or failover among servers within the farm.

To specify server farms


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, click Access Gateway and then click
the Access Controller on which you want to create a list of server farms.
3. Under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click XenApp Farms and then click New.
5. In the Add Citrix XenApp Farm wizard, in Citrix XenApp farm name, type the
name or IP address of the farm to which you want to link your cluster.
Note: Access Controller accepts server farm names up to 50 characters long. If the
server farm name is longer than 50 characters, type the IP address instead.
6. If you want to secure the link between Access Controller and XenApp, select the
Secure communication with the farm by applying a secure protocol check box.
Note: To apply a secure protocol, you must have the appropriate certificates
installed on the Access Controller servers and Access Gateway appliances.
7. Click Next and then click Add.
8. In Server name, type the computer name of the server running XenApp.
9. Click OK, click Finish, and then click OK.

Configuring Address Modes


If your server farm is behind a firewall and the firewall is configured for Network
Address Translation (NAT), you can define settings on Access Controller to determine
the address mode of the server included in ICA files.
To configure address modes for client IP addresses


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources, click Access Gateway and then click
the Access Controller on which you want to configure address modes.
3. Under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click XenApp Farms, select the farm and
then click Edit.
5. Click Servers and in Server Address Mode, select either Gateway Direct or
Gateway Alternate.
6. Click OK twice.

Selecting the Access Method


When you configure settings in XenApp or XenDesktop, you need to select one of the
following access methods. These settings determine how users connect to a server
farm. For more information, see the Web Interface documentation for your version in
the Technologies node in Citrix eDocs at http://edocs.citrix.com.
Note: Access Gateway only supports Gateway Direct and Gateway Alternate if you
are using Access Controller in your Access Gateway deployment.
• Direct. The online plug-in connects to the real IP address of the target XenApp
server. Use this method if users connect from the LAN or if users have established a
connection using the Access Gateway Plug-in.
• Alternate. This method functions in the same way as the Direct method, except
users connect to an alternate IP address instead of the real IP address of the XenApp
server. The alternate IP address is defined on each XenApp server using the
command ALTADDR on XenApp.
• Translated. This method functions in the same way as the Alternate method, except
the alternate address for each XenApp server is defined in the Web Interface
configuration instead of by running ALTADDR on each XenApp server.
• Gateway Direct. The online plug-in initiates a Secure Sockets Layer (SSL)
connection to the fully qualified domain name (FQDN) of Access Gateway, which then
terminates the SSL connection and completes an ICA connection to the real address
of the target XenApp server. This method relies on the Secure Ticket Authority (STA)
to validate incoming connections. This method is used if users are outside the LAN
and have not established a connection using the Access Gateway Plug-in. The Access
Gateway Plug-in is not required for this connection type, but the plug-in can be used.
Note: If users are connecting through Access Gateway to a server farm, Citrix
recommends using Gateway Direct.

• Gateway Alternate. This method functions in the same way as Gateway Direct,
except Access Gateway makes a connection to the alternate address of the XenApp
server as defined using the command ALTADDR.
• Gateway Translated. This method functions in the same way as Gateway Alternate,
except Access Gateway makes a connection to the alternate address of the XenApp
server as defined in the Web Interface configuration.

Integrating the Web Interface


Access Controller provides several methods for integrating published applications
created with the Web Interface including:
• XenApp Web site embedded within the Access Interface. When you select the Access
Interface as the default home page, a XenApp Web site is displayed alongside file
shares and Web applications.
• XenApp Web site configured as the default home page for a SmartAccess logon
point. After they log on, users are presented the XenApp Web site.
In a SmartAccess logon point, the home page that users receive is based on the policies
you configure. For Basic logon points, you select a Web Interface site as the home page.
Note: The Web Interface and its accompanying documentation is available in the
Technologies node on the Citrix eDocs Web site.

To integrate a XenApp Web site


This procedure requires that you use either the Access Management Console in
XenApp 5.0 or the Delivery Services Console in XenApp 6.0 and the Web Interface
Management console for Versions 5.2 or later to create and manage XenApp Web sites
integrated with Access Controller. You cannot use earlier versions of the Access
Management Console or command-line tool to manage sites created with later versions
of the console or with the Delivery Services Console. In addition, after you configure a
XenApp Web site with the Access Controller access method, users can access this site
only through Access Controller. Attempts to directly access the site are denied.
Complete the following steps in Access Controller.
1. Configure XenApp to communicate with Access Controller.
2. Create a Web resource for the XenApp Web site with the following settings:
• Select Citrix Web Interface as the application type.
• Select the Publish for users in their list of resources check box.
For more information about creating a Web resource, see Creating Web Resources
on page 213.
3. Specify the appropriate policy settings for the Web resource referencing the
XenApp Web site.
4. Provide access to the XenApp Web site in one of the following ways:
• Display the XenApp Web site as the default home page. Configure a logon
point to display the application with the highest display priority as the home
page. Then, configure the XenApp Web site as the application with the highest
priority.
• Embed a XenApp Web site within the Access Interface. Configure a logon
point to display the Access Interface as the home page. The XenApp Web site is
embedded as a frame within the Access Interface.
For more information, see Creating Logon Points on Access Controller on page 205.
5. In Web Interface, complete the following steps. For additional information about
configuring Web Interface, see the Web Interface documentation.
a. Select Gateway direct when specifying an access method for the site.
Note: You can also select Gateway Alternate or Gateway Translated as the
access method.
b. Enter the URL of the Access Controller authentication service.
In both Web Interface and Access Controller, ensure that the Workspace Control and
session time-out settings are configured properly.

Preserving Workspace Control


When users log on to Access Controller, the credentials they enter are used to provide
Workspace Control with the XenApp server farms specified in the cluster properties. If
users enter one set of credentials to log on to Access Controller and a different set of
credentials to log on to the XenApp Web site, they may not be able to disconnect or
reconnect their applications when you enable multiple sites to be displayed.
To preserve Workspace Control for users with differing sets of credentials, you must
define the Secure Ticket Authority (STA) so Access Gateway can authenticate users to
the farm.

Coordinating Access Controller and Web Interface Settings


Certain XenApp settings are available for configuration within Access Controller and
Web Interface. However, because more than one logon point can reference a XenApp
Web site integrated with Access Controller, it is possible for one logon point to embed a
XenApp Web site within its Access Interface page while another logon point displays the
site as its default home page. This can cause conflicts with certain published
application settings. To ensure that your settings work as intended, configure the
settings in the Delivery Services Console as follows:
• Workspace Control. Disable all Access Controller Workspace Control settings for all
logon points that have a XenApp Web site as their home page. This ensures that the
settings configured within the Web Interface are used. You can configure Workspace
Control on all other logon points as desired.
• Session time-out. Ensure that all logon points use the same settings as the XenApp
Web site.

Configuring Single Sign-on to the Web Interface on Access Controller


If Access Gateway authenticates users and you configure the Web Interface on Access
Controller, you must enable single sign-on to the Web Interface. If the Web Interface
authenticates users, you must disable single sign-on.
With single sign-on enabled, when users log on and Access Gateway confirms user
credentials, users log on automatically to Web Interface.
You enable or disable single sign-on in the Delivery Services Console when you create a
Web resource and set the application type to use the Web Interface.

To enable or disable single sign-on to the Web Interface


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
expand the Access Controller on which you want to configure single sign-on.
3. Click Resources and under Common Tasks, click Create Web resource.
4. In Web resource name and Description, type a name and description for the Web
resource and then click Next.
5. On the Configure Addresses page, click New.
6. In the New Web address dialog box, in Web address, type the fully qualified
domain name (FQDN) of the Web Interface. If you want to use a secure connection
to the Web Interface, use the prefix https://. Otherwise, use the default prefix of
http://.
7. In Application type, select Citrix Web Interface.
8. Select Enable single sign-on, click OK and then click Next.
9. Select how you want to create an access policy and then click Finish.

Adding ICA Access Control on Access Controller


Citrix XenApp and XenDesktop use the Independent Computing Architecture (ICA)
protocol for communication between user software and servers. When using Access
Gateway as a proxy to tunnel ICA traffic without the Access Gateway Plug-in, you can
control which servers running XenApp and XenDesktop that users can access. To do this,
you provide an access control list (ACL) in the Delivery Services Console. When users
request virtual applications or desktops through Access Controller, they are granted or
denied access based on the ACL you provide.
To allow user connections using Citrix online plug-ins, you must configure ICA Access
Control. If you do not configure an access control list, users cannot connect to their
published applications or desktops.
If you are using the Web Interface to deliver virtual applications and desktops through
the Access Gateway, you must configure the Web Interface settings with the fully
qualified domain name (FQDN) of the Access Gateway.

Important: ACLs you specify are not applied when virtual applications are configured
as network resources.

To configure ICA access control


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, select Access Gateway appliances and under Common Tasks,
click Edit Access Gateway appliances properties.
3. In the Gateway Appliances - Global Properties dialog box, in the left pane, click
ICA Access Control and then click New.
4. In the ICA Access Control Entry dialog box, in Start IP address and End IP
address, type the range of IP addresses of the XenApp servers you want to include.
5. In Port, type the port number or enable the default port.
6. In Protocol, select the protocol you want to use.
• Select ICA to allow ICA/SOCKS connections to the selected servers. Typically,
you would use ICA for servers running XenApp that accept ICA/SOCKS connections.
• Select CGP to allow session reliability for connections to the selected servers.
Typically, you would use session reliability for servers running XenApp that
accept session reliability.
7. Click OK when you have entered the required information.
8. To enable logging, select the Enable Logging check box and then click OK.
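As an added example that is not part of this guide or of any Citrix code, the following Python models the ICA access control list described both for the Access Gateway appliance (ICA Access Control List: Beginning/Ending IP address, ICA or Session reliability, port) and for Access Controller (ICA Access Control Entry: Start/End IP address, ICA or CGP, port), applying the default-deny rule the guide states: with no entries, no server is reachable. The IcaAclEntry class, the function names and the 10.0.1.x addresses are constructed for this example; the two protocol labels are mapped onto one another because the two consoles name session reliability differently.

```python
"""ICA access control list evaluation, modelled on the ICA Access Control
entries in the Access Gateway 5.0 guide: an inclusive IP range plus a
protocol and port. Added example, not Citrix code; all names and addresses
are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Default ports the guide names: ICA 1494, session reliability (CGP) 2598.
DEFAULT_PORTS: Dict[str, int] = {"ICA": 1494, "CGP": 2598}

# The appliance console calls the second protocol "Session reliability",
# the Access Controller console calls it "CGP"; both map to CGP here.
_PROTOCOL_ALIASES: Dict[str, str] = {
    "ICA": "ICA",
    "CGP": "CGP",
    "SESSION RELIABILITY": "CGP",
}


def normalize_protocol(label: str) -> str:
    """Map a console label to its canonical protocol name; reject anything else."""
    key = " ".join(label.split()).upper()
    if key not in _PROTOCOL_ALIASES:
        raise ValueError(f"unknown ICA protocol label: {label!r}")
    return _PROTOCOL_ALIASES[key]


@dataclass(frozen=True)
class IcaAclEntry:
    """One ACL entry (hypothetical class): Beginning/Ending IP address,
    protocol and port, as entered in either console."""
    start_ip: str
    end_ip: str
    protocol: str
    port: Optional[int] = None  # None selects the protocol's default port

    def __post_init__(self) -> None:
        start = ipaddress.IPv4Address(self.start_ip)
        end = ipaddress.IPv4Address(self.end_ip)
        if start > end:
            raise ValueError(f"range is reversed: {self.start_ip} > {self.end_ip}")
        proto = normalize_protocol(self.protocol)
        port = DEFAULT_PORTS[proto] if self.port is None else self.port
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        # The dataclass is frozen, so store the normalized values explicitly.
        object.__setattr__(self, "protocol", proto)
        object.__setattr__(self, "port", port)

    def matches(self, server_ip: str, protocol: str, port: int) -> bool:
        """True when server_ip is inside the inclusive range and the protocol
        and port match exactly (a CGP entry does not permit ICA, and vice versa)."""
        addr = ipaddress.IPv4Address(server_ip)
        in_range = (ipaddress.IPv4Address(self.start_ip) <= addr
                    <= ipaddress.IPv4Address(self.end_ip))
        return (in_range
                and self.protocol == normalize_protocol(protocol)
                and self.port == port)


def is_connection_allowed(acl: Iterable[IcaAclEntry], server_ip: str,
                          protocol: str, port: int) -> bool:
    """Default deny, as the guide states: with no entries nothing is reachable.
    Any single matching entry is enough to permit the connection."""
    return any(entry.matches(server_ip, protocol, port) for entry in acl)


def evaluate(acl: Iterable[IcaAclEntry], server_ip: str,
             protocol: str, port: int) -> Dict[str, object]:
    """Return an audit-style record of the decision, the kind of line the
    Enable Logging option on Access Controller would produce (format is mine)."""
    allowed = is_connection_allowed(acl, server_ip, protocol, port)
    return {
        "server": server_ip,
        "protocol": normalize_protocol(protocol),
        "port": port,
        "decision": "ALLOW" if allowed else "DENY",
    }


# Constructed sample ACL: one XenApp address range, permitted for both ICA
# (default port 1494) and session reliability (default port 2598).
SAMPLE_ACL = [
    IcaAclEntry("10.0.1.10", "10.0.1.20", "ICA"),
    IcaAclEntry("10.0.1.10", "10.0.1.20", "Session reliability"),
]

if __name__ == "__main__":
    for ip, proto, port in [("10.0.1.15", "ICA", 1494),
                            ("10.0.1.15", "CGP", 2598),
                            ("10.0.1.21", "ICA", 1494),   # outside the range
                            ("10.0.1.15", "ICA", 2598)]:  # wrong port for ICA
        print(evaluate(SAMPLE_ACL, ip, proto, port))
```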

Defining File Type Association


When file type association is allowed in Access Controller, when users open a
document, the document opens in an associated application running with the XenApp
server farm. For example, if a user opens a document within a file share configured
with file type association, the document opens within a published application. File type
association is available to file shares and Web resources.

To configure file type association for file shares and Web resources
Before you configure file type association, verify that the published application settings
in XenApp specify the associations you want. For example, if you want a published
application to be launched for users when they open a bitmap image (.bmp) file, make
sure that the application's settings associate it with .bmp files.
1. Configure Citrix XenApp to communicate with Access Controller.
2. Specify one or more farms that you want to link to your cluster.
3. Specify the XenApp farms available to the logon point.
For more information, see Creating Logon Points on Access Controller on page 205.
4. Create an access policy for the file share or Web resource and enable and allow
the File Type Association action control.
For more information, see Creating Policy Settings to Control User Actions on page
224.

Configuring Load Balancing or Failover for XenApp


In Access Controller, you can balance the load of requests that are sent to servers
running XenApp. Requests follow the sequence of the server list as it appears in the
XenApp farm properties. The initial request goes to the first server on the list, the next
request goes to the second server, and so on. After the last server, the process starts
again at the top of the list.
Important: Citrix recommends adding the data collector or master ICA browser server
to the server list to minimize unnecessary network traffic when resolution requests
occur and to ensure that application enumeration occurs smoothly. For more
information, see the XenApp documentation in the Citrix eDocs library.
You can use the list to sequence failover in case connectivity to a server becomes
unavailable. Use failover support to ensure continued access to published resources.
The server list can sequence load balancing or failover support, but not both. By
default, the server list is used for failover.

To implement load balancing or failover support


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. Click Access Gateway and then click the Access Controller on which you want to
implement load balancing or failover support.
3. Under Common Tasks, click Edit cluster properties.
4. In Access Controller Cluster Properties, click XenApp Farms, select the farm and
then click Edit.
5. In XenApp Farm Properties, click Servers and then click Up and Down to change
the sequence of servers.
6. Select one of the following:
Load balance requests to servers
Set failover sequence of unavailable servers
7. To change the bypass interval, in Bypass interval for failed server, change the
value displayed in minutes. The default is five minutes.
8. To change the access method, in Server Address Mode, select the method.
9. Click OK twice.
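The following Python model is an added illustration of the server list behaviour described in this section (example code for this guide's topic, not Citrix code). The list is used either for round-robin load balancing or for failover, never both; failover walks the list from the top for every request, load balancing continues the rotation from where the previous request left off and wraps around after the last server. A server reported as failed is bypassed for the configured interval, defaulting to five minutes as in the guide. That a bypassed server is tried again once the interval elapses is an assumption of this model; the server names and times are constructed sample values.

```python
"""Model of a XenApp farm server list used for load balancing or failover."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Bypass interval for failed server" default from the guide: five minutes.
DEFAULT_BYPASS_SECONDS = 5 * 60


@dataclass
class ServerList:
    servers: List[str]
    mode: str = "failover"  # the guide's default use of the list
    bypass_seconds: int = DEFAULT_BYPASS_SECONDS
    _next: int = field(default=0, init=False)
    _failed_until: Dict[str, float] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if self.mode not in ("failover", "load_balance"):
            raise ValueError("mode must be 'failover' or 'load_balance'")
        if not self.servers:
            raise ValueError("the server list must contain at least one server")

    def mark_failed(self, server: str, now: float) -> None:
        """Record that `server` did not respond at time `now` (seconds)."""
        if server not in self.servers:
            raise ValueError(f"unknown server {server!r}")
        self._failed_until[server] = now + self.bypass_seconds

    def _available(self, server: str, now: float) -> bool:
        # A server is bypassed until its interval has fully elapsed (assumption).
        return now >= self._failed_until.get(server, 0.0)

    def pick(self, now: float) -> Optional[str]:
        """Return the server the next request goes to, or None if all are bypassed."""
        n = len(self.servers)
        if self.mode == "failover":
            # Failover: always walk the list from the top, so the first server
            # receives every request until it is marked failed.
            order = list(range(n))
        else:
            # Load balancing: continue the rotation from the last position and
            # wrap around to the top after the last server.
            order = [(self._next + i) % n for i in range(n)]
        for idx in order:
            server = self.servers[idx]
            if self._available(server, now):
                if self.mode == "load_balance":
                    self._next = (idx + 1) % n
                return server
        return None


if __name__ == "__main__":
    # Constructed sample farm with three servers.
    balanced = ServerList(["xa1", "xa2", "xa3"], mode="load_balance")
    print([balanced.pick(t) for t in range(4)])      # ['xa1', 'xa2', 'xa3', 'xa1']
    failover = ServerList(["xa1", "xa2", "xa3"])
    print(failover.pick(0), failover.pick(1))        # xa1 xa1
    failover.mark_failed("xa1", 10)
    print(failover.pick(11), failover.pick(10 + 300))  # xa2 xa1
```

The point the model makes concrete is the one the guide states in a sentence: the same ordered list drives both modes, so reordering the servers changes which server carries the load in failover mode but only changes the starting point of the rotation in load-balancing mode.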

Integrating Third-Party Portals


You can incorporate a XenApp Web site into a third-party portal, such as Microsoft
SharePoint, to provide convenient access to published applications next to other Web
applications and content. You can integrate Access Controller within this deployment to
provide granular policy-based control over files, Web content and applications, and
published applications.

Note: The Web Interface for Microsoft SharePoint is a Web Part that allows the
integration of a Web Interface within SharePoint. For more information about the Web
Interface for Microsoft SharePoint, see the Web Interface documentation in the
Technologies node in the Citrix eDocs library. Generic third-party portals must support
the display of IFRAME-based Web content to properly integrate a XenApp Web site.

To display a XenApp Web site in a portal


1. Configure XenApp to communicate with Access Controller. For more information,
see Integrating XenApp and XenDesktop with Access Controller on page 329.
2. Create a Web resource for the XenApp Web site with the following settings:
When integrating with SharePoint, select the application type SharePoint with
Web Interface Web Part.
When integrating with a generic third-party portal, select the application type
Citrix Web Interface.
For more information about creating a Web resource, see Creating Web Resources
on page 213.
3. Enable the Publish for users in their list of resources check box.
4. Specify the appropriate policy settings for the Web resource referencing the
XenApp Web site.
5. Create a Web resource for the SharePoint site or third-party portal containing the
XenApp Web site and specify the appropriate policy settings.
6. In Web Interface, configure a XenApp Web site to use Access Controller as its
access method by:
a. Selecting Gateway Direct, Gateway Alternate, or Gateway Translated when
specifying an access method for the site. For more information about access
methods, see Selecting the Access Method on page 312.
b. Entering the URL of the Access Controller authentication service.
7. In both the Web Interface and Access Controller, ensure that the Workspace
Control and session time-out settings are configured properly. For more
information, see Coordinating Access Controller and Web Interface Settings on
page 334.


Chapter 12

Maintaining and Monitoring Access Gateway 5.0

Topics:
Setting Up Event Logging on Access Gateway
Managing Your Access Controller Environment
Auditing Access to Internal Network Resources

After you install and configure Citrix Access Gateway, you can then maintain the
appliance and Citrix Access Controller using a variety of features and tools.
You can use the Snapshots panel in the Access Gateway Management Console to upload
new versions of the Access Gateway software or to revert to an earlier configuration.
If you need to reimage the appliance, you can use the Imaging Tool available from My
Citrix.

To download the Imaging Tool


1. Go to http://www.citrix.com and under Citrix, click My Citrix.
2. Log on to My Citrix and then click Downloads.
3. In Search Downloads by Product, select Access Gateway.
4. Select the Access Gateway version and then under Appliance Firmware, click the Get
Software button for the Imaging Tool.
5. Accept the End User License Agreement and then click Download Now.
6. Click Install and then save the ZIP file to your computer.
After you download the software, you can copy it to a USB storage device and then
reimage Access Gateway.
Caution: When you copy the Access Gateway software to the USB storage device, any data
on the device is erased. Make sure you are using a USB storage device that does not
contain critical information. In addition, if you restart your computer or Access
Gateway with the USB storage device in the USB port, the storage device attempts to
reimage the computer or Access Gateway.
After you configure the Access Gateway appliance for your network environment, you can
maintain the appliance in the following ways:
w Create snapshots to manage the configuration settings
w Upgrade the appliance software
w Reinstall the Access Gateway 5.0 software
w Restart or power off Access Gateway
After configuring the Access Controller servers in your cluster, you perform a variety of
tasks to manage your Access Gateway environment. These tasks help you ensure your
environment is set up to run smoothly and efficiently.

Setting Up Event Logging on Access Gateway


You can use the Access Gateway Management Console to archive Access Gateway log
files to an external server. By default, Access Gateway log files are stored locally.
You can configure Access Gateway to record specific user activities for auditing
purposes. For example, you can monitor successful logon attempts, unsuccessful
attempts to access resources, such as Web e-mail and file shares, and endpoint analysis
scan results.
On the Monitor panel in the Management Console, you can view network activity on
Access Gateway and you can view audit log, information log, endpoint analysis scan
log, and debug log details. You can also view the following appliance data:
w System information, such as the host name for the appliance and the software
version running on the appliance
w Running information, such as whether or not appliance failover and log transfers are
enabled
w The number of active sessions on the appliance
w Configuration information, such as whether or not SmartGroups and device profiles
are enabled

Types of Available Access Gateway Event Logs


Access Gateway supports the following four types of event logging.
w Audit logs. User-related events are stored in audit logs. You use this information for
compliance and security purposes.
w Information logs. System-specific events are stored in information logs. You use this
information to solve issues with Access Gateway. For example, if the system could
not bind to an interface, an event is recorded in the system log.
w Debug logs. Technical support technicians use debug logs for in-depth debugging
and troubleshooting purposes. Different debug levels let the technicians control
whether or not a message is logged, based on the Access Gateway configuration.
w Endpoint analysis scan logs. Results from device profile scans are stored in
endpoint analysis scan logs. You use this information to audit and troubleshoot
issues related to failed scans. If a device profile scan fails, users are provided with a
reference number that they can send to you. You use the reference number to look
for information about the scan failure in the log file.
Note: You can transfer all log files, except debug logs, from Access Gateway to a
remote server manually or you can schedule automatic transfers.

Configuring Access Gateway Event Logging


You can archive Access Gateway event logs to an external server. You can manually save
and archive the files or you can automatically archive the files at scheduled intervals.

To configure the remote server


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Logging.
3. In the Access Gateway Logging panel, under Remote Server Settings, set the
following options:
In Server, type the IP address or host name of the remote server.
In Username, type the user name.
In Password, type the user's password.
In Confirm password, retype the password.
In Transfer protocol, select one of the following:
w SCP. The Secure Copy Protocol (SCP) allows you to transfer files from one
computer to another with encryption through the Secure Shell (SSH) protocol.
w FTP. The File Transfer Protocol (FTP) allows you to transfer files from one
computer to another without encryption.
In Port, type the port number for the server.
In Remote directory, type the path of the directory in which you want to store
the log files on the remote server.
In Log type, select one or more types of log file you want to archive on the
remote server: EPA, Info, and Audit.
4. Click Save.

To transfer log files to the remote server


You can transfer log files to the remote server manually or you can schedule automatic
archives.
1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Logging.
3. In the Access Gateway Logging panel, under Log Settings, set the following options:
To use the local time in the log files, select the Use local time in logs check box.
To change the scheduled intervals in hours at which log files are archived
locally, in Archive logs every, select 4 or 8 hours.
To archive log files automatically, select the Transfer archived log files
automatically check box and then in Transfer logs every, select the frequency
with which you want the archived files transferred to the remote server, 4, 8,
or 16 hours.
To manually save and transfer the log files immediately, click Transfer Now.

Viewing Access Gateway Logs


The Access Gateway audit logs, information logs, endpoint analysis logs, and debug logs
contain real-time connection information that is useful for solving problems on Access
Gateway. By reviewing the log details, you can track changes that affect the stability
of the appliance. You can view logs for the Access Gateway appliance on the Monitor
tab in the Access Gateway Management Console.

To view Access Gateway logs


1. In the Access Gateway Management Console, click Monitor.
2. Under System and Configuration Information, under Running Information, click
one of the following:
Audit Log to view information about user-related events.
Info Log to view information about system-specific events.
EPA Log to view information about device profile and endpoint analysis scan
events.
Debug Log to view information that technical support technicians use to
troubleshoot issues.
3. To view the log file data in a Web browser, click Text.

To filter Access Gateway logs


You can filter audit log, information log, endpoint analysis log, and debug log entries on
the Monitor tab in the Access Gateway Management Console to view specific information.
1. In the Access Gateway Management Console, click Monitor.
2. Under System and Configuration Information, under Running Information, click
one of the following:
Audit Log to view information about user-related events.
Info Log to view information about platform or system specific events.
EPA Log to view information about device profile and endpoint analysis scan
events.
Debug Log to view information that technical support technicians use to
troubleshoot issues.
3. In Search, type the search string and then click the filter symbol to apply the
search keyword.
To view the entire log again, click the clear filter symbol to clear the search keyword.

Viewing Access Gateway Plug-in Connection Logs


The Access Gateway Connection Log contains real-time connection information that is
particularly useful for troubleshooting Access Gateway Plug-in connection issues. The
connection log is opened from the Access Gateway icon on the user device. The user
can send you this information when solving a problem with a connection.

To view the connection log


Right-click the Access Gateway Plug-in icon in the notification area and then select
Connection Log.
The Connection Log for the session appears.
Note: The Connection Log is written to the user's computer at
%Temp%\cag_plugin_connection_log.txt. The log is overwritten each time the user
establishes a new Access Gateway connection.

To turn on verbose mode in the client connection log


Citrix recommends that, when you obtain the Connection Log from the user, the user
first turn on verbose mode, which provides detailed information for solving
problems such as certificate verification.
1. Right-click the Access Gateway icon and then click Connection Log.
2. On the Options menu, click Verbose Mode.

Managing Your Access Controller Environment


After configuring the Access Controller servers in your cluster, you perform a variety of
tasks to manage your environment. These tasks help you ensure your environment is set
up to run smoothly and efficiently. You can:
w Install the Delivery Services Console on multiple computers to manage your cluster
w Secure the Delivery Services Console to manage user access
w Increase security on Access Controller by using certificates
w Create backups and create clusters of multiple SQL Server databases
w Import and export Access Controller configuration data
This section contains information about configuring these settings to maintain your
Access Controller cluster.

Controlling Access by Using Multiple Consoles


When the Citrix Delivery Services Console connects to a cluster, other administrators can
actively manage the cluster simultaneously through other console instances. If any
changes are made to the same configuration settings, Access Controller writes the first
change that you save to the database based on the timestamp when the change occurs.
If you and another administrator save two changes simultaneously, the change with the
earlier timestamp prevails.
You are notified if an instance of the console connects to a cluster and another
instance is detected. If you make any configuration changes, they may be overridden
depending on when each console instance saves each change. Choose Yes to
acknowledge and close the message.
Important: Administering Access Controller using multiple console instances
simultaneously can result in data corruption and inconsistent server performance.
Citrix recommends that you use only one console instance at a time to administer the
cluster.

Using Groups in Policy Assignments


It is generally good practice to assign policies to domain user groups or account
authority groups only. If, however, you use the console on a remote computer and
assign the computer's local users to a policy, you may receive an error message when
editing the policy from another console. You can remove or edit such a policy using the
console on the server running Access Controller.

Securing the Delivery Services Console by Using COM+


Depending on your organization's needs, you can allow other administrators to manage
the Access Controller servers in your cluster. Through the use of COM+ role-based
security, you can specify the users who can use the Citrix Delivery Services Console to
make changes to your cluster.
During installation, Access Controller creates the following security roles for the Access
Gateway Server COM+ application:
w Administrators. Users in this role are allowed to use the console to make changes to
the Access Controller environment.
w Non Appliance Administrators. Users in this role are allowed to make changes to
resources and policies only. Users assigned to this role are not allowed to modify
Access Gateway appliance settings. You must not assign users who are assigned to
this role to the Administrators role as well. If you assign the user to both roles, the
Non Appliance Administrators role is not enforced.
w System. This role includes the service account and other local accounts that require
access to the Access Gateway Server COM+ application.
If you add users to the Administrators or Non Appliance Administrators roles, they may
have access to the API published by the application in addition to the console. Consider
all risks carefully before adding other users to the Administrators role.
Important: The accounts appearing in the System role are required for Access
Controller to function. You must also close the Delivery Services Console before
adding users to the Administrators or Non Appliance Administrators role. If these System
accounts are modified or if the console is open when COM+ security is applied, your
cluster could stop functioning and you might lose data.

To allow administrators to use the Delivery Services Console


1. Close the Delivery Services Console if it is open.
2. Click Start>Programs>Administrative Tools>Component Services.
3. In the Component Services window, expand Component Services>Computers>My
Computer>COM+ Applications.
4. Expand Access Gateway Library>Roles and then select the role that is appropriate
for one or more users you want to add:
To allow administrators to access all cluster settings with the console, expand
Administrators.
To allow administrators to access resources and policies only, expand Non
Appliance Administrators.
5. Right-click Users, point to New and then click User.
6. In the Select Users or Groups dialog box, enter one or more user accounts you
want to add and then click OK.
7. Restart the Access Gateway Library COM+ application.
8. Repeat Steps 4 through 7 for the Access Gateway Server COM+ application.

Enabling Security Between Access Gateway and Access Controller


All messages that pass between Access Gateway and Access Controller are secure. Each
message includes a time stamp, the Access Gateway identifier, and an authentication
token encrypted with a key derived from the shared key on Access Controller. In
addition, passwords, personal identification numbers (PINs), and session identifiers are
encrypted in all communication between Access Gateway and Access Controller.
You can enable additional security between Access Gateway and Access Controller using
certificates. To do so, you create a Certificate Signing Request using Internet
Information Services (IIS) and have it signed by a Certificate Authority or by Microsoft
Active Directory Certificate Services. When you receive the signed certificate, use the
Certification Authority on Windows server to download and install the certificate on
the server.
After the certificate is installed on the server, use the Secure Sockets Layer (SSL)
Settings in the Default Web site in IIS to configure the Site Bindings. Set the type as
https and the port to 443. You can reject unencrypted (HTTP) connection attempts by
selecting Require SSL in SSL Settings for the Default Web site. For more information,
see the Windows Server 2008 online help.
After you configure certificate and SSL settings on Windows Server, you then enable
secure communication on Access Controller and Access Gateway.

To enable secure communication on Access Controller


1. Click Start>Programs>Citrix>Access Gateway>Server Configuration.
2. In Tasks, click Web Service Settings.
3. Click Secure communication with this server and then click OK.

Enabling Secure Communication on Access Gateway


You must install a corresponding root certificate on Access Gateway. After you install
the certificate, enable secure communication using the Deployment Mode panel.

To install a root certificate on Access Gateway


1. In the Access Gateway Management Console, click Certificates.
2. Click Import and select Trusted Certificate (.pem).
3. Navigate to the certificate and then click Open.
The certificate appears in the list under Display All.

To enable secure communication on Access Gateway


1. In the Access Gateway Management Console, click Management.
2. Under System Administration, click Deployment Mode.
3. Under Access Controller Settings, click Secure connection and then click Save.
When you select Secure connection, the port changes automatically to 443. You
can use this port number or a different port number.

Maintaining Availability of the Cluster


Access Controller maintains all configuration, session, and user data for the cluster in a
SQL database on the database server. If the database server becomes unavailable,
Access Controller cannot retrieve data in response to user or server requests. If the
Access Controller server becomes unavailable, users cannot log on to the server or
access resources. This topic describes how you can maximize the availability of your
cluster.
w Create a backup of the SQL database. After you create the initial backup, you
should ensure that the database is backed up regularly at appropriate intervals.
Additionally, you should verify that the data can be restored from the backups.
w Cluster the database server. Clustering allows another database server to continue
cluster operations in the event that the first database server becomes unavailable.
The clustered servers appear to Access Controller as a single database server.
w Cluster Access Controller servers. As with the database server, clustering allows
another Access Controller server to continue operations for an unavailable server.
Users can continue to log on to the server and access resources.

Exporting and Importing Configuration Data


You can use the Citrix Delivery Services Console to export and import your cluster
configuration data. This feature can be helpful when, for example, you want to save
the configuration data from a cluster in a staging environment and copy it to a cluster
in a production environment.
When you export your cluster configuration, a .cab file is created which consists of
compressed XML files containing the following data:
w Global cluster settings, such as display order of home page applications, license
server, and authentication profiles
w XenApp farm settings
w Network and Web resource settings
w Logon point settings
w Policy settings
w Endpoint analysis settings
w Access Gateway appliance settings
Data that is not exported includes:
w Cluster name
w Data that is valid only when the Access Controller server is running, such as user
session data
w Server information, such as computer names
After you export your cluster configuration, you can import the .cab file to restore the
configuration on another server running the same version of Access Controller.
Before you export your cluster configuration, be aware of the following conditions:
w You can import only .cab files that were exported using the same version of Access
Controller. For example, if you export the configuration of a cluster running Version
5.0 of Access Controller, you can import the configuration data only on another
Access Controller server running Version 5.0. If you import the configuration data on
a server running a different version of Access Controller, the import fails.
Note: If you want to import configuration data from a previous version of Access
Controller, you must first use the Migration Wizard to prepare your data for import
into a cluster running Version 5.0. For more information about migrating
configuration data to Access Controller, see Migrating from Access Gateway
Advanced Edition on page 109.
w Incremental export or import of cluster configuration data is not supported. You can
export or import only entire cluster configurations.
w When you import cluster configuration data, Access Controller deletes the existing
cluster configuration and replaces it with the imported data.
Note: Before you import cluster configuration data, Citrix recommends creating a
backup of the SQL database for the cluster.

To export your cluster configuration


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, click the
Access Controller on which you want to export settings and then under Other
Tasks, click Export Cluster.
3. In Target file to export configuration data, enter the location where you want to
create the .cab file, click Next and then click Finish.
When you click Next, the XML files are compressed into a .cab file and saved to the
location you specified.

To import your cluster configuration


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, click the
Access Controller on which you want to export settings and then under Other
Tasks, click Import Cluster.
3. In Source file for configuration data, enter the location of the .cab file you want
to import, click Next and then click Finish.
When you click Next, the .cab file is decompressed and the existing configuration data
is replaced with the imported data.
Important: Before you import configuration settings, back up your current configuration.

Changing Service Account and Database Credentials


The service account is the administrator account that you use to log on to and manage
Access Controller. You can use Server Configuration to change the service account user
name and password.

To change the service account


1. Click Start>Programs>Citrix>Access Gateway>Server Configuration.
2. In the left pane, click Services Account.
3. In User name, Password, and Domain, type the new credentials and then click OK.

To change Access Controller to a different database


If you want to join the Access Controller server to a different database, you use Server
Configuration to change the database settings.
1. Click Start>Programs>Citrix>Access Gateway>Server Configuration.
2. In the left pane, click Cluster Information.
3. In Configuration database server, type the name of the database.
4. In Cluster name, type the name of the cluster and then click OK.

Monitoring Sessions
The Access Controller Session Viewer is a session monitoring tool that allows
administrators to review user access to the cluster and to terminate user sessions.
Note: You must have administrative privileges to run the Session Viewer. An Access
Controller session is not required to run the Session Viewer.
The Session Viewer displays data from the server on which you are logged on or from
other Access Controller servers. This data includes:
w Client Language, which is the language set on the user device
w Gateway server, which is the Access Gateway through which the user is connected
w Logon Point with which the user connected
w Session Type, which is how the user connected: the Access Gateway Plug-in, Citrix
online plug-ins, or clientless access
w Traffic Inactivity Timeout, which is the length of time before the session times out
w User Agent, which is the type of Web browser the user device is connecting with
w User Domain, which is the Windows domain the user is connected through
w User Name, which is the user name of the logged-on user
w WI Embedded Mode, which indicates whether you configured the Web Interface to be
embedded in the Access Interface or to open in a Web browser window
For example, the values might appear as follows:
Client Language = en-US
Gateway server = 10.199.241.10
Logon Point = lp1
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
User Domain = AGDEV
User Name = aaa
WI Embedded Mode = Yes
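The "Key = Value" records shown above can be reviewed outside the Session Viewer once they are captured as text. The following Python parser is an added example for this guide's topic (not Citrix code): it splits blank-line separated records into dictionaries, joins continuation lines so that long values such as the User Agent survive wrapping, and reports accounts that hold more than one concurrent session, which is the kind of check an administrator runs before deciding which sessions to end. The first sample record copies the example values above; the second and third records, their gateway address and user agent, are constructed for the sample.

```python
"""Parse Session Viewer records and flag users with more than one session."""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the first record reuses the guide's example values,
# the other two are invented for this example.
SAMPLE_SESSIONS = """\
Client Language = en-US
Gateway server = 10.199.241.10
Logon Point = lp1
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30618)
User Domain = AGDEV
User Name = aaa
WI Embedded Mode = Yes

Client Language = en-US
Gateway server = 10.199.241.11
Logon Point = lp1
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/5.0 (constructed sample)
User Domain = AGDEV
User Name = aaa
WI Embedded Mode = No

Client Language = de-DE
Gateway server = 10.199.241.10
Logon Point = lp2
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/5.0 (constructed sample)
User Domain = AGDEV
User Name = bbb
WI Embedded Mode = Yes
"""


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated records into key/value dictionaries.

    A line without " = " continues the previous value, which rejoins values
    (typically the User Agent) that were wrapped over several lines.
    """
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                sessions.append(current)
                current, last_key = {}, None
            continue
        if " = " in line:
            key, value = line.split(" = ", 1)
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:
            current[last_key] += " " + line
        else:
            raise ValueError(f"unexpected line outside a record: {line!r}")
    if current:
        sessions.append(current)
    return sessions


def account(session: Dict[str, str]) -> str:
    """DOMAIN\\user form, combining the User Domain and User Name fields."""
    return f"{session.get('User Domain', '')}\\{session.get('User Name', '')}"


def sessions_per_user(sessions: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(account(s) for s in sessions))


def users_with_multiple_sessions(sessions: List[Dict[str, str]], limit: int = 1) -> List[str]:
    """Accounts whose number of concurrent sessions exceeds `limit`, sorted."""
    return sorted(user for user, n in sessions_per_user(sessions).items() if n > limit)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for s in parsed:
        print(account(s), "via", s["Gateway server"], "at", s["Logon Point"])
    print("more than one session:", users_with_multiple_sessions(parsed))  # ['AGDEV\\aaa']
```

The parser keeps every field as a string; anything numeric, such as Traffic Inactivity Timeout, is converted by the caller, because the guide does not state the unit of that value.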

To access the Session Viewer


Click Start>Programs>Citrix>Access Gateway>Session Viewer.
When you select a session from the Sessions pane, the data for that session appears in
the Session Values pane. You can sort sessions by clicking the column headings in the
Sessions pane.

To end user sessions


1. From the Sessions pane, select one or more user sessions that you want to close.
2. Click End Session.
If the user attempts to access resources after you end the session, an error page
appears and the user must log on again.

Auditing Access to Internal Network Resources


You can use the event logging capabilities in Access Controller to audit and monitor
user access to network resources. Event logs allow you to:
w Prove compliance with regulatory requirements
w Prove compliance with internal, corporate-specific requirements
w Take proactive measures to address existing vulnerabilities, such as incidents that
circumvent intended access
w Assist support personnel in troubleshooting issues related to user access to network
resources

Configuring Audit Logging


You can configure Access Controller to record specific user activities for auditing
purposes. For example, you can monitor endpoint analysis scan results and successful
logon attempts. Before configuring event log settings, you should determine the
information you need to collect and enable logging only for the associated events. This
approach ensures that logging does not impact system performance or use unnecessary
hard disk space. In addition, you should limit logging to only the information relevant
to the auditing process to streamline the evaluation of this data.
The following list describes the events that you can audit through event logs.
w Endpoint analysis results. Logs all endpoint analysis results. Access Controller
generates three events for each check of the user device. The first event contains
the raw endpoint analysis data from the user device. The second event contains the
check results (true/false) based on analysis within Access Controller. The third
event contains the results (true/false) specific to the requirements for displaying
the logon page.
w Logon page denied. Logs an event when a logon page does not appear to the user due
to your configured requirements.
w Logon allowed. Logs an event when a successful Windows NT authentication is passed
to the domain controller. Events are not logged when a user sends valid credentials
but is denied access due to policy restrictions.
w Logon denied. Logs an event when an unsuccessful Windows NT authentication is
passed to the domain controller or when the Allow Logon policy denies a user access
to the logon page.
w User logged off. Logs an event when a user closes a session.
w Session timed out. Logs an event when a session times out. The session time-out
value is configured as a logon point setting.
w Resource access permissions. Logs the resources to which a user has access
permission.

Important: You set audit log configuration at the cluster level and the settings apply to
all resources within the cluster. Therefore, if your cluster is distributed across multiple
servers, audit logs are written to each server within the cluster.
The general steps involved in configuring event logging are:
• Specify the events to log for the cluster. Use the Delivery Services Console to specify
  the type of events logged by servers within a cluster.
• Configure log settings for each server within the cluster. Use the Windows Event
  Viewer to configure log settings for each server, including specifying the maximum
  log size, determining when to overwrite events, and so on. By default, the
  maximum size of the CitrixAGE Audit log is 5,120 KB and events are retained for seven
  days before being overwritten. Access Controller does not add new events if the log
  reaches its maximum size and contains no events older than this period. If this
  configuration does not meet your auditing needs, you can increase the size of the
  log file and you can modify the event overwrite settings.
• Consolidate event logs into a single view. Each server within a cluster maintains its
  own event log. Use the Event Log Consolidator in Access Controller to collect event
  log data from all servers within the cluster and display this data in a single,
  consolidated view. After the Event Log Consolidator collects the data, you can
  perform additional analysis by running a variety of reports based on user access,
  resource access, and so on.


To select events to be logged for a cluster


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway and then
click the Access Controller you want to audit.
3. Under Common Tasks, click Edit cluster properties.
The Access Controller Cluster Properties dialog box opens.
4. On the Event Logging page, select from among the following auditing options:
• Endpoint analysis scan results
• Logon point data, including logon page denial, logon allowed, logon denied, user
  logged off, and session time-out
• Resources, including Web resources, file shares, and network resources, to
  which the user has access
Note: To generate session-based reports in the Event Log Consolidator, you
must enable the Logon allowed event.

To configure log settings for Access Controller servers


You must be logged on as an administrator or as a member of the Administrators group
to configure Access Controller auditing information within the Windows Event Viewer.
After you enable and configure auditing within Access Controller, you can use the
Windows Event Viewer to configure audit log settings, including:
• Specifying the maximum log size
• Determining when to overwrite events
Important: By default, the maximum size of the CitrixAGE Audit log is 5,120 KB and
events are retained for seven days before being overwritten. Access Controller does not
add new events if the log file reaches its maximum size and contains no events older
than this period. If this configuration does not meet your auditing needs, you can
increase the size of the log file and you can modify the event overwrite settings.
1. Open the Windows Event Viewer of a server running Access Controller.
2. In the console tree, expand Applications and Services Logs and then click
CitrixAGE Audit.
3. Configure logging properties as appropriate.
4. Repeat this task for all servers in the cluster.

To consolidate event logging results


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.



2. In the console tree, expand Citrix Resources and then click Access Gateway.
3. Under Other Tasks, click View events.
4. In the Event Log Consolidator, on the File menu, click Configure.
The Configuration dialog box opens.
5. In Polling Interval (sec), specify the time interval (in seconds) at which the Event
Log Consolidator collects audit log data from Access Controller servers and then
click OK.
6. On the File menu, click Collect to begin polling Access Controller servers.
Important: Excessive logging and polling can impact a system's performance.
Therefore, avoid logging unnecessary events for a cluster. In addition, avoid
unnecessary polling of audit log data by the Event Log Consolidator.

Interpreting Audit Events


Access Controller writes audit information to the Windows Event Viewer. The following
table lists the audit event information that you can interpret.
Field: Description

Reference ID: Reference number assigned to each event that is logged.

User Name: Name of the authenticated user accessing the resource.

Start Date: Date the request begins.

Start Time: Time the request begins.

End Date: Date the request ends.

End Time: Time the request ends.

Logon Point: The name of the logon point.

Although logging is enabled at the cluster level, each server maintains its own log file.
To gather logging information from all servers within the cluster into a single view use
the Event Log Consolidator. To help you interpret the data, you can use the Event Log
Consolidator to sort events and generate reports.

To view logging results in the Event Log Consolidator


1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources and click Access Gateway.


3. Under Other Tasks, click View events.
4. In the Event Log Consolidator, sort events or generate reports.

Troubleshooting User Access to Resources


A user might not be able to access a network resource for a variety of reasons, ranging
from failed endpoint analysis scans, incorrect authentication credentials, policy-based
restrictions, and so on. Often, it is not possible for users to know why access was
denied. Therefore, they rely on support personnel for assistance in troubleshooting
these issues.
If the user is denied access to the logon point due to a failed endpoint analysis check, a
unique value appears in the user's browser. Access Controller also writes this
information to the event log as the PolicyReference or EPAReference value. For this
reason, consider instructing users to record reference numbers
and to provide this information to support personnel because it expedites the
troubleshooting process. Support personnel can use this information to quickly search
and identify the specific event and begin troubleshooting the problem. In addition,
support personnel can use the table from Interpreting Audit Events on page 354 as a
resource when evaluating events.
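The reference lookup described above, together with the per-server audit log size and overwrite check from the earlier section on configuring log settings, as an added PowerShell example that is not part of the Citrix documentation or product. It assumes the CitrixAGE Audit log named in this chapter exists on each Access Controller server, that each server permits remote event log reads, and that the reference value a user reports appears verbatim in the event message text; the server names and the reference value are placeholders.

```powershell
# Added example, not Citrix code. Assumes the "CitrixAGE Audit" log named in
# this chapter exists on each Access Controller server, that the servers allow
# remote event log reads, and that the reference value a user reports appears
# verbatim in the event message. Server names and the reference are placeholders.

function Get-AgeAuditLogStatus {
    # Report the size and overwrite configuration of the audit log on each server,
    # so a log that is full with nothing old enough to overwrite (and therefore
    # silently discarding new events) is noticed before an audit depends on it.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        $log = Get-WinEvent -ListLog 'CitrixAGE Audit' -ComputerName $server -ErrorAction Stop
        [pscustomobject]@{
            Server      = $server
            MaxSizeKB   = [int]($log.MaximumSizeInBytes / 1KB)
            UsedKB      = [int]($log.FileSize / 1KB)
            PercentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
            LogMode     = $log.LogMode   # Circular overwrites oldest; Retain never overwrites
            Records     = $log.RecordCount
        }
    }
}

function Find-AgeAuditEvent {
    # Pull the audit log from every server in the cluster into one view and return
    # the events whose message contains the reference value (EPAReference or
    # PolicyReference) that the user copied from the browser error page.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Reference,
        [int]$Days = 7   # default matches the log's seven-day retention
    )
    $filter  = @{ LogName = 'CitrixAGE Audit'; StartTime = (Get-Date).AddDays(-$Days) }
    $pattern = [regex]::Escape($Reference)
    $events  = foreach ($server in $ComputerName) {
        Get-WinEvent -FilterHashtable $filter -ComputerName $server -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, Id, Message
    }
    $events | Sort-Object TimeCreated
}

# Placeholder cluster members; replace with your Access Controller server names.
$cluster = 'AC-SERVER-1', 'AC-SERVER-2'
Get-AgeAuditLogStatus -ComputerName $cluster | Format-Table -AutoSize
Find-AgeAuditEvent -ComputerName $cluster -Reference 'REFERENCE-FROM-USER' |
    Format-List Server, TimeCreated, Id, Message
```

Run it from an account that is a member of the Administrators group on each server, as the log settings procedure requires; a server that returns no matching events within the window is simply absent from the output rather than reported as an error.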
