Access Gateway 5.0 Administrator's Guide
Citrix and ICA (Independent Computing Architecture) are registered trademarks and Citrix Access Gateway is a
trademark of Citrix Systems, Inc. in the United States and other countries.
Document code: May 12 2011 13:40:05
Contents
Application Server, page 36
Web Server IIS, page 36
.NET Framework 3.5.1 Features, page 36
Network Requirements, page 36
Account Requirements, page 37
Microsoft SQL Server User Account Requirements, page 37
Service Account Requirements, page 37
Applying Security Templates with the Service Account, page 38
Database Requirements, page 38
Authentication Software Requirements, page 39
SmartAccess Requirements, page 39
Third-Party Portal Integration Requirements, page 39
Delivery Services Console Requirements, page 40
System Requirements for Clustering and Load Balancing, page 41
Requirements for Configuring an External Load Balancer, page 42
User Device Requirements, page 42
Access Gateway Plug-in System Requirements, page 43
Endpoint Analysis Requirements, page 45
Citrix XenApp and XenDesktop Integration Requirements, page 46
System Requirements for Single Sign-on to the Web Interface, page 47
Chapter 2
Introduction

Topics:
• Introduction
• Key Features
• What's New
• SmartGroups
• Logon Points
• Device Profiles
• Snapshots
• Appliance failover
• Clustering and load balancing with Access Controller

New features in Access Controller include the Delivery Services Console, Active Directory authentication (not LDAP), advanced endpoint analysis, central control of multiple Access Gateway appliances, and centralized logging.
This section introduces Access Gateway, new and key features for Access Gateway and Access Controller, and known issues for Access Gateway, Access Controller, and the Access Gateway Plug-in.
Introduction
Before you install and configure Access Gateway, plan your deployment. This includes where to install the appliance, whether to install multiple appliances in the DMZ, whether to deploy the optional Access Controller software on Windows Server 2008, and where to install licenses. You can also use the Access Gateway Pre-Installation Checklist to record your settings before you configure Access Gateway.
Access Gateway can be installed in any network infrastructure without requiring
changes to the existing hardware or software running in the secure network. It works
with other networking products, such as server load balancers, cache engines,
firewalls, routers, and IEEE 802.11 wireless devices.
Before you install Access Gateway, review the following topics for information about
getting started with Access Gateway.
Key Features
Access Gateway is easy to deploy and simple to administer. The most typical
deployment configuration is to locate the Access Gateway appliance in the
demilitarized zone (DMZ). You can install multiple Access Gateway appliances in the
network for more complex deployments. You can also deploy Access Controller for
additional capabilities.
The first time you start Access Gateway, you use the Access Gateway Management
Console to configure the basic settings that are specific to your internal network, such
as the IP address, subnet mask, default gateway IP address, and Domain Name System
(DNS) address. After you complete configuration of the basic network settings, you
then configure the settings specific to the Access Gateway operation, such as the
options for authentication, authorization, network resources, logon points,
SmartGroups, address pools, and device profiles to configure endpoint policies.
The key features of Access Gateway are:
• Authentication
• Termination of encrypted sessions
• Access control (based on permissions)
• Data traffic relay (after the first three functions are satisfied)
• Support for multiple logon points
Citrix product          Release version
Branch Repeater
NetScaler
Web Interface
XenApp
XenDesktop
XenServer
Terminology Changes
With the release of Access Gateway 5.0, some of the terminology used to describe product components has changed. The following list contains updated terminology for the client software, Citrix XenApp, and the management consoles.
From                        To
Administration Tool         Access Gateway Management Console
Administration Portal       Access Gateway Management Console
authentication realm        authentication profile
IP pools                    address pools
WANScaler Client            Repeater Plug-in
Other terms that changed in this release: cluster, Access Management Console, Program Neighborhood Agent, Citrix WANScaler, Endpoint Analysis Client, endpoint analysis policies, Access Interface, and Web Client.
What's New
Access Gateway 5.0 includes the following new features on the appliance:
• Access Gateway Management Console. The Management Console replaces the Administration Tool and Administration Portal of earlier versions of the appliance. The Management Console, a Web-based application, makes it easy to install certificates, configure access control, and monitor activity from any Flash-enabled Web browser.
• Authentication profiles. Authentication profiles replace authentication realms. You can configure LDAP, RADIUS, and RSA profiles on the appliance. You can configure double-source authentication using logon points. You can also use Active Directory authentication on Access Controller. For more information about configuring authentication on Access Gateway or Access Controller, see Creating Authentication and Authorization Profiles on Access Gateway on page 144 or Creating Authentication and Authorization Profiles on Access Controller on page 199.
• Logon points. Each Access Gateway appliance can host multiple logon points to support different features or different user communities. You can configure Basic and SmartAccess logon points. Basic logon points allow users to connect with Citrix online plug-ins only, providing access to virtual applications or desktops. Users do not need a Universal license to log on using a basic logon point. SmartAccess logon
SmartGroups Overview
SmartGroups contain a collection of settings that group users according to their
identity, location, authentication type, and the results of endpoint analysis (as defined
in device profiles). First, you define the criteria users must match to become a
member of a SmartGroup. Then, you define the network resources, actions, and other
settings for the SmartGroup.
You can define one or more SmartGroups on the Access Gateway appliance to control
access to resources. You can also configure logon points that define the criteria for
becoming a member of a SmartGroup.
For more information about using and configuring SmartGroups, see Adding
SmartGroups on page 175.
Snapshots Overview
You use configuration snapshots to capture all the Access Gateway settings, licenses,
and certificates for a specific point in time. The feature allows you to easily restore
your configuration settings by importing a saved snapshot if, for example, you need to
reimage the appliance.
When you install Access Gateway 5.0 for the first time, the Access Gateway appliance
creates a snapshot of the configuration automatically. In addition, when you switch
Access Gateway to use Access Controller, the appliance creates a configuration
snapshot automatically. You can also take snapshots at different periods of time, such
as after you configure the initial settings or create logon points or SmartGroups.
For more information about snapshots, see Creating Snapshots to Manage Access
Gateway Configuration Settings on page 114.
Feature                                                        Access Gateway   Access Controller   Comment
Double-hop demilitarized zone (DMZ)
Dynamic routing with the Routing Information Protocol (RIP)
Windows NT LAN Manager (NTLM) as an authentication method
Locally defined users on Access Gateway                                                             Users are determined based on group membership in the SmartGroup.
Administration Tool                                                                                 This feature is replaced by the Access Gateway Management Console.
Administration Portal                                                                               This feature is replaced by the Access Gateway Management Console.
HTML Preview
LiveEdit
Web e-mail                                                                                          This feature is replaced by Outlook Web Access or Outlook Web App.
Chapter 3
System Requirements

Topics:
• Access Gateway Appliance Requirements
• Access Controller System Requirements
• System Requirements for Clustering and Load Balancing
• User Device Requirements
• Citrix XenApp and XenDesktop Integration Requirements

System Requirements
The following are the recommended hardware and software requirements for Access Controller:
• Computer with a one gigahertz (GHz) processor. Citrix recommends a two GHz dual-core processor.
• 2048 megabytes (MB) of RAM minimum. Citrix recommends four gigabytes (GB) or more.
• 40 GB of available hard disk space. Citrix recommends 100 GB or more.
• Microsoft Windows Server 2008 32-bit, Standard Edition or Enterprise Edition, with all service packs and updates.
• Microsoft Windows Server 2008 64-bit, Standard Edition or Enterprise Edition, with all service packs and updates.
• Microsoft Windows Server 2008 R2 64-bit, Standard Edition or Enterprise Edition, with all service packs and updates.
• IIS 7.0 with the IIS 6.0 Metabase Compatibility components and ASP.NET.
• Microsoft Windows Installer 4.5.
• Microsoft .NET Framework 3.5 with Service Pack 1.
• Application Server role with Windows Communication Foundation (WCF) HTTP Activation enabled.
• COM+ Network Access enabled.
In the Internet Information Services (IIS) Manager, make sure that ASP.NET is set to Allowed on the ISAPI and CGI Restrictions feature page before you install Access Controller.
If Windows Server 2008 is configured as a Terminal Server, installation of Access Controller is not supported.
Application Server
• Application Server Foundation
• Web Server Internet Information Services (IIS) Support
• COM+ Network Access
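The prerequisites above can be checked and installed in one pass rather than clicked through Server Manager. The following script is an added example, not part of the Citrix guide or installer: on Windows Server 2008 R2 it installs the missing roles and features by their ServerManager names, refuses to continue if the Terminal Server (RD Session Host) role service is present, and allows ASP.NET on the ISAPI and CGI Restrictions page with appcmd. The feature-name list is my mapping of the roles named in the text; run it in an elevated PowerShell session on the prospective Access Controller server.

```powershell
# Added example: prerequisite check and install for an Access Controller server on
# Windows Server 2008 R2. Not Citrix code. Feature names are the ServerManager
# names assumed to correspond to the roles listed in the guide.
Import-Module ServerManager

# IIS with ASP.NET and IIS 6 Metabase Compatibility, Application Server Foundation,
# Web Server (IIS) Support, COM+ Network Access, WCF HTTP Activation, .NET 3.5.1.
$required = @(
    'Web-Server', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Metabase',
    'Application-Server', 'AS-Web-Support', 'AS-Ent-Services', 'AS-HTTP-Activation',
    'NET-Framework-Core'
)

# Installing Access Controller on a Terminal Server is not supported, so stop early
# if the RD Session Host role service is installed on this box.
if ((Get-WindowsFeature RDS-RD-Server).Installed) {
    throw 'RD Session Host (Terminal Server) is installed; Access Controller is not supported here.'
}

$missing = Get-WindowsFeature $required | Where-Object { -not $_.Installed }
if ($missing) {
    $names = @($missing | ForEach-Object { $_.Name })
    Write-Host "Installing: $($names -join ', ')"
    $result = Add-WindowsFeature $names
    if (-not $result.Success) { throw 'Feature installation failed' }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Reboot required before installing Access Controller'
    }
}

# Allow ASP.NET on the IIS "ISAPI and CGI Restrictions" page for both the 32-bit and
# 64-bit runtime (.NET 3.5 SP1 runs on the v2.0.50727 CLR). appcmd is the IIS 7
# command-line equivalent of the setting in IIS Manager.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
foreach ($fw in 'Framework', 'Framework64') {
    $dll = "$env:windir\Microsoft.NET\$fw\v2.0.50727\aspnet_isapi.dll"
    if (Test-Path $dll) {
        & $appcmd set config /section:system.webServer/security/isapiCgiRestriction `
            "/[path='$dll'].allowed:True" /commit:apphost
    }
}

# List the resulting restrictions so the state can be confirmed before the installer runs.
& $appcmd list config /section:system.webServer/security/isapiCgiRestriction
```

Run it once per server in the cluster; on Windows Server 2008 (non-R2) the ServerManager module is not available and the same feature names must be passed to servermanagercmd.exe instead.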
Network Requirements
Before installing Access Controller, ensure that your network configuration meets the
following requirements:
Account Requirements
Before you install Access Controller, the following server accounts are required.
one prior to installing Access Controller. Valid service accounts meet the following
requirements:
• The service account must be a member of the local Administrators group on every server in the cluster.
• The service account must be enabled and must not be subject to password expiration or other credential changes. If you remove the service account, the cluster stops operating.
• The service account can be a local user account only if you are creating a single-server cluster and do not intend to scale up the cluster. You cannot install Access Controller on multiple servers with a local user account selected as the service account. Citrix strongly recommends using a domain account rather than a local user account when installing Access Controller.
Important: If you specify a local user account as the service account, ensure that the local user account also has owner permissions for the database that Access Controller creates during Server Configuration. If the local user account does not have database owner permissions, some features might not be available to users.
• In an Active Directory environment, when you specify the service account user name in User Principal Name (UPN) or alternate UPN format, you must enter the full domain name.
If necessary, you can change the service account after installing Access Controller.
Note: If you are deploying Access Controller in an environment where the Restricted
Group policy is used to control the membership to the local Administrators group,
ensure that the user associated with the service account is in a group added by the
Restricted Group policy.
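A service account that silently fails one of these requirements is a classic cause of a cluster that works on day one and stops after the first password rotation. The following script is an added example (not Citrix code) that checks the account named in $ServiceAccount against the requirements above before you run the installer: DOMAIN\user or full-domain UPN format, enabled, password never expires, and direct membership of the local Administrators group on every server in $ClusterServers. The account and server names are assumptions; it uses ADSI so it runs on Windows Server 2008 without the Active Directory module.

```powershell
# Added example (not Citrix code): pre-install check of the Access Controller service
# account. $ServiceAccount is the DOMAIN\user or UPN you intend to type into the
# installer; $ClusterServers lists every server in the cluster. Names are assumed.
param(
    [string]$ServiceAccount = 'ACE\svc-accessctl',
    [string[]]$ClusterServers = @($env:COMPUTERNAME)
)

$problems = @()
$isLocal = $false

# Accept DOMAIN\user or a UPN. The guide requires the full domain name in UPN form,
# so a bare "user@ACE" is rejected here.
if ($ServiceAccount -match '^([^\\@]+)\\([^\\@]+)$') {
    $domain, $sam = $Matches[1], $Matches[2]
    $isLocal = ($domain -eq '.' -or $domain -ieq $env:COMPUTERNAME)
    $filter = "(sAMAccountName=$sam)"
} elseif ($ServiceAccount -match '^([^\\@]+)@([^\\@]+\.[^\\@]+)$') {
    $filter = "(userPrincipalName=$ServiceAccount)"
} else {
    throw "Use DOMAIN\user or user@full.domain.name, not '$ServiceAccount'"
}

# 1. Account exists, is enabled, and its password does not expire. Both the AD
#    userAccountControl and the WinNT UserFlags attributes use the same bits:
#    0x2 = ACCOUNTDISABLE, 0x10000 = DONT_EXPIRE_PASSWD.
if ($isLocal) {
    $problems += 'local account: valid only for a single-server cluster, and it needs db_owner on the Access Controller database'
    $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$sam,user"
    $uac  = [int]$acct.UserFlags.Value
} else {
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)$filter)"
    $found = $searcher.FindOne()
    if (-not $found) { throw "Account $ServiceAccount not found in the current domain" }
    $sam = [string]$found.Properties['samaccountname'][0]
    $uac = [int]$found.Properties['useraccountcontrol'][0]
}
if ($uac -band 0x2)            { $problems += 'account is disabled' }
if (-not ($uac -band 0x10000)) { $problems += 'password can expire; set "Password never expires"' }

# 2. Direct member of local Administrators on every cluster server. WinNT:// lists
#    direct members only, so membership obtained through a nested group (for example
#    one pushed by Restricted Groups policy) is reported as missing and needs a manual look.
$pattern = '/' + [regex]::Escape($sam) + '$'
foreach ($server in $ClusterServers) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    $paths = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    if (-not ($paths -match $pattern)) {
        $problems += "$sam is not a direct member of Administrators on $server"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    throw 'Service account does not meet the Access Controller requirements'
}
Write-Host "OK: $ServiceAccount is enabled, non-expiring and a local administrator on $($ClusterServers -join ', ')"
```

Run it from one cluster member with an account that can read the local groups of the others; a FAIL on the nesting point is worth resolving by adding the account directly, since the installer only sees what the local group reports.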
Database Requirements
Access Controller supports the following database packages:
• Microsoft SQL Server 2008
• Microsoft SQL Server Express 2008
Note: If you install SQL Server and create a database before you install Access Controller, be sure to specify a case-insensitive collation when you create the database. This requirement ensures that the names you assign to resources remain unique and prevents you from creating resources with duplicate names.
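Collation is fixed at database creation and is easy to get wrong when the instance default is case- or binary-sensitive. The following script is an added example (not Citrix code) that checks the collation of a pre-created Access Controller database and, if the database does not exist yet, creates it with an explicit case-insensitive collation. The instance and database names are assumptions; it uses the ADO.NET SqlClient so it runs without SQL Server management tools.

```powershell
# Added example (not Citrix code): verify that a pre-created Access Controller database
# uses a case-insensitive collation, or create it correctly if it does not exist.
# $SqlInstance and $DatabaseName are assumed values for this example.
param(
    [string]$SqlInstance  = 'localhost\SQLEXPRESS',
    [string]$DatabaseName = 'CitrixAccessController'
)

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # DATABASEPROPERTYEX returns NULL for a database that does not exist.
    $cmd.CommandText = "SELECT CONVERT(sysname, DATABASEPROPERTYEX(@db, 'Collation'))"
    [void]$cmd.Parameters.AddWithValue('@db', $DatabaseName)
    $collation = $cmd.ExecuteScalar()

    if ($collation -is [DBNull]) {
        # Create it with an explicit _CI_ (case-insensitive) collation instead of
        # inheriting whatever the instance default happens to be. A database name
        # cannot be parameterised, so escape ] for the bracketed identifier.
        $safeName = $DatabaseName -replace ']', ']]'
        $cmd.CommandText = "CREATE DATABASE [$safeName] COLLATE SQL_Latin1_General_CP1_CI_AS"
        $cmd.Parameters.Clear()
        [void]$cmd.ExecuteNonQuery()
        Write-Host "Created $DatabaseName with SQL_Latin1_General_CP1_CI_AS"
    }
    elseif ($collation -match '_CS_|_BIN') {
        # Case-sensitive or binary collation: resource names that differ only in case
        # would no longer collide, which defeats the uniqueness the guide relies on.
        throw "$DatabaseName uses $collation; recreate it with a _CI_ collation before installing Access Controller"
    }
    else {
        Write-Host "OK: $DatabaseName collation is $collation (case-insensitive)"
    }
}
finally { $conn.Close() }
```

Run it as a login with CREATE DATABASE rights, before Server Configuration; the service account then needs db_owner on the result, as noted above for local accounts.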
SmartAccess Requirements
The SmartAccess feature enables organizations to better control how network
resources and virtual applications are accessed and used.
You can use SmartAccess with Access Controller to control which network resources
users can access based on the users' access scenario, and what users can do within
those resources after they get access. SmartAccess integrates with the Web Interface
for Citrix XenApp to give organizations granular control over virtual applications. To use
SmartAccess, you must have the following components in your environment:
• Citrix Access Controller
• Citrix XenApp 6 or Citrix XenApp 5
Note: SmartAccess is not supported with Citrix Presentation Server for UNIX or XenApp for UNIX 4.0 with Feature Pack 1.
If you are using the Web Interface to access virtual applications, you must also have the following software:
• XenApp Advanced Configuration (in XenApp 5.0)
• Delivery Services Console (in XenApp 6.0)
• Web Interface Version 5.0 or later
You must also ensure that address translation and firewall settings are identical for the
Web Interface and Access Controller.
applications. To integrate with SharePoint, you must have one of the following versions
installed in your environment:
• SharePoint 2007
• SharePoint 2010
Typically, users work with documents managed by SharePoint through menu-driven commands. The following table describes these menu items:
Menu item          Requires ActiveX?   Available to users by default?
View Properties    No                  Yes
Edit Properties    No                  Yes
Delete             No                  Yes
Check In           No                  Yes
Check Out          No                  Yes
Version History    No                  Yes
Alert Me           No                  Yes
Discuss            Yes                 No
server, you can enable NTP by configuring Windows Time Service Tools and Settings
by using the Net time command.
Device or operating system     Web browser
Windows 7                      Internet Explorer 8
Windows Vista                  Internet Explorer 7
Mac OS X                       Safari
BlackBerry OS 4.7.1.40
iPad, iOS 3.2
iPhone 3G, iOS 3.1
iPhone 3GS, iOS 3.1
Microsoft
Nokia, Symbian OS 11.2021
Note: If you are using Mac OS X, apply all updates, service packs, and security
updates to ensure that Web-based features function properly.
Access Gateway delivers content to Web browsers by transmitting Web pages encoded
with HTML and JavaScript. In most cases, standard client configurations can support
Access Gateway.
You must ensure that you enable execution of client-side JavaScript for each Web browser.
Operating system (32-bit and 64-bit)    Browser
Mac OS X                                Safari
Operating system (32-bit and 64-bit)    Browser
Windows 7 Home Basic Edition            Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows 7 Home Premium Edition          Internet Explorer 8, Firefox 3.6
Windows 7 Professional Edition          Internet Explorer 8, Firefox 3.6
Windows 7 Enterprise Edition            Internet Explorer 8, Firefox 3.6
Windows 7 Ultimate Edition              Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows Vista Home Basic Edition        Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows Vista Home Premium Edition      Internet Explorer 8, Firefox 3.6
Windows Vista Enterprise Edition        Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows Vista Business Edition          Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows Vista Ultimate Edition          Internet Explorer 7, Internet Explorer 8, Firefox 3.6
Windows XP Home Edition                 Internet Explorer 8, Firefox 3.6
Windows XP Professional Edition         Internet Explorer 7, Internet Explorer 8, Firefox 3.6
You can configure endpoint analysis scans to run on user devices to check them for
protective measures, such as an operating system with or without service packs and
antivirus software, before users access resources in the secure network.
Endpoint analysis scans require the Endpoint Analysis Plug-in for Windows that is
installed as a Windows 32-bit application. To download and install the plug-in, Windows
users must be members of the Administrators or Power Users group of the user device.
The Endpoint Analysis Plug-in downloads and installs on the user device when users log
on to Access Gateway for the first time.
Important: If a user does not install the Endpoint Analysis Plug-in on the user device
or chooses to skip the scan, the user cannot log on with the Access Gateway Plug-in.
The user can access resources for which a scan is not required by using either
clientless access or by using Citrix online plug-ins.
Client                                         English  Japanese  German  Spanish  French  Simplified Chinese
Citrix online plug-in Version 11.2 or later    Yes      Yes       Yes     Yes      Yes     Yes
Citrix XenApp Web Plug-in Version 11.0         Yes      Yes       Yes     Yes      Yes     Yes
Citrix XenApp Plug-ins 11.0                    Yes      Yes       Yes     Yes      Yes     Yes
For more information about configuring Access Controller to access virtual applications
and desktops, see Integrating Access Gateway 5.0 with XenApp and XenDesktop on page
307.
Chapter 4

Preliminary Steps
As you start preparing your access strategy, take the following preliminary steps:
• Identify resources. List the network resources to which you want to provide access, such as Web or published applications, services, and data that you defined in your risk analysis.
• Develop access scenarios. Create access scenarios that describe how users access network resources. An access scenario is defined by the logon point used to access the network, endpoint analysis scan results, authentication type, SmartGroups, or a combination of these. Access scenarios also determine the actions users can perform after they gain access. For example, you can specify whether users can modify documents by using a published application or by connecting to a file share.
• Associate policies with users. The policies you create on Access Gateway and Access Controller are enforced when an individual user or set of users meets specified conditions. You determine the conditions based on the access scenarios that you create. You then create policies that extend the security of your network by controlling which resources users can access and what actions users can perform on those resources, and you associate the policies with the appropriate users. For more information about how to
User Devices
Network speed: Enter the rate at which your network transmits data: 10 Mbps, 100 Mbps, or 1,000 Mbps. Note: You configure the network speed in the Access Gateway Management Console; it cannot be set from the command line.
Port: Enter the port on which Access Gateway listens for Secure Sockets Layer (SSL) user connections. The default is TCP port 443. This port must be open on the first firewall in the demilitarized zone (DMZ), between the Internet and Access Gateway.
Authentication Settings
Vendor code: This value must be the same as the vendor-specific attribute number that you enter in the Vendor-Specific Attribute Information dialog box in IAS. If you select RADIUS Standard, the default value is 0 (zero).
Vendor attribute: The assigned number for the User Group attribute. The default value is 0.
Separator: The punctuation used between groups in the attribute value prefix. The default value is a semicolon (;).
Administrator bind DN: If your LDAP server requires authentication, enter the Administrator bind DN that Access Gateway uses to authenticate when it queries the LDAP directory; for example, cn=administrator,cn=Users,dc=ace,dc=com.
Administrator password: The password associated with the Administrator bind DN.
Base DN: The DN (directory level) under which users are located; for example, ou=users,dc=ace,dc=com.
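A mistyped bind DN or a base DN that does not actually contain the users is the usual reason an LDAP profile authenticates nobody, and the appliance gives little detail. The following script is an added example (not Citrix code) that exercises the same three values from a Windows host before you commit them on the appliance: a simple bind as the administrator DN, a check that the base DN exists, and a subtree search for one known user under it. The server, DNs and test user are assumptions; pass -UseSsl to bind over LDAPS.

```powershell
# Added example (not Citrix code): test the LDAP server, administrator bind DN,
# password and base DN you intend to enter in the authentication profile.
# Host name, DNs and the test user below are assumptions.
param(
    [string]$LdapServer = 'dc1.ace.com',
    [string]$BindDN     = 'cn=administrator,cn=Users,dc=ace,dc=com',
    [string]$BaseDN     = 'ou=users,dc=ace,dc=com',
    [string]$TestUser   = 'jsmith',
    [switch]$UseSsl
)

$secure = Read-Host -AsSecureString "Password for $BindDN"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Same bind the appliance performs: a simple bind with the admin DN. Without SSL the
# bind password crosses the wire in clear text, so prefer LDAPS (TCP 636) or keep the
# appliance and directory on a trusted segment.
$port = 389
$authType = [DirectoryServices.AuthenticationTypes]::None
if ($UseSsl) {
    $port = 636
    $authType = [DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
}

$root = New-Object DirectoryServices.DirectoryEntry(
    "LDAP://${LdapServer}:${port}/${BaseDN}", $BindDN, $plain, $authType)
try {
    # Touching the native object forces the bind: a wrong DN, password or
    # nonexistent base DN throws here rather than on first search.
    $null = $root.psbase.NativeObject
    Write-Host "Bind OK as $BindDN; base DN $BaseDN exists"
}
catch {
    throw "Bind failed against ${LdapServer}:${port}: $($_.Exception.Message)"
}

# Confirm the base DN actually contains the users the logon point must find.
$searcher = New-Object DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$searcher.SearchScope = 'Subtree'
$hit = $searcher.FindOne()
if ($hit) {
    Write-Host "Found $TestUser at $($hit.Path)"
} else {
    Write-Warning "$TestUser not found under $BaseDN; users outside the base DN cannot log on"
}
```

If the bind succeeds but the search finds nothing, the base DN is too narrow; if the bind itself fails over LDAPS only, check that the directory's certificate chains to a CA the host trusts, since the appliance will face the same chain.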
Logon Points
You can configure logon points for user access. When you configure a logon point, you select the type, authentication and authorization, device profiles, logon point visibility and remediation message, and user time-out settings.
The user time-out settings that you configure within a logon point override the global user time-out settings.
SmartGroups
SmartGroups in Access Gateway contain a collection of settings that group users according to their identity, location, authentication and authorization type, and the results of endpoint analysis (as defined in device profiles).
A SmartGroup also contains the settings that define the network resources to which its users are allowed to connect, unique IP addresses (if needed), and Access Gateway Plug-in connection settings, including user session time-out values. The user session time-out values configured in a SmartGroup override the settings that you configure globally or within a logon point.
Appliance Failover
You can configure two Access Gateway appliances for appliance failover. If the primary
Access Gateway fails, the secondary appliance can accept user connections.
Chapter 5
Access Gateway is installed in the DMZ and configured to connect to both the Internet
and the internal network.
When Access Gateway is deployed in the secure network, you connect one interface on
Access Gateway to the firewall between the appliance and the Internet and the other
interface to servers that are running in the secure network. Installing Access Gateway
in the secure network provides access for local and remote users. With only one
firewall, however, this scenario is less secure for users who are connecting from a
remote location. Although Access Gateway intercepts traffic from the Internet, the
traffic enters the secure network before users are authenticated. When the Access
Gateway is deployed in a DMZ, users are authenticated before network traffic reaches
the secure network.
When Access Gateway is deployed in the secure network, Access Gateway Plug-in
connections must traverse the firewall to connect to Access Gateway. By default, user
connections use the Secure Sockets Layer (SSL) on port 443 to establish this
connection. To support this connectivity, you must open port 443 on the firewall.
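Opening port 443 on the firewall is only half the check; the other half is confirming from outside that the listener answers and presents the certificate you installed on the logon point. The following script is an added example (not Citrix code) that connects from a client on the far side of the firewall, completes the TLS handshake with a validation callback that reports chain problems instead of hiding them, and prints the certificate details and expiry. $Gateway and $Port are assumptions; it uses only the .NET socket and SslStream classes.

```powershell
# Added example (not Citrix code): from a client outside the firewall, verify that TCP
# 443 reaches Access Gateway and inspect the certificate it presents. $Gateway is an
# assumed host name for this example.
param(
    [string]$Gateway = 'ag.ace.com',
    [int]$Port = 443
)

$tcp = New-Object Net.Sockets.TcpClient
$connect = $tcp.BeginConnect($Gateway, $Port, $null, $null)
if (-not $connect.AsyncWaitHandle.WaitOne(5000)) {
    $tcp.Close()
    throw "No TCP connection to ${Gateway}:$Port within 5 s: check the firewall rule for 443"
}
$tcp.EndConnect($connect)

# Report chain errors explicitly rather than failing silently or, worse, accepting
# everything: a plain "return $true" would hide exactly the problems users will hit.
$callback = [Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    if ($errors -ne [Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Certificate problem: $errors"
    }
    return $true   # keep the handshake going so the details below can still be printed
}
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Gateway)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS handshake OK  Protocol: $($ssl.SslProtocol)  Cipher: $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Issuer:     $($cert.Issuer)"
    Write-Host "Expires:    $($cert.NotAfter)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Certificate expires within 30 days'
    }
}
finally {
    $ssl.Close()
    $tcp.Close()
}
```

A connect time-out points at the firewall; a handshake that completes with a RemoteCertificateNameMismatch or RemoteCertificateChainErrors warning points at the certificate installed on the appliance, which the Access Gateway Plug-in will reject just as a browser would.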
User connections are first sent to the Web Interface for authentication. After
authentication, the connections are routed through Access Gateway.
Chapter 6
Pre-Installation Tasks
Many Access Controller features require that you install certain components or
configure settings before you install the software.
The following table describes the required pre-installation tasks and includes
references to additional information about each component or feature.
Component or feature: required task; additional information
Access Gateway appliance: see Access Gateway Management Console on page 26.
Access Controller: see Account Requirements on page 37.
Ensure that the network configuration meets requirements: see Network Requirements on page 36 and Account Requirements on page 37.
Authentication: see Authentication Software Requirements on page 39.
Delivery Services Console: if installing on a standalone server, ensure that the required software is installed.
Database server: see Database Requirements on page 38.
Post-Installation Tasks
The following table describes the tasks you perform immediately after installing the
Access Controller software and includes references to additional information about
each component or feature.
Component or feature              Required task                                     Additional information
Access Controller Configuration   Configure communication with Access Controller.   Access Controller
However, you must remove the Citrix Delivery Services Console - Framework
component last.
Chapter 7
Exchanging or Migrating Existing Licenses
If you are a current Subscription Advantage member, you can exchange or migrate your existing Access Gateway licenses to update your license files.
Migrating licenses involves the following steps:
• Migrate existing licenses through MyCitrix.com.
• Download a new license file.
• Copy the new license to the license server.
Note: This option is available only if you have valid Subscription Advantage or purchased the universal license as a standalone license.
7. Click Submit.
A second Web browser window opens with the selection for the platform or universal license.
8. Under the Access Gateway appliance description, click one of the serial numbers and then click Continue.
The Confirmation page appears. This screen displays an agreement between you and Citrix. Click Accept.
The Fulfillment Request Confirmation page appears, showing that your request is registered. When this is complete, you receive an email from the GTL License Administrator containing download links for media, the license code, and the license server (if needed).
9. When you receive the license email from Citrix, click the link to allocate the license.
The Citrix Activation System page appears. You need the host name or host ID to activate your license.
The host name or host ID is based on the MAC address of Access Gateway VPX or the host ID of the Access Gateway appliance on which you install the license.
10. Click Continue.
The platform or universal license name, license code, and quantity appear.
11. In Host name of your citrix license server, enter the host name of Access Gateway VPX or of the physical appliance, click Allocate, and then click Confirm.
When you click Confirm, a screen appears with your licensing information. To download and save the license file, click Download License File and save the file to your computer. You can then install the license on Access Gateway.
To install the license on Access Gateway Enterprise Edition, see To install a license on the Access Gateway using the configuration utility.
Chapter 8
Feature                                                     Comment
Network adapter management
Authentication and authorization realms
Authentication
Enable application accelerator with the Accelerator Plug-in Interoperability with Branch Repeater is the default setting.
Network resources                                           Migrated network resources appear as multiple network resources in the Network Resources panel in the Access Gateway Management Console.
Routes
Licensing
XenApp settings
Security
Setting or tab                                   Comment
NetTools tab
Administration tab
Authentication after network interruption
Authenticate upon system resume
Global Cluster Policies

Setting                                          Comment
Access Gateway Cluster > Administration tab
Manage client certificates
Initialize the appliance
Access Gateway Cluster > Licensing tab
Vendor port
Access Gateway Cluster > Statistics tab
All settings
User groups
Local users
Application policies
Endpoint resources
Endpoint policies
Global Cluster Policies
Prompt or force upgrades from earlier versions of the Access Gateway Plug-in
Enable incorrect password cache and password cache time-out setting
Enable internal failover
Enable logon page authentication
Security options
Authentication
Portal Page Configuration
Group priority
Publish
Feature                                                     Comment
Network adapter management
Authentication
Branch Repeater: Enable application accelerator with the Accelerator Plug-in    Interoperability with Branch Repeater is the default setting.
Network resources                                           Migrated network resources appear as multiple network resources in the Network Resources panel in the Access Gateway Management Console.
Name Service Providers
Routes
Licensing
XenApp settings
Security
Access Policy: Allow logon, HTML Preview, LiveEdit, Email as attachment, Bypass URL rewriting, Email synchronization
Connection Policy: Continuous scans, Desktop sharing, Launch Secure Access Client if access is allowed, Internal failover, Improve latency for Voice over IP, Global accessible networks
Lotus Notes: Email Synchronization
Task                                                    Reference
Installing Licenses on Access Gateway                   page 83
Installing Access Controller                            page 79
Migrating Existing Configuration Data                   page 111
Importing Cluster Configuration Data                    page 112
Migrating Custom Endpoint Analysis Scan Packages        page 113
To create a snapshot
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Software
Releases, select a software version and then click Create.
3. In the Snapshot Description dialog box, type a description and then click Save.
Note: Special characters are not allowed in the description.
When you create the snapshot, it becomes active automatically.
To export a snapshot
You can create a copy of a snapshot and save it to a computer in your network by
exporting the snapshot from the Access Gateway Management Console. At a later time,
you can import the snapshot to restore the configuration settings to Access Gateway.
Saving snapshots to your computer allows you to reinstate configuration settings in case
you need to reimage the appliance. This prevents you from having to configure the
appliance again.
When you export a snapshot, it is encrypted to protect its validity and integrity. If
you import the snapshot to Access Gateway at a later time, the software version of the
snapshot must match the software version installed on Access Gateway.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Software
Releases, select the software version.
3. Under Snapshots, click a snapshot and then click Export.
4. In the Download Snapshot message box, click Yes.
5. Save the snapshot to a location on your computer.
To delete a snapshot
You can delete one or more snapshots from Access Gateway, except the snapshot that is
currently active.
1. In the Access Gateway Management Console, click Snapshots.
2. In the Software Releases and Configuration Snapshots panel, under Snapshots,
select a snapshot and then click Delete.
System Requirements
To create the installation package on a USB storage device, you need the following:
• One gigabyte (GB) USB storage device
• .NET Framework 1.0
• One of the following Windows operating systems:
  Windows Server 2003
  Windows Server 2008
  Windows XP
  Windows Vista
Chapter 9
In This Section
This section of eDocs contains information about configuring and managing Access
Gateway 5.0.
Exporting Certificates
You might need to export certificates when migrating to a new appliance, backing up
an appliance, and sharing certificates between a pair of appliances used for appliance
Note: The shared key must be identical on the primary and secondary appliances.
5. In Peer IP address, type the IP address of the network adapter on which you
enable appliance failover on the secondary appliance.
If the primary IP address fails for any reason, this is the IP address to which
failover to the secondary appliance occurs.
6. In Internal virtual IP address and External virtual IP address, type the internal
and external IP addresses that accept user connections.
The primary appliance uses the external IP address for user connections.
7. Click Start and then click Save.
The load balancer is configured with a unique IP address or fully qualified domain name
(FQDN). This address is used by the Citrix Access Gateway Plug-in or a Web browser to
connect to the load balancer. The load balancer distributes the user connections evenly
among the appliances deployed behind it.
Upon receiving a user connection, the load balancer uses an algorithm to select one of
the appliances from the list and directs the user connection to the selected Access
Gateway.
In addition to distributing user connections evenly, a load balancer also provides
greater availability of access to the internal network.
To provide increased access, some load balancers can detect when appliances deployed
behind them are failing. If the load balancer detects that an appliance is failing, the
load balancer removes the appliance from the list of available appliances and redirects
user connections to the remaining active appliances. When Access Gateway comes back
online, the load balancer adds it back to the list of active appliances. This approach
ensures that all user connections have continuous access to the internal network if one
Access Gateway fails.
LDAP server          User attribute    Case sensitive
                     sAMAccountName    No
Novell eDirectory    cn                Yes
                     uid               Yes
Lotus Domino         CN                Yes
                     uid or cn         Yes
The following table contains examples of the base DN, which is the top level of the
LDAP directory tree:
LDAP server          Base DN
                     DC=citrix, DC=local
Novell eDirectory    dc=citrix,dc=net
                     cn=users
Lotus Domino         ou=People,dc=citrix,dc=com
The following table contains examples of the bind DN, which is the distinguished name
of an administrative user that, together with its password, is used to bind to the
directory:
LDAP server          Bind DN
Novell eDirectory    LDAP_dn
Lotus Domino         uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
                 Secondary authentication profile
                 LDAP                RADIUS              RSA SecurID
LDAP             LDAP, None          LDAP, RADIUS, None  LDAP, None
RADIUS           LDAP, RADIUS, None  LDAP, RADIUS, None  LDAP, RADIUS, None
RSA SecurID      LDAP, None          LDAP, RADIUS, None  LDAP, None
None             LDAP, None          LDAP, RADIUS, None  LDAP, None
LDAP server            Group attribute
Active Directory       memberOf
Novell eDirectory      groupMembership
IBM Directory Server   ibm-allGroups
Sun ONE                nsRole
How LDAP Group Extraction Works from the User Object Directly
LDAP servers that evaluate group memberships from group objects work with Access
Gateway authorization.
Some LDAP servers enable user objects to contain information about groups to which
the objects belong, such as Active Directory (by using the memberOf attribute) or IBM
eDirectory (by using the groupMembership attribute). A user's group membership can
also be exposed as attributes of the user object, as in IBM Directory Server (by using
ibm-allGroups) or Sun ONE directory server (by using nsRole). Both of these types of
LDAP servers work with Access Gateway group extraction.
For example, in IBM Directory Server, all group memberships, including the static,
dynamic, and nested groups, can be returned through the use of the ibm-allGroups
attribute. In Sun ONE, all roles, including managed, filtered, and nested, are
calculated through the use of the nsRole attribute.
How LDAP Group Extraction Works from the Group Object Indirectly
LDAP servers that evaluate group memberships from group objects indirectly will not
work with Access Gateway authorization.
Some LDAP servers, such as Lotus Domino, enable group objects only to contain
information about users. These LDAP servers do not enable the user object to contain
information about groups and thus will not work with Access Gateway group extraction.
For this type of LDAP server, group membership searches are performed by locating the
user in the member list of groups.
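As an added example (not from the Citrix guide), the following Python contrasts the two extraction modes described above on an in-memory directory: direct extraction reads the group attribute off the user object (memberOf, groupMembership, ibm-allGroups or nsRole), while the indirect search through group member lists, shown only for contrast, is what a Domino-style directory would need and what Access Gateway group extraction does not do. All DNs, entries and SmartGroup names are constructed.

```python
"""LDAP group extraction, direct and indirect (added example, not Citrix code).

The directory is an in-memory stand-in for an LDAP server shaped as
{DN: {attribute: [values]}}; every DN in it is constructed.
"""
import re
from typing import Dict, List

# Group attribute per directory type, as the guide lists them.
GROUP_ATTRIBUTE = {
    "Active Directory": "memberOf",
    "Novell eDirectory": "groupMembership",
    "IBM Directory Server": "ibm-allGroups",
    "Sun ONE": "nsRole",
}

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'Finance' from
    'CN=Finance,OU=Groups,DC=citrix,DC=local'.  Escaped commas (\\,) inside
    a value are honoured and unescaped."""
    first = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
    _, _, value = first.partition("=")
    return value.replace("\\,", ",").strip()


def groups_from_user_object(user_entry: Dict[str, List[str]],
                            group_attr: str) -> List[str]:
    """Direct extraction: the user object itself carries its group DNs.
    An entry without the attribute yields no groups at all."""
    return sorted(rdn_value(dn) for dn in user_entry.get(group_attr, []))


def groups_from_group_objects(directory: Dict[str, Dict[str, List[str]]],
                              user_dn: str, member_attr: str = "member") -> List[str]:
    """Indirect extraction: find every group whose member list names the user.
    Shown for contrast only; Access Gateway does not perform this search."""
    wanted = user_dn.lower()
    return sorted(
        rdn_value(dn)
        for dn, attrs in directory.items()
        if any(member.lower() == wanted for member in attrs.get(member_attr, []))
    )


def matching_smartgroups(groups: List[str], smartgroups: List[str]) -> List[str]:
    """A SmartGroup applies when its Group Membership name matches a group
    name returned by the authorization server (exact match)."""
    return [name for name in smartgroups if name in groups]


# Constructed directory.  Alice's entry carries memberOf, so direct extraction
# works.  Bob's entry carries no group attribute; his groups are recorded only
# on the group objects, so direct extraction finds nothing for him.
ALICE = "CN=Alice,OU=Users,DC=citrix,DC=local"
BOB = "CN=Bob,OU=Users,DC=citrix,DC=local"
DIRECTORY = {
    ALICE: {"sAMAccountName": ["alice"],
            "memberOf": ["CN=Finance,OU=Groups,DC=citrix,DC=local",
                         "CN=VPN Users,OU=Groups,DC=citrix,DC=local"]},
    BOB: {"sAMAccountName": ["bob"]},
    "CN=Finance,OU=Groups,DC=citrix,DC=local": {"member": [ALICE]},
    "CN=VPN Users,OU=Groups,DC=citrix,DC=local": {"member": [ALICE, BOB]},
    "CN=Sales,OU=Groups,DC=citrix,DC=local": {"member": [BOB]},
}

if __name__ == "__main__":
    attr = GROUP_ATTRIBUTE["Active Directory"]
    print(groups_from_user_object(DIRECTORY[ALICE], attr))  # ['Finance', 'VPN Users']
    print(groups_from_user_object(DIRECTORY[BOB], attr))    # [] : nothing to extract
    print(groups_from_group_objects(DIRECTORY, BOB))        # ['Sales', 'VPN Users']
```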
Policies, under the applied policy's properties on the Authentication tab, select
Unencrypted Authentication (PAP, SPAP).
Suppose that you want to provide a user with secure access to the following subnets on
your network:
• The 10.10.x.x subnet
• The 10.20.10.x subnet
• The IP addresses of 10.50.0.60 and 10.60.0.10
To provide that access, you create a network resource profile by specifying the
following IP address/subnet pairs:
10.10.0.0/255.255.0.0
10.20.10.0/255.255.255.0
10.50.0.60/255.255.255.255
10.60.0.10/255.255.255.255
You can specify the mask in Classless Inter-Domain Routing (CIDR) notation. For
example, you could specify 10.60.0.10/32 for the last entry.
The following tips describe ways to achieve more granular control when creating
network resource groups:
• You can further restrict access by specifying a port, a port range, and protocol for
an IP address/subnet pair. For example, you might specify that a network resource
can use only port 80 and the TCP protocol.
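As an added example (not from the Citrix guide), the following Python models a network resource profile as described above: it normalizes the IP address/subnet pairs to CIDR, rejects an entry whose address has host bits set beyond its mask, and checks a destination against each entry's optional port range and protocol. The four entries are the page's; the port 80/TCP restriction placed on the 10.20.10.x entry is constructed to illustrate the tip above.

```python
"""Network resource profile checks (added example, not Citrix code).

Entries are the "ip/mask" pairs from the guide; the mask may be dotted
(255.255.0.0) or CIDR (/16).  An entry may carry an optional port range and
protocol, as the guide's "port 80 and TCP only" tip describes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple


def parse_ip_mask(entry: str) -> IPv4Network:
    """Parse 'a.b.c.d/255.255.0.0' or 'a.b.c.d/16'.

    strict=True makes an entry such as 10.20.10.5/24 raise ValueError: the
    address has host bits set beyond the mask, so it is ambiguous whether one
    host or the whole /24 was meant.  Better to refuse it than to guess.
    """
    return IPv4Network(entry, strict=True)


def to_cidr(entry: str) -> str:
    """Normalise an entry to CIDR notation, e.g. '10.60.0.10/32'."""
    return parse_ip_mask(entry).with_prefixlen


def entry_problems(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that does not parse cleanly."""
    problems = []
    for entry in entries:
        try:
            parse_ip_mask(entry)
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return problems


@dataclass(frozen=True)
class NetworkResource:
    network: IPv4Network
    port_range: Optional[Tuple[int, int]] = None  # None: any port
    protocol: Optional[str] = None                # "tcp", "udp" or None: any

    def matches(self, ip: IPv4Address, port: int, protocol: str) -> bool:
        if ip not in self.network:
            return False
        if self.port_range is not None:
            low, high = self.port_range
            if not low <= port <= high:
                return False
        if self.protocol is not None and self.protocol != protocol.lower():
            return False
        return True


def build_profile(entries) -> List[NetworkResource]:
    """entries: (ip/mask, port range or None, protocol or None) triples."""
    return [NetworkResource(parse_ip_mask(entry), ports, proto)
            for entry, ports, proto in entries]


def is_allowed(profile: List[NetworkResource], ip: str, port: int,
               protocol: str) -> bool:
    """Access Gateway grants only allow or deny per network resource: a
    destination is reachable if any entry in the profile matches it."""
    addr = IPv4Address(ip)
    return any(res.matches(addr, port, protocol) for res in profile)


# Constructed profile built from the guide's four example entries.  The
# port/protocol restriction on the 10.20.10.x entry is an assumption that
# illustrates the guide's "port 80 and TCP only" tip.
PROFILE = build_profile([
    ("10.10.0.0/255.255.0.0", None, None),
    ("10.20.10.0/255.255.255.0", (80, 80), "tcp"),
    ("10.50.0.60/255.255.255.255", None, None),
    ("10.60.0.10/32", None, None),
])

if __name__ == "__main__":
    for res in PROFILE:
        print(res.network.with_prefixlen, res.port_range, res.protocol)
    print(is_allowed(PROFILE, "10.20.10.9", 443, "tcp"))  # False: only 80/tcp
    print(entry_problems(["10.20.10.5/24"]))              # host bits set
```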
Adding SmartGroups
SmartGroups in Access Gateway contain a collection of settings that group users
according to their identity, location, authentication and authorization type, and the
results of endpoint analysis (as defined in device profiles).
Before you configure a SmartGroup, Citrix recommends that you configure
authentication profiles, logon points, network resources, and device profiles in the
Access Gateway Management Console. Then, when you create the SmartGroup, you can
enable the settings that apply when users log on. To define the users, you configure
Group Membership within the SmartGroup. The name of the group must match the
group configured on the authorization server. You cannot configure users on Access
Gateway.
To create a SmartGroup
1. In the Access Gateway Management Console, click Management.
2. Under Access Control, click SmartGroups.
3. In the SmartGroups panel, click Add.
4. In the SmartGroups Properties dialog box, configure the settings and then click
Save.
In This Section
This section of eDocs contains information about installing, setting up, and configuring
Access Controller.
Initial Configuration of Access Controller on page 190
Manager before you change the user account for database access. The database user
account must have system administrator privileges.
The Server Configuration utility does not add the service account to network shares.
The Server Configuration utility does not remove previous service accounts from the
local security policy or network shares. If this is a security concern, remove the old
accounts after updating the account information with the utility.
Changing Settings with the Server Configuration Utility
If necessary at a later time, you can also run the Server Configuration utility to change
your settings. You can carry out the following configuration tasks:
• Changing the administrator service account
• Selecting or changing a cluster database and specifying a database server
• Deploying logon points
• Importing endpoint analysis plug-in packages
• Starting or stopping Access Controller services
• Configuring Web Services settings
Important: If you want to select a SQL Server database, be sure the SQL
Service is running on the server you want to specify. If the SQL Service is not
running, the Server Configuration utility cannot detect the server.
If you select SQL Server as your database, the Server Configuration utility
prompts you to specify the server on which SQL Server is installed.
• Configuration database server. Type the name of the database server.
• Cluster name. Type the name of the cluster you want to create or join.
• Use the Service Account to access the configuration database. Choose this
option to use the Access Controller service account credentials to access the
SQL database.
• Use SQL Authentication to access the configuration database. Choose this
option to use the SQL database account credentials to access the SQL
database. If you choose this option, you must also enter the database user
name and password.
Microsoft SQL Server Express
Choose this option if you want Access Controller to install the necessary
components for a local database server and create a database for the cluster.
The Server Configuration utility searches for an instance of SQL Server Express
labeled CitrixController. If this instance is not found, the Server Configuration
utility installs this instance for you.
Note: Use the Microsoft SQL Server Express option for a pilot deployment of
Access Controller. Citrix recommends the use of SQL Server for large-scale
deployments.
4. Select a Web Site path. The Web site path is the location where all Web content
for Access Controller is installed. Review the Web site path that Access Controller
detects to ensure that the path is valid for your deployment.
To change the physical path:
a. Select the Web site you want to change.
b. Click Use custom path for Web content.
c. In Path, type the physical path you want to use for the Web site. You can also
click Browse to navigate to the directory you want to specify.
5. Secure Web Site traffic with SSL. When you select a Web site path, you can also
enable the Secure Sockets Layer (SSL) protocol to secure communication with
Access Gateway. To secure Web site traffic, select the Secure communication
with this server check box.
Important: You must have the required digital certificates installed on the server
before configuring Access Controller. This check box is not enabled unless SSL is
enabled on the server.
To run discovery
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, click Citrix Resources.
3. In the task pane, under Common Tasks, click Run discovery.
Note: If you create a default policy, you can edit its properties later.
Add a policy to grant access to all users later.
11. Click Finish.
After defining a network resource, you can change the default policy settings or create
policies that control its user access and connection settings.
The only access control permission you can grant for a network resource is to allow or
deny access. Because users connect directly to the services defined by the specified
port or network subnode, URL rewriting is not used. Connecting to resources through
URL rewriting is required if you want to tailor the level of access with action controls.
When users connect with the Access Gateway Plug-in, they can view a list of their
network resources in the plug-in properties.
User device
Company computer running required antivirus software
  • Download files
  • Upload files
  • Edit files on servers running XenApp
  • Published applications through XenApp
  • Other applications
Remote user device running required antivirus and firewall software
  • Web applications
  • Published applications through XenApp
  • Limited access to file systems
  • Servers or services defined as network resources
Public kiosk running a required browser
  • Web applications
  • Outlook Web Access or Outlook Web App access only
  • Limited access to published applications
Small form factor device, including SmartPhones, iPhone, and iPad
Remote laptops for system administrators who cover emergencies from home
After you develop an access strategy, you configure resources, policies, and filters in
combinations that comply with and extend your security guidelines. Resources and
Note: Take care to review selections in the available resources tree. When you
select or clear a category of resource, such as File Shares, all items grouped
under that category are selected or cleared. Expand nodes to display the
selections under each category.
6. On the Configure Policy Settings page, enable each desired setting individually
and then click Next.
It is possible to select policy settings on the Configure Settings page for types of
resources that you did not select for the policy to control. The policy applies
settings only for the resources that are selected for the policy.
7. On the Select Filter page, select a filter that defines the conditions to be met for
the policy to be enforced.
You can create a new filter from the Select Filter page by clicking New and
following the steps in the wizard.
If you have not yet configured filters, you can edit the policy and assign a filter to
it later.
8. On the Select Users or Groups page, select the users to whom the policy applies.
You can select to apply the policy to all authenticated users or click Add to choose
individual groups or users.
Note: If multiple policies apply to a resource, a policy that denies access takes
precedence over other policies that allow access.
Naming Policies
All policy names must be unique. Developing a consistent naming convention or
practice eases the administration of policies. Because you define policies per resource
to provide granular control, you can potentially create many policies. The naming
convention you develop should help you quickly identify the resource and, if possible,
the level of access you are applying.
You can develop a convention that meets your organization's needs. In general, the
policy name should include the resource. One typical naming convention names policies
by resource name and contains an access level phrase that coincides with your access
strategy or the permissions allowed. For example:
• Web resource X_full access_all users
• Web resource X_limited access_field users
• Web resource X_full access_administrators
• File share Z_all actions_all users
• File share Z_restricted actions_unknown devices
You can change the name of default policies.
OR
Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
OR
Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
NOT
Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting
Note: Policy Manager does not present information about the filtered results of policy
control with currently connected users, such as the resulting set of access permissions
after endpoint analysis scans are taken into consideration.
To create a scan
1. Click Start>Programs>Citrix>Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Expand Endpoint Analysis Scans and then click the type of scan you want to
create: antivirus, basic, browser, custom, firewall, machine identification,
miscellaneous, or operating system.
4. In the right pane, under Contents, click a scan package.
5. Under Tasks, click Create scan.
The Create Scan wizard opens.
6. On the Define Scan Name page, enter a name for the scan.
7. On the Select Conditions page, select the conditions that will define when the
scan runs.
You can also click Use Another Scan's Output as a Condition to use the output
from another scan as a condition for your scan.
In the Use Scan Output as a Condition dialog box, select the scan package, the
scan, and then the scan output that you want to use as a condition for running
your new scan.
8. On the Define Rule page, enter a rule name for the set of conditions and
properties you are configuring.
9. On the various Configure Conditions pages, select all acceptable values for each
condition.
Editing Rules
You can view all condition settings for a rule in the Properties display for the rule. For
example, if you add to the conditions that are available for a scan, all existing rules of
that scan receive the condition you added with all the settings selected. You might
need to adjust the settings that are automatically copied to existing rules.
Scan Packages
Scan packages enable you to create scans to verify the properties of a user device, such
as the installed version of an antivirus software product. Each package is designed to
verify specific properties or software products.
Scan packages are listed in the Citrix Delivery Services Console under the Endpoint
Analysis Scans node.
You can view individual properties of a scan package in the console, including a
description of its scan outputs. Look at the scan output descriptions when you want to
know which information the endpoint analysis scan retrieves or verifies about the user
device.
A scan output can take one or both of the following forms depending on the scan
package and the rules you set:
• Information about the user device. For example, the scan package Citrix Scans for
Trend OfficeScan detects and retrieves a value that is the product version of Trend
OfficeScan running on the user device, if any.
• A True or False Boolean verification indicating if the scan package detected the
scan's required property values.
Grouping Scans
The console tree lists default scan groups for categories, such as antivirus, firewall,
and operating system software to help you organize scan packages and their scans.
Scan groups can help you find scan packages or scans more quickly. You can create and
name your own groups.
Scan groups exist to organize items within the console tree only and have no effect on
how scans run.
To create a scan group
1. Click Start>Programs>Citrix Management Consoles>Delivery Services Console.
2. In the console tree, expand Citrix Resources, expand Access Gateway, and then
expand the Access Controller on which you want to configure a scan.
3. Click Endpoint Analysis and under Common Tasks, click Create scan group.
4. In the Create Scan Group dialog box, type a name for the new scan group and
then click OK.
Scan Outputs:
File Version
The rest of the version number may be ignored when reported.
Verified-McAfee-VirusScan

Property name:
Minimum required engine version
Minimum required pattern file version number
Scan Outputs:
Verified-McAfee-VirusScan-Enterprise
Engine Version
Pattern Version

Property name:
Minimum required product version
Minimum required pattern file version number
Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit
month, DD is the two-digit day, and NNN is a three-digit integer.
Scan Outputs:
Product version
Verified-Norton-Antivirus
Pattern version

Property name:
Minimum required product version
Minimum required pattern file version number
Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit
month, DD is the two-digit day, and NNN is a three-digit integer.
Scan Outputs:
Product version
Pattern version
Verified-Symantec-AVEnterprise

Property name:
Minimum required pattern file version number
Scan Outputs:
Product Version
Verified-TrendOfficeScan
Pattern Version

Property name:
Antivirus Enabled

Property name:
Path to file
Expand environment strings
Hash algorithm
Scan Outputs:
Verify_File_Exist
Verify_File_Hash_IS_OK
Verify_File_Version_Is_OK

Property name:
• Service Pack 8
• Service Pack 9
Scan Outputs:
Verify_OS_Name_is_OK
Verify_OS_Version_is_OK
Verify_OS_Bit_Width_is_OK
Verify_OS_Service_Pack_is_OK

Property name:
Port numbers
Protocol
Scan Outputs:
Verify_Port_Is_Bound

Property name:
Path to process
Expand environment strings
Hash algorithm
• SHA-256: When specified, SHA-256 hash of the process module is calculated.
Scan Outputs:
Verify_ProcessIs_Running
When only the process name is specified and there are multiple instances of process
with that name running, the output is True when all of the following conditions are
met:
• All the hashes (if specified) of the running processes' modules are in the specified
hash data set.
• All the versions (if specified) of the running processes' modules meet the comparison
version requirement.
Property name:
Key name
Registry redirection
Operator to compare registry values
• Equal_To
• Not_Equal_To
• Less_Than
• Less_Than_or_Equal_To
• Greater_Than
• Greater_Than_or_Equal_To
When None is specified, the registry's value is not detected or compared.
For values of type REG_BINARY and REG_MULTI_SZ, the valid Value Relational Operators
are Exist and Equal_To; other Value Relational Operators will yield negative output.
Value name
Value type
Value data
Scan Outputs:
Verify_Registry_Key_Is_Present
Verify_Registry_Value_Is_Present
Verify_Registry_Value_Is_OK
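As an added example (not from the Citrix guide), the following Python evaluates a registry scan rule against an offline registry snapshot using the Value Relational Operators listed above, including the two special cases the guide states: None means the value is neither detected nor compared, and REG_BINARY/REG_MULTI_SZ values accept only Exist and Equal_To. The key path and value names are constructed, and treating a mismatch between the rule's Value type and the stored type as "value not present" is this example's assumption.

```python
"""Registry endpoint-analysis rule evaluation (added example, not Citrix code).

The registry is an offline snapshot {key path: {value name: (type, data)}}
so the example runs anywhere; key and value names compare case-insensitively
as they do on Windows.  All paths and value names below are constructed.
"""
import operator
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

ORDERED_OPERATORS = {
    "Equal_To": operator.eq,
    "Not_Equal_To": operator.ne,
    "Less_Than": operator.lt,
    "Less_Than_or_Equal_To": operator.le,
    "Greater_Than": operator.gt,
    "Greater_Than_or_Equal_To": operator.ge,
}
# Per the guide, these value types accept only Exist and Equal_To.
EXIST_OR_EQUAL_ONLY = {"REG_BINARY", "REG_MULTI_SZ"}

Registry = Dict[str, Dict[str, Tuple[str, Any]]]


@dataclass(frozen=True)
class RegistryRule:
    key_name: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    relational_operator: str = "None"  # "None", "Exist" or an ORDERED_OPERATORS key
    value_data: Any = None


@dataclass(frozen=True)
class RegistryScanOutput:
    """The guide's three scan outputs; None means 'not evaluated'."""
    Verify_Registry_Key_Is_Present: bool
    Verify_Registry_Value_Is_Present: Optional[bool]
    Verify_Registry_Value_Is_OK: Optional[bool]


def _find_value(registry: Registry, key_name: str, value_name: str):
    """Case-insensitive lookup; returns (key_present, (type, data) or None)."""
    for path, values in registry.items():
        if path.lower() == key_name.lower():
            for name, entry in values.items():
                if name.lower() == value_name.lower():
                    return True, entry
            return True, None
    return False, None


def evaluate(registry: Registry, rule: RegistryRule) -> RegistryScanOutput:
    if rule.relational_operator == "None" or rule.value_name is None:
        # Only the key is detected; the value is neither detected nor compared.
        key_present = any(p.lower() == rule.key_name.lower() for p in registry)
        return RegistryScanOutput(key_present, None, None)

    key_present, entry = _find_value(registry, rule.key_name, rule.value_name)
    # Assumption: a value whose stored type differs from the rule's Value type
    # is treated as not present.
    if entry is None or (rule.value_type is not None and entry[0] != rule.value_type):
        return RegistryScanOutput(key_present, False, False)

    vtype, data = entry
    op = rule.relational_operator
    if op == "Exist":
        ok = True
    elif op in ORDERED_OPERATORS:
        if vtype in EXIST_OR_EQUAL_ONLY and op != "Equal_To":
            ok = False  # guide: other operators yield negative output
        else:
            try:
                ok = bool(ORDERED_OPERATORS[op](data, rule.value_data))
            except TypeError:  # e.g. a DWORD ordered against a string
                ok = False
    else:
        raise ValueError(f"unknown relational operator: {op}")
    return RegistryScanOutput(key_present, True, ok)


# Constructed snapshot; the key path and value names are hypothetical.
AGENT_KEY = r"HKLM\SOFTWARE\ExampleCorp\Agent"
REGISTRY: Registry = {
    AGENT_KEY: {
        "Version": ("REG_DWORD", 7),
        "AllowedSites": ("REG_MULTI_SZ", ["intranet", "mail"]),
        "PolicyHash": ("REG_BINARY", b"\x01\x02\x03"),
        "Edition": ("REG_SZ", "Enterprise"),
    },
}

if __name__ == "__main__":
    print(evaluate(REGISTRY, RegistryRule(AGENT_KEY, "Version", "REG_DWORD",
                                          "Greater_Than_or_Equal_To", 5)))
    print(evaluate(REGISTRY, RegistryRule(AGENT_KEY, "AllowedSites", "REG_MULTI_SZ",
                                          "Greater_Than", ["a"])))  # negative output
```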
Property name:
• Microsoft Internet Explorer
• Mozilla Firefox
• Google Chrome
• Safari
• Other
Scan Outputs:
Browser Type

Property name:
Minimum required version
Scan Outputs:
Product Version
Verified-InternetExplorer-Installed
Verified-InternetExplorer-Connecting

Scan Outputs:
Verified-InternetExplorer-Patch

Property name:
Minimum required version
Scan Outputs:
Product Version
Verified-Mozilla-Firefox-Installed
Verified-Mozilla-Firefox-Connecting

Property name:
Minimum required version number or combined version and build number
Scan Outputs:
Version
Verified-McAfeeDesktop-Firewall

Property name:
Minimum required version number
Scan Outputs:
Version
Verified-McAfeePersonal-Firewall

Property name:
Windows Firewall without exceptions is required
Scan Outputs:
Verified-WindowsFirewall

Property name:
Minimum required version
Scan Outputs:
Version-Norton-PersonalFirewall
Version

Property name:
Verified Symantec Firewall
Scan Outputs:
Version
MinVersion

Property name:
Firewall Enabled

Property name:
Expected Domain
Domain name
Scan Outputs:
Verified Domain
Domain
The name of the domain that the user device belongs to. If a client domain name is not
required, the output is unknown.

Property name:
Group name
Scan Outputs:
Group name

Scan Outputs:
Matched-MAC-Address

Property name:
Platform Type

Property name:
Minimum required service pack
Select a Windows service pack version from the drop-down menu. Select None to detect a
base, unpatched operating system version.
Scan Outputs:
Service Pack
Verified-WindowsService-Pack

Scan Outputs:
Verified-WindowsUpdates
Address package, it is possible to create an entry for the same address and map it to
two different groups. One entry might map the address 00:50:8b:e8:f9:28 to the
Finance group. Another entry can map the same address with different case lettering,
00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results unreliable.
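As an added example (not from the Citrix guide), the following Python normalizes MAC addresses before they are placed in a MAC address data set and reports every address that, after normalization, is mapped to more than one group, which is the unreliable situation described above. The two-column address,group CSV layout is an assumption made for this example, not the file format that ctxepadatasetupdate expects.

```python
"""MAC address data-set hygiene (added example, not Citrix code).

The same address written with different letter case or separators is one
device; normalising before import makes conflicting group mappings visible.
The CSV layout (address,group) is an assumption for this example only.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical form: lower-case, colon separated.  Accepts 00:50:8b:e8:f9:28,
    00-50-8B-E8-F9-28, 0050.8be8.f928 and 00508BE8F928."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_dataset(csv_text: str) -> List[Tuple[str, str]]:
    """Parse 'address,group' rows, skipping blank lines."""
    rows = []
    for record in csv.reader(io.StringIO(csv_text)):
        if not any(field.strip() for field in record):
            continue
        if len(record) < 2:
            raise ValueError(f"row needs address and group: {record!r}")
        rows.append((record[0].strip(), record[1].strip()))
    return rows


def find_conflicts(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each canonical address assigned to more than one group to the set
    of groups: these are the entries that make scan results unreliable."""
    groups_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for address, group in rows:
        groups_by_mac[normalize_mac(address)].add(group)
    return {mac: groups for mac, groups in groups_by_mac.items() if len(groups) > 1}


def canonical_rows(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """De-duplicated rows in canonical form; refuses to proceed while any
    address still maps to two groups, so the conflict is fixed at the source."""
    conflicts = find_conflicts(rows)
    if conflicts:
        raise ValueError(f"conflicting group mappings: {sorted(conflicts)}")
    return sorted({(normalize_mac(address), group) for address, group in rows})


# Constructed data set; the first two rows reproduce the guide's example of one
# address entered twice with different case and mapped to two groups.
SAMPLE_CSV = """\
00:50:8b:e8:f9:28,Finance
00:50:8B:E8:F9:28,Sales
00-1A-2B-3C-4D-5E,Finance
001a.2b3c.4d5e,Finance
"""

if __name__ == "__main__":
    rows = load_dataset(SAMPLE_CSV)
    print(find_conflicts(rows))  # {'00:50:8b:e8:f9:28': {'Finance', 'Sales'}}
    print(canonical_rows(rows[2:]))  # [('00:1a:2b:3c:4d:5e', 'Finance')]
```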
package_uri
package_version: Version of the scan package to which the scan belongs. You can find
the version information for a scan package in the Delivery Services Console Properties
view for the scan package.
scan_name
rule_name
param_name: Parameter name for the required value. You can find the parameter name
and its current setting in the Delivery Services Console in the Properties view for the
scan rule.
new_value
Switch option    Syntax
/import          ctxepadatasetupdate /import file_name.csv dataset_name
/reimport        ctxepadatasetupdate /reimport file_name.csv dataset_name
/export          ctxepadatasetupdate /export file_name.csv dataset_name
/destroy         ctxepadatasetupdate /destroy dataset_name
/add             ctxepadatasetupdate /add dataset_name key [value]
/overwrite       ctxepadatasetupdate /overwrite dataset_name key value
/remove          ctxepadatasetupdate /remove dataset_name key

                 Description
file_name.csv    The name of the .csv file that contains the data set.
dataset_name
key
value
Chapter 10
Connection type
XenApp or XenDesktop
Basic
SmartAccess
VPN
Network Address Translation (NAT) firewalls maintain a table that allows them to route
secure packets from Access Gateway back to the user device. For circuit-oriented
connections, Access Gateway maintains a port-mapped, reverse NAT translation table.
The reverse NAT translation table enables Access Gateway to match connections and
send packets back over the tunnel to the user device with the correct port numbers so
that the packets return to the correct application.
Access Gateway uses industry-standard connection establishment techniques, such as
HTTPS, Proxy HTTPS, and SOCKS, to establish the tunnel. This operation makes the
Access Gateway firewall accessible and allows remote computers to access private
networks from behind other organizations' firewalls without creating any problems.
For example, Access Gateway can make the connection through an intermediate proxy,
such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate
proxy. Any credentials that the intermediate proxy requests are obtained from the
remote user (by using single sign-on information or by requesting the information from
the remote user) and are presented to the intermediate proxy server. When the proxy
establishes the HTTPS session, the payload of the session is encrypted and carries
secure packets to Access Gateway.
Chapter 11
Important: ACLs you specify are not applied when virtual applications are configured
as network resources.
To configure file type association for file shares and Web resources
Before you configure file type association, verify that published application settings in
XenApp specify the associations you want. For example, if you want a published
application to be launched for users when they open a bitmap image (.bmp) file, make
sure that the application's settings associate it with .bmp files.
1. Configure Citrix XenApp to communicate with Access Controller.
2. Specify one or more farms that you want to link to your cluster.
3. Specify the XenApp farms available to the logon point.
For more information, see Creating Logon Points on Access Controller on page 205.
4. Create an access policy for the file share or Web resource and enable and allow
the File Type Association action control.
Note: The Web Interface for Microsoft SharePoint is a Web Part that allows the
integration of a Web Interface within SharePoint. For more information about the Web
Interface for Microsoft SharePoint, see the Web Interface documentation in the
Technologies node in the Citrix eDocs library. Generic third-party portals must support
the display of IFRAME-based Web content to properly integrate a XenApp Web site.
Chapter 12
After you install and configure Citrix Access Gateway, you can
then maintain the appliance and Citrix Access Controller using
a variety of features and tools.
If you need to reimage the appliance, you can use the Imaging
Tool available from My Citrix.
To download the Imaging Tool
1. Go to http://www.citrix.com and under Citrix, click My
Citrix.
2. Log on to My Citrix and then click Downloads.
3. In Search Downloads by Product, select Access Gateway.
4. Select the Access Gateway version and then under
Appliance Firmware, click the Get Software button for
the Imaging Tool.
5. Accept the End User License Agreement and then click
Download Now.
6. Click Install and then save the ZIP file to your computer.
After you download the software, you can copy it to a USB
storage device and then reimage Access Gateway.
Caution: When you copy the Access Gateway
software to the USB storage device, any data on the device
is erased. Make sure you are using a USB storage device
that does not contain critical information. In addition, if you
restart your computer or Access Gateway with the USB
storage device in the USB port, the storage device attempts
to reimage the computer or Access Gateway.
After you configure the Access Gateway appliance for your
network environment, you can maintain the appliance in the
following ways:
adding users to the Administrators or Non Appliance Users role. If these System
accounts are modified or if the console is open when COM+ security is applied, your
cluster could stop functioning and you might lose data.
Note: Before you import cluster configuration data, Citrix recommends creating a
backup of the SQL database for the cluster.
Monitoring Sessions
The Access Controller Session Viewer is a session monitoring tool that allows
administrators to review user access to the cluster and to terminate user sessions.
Note: You must have administrative privileges to run the Session Viewer. An Access
Controller session is not required to run the Session Viewer.
The Session Viewer displays data from the server on which you are logged on or from
other Access Controller servers. This data includes:
• Client Language, which is the language set on the user device
• Gateway server, which is the Access Gateway through which the user is connected
• Logon Point with which the user connected
• Session Type, which is how the user connected: the Access Gateway Plug-in, Citrix
online plug-ins, or clientless access
• Traffic Inactivity Timeout, which is the length of time before the session times out
• User Agent, which is the type of Web browser the user device is connecting with
• User Domain, which is the Windows domain the user is connected through
• User Name, which is the user name of the logged-on user
• WI Embedded Mode, which indicates whether you configured the Web Interface to be
embedded in the Access Interface or to open in a Web browser window
For example, the values might appear as follows:
Client Language = en-US
Gateway server = 10.199.241.10
Logon Point = lp1
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
User Domain = AGDEV
User Name = aaa
WI Embedded Mode = Yes
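The field list above describes one session record. The following PowerShell is an added example, not part of the Citrix guide, that turns Session Viewer data copied into a text file (one "Field = value" line per field, sessions separated by a blank line; that file layout is an assumption based on the sample values shown) into objects an administrator can filter. The two session records, the list of expected gateway servers and the timeout limit are constructed for the example.

```powershell
# Added example (not from the Citrix guide). Sample Session Viewer records,
# constructed for this example; the second record's values are invented.
$sampleText = @"
Client Language = en-US
Gateway server = 10.199.241.10
Logon Point = lp1
Session Type = CVPN
Traffic Inactivity Timeout = 1440
User Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
User Domain = AGDEV
User Name = aaa
WI Embedded Mode = Yes

Client Language = en-US
Gateway server = 10.199.241.11
Logon Point = lp2
Session Type = Clientless
Traffic Inactivity Timeout = 4320
User Agent = Mozilla/5.0 (Windows NT 6.1; rv:5.0)
User Domain = AGDEV
User Name = bbb
WI Embedded Mode = No
"@

function ConvertFrom-SessionViewerText {
    # Parse "Field = value" lines into one object per session.
    param([Parameter(Mandatory)][string]$Text)
    $current = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') {
            # Blank line ends a session record
            if ($current.Count -gt 0) { [pscustomobject]$current; $current = [ordered]@{} }
            continue
        }
        # Split only on the first " = " so values containing '=' stay intact
        $idx = $line.IndexOf(' = ')
        if ($idx -lt 0) { continue }
        $key   = $line.Substring(0, $idx).Trim()
        $value = $line.Substring($idx + 3).Trim()
        $current[$key] = $value
    }
    if ($current.Count -gt 0) { [pscustomobject]$current }
}

# Review policy for this example (assumed values, not from the guide): the
# gateway servers expected to front this cluster and the longest inactivity
# timeout, in minutes, that policy allows.
$knownGateways = @('10.199.241.10')
$maxTimeout    = 1440

$sessions = ConvertFrom-SessionViewerText -Text $sampleText

# Which gateways and session types are actually in use right now
$sessions | Group-Object -Property 'Gateway server', 'Session Type' |
    Select-Object Count, Name

# Sessions worth a second look: an unexpected gateway, or a timeout above policy
$sessions | Where-Object {
    ($knownGateways -notcontains $_.'Gateway server') -or
    ([int]$_.'Traffic Inactivity Timeout' -gt $maxTimeout)
} | Select-Object 'User Domain', 'User Name', 'Gateway server', 'Session Type',
                  'Traffic Inactivity Timeout'
```

With the constructed input, the second session is reported twice over: it arrives through a gateway not in the allowlist and its timeout exceeds the limit. The same objects can be piped to Export-Csv to keep a point-in-time record of who was connected before sessions are terminated.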
Event                        Description
Endpoint analysis results
[event name missing]         Logs an event when a logon page does not appear to the user
                             due to your configured requirements.
Logon allowed
Logon denied
Resource access permissions
Important: You set audit log configuration at the cluster level and the settings apply to
all resources within the cluster. Therefore, if your cluster is distributed across multiple
servers, audit logs are written to each server within the cluster.
The general steps involved in configuring event logging are:
• Specify the events to log for the cluster. Use the Delivery Services Console to specify
the type of events logged by servers within a cluster.
• Configure log settings for each server within the cluster. Use the Windows Event
Viewer to configure log settings for each server, including the maximum log size,
when to overwrite events, and so on. By default, the maximum size of the CitrixAGE
Audit log is 5,120 KB and events are retained for seven days before they can be
overwritten. If the log reaches its maximum size and contains no events older than
seven days, Access Controller does not record new events. If this configuration does
not meet your auditing needs, increase the size of the log file and modify the event
overwrite settings.
• Consolidate event logs into a single view. Each server within a cluster maintains its
own event log. Use the Event Log Consolidator in Access Controller to collect event
log data from all servers within the cluster and display this data in a single,
consolidated view. After the Event Log Consolidator collects the data, you can
perform additional analysis by running a variety of reports based on user access,
resource access, and so on.
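The second step above is done per server in Event Viewer, which is easy to forget on one node of a cluster. The following PowerShell is an added example, not part of the Citrix guide or the Event Log Consolidator, that checks the limits of the audit log on every server and raises them where they fall below the values you choose, then gathers the newest events from all servers into one view. It assumes the log is registered under the name "CitrixAGE Audit" (the guide names the log but not its registered name), that the server names are placeholders, and that the account running it has remote Event Log rights on each server; the size and retention targets are values picked for the example.

```powershell
# Added example (not from the Citrix guide). Assumptions: log name as shown,
# placeholder server names, remote Event Log access for the current account.
$clusterServers = @('ACSERVER1', 'ACSERVER2')   # placeholders for your Access Controller servers
$logName        = 'CitrixAGE Audit'             # assumed registered log name
$wantedSizeKB   = 20480   # example policy value; the product default is 5,120 KB
$wantedDays     = 30      # example policy value; the product default is 7 days

foreach ($server in $clusterServers) {
    $log = Get-EventLog -ComputerName $server -List | Where-Object { $_.Log -eq $logName }
    if (-not $log) {
        Write-Warning "$server : log '$logName' not found"
        continue
    }
    '{0}: {1} KB max, retain {2} days, overflow {3}' -f $server,
        $log.MaximumKilobytes, $log.MinimumRetentionDays, $log.OverflowAction

    # Only ever grow the log, and keep OverwriteOlder so the retention period
    # still protects recent events from being overwritten.
    if ($log.MaximumKilobytes -lt $wantedSizeKB -or $log.MinimumRetentionDays -lt $wantedDays) {
        Limit-EventLog -ComputerName $server -LogName $logName `
            -MaximumSize ($wantedSizeKB * 1KB) -OverflowAction OverwriteOlder `
            -RetentionDays $wantedDays
        "$server : limits raised to $wantedSizeKB KB / $wantedDays days"
    }
}

# One consolidated view of the last 200 audit events from every server,
# newest first, each tagged with the server it came from.
$events = foreach ($server in $clusterServers) {
    Get-WinEvent -ComputerName $server -LogName $logName -MaxEvents 200 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, Id, LevelDisplayName, Message
}
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Limit-EventLog takes the size in bytes (it must be a multiple of 64 KB, which both the default and the example value satisfy), and -RetentionDays only applies when the overflow action is OverwriteOlder, which is why the script sets both together. Run the first half on a schedule if you want to detect a server whose limits were reset; the second half is only a quick look, and the Event Log Consolidator remains the tool for the full consolidated view and reports.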
Event log fields: Reference ID, User Name, Start Date, Start Time, End Date, End Time, Logon Point.
Although logging is enabled at the cluster level, each server maintains its own log file.
To gather logging information from all servers within the cluster into a single view, use
the Event Log Consolidator. To help you interpret the data, you can use the Event Log
Consolidator to sort events and generate reports.