Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with the installation media. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. 2003-2008 Citrix Systems, Inc. All rights reserved. v-GO code 1998-2003 Passlogix, Inc. All rights reserved. Citrix and ICA (Independent Computing Architecture) are registered trademarks and Citrix Access Gateway is a trademark of Citrix Systems, Inc. in the United States and other countries. RSA Encryption 1996-1997 RSA Security Inc., All Rights Reserved. This product includes software developed by The Apache Software Foundation (http://www.apache.org/) This product includes software developed by Salamander Software Ltd. 2002 Salamander Software Ltd. Parts 2003 Citrix Systems, Inc. All rights reserved. Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright 2003-2006 Macrovision Corporation and/or Macrovision Europe Ltd. All rights reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. 
All rights reserved. Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc. RealOne is a trademark of RealNetworks, Inc. Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners. Document Code: October 29, 2008 (KKW)
Contents

Chapter 1: Welcome
  How to Use this Guide (p. 13)
  Document Conventions (p. 13)
  Getting Service and Support (p. 14)
    Additional Maintenance Support (p. 14)
    Subscription Advantage (p. 15)
    Knowledge Center Alerts (p. 15)
    Education and Training (p. 16)
  Related Documentation (p. 16)

Chapter 3
  Deploying the Access Gateway to Access Published Applications (p. 27)
    Deploying the Access Gateway in the DMZ with a Server Farm (p. 27)
  Deploying the Access Gateway in a Double-Hop DMZ (p. 29)

Chapter 8
  Configuring RADIUS Authentication (p. 120)
    Choosing RADIUS Authentication Protocols (p. 121)
    Configuring IP Address Extraction (p. 121)
  Configuring the Access Gateway to Use One-Time Passwords (p. 122)
    Configuring RSA SecurID Authentication (p. 122)
    Configuring Secure Computing SafeWord Authentication (p. 123)
    Configuring Gemalto Protiva Authentication (p. 125)
  Configuring NTLM Authentication (p. 125)
  Configuring TACACS+ Authentication (p. 126)
  Configuring Client Certificate Authentication (p. 127)
    Configuring a Client Certificate as a Secondary Method of Authentication (p. 130)
    Configuring a Smart Card (p. 130)
    Configuring a Common Access Card (p. 130)
  Configuring Multifactor Authentication (p. 131)
    Setting Priorities for Authentication Policies (p. 131)
    Configuring Double-Source Authentication (p. 132)
  Disabling Authentication (p. 136)
  Configuring the Number of User Sessions (p. 136)
    Configuring the Global User Limit (p. 136)
  Configuring Authentication for Specific Times (p. 137)
  Configuring Authorization (p. 138)
    Setting Default Global Authorization (p. 138)
    Configuring Authorization Policies (p. 139)
    Setting the Priority for Authorization Policies (p. 140)
  Configuring LDAP Group Extraction (p. 141)
    LDAP Group Attribute Fields (p. 142)
  Configuring RADIUS Group Extraction (p. 143)
  Configuring LDAP Group Extraction for Multiple Domains (p. 145)
    Creating Session Policies for Group Extraction (p. 145)
    Creating LDAP Authentication Policies (p. 146)
    Creating Groups and Binding Policies (p. 148)

Chapter 9
  Configuring the Access Gateway Plugin for Windows (p. 155)
    Installing the Access Gateway Plugin (p. 155)
    Deploying the Access Gateway Plugin from Active Directory (p. 156)
    Monitoring and Ending User Sessions (p. 159)
    Configuring Access to Published Applications Using the Access Gateway Plugin (p. 160)
  How the Access Gateway Plugin for ActiveX Works (p. 162)
    Using the Access Gateway Plugin for ActiveX (p. 162)
  Selecting the Plugin Type (p. 163)
  Connecting Using the Access Gateway Plugin for Java (p. 164)
  How Clientless Access Works (p. 166)
    Enabling Clientless Access (p. 166)
    How Clientless Access Policies Work (p. 168)
    Configuring Domain Access for Users (p. 170)
    Configuring Clientless Access for SharePoint 2003 and SharePoint 2007 (p. 171)
  Configuring the Client Choices Page (p. 173)
    Showing the Client Choices Page at Logon (p. 174)
    Configuring Client Choices Options (p. 176)
  Configuring Access Scenario Fallback (p. 178)
  Using the WANScaler Accelerator Plugin (p. 181)
  How SmartAccess Works (p. 182)

Chapter 10
  Configuring Split Tunneling (p. 207)
    Configuring Split Tunneling and Authorization (p. 208)
  Configuring Name Service Resolution (p. 209)
  Supporting Voice over IP Phones (p. 209)
  Configuring Application Access for the Access Gateway Plugin for Java (p. 210)
    Accessing Applications using the HOSTS File Modification Method (p. 211)
    Accessing Applications Using the SourceIP and SourcePort Method (p. 211)

Appendix B: Advanced Concepts
  Configuring DNS Virtual Servers (p. 277)
  Resolving DNS Name Servers Located in the Secure Network (p. 278)
  Using Operators and Operands in Policy Expressions (p. 279)
  Configuring Server-Initiated Connections (p. 284)
  Enabling Access Gateway Plugin Logging (p. 286)
Chapter 1
Welcome
This chapter describes who should read the Citrix Access Gateway Enterprise Edition Administrator's Guide, how it is organized, and its document conventions.
Document Conventions
Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention: Boldface
Meaning: Commands, names of interface items such as text boxes and option buttons, and user input.

Convention: Italics
Meaning: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.

Convention: %SystemRoot%
Meaning: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or another name you specify when you install Windows.

Convention: Monospace
Meaning: Text displayed in a text file or command-line interface.

Convention: { braces }
Meaning: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

Convention: [ brackets ]
Meaning: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.

Convention: | (vertical bar)
Meaning: A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.

Convention: ... (ellipsis)
Meaning: You can repeat the previous item or items in command statements. For example, /route:devicename[,...] means you can type additional devicenames separated by commas.
Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization's Citrix products.
Subscription Advantage
Your product includes a one-year membership in the Citrix Subscription Advantage program. The Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Network program for more information.
To set up an alert, log on to the Citrix Support Web site at http://support.citrix.com. After you are logged on, under Products, select a product. Under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and click Remove from your Hotfix Alerts.
Related Documentation

For additional information about the Access Gateway, refer to the following guides:
- Getting Started with Citrix Access Gateway Enterprise Edition
- Citrix Access Gateway Enterprise Edition Pre-Installation Checklist
- Citrix Web Interface Administrator's Guide
- Secure Gateway to Access Gateway Migration Guide
- Citrix Access Gateway Enterprise Edition Readme
Chapter 2
The Access Gateway is a network appliance that securely delivers any application with policy-based SmartAccess control anywhere. Users can obtain easy-to-use secure access to all of the enterprise applications and data they need to be productive. IT organizations can cost-effectively extend access to applications outside the data center while maintaining strict control through SmartAccess application-level policies. IT organizations are empowered to cost-effectively meet the demands of all workers, deliver flexible working options, and implement business continuity while ensuring the highest level of information security and reducing support calls.

Access Gateway Enterprise Edition offers the following benefits:
- Remote access for the most demanding and complex environments that require increased scalability and/or performance
- High availability for uninterrupted access to critical applications and resources
- Tightest level of integration and control of remotely delivered Citrix XenApp applications and data through SmartAccess, and of published desktops with XenDesktop
- Natural replacement for existing Citrix XenApp customers who use the Secure Gateway
- Enterprise-class SSL VPN features including client-side cache clean-up, detailed auditing, and policy-based access control for Web and server applications
- Remote users can work with files on shared network drives, access email and intranet sites, and run applications just as if they were working inside your organization's firewall
- Certified to meet government and commercial security standards such as Federal Information Processing Standard (FIPS) 140-2 and ICSA
- Supports the Access Gateway universal license (included in Citrix XenApp Platinum Edition, Citrix XenDesktop Platinum Edition and Citrix NetScaler Platinum Edition)
New Features

This release of the Access Gateway includes the following new features:
- Citrix Accelerator Plugin (formerly known as the WANScaler Client). When the Access Gateway Plugin and the Accelerator Plugin are both installed on a client device, network traffic between the client device and the secure network is optimized by WANScaler before going through the Access Gateway tunnel. Users logging on to the Access Gateway over wide area networks with high latency and limited bandwidth can have improved response time and faster downloads when the Accelerator Plugin is also used.
- Remote Access to Citrix XenDesktop. Provides remote access through the Access Gateway to XenDesktop using the ICA protocol for connections. Users log on to the Access Gateway and, in the Web Interface, click a link that starts XenDesktop and allows them to open virtualized desktops in the secure network.
- Internet Protocol version 6 (IPv6). Provides support for IPv6. Users connect using IPv6 and servers in the secure network use Internet Protocol version 4 (IPv4). You can create a virtual server on which the Access Gateway listens on an IPv6 address and accepts connections from the XenApp Plugin for Hosted Apps. User connections over IPv6 are supported only for connections to XenApp. Connections to XenDesktop, with the Access Gateway Plugin, or with clientless access are not supported over IPv6.
- Clientless Access for Microsoft SharePoint. Provides support for user connections to SharePoint 2003 and 2007 using pre-configured clientless access policies.
- Single Sign-On to File Shares. Provides support for users who log on to a domain to also log on to file shares in the secure network.
Terminology Changes

Some of the terminology used to describe product components has changed. The following list contains the updated terminology used in this document. There are several name changes you need to be aware of for client software and Citrix XenApp:

From                               To
navigation page or home page       Access Interface
Secure Access                      Access Gateway Plugin
Citrix Presentation Server         Citrix XenApp
Citrix Presentation Server Clients Citrix XenApp Plugin for Hosted Apps
Web Client                         Citrix XenApp Web Plugin
Program Neighborhood Agent         Citrix XenApp Plugin
Endpoint Analysis Client           Endpoint Analysis Plugin
WANScaler Client                   Accelerator Plugin
Client connections. Users can log on to the Access Gateway using the following access methods:
- The Access Gateway Plugin is client software that is downloaded to the client device. Users log on by right-clicking an icon in the notification area on a Windows computer. Users can add an icon to the desktop that they can click to log on. If users are using a computer where the Access Gateway Plugin is not installed, they can log on using a Web browser to download and install the plugin.
- The Access Gateway Plugin for ActiveX is a version of the client software that users can use only through Internet Explorer. The Access Gateway Plugin for ActiveX works only on Windows XP.
- The Access Gateway Plugin for Java enables Mac OS X, Linux, and optionally, Windows users to log on using a Web browser.
- Citrix XenApp Plugin for Hosted Apps allows connections to published applications in a server farm.
- Clientless access provides users with the access they need without installing client software.

When configuring the Access Gateway, you can use policies to control how users log on. You can also restrict user logon with session and endpoint analysis policies.
Network resources. These include all network services to be accessed using the Access Gateway, such as file servers, applications, and Web sites.
When the user types the Access Gateway Web address, the Access Gateway checks whether any client-based security policies are in place. Such a policy is called a pre-authentication policy. If one exists, the Access Gateway checks for the specified condition on the client device. These are generally security checks that verify that the client device has the necessary security-related operating system updates, antivirus protection, and perhaps a properly configured firewall. If the client device fails the security check, the Access Gateway blocks the user from logging on. A user who cannot log on needs to download the necessary updates or packages and install them on the client device.

After a user successfully logs on, the client device can be scanned for the required client security policies. This is called a post-authentication scan. If the client device fails the scan, either the policy is not applied or the user is placed in a quarantine group. Configuring pre-authentication and post-authentication policies is optional.

When the session is established, users are directed to an Access Gateway home page where they can select resources to access. The home page that is included with the Access Gateway is called the Access Interface. If users log on using the Access Gateway Plugin for Windows, an icon in the notification area shows that the plugin is connected and users receive a message that the connection is established.

If the client's request passes both checks, the Access Gateway contacts the requested resource and initiates a secure connection between the client and that resource. The client can close an active session by right-clicking the Access Gateway icon in the notification area and then clicking Logoff. The session can also time out due to inactivity. When the session is closed, the tunnel is shut down and the client no longer has access to internal resources.
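The flow above is a small decision procedure: a pre-authentication check gates the logon form, authentication follows, and a post-authentication scan decides which session policies apply. The Python model below is an added example for this guide, not Citrix code and not the Endpoint Analysis Plugin's data format. It shows how a failed scan either skips a session policy or places the user in a quarantine group, and why the order of session policies matters when more than one can quarantine. The endpoint report fields (os_build, av_running, firewall_enabled), the policy names and the resource lists are assumptions.

```python
"""Model of the Access Gateway logon flow: pre-authentication policy,
authentication, post-authentication scan, then session policies.

Added example, not Citrix code. Field names, policy names and resources
are assumptions chosen to illustrate the decisions described in the guide.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Dict[str, object]          # facts reported by the client device
Check = Callable[[Endpoint], bool]    # a policy condition over those facts


def av_running(ep: Endpoint) -> bool:
    return bool(ep.get("av_running"))


def firewall_enabled(ep: Endpoint) -> bool:
    return bool(ep.get("firewall_enabled"))


def os_build_at_least(minimum: int) -> Check:
    return lambda ep: int(ep.get("os_build", 0)) >= minimum


@dataclass
class SessionPolicy:
    name: str
    requirement: Optional[Check]     # None: no endpoint requirement
    on_fail: str                     # "skip" (policy not applied) or "quarantine"
    resources: List[str] = field(default_factory=list)


@dataclass
class LogonResult:
    state: str                       # "blocked", "auth_failed" or "established"
    reason: str
    groups: List[str] = field(default_factory=list)
    applied: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)


# Constructed sample configuration (assumed names).
PREAUTH_POLICIES: List[Tuple[str, Check]] = [
    ("os-updates", os_build_at_least(2600)),
]
SESSION_POLICIES: List[SessionPolicy] = [
    SessionPolicy("file-shares", av_running, "quarantine", ["\\\\fs01\\home"]),
    SessionPolicy("intranet", firewall_enabled, "skip", ["http://intranet"]),
    SessionPolicy("webmail", None, "skip", ["https://mail"]),
]
QUARANTINE_GROUP = "quarantine"
QUARANTINE_RESOURCES = ["https://remediation"]   # all a quarantined user may reach


def logon(ep: Endpoint, credentials_ok: bool,
          preauth=PREAUTH_POLICIES, policies=SESSION_POLICIES) -> LogonResult:
    # 1. Pre-authentication: the device must satisfy every check before the
    #    user is allowed to present credentials at all.
    for name, check in preauth:
        if not check(ep):
            return LogonResult("blocked", f"pre-authentication policy {name} failed")

    # 2. Authentication against the configured directory or local user list.
    if not credentials_ok:
        return LogonResult("auth_failed", "invalid credentials")

    # 3. Post-authentication scan: each session policy with a requirement is
    #    evaluated; a failure either skips the policy or quarantines the user.
    applied: List[str] = []
    resources: List[str] = []
    for pol in policies:
        if pol.requirement is None or pol.requirement(ep):
            applied.append(pol.name)
            resources.extend(pol.resources)
        elif pol.on_fail == "quarantine":
            return LogonResult("established",
                               f"post-authentication scan failed for {pol.name}",
                               groups=[QUARANTINE_GROUP],
                               resources=list(QUARANTINE_RESOURCES))
        # on_fail == "skip": the policy is simply not applied to this session

    return LogonResult("established", "all checks passed",
                       groups=["authenticated-users"],
                       applied=applied, resources=resources)


# Constructed endpoint reports.
HEALTHY = {"os_build": 2600, "av_running": True, "firewall_enabled": True}
OLD_OS = {"os_build": 2195, "av_running": True, "firewall_enabled": True}
NO_AV = {"os_build": 2600, "av_running": False, "firewall_enabled": True}
NO_FIREWALL = {"os_build": 2600, "av_running": True, "firewall_enabled": False}

if __name__ == "__main__":
    for label, ep in [("healthy", HEALTHY), ("old os", OLD_OS),
                      ("no av", NO_AV), ("no firewall", NO_FIREWALL)]:
        r = logon(ep, credentials_ok=True)
        print(f"{label:12} {r.state:12} groups={r.groups} resources={r.resources}")
```

Running the module walks the four constructed endpoint reports through the flow. Note that the device with no firewall still gets a session, just without the intranet policy, while the device without antivirus gets only the quarantine resources: a "skip" policy degrades access silently, a "quarantine" policy makes the failure visible to the user and to your logs.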
Hardware Platforms
Access Gateway Enterprise Edition is available on the following hardware platforms:
- Access Gateway Model 7000 appliance
- Access Gateway Model 9000 series appliance
- Access Gateway Model 10010 appliance
Access Gateway Enterprise Edition is available as an optional feature on all versions of Citrix NetScaler.
Chapter 3
This chapter discusses deployment scenarios for the Access Gateway. You can deploy the Access Gateway at the perimeter of your organization's internal network to provide a secure single point of access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network.

In This Chapter
- Planning for Security with the Access Gateway
- Deploying the Access Gateway in the Network DMZ
- Deploying the Access Gateway in a Secure Network
- Deploying the Access Gateway to Access Published Applications
- Deploying the Access Gateway in a Double-Hop DMZ
For example, if you deploy the Access Gateway with Citrix XenApp and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway. For more information, see Installing Certificates on the Access Gateway on page 76 and Securing Connections with Digital Certificates on page 255.
If your environment supports none of the authentication types listed above or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory. For more information about authentication and authorization, see Configuring Authentication and Authorization on page 107.
Deploying additional Access Gateway appliances to support load balancing and failover
The Access Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a Web server in the internal network and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall.
Access Gateway and Web Interface deployed in the DMZ. Computers in the secure network are running Citrix XenApp.

When the Access Gateway is deployed in the DMZ to provide remote access to a server farm, you can implement one of the following three deployment possibilities:
- Deploy the Web Interface behind the Access Gateway in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ. The initial client connection goes to the Access Gateway and is then redirected to the Web Interface.
- Deploy the Access Gateway parallel to the Web Interface in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ, but the initial client connection goes to the Web Interface instead of the Access Gateway. The Web Interface interacts with the Secure Ticket Authority (STA) and generates an ICA file to ensure the XenApp plugin traffic is routed through the Access Gateway to a computer running XenApp in the server farm.
- Deploy the Access Gateway in the DMZ and deploy the Web Interface in the internal network. In this configuration, user requests are authenticated by the Access Gateway before they are relayed to the Web Interface in the secure network. The Web Interface does not perform authentication, but interacts with the STA and generates an ICA file to ensure ICA traffic is routed through the Access Gateway to the server farm.
For more information about deploying the Web Interface behind or parallel to the Access Gateway, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
Two Access Gateway appliances deployed in a double-hop DMZ

The figure above shows two Access Gateway appliances deployed in a double-hop DMZ to control access to a server farm. You can also deploy one Access Gateway in the DMZ and the second Access Gateway in the secure network. When you deploy a double-hop scenario in this manner, you can simplify your firewall rules. In this deployment, the clients, the Access Gateway appliances, and the Web Interface perform these operations:
- Users from the Internet use a Web browser and the Citrix XenApp Plugin for Hosted Apps to connect to the Access Gateway in the first DMZ.
- The Access Gateway in the first DMZ receives the client connections and redirects them to the Web Interface in the second DMZ. This Access Gateway also handles connections from the clients that connect to the server farm on the internal network.
- The Web Interface performs various interactions with the Web browser clients and with components of the server farm, including the XML Service and the Secure Ticket Authority (STA). These interactions provide users with a list of published applications and enable the user to access a published application by clicking a link in this list.

Important: The Web Interface must be installed parallel to the Access Gateway in the second DMZ.

- The Access Gateway in the second DMZ acts as a proxy that enables ICA traffic to traverse the second DMZ and connect to the server farm in the internal network. The Access Gateway in the second DMZ also enables the Access Gateway in the first DMZ to communicate with the STA in the internal network.

For detailed information about these interactions and the configurations required to deploy two Access Gateway appliances in a double-hop DMZ configuration, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
Chapter 4
The Access Gateway installs in any network infrastructure without requiring changes to the existing hardware or internal network. It works with other networking products, such as server load balancers, firewalls, routers, and IEEE 802.11 wireless devices. Citrix recommends installing the Access Gateway in the demilitarized zone (DMZ). When installed in the DMZ, the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. Typically, the private network is the internal enterprise network and the public one is the Internet. You can also use the Access Gateway to partition local area networks internally in the organization for access control and security.

In This Chapter
- Identifying Access Gateway Prerequisites
- Using the Configuration Utility
- Configuring the Access Gateway Using Wizards
- Installing the Access Gateway
- Configuring Settings Using the Serial Console
- Configuring Settings Using the Configuration Utility
- Configuring the Host Name
- Installing Licenses on the Access Gateway
- Creating Additional Virtual Servers
- Configuring IP Addresses on the Access Gateway
- Configuring Routing on the Access Gateway
- Testing Your Access Gateway Configuration
- Configuring Name Service Providers
- Quick Links. This is a list of commonly used wizards and policy managers on the appliance. You can use it to navigate quickly to the task you want to complete.
- Details Pane. The details pane, on the right of the configuration utility, displays the tasks and entities of the node selected in the navigation pane.
- Configuration Buttons. These are located at the bottom of the details pane. The buttons change depending on the path you opened in the navigation pane.
- Other Links. The following are descriptions of some of the links:
  - Settings. When you click this link, your settings are saved to your computer.
  - Save. Saves the configuration on the Access Gateway.
  - Refresh All. Whenever you perform an operation in the configuration utility, the utility checks whether its view of the configuration matches the running configuration in the appliance kernel. This link synchronizes the view with the latest configuration changes.
  - Help. Opens the online help for the configuration utility.
  - Refresh. Updates the details pane with the latest data.
  - Add to Favorites. Saves the current details pane to a favorites list on the Access Gateway. You can access your favorites by clicking Favorites at the bottom of the navigation pane.
Configuration utility
Note: Before running the Setup Wizard, download your licenses from the Citrix Web site. For more information, see Installing Licenses on the Access Gateway on page 44.
Within the wizard, you can also create session policy expressions for client connections. For more information about configuring the Access Gateway to connect to a server farm, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
- One AC power cable for the Model 7000 appliance
- Two AC power cables for the Model 9000 or 10000 series appliances
- Getting Started with Citrix Access Gateway Enterprise Edition
- Citrix Access Gateway Enterprise Edition Pre-Installation Checklist
When configuring the Access Gateway for the first time, identify the IP addresses you need to configure the appliance. These include:
- The system IP address that the Access Gateway administrator uses to configure the appliance
- The mapped IP address that routes network traffic to servers in the secure network (required)
- The subnet IP address, an optional IP address on a different subnet in your network
- The default gateway IP address
- The IP addresses for the virtual servers to which users connect
- The community name and IP address of the management station for SNMP access (optional)
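Most first-boot problems come from an address plan that is inconsistent on paper: two roles sharing one address, a gateway that is not on the system IP's subnet, or a virtual server given a private address that remote users can never reach. The script below is an added example for this guide, not a Citrix tool; it checks a plan for those mistakes before you type anything at the serial console. The plan keys, the sample addresses, and the rules it applies (system IP and default gateway on one subnet, the subnet IP on a different subnet, RFC 1918 space treated as not publicly routable) are assumptions for illustration.

```python
"""Sanity check for an Access Gateway address plan before first configuration.

Added example, not a Citrix tool. The plan keys and the rules below are
assumptions; adjust them to your own topology.
"""
import ipaddress
from typing import List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: virtual servers that remote users connect to need addresses
# outside RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse(key: str, value, problems: List[str], required: bool) -> Optional[Address]:
    """Parse one address, recording a problem instead of raising."""
    if value in (None, ""):
        if required:
            problems.append(f"{key}: required address is missing")
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        problems.append(f"{key}: {value!r} is not a valid IP address")
        return None


def validate_plan(plan: dict) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    try:
        mgmt_net = ipaddress.ip_network(plan.get("system_subnet", ""), strict=False)
    except ValueError:
        return ["system_subnet: a valid prefix such as 10.10.1.0/24 is required"]

    nsip = _parse("system_ip", plan.get("system_ip"), problems, required=True)
    mip = _parse("mapped_ip", plan.get("mapped_ip"), problems, required=True)
    snip = _parse("subnet_ip", plan.get("subnet_ip"), problems, required=False)
    gw = _parse("default_gateway", plan.get("default_gateway"), problems, required=True)
    vips = []
    for i, value in enumerate(plan.get("virtual_server_ips", [])):
        key = f"virtual_server_ips[{i}]"
        addr = _parse(key, value, problems, required=True)
        if addr is not None:
            vips.append((key, addr))

    # The system IP and the default gateway must share the management subnet.
    if nsip is not None and nsip not in mgmt_net:
        problems.append(f"system_ip: {nsip} is outside {mgmt_net}")
    if gw is not None and gw not in mgmt_net:
        problems.append(f"default_gateway: {gw} is outside {mgmt_net}")
    # A subnet IP exists to reach a different subnet, so it must not be in this one.
    if snip is not None and snip in mgmt_net:
        problems.append(f"subnet_ip: {snip} is inside {mgmt_net}; it should address another subnet")
    # Virtual servers for remote users need publicly routable addresses.
    for key, addr in vips:
        if any(addr in net for net in RFC1918):
            problems.append(f"{key}: {addr} is RFC 1918 space and not publicly routable")
    # No two roles may share an address.
    seen = {}
    for key, addr in [("system_ip", nsip), ("mapped_ip", mip),
                      ("subnet_ip", snip), ("default_gateway", gw)] + vips:
        if addr is None:
            continue
        if addr in seen:
            problems.append(f"{key}: {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = key
    return problems


# Constructed sample plans.
GOOD_PLAN = {
    "system_subnet": "10.10.1.0/24",
    "system_ip": "10.10.1.10",
    "mapped_ip": "10.10.1.11",
    "subnet_ip": "10.10.2.10",
    "default_gateway": "10.10.1.1",
    "virtual_server_ips": ["203.0.113.10"],
}
BAD_PLAN = {
    "system_subnet": "10.10.1.0/24",
    "system_ip": "10.10.1.10",
    "mapped_ip": "10.10.1.10",         # duplicates the system IP
    "subnet_ip": "10.10.1.20",         # on the management subnet, not another one
    "default_gateway": "10.10.5.1",    # not on the system IP's subnet
    "virtual_server_ips": ["192.168.0.5", "not-an-ip"],
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_plan(plan) or "OK")
```

Fill in the plan from your completed Pre-Installation Checklist and run the script; every line it prints is something to resolve before the Setup Wizard, since the system IP and default gateway are the two values you cannot easily correct from the configuration utility once they are wrong.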
For additional information about the settings you need to configure, see the Access Gateway Enterprise Edition Pre-Installation Checklist.

Caution: The flash disk cannot be changed when the appliance is powered on. Remove the flash disk only when the appliance is turned off.
Place the Access Gateway appliance in your server room rack, and secure it to the rack using the screws provided with the appliance.

1. Position the appliance in the rack.
2. Make sure that there is adequate ventilation.
3. Verify that the screw holes are aligned with the corresponding holes on the rack.
4. Insert two mounting screws on each side.
5. Tighten the mounting screws.
38
1. Connect the Ethernet cables.
2. Connect a computer to the serial console on the front of the appliance. The terminal emulation application must be configured for 9600 baud, 8 data bits, 1 stop bit, and no parity.
3. Power on the Access Gateway.
Caution: Ensure that you do not create a network loop. This occurs if you connect two of the appliance's cables to the same switch or virtual local area network (VLAN).
1. Starting from the right side, align the two square holes on the rail against the hooks on the right side of the chassis.
2. Attach the rail to the chassis with screws.
3. Repeat Steps 1 and 2 to install the left rear inner rail.
1. Determine where you want to place the system in the rack.
2. Position the chassis rail guides at the desired location in the rack, keeping the sliding rail guide facing inward.
3. Screw the assembly to the rack using the brackets provided.
4. Repeat Steps 2 and 3 to attach the assembly to the other side of the rack. Ensure that both rack rails are at the same height and that the rail guides are facing inward.
1. Line up the rear inner rails with the rack rails.
2. Slide the chassis rails into the rack rails, keeping the pressure even on both sides. You may have to depress the locking tabs when inserting the chassis.
3. When the system is pushed completely into the rack, you hear the locking tabs click.
4. Insert and tighten the thumbscrews to secure the front of the chassis to the rack.
1. Carefully remove the copper SFP module from the box.
2. Insert the copper SFP in the socket with the locking hinge in the DOWN position.
3. Push the copper SFP until it is in the locking position.
4. Move the locking hinge to the UP position and push it inward into the socket.
1. Carefully remove the fiber SFP module from the box.
2. Insert the fiber SFP in the socket with the locking hinge in the UP position.
3. Push the fiber SFP until it is in the locking position.
4. Move the locking hinge to the DOWN position.
5. Remove the fiber dust protector.
6. Move the locking hinge to the UP position and push it inward into the socket.
1. Connect the Ethernet cables.
2. Connect a computer to the serial console on the front of the appliance. The terminal emulation application must be configured for 9600 baud, 8 data bits, 1 stop bit, and no parity.
3. Power on the Access Gateway.
Important: The Access Gateway 9000 and 10000 series appliances have two power supplies. Citrix recommends that you use both power supplies. If only one power supply is used, the Access Gateway emits a high-pitched alert. Some models of the Access Gateway allow you to turn off the alert by pushing the small red button on the back of the appliance or under the face plate, near the LCD screen. If your appliance does not have this button, you cannot override the alert and you must use both power supplies.
1. At the command prompt, log on using the default user name and password, nsroot.
2. At the command prompt, type:
config ns
1. In a Web browser, type the system IP address of the Access Gateway, such as http://192.168.100.1. Note: The Access Gateway is configured with a default IP address of 192.168.100.1 and subnet mask of 255.255.0.0.
2. In User Name and Password, type nsroot. Note: Citrix recommends changing the administrator password using the Setup Wizard. The default user name and password are published, so change the password before the appliance is reachable from any network you do not fully control.
When you start the configuration utility, you can choose one of two clients. The Applet Client is a Java-based client that runs the configuration utility in a Web browser. The Web Start Client downloads the Java components so that future connections to the configuration utility can be started without typing the system IP address. Both clients require Java Runtime Environment (JRE) Version 1.4.x or later. The configuration utility has a navigation pane on the left and a details pane on the right that you use to configure the Access Gateway. The navigation pane contains the nodes that are used to configure settings on the Access Gateway. Depending on the node that you select in the navigation pane, the details pane displays the information for that node. After you log on, you can run the Setup Wizard to configure the initial settings on the Access Gateway.
1. In the configuration utility, in the navigation pane, click System.
2. In the details pane, click Setup Wizard.
3. Click Next and follow the directions in the wizard.
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Getting Started, click Access Gateway wizard.
3. Click Next and follow the instructions in the wizard.
The Access Gateway comes with a test certificate. If you do not have a signed certificate from a Certificate Authority (CA), you can use the test certificate while running the Access Gateway wizard. When you receive the signed certificate, remove the test certificate and install the signed certificate. The test certificate is not trusted by client browsers and produces a certificate warning, so Citrix recommends obtaining the signed certificate before making the Access Gateway publicly available to users. Important: You can create a Certificate Signing Request (CSR) from within the Access Gateway wizard. If you create the CSR using the Access Gateway wizard, you must exit the wizard and start it again when the signed certificate is received from the CA. For more information about certificates, see Installing and Managing Certificates on page 75. You can configure client connections for Internet Protocol version 6 (IPv6) in the Access Gateway wizard when you configure a virtual server. For more information about using IPv6 for client connections, see Configuring IPv6 for Client Connections on page 51.
1. In the configuration utility, in the navigation pane, expand Network and click Interfaces.
2. In the details pane, select the interface and click Open.
3. Do one of the following: To enable auto negotiation, click Yes and click OK. When this is enabled, the Access Gateway uses full duplex. To disable auto negotiation, click No and click OK. When this setting is selected, the Access Gateway uses half duplex.
1. In the configuration utility, in the navigation pane, expand SSL and click Certificates.
2. In the details pane, select a certificate and click Details.
3. In the Certificate Details dialog box, click Subject.
Before installing licenses on the Access Gateway, set the host name of the appliance and then restart the Access Gateway. The host name is configured using the Setup Wizard. When you generate the universal license for the Access Gateway, the host name is used in the license.
1. In a Web browser, go to http://www.citrix.com and log on to My Citrix.
2. Click Support and then click Downloads at the top of the Web page.
3. Click Product Software.
4. Under Citrix Access Gateway > Enterprise Edition, click Access Gateway 9.0, Enterprise Edition - Appliance Firmware.
5. Accept the end user license agreement.
6. Next to Platform License, click Get File.
7. Save the license to your computer.
The platform license is downloaded as a .zip file. When the platform license is copied to your computer, you can install the platform license on the Access Gateway.
To install the platform license on the Access Gateway
1. Unzip the platform license.
2. In the configuration utility, in the navigation pane, expand System and click Licenses.
3. In the details pane, click Manage Licenses.
4. Click Add, navigate to the platform license, click Select, and click OK.
When the platform license is installed, you are prompted to restart the Access Gateway. You can restart the appliance after installing the platform license or you can restart it after installing the universal license.
This process involves going to http://www.mycitrix.com/ to access your available licenses and generating a license file. When the license file is generated, download it to the computer you are using to configure the appliance. After the license file is on the computer, you can upload it to the Access Gateway. Before going to the Citrix Web site, you need the following information:
The license code. You can find the code on the Access Gateway CD, in an email you receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).
Your user ID and password for My Citrix. You can register for this password on My Citrix. Note: If you cannot locate either of these items, contact Citrix Customer Care.
The host name of the Access Gateway. The entry field for this name on My Citrix is case-sensitive, so copy the host name exactly as it is configured on the Access Gateway appliance; a license generated for a host name that differs only in case does not match the appliance.
How many licenses you want to include in the license file. You do not have to download all of the licenses you are entitled to at once. For example, if your company purchases 100 licenses, you can choose to download 50 and allocate the rest in another license file at a later time. Multiple license files can be installed on the Access Gateway.
Before obtaining your licenses, make sure you configure the host name of the appliance using the Setup Wizard and then restart the appliance. When you are ready to install the universal license on the Access Gateway, go to My Citrix to get your license.
To obtain your universal license file
1. From a Web browser, go to http://www.citrix.com/ and click My Citrix.
2. Enter your user name and password. If this is the first time you are logging on to the site, you are asked for additional background information.
3. Under My Tools, click Choose a toolbox, and click Activation System/Manage Licenses.
4. In the drop-down menu, select Activate/Allocate and follow the directions to obtain your license file.
After you successfully download the license file to your computer, you can install it on the Access Gateway. The license is installed in the /nsconfig/license directory on the Access Gateway. When you go to My Citrix to download your license, use the host name to bind the license to the appliance before generating the license file. When the file is generated, install the license on the Access Gateway. If you used the Setup Wizard to configure the initial settings on the Access Gateway, the license file is installed when you run the wizard. If you allocated part of your licenses and later allocate an additional number, you can install the additional licenses without using the Setup Wizard.
To install licenses on the Access Gateway using the configuration utility
1. In the configuration utility, in the navigation pane, expand System and click Licenses.
2. Click Manage Licenses and then click Add.
3. Navigate to the license file, select it, click Select, and then click OK to restart the Access Gateway.
After the Access Gateway restarts, verify that the license is correctly installed.
To view license information in the configuration utility
In the configuration utility, in the navigation pane, expand System and click Licenses. In the list, a green check mark appears next to Access Gateway. The field Maximum Access Gateway Users Allowed shows the number of concurrent users licensed across all installed license files.
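The following script is an added example and is not code from the Citrix guide or the appliance. It applies the rules stated above (the license is bound to the appliance host name, the binding is case-sensitive, and several partial allocations add up to the Maximum Access Gateway Users Allowed figure) to license files before they are uploaded to /nsconfig/license. It assumes FLEXlm-style text files, as Citrix license files are, with a SERVER this_host HOSTNAME=<name> line carrying the binding and each INCREMENT <feature> CITRIX <version> <expiry> <count> line granting <count> concurrent users; the feature name CAG_SSLVPN_CCU, the host names and the three sample files are constructed for this example.

```python
"""Added example (not Citrix code): sanity-check universal license files
against the configured host name before installing them.
Assumed file format: FLEXlm-style text with `SERVER this_host HOSTNAME=<name>`
binding the file and `INCREMENT <feature> CITRIX <ver> <expiry> <count> ...`
granting <count> concurrent users. Feature name, host names and sample files
are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

FEATURE = "CAG_SSLVPN_CCU"   # assumed name of the Access Gateway concurrent-user feature

# Constructed sample files: two partial allocations for "ag-dmz-01" (50 + 30)
# and one generated against the host name typed in the wrong case.
LICENSE_FILES = {
    "ag-dmz-01_50.lic": """\
SERVER this_host HOSTNAME=ag-dmz-01
VENDOR CITRIX
USE_SERVER
INCREMENT CAG_SSLVPN_CCU CITRIX 2008.0324 permanent 50 VENDOR_STRING=;LT=Retail \\
\tOVERDRAFT=0 DUP_GROUP=V ISSUED=01-jan-2008 SIGN="0000 0000"
""",
    "ag-dmz-01_30.lic": """\
SERVER this_host HOSTNAME=ag-dmz-01
VENDOR CITRIX
USE_SERVER
INCREMENT CAG_SSLVPN_CCU CITRIX 2008.0324 permanent 30 VENDOR_STRING=;LT=Retail \\
\tOVERDRAFT=0 DUP_GROUP=V ISSUED=01-feb-2008 SIGN="0000 0001"
""",
    "AG-DMZ-01_20.lic": """\
SERVER this_host HOSTNAME=AG-DMZ-01
VENDOR CITRIX
USE_SERVER
INCREMENT CAG_SSLVPN_CCU CITRIX 2008.0324 permanent 20 SIGN="0000 0002"
""",
}


@dataclass
class LicenseFile:
    name: str
    hostname: Optional[str] = None
    features: Dict[str, int] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def logical_lines(text: str) -> Iterator[str]:
    """Join FLEXlm continuation lines (trailing backslash) into single records."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_license(name: str, text: str) -> LicenseFile:
    lic = LicenseFile(name)
    for line in logical_lines(text):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "SERVER":
            # Assumed binding form: SERVER this_host HOSTNAME=<appliance host name>
            for t in tok[2:]:
                if t.startswith("HOSTNAME="):
                    lic.hostname = t.split("=", 1)[1]
        elif tok[0] == "INCREMENT":
            if len(tok) < 6 or not tok[5].isdigit():
                lic.problems.append(f"malformed INCREMENT: {line[:40]}")
                continue
            lic.features[tok[1]] = lic.features.get(tok[1], 0) + int(tok[5])
    if lic.hostname is None:
        lic.problems.append("no SERVER ... HOSTNAME= binding")
    return lic


def check_licenses(files: Dict[str, str], configured_hostname: str,
                   feature: str = FEATURE) -> Tuple[List[str], Dict[str, List[str]], int]:
    """Return (files bound to this appliance, rejected files with reasons,
    concurrent users the accepted files add up to)."""
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    total = 0
    for name, text in files.items():
        lic = parse_license(name, text)
        # Exact comparison on purpose: the binding is case-sensitive, so a file
        # generated for AG-DMZ-01 does nothing on an appliance named ag-dmz-01.
        if lic.hostname is not None and lic.hostname != configured_hostname:
            lic.problems.append(f"bound to {lic.hostname!r}, appliance is {configured_hostname!r}")
        if lic.problems:
            rejected[name] = lic.problems
            continue
        accepted.append(name)
        total += lic.features.get(feature, 0)
    return accepted, rejected, total


if __name__ == "__main__":
    ok, bad, users = check_licenses(LICENSE_FILES, "ag-dmz-01")
    print("install:", ok)
    for fname, why in bad.items():
        print("reject :", fname, "->", "; ".join(why))
    print("Maximum Access Gateway Users Allowed should read:", users)
```

Run it against the real files (replace LICENSE_FILES with the contents of the downloaded .lic files and pass the host name exactly as the Setup Wizard configured it). A file that lands in the rejected list is the usual reason the Maximum Access Gateway Users Allowed figure comes up short after a restart.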
To create or modify a policy, such as a session policy, click on the node under Available Policies / Resources and then under Related Tasks, select the action you want to perform. In Related Tasks, you can create, modify, show bindings or remove policies.
Access Gateway Policy Manager You can start the Access Gateway Policy Manager in the configuration utility.
To start the Access Gateway Policy Manager
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Policy Manager, click Change group settings and user permissions.
If you ran the Access Gateway wizard, a virtual server is configured during the wizard. You can configure additional virtual servers using the Access Gateway wizard, the Access Gateway Policy Manager, or the virtual servers node in the navigation pane of the configuration utility. If you use the Access Gateway Policy Manager, you can create a virtual server and then bind a certificate to the virtual server. You can also bind the following to virtual servers:
Preauthentication policies
Authentication policies
Auditing policies
Session policies
Traffic policies
Clientless access policies
Bookmarks
Intranet applications
Access Gateway proxy (double-hop configuration)
IP pooling (also known as intranet IPs)
Secure Ticket Authority
If you want users to log on and use a specific authentication type, such as RADIUS, you can configure a virtual server and assign it a unique IP address. When users log on, they are directed to the virtual server and then are asked for their RADIUS credentials. You can also configure how users log on to the Access Gateway. You can use a session policy to configure the type of client software, the access method, and the home page users see after logging on. You can add, modify, enable or disable, and remove virtual servers using the Access Gateway Policy Manager or the virtual server node in the navigation pane of the configuration utility.
To create a virtual server using the Access Gateway Policy Manager
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Access Gateway Policy Manager, click Change group settings and user permissions.
3. Under Configured Policies / Resources, click Virtual Servers.
4. Under Related Tasks, click Create new virtual server.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, click Add.
3. Configure the settings you want, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, click Add.
3. In Name, type a name for the virtual server.
4. Click IPv6 and in IP Address, type the IPv6 address, configure your other settings, click Create, and click Close.
The Access Gateway is configured with a default IP address of 192.168.100.1 and subnet mask of 255.255.0.0 for management access. The default IP address is used whenever a user-configured value for the system IP address is absent.
System IP address. The management IP address for the Access Gateway that is used for all management-related access to the appliance.
Mapped IP address. Used by the Access Gateway to represent the client when communicating with servers in the secure network.
Default gateway. The router that forwards traffic from outside the secure network to the Access Gateway.
Subnet IP address. Represents the client when communicating with servers on a secondary network. This is similar to the mapped IP address.
The system IP address, the mapped IP address, and default gateway are configured using the Setup Wizard.
1. In the configuration utility, in the navigation pane, expand Network and click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in IP Address, type the IP address.
4. In Netmask, type the subnet mask.
5. Under IP Type, select Mapped IP, click Create, and click Close.
The mapped IP address and subnet IP address use ports 1024 through 64000.
To configure a subnet IP address
1. In the configuration utility, in the navigation pane, expand Network and click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in IP Address, type the IP address.
4. In Netmask, type the subnet mask.
5. Under IP Type, select Subnet IP, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Network > Routing and click Routes.
2. In the details pane, on the Basic tab, click Add.
3. Configure the settings for the route and click Create.
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under Utilities, click Ping.
3. Under Parameters, in Host name, type the name of the device.
4. Under Advanced, in Source IP Address, type the Access Gateway IP address to use as the source address and click Run. If you are successfully communicating with the other device, messages indicate that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other device, the status messages indicate that zero packets were received and all the packets were lost. To correct this, repeat the procedure to add a static route.
To stop the test, in the Ping dialog box, click Stop and click Close.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click Users.
2. Under Related Tasks, click Create new user.
3. In User Name, type the user name.
4. Clear External Authentication.
5. In Password and Confirm Password, type the password, click Create, and click Close.
If you receive a certificate warning, either the test certificate or an invalid certificate is installed on the Access Gateway. If a certificate signed by a CA is installed on the appliance, make sure that the corresponding CA root certificate is installed on the client device. If you used a CA-signed certificate, verify that you generated the site certificate correctly from the signed CSR, and that the distinguished name data entered in the CSR is accurate. The problem may also be a host name to IP address mismatch with the signed certificate: check that the certificate's common name corresponds to the host name or IP address configured for the virtual server. If the logon screen does not appear or if any other error message appears, review the setup process and confirm that all steps were performed correctly and that all parameters were entered accurately. At the logon screen, enter the user name and password of the user account you created earlier. You are prompted to install the Access Gateway Plugin.
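The script below is an added example, not code from the Citrix guide or the appliance. It reproduces the checks a browser performs before it shows the warning described above, so that an administrator can tell which of the three causes applies: a self-signed certificate (which is what the shipped test certificate looks like), an issuer the client does not trust, or a name mismatch between the certificate and what the user typed for the virtual server. Certificates are represented as constructed dicts of the fields that matter (subject CN, issuer CN, subject alternative names); the host names, IP address and CA name are invented for the example, and no real certificate is parsed.

```python
"""Added example (not Citrix code): classify a browser certificate warning into
self-signed / untrusted issuer / name mismatch. Certificate inputs are
constructed dicts, not parsed certificates."""
import ipaddress
from typing import List, Set

SELF_SIGNED = "self-signed"            # the shipped test certificate looks like this
UNTRUSTED_ISSUER = "untrusted-issuer"  # CA root missing from the client device
NAME_MISMATCH = "name-mismatch"        # CN/SAN does not cover what the user typed


def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' may only be the whole leftmost
    label and covers exactly one label (*.example.com matches ag.example.com,
    but neither example.com nor a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def name_matches(cert: dict, requested: str) -> bool:
    """Match the host name or IP address the user typed against the certificate.
    A SAN extension, when present, is authoritative; the CN is a legacy fallback."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    san = cert.get("san", [])
    if san:
        if ip is not None:
            return any(kind == "IP" and ipaddress.ip_address(val) == ip for kind, val in san)
        return any(kind == "DNS" and dns_match(val, requested) for kind, val in san)
    cn = str(cert["subject_cn"])
    return cn == requested if ip is not None else dns_match(cn, requested)


def diagnose(cert: dict, requested: str, client_roots: Set[str]) -> List[str]:
    """Findings in the order an administrator should fix them; empty means no warning."""
    findings: List[str] = []
    if cert["issuer_cn"] == cert["subject_cn"]:
        findings.append(SELF_SIGNED)       # replace the test certificate with a CA-signed one
    elif cert["issuer_cn"] not in client_roots:
        findings.append(UNTRUSTED_ISSUER)  # install the CA root certificate on the client
    if not name_matches(cert, requested):
        findings.append(NAME_MISMATCH)     # regenerate the CSR with the right DN / SAN
    return findings


# Constructed samples: a factory-style test certificate and a CA-signed server certificate.
TEST_CERT = {"subject_cn": "default", "issuer_cn": "default", "san": []}
SIGNED_CERT = {
    "subject_cn": "ag.example.com",
    "issuer_cn": "Example Root CA",
    "san": [("DNS", "ag.example.com"), ("DNS", "*.vpn.example.com"), ("IP", "203.0.113.10")],
}
CLIENT_ROOTS = {"Example Root CA"}   # what the client device trusts (constructed)

if __name__ == "__main__":
    for cert, host in ((TEST_CERT, "203.0.113.10"), (SIGNED_CERT, "ag.example.com"),
                       (SIGNED_CERT, "vpn.example.com")):
        print(host, "->", diagnose(cert, host, CLIENT_ROOTS) or "no warning expected")
```

The practical consequence of the name rules: if users reach the virtual server by IP address, the certificate needs that address as an IP subject alternative name (or, for old clients, in the CN); a certificate issued for the host name alone still warns, even though the CA is trusted.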
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Network Configuration tab, in DNS Server Addresses, click Add.
4. In Enter the Name Server IP Address, type the IP address of the DNS server, click Create, click Close, and then click OK.
5. Click Save in the configuration utility.
You can also add additional WINS name servers to the Access Gateway.
To add a WINS name server to the Access Gateway
1. In the configuration utility, in the navigation pane, click Access Gateway > Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Network Configuration tab, under DNS Server Addresses, in WINS Server IP, type the IP address of the WINS server and click OK.
Next, specify the DNS virtual server name and IP address. Like the Access Gateway virtual server, an IP address must be assigned to the virtual server. However, this IP address must be on the internal side of the targeted network so that all internal addresses are resolved properly by clients. The DNS port must also be specified. If you configure a DNS server and WINS server for name resolution, you can select which server performs name resolution first using the Access Gateway wizard.
To specify name lookup priority
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Getting Started, click Access Gateway wizard.
3. Click Next to accept the current settings until you come to the Name Service Providers page.
4. In Name Lookup Priority, select WINS or DNS and then continue to the end of the wizard.
Chapter 5
If you have two Access Gateway appliances, you can deploy them in a configuration where one Access Gateway accepts and manages connections, while a second Access Gateway monitors the first appliance. If the first Access Gateway stops accepting connections for any reason, the second Access Gateway takes over and begins actively accepting connections. This prevents downtime and ensures that the services provided by the Access Gateway remain available, even if one Access Gateway is not working. This chapter covers configuring the Access Gateway in a high availability pair to support failover.
In This Chapter
How High Availability Works
Configuring the Access Gateway for High Availability
Customizing Your High Availability Deployment
Synchronizing Access Gateway Appliances
Enabling High Availability Propagation
Forcing the Primary Access Gateway to Stay Primary
Forcing the Secondary Appliance to Stay Secondary
Forcing Failover between Access Gateway Appliances
Configuring the Virtual MAC Address
Configuring High Availability Pairs over Routed Networks
Configuring Route Monitors
Configuring Link Redundancy
For example, if you have two appliances, named AG1 and AG2, you must configure AG1 with the unique Access Gateway ID and IP address of AG2, and AG2 with the unique Access Gateway ID and IP address of AG1. Note: Each Access Gateway appliance always refers to itself as Node 0. Configure each appliance with a unique node ID. Each appliance in the high availability pair must have the same license. For more information about licensing, see Installing Licenses on the Access Gateway on page 44. Any configuration file that you create or copy onto either Access Gateway using a method other than direct commands (such as SSL certificates or changes to startup scripts) must be created on or copied to both the primary and secondary Access Gateway.
When you configure a high availability pair, make sure the mapped IP addresses and default gateway address of both the primary and the secondary appliances are exactly the same. If necessary, you can change the mapped IP address at any time by running the Setup Wizard. For more information, see Configuring TCP/IP Settings Using the Setup Wizard on page 42.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, click Add.
3. In the High Availability Setup dialog box, in Remote Node IP Address, type the IP address of the second Access Gateway appliance.
4. Leave the default settings, click OK and click Close.
To configure settings for high availability
1. In the configuration utility, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select a node and click Open.
3. In ID, type the number of the node identifier. ID specifies the unique node number for the other appliance.
4. In IP Address, type the system IP address and click OK. IP Address specifies the IP address of the other appliance.
1. In the configuration utility, in the navigation pane, expand Network and click RPC.
2. In the details pane, select the node and then click Open.
3. In Password, type the new password.
4. In Confirm Password, type the password again.
5. In Source IP Address, type the system IP address of the other Access Gateway appliance.
6. Click Secure and click OK.
The RPC node password protects the configuration synchronization and command propagation traffic between the two appliances, so change it from the default on both appliances before you enable high availability, and keep it identical on both.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select a node and click Open.
3. Under High Availability Status, click Enabled and click OK.
1. In the configuration utility, in the navigation pane, expand Network and click Interfaces.
2. In the details pane, select a network interface and click Disable.
3. Repeat Steps 1 and 2 for each network interface you want to disable.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select the node whose status must be changed and click Open.
3. Under Intervals, do one or both of the following: In Hello Interval (msecs), type the value and click OK. In Dead Interval (msecs), type the value and click OK.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select the node you want to change and click Open.
3. Under HA Synchronization, click Secondary node will fetch the configuration from Primary and click OK.
You can prevent the secondary Access Gateway from synchronizing its configuration with the primary Access Gateway whenever there is a change on the primary.
To disable a node from synchronizing automatically
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select the node you want to change and click Open.
3. Under HA Synchronization, click to clear Secondary node will fetch the configuration from Primary and click OK.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Nodes tab, click Force Synchronization.
To verify that synchronization occurred, on the Nodes tab, check the entry under Synchronization State.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Nodes tab, select the node you want to change and click Open.
3. Under HA Propagation, click Primary node will propagate configuration to the Secondary and click OK.
Disabling Propagation
When propagation is disabled on the primary Access Gateway after synchronization has completed successfully, commands executed on the primary appliance are not propagated to the secondary Access Gateway. However, if synchronization occurs during this period, the configuration changes that were made while propagation was disabled are synchronized to the secondary Access Gateway. This is also true when propagation is disabled while synchronization is in progress. When you disable propagation on both appliances, the setting is effective only on the primary Access Gateway. Note: If command propagation is disabled and then enabled again, force synchronization between the appliances to make sure the commands are properly synchronized.
To disable command propagation
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Nodes tab, select the node you want to change and click Open.
3. Under HA Propagation, click to clear Primary node will propagate configuration to the Secondary and click OK.
1. On the Nodes tab, click a node and click Open.
2. Verify that the settings are the same as for the other node in the high availability pair and click OK.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select a node and click Open.
3. Under High Availability Status, click Stay Primary and click OK.
This setting can be configured only on a standalone Access Gateway appliance or on the appliance that is the primary in a high availability pair. On a standalone Access Gateway appliance, configure this setting before adding a second Access Gateway to create a high availability pair. When you add the new appliance, the existing Access Gateway stops processing traffic and becomes the secondary Access Gateway in the high availability pair, and the new Access Gateway becomes the primary appliance. This configuration can be cleared only by using the following command:
clear configuration full
Setting the Access Gateway as primary is not propagated or synchronized and affects only the Access Gateway on which the setting is configured.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select a node and click Open.
3. Under High Availability Status, click Stay Secondary and click OK.
When the Access Gateway is configured to stay secondary, it remains secondary even if the primary Access Gateway fails. If the status of an Access Gateway in a high availability pair is configured to stay secondary, it does not participate in high availability state machine transitions. You can check the status of the Access Gateway in the configuration utility on the Nodes tab. This setting works on both a standalone and a secondary Access Gateway.
On a secondary Access Gateway, this setting forces the appliance to remain secondary even if the primary Access Gateway fails; plan for that outage before you set it, because no appliance accepts connections until the primary recovers or the setting is cleared. The setting is not propagated or synchronized and affects only the Access Gateway on which it is configured.
To return the Access Gateway to service as an active high availability appliance
1. In the configuration utility, in the navigation pane, expand System > High Availability.
2. In the details pane, on the Nodes tab, select the appliance that is going to stay the primary node and click Open.
3. Under High Availability Status, click Enabled and click OK.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, select the appliance from which you want to force failover and click Force Failover.
When force failover is executed, the Access Gateway on which it was run appears in a down state. Force failover is not propagated or synchronized. Synchronization happens automatically whenever there is a change to the configuration of the primary Access Gateway. The synchronization status appears in the configuration utility. Note: When force failover is executed on the primary Access Gateway and the second Access Gateway is configured to remain the secondary appliance, an error message appears. Change your configuration to allow the secondary appliance to become primary.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, select the appliance that is going to stay the primary node and click Force Synchronization.
1. In the configuration utility, in the navigation pane, expand Network and click VMAC.
2. In the details pane, click Add.
3. In Virtual Router ID, type the value.
4. Under Associated Interfaces, in Available Interfaces, select a network interface, click Add, click Create, and click Close.
When the virtual MAC address is created, it appears in the configuration utility. If you selected a network interface, the virtual router identifier is bound to that interface.
1. In the configuration utility, in the navigation pane, expand Network and click VMAC.
2. In the details pane, select an item and click Remove.
1. In the configuration utility, in the navigation pane, expand Network and click VMAC.
2. In the details pane, select an item and click Open.
3. Under Configured Interfaces, select a network interface, click Remove, click OK, and click Close.
This section also discusses link redundancy and route monitors, Access Gateway functions that can be helpful in a cross-network high availability configuration, and covers the health check process used by each Access Gateway to ensure that its partner appliance is active.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. In the details pane, on the Nodes tab, click Add.
3. In the High Availability Setup dialog box, in Remote Node IP Address, type the IP address.
4. Click Turn on INC (Independent Network Configuration) mode on self node, click OK and click Close.
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Route Monitors tab, click Configure.
3. Under Specify Route Monitor, in Network, type the IP address of the network of the other Access Gateway appliance.
4. In Netmask, type the subnet mask of the other network, click Add, and click OK.
When this procedure is complete, the route monitor is bound to the Access Gateway.
Note: When a route monitor is not bound to an Access Gateway, the high availability state of either appliance is determined by the state of the interfaces. You can remove a route monitor from the Access Gateway.
To remove a route monitor
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Route Monitors tab, click Configure.
3. Under Configured Route Monitors, select the monitor, click Remove, and click OK.
To configure a failover interface set

1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Failover Interface Set tab, click Add.
3. In Name, type a name for the set.
4. Under Available Interfaces, select an interface and click Add.
5. Repeat Step 4 for the second interface, click Create, and click Close.
You can add as many interfaces as you need for failover between the interfaces. After you configure a failover interface set, you can remove interfaces.
Access Gateway Enterprise Edition Administrators Guide

To remove an interface from the failover interface set
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Failover Interface Set tab, select a set and click Open.
3. In the Configure FIS dialog box, under Configured Interfaces, select the interface(s) you want to remove, click Remove, and click OK.
If the failover interface set is no longer needed, you can remove it from the Access Gateway.
To remove a failover interface set
1. In the configuration utility, in the navigation pane, expand System and click High Availability.
2. On the Failover Interface Set tab, select a set and click Remove.
CHAPTER 6
On the Access Gateway, certificates are used to create secure connections and authenticate users. To establish a secure connection, you require a server certificate at one end of the connection and the root certificate of the Certificate Authority (CA) that issued the server certificate at the other end.

Server certificate. A server certificate certifies the identity of a server. The type of digital certificate that is required by the Access Gateway is called a server certificate.

Root certificate. A root certificate identifies the CA that signed the server certificate. The root certificate belongs to the CA. This type of digital certificate is required by a client device to verify the server certificate.

When establishing a secure connection with a Web browser on a client device, the server sends its certificate to the client. The Web browser (for example, Internet Explorer) checks which CA issued the certificate and whether that CA is trusted by the client. If the CA is not trusted, or if the certificate is a test certificate, the Web browser prompts the user to accept or decline the certificate (effectively accepting or declining access to the site). Users who learn to click through this prompt cannot tell a test certificate from one presented by an attacker, so do not leave a test certificate bound to a virtual server that users connect to.

The Access Gateway supports three types of certificates:

A test certificate that is bound to a virtual server and can also be used for connections to a server farm. The Access Gateway comes with a preinstalled test certificate. It is not signed by a trusted CA and is intended only for initial testing.

A certificate in PEM or DER format that is signed by a Certificate Authority (CA) and is paired with a private key.

A certificate in PKCS#12 format that is used for storing or transporting the certificate and private key together. The PKCS#12 certificate is typically exported from an existing Windows certificate store as a PFX file and then installed on the Access Gateway.
Citrix recommends using a certificate signed by a trusted Certificate Authority, such as Thawte or Verisign.
In This Chapter
Installing Certificates on the Access Gateway
Creating a Private Key
Creating a Certificate Signing Request
Installing the Signed Certificate on the Access Gateway
Unbinding Test Certificates from the Virtual Server
Configuring Intermediate Certificates
Importing an Existing Certificate to the Access Gateway

The steps for creating and installing a CA-signed certificate on the Access Gateway are:
Creating a private key that is paired with the certificate
Creating a Certificate Signing Request that is sent to the CA
Installing the signed certificate and private key on the Access Gateway
Installing root certificates on client devices
You can manage your certificates using the configuration utility. You can add and remove certificates; create Certificate Signing Requests; and create root, intermediate, and server certificates.
To create a private key

1. In the configuration utility, in the navigation pane, click SSL.
2. In the details pane, under SSL Keys, click Create RSA Key.
3. In Key Filename, type the name of the private key or click Browse to navigate to an existing file.
4. In Key Size (Bits), type the size of the private key. Use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate and many CAs refuse to sign requests made with them.
5. In Key Format, select PEM or DER. Citrix recommends PEM format for the certificate.
6. In PEM Encoding Algorithm, select DES or 3DES. Choose 3DES: single DES uses a 56-bit key and gives the stored private key very little protection.
7. In PEM Passphrase and Verify Passphrase, type the passphrase, click Create, and click Close.
To create a DSA private key in the configuration utility, click Create DSA Key. Follow the same steps above to create the DSA private key.
To create a Certificate Signing Request using the Access Gateway wizard

1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Getting Started, click Access Gateway wizard.
3. Follow the directions in the wizard until you come to the Specify server certificate page.
4. Click Create a Certificate Signing Request and complete the fields.
   Note: The FQDN does not need to be the same as the Access Gateway host name. It must, however, match the name users type in their Web browser to reach the Access Gateway; otherwise the browser reports a name mismatch even when the certificate is signed by a trusted CA.
5. Click Save to save the Certificate Signing Request on your computer and click Close.
6. Exit the Access Gateway wizard without saving your settings.
You can also create a CSR using the configuration utility, without running the Access Gateway wizard.
To create a Certificate Signing Request in the configuration utility
1. In the configuration utility, in the navigation pane, click SSL.
2. In the details pane, under SSL Certificates, click Create Certificate Request.
3. Complete the settings for the certificate and click Create.

After you create the private key and the Certificate Signing Request, send the request to the CA, such as Thawte or Verisign. Send only the request file: the private key stays on the Access Gateway and must never be sent to the CA or to anyone else.
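The same procedure on the openssl command line, as an added example that is not part of the guide or of the Access Gateway software: it creates a passphrase-protected RSA key and a CSR the way the configuration utility does, then runs the checks worth doing before the request leaves your hands. The FQDN gwy01.company.com is the name used later in this chapter; the passphrase, the subject fields and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Access Gateway guide): openssl equivalent of
# "Create RSA Key" and "Create Certificate Request", plus pre-submission checks.
# gwy01.company.com comes from the guide; passphrase and subject fields are constructed.
set -eu

WORK="$(mktemp -d)"
PASS='demo-passphrase-change-me'   # constructed for the demo
CN='gwy01.company.com'

# Step 1: private key. PEM format, 2048 bits, encrypted with 3DES (the stronger of the
# two ciphers the configuration utility offers; single DES has only a 56-bit key).
make_key() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/$CN.key" 2048 2>/dev/null
}

# Step 2: the CSR. The CN is the FQDN users type in the browser; it need not equal the
# appliance host name. The request is what goes to the CA; the key never leaves the box.
make_csr() {
  openssl req -new -key "$WORK/$CN.key" -passin "pass:$PASS" \
    -subj "/C=US/ST=FL/L=Fort Lauderdale/O=Company/CN=$CN" \
    -out "$WORK/$CN.csr" 2>/dev/null
}

# Check: the public key in the CSR belongs to the private key we generated
# (compare a hash of the RSA modulus on both sides).
key_matches_csr() {
  k=$(openssl rsa -noout -modulus -in "$WORK/$CN.key" -passin "pass:$PASS" | openssl sha256)
  c=$(openssl req -noout -modulus -in "$WORK/$CN.csr" | openssl sha256)
  [ "$k" = "$c" ]
}

# Check: the file we are about to send contains no private key material.
csr_has_no_private_key() {
  ! grep -q 'PRIVATE KEY' "$WORK/$CN.csr"
}

# Check: the CN really is the FQDN we intended (the sed handles both the
# "subject=/CN=..." and the "subject=CN = ..." output styles of openssl).
csr_cn() {
  openssl req -noout -subject -in "$WORK/$CN.csr" | sed 's/.*CN *= *//'
}

# Check: the key file is encrypted, i.e. it cannot be read with an empty passphrase.
key_is_encrypted() {
  ! openssl rsa -noout -in "$WORK/$CN.key" -passin 'pass:' 2>/dev/null
}

make_key
make_csr
key_matches_csr        && echo "CSR public key matches the private key"
csr_has_no_private_key && echo "CSR contains no private key"
key_is_encrypted       && echo "private key file is passphrase-protected"
echo "CSR subject CN: $(csr_cn)"
```

Run it with sh. The two checks to carry over to the appliance procedure are the modulus comparison, which catches a CSR generated against the wrong key (the commonest cause of a CA-signed certificate that the appliance refuses to pair with its key), and the grep, which confirms you are sending a request and not a key.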
To install the signed certificate on the Access Gateway

1. In the configuration utility, in the navigation pane, expand SSL and click Certificates.
2. In the details pane, click Add.
3. In Certificate-Key Pair Name, type the name of the certificate.
4. Under Details, in File Location, click Local Computer, click Browse, navigate to the certificate, and click Select.
5. In File Location, click Appliance.
6. In Private Key File Name, click Browse, click the file, and click Select. The private key has the same name as the Certificate Signing Request and is located on the Access Gateway in the directory /nsconfig/ssl.
7. If the private key is in PEM format and protected with a passphrase, in Password, type the passphrase.
8. If you want to be notified before the certificate expires, in Expiry Monitor, click Enable, and in Notification Period, type the number of days. Click Install and click Close.
To bind the certificate to a virtual server

1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, select a virtual server and click Open.
3. On the Certificates tab, under Available, select a certificate and click Add.
To unbind the test certificate from a virtual server

1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, click a virtual server and click Open.
3. On the Certificates tab, under Configured, select the test certificate and click Remove.
Responsibility for issuing certificates can be delegated by setting up subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs. In this model, the root CA is at the top of the hierarchy and has a self-signed certificate. The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the subordinate CAs.
The X.509 model showing the hierarchical structure of a typical digital certificate chain

CAs can sign their own certificates (that is, they are self-signed) or they can be signed by another CA. A CA with a self-signed certificate is called a root CA. CAs whose certificates are not self-signed are called subordinate or intermediate CAs. If a server certificate is signed by a CA with a self-signed certificate, the certificate chain is composed of exactly two certificates: the end entity certificate and the root CA certificate. If a user or server certificate is signed by an intermediate CA, the certificate chain is longer.
The following figure shows that the first two elements are the end entity certificate (in this case, gwy01.company.com) and the certificate of the intermediate CA, in that order. The intermediate CA's certificate is followed by the certificate of its own CA. This listing continues until the last certificate in the list is for a root CA. Each certificate in the chain is the issuer of, and vouches for, the certificate that precedes it. Clients validate the chain in this order: if the intermediate certificate is missing from what the Access Gateway sends, a client that trusts only the root cannot complete the chain and reports the server certificate as untrusted, even though the certificate itself is valid.
To install an intermediate certificate

1. In the configuration utility, in the navigation pane, expand SSL and click Certificates.
2. In the details pane, click Add.
3. In Certificate-Key Pair Name, type the name of the certificate.
4. Under Details, select either Local Computer or Appliance.
5. Next to Certificate File Name, click Browse to navigate to the certificate on your computer or on the Access Gateway.
6. In Certificate Format, select PEM.
7. Click Install and click Close.
When you install an intermediate certificate on the Access Gateway, you do not need to specify the private key or a password. After the certificate is installed on the appliance, the certificate needs to be linked to the server certificate.
To link an intermediate certificate to a server certificate
1. In the configuration utility, in the navigation pane, expand SSL and click Certificates.
2. In the details pane, select the server certificate and click Link.
3. Next to CA Certificate Name, select the intermediate certificate from the list and click OK.

If the intermediate CA's certificate is itself signed by another intermediate CA, install that certificate too and link the first intermediate to it in the same way, so that the chain the Access Gateway sends is complete up to, but not including, the root.
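To see what the link does from the client's side, here is an added example (not from the guide or from Citrix) that builds a root, an intermediate and a server certificate with openssl and then verifies the server certificate both with and without the intermediate. The CA names, validity periods and extension files are constructed for the demo; gwy01.company.com is the server name from this chapter's figure.

```shell
#!/bin/sh
# Added example (not from the guide): a root -> intermediate -> server chain built with
# openssl, used to show what a client checks and why the intermediate must be linked on
# the appliance. CA names, lifetimes and the working directory are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Extensions: CAs must assert basicConstraints CA:TRUE or clients reject them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gwy01.company.com\n' > server.ext

# Root CA: self-signed, top of the hierarchy (this is what clients must already trust).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Example Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem -days 3650 2>/dev/null

# Intermediate CA: its certificate is signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Example Issuing CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 1825 -extfile ca.ext 2>/dev/null

# Server (end entity) certificate: signed by the intermediate, as a public CA would do.
openssl req -new -newkey rsa:2048 -nodes -keyout gwy01.key -out gwy01.csr \
  -subj '/CN=gwy01.company.com' 2>/dev/null
openssl x509 -req -in gwy01.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out gwy01.pem -days 365 -extfile server.ext 2>/dev/null

# A client holding only the root cannot validate gwy01 on its own: the chain has a gap.
# This is the failure users see when the intermediate is installed but not linked.
verify_without_intermediate() {
  openssl verify -CAfile root.pem gwy01.pem >/dev/null 2>&1
}

# With the intermediate supplied (as the appliance does once the link is configured),
# the client can walk gwy01 -> intermediate -> trusted root.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem gwy01.pem >/dev/null 2>&1
}

# Ordering check: each certificate's issuer must be the subject of the next one up.
dn() { openssl x509 -noout "-$1" -in "$2" | sed "s/^$1=//"; }
chain_order_ok() {
  [ "$(dn issuer gwy01.pem)" = "$(dn subject inter.pem)" ] &&
  [ "$(dn issuer inter.pem)" = "$(dn subject root.pem)" ]
}

# The bundle the appliance presents: end entity first, then the intermediate. The root
# is omitted because the client must already have it in its own trust store.
cat gwy01.pem inter.pem > chain.pem

if verify_without_intermediate; then
  echo "unexpected: verified without the intermediate"
else
  echo "without intermediate: verification fails (chain incomplete)"
fi
verify_with_intermediate && echo "with intermediate: verification OK"
chain_order_ok && echo "issuer/subject links are consistent"
```

The -untrusted inter.pem argument plays the role of the linked intermediate on the appliance: the client is handed the certificate but does not have to trust it, because trust comes from the root it already holds. When you run the same check against a real deployment, point -CAfile at the root alone (on OpenSSL 1.1 or later, add -no-CApath) so that a system trust store cannot hide a missing intermediate.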
To export a certificate from Secure Gateway or IIS

1. From the console of the Secure Gateway or an Internet Information Services (IIS) server where a secure certificate is installed, click Start > Run and type mmc.exe.
2. On the File menu, click Add/Remove Snap-in.
3. On the Standalone tab, click Add and select Certificates.
4. Click Add, select Computer account, and click Next.
5. Select Local computer, click Finish, click Close, and click OK.
6. In the MMC, expand Certificates (Local Computer) > Personal > Certificates.
7. Right-click the server certificate, click All tasks, and click Export.
8. Follow the directions in the Certificate Export Wizard. As you go through the wizard, click Yes to export the private key with the certificate. If this option is not available, the private key was marked non-exportable when it was created, and you cannot reuse the certificate on the Access Gateway; request a new certificate for the appliance instead. Leave the default values for all the other options, define a password, and save the PFX file to your computer.

Treat the PFX file as you would the private key itself: it contains the key, so protect it with a strong password, copy it only over a trusted channel, and delete it from the workstation once the certificate is installed on the Access Gateway.

When the certificate is exported, you then install it on the Access Gateway.
To install the certificate and private key on the Access Gateway
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Getting Started, click Access Gateway wizard.
3. Click Next, select an existing virtual server, and click Next.
4. In Certificate Options, select Install a PKCS#12 (.pfx) file.
5. In PKCS#12 File Name, click Browse and navigate to the certificate.
6. In Password, type the password that protects the PKCS#12 file. This is the password you defined in the Certificate Export Wizard when you exported the PFX file.
7. Click Next to finish the Access Gateway wizard without changing any other settings.
When the certificate is installed on the Access Gateway, it appears in the configuration utility in the SSL > Certificates node.
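Before uploading a PFX file, it is worth confirming that it really contains the private key and that you have the right password, because the wizard otherwise reports only a generic failure. The following is an added example, not part of the guide: it uses openssl to inspect two constructed PKCS#12 files, one exported with its key and one without, standing in for the file produced by the Certificate Export Wizard. The certificate, key, file names and passwords are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the guide): checks to run on an exported .pfx file before
# installing it on the Access Gateway. Certificate, key and passwords are constructed
# for the demo in place of a real export from IIS or Secure Gateway.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
PFX_PASS='export-password'   # stands in for the password typed in the Certificate Export Wizard

# Constructed stand-ins: one PFX exported with the private key, one exported without it
# (what you get when "export the private key" is unavailable or left unchecked).
openssl req -x509 -newkey rsa:2048 -nodes -keyout gwy01.key -out gwy01.pem -days 365 \
  -subj '/CN=gwy01.company.com' 2>/dev/null
openssl pkcs12 -export -in gwy01.pem -inkey gwy01.key -out with-key.pfx -passout "pass:$PFX_PASS"
openssl pkcs12 -export -in gwy01.pem -nokeys -out no-key.pfx -passout "pass:$PFX_PASS"

# Does the password open the file? The appliance asks for exactly this password, not a
# PEM passphrase; a wrong one fails the PKCS#12 integrity (MAC) check.
pfx_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# How many private keys does the file carry? The appliance needs exactly one.
pfx_private_keys() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Subject CN of the first certificate in the file, to confirm it is the one you meant.
pfx_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# What the appliance effectively does on import: unpack to PEM certificate plus key.
# The -nodes output is an unencrypted key; run this only where the key is meant to live.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nodes -out "$2" 2>/dev/null
}

for f in with-key.pfx no-key.pfx; do
  echo "$f: private keys = $(pfx_private_keys "$f"), CN = $(pfx_cn "$f")"
done
pfx_password_ok with-key.pfx "$PFX_PASS" && echo "password accepted"
pfx_password_ok with-key.pfx wrong-password || echo "wrong password rejected"
```

A file that reports zero private keys is the case the export procedure warns about: the certificate is present but unusable on the appliance, and no password will fix it. Delete the PFX and any PEM copies from the workstation once the certificate is installed.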
CHAPTER 7
Policies allow you to manage and implement configuration settings under specified scenarios or conditions. An individual policy states or defines the configuration settings that go into effect when a specified set of conditions is met. Each policy has a unique name and can have a profile bound to it.

In This Chapter
How Policies Work
Configuring System Expressions
Creating Policies on the Access Gateway
How Session Policies Work
How a Traffic Policy Works
How TCP Compression Policies Work
For more information about authentication and authorization policies, see Configuring Authentication and Authorization on page 107. For more information about configuring clientless access, see How Clientless Access Works on page 166. For more information about configuring endpoint policies, see Configuring Endpoint Polices on page 217.
Policies, with the configured conditions and profiles, can be bound to virtual servers, groups, users, or globally. Policies are referred to by the type of configuration settings they control. For example, in a session policy, you can control how users log on and the amount of time users can stay logged on. If you are using the Access Gateway with Citrix XenApp, Access Gateway policy names are sent to XenApp as filters. When configuring the Access Gateway to work with XenApp and SmartAccess, the administrator uses the settings in XenApp for Access Gateway Advanced Edition, substituting the following to create the policy:

The name of the virtual server that is configured on the appliance is sent to XenApp as the Access Gateway farm name
The names of the pre-authentication or session policies are sent as filter names
For more information about configuring the Access Gateway to work with Citrix Presentation Server, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop. For more information about preauthentication policies, see Configuring Endpoint Polices on page 217.
Policy conditions based on endpoint analysis results cannot be used if the policy rule is configured as part of security settings in a session profile. Another example of configuring a conditional policy is varying the authentication policy for users. For example, users who are connecting using the Access Gateway Plugin from outside the internal network, such as from their home computer, can be authenticated using LDAP. Users who are connecting through a WAN can be authenticated using RADIUS.
Access Gateway Enterprise Edition can also be used as a Citrix NetScaler appliance. Some expressions on the appliance are more applicable to NetScaler. General and network-based expressions are used commonly with NetScaler and are not generally used with Access Gateway. Client security expressions are used on the Access Gateway to determine that the correct items are installed on the client device.
User certificates
Named expressions are independent entities. A named expression can be reused by any number of policies; each policy references it by name rather than repeating it. Named expressions are configured at the system level in the configuration utility. You can use a predefined named expression in a policy or create one of your own.
To create a named expression
1. In the configuration utility, in the navigation pane, expand AppExpert and click Expressions.
2. In the details pane, click Add.
3. In the Create Policy Expression dialog box, in Expression Name, type a name for the expression.
4. In Error Message, type the message that users see in the connection log if the client device fails to meet the policy criteria.
5. To create an expression, click Add.
6. Configure the parameters of the expression, click OK, and click Create.
A session policy is used for configuring the settings for client connections. You can define settings to configure the client software users log on with, such as the Access Gateway Plugin for Windows or the Access Gateway Plugin for ActiveX. Session policies are evaluated and applied after the user is authenticated. Session policies are applied according to the following rules:

Session policies always override global settings in the configuration
Any attributes or parameters that are not set by a session policy take the values set on the virtual server
Any attributes that are not set by a session policy or by the virtual server take the values in the global configuration
The following instructions are general guidelines for creating session policies. Specific instructions for configuring session policies are located throughout this manual. The instructions might contain directions for configuring a specific setting; however, that setting can be one of many that are contained within a session profile and policy. The instructions in this manual direct you to create a setting within a session profile and then apply the profile to a session policy. You can change settings within a profile and policy without creating a new session policy. In addition, you can create all of your settings on a global level and then create a session policy to override global settings.
To create a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. Complete the settings for the session profile and click Create.
6. In the Create Session Policy dialog box, add an expression for the policy, click Create, and click Close.
Note: In the expression select True value so the policy is always applied to the level where it is bound.
Session profiles specify the actions that are applied to a user session if the policy expression conditions are met. You can use session profiles to configure the following network settings:

DNS server
WINS server IP address
Using the mapped IP address as the client IP address
Intranet IP address (also called IP pooling)
Intranet IP DNS suffix
Spoof intranet IP address
HTTP ports
Forced time-out settings

The following settings are used when users log on to the appliance:

Access Interface or customized home page
Web address for Web-based email, such as Outlook Web Access
Windows plugin type (Access Gateway Plugin for Windows or Access Gateway Plugin for ActiveX)
Plugin type (Access Gateway Plugin or Access Gateway Plugin for Java)
Split tunneling
Session and idle time-out settings
Clientless access
Clientless access URL encoding
Single sign-on to Web applications
Credential index for authentication
Single sign-on with Windows
Logon scripts
Client debug settings
Split DNS
Access to private network IP addresses and local LAN access
Client choices
Client cleanup behavior
Proxy settings

For more information about configuring settings for client connections, see Configuring Connections for the Access Gateway Plugin on page 185. The following are security settings that can be configured using a session profile:

Default authorization action (allow or deny)
Quarantine groups
Authorization groups

For more information about configuring authorization on the Access Gateway, see Configuring Authorization on page 138. The following are settings for connections to servers running Citrix XenApp or XenDesktop:

ICA proxy (client connections that use the Citrix XenApp Plugin for Hosted Apps)
Web Interface address
Web Interface portal mode
Single sign-on to the server farm domain
For more information about configuring settings for connecting to published applications in a server farm, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
To create a session profile

1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, click the Profiles tab and click Add.
3. Configure the settings for the profile, click Create, and click Close.
To add a session profile to a session policy

1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. On the Policies tab, do one of the following:
   Click Add to create a new session policy.
   -or-
   Select a policy and click Open.
3. In Request Profile, select a profile from the list.
4. Finish configuring the session policy and exit the dialog box.
For more information about using session policies for client connections and configuring the settings, see Configuring Connections for the Access Gateway Plugin on page 185.
To bind a session policy using the Access Gateway Policy Manager

1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Session Policies and click a policy.
2. Drag the session policy to the user, group, virtual server, or Access Gateway global session policy under Configured Policies / Resources.
When the traffic policy is created, you can bind the policy to virtual servers, users, groups or globally. For example, you have the Web application PeopleSoft Human Resources installed on a server in the internal network. You can create a traffic policy for this application that defines the destination IP address, the destination port, and set the amount of time a user can stay logged on to the application, such as 15 minutes. If you want to configure other features, such as HTTP compression to an application, you can use a traffic policy to configure the settings. When creating the policy, use the HTTP parameter for the action. In the expression, create the destination address for the server running the application.
To create a traffic policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Traffic Policies.
2. Under Related Tasks, click Create new traffic policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. In Protocol, select either HTTP or TCP.
   Note: If you select TCP as the protocol, single sign-on cannot be configured and is disabled in the profile dialog box.
7. To limit the time users can stay logged on to the Web application, in AppTimeout (mins), type the number of minutes.
8. To enable single sign-on to the Web application, in Single Sign-On, select ON.
9. To specify a file type association, in File Type Association, select ON and click Create.
10. To use the WANScaler Accelerator Plugin to optimize network traffic, in WanScaler, select ON.
11. In the Create Traffic Policy dialog box, create or add an expression, click Create, and click Close.
To bind a traffic policy using the Access Gateway Policy Manager

1. Under Available Policies / Resources, expand Traffic Policies and click a traffic policy.
2. Drag the policy to Traffic Policies under Configured Policies / Resources for the level to which you want the policy bound.
To bind a traffic policy globally using the configuration utility

1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies > Traffic.
2. In the details pane, select a policy and click Global Bindings.
3. In the Bind / Unbind Traffic Policies dialog box, under Active, select the policy and click OK.
To unbind a traffic policy using the Access Gateway Policy Manager

1. Under Configured Policies / Resources, expand the node that has the traffic policy bound to it, click Traffic Policies, and then click the traffic policy.
2. Under Related Tasks, click Unbind traffic policy.
After the traffic policy is unbound, you can remove the policy.
To remove a traffic policy using the Access Gateway Policy Manager
1. Under Available Policies / Resources, expand Traffic Policies and select the traffic policy.
2. Under Related Tasks, click Remove traffic policy.
The steps for creating file type association include:
Creating a Web Interface site
Configuring file type association using a traffic policy on the Access Gateway
Defining file extensions in XenApp
Note: When you copy these directories to the Web Interface site, the existing directories are overwritten. If you are using Web Interface 4.6 or 5.0, open the web.config file in the Web Interface site directory and add the following code. You can download this code from the Citrix Support site at http://support.citrix.com/CTX116253.
<location path="site/contentLaunch.ica">
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.ica" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
  </system.web>
</location>
<location path="site/contentLaunch.rad">
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.rad" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
  </system.web>
</location>

This code must be added after the following section in the web.config file:

<location path="site/launch.rad">
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.rad" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
  </system.web>
</location>
To create a session policy for file type association

1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Published Applications tab, configure the following settings:
   A. Next to Web Interface Address, click Override Global and type the Web address of the Web Interface.
   B. Next to Web Interface Portal Mode, click Override Global and select either Normal or Compact.
   C. Next to Single Sign-on Domain, click Override Global, type the name of the domain in which the user accounts reside, and click Create.
7. In the Create Session Policy dialog box, next to Named Expression, select True value, click Add Expression, click Create, and click Close.
After creating the session policy and binding it to the virtual server, create the traffic policy and also bind it to the virtual server. When you configure a traffic policy for file type association, create an expression to define the file extensions to be used. For example, you want to enable file type association for Microsoft Word and Microsoft Excel. An example expression is:
REQ.HTTP.URL == /*.doc || REQ.HTTP.URL == /*.xls
First, create the traffic profile for file type association. Then, create a traffic policy using the profile and creating the expression. Create both the policy and the profile using the configuration utility. Note: When creating a traffic profile for file type association, the protocol must be HTTP.
To create a traffic profile for file type association
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Traffic.
2. In the details pane, on the Profiles tab, click Add.
3. In Name, type a name for the profile.
4. In File Type Association, select ON and click Create.
After you create the profile, create the policy and add the profile.
To configure file type association using a traffic policy
1. On the Policies tab, click Add.
2. In Name, type a name for the policy.
3. In the Create Traffic Policy dialog box, under Expressions, select Advanced Free-Form and click Add.
4. In the Add Expression dialog box, do the following:
   A. In Expression Type, click General.
   B. In Flow Type, select REQ.
   C. In Protocol, select HTTP.
   D. In Qualifier, select URL.
   E. In Operator, select ==.
   F. In Value, type /*.FileExtensionType, where .FileExtensionType is the file type, such as .doc or .xls, and click OK.
5. In the Create Traffic Policy dialog box, under Expressions, next to Advanced Free-Form, click OR.
6. Repeat Steps 4 and 5 for each file extension you want to include, click Create, and click Close.
Enabling file extensions in Citrix XenApp

After file extensions are enabled in XenApp, file type association is enabled and functional with Access Gateway.
Wide area network (WAN) latency reduction. The number of round trips of the network traffic is reduced because fewer packets are needed after compression.

Reduce bandwidth costs. The bandwidth requirements of the site are reduced, resulting in lower expenses.

Faster transmission. Compression and transmission of the compressed data take place between the Access Gateway and the client device; the server in the internal network is not involved in compressing the data.

The Access Gateway combines compression with the SSL acceleration feature to ensure continuous delivery of secure content without compromising performance. The Access Gateway supports the following compression methods:

GNU zip (GZIP)
Deflate
Compress
No compression

Note that data compressed before it is encrypted can reveal information about secrets that share a compression context with attacker-influenced content (the class of attacks later named CRIME and BREACH). Before enabling compression for traffic that carries session cookies or credentials, weigh that risk against the bandwidth saving.
When a TCP compression profile is configured and saved, the parameters cannot be changed. If you want to change the profile for a TCP compression policy, create a new profile and then select it in the policy.
A configured TCP compression policy with the profile configured to use GZIP and the destination ports for the expression

In this illustration, traffic from the client device to all destination ports other than 22 and 443 is compressed using GZIP. Ports 22 (SSH) and 443 (HTTPS) are excluded because that traffic is already encrypted and does not compress usefully. TCP compression policies are bound to the Access Gateway globally.
To create a TCP compression policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click TCP Compression Policies.
2. Under Related Tasks, click Create new TCP compression policy.
3. In Policy Name, type a name for the policy.
4. Next to Action, click New to create the profile.
5. In the Create Compression Action dialog box, in Name, type a name for the profile.
6. Under Compression Type, select the compression type and click Create.
7. Configure the expression, click Create, and click Close.
After you create a TCP compression policy, you can modify the policy at a later time using the Access Gateway Policy Manager. Note: When a TCP compression profile is created, after it is saved it cannot be modified. To use different settings, create a new profile and bind it to the policy.
To modify a TCP compression policy using the Access Gateway Policy Manager
1. Under Available Policies / Resources, click TCP Compression Policies and then select a policy.
2. Under Related Tasks, click Modify TCP compression policy.
3. Make the changes to the policy and click OK.
Note: TCP compression policies are bound only at the global level.
To bind a TCP compression policy using the Access Gateway Policy Manager
1. Under Configured Policies / Resources, expand Access Gateway Global.
2. Under Available Policies / Resources, click TCP Compression Policies and then click a policy.
3. Drag the policy to TCP Compression Policies under Access Gateway Global.
You can also bind the policy globally using the configuration utility.
To bind a TCP compression policy using the configuration utility
1. In the configuration utility, in the navigation pane, click Access Gateway > Policies > TCP Compression.
2. In the details pane, select a policy and click Global Bindings.
3. Under Available, select the policy, and click OK.
You can remove TCP compression policies from the Access Gateway. If the policy is bound, the binding must be removed before the policy can be removed from the appliance.
To unbind a TCP compression policy using the Access Gateway Policy Manager
1. Under Configured Policies / Resources, expand the node for Access Gateway Global.
2. Expand the node for TCP Compression Policies and select a policy.
3. Under Related Tasks, click Unbind TCP compression policy.
After the policy binding is removed, you can remove the policy.
To remove a TCP compression policy using the Access Gateway Policy Manager
1. Under Available Policies / Resources, expand the node for TCP Compression Policies.
2. Select a policy and, under Related Tasks, click Remove TCP compression policy.
1. On the client device, in the notification area, right-click the Access Gateway icon and click Configure Access Gateway.
2. In the Configuration dialog box, click the Compression tab.
CHAPTER 8
Authentication allows users to log on to the Access Gateway and connect to resources in the internal network. Authentication provides security for your internal network and is configured using policies. After authentication is configured, you can add the policy globally or to virtual servers.

In This Chapter
Configuring Authentication on the Access Gateway
Configuring Local Users
Configuring Groups
How Authentication Policies Work
Configuring LDAP Authentication
Configuring RADIUS Authentication
Configuring the Access Gateway to Use One-Time Passwords
Configuring NTLM Authentication
Configuring TACACS+ Authentication
Configuring Client Certificate Authentication
Configuring Multifactor Authentication
Disabling Authentication
Configuring the Number of User Sessions
Configuring Authentication for Specific Times
Configuring Authorization
Configuring LDAP Group Extraction
Configuring RADIUS Group Extraction
The Access Gateway also supports RSA SecurID, Secure Computing's SafeWord products, and Gemalto Protiva. Authentication using these products is configured using a RADIUS server. You can also configure smart card authentication using client certificates.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Authentication, click authentication settings.
3. In Maximum Number of Users, type the number of users who can be authenticated using this authentication type.
4. In Default Authentication Type, select the authentication type.
5. Configure the settings for your authentication type and click OK.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click Users.
2. Under Related Tasks, click Create new user.
3. In User Name, type the user name.
4. If using local authentication, click to clear External Authentication and in Password and Confirm Password, type the password for the user, click Create, and click Close.

Note: Select External Authentication to have users authenticate against an external authentication server, such as LDAP or RADIUS. Clear the check box to have the Access Gateway authenticate against the local user database.
After creating a local user, you can change the user's password or configure the user account to be authenticated against an external authentication server.

To change a user's password
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Users and click the user name.
2. Under Related Tasks, click Modify user.
3. In Password and Confirm Password, type the new password for the user, click Create and click Close.
If you have users who are configured for local authentication, you can change the authentication to an external authentication server. To do this, enable external authentication.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click the user name.
2. Under Related Tasks, click Modify user.
3. Select External Authentication and click OK.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click the user name.
2. Under Related Tasks, click Remove user and click Yes.
When the user is removed from the Access Gateway, all associated policies are also removed.
Configuring Groups
You can have groups on the Access Gateway that are local groups and can authenticate users with local authentication. If you are using external servers for authentication, groups on the Access Gateway are configured to match groups configured on authentication servers in the internal network. When a user logs on and is authenticated, if a group name matches a group on an authentication server, the user inherits the settings for the group on the Access Gateway.

After configuring groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP address of file shares and servers to which the user has access.

If you are using local authentication, create users and add them to groups that are configured on the Access Gateway. The users then inherit the settings for that group.

Important: If users are a member of an Active Directory group, the name of the group on the Access Gateway must be the same as the Active Directory group.
To create a group
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click Groups.
2. Under Related Tasks, click Create new group.
3. In Group Name, type the group name, click Create, and click Close.
You can also delete user groups from the Access Gateway.
To delete a group
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Groups and select a user group.
2. Under Related Tasks, click Remove group.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click Groups and select a user group.
2. Under Related Tasks, click Modify group.
3. On the Users tab, under Available Users, select the users, click Add and click OK.
If an authentication policy is not bound to a virtual server or globally, users are authenticated using the default authentication type, which is local authentication.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select the authentication type.
5. If you are using an external authentication type, next to Server, click New.
6. Configure the settings for your authentication type and click Create.
7. In the Create Authentication Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
You can modify configured authentication policies and profiles, such as changing the IP address of the authentication server or modifying the expression.

Note: When an authentication type is selected and the authentication profile is saved, the authentication type cannot be changed.
To modify an authentication policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, select the authentication policy.
2. Under Related Tasks, click Modify authentication policy.
3. In the Configure Authentication Policy dialog box, make the changes and click Close.
If you changed or removed an authentication server from your network, remove the corresponding authentication policy from the Access Gateway.
To remove an authentication policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, select the authentication policy.
2. Under Related Tasks, click Remove authentication policy and click Yes.
1. Under Available Policies / Resources, expand Authentication Policies and select a policy.
2. Drag and drop the policy to the virtual server, System Global, or Access Gateway Global Authentication Policies under Configured Policies / Resources.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. On the Policies tab, click Global Bindings.
3. Under Active, select the check box for the policy you want bound and click OK.
If multiple authentication policies are configured on the Access Gateway, and the policies are bound at different levels, use the Access Gateway Policy Manager to find where authentication policies are bound. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand the System Global, Access Gateway Global, or Virtual Servers node to see the authentication policies that are bound. You can also remove bound authentication policies using either the Access Gateway Policy Manager or the configuration utility.
To remove a bound authentication policy using the Access Gateway Policy Manager
1. Under Configured Policies / Resources, expand the node for the authentication policy.
2. Under Related Tasks, click Unbind authentication policy and click Yes.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. On the Policies tab, click Global Bindings.
3. Under Active, click to clear the check box for the policy you want to unbind and click OK.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. On the Policies tab, click Global Bindings.
3. In the Bind/Unbind Authentication Global Policies dialog box, under Priority, select the number and click OK.
You can also modify an authentication policy that is bound to a virtual server.
To change the priority for an authentication policy bound to a virtual server
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Virtual Servers, expand a virtual server node, expand Authentication Policies, and select a policy.
2. Under Related Tasks, click Modify priority.
3. In Priority, type the number of the priority and click OK.
LDAP connections that use the StartTLS command use port number 389. If port number 389 or 3268 is configured on the Access Gateway, the Access Gateway tries to use StartTLS to make the connection. If any other port number is used, connection attempts are made using SSL/TLS. If StartTLS or SSL/TLS cannot be used, the connection fails.

When configuring the LDAP server, the letter case must match on the server and on the Access Gateway.

If the root directory of the LDAP server is specified, all of the subdirectories are also searched to find the user attribute. In large directories, this can affect performance. For this reason, Citrix recommends that you use a specific organizational unit (OU).

The following table contains examples of user attribute fields for LDAP servers:

LDAP Server                            User Attribute   Case Sensitive
Microsoft Active Directory Server      sAMAccountName   No
Novell eDirectory                      cn               Yes
IBM Directory Server                   uid              Yes
Lotus Domino                           CN               No
Sun ONE directory (formerly iPlanet)   uid or cn        No
Note: For further information regarding LDAP server settings, see Determining Attributes in your LDAP Directory on page 119.
To configure LDAP authentication
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select LDAP.
5. Next to Server, click New.
6. In Name, type the name of the server.
   Important: This must match the name of the LDAP server in the secure network.
7. Under Server, in IP Address and Port, type the IP address and port number of the LDAP server.
8. Under LDAP server information, complete the following:
   In Base DN (location of users), type the base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for base DN are:
     ou=users,dc=ace,dc=com
     cn=Users,dc=ace,dc=com
   In Administrator Bind DN, type the administrator bind DN for queries to the LDAP directory. Examples of syntax for bind DN are:
     domain/user name
     ou=administrator,dc=ace,dc=com
     user@domain.name (for Active Directory)
     cn=Administrator,cn=Users,dc=ace,dc=com
   For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Access Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname.
   The Access Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Access Gateway unbinds the administrator credentials and rebinds with the user credentials. Because the bind account is used only to locate users, give it a dedicated, read-only directory account rather than a privileged administrator account.
   In Administrator Password and Confirm Administrator Password, type the administrator password for the LDAP server.
   In Server Logon Name Attribute, type the attribute under which the Access Gateway should look for user logon names for the LDAP server that you are configuring. The default is sAMAccountName.
   In Group Attribute, leave the default memberOf for Active Directory or change it to that of the LDAP server type you are using. This attribute enables the Access Gateway to obtain the groups associated with a user during authorization.
9. In Security Type, select the security type and click Create.
10. Create an expression, click Create and click Close.
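The Server Logon Name Attribute and Group Attribute above determine the search the Access Gateway performs after binding with the administrator credentials. The following is an added example, not code from the guide or from Citrix, of the two pieces of that search a practitioner should understand: building the user search filter with RFC 4515 escaping so that a crafted logon name cannot change the filter, and matching the CN of each memberOf value against the group names configured on the appliance (which the guide requires to be identical). The sample memberOf values are constructed; the exact filter syntax the appliance uses internally is not documented on this page.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3),
    so that a user-supplied logon name cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(logon_name_attribute: str, logon_name: str) -> str:
    """Filter that locates the user under the base DN, e.g. (sAMAccountName=alice)."""
    return f"({logon_name_attribute}={escape_filter_value(logon_name)})"


def first_rdn(dn: str):
    """Return (attribute, value) of the first RDN of a DN, honouring backslash escapes."""
    buf, escaped = [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            buf.append(ch)
    attr, _, value = "".join(buf).partition("=")
    return attr.strip(), value.strip()


def matching_groups(member_of: list, configured_groups: set) -> set:
    """Groups from the user's memberOf values whose CN exactly matches a group
    configured on the Access Gateway (the guide requires identical names)."""
    names = set()
    for dn in member_of:
        attr, value = first_rdn(dn)
        if attr.lower() == "cn" and value in configured_groups:
            names.add(value)
    return names


# Constructed example of what the directory might return for one user (not real data).
SAMPLE_MEMBER_OF = [
    "CN=VPN Users,OU=Groups,DC=ace,DC=com",
    "CN=Finance\\, EMEA,OU=Groups,DC=ace,DC=com",
    "CN=Domain Users,CN=Users,DC=ace,DC=com",
]
```

A logon name such as `*)(objectClass=*` is escaped to `\2a\29\28objectClass=\2a`, so it stays a literal value instead of widening the search; group matching is exact and case-sensitive, which is the safe reading of the guide's "must be the same" requirement.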
Note: If you select Plaintext or TLS for security, use port number 389. If you select SSL, use port number 636. With Plaintext, the administrator bind password and each user's credentials cross the network unencrypted, so select TLS or SSL unless the LDAP server supports neither.
You can search through the LDAP browser to locate other attributes. For more information, see the LDAP browser online Help.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the RADIUS authentication policy.
4. In Authentication Type, select RADIUS.
5. Next to Server, click New.
6. Under Server, in IP Address, type the IP address of the RADIUS server.
7. In Port, type the port. The default is 1812.
8. In Secret Key and Confirm Secret Key, type the RADIUS server secret.
9. In NAS ID, type the identifier number and click Create.
10. In the Create Authentication Policy dialog box, next to Named Expressions, select the expression, click Add Expression, click Create, and click Close.
After the RADIUS server settings are configured on the Access Gateway, bind the policy to make it active. This can be done either globally or to a virtual server. For more information about binding authentication policies, see Binding Authentication Policies on page 114.
If your deployment of the Access Gateway is configured to use RADIUS authentication and your RADIUS server is configured to use PAP, you can strengthen user authentication by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation and are at least 22 characters long. If possible, use a random character generation program to determine RADIUS shared secrets. To further protect RADIUS traffic, assign a different shared secret to each Access Gateway appliance or virtual server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure separately each Access Gateway policy that uses RADIUS authentication. Shared secrets are configured on the Access Gateway when a RADIUS policy is created.
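Why the shared secret matters so much with PAP: RADIUS does not encrypt the User-Password attribute, it hides it by XORing the password with MD5(secret + Request Authenticator) (RFC 2865 section 5.2), so anyone who captures one Access-Request can test candidate secrets offline until the recovered password looks like text. The block below is an added example, not code from the guide or from Citrix: it generates a secret that meets the guide's 22-character minimum, implements the RFC 2865 password hiding and its inverse, and shows the dictionary attack that a short or guessable secret permits. The password, secret and authenticator values are constructed test inputs.

```python
import hashlib
import secrets
import string

MIN_SECRET_LENGTH = 22  # the minimum length the guide recommends for a strong shared secret


def generate_shared_secret(length: int = 32) -> str:
    """Return a random secret of mixed-case letters, digits and punctuation."""
    if length < MIN_SECRET_LENGTH:
        raise ValueError(f"shared secret must be at least {MIN_SECRET_LENGTH} characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += cipher
        prev = cipher
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password and strip the zero padding."""
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def recover_weak_secret(hidden: bytes, authenticator: bytes, candidate_secrets):
    """Offline guess of the shared secret from one captured Access-Request. A candidate is
    accepted when the recovered password is entirely printable ASCII, which a wrong candidate
    produces with probability of roughly (95/256)**16 per 16-byte block."""
    for candidate in candidate_secrets:
        password = reveal_user_password(hidden, candidate, authenticator)
        if password and all(0x20 <= c < 0x7F for c in password):
            return candidate
    return None
```

A secret such as `testing123` falls to a small wordlist in microseconds; a 32-character random secret from `generate_shared_secret` is outside any practical dictionary, which is the property the guide's advice relies on. The MD5 construction itself is unchanged either way, so the secret's strength is the only protection PAP has on the wire.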
When configuring the RADIUS server for IP address extraction, you configure the vendor identifier and the attribute type.
The vendor identifier enables the RADIUS server to assign an IP address to the client from a pool of IP addresses that are configured on the RADIUS server. Together, the vendor ID and attribute type tell the Access Gateway which attribute in the RADIUS response carries the client's internal network IP address. A vendor ID of zero indicates that the attribute is a standard attribute and is not vendor encoded. The attribute type is the number of the remote IP address attribute in the RADIUS response; the minimum value is 1 and the maximum value is 255. A common configuration is to extract the standard Framed-IP-Address attribute: the vendor ID is set to zero or is not specified, and the attribute type is set to 8.
To configure IP address extraction
1. In the Access Gateway Policy Manager, under Available Policies / Resources, select a RADIUS authentication policy.
2. Under Related Tasks, click Modify authentication policy.
3. In the Configure Authentication Policy dialog box, next to Server, click Modify.
4. Under Details, in Vendor Identifier, type the value.
5. In Attribute Type, type the value, and click OK twice.
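To make the vendor ID / attribute type pair concrete, the following added example (not code from the guide or from Citrix) walks a RADIUS attribute list the way a client must to apply those two settings: vendor ID 0 selects a standard attribute such as Framed-IP-Address (type 8); a non-zero vendor ID selects a sub-attribute inside Vendor-Specific (type 26) attributes carrying that vendor's enterprise number. The sample Access-Accept attribute list is constructed, and vendor 9999 with sub-attribute 1 is an arbitrary illustrative pair, not a registered vendor. Length fields are validated rather than trusted, since the response comes from the network.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8   # standard attribute type used by the guide's common configuration
VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list of type-length-value triples.
    Malformed lengths raise instead of silently yielding garbage."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, payload[i + 2:i + length]
        i += length


def extract_client_ip(payload: bytes, vendor_id: int = 0, attr_type: int = FRAMED_IP_ADDRESS):
    """Return the dotted IPv4 address carried by the configured attribute, or None.
    vendor_id 0 selects a standard attribute; otherwise the address is looked for in the
    sub-attributes of Vendor-Specific attributes that belong to that vendor."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must be 1 to 255")
    for t, value in parse_attributes(payload):
        if vendor_id == 0:
            if t == attr_type and len(value) == 4:
                return str(ipaddress.IPv4Address(value))
        elif t == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] != vendor_id:
                continue
            for sub_type, sub_value in parse_attributes(value[4:]):
                if sub_type == attr_type and len(sub_value) == 4:
                    return str(ipaddress.IPv4Address(sub_value))
    return None


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute in the RFC 2865 recommended sub-attribute format."""
    return build_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + build_attribute(sub_type, value))


# Constructed sample attribute list from an Access-Accept (not a captured packet).
SAMPLE_ACCEPT = (
    build_attribute(1, b"alice")                                   # User-Name
    + build_attribute(FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40]))  # Framed-IP-Address
    + build_vsa(9999, 1, bytes([172, 16, 5, 9]))                   # illustrative vendor-encoded address
)
```

With the guide's common settings (vendor ID 0, attribute type 8) the sample yields 10.20.30.40; pointing the same function at vendor 9999, sub-attribute 1 yields 172.16.5.9 instead, and a vendor or type that is not present yields None rather than a guess.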
- Provide a description (not mandatory).
- Provide the system IP address.
- Provide the shared secret between the Access Gateway and the RADIUS server.
- Configure the make/model as Standard Radius.

In the agent host configuration, you need the following information:
- Provide the fully qualified domain name (FQDN) of the Access Gateway (as it appears on the certificate bound to the virtual server). After providing the FQDN, press the Tab key and the Network Address field populates itself. When the FQDN is entered, the network address automatically appears. If it does not, enter the system IP address.
- Provide the Agent Type using Communication Server.
- Configure to import all users or a set of users that are allowed to authenticate through the Access Gateway.

If it is not already configured, create an Agent Host entry for the RADIUS server, including the following information:
- Provide the FQDN of the RSA server. When the FQDN is entered, the network address automatically appears. If it does not, provide the IP address of the RSA server.
- Provide the Agent Type, which is the RADIUS Server.
For more information about configuring an RSA RADIUS server, see the manufacturer's documentation. To configure RSA SecurID, create an authentication profile and policy and then bind the policy globally or to a virtual server. To create a RADIUS policy to use RSA SecurID, see Configuring RADIUS Authentication on page 120. After creating the authentication policy, bind it to a virtual server or globally. For more information, see Binding Authentication Policies on page 114.
Access Gateway and continue to allow the Web Interface to provide SafeWord authentication for incoming HTTP traffic. For more information about configuring the Web Interface, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

The Access Gateway supports SafeWord authentication to the following Secure Computing products:
- SafeWord PremierAccess
- SafeWord for Citrix
- SafeWord RemoteAccess

Configuring the Access Gateway to authenticate using Secure Computing's SafeWord products can be done in several ways:
- Configure authentication to use a PremierAccess RADIUS server that is installed as part of SafeWord PremierAccess and allow it to handle authentication.
- Configure authentication to use the SafeWord IAS agent, which is a component of SafeWord RemoteAccess, SafeWord for Citrix, and SafeWord PremierAccess 4.0.
- Install the SafeWord Web Interface Agent to work with the Citrix Web Interface. Authentication does not have to be configured on the Access Gateway and can be handled by the Web Interface. This configuration does not use the PremierAccess RADIUS server or the SafeWord IAS Agent.

When configuring the SafeWord RADIUS server, you need the following information:
- The IP address of the Access Gateway. This should be the same as that configured on the RADIUS server client configuration.
- A shared secret.
- The IP address and port of the SafeWord server.
Configure a SafeWord policy to authenticate users. The Access Gateway acts as a SafeWord agent authenticating on behalf of users logged on using the Access Gateway Plugin. To configure SafeWord authentication on the Access Gateway, follow the steps for configuring a RADIUS server. For more information, see Configuring RADIUS Authentication on page 120.
If authentication on the Access Gateway is configured to use a one-time password with RADIUS, such as one provided by an RSA SecurID token, the Access Gateway attempts to reauthenticate users using the cached password. This occurs when changes are made to the Access Gateway or if the connection between the Access Gateway Plugin and the Access Gateway is interrupted and then restored. It can also occur when connections are configured to use the Citrix XenApp Plugin for Hosted Apps and connect to the Web Interface using RADIUS or LDAP: when a user starts an application and uses it, then returns to the Web Interface to start another application, the Access Gateway uses cached information to authenticate the user.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select NT4.
5. Next to Server, click New.
6. Complete the settings as they are configured on your Windows NT 4.0 server and click Create.
7. Next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
When the settings for Windows NT 4.0 authentication are configured, bind the authentication policy to a virtual server or globally. For more information, see Binding Authentication Policies on page 114.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create Authentication Policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select TACACS.
5. Next to Server, click New.
6. Under Server, type the IP address and port number of the TACACS+ server.
7. Under TACACS server information, in TACACS Key and Confirm TACACS key, type the key.
8. In Authorization, select ON and click Create.
9. In the Create Authentication Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
After the TACACS+ server settings are configured on the Access Gateway, bind the policy to make it active. This can be done on either the global or virtual server level. For more information about binding authentication policies, see Binding Authentication Policies on page 114.
1. In the configuration utility, in the navigation pane, click Access Gateway > Global Settings.
2. Under Settings, click Change authentication settings.
3. In Maximum Number of Users, type the number of users who can be authenticated using the client certificate.
4. In Default Authentication Type, select Cert.
5. In User Name Field, type the name of the certificate field that holds the user names.
6. In Group Name Field, type the name of the certificate field that holds the group name and click OK.
You can also create a client certificate authentication policy and bind it to a virtual server. This policy takes precedence over the global policy and can be used to restrict access to specific groups or users.
To configure a client certificate authentication policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policy.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select Cert.
5. Next to Server, click New.
6. In Name, type a name for the profile.
7. Next to Two Factor, select OFF.
8. In User Name Field and Group Name Field, enter the values and click Create.
   Note: If you previously configured client certificates as the default authentication type, use the same names as for the policy. If you completed the User Name Field and Group Name Field for the default authentication type, use the same values for the profile.
9. In the Create Authentication Policy dialog box, next to Named Expressions, select an expression, click Add Expression, click Create, and click Close.
When the client certificate authentication policy is configured, you can bind it to a virtual server.
To bind a client certificate policy to a virtual server
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, select a virtual server from the list and click Open.
3. In the Configure Access Gateway Virtual Server dialog box, click the Authentication tab.
4. Under Active, select the check box next to the certificate authentication policy and click OK.
When you want to use a client certificate for authentication, you must configure the virtual server so that client certificates are requested during the SSL handshake.
To configure a virtual server to request the client certificate
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the right pane, select a virtual server and click Open.
3. On the Certificates tab, click SSL Parameters.
4. Under Others, click Client Authentication.
5. In Client Certificate, select Optional or Mandatory and click OK twice.
Select Optional if you want to allow other authentication types on the same virtual server and do not require the use of client certificates.
Group information that is extracted during the second round of authentication is appended to the group information extracted from the certificate (if any).
When the client certificate is created, you can flash the certificate onto the smart card. When that is completed, test the smart card. To configure a client certificate on the Access Gateway, see To configure a client certificate authentication policy on page 128.
To test smart card authentication
1. Connect the smart card to the client device.
2. Open your Web browser and log on to the Access Gateway.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. On the Servers tab, click Add.
3. In Name, type a name.
4. In Authentication Type, select CERT.
5. In User Name Field, type the following: SubjectAltName:PrincipalName and click Create.
6. On the Policies tab, create a policy that uses this server and then bind the policy to the virtual server.
If a user fails to authenticate against a policy in the primary cascade, or if that user succeeds in authenticating against a policy in the primary cascade but fails to authenticate against a policy in the secondary cascade, the authentication process stops and the user is redirected to an error page. Note: Citrix recommends that when multiple policies are bound to a virtual server or globally, define unique priorities for all authentication policies.
To set the priority for global authentication policies
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. On the Policies tab, click Global Bindings.
3. In the Bind/Unbind Authentication Global Policies dialog box, under Priority, select the number and click OK.
You can also modify an authentication policy that is bound to a virtual server.
To change the priority for an authentication policy bound to a virtual server
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Virtual Servers, expand a virtual server node, expand Authentication Policies, and select a policy.
2. Under Related Tasks, click Modify priority.
3. In Priority, type the number.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. In the details pane, click Global Bindings.
3. In Bound To, select Primary or Secondary. When you select one of these settings, two password fields appear when users log on, for double-source authentication.
4. Next to the authentication policy, select Active and click OK.
5. Click Global Bindings.
6. In Bound To, select Secondary.
7. Next to the authentication policy, select Active and click OK.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, click the Profile tab and do one of the following:
   To create a new profile, click Add.
   To modify an existing profile, click Open.
3. On the Client Experience tab, next to Credential Index, click Override Global, select either the primary or secondary password and click OK.
Before configuring a client certificate, do the following:
- Create a virtual server.
- Create an LDAP authentication policy for the LDAP server.
- Set the expression for the LDAP policy to True value.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select Cert.
5. Next to Server, click New.
6. In the Configure Authentication Server dialog box, in Name, type the name of the server.
7. Next to Two Factor, select ON.
8. In the User Name Field, type Subject:CN and click Create.
9. In the Create Authentication Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
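The two User Name Field values used in this chapter, SubjectAltName:PrincipalName (smart card procedure above) and Subject:CN (this procedure), name different places in the certificate: the CN attribute of the subject Name, and the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) inside the subjectAltName extension. The following added example, not code from the guide or from Citrix, decodes exactly those two locations from DER so you can verify what a given certificate will produce as the logon user name before binding the policy. It builds its own small DER test fields rather than reading a real certificate; in production you would run the same lookups over the TBSCertificate subject and extension values, and a field the certificate does not carry should result in no user name rather than a guess.

```python
# DER-encoded OID contents: commonName (2.5.4.3) and the Microsoft UPN otherName type (1.3.6.1.4.1.311.20.2.3)
OID_COMMON_NAME = bytes.fromhex("550403")
OID_MS_UPN = bytes.fromhex("2b060104018237140203")


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def parse_tlv(data: bytes, i: int = 0):
    """Decode the element at offset i; return (tag, content, offset after it)."""
    tag, first = data[i], data[i + 1]
    i += 2
    if first & 0x80:
        k = first & 0x7F
        n = int.from_bytes(data[i:i + k], "big")
        i += k
    else:
        n = first
    if i + n > len(data):
        raise ValueError("truncated DER element")
    return tag, data[i:i + n], i + n


def children(content: bytes):
    """Yield (tag, content) for each element directly inside a constructed value."""
    i = 0
    while i < len(content):
        tag, inner, i = parse_tlv(content, i)
        yield tag, inner


def subject_common_name(name_der: bytes):
    """Subject:CN -- Name is SEQUENCE OF RDN, each RDN a SET OF AttributeTypeAndValue."""
    _, rdns, _ = parse_tlv(name_der)
    for _, rdn in children(rdns):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


def san_principal_name(san_der: bytes):
    """SubjectAltName:PrincipalName -- otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }."""
    _, general_names, _ = parse_tlv(san_der)
    for tag, other_name in children(general_names):
        if tag != 0xA0:  # only otherName entries can carry a UPN
            continue
        (_, oid), (_, explicit) = list(children(other_name))[:2]
        if oid == OID_MS_UPN:
            return parse_tlv(explicit)[1].decode("utf-8")
    return None


def certificate_user_name(field: str, subject_der: bytes, san_der: bytes):
    """Resolve the two User Name Field specifiers the guide uses against certificate fields."""
    if field == "Subject:CN":
        return subject_common_name(subject_der)
    if field == "SubjectAltName:PrincipalName":
        return san_principal_name(san_der)
    raise ValueError(f"unsupported field specifier {field!r}")


# Constructed test fields (not taken from a real certificate).
def make_subject(**attrs: str) -> bytes:
    oids = {"cn": OID_COMMON_NAME, "ou": bytes.fromhex("55040b")}  # 2.5.4.11 organizationalUnitName
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oids[k]) + tlv(0x0C, v.encode()))) for k, v in attrs.items())
    return tlv(0x30, rdns)


def make_san(upn: str) -> bytes:
    other_name = tlv(0x06, OID_MS_UPN) + tlv(0xA0, tlv(0x0C, upn.encode()))
    return tlv(0x30, tlv(0xA0, other_name))
```

For a subject of OU=Users, CN=alice with a UPN of alice@ace.com, Subject:CN yields `alice` and SubjectAltName:PrincipalName yields `alice@ace.com`; the second form is the one the smart card procedure relies on, because Windows smart card logon certificates carry the UPN there rather than in the CN.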
When the certificate authentication policy is created, bind the policy to the virtual server. After binding the certificate authentication policy, bind the LDAP authentication policy to the virtual server.

Important: The certificate authentication policy must be bound to the virtual server before the LDAP authentication policy.

After creating the policy, download and install a root certificate from your Certificate Authority in Base 64 format and save it on your computer. You can then upload the root certificate to the Access Gateway.
To install a root certificate on the Access Gateway
1. In the configuration utility, in the navigation pane, expand SSL and click Certificates.
2. In the details pane, click Add.
3. In Certificate - Key Pair Name, type a name for the certificate.
4. Under Details, in File Location, select Local Computer, click Browse, navigate to the root certificate, and click Install.
After installing the root certificate on the Access Gateway, add it to the certificate store of the virtual server.
To add a root certificate to a virtual server
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Virtual Servers and select the virtual server.
2. Under Related Tasks, click Modify virtual server.
3. On the Certificates tab, under Available, select the certificate, click Add as CA, and click OK.
4. Repeat Step 2.
5. On the Certificates tab, click SSL Parameters.
6. Under Others, select Client Authentication.
7. Under Others, next to Client Certificate, select Optional and click OK twice.
After configuring the client certificate, test the authentication by logging on to the Access Gateway using the Access Gateway Plugin. If you have more than one certificate installed, you receive a prompt asking you to select the correct certificate. After selecting the certificate, the logon screen appears with the user name populated with the information obtained from the certificate. Type the password and click Login.

If you do not see the correct user name in the User Name field on the logon screen, check the user accounts and groups in Active Directory. The groups that are defined on the Access Gateway must be the same as those in Active Directory.

In Active Directory, configure groups at the domain root level. If you create Active Directory groups that are not in the domain root level, this could cause incorrect reading of the client certificate. If users and groups are not at the domain root level, the Access Gateway logon page displays the user name that is configured in Active Directory. For example, in Active Directory, you have a folder called Users and the certificate says CN=Users. In the logon page, in User Name, the word Users appears.

If you do not want to move your group and user accounts to the root domain level, when configuring the certificate authentication server on the Access Gateway, leave User Name Field and Group Name Field blank.
Disabling Authentication
If your deployment does not require authentication, you can disable it. This should be done for each virtual server that does not require authentication.
To disable Access Gateway authentication
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, select a virtual server and click Open.
3. On the Authentication tab, under User Authentication, click to clear Enable Authentication.
Important: Disabling authentication stops the use of authentication, authorization, and accounting features that control and monitor connections to the Access Gateway. When users type a Web address to connect to the Access Gateway, the logon page does not appear.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change authentication settings.
3. In the Global Authentication Settings dialog box, in Maximum Number of Users, type the number of users and click OK.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, select a virtual server and click Open.
3. In Max Users, type the number of users and click OK.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, select an authentication policy.
2. Under Related Tasks, click Modify authentication policy.
3. Under Expression, next to Match Any Expression, click Add.
4. In the Add Expression dialog box, in Expression Type, select Date/Time.
5. In Qualifier, select one of the following:
   TIME to configure the time users cannot log on
   DATE to configure the date users cannot log on
   DAYOFWEEK to configure the day users cannot log on
6. In Operator, select the value.
7. In Value, click the calendar next to the text box and select the day, date, or time.
8. Click OK twice, click Close, and click OK.
Configuring Authorization
Authorization specifies the network resources users have when they log on to the Access Gateway. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access. Authorization on the Access Gateway is configured using an authorization policy and expressions. When an authorization policy is created, you can bind it to users or groups configured on the appliance.
To configure the default global authorization action
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Security tab, next to Default Authorization Action, select Allow or Deny and click OK.
If you set the default authorization action to Deny, you must explicitly authorize access to every network resource, which improves security.
Any global authorization action you create is applied to all users who do not already have an authorization policy associated with them, either directly or through a group. A user or group authorization policy always overrides the global authorization action. If the default authorization action is set to deny, you must apply authorization policies for all users or groups before network resources are accessible to those users or groups.
Configuring an authorization policy
Authorization policies are applied to users and groups. After a user is authenticated, the Access Gateway performs a group authorization check by obtaining the user's group information from an LDAP server, a RADIUS server, or a TACACS+ server. If group information is available for the user, the Access Gateway checks the network resources allowed for the group. To control which resources clients have access to, you must create authorization policies. If you do not need to create authorization policies, you can configure default global authorization.
To configure an authorization policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authorization Policies.
2. Under Related Tasks, click Create new authorization policy.
3. In Name, type a name for the policy.
4. In Action, select Allow or Deny.
5. Next to Match Any Expression, click Add.
6. Configure the expression, click OK twice, and click Close.
When the authorization policy is configured, bind it to a user or group. You can bind the policy using either the Access Gateway Policy Manager or the configuration utility.
To bind an authorization policy to a user or group using the Access Gateway Policy Manager
1. Under Configured Policies / Resources, expand Groups or Users and then expand the node for the user or group to which you want to add the authorization policy.
2. Under Available Policies / Resources, select the authorization policy and drag it to Authorization Policies for the user or group.
To bind an authorization policy to a user using the configuration utility
1. In the configuration utility, in the navigation pane, select Access Gateway > Users.
2. In the details pane, select a user and click Open.
3. On the Authorization tab, under Active, select the authorization policy and click OK.
To bind an authorization policy to a group using the configuration utility
1. In the configuration utility, in the navigation pane, select Access Gateway > Groups.
2. In the details pane, select a group and click Open.
3. On the Authorization tab, under Active, select the authorization policy and click OK.
You can set the priority of an authorization policy. For example, you configured an authorization policy for a group and for a user. You set the priority so that the Access Gateway checks the group policy before checking the user policy. A numeric value is assigned to the priority. For example, you can set the group priority to zero and the user priority to one for the Access Gateway to check the group authorization policy first.
To set the priority for authorization policies
1. In the configuration utility, in the navigation pane, do one of the following:
   - Select Access Gateway > Groups.
   - Select Access Gateway > Users.
2. In the details pane, select a user or group and click Open.
3. On the Authorization tab, next to the policy, under Priority, select the priority number and click OK.
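The decision order described above (a user or group policy overrides the global default action; bound policies are checked by priority number, lowest first), as an added example in Python. This is not Citrix code and does not reproduce the appliance's implementation: it assumes that policies bound directly to the user and through the user's groups are merged and sorted by priority, that the first matching expression decides, and that the global default action applies only when no bound policy matches. The users, groups, policies, and addresses are constructed.

```python
"""Added example (not Citrix code): a model of Access Gateway-style authorization.

Assumed rules, taken from the guide's description: a user or group policy
overrides the global default action; bound policies are checked in order of
their priority number (lowest first); the first policy whose expression matches
the request decides. Policies, users, groups, and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """A connection attempt through the gateway to an internal resource."""
    dest_ip: str
    dest_port: int


@dataclass
class AuthzPolicy:
    name: str
    action: str                         # "ALLOW" or "DENY"
    priority: int                       # lower number is evaluated first
    matches: Callable[[Request], bool]  # the policy expression


def dest_in(cidr: str, port: Optional[int] = None) -> Callable[[Request], bool]:
    """Build an expression: destination inside cidr (and, optionally, on one port)."""
    net = ip_network(cidr)

    def expr(req: Request) -> bool:
        return ip_address(req.dest_ip) in net and (port is None or req.dest_port == port)

    return expr


@dataclass
class Gateway:
    default_action: str = "DENY"  # the guide recommends keeping the global default at deny
    user_policies: Dict[str, List[AuthzPolicy]] = field(default_factory=dict)
    group_policies: Dict[str, List[AuthzPolicy]] = field(default_factory=dict)
    membership: Dict[str, List[str]] = field(default_factory=dict)  # user -> groups

    def bound_policies(self, user: str) -> List[AuthzPolicy]:
        """All policies bound to the user directly or through a group, ordered by priority."""
        pols = list(self.user_policies.get(user, []))
        for group in self.membership.get(user, []):
            pols.extend(self.group_policies.get(group, []))
        return sorted(pols, key=lambda p: p.priority)  # stable sort: ties keep binding order

    def authorize(self, user: str, req: Request) -> Tuple[str, str]:
        """Return (action, name of the deciding policy)."""
        for pol in self.bound_policies(user):
            if pol.matches(req):
                return pol.action, pol.name
        return self.default_action, "global default"


def build_sample_gateway(default_action: str = "DENY") -> Gateway:
    """Constructed configuration: the 'sales' group may reach HTTPS servers on
    172.16.100.0/24 (priority 0); user 'alice' is denied everything else on that
    subnet (priority 1), so the group policy is consulted first, as in the guide."""
    gw = Gateway(default_action=default_action)
    gw.group_policies["sales"] = [
        AuthzPolicy("sales-https", "ALLOW", 0, dest_in("172.16.100.0/24", 443))
    ]
    gw.user_policies["alice"] = [
        AuthzPolicy("alice-deny-subnet", "DENY", 1, dest_in("172.16.100.0/24"))
    ]
    gw.membership["alice"] = ["sales"]
    return gw


if __name__ == "__main__":
    gw = build_sample_gateway()
    print(gw.authorize("alice", Request("172.16.100.10", 443)))  # group policy first: ALLOW
    print(gw.authorize("alice", Request("172.16.100.10", 22)))   # user policy: DENY
    print(gw.authorize("bob", Request("172.16.100.10", 443)))    # nothing bound: global default
```

The last call shows why the guide recommends leaving the global default at Deny: a user with no bound policy gets whatever the global action is, so with a default of Allow every unconfigured user can reach every resource.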
For example, in IBM Directory Server, all group memberships, including the static, dynamic, and nested groups, can be returned using the ibm-allGroups attribute. In Sun ONE, all roles, including managed, filtered, and nested, are calculated using the nsRole attribute.
LDAP authorization is configured in the authentication policy by setting the group attribute name and the subattribute.
To configure LDAP authorization
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select LDAP.
5. Next to Server, click New.
6. Under Server, type the IP address and port of the LDAP server.
7. In Group Attribute, type memberOf.
8. In Sub attribute Name, type CN and click Create.
9. In the Create authentication policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
If IAS is not installed on the RADIUS server, you can install it from Add/Remove Programs in Control Panel. For more information, see the Windows online Help.
To configure IAS, use the Microsoft Management Console (MMC) and install the snap-in for IAS. Follow the wizard, making sure you select the following settings:
- Select local computer.
- Select Remote Access Policies and create a custom policy.
- Select Windows-Groups for the policy.
- Select one of the following protocols:
  - Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2)
  - Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
  - Challenge-Handshake Authentication Protocol (CHAP)
Select the Vendor-Specific Attribute. The Access Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Access Gateway. This is done by sending the Vendor-Specific Attributes to the Access Gateway. Make sure you type RADIUS=Standard.
The RADIUS default is 0. Use this number for the vendor code. The vendor-assigned attribute number is 0. This is the assigned number for the User Group attribute. The attribute is in string format.
Select String for the Attribute format. The Attribute value requires the attribute name and the groups. For the Access Gateway, the attribute value is CTXSUserGroups=groupname. If two groups are defined, such as sales and finance, the attribute value is CTXSUserGroups=sales;finance. Separate each group with a semicolon.
Remove all other entries in the Edit Dial-in Profile dialog box, leaving the one that says Vendor-Specific.
When you are finished configuring the Remote Access Policy in IAS, go to the Access Gateway and configure RADIUS authorization. When configuring RADIUS authentication, use the settings that are configured on the IAS server.
To configure RADIUS authorization
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Authentication Policies.
2. Under Related Tasks, click Create new authentication policy.
3. In Name, type a name for the policy.
4. In Authentication Type, select RADIUS.
5. Next to Server, click New.
6. In Name, type the name of the RADIUS server.
7. Under Server, type the IP address and port of the RADIUS server.
8. Under Details, enter the values for Group Vendor Code and Group Attribute Type.
9. In Password Encoding, select the authentication protocol and click Create.
10. In the Create Authentication Policy dialog box, next to Named Expressions, click General, select True value, click Add Expression, click Create, and click Close.
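The two group-extraction settings configured above (LDAP: Group Attribute memberOf with Sub attribute CN; RADIUS: a Vendor-Specific Attribute whose value is CTXSUserGroups=sales;finance), as an added Python example of what the gateway has to do with the data it receives. This is not Citrix code; it assumes the gateway takes the first RDN of each memberOf DN, keeps its value when the attribute type equals the configured sub-attribute, splits the RADIUS attribute value on semicolons, and then matches the extracted names exactly (case-sensitive, as the guide states for Active Directory group names) against the groups configured on the appliance. All DNs and attribute values below are constructed.

```python
"""Added example (not Citrix code): the group extraction the guide configures.

LDAP: the gateway reads the Group Attribute (memberOf) and keeps the
Sub attribute (CN) of each DN. RADIUS: IAS returns a Vendor-Specific
Attribute whose string value is CTXSUserGroups=group1;group2. Extracted
names are then matched against the groups configured on the gateway;
the guide says these names are case-sensitive. All inputs are constructed.
"""
import re
from typing import Iterable, List

# First RDN of a DN: attribute type, '=', then a value in which a backslash
# escapes the next character (so "CN=Smith\, John,OU=..." is handled).
_FIRST_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=((?:\\.|[^,\\])*)")


def ldap_groups(member_of: Iterable[str], sub_attribute: str = "CN") -> List[str]:
    """Return the sub-attribute value of each DN in the group attribute.

    DNs whose first RDN is not the configured sub-attribute are skipped; the
    gateway then has no group to match, which is the situation the guide
    describes when directory objects are not where the configuration expects.
    """
    groups: List[str] = []
    for dn in member_of:
        m = _FIRST_RDN.match(dn)
        if m and m.group(1).upper() == sub_attribute.upper():
            value = re.sub(r"\\(.)", r"\1", m.group(2)).strip()  # drop escape characters
            groups.append(value)
    return groups


def radius_groups(vsa_value: str, attribute_name: str = "CTXSUserGroups") -> List[str]:
    """Parse 'CTXSUserGroups=sales;finance' into ['sales', 'finance']."""
    name, sep, rest = vsa_value.partition("=")
    if not sep or name.strip() != attribute_name:
        raise ValueError(f"unexpected attribute value: {vsa_value!r}")
    return [g.strip() for g in rest.split(";") if g.strip()]


def matched_groups(extracted: Iterable[str], configured: Iterable[str]) -> List[str]:
    """Groups the user belongs to that also exist on the gateway (exact, case-sensitive match)."""
    configured_set = set(configured)
    seen: List[str] = []
    for g in extracted:
        if g in configured_set and g not in seen:
            seen.append(g)
    return seen


if __name__ == "__main__":
    # Constructed directory data for a user in two groups, plus one DN without a CN.
    member_of = [
        "CN=Sales,OU=Groups,DC=example,DC=com",
        "CN=Finance,OU=Groups,DC=example,DC=com",
        "OU=Nested,DC=example,DC=com",
    ]
    print(ldap_groups(member_of))                         # ['Sales', 'Finance']
    print(radius_groups("CTXSUserGroups=sales;finance"))  # ['sales', 'finance']
    # Only the exact spelling configured on the gateway matches.
    print(matched_groups(["Sales", "sales", "finance"], ["sales", "finance"]))
```

The last line is the practical check behind the guide's warning about case: a directory group "Sales" never matches a gateway group "sales", so the user silently falls through to whatever the global default action is.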
To create session profiles for multiple domains
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, click the Profiles tab and click Add.
3. In Name, type a name for the profile, such as Sampa.
4. On the Published Applications tab, do the following:
   A. Next to ICA Proxy, click Override Global and select ON.
   B. Next to Web Interface Address, click Override Global and type the URL of the Web Interface.
   C. Next to Single Sign-On Domain, click Override Global, type the name of the domain, and click Create.
5. In Name, clear the name of the first domain and type the name of the second domain, such as Child.
6. Next to Single Sign-On Domain, clear the name of the first domain and type the name of the second domain, click Create, and click Close.
When the session profiles are created, create two session policies. Each session policy uses one of the profiles.
To create a session policy
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, on the Policies tab, click Add.
3. In Name, type a name for the policy.
4. In Request Profile, select the profile for the first domain.
5. Next to Named Expressions, click General, select True value, click Add Expression, and click Create.
6. In Name, change the name to the second domain.
7. In Request Profile, select the profile for the second domain, click Create, and click Close.
To create authentication profiles for multiple domains
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Authentication.
2. In the details pane, click the Servers tab and click Add.
3. In Name, type the name of the first domain, such as Sampa.
4. Configure the authentication profile for the first domain (shown in the guide's illustration). In this example, the domain name is Sampa.
5. Repeat Steps 3 and 4 to configure the authentication profile for the second domain (shown in the guide's illustration). In this example, the domain name is Child. Click Close.
When the profiles are created and saved, create the authentication policies.
To create authentication policies for multiple domain group extraction
1. In the configuration utility, in the details pane, click the Policies tab and click Add.
2. In Name, type the name of the first domain.
3. In Authentication Type, select LDAP.
4. In Server, select the authentication profile for the first domain.
5. Next to Named Expressions, click General, select True value, click Add Expression, and click Create.
6. In Name, type the name of the second domain.
7. In Server, select the authentication profile for the second domain, click Create, and click Close.
Important: When creating groups on the Access Gateway for group extraction from multiple domains, group names must be the same as those defined in Active Directory. Group names are also case-sensitive and must match those in Active Directory.
To create groups on the Access Gateway
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Groups.
2. In the details pane, click Add.
3. In Group Name, type the name of the first Active Directory group.
4. On the Policies tab, select the session policy for the group and click Create.
5. In Group Name, type the name of the second Active Directory group.
6. On the Policies tab, select the session policy for the group and click Create.
After creating the groups, bind the authentication policy to a virtual server.
To bind the authentication policies to a virtual server
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, select a virtual server and click Open.
3. On the Authentication tab, select the two authentication policies.
4. On the Policies tab, click to clear any policies that are selected and click OK.
Chapter 9
Users can connect to your organization's network resources using several different methods. These include:
- Citrix XenApp Plugin for Hosted Apps, which establishes an ICA session to a server farm
- Access Gateway Plugin for Windows, software installed on the client device
- Access Gateway Plugin for Java, software that allows connections from a Macintosh, Linux, UNIX, or Windows computer
- Access Gateway Plugin for ActiveX, which allows connections from a computer running Windows XP and Internet Explorer
- Clientless access, which provides users with the access they need without installing client software
- Interoperability with Citrix WANScaler Accelerator Plugin
SmartAccess automatically determines the methods of access that are allowed for a client device based on the results of an endpoint analysis scan. For more information about SmartAccess, see How SmartAccess Works on page 182.
In This Chapter
- Choosing the Client Access Method
- Configuring Citrix XenApp Plugin for Hosted Apps
- Configuring the Access Gateway Plugin for Windows
- How the Access Gateway Plugin for ActiveX Works
- Selecting the Plugin Type
- Connecting Using the Access Gateway Plugin for Java
- How Clientless Access Works
- Configuring the Client Choices Page
- Configuring Access Scenario Fallback
- Using the WANScaler Accelerator Plugin
The Access Gateway Plugin is software that is downloaded and installed on a client device. When users log on using the plugin, they can access resources in the secure network as if they were in the office. Resources include email servers, file shares, and intranet Web sites.
Citrix XenApp Plugin for Hosted Apps is software that uses the ICA network protocol to establish user connections. The XenApp Plugin for Hosted Apps works with the Web Interface to provide users with access to published applications in a server farm.
Clientless access provides users with the access they need without installing client software, such as the Access Gateway Plugin or XenApp Plugin for Hosted Apps. Clientless access allows connections to Web resources such as Outlook Web Access or SharePoint, applications published on Citrix XenApp, desktops published on Citrix XenDesktop, and file shares in the secure network using the Access Interface.
Access scenario fallback allows a client device to fall back from the Access Gateway Plugin to the Web Interface (using XenApp Plugin for Hosted Apps) if the client device does not pass the initial endpoint analysis check.
Direct connections using XenApp Plugin for Hosted Apps or Access Gateway Plugin. This scenario allows users to connect to the internal network using two separate connections at the same time. The first connection is using the XenApp Plugin for Hosted Apps to establish the connection using the steps listed in the scenario above. If users need to access other resources on the internal network, they can also log on using the Access Gateway Plugin. For example, users want to connect to a Microsoft Exchange server in the network; they start Microsoft Outlook on their computer. The secure connection is made using the Access Gateway Plugin, which connects to the Access Gateway. The SSL VPN tunnel is created to the Exchange server and users can access their email.
Access Gateway Plugin and XenApp Plugin for Hosted Apps simultaneously connected (illustration in the guide)
When the Web Interface is configured for authentication or to access resources in the server farm, it can be deployed in the secure network.
Important: Citrix recommends configuring authentication on the Access Gateway if the Web Interface is running behind the Access Gateway or is in the secure network. When the Web Interface is in the secure network, authentication must be enabled on the virtual server. When authentication is disabled, unauthenticated HTTP requests are sent directly to the server running the Web Interface. Disabling authentication is recommended only when the Web Interface is in the DMZ and users are connecting directly to the Web Interface. For more information about deploying the Web Interface with the Access Gateway, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
To configure global settings for the Access Gateway Plugin for Windows
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, next to Windows Plugin Type, select Access Gateway.
4. Next to Plugin Type, select Windows and click OK.
To configure a session policy, see To configure a session policy for client connections on page 163.
Depending on the configuration of a remote user's system, you might also need to provide additional information:
- If a user runs a firewall on their computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses corresponding to the resources for which you granted access. The Access Gateway Plugin automatically handles Internet Connection Firewall in Windows XP and Windows Firewall in Windows XP Service Pack 2. For information about configuring a variety of popular firewalls, see Configuring Third-Party Personal Firewalls on page 231.
- Users who want to send FTP traffic over the Access Gateway connection must set their FTP application to perform passive transfers. In a passive transfer, the remote computer establishes the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer.
- Users who want to run X client applications across the connection must run an X server, such as XManager, on their computers.
Because users work with files and applications just as if they were local to the organization's network, no retraining of users or configuration of applications is needed. To establish a secure connection for the first time, log on to the Access Gateway using the Web logon page. The typical format of a Web address is https://companyname.com. When users log on, they can install the Access Gateway Plugin on their computer.
To install the Access Gateway Plugin
1. In a Web browser, type the Web address of the Access Gateway.
2. Type the user name and password and click Logon.
When the download is complete, the Access Gateway Plugin connects and displays a message in the notification area. If you want users to connect using the Access Gateway Plugin without using a Web browser, you can configure the plugin to display the logon dialog box when you click the icon on your desktop. Users can also right-click the Access Gateway icon in the notification area on a Windows computer.
To configure logon using the Access Gateway Plugin
1. In the notification area, right-click the Access Gateway icon and click Configure Access Gateway.
2. Click the Profile tab and then click Change Profile.
3. On the Options tab, click Use the Access Gateway Plugin for logon.
Users can log on by double-clicking the Access Gateway icon on the desktop or by right-clicking the Access Gateway icon in the notification area.
When you deploy the Access Gateway Plugin using this method, you can extract the installation program and then deploy it using a group policy. The general steps for this type of deployment are:
- Extracting the MSI package
- Distributing the plugin using a group policy
- Creating a distribution point
- Assigning the Access Gateway Plugin package using a Group Policy Object
Note: Distribution of the Access Gateway Plugin from Active Directory is supported on Windows XP and Windows Vista only.
You can download the MSI package from the configuration utility or from My Citrix.
To download the Access Gateway Plugin MSI package from the configuration utility
1. In the configuration utility, click Downloads.
2. Under Citrix Access Gateway Plugin, click Download Access Gateway Plugin for Windows and save the file nsvpnc_setup.exe to your Windows server.
   Note: If the File Download dialog box does not appear, press the CTRL key when you click the link Download Access Gateway Plugin for Windows.
3. At a command prompt, navigate to the folder in which you saved nsvpnc_setup.exe and type:
   nsvpnc_setup /c
   This extracts the file agee.msi.
4. Save the extracted file to a folder on the Windows server.
After the file is extracted, distribute it using a group policy on Windows Server 2003. Before starting the distribution, install the Group Policy Management Console on Windows Server 2003. For more information, see the Windows online help.
Note: When you are publishing the Access Gateway Plugin using a group policy, Citrix recommends assigning the package to the client device. The MSI package is designed to be installed on a per-device basis.
Before you can distribute the software, create a distribution point on a network share on a publishing server, such as Microsoft Internet Security and Acceleration (ISA) Server.
To create a distribution point
1. Log on to the publishing server as an administrator.
2. Create a folder and share it on the network with read permission for all accounts that need access to the distribution package.
3. At a command prompt, navigate to the folder where the extracted file is and type:
   msiexec -a agee.msi
4. On the Network Location screen, click Change and navigate to the shared folder where you want to create the administrative installation of the Access Gateway Plugin. Click OK and click Install.
After you have put the extracted package on the network share, assign the package to a Group Policy Object in Windows. When the Access Gateway Plugin is successfully configured as a managed software package, it is installed automatically the next time the client device starts. Note: When the installation package is assigned to a computer, restarting the computer is required. When the installation starts, users receive a message that the Access Gateway Plugin is installing.
To do so, create a new distribution point of the Access Gateway Plugin. Create a new Group Policy Object and assign the new version of the plugin to it. Then create a link between the new package and the existing package. When this link is created, the Access Gateway Plugin is updated.
This error is caused by Fast Logon Optimization in Windows XP, which allows users to log on before the operating system has initialized all of the networking components, including Group Policy Object processing. Some policies might require more than one restart to take effect. To resolve this issue, disable Fast Logon Optimization in Active Directory. To troubleshoot other installation issues for managed software, Citrix recommends enabling Windows Installer Logging using a group policy.
To terminate user sessions
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Monitor Connections, click Active user sessions.
3. Under To end session(s), select a user or group from the list and click Terminate.
You can also terminate user sessions using the Intranet IP address and subnet mask.
To terminate user sessions based on IP addresses
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Monitor Connections, click Active user sessions.
3. Under To end session(s), in Intranet IP, type the IP address, in Netmask, type the subnet mask, and click Terminate.
For more information about configuring SmartAccess, see How SmartAccess Works on page 182.
When configuring user logon to Citrix XenApp, you first create a session profile to select the Access Gateway Plugin for Windows. Then you create a profile for intranet applications for access to Citrix XenApp and the Web Interface.
To configure global settings for the Access Gateway Plugin for access to published applications
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Published Applications tab, in Web Interface Address, type the URL of the Web Interface site. This becomes the home page for users.
4. Next to ICA Proxy, select OFF.
5. In Single Sign-On Domain, type the Active Directory domain name.
6. On the Client Experience tab, next to Windows Plugin Type, select Access Gateway.
7. Next to Plugin Type, select Windows and click OK.
To configure an intranet application for access to published applications
1. In the configuration utility, in the details pane, under Intranet applications, click Create the necessary mappings to the TCP Applications behind the Access Gateway for clients using the Java Plug-in.
2. In the Bind Intranet Applications dialog box, click New.
3. In Name, type a name for the application.
4. Under Options, next to Interception Mode, select Transparent.
5. Under Destination, click Specify an IP Address and Netmask, type the IP address and subnet mask that represent your internal network, and click Create. For example, type 172.16.100.0 and the subnet mask 255.255.255.0 to represent all servers on the 172.16.100.x subnet. The IP address of the Web Interface, XenApp, and all other servers to which users connect must be in one of the subnets defined as an intranet application.
6. After clicking Create, in the Bind Intranet Applications dialog box, confirm that the intranet application is listed in the Configured Intranet Applications column and click OK.
When users log on using the Access Gateway Plugin, the VPN tunnel is established and the Web Interface is used as the home page.
The Access Gateway Plugin for ActiveX requires Internet Explorer 5.5 or higher. Users cannot connect using this version of the plugin if they are connecting from Windows Vista.
When the ActiveX control is installed, the user is connected to the Access Gateway. The Access Interface appears with the menu in the above illustration appearing in the lower right corner. When the user logs off, the menu and Access Interface close.
To configure global settings for the Access Gateway Plugin for ActiveX
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, next to Windows Plugin Type, select ActiveX.
4. Next to Plugin Type, select Windows and click OK.
To select the plugin type using a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Session Policies.
2. Do one of the following:
   - If you are creating a new session policy, under Related Tasks, click Create new session policy.
   - If you are changing an existing policy, select a policy and, under Related Tasks, click Modify session policy.
3. Create a new profile or modify an existing profile. To do so, do one of the following:
   - Next to Request Profile, click New.
   - Next to Request Profile, click Modify.
4. On the Client Experience tab, next to Windows Plugin Type, click Override Global and do one of the following:
   - Select Access Gateway to use the Access Gateway Plugin for Windows.
5. If you select Access Gateway, in Plugin Type, click Override Global and select Windows.
6. Do one of the following:
   - If you are creating a new profile, click Create, set the expression in the policy dialog box, click Create, and click Close.
   - If you are modifying an existing profile, after making the selection, click OK twice.
If you are configuring the Access Gateway Plugin, you also need to configure the interception mode and set it to transparent.
To set the interception mode for the Access Gateway Plugin for Windows
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. Under Options, in Interception Mode, select Transparent.
4. In Protocol, select ANY.
5. Under Destination, click Specify an IP Address and, in IP address, type the IP address.
6. In Netmask, type the subnet mask, click Create, and click Close.
The Access Gateway Plugin for Java supports most TCP-based applications, but provides only some of the features of the Access Gateway Plugin for Windows or Access Gateway Plugin for ActiveX. Users do not require administrative privileges on the client device to use the Access Gateway Plugin for Java. For security reasons, you might want to require using this plugin version for a particular virtual server, group, or user, regardless of which client device is used. To configure the Access Gateway to install the Access Gateway Plugin for Java on client devices, configure a session policy and then bind it to the virtual server, group, or user.
To configure the Access Gateway Plugin for Java
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Session Policies.
2. Select a policy and then click Modify session policy.
3. Next to Request Profile, click Modify.
4. On the Client Experience tab, in Windows Plugin Type, click Override Global and select Access Gateway.
5. Next to Plugin Type, click Override Global, select Java, and click OK twice.
After creating the session policy, create an intranet application to define the interception mode for users logging on using the Access Gateway Plugin for Java.
To set the interception mode
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. In Name, type a name.
4. Under Options, in Interception Mode, select PROXY.
5. Under Destination, in IP Address, type the IP address.
6. In Port, type the port number, click Create, and click Close.
If you do not specify a source IP address and port number, the Access Gateway automatically uses 127.0.0.1 for the IP address and 0 for the port.
To enable clientless access for only a specific virtual server, disable clientless access globally and then enable it using a session policy. If you use the Access Gateway wizard to configure the appliance, you have the choice of configuring clientless access within the wizard. The settings in the wizard are applied globally. Within the Access Gateway wizard, you can configure the following client connection methods:
- Access Gateway Plugin. Users are allowed to log on using the Access Gateway Plugin only.
- Use the Access Gateway Plugin and allow access scenario fallback. Users log on to the Access Gateway using the Access Gateway Plugin. If the client device fails an endpoint analysis scan, users are permitted to log on using clientless access. When this occurs, users have limited access to network resources.
- Allow users to log on using a Web browser and clientless access. Users can log on only using clientless access and they receive limited access to network resources.
- Off. Clientless access is turned off. When this setting is selected, users cannot log on using clientless access and the icon for clientless access does not appear on the choices page.
If you did not enable clientless access using the Access Gateway wizard, you can enable it globally using the configuration utility.
To enable clientless access globally
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, next to Clientless Access, select ON and click OK.
If you want only a select group of users, groups, or virtual servers to use clientless access, disable or turn off clientless access globally. Then, using a session policy, enable clientless access and bind it to users, groups, or virtual servers.
To enable clientless access using a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Client Experience tab, next to Clientless Access, click Override Global, select On, and click OK.
7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
After creating the session policy that enables clientless access, bind it to a user, group, or virtual server.
Encrypt. The domain and protocol are encrypted using a session key. When the Web address is encrypted, the URL is different for each user session for the same Web resource. If users bookmark the encoded Web address in the Web browser and then log off, the bookmark no longer works: when they log on again and try to connect to the Web address using the bookmark, they cannot connect. If users save the encrypted bookmark in the Access Interface during their session, the bookmark works each time the user logs on.
You can configure this setting either globally or as part of a session policy. If you configure encoding as part of a session policy, you can bind it to users, groups, or a virtual server.
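The following added example (not Citrix code; the appliance's actual cipher and URL layout are not documented here) models the Encrypt level described above: the scheme and host are encrypted and authenticated under a random per-session key, the path stays readable, and a URL captured in one session does not decode in another. The gateway address, the /clientless/ path prefix, and the SHA-256 counter keystream used in place of a real cipher are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed gateway address and path prefix (assumptions, not from the guide).
GATEWAY = "https://ag.example.com"
PREFIX = GATEWAY + "/clientless/"


def new_session_key() -> bytes:
    """Fresh random key for one user session (stand-in for the appliance's session key)."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: a labelled toy standing in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_url(session_key: bytes, target: str) -> str:
    """Clientless-access form of `target`: scheme and host encrypted under the
    session key, path and query left readable (the text says only the domain and
    protocol are encrypted).  Deterministic within a session, so the same
    resource always maps to the same URL for that session."""
    parts = urlsplit(target)
    origin = f"{parts.scheme}://{parts.netloc}".encode()
    # Nonce derived from key and origin: same session + same host -> same token,
    # different session -> different token.
    nonce = hmac.new(session_key, b"nonce" + origin, hashlib.sha256).digest()[:8]
    ciphertext = _xor(origin, _keystream(session_key, nonce, len(origin)))
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    token = base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{PREFIX}{token}{path}"


def decode_url(session_key: bytes, encoded: str) -> Optional[str]:
    """Recover the original URL, or None when the token was not produced under
    this session key: the case of a browser bookmark reused after re-logon."""
    if not encoded.startswith(PREFIX):
        return None
    token, _, rest = encoded[len(PREFIX):].partition("/")
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 8 + 16:
        return None
    nonce, ciphertext, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong session key: the integrity check fails before decryption
    origin = _xor(ciphertext, _keystream(session_key, nonce, len(ciphertext))).decode()
    return origin + "/" + rest
```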
To configure Web address encoding globally
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, next to Clientless Access URL Encoding, select the encoding level and click OK.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Client Experience tab, next to Clientless Access URL Encoding, click Override Global, select the encoding level, and click OK.
7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
Three default clientless access policies are included with the Access Gateway. The first policy is a preconfigured policy for Outlook Web Access. The second is the default policy for all other Web applications. The third is a policy for SharePoint 2007. These policies are configured automatically and cannot be changed.
In addition, each policy is bound at the global level and is not enforced unless clientless access is enabled either globally or using a session policy. The global bindings for the default clientless access policies cannot be removed or modified, even if clientless access is not enabled.
The default policies are bound only at the global level. If you want to bind clientless access policies to a virtual server, create a new policy and then bind it. Custom clientless access policies can be bound either globally or to a virtual server. To enforce different policies for clientless access at either the virtual server or global levels, change the priority number of the custom policy so it has a lower number than the default policies. If no other clientless access policies are bound to the virtual server, the default global policies take precedence.
Note: The priority numbers of the default clientless access policies cannot be changed.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Clientless Access and click a default policy.
2. Under Related Tasks, click Create new clientless access policy.
3. In Name, type a new name for the policy, click Create, and click Close.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click Virtual Servers and expand the node for a virtual server.
2. Under Available Policies / Resources, expand Clientless Access, click the new policy, and drag it to Clientless Access Policies in the virtual server node.
3. In the Modify Priority dialog box, in Priority, type a priority number and click OK.
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Getting Started, click Access Gateway wizard.
3. Click Next and follow the directions in the wizard until you reach the Configure clientless access page.
4. Click Configure Domains for Clientless Access and do one of the following:
   To create a list of excluded domains, click Exclude domains
   To create a list of included domains, click Allow domains
5. Under Domain Names, type the domain name and click Add.
6. Repeat Step 5 for each domain you want to add to the list and click OK when finished.
7. Continue configuring the appliance using the Access Gateway wizard.
You can also create or modify the domain list using global settings in the configuration utility.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Clientless Access, click Configure Domains for Clientless Access.
3. Click Configure Domains for Clientless Access and do one of the following:
   To create a list of excluded domains, click Exclude domains
   To create a list of included domains, click Allow domains
4. Under Domain Names, type the domain name and click Add.
5. Repeat Steps 3 and 4 for each domain you want to add to the list and click OK when finished.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Clientless Access, click Configure Clientless Access for SharePoint.
3. Under Clientless Access for SharePoint, in Host name of SharePoint server, type the domain or FQDN for the SharePoint site and click Add.
4. Repeat Step 3 for each SharePoint site you want to add to the list and click OK when finished.
If you want users to have the SharePoint site as their home page, configure a session profile and enter the Web address of the SharePoint site.
To configure a SharePoint site as the home page
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Client Experience tab, next to Home Page, click Override Global, and then type the name of the SharePoint site.
7. Next to Clientless Access, click Override Global, and select ON.
8. In the Create Session Policy dialog box, next to Named Expressions, click General, select True value, click Add Expression, click Create, and click Close.
After completing the session policy, bind it to users, groups, virtual servers, or globally. When users log on, they see the SharePoint Web site as their home page.
1. In the configuration utility, in the navigation pane, expand DNS and click DNS Suffix.
2. In the details pane, click Add.
3. In DNS Suffix, type the intranet domain name as the suffix, click Create and click Close.
To configure a local DNS record for every SharePoint server name on the Access Gateway
1. In the configuration utility, in the navigation pane, expand DNS > Records and click Address Records.
2. In the details pane, click Add.
3. In Host Name, type the SharePoint host name for the DNS address record.
4. In IP Address, type the IP address of the SharePoint server, click Add, click Create and click Close.
The host name for which an A record is added should not have a CNAME record. Also, there cannot be duplicate A records on the appliance.
If users select the Access Gateway Plugin for ActiveX to log on, a dialog box that prompts download of the ActiveX control appears. When it is installed, users are connected to the Access Gateway. If users select the Access Gateway Plugin for Java, the plugin starts and users are logged on. For more information about configuring client choices, see Choosing the Client Access Method on page 152.
The Access Gateway client choices page with the Access Gateway Plugin, Citrix XenApp, and clientless access icons
Client choices can be used without using endpoint analysis or implementing access scenario fallback. If a client security expression is not defined, users receive connection options for the settings that are configured on the Access Gateway. If a client security expression exists for the user session and the client device fails the endpoint analysis scan, the choices page offers only the option to use the Web Interface if it is configured. Otherwise, users can log on using clientless access.
Client choices are configured either globally or using a session profile and policy.
Important: When configuring client choices, do not configure quarantine groups. Client devices that fail the endpoint analysis scan and are quarantined are treated the same as client devices that pass the endpoint scan.
To enable client choices options globally
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, click Advanced.
4. On the General tab, click Client Choices and click OK twice.
You can also configure client choices as part of a session policy and then bind it to users, groups, and virtual servers.
To enable client choices as part of a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Client Experience tab, click Advanced.
7. On the General tab, click Override Global, click Client Choices, click OK, and click Create.
8. In the Create Session Policy dialog box, next to Named Expressions, click General, select True value, click Add Expression, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Groups.
2. In the details pane, click Add.
3. In Group Name, type the name of the group.
4. On the Users tab, select the users, click Add for each one, click Create, and click Close.
The following procedure is an example session profile for client choices with the Access Gateway Plugin, Web Interface, and clientless access.
To create a session profile for client choices
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, on the Profiles tab, click Add.
3. In Name, type a name for the profile.
4. On the Client Experience tab, do the following:
   A. Next to Home Page, click Override Global and clear Display Home Page. This disables the Access Interface.
   B. Next to Windows Plugin Type, click Override Global and select Access Gateway.
   C. Next to Clientless Access, click Override Global and select OFF.
   D. Next to Plugin Type, click Override Global and select Windows.
   E. Click Advanced and next to Client Choices, click Override Global, click Client Choices and click OK.
5. On the Security tab, next to Default Authorization Action, click Override Global and select ALLOW.
6. On the Security tab, click Advanced.
7. Under Authorization Groups, click Override Global, select the group, click Add, and click OK.
8. On the Published Applications tab, do the following:
   A. Next to ICA Proxy, click Override Global and select OFF.
   B. Next to Web Interface Address, click Override Global and type the Web address of the Web Interface, such as http://ipAddress/Citrix/.
   C. Next to Web Interface Portal Mode, click Override Global and select COMPACT.
   D. Next to Single Sign-On Domain, click Override Global and type the name of the domain.
9. If you want to use the Access Gateway Plugin for Java as a client choice, on the Client Experience tab, in Plugin Type, select Java. If you select this choice, you must configure an intranet application and set the interception mode to Proxy. For more information about the interception mode, see To set the interception mode on page 165. If you want to use the Access Gateway Plugin for ActiveX as a client choice, on the Client Experience tab, in Windows Plugin Type, select ActiveX. Do not make a selection in Plugin Type.
After creating the session profile, create a session policy. Within the policy, select the profile and set the expression to True value.
To use the Web Interface as a client choice, you must also configure the Secure Ticket Authority on the Access Gateway. The Secure Ticket Authority is bound to the virtual server.
Note: If the server running the Web Interface is not available, the Citrix XenApp choice does not appear on the choices page.
To configure and bind the Secure Ticket Authority to a virtual server
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand Virtual Servers and then expand a virtual server node.
2. Click STA Servers.
3. Under Related Tasks, click Bind new STA server.
4. In URL, type the IP address or URL of the server running the STA and click Create.
Note: The IP address or URL must match what is configured in the Web Interface.
When clientless access is disabled, the following combination of settings must be configured for the access scenario fallback:
Define client security parameters for the fallback post-authentication scan
Define the Web Interface home page
Disable client choices
If client devices fail the client security check, users are placed into a quarantine group that allows access only to the Web Interface and published applications
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Groups.
2. In the details pane, click Add.
3. In Group Name, type a name for the group, click Create, and click Close.
Important: The name of the quarantine group must not match the name of any domain group to which users might belong. If the quarantine group matches an Active Directory group name, users are quarantined even if the client device passes the endpoint analysis security scan.
After creating the group, configure the Access Gateway to fall back to the Web Interface if the client device fails the endpoint analysis scan.
To configure the Web Interface for quarantined user connections
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. In the Global Access Gateway Settings dialog box, on the Published Applications tab, next to ICA Proxy, select OFF.
4. Next to Web Interface Address, type the Web address for the Web Interface.
5. Next to Single Sign-On Domain, type the name of your Active Directory domain and click OK.
After configuring the global settings, create a session policy that overrides the global ICA proxy setting and then bind the session policy to the quarantine group.
To create a session policy
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. On the Policies tab, click Add.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. On the Published Applications tab, next to ICA Proxy, click Override Global, select On, and click Create.
6. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Groups.
2. In the details pane, select a group and click Open.
3. On the Policies tab, select the policy and click OK.
After creating the session policy and profile enabling the Web Interface on the Access Gateway, create a global client security policy.
To create a global client security policy
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Security tab, click Advanced.
4. Under Client Security, click New.
5. In the Create Expression dialog box, next to Match Any Expression, click Add, configure the client security expression and click Create.
6. In Quarantine Group, select the group you configured in the group procedure and click OK twice.
When configuring access scenario fallback, use the following guidelines:
Using client choices or access scenario fallback requires the endpoint analysis plugin (an ActiveX control) for all users. If endpoint analysis cannot run or if users select Skip Scan during the scan, users are denied access.
When client choices is enabled, if the client device fails endpoint analysis, users are placed into the quarantine group. Users can continue to log on using either the Access Gateway Plugin or the Web Interface.
Important: Citrix recommends that you do not create a quarantine group if client choices is enabled.
You can use different Web addresses for the Access Interface and the Web Interface. When both are configured, the home page takes precedence for the Access Gateway Plugin and the Web Interface home page takes precedence for Web Interface users.
Network traffic destined for a configured HTTP port on the Access Gateway is excluded automatically from WANScaler optimization. This is the default setting. If you configure a traffic policy for WANScaler optimization on an HTTP port, the traffic policy is honored and the network traffic is optimized by WANScaler. However, the Access Gateway optimization features are disabled for all traffic affected by that policy. Network traffic destined for non-HTTP ports can be accelerated by WANScaler without affecting other Access Gateway features. Configuring client connections to use the Accelerator Plugin is accomplished using a traffic policy and can be bound to users, groups, virtual servers, or globally. The policy is prioritized based on where it is bound or by the priority number.
To configure traffic policy for the Accelerator Plugin
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Traffic.
2. In the details pane, on the Policies tab, click Add.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. In WanScaler, select On and click Create.
7. In the Create Traffic Policy dialog box, next to Add Expression, select or enter an expression that represents the traffic types for which WANScaler acceleration should be enabled, click Add Expression, click Create and click Close.
When adding an expression, choose a network expression to use the same IP addresses and port ranges for which the WANScaler is configured to accelerate. For WANScaler acceleration to occur, the traffic types configured on the Access Gateway must match the Service Class Policies configured on the WANScaler. All TCP traffic benefits from WANScaler acceleration. If you are planning to use single sign-on, do not accelerate HTTP traffic since the acceleration disables single sign-on. After creating the policy, bind it to a user, group, virtual server, or globally.
Configure a client security expression. For example, you want to check for a specific version of Sophos Antivirus. In the expression editor, the client security string appears as:
client.application.av(sophos).version == 10.0.2
After the policy is configured, bind it to a user, group, virtual server, or globally. When users log on, the SmartAccess policy check starts and verifies whether the client device has Version 10.0.2 or higher of Sophos Antivirus installed. When the SmartAccess endpoint analysis check is successful, the Web Interface portal appears in the case of a clientless session; otherwise, the normal Access Gateway home page appears. For more information about configuring SmartAccess, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
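As an added example (not Citrix code), the following evaluates a client security expression of the one form shown above against a constructed endpoint-analysis result, applying the semantics the text gives: the check passes when the installed version is the stated version or higher. Only this expression shape is parsed, and the scan result format and the "check-failed" label are assumptions.

```python
import re
from typing import Dict, Tuple

# Only the expression shape shown in the guide is handled (assumption: the real
# expression language has more forms than this one).
_AV_VERSION_EXPR = re.compile(
    r"^client\.application\.av\((?P<vendor>[A-Za-z0-9_-]+)\)\.version"
    r"\s*==\s*(?P<version>\d+(?:\.\d+)*)$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.2' -> (10, 0, 2).  Tuples compare component-wise, so
    (10, 1) > (10, 0, 2) while (10, 0) < (10, 0, 2)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_av_expression(expr: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (vendor, required version) or raise ValueError for other shapes."""
    match = _AV_VERSION_EXPR.match(expr.strip())
    if match is None:
        raise ValueError(f"unsupported client security expression: {expr!r}")
    return match.group("vendor").lower(), parse_version(match.group("version"))


def evaluate_av_check(expr: str, scan_result: Dict[str, str]) -> bool:
    """scan_result maps antivirus vendor -> installed version as reported by the
    endpoint analysis scan (constructed input).  As the text states, '==' in this
    expression passes for the stated version or higher.  A vendor that is not
    installed, or a version string that cannot be parsed, fails the check."""
    vendor, required = parse_av_expression(expr)
    installed = scan_result.get(vendor)
    if installed is None:
        return False
    try:
        return parse_version(installed) >= required
    except ValueError:
        return False


def landing_page(expr: str, scan_result: Dict[str, str], clientless: bool) -> str:
    """Outcome of a successful SmartAccess check as described above: the Web
    Interface portal for a clientless session, otherwise the Access Gateway home
    page.  The guide does not state the failure outcome, so a constructed
    'check-failed' label is returned for that case."""
    if not evaluate_av_check(expr, scan_result):
        return "check-failed"
    return "web-interface-portal" if clientless else "access-gateway-home"
```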
CHAPTER 10
Client connections are configured by defining the resources users can access in the internal network. Configuring client connections includes:
Defining the domains to which users are allowed access
Configuring IP addresses for users, including IP pooling
Configuring time-out settings
Configuring single sign-on
Configuring network resources
Configuring split tunneling
Configuring connections through a proxy server
Configuring client software to connect through the Access Gateway
Most client connections are configured using a profile that is part of a session policy. You can also define client connection settings using preauthentication and traffic policies.
In This Chapter
How User Connections Work
Connecting to Internal Network Resources
Enabling Proxy Support for Client Connections
Configuring Time-Out Settings
Configuring Single Sign-On
Configuring Network Resources
Configuring IP Pooling
Configuring Split Tunneling
Configuring Name Service Resolution
Supporting Voice over IP Phones
Configuring Application Access for the Access Gateway Plugin for Java
When users type the Web address, they receive a logon page where users enter their credentials and log on. If the credentials are correct, the Access Gateway finishes the handshake with the client. If the user is behind a proxy server, the user can specify the proxy server and authentication credentials. For more information, see Enabling Proxy Support for Client Connections on page 190. The Access Gateway Plugin is installed on the client device. After the first connection, if users are logging on using a Windows-based computer, they can use the icon in the notification area to establish the connection.
NAT firewalls maintain a table that allows them to route secure packets from the Access Gateway to the client device. For circuit-oriented connections, the Access Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Access Gateway to match connections and send packets over the tunnel to the client with the correct port numbers so that the packets return to the correct application.
Path to any network drives that the users can access, which is done by mapping a network drive on their computer
Any system requirements for running the Access Gateway Plugin if you configured endpoint policies
If a user runs a firewall on the remote computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses corresponding to the resources for which you granted access. The Access Gateway Plugin automatically handles Internet Connection Firewall in Windows XP and Windows Firewall in Windows XP Service Pack 2.
Because users work with files and applications just as if they were local to the organization's network, no retraining of users or configuration of applications is needed.
If you set the interception mode to proxy, you can configure destination and source IP addresses and port numbers.
To configure network resources
1. In the configuration utility, in the navigation pane, expand Access Gateway > Resources and click Intranet Applications.
2. In the details pane, click Add.
3. Complete the parameters for allowing network access, click Create and click Close.
For more information about configuring specific settings for the Access Gateway Plugin for Windows or Access Gateway Plugin for Java, see Configuring Network Resources on page 198.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. Under Settings, click Change global settings.
3. On the Client Experience tab, click Advanced.
4. On the Proxy tab, under Proxy Settings, select On.
5. For the protocols, type the IP address and port number and click OK twice.
Note: If you select Appliance, you can configure only proxy servers that support secure and unsecure HTTP connections.
After you enable proxy support on the Access Gateway, configuration details for the proxy server corresponding to the protocol should be specified on the client device. When proxy support is enabled, the Access Gateway sends the proxy server details to the client browser and changes the proxy configuration on the browser itself. After the client connects to the Access Gateway, it can communicate with the proxy server directly for connection to the client's network.
You can configure one proxy server to support all of the protocols used by the Access Gateway. This provides one IP address and port combination for all of the protocols.
To configure one proxy server to use all protocols for the Access Gateway
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. Under Settings, click Change global settings.
3. On the Client Experience tab, click Advanced.
4. On the Proxy tab, under Proxy Settings, select On.
5. For the protocols, type the IP address and port number.
6. Click Use the same proxy server for all protocols and click OK twice.
When split tunneling is disabled and all proxy settings are set to On, proxy settings are propagated to client devices. If proxy settings are set to Appliance, the settings are not propagated to client devices. The Access Gateway makes connections to the proxy server on behalf of the client. The proxy settings are not propagated to the client browser, so no direct communication between the client and the proxy server is possible.
To configure the Access Gateway to be a proxy server
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. Under Settings, click Change global settings.
3. On the Client Experience tab, click Advanced.
4. On the Proxy tab, under Proxy Settings, select Appliance.
5. For the protocols, type the IP address and port number and click OK twice.
Note: When the Access Gateway is configured as a proxy server, unsecure and secure HTTP are the only supported protocols.
Session time-out. If you enable this setting, the user session times out if there is no mouse or keyboard activity on the client device for the specified interval. The default time-out setting is 30 minutes. If this value is set to zero, session time-out is disabled.
Idle session time-out. If you enable this setting, the user session times out if network traffic is not detected. The default setting is zero.
You can enable any of these settings by entering a value between 1 and 65536 to specify a number of minutes for the time-out interval. If you enable more than one of these settings, the first time-out interval to elapse closes the client connection. You configure time-out settings using a session profile. When the profile is added to a session policy, the policy is then bound to a user, group, virtual server, or globally. If you want to configure client time-out settings globally, use the configuration utility. When the time-out settings are configured globally, the settings are applied to all user sessions. You can configure a forced time-out globally or as part of a session policy.
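The following added example (not Citrix code) models the time-out rules described above: each value is in minutes, 0 disables a setting, an enabled setting must be between 1 and 65536, the forced time-out counts from logon, and the first interval to elapse closes the connection. The merge rule for a session profile that overrides some global fields is an assumption, as are the minute-based session state values.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple

MAX_TIMEOUT_MINUTES = 65536  # upper bound stated in the guide; 0 disables a setting


def _check_minutes(name: str, value: int) -> None:
    if not (value == 0 or 1 <= value <= MAX_TIMEOUT_MINUTES):
        raise ValueError(f"{name}={value}: use 0 to disable or 1..{MAX_TIMEOUT_MINUTES}")


@dataclass(frozen=True)
class TimeoutSettings:
    """Minutes.  Defaults follow the guide: session time-out 30, others disabled."""
    session_timeout: int = 30        # no mouse/keyboard activity on the client
    client_idle_timeout: int = 0     # no network traffic detected
    forced_timeout: int = 0          # counted from logon regardless of activity
    forced_timeout_warning: int = 0  # minutes of notice before a forced disconnect

    def __post_init__(self) -> None:
        for f in fields(self):
            _check_minutes(f.name, getattr(self, f.name))


def apply_override(global_settings: TimeoutSettings, **overrides: int) -> TimeoutSettings:
    """A session profile with Override Global set on some fields: fields that are
    not overridden keep the global value (assumed merge behaviour)."""
    merged = {f.name: getattr(global_settings, f.name) for f in fields(global_settings)}
    for name, value in overrides.items():
        if name not in merged:
            raise KeyError(f"unknown time-out setting {name!r}")
        merged[name] = value
    return TimeoutSettings(**merged)


@dataclass(frozen=True)
class SessionState:
    """Constructed session clock, in minutes since an arbitrary origin."""
    logon_minute: int
    last_input_minute: int
    last_traffic_minute: int


def next_disconnect(settings: TimeoutSettings, state: SessionState) -> Optional[Tuple[int, str]]:
    """(minute, reason) of the earliest time-out to elapse, or None when every
    time-out is disabled.  The first interval to elapse closes the connection."""
    candidates: List[Tuple[int, str]] = []
    if settings.session_timeout:
        candidates.append((state.last_input_minute + settings.session_timeout, "session"))
    if settings.client_idle_timeout:
        candidates.append((state.last_traffic_minute + settings.client_idle_timeout, "idle"))
    if settings.forced_timeout:
        candidates.append((state.logon_minute + settings.forced_timeout, "forced"))
    return min(candidates) if candidates else None


def forced_warning_minute(settings: TimeoutSettings, state: SessionState) -> Optional[int]:
    """Minute at which the forced time-out warning is shown, or None when no
    forced time-out or no warning interval is configured."""
    if not settings.forced_timeout or not settings.forced_timeout_warning:
        return None
    return state.logon_minute + settings.forced_timeout - settings.forced_timeout_warning
```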
To configure a global forced time-out
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Network Configuration tab, click Advanced.
4. Under Timeouts, in Forced Time-out (mins), type the number of minutes users can stay connected.
5. In Forced Time-out Warning (mins), type the number of minutes before users are warned that the connection is due to be disconnected and click OK twice.
If you want to have further control over who receives the forced time-out, create a session policy and then apply the policy to a user or group.
To configure a forced time-out within a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Network Configuration tab, click Advanced.
7. Under Timeouts, click Override Global and in Forced Time-out (mins) type the number of minutes users can stay connected.
8. Next to Forced Time-out Warning (mins), click Override Global and type the number of minutes users are warned that the connection is due to be disconnected. Click OK and click Create.
9. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
You can also configure session and client time-out settings globally using the configuration utility. To apply these values to a user, group, or virtual server use the Access Gateway Policy Manager and create a session policy and profile, setting the expression to true.
To configure a global session or client idle time-out
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. Do one or both of the following:
   On the Client Experience tab, in Session Time-out (mins), type the number of minutes
   In Client Idle Time-out (mins), type the number of minutes and click OK
To configure session or client idle time-out settings using the Access Gateway Policy Manager
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. Do one or both of the following:
   On the Client Experience tab, next to Session Time-out (mins), click Override Global and then type the number of minutes
   Next to Client Idle Time-out (mins), click Override Global, type the number of minutes, and click Create
7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, click Single Sign-on with Windows and click OK.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. Next to Request Profile, click New.
4. On the Client Experience tab, next to Single Sign-On with Windows, click Override Global, click Single Sign-on with Windows, and click OK.
5. Create the session policy expression, click Create, and click Close.
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Client Experience tab, click Single Sign-on to Web Applications and click OK.
Access Gateway Enterprise Edition Administrators Guide
To configure single sign-on to Web applications using a session policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Session Policies and select a policy.
2. Under Related Tasks, click Modify session policy.
3. In the Configure Session Policy dialog box, next to Request Profile, click Modify.
4. On the Client Experience tab, next to Single Sign-On to Web Applications, click Override Global, click Single Sign-On to Web Applications, and click OK.
Single sign-on is attempted only for network traffic where the destination port is considered an HTTP port. To allow single sign-on to applications that use a port other than port 80 for HTTP traffic, add the other port number(s) on the Access Gateway. You can enable multiple ports. The ports are configured globally.
To define the HTTP port for single sign-on to Web applications
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Network Configuration tab, click Advanced.
4. Under HTTP Ports, type the port number, click Add, and click OK twice.
Note: If Web applications in the internal network use different port numbers, type the port number and click Add. The HTTP port number must be defined to allow single sign-on to Web applications, including the Web Interface.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Authentication Policies and select the LDAP policy.
2. Under Related Tasks, click Modify authentication policy.
3. In the Configure Authentication Policy dialog box, next to Server, click Modify.
4. Under LDAP Server Information, in Base DN (location of users), type DC=domainname, DC=com.
5. In Administrator Bind DN, type LDAPaccount@domainname.com, where domainname.com is the name of your domain.
6. In Administrator Password and Confirm Administrator Password, type the password.
7. In Server Logon Name Attribute, type UserPrincipalName.
8. In Group Attribute, type memberOf.
9. In Sub Attribute Name, type CN.
10. In SSO Name Attribute, type the format of how users log on and click OK twice. This value is either SamAccountName or UserPrincipalName.
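As an added illustration that is not part of the guide, the following Python models what the attributes entered above extract from a directory entry: the entry is matched on the Server Logon Name Attribute, group names are taken from the CN sub-attribute of each memberOf DN (these are the names that group-level policy bindings such as a quarantine group act on), and the SSO name comes from whichever of the two permitted attributes was chosen. The directory entry and user are constructed.

```python
# Added example (not Citrix code): what the LDAP policy above extracts from a
# directory entry. The entry is constructed; the attribute names are the ones
# typed into the policy (LDAP attribute names are case-insensitive).
SERVER_LOGON_NAME_ATTRIBUTE = "UserPrincipalName"
GROUP_ATTRIBUTE = "memberOf"
SUB_ATTRIBUTE_NAME = "CN"

# Constructed sample entry for one user in domainname.com.
SAMPLE_ENTRY = {
    "userPrincipalName": ["jdoe@domainname.com"],
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=VPN Users,OU=Groups,DC=domainname,DC=com",
        "CN=Sales\\, East,OU=Groups,DC=domainname,DC=com",  # escaped comma inside the CN
        "CN=Quarantine,OU=Groups,DC=domainname,DC=com",
    ],
}

def get_attribute(entry, name):
    """Values of an attribute, matched case-insensitively (LDAP semantics)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []

def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas so that
    'CN=Sales\\, East' stays one RDN instead of becoming two."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns

def sub_attribute(dn, name):
    """Value of the first RDN of type `name` in the DN (e.g. the CN), or None."""
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == name.lower():
            return value.strip()
    return None

def group_names(entry):
    """Group names as the appliance derives them: the Sub Attribute Name (CN)
    of every DN held in the Group Attribute (memberOf)."""
    names = []
    for dn in get_attribute(entry, GROUP_ATTRIBUTE):
        cn = sub_attribute(dn, SUB_ATTRIBUTE_NAME)
        if cn is not None:
            names.append(cn)
    return names

def sso_name(entry, sso_name_attribute):
    """Name handed to single sign-on; the policy allows only the two choices."""
    if sso_name_attribute.lower() not in ("samaccountname", "userprincipalname"):
        raise ValueError("SSO Name Attribute must be SamAccountName or UserPrincipalName")
    values = get_attribute(entry, sso_name_attribute)
    if not values:
        raise LookupError(f"{sso_name_attribute} not present on the entry")
    return values[0]

def find_user(entries, logon_name):
    """Locate the entry whose Server Logon Name Attribute equals what the user
    typed at the logon page (a UPN here, so the bare account name does not match)."""
    for entry in entries:
        if logon_name.lower() in (v.lower() for v in get_attribute(entry, SERVER_LOGON_NAME_ATTRIBUTE)):
            return entry
    return None
```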
1. In the Access Gateway Policy Manager, under Available Policies / Resources, expand Session Policies and select the policy for your published applications.
2. Under Related Tasks, click Modify session policy.
3. In the Configure Session Policy dialog box, next to Request Profile, click Modify.
4. In the Configure Session Profile dialog box, on the Published Applications tab, in Single-sign-on Domain, click Override Global, type the domain name, and click OK twice.
For more information about configuring the Access Gateway with XenApp, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
Network topology for resource groups and authentication

Network resources on the Access Gateway are configured using intranet applications. By default, when the system IP address, a mapped IP address, or a subnet IP address is configured on the appliance, subnet routes are created based on these IP addresses. Intranet applications are created automatically based on these routes and can be bound to a virtual server. If authorization is configured and set to deny and authorization policies are defined for certain types of traffic, intranet applications must be created to correspond with the authorization policy. For example, if an authorization policy is created to allow users access to an Exchange server, an intranet application must be created based on either the IP address and port of the Exchange server, or the subnet that the Exchange server is on.
- Creating access to one IP address and subnet mask
- Creating access to a range of IP addresses
- Specifying the host name of the server in the internal network
- Specifying the application, such as Exchange, in the internal network

Note: If you specify an application, you cannot specify a port or port range for the application.
When an intranet application is defined on the Access Gateway, client traffic that is destined to the resource is intercepted by the Access Gateway Plugin and sent through the Access Gateway. You can restrict users to one server or IP address in the internal network. For example, you have a consultant who needs access only to a file share and is connecting using the Access Gateway Plugin. You can configure the intranet application for the specified IP address, subnet mask, and port. When the profile is configured, you can then bind it to the user. If you have multiple users who need restricted access, create a group, add the users to the group, and then bind the intranet application policy to the group.

When configuring intranet applications, consider the following: Intranet applications do not need to be defined if the following conditions are met:
- Interception mode is set to transparent
- Users are connecting to the Access Gateway using the Access Gateway Plugin for Windows
- Authorization is set to allow or authorization policies are created for the configured subnet routes
When authorization is allowed, the Access Gateway passes through all the traffic destined to network resources. For improved security and tighter access control, create authorization policies to explicitly allow or deny user access to internal resources. If users are connecting to the Access Gateway using the Access Gateway Plugin for Java, intranet applications must be defined. The Access Gateway Plugin for Java intercepts traffic only to network resources defined by intranet applications. If clients are using this plugin, set the interception mode to proxy.
When configuring an intranet application, an interception mode must be selected that corresponds to the type of client software used to make connections.
Note: An intranet application cannot be configured for both proxy and transparent interception. To configure a network resource to be used by both clients, configure two intranet application policies and bind the policies to the user, group, virtual server or Access Gateway global.
To create an intranet application for one IP address
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. In Name, type a name for the profile.
4. Under Options, next to Interception Mode, select Transparent.
5. In Protocol, select the protocol that applies to the network resource.
6. Under Destination, click Specify an IP Address and Netmask.
7. In IP Address, type the IP address and in Netmask, type the subnet mask.
8. Under Specify a Port Range, in Low Port and High Port, type the port numbers, click Create, and click Close.
If you have multiple servers in your network, such as Web, email, and file shares, you can configure a network resource that includes the IP range for network resources. This allows users access to the network resources contained in the IP address range.
To configure an IP address range
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. In Name, type a name for the profile.
4. Under Options, next to Interception Mode, select Transparent.
5. In Protocol, select the protocol that applies to the network resource.
6. Under Destination, click Specify an IP Address Range.
7. In IP Start, type the starting IP address and in IP End, type the ending IP address.
8. Under Specify a Port Range, in Low Port and High Port, type the port numbers, click Create, and click Close.
You can configure client access using the host name of a server in the internal network, such as myinternalserver.com. When users connect using the Access Gateway Plugin, they can connect to the server with this host name.
To configure a network resource using a host name
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. In Name, type a name for the profile.
4. Under Options, next to Interception Mode, select Transparent.
5. In Protocol, select the protocol that applies to the network resource.
6. Under Destination, click Specify a Host Name.
7. In Host Name, type the name of the server in the internal network, click Create and click Close.
Configuring Intranet Applications for the Access Gateway Plugin for Java
If clients are using the Access Gateway Plugin for Java to connect, an intranet application must be configured and set to proxy interception. The client software intercepts traffic by using the client device loopback IP address and port number specified in the profile. If users are connecting from a Windows-based device, the Access Gateway Plugin for Java attempts to modify the host file by setting the application host name to access the loopback IP address and port specified in the profile. Users must have administrative privileges on the client device for host file modification. If users are connecting from a non-Windows device, applications must be configured manually using the source IP address and port values specified in the intranet application profile.
To configure an intranet application for the Access Gateway Plugin for Java
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Intranet Applications.
2. Under Related Tasks, click Create new intranet application.
3. In Name, type a name for the profile.
4. Under Options, next to Interception Mode, select Proxy.
5. Under Destination, in IP Address and Port, type the destination IP address and port.
6. Under Source, in IP Address and Port, type the source IP address and port.

Note: The source IP address should be set to the loopback IP address of 127.0.0.1. If an IP address is not specified, the loopback IP address is used. If a port value is not entered, the destination port value is used.
Configuring IP Pooling
In some situations, users connecting using the Access Gateway Plugin need a unique IP address for the Access Gateway. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable IP pooling for a group, the Access Gateway can assign a unique IP address alias to each client. IP pooling is configured using intranet IP addresses. The following types of applications might need to use a unique IP address that is drawn from the IP pool:
- Voice over IP
- Active FTP
- Instant messaging
- Secure shell (SSH)
- Virtual network computing (VNC) to connect to a client desktop
- Remote desktop (RDP) to connect to a client desktop
You can configure the Access Gateway to assign an internal IP address to clients connecting to the Access Gateway. Static IP addresses can be assigned to users or a range of IP addresses can be assigned to a group, virtual server, or to the system globally. The Access Gateway allows you to assign IP addresses from your internal network to your remote clients. A remote client can be addressed by an IP address on the internal network. If you choose to use a range of IPs, the system dynamically assigns an IP address from that range to a remote client on-demand. When configuring IP pooling, be aware of the following:
- Assigned IP addresses need to be routed correctly. To ensure the correct routing, consider the following:
  - If split tunneling is not enabled, make sure that the IP addresses can be routed through network address translation (NAT) devices
  - Any servers accessed by client connections with intranet IP addresses must have the proper gateways configured to reach those networks
  - Configure gateways or a static route on the Access Gateway so that network traffic from clients is routed to the internal network
- Only contiguous subnet masks can be used when assigning IP address ranges.
- A subset of a range can be assigned to a lower-level entity. For example, if an IP address range is bound to a virtual server, bind a subset of the range to a group.
- IP address ranges cannot be bound to multiple entities within a binding level. For example, a subset of an address range that is bound to a group cannot be bound to a second group.
- The Access Gateway does not allow you to remove or unbind IP addresses while they are actively in use by a client session.

Internal network IP addresses are assigned to users using the following hierarchy:
- User's direct binding
- Group assigned address pool
- Virtual server assigned address pool
- Global range of addresses
Only contiguous subnet masks can be used in assigning address ranges. However, a subset of an assigned range might be further assigned to a lower level entity. A bound global address range can have a range bound to the following:
- Virtual server
- Group
- User

A bound virtual server address range can have a subset bound to the following:
- Group
- User
When an IP address is assigned to a user, it is reserved for the user's next logon until the IP pool range is exhausted. When the addresses are exhausted, the Access Gateway reclaims the IP address from the user who has been logged off from the Access Gateway the longest. If an address cannot be reclaimed and all addresses are actively in use, the Access Gateway does not allow the user to log on. You can prevent this situation by allowing the Access Gateway to use the mapped IP address as an intranet IP address when no other IP addresses are available. IP pooling is configured using the configuration utility at the level to which you want to bind the policy. For example, if you want to create an IP address pool for a virtual server, configure the intranet IP addresses on that node. When the IP pool is configured, it is bound to the entity where it is configured.
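The allocation rules above, as an added model that is not the appliance's own code: lookup in the order user binding, group pool, virtual server pool, global range; an address stays reserved for its user's next logon; reclamation from the user logged off the longest; and, when everything is in use, either spillover to the mapped IP or the Transfer Login page described later in this chapter. A range may not be bound to two entities at the same level. Addresses, user names and the mapped IP are constructed.

```python
# Added example (not the appliance's code): a model of the intranet IP
# allocation rules described above. Addresses, user names and the mapped IP
# are constructed.
from ipaddress import ip_address, ip_network

class TransferLoginRequired(Exception):
    """User's own addresses are all active and spillover is off: Transfer Login page."""

class IntranetIPPool:
    LEVELS = ("user", "group", "vserver", "global")   # lookup order

    def __init__(self, mapped_ip=None, spillover=False):
        self.bindings = {level: {} for level in self.LEVELS}  # level -> entity -> [addresses]
        self.lease = {}      # address -> {"user": str, "active": bool, "logoff": int}
        self.mapped_ip = ip_address(mapped_ip) if mapped_ip else None
        self.spillover = spillover
        self.clock = 0       # logical time used to find who logged off longest ago

    def bind(self, level, entity, cidr):
        """Bind a contiguous range (ip_network enforces the contiguous mask)
        to an entity; a range may not be bound to two entities at one level."""
        net = ip_network(cidr, strict=False)
        hosts = list(net) if net.prefixlen >= 31 else list(net.hosts())
        for other, addrs in self.bindings[level].items():
            if other != entity and set(hosts) & set(addrs):
                raise ValueError(f"{cidr} is already bound at {level} level to {other}")
        self.bindings[level].setdefault(entity, []).extend(hosts)

    def candidates(self, user, groups, vserver):
        """Addresses from the first level in the hierarchy that has a binding
        for this session: user, then group, then virtual server, then global."""
        lookups = (("user", [user]), ("group", list(groups)),
                   ("vserver", [vserver]), ("global", ["global"]))
        for level, keys in lookups:
            pool = [a for k in keys for a in self.bindings[level].get(k, [])]
            if pool:
                return pool
        return []

    def logon(self, user, groups=(), vserver=None):
        self.clock += 1
        pool = self.candidates(user, groups, vserver)
        mine = [a for a in pool if self.lease.get(a, {}).get("user") == user]
        # 1. An address assigned earlier is reserved for the user's next logon.
        for addr in mine:
            if not self.lease[addr]["active"]:
                self.lease[addr]["active"] = True
                return addr
        # 2. Otherwise hand out an address that has never been assigned.
        for addr in pool:
            if addr not in self.lease:
                self.lease[addr] = {"user": user, "active": True, "logoff": None}
                return addr
        # 3. Range exhausted: reclaim from whoever has been logged off longest.
        idle = [(self.lease[a]["logoff"], a) for a in pool if not self.lease[a]["active"]]
        if idle:
            addr = min(idle)[1]
            self.lease[addr] = {"user": user, "active": True, "logoff": None}
            return addr
        # 4. Everything is active. SPILLOVER falls back to the mapped IP ...
        if self.spillover and self.mapped_ip is not None:
            return self.mapped_ip
        # ... otherwise a user whose own addresses are busy gets the Transfer
        # Login page and anyone else is refused.
        if mine:
            raise TransferLoginRequired(user)
        raise PermissionError(f"no intranet IP available for {user}")

    def logoff(self, user):
        self.clock += 1
        for lease in self.lease.values():
            if lease["user"] == user and lease["active"]:
                lease["active"] = False
                lease["logoff"] = self.clock

def demo():
    """Run the allocation rules against a constructed pool; returns one
    outcome string per step."""
    pool = IntranetIPPool(mapped_ip="10.0.0.5", spillover=False)
    pool.bind("global", "global", "192.168.50.0/30")   # two usable addresses
    pool.bind("user", "alice", "192.168.60.7/32")      # static address for alice
    out = []
    def step(label, fn):
        try:
            out.append(f"{label}: {fn()}")
        except (TransferLoginRequired, PermissionError) as exc:
            out.append(f"{label}: {type(exc).__name__}")
    step("alice", lambda: pool.logon("alice"))
    step("alice 2nd device", lambda: pool.logon("alice"))   # static address busy
    step("bob", lambda: pool.logon("bob"))
    step("carol", lambda: pool.logon("carol"))
    pool.logoff("bob")
    pool.logoff("carol")
    step("dave", lambda: pool.logon("dave"))       # reclaims bob's address
    step("bob again", lambda: pool.logon("bob"))   # his old address is gone
    step("erin", lambda: pool.logon("erin"))       # all active, no spillover
    return out
```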
To configure IP pooling for a user, group or virtual server using the configuration utility
1. In the configuration utility, in the navigation pane, expand Access Gateway, and then click Users, Groups or Virtual Servers.
2. In the details pane, click a user, group, or virtual server and click Open.
3. On the Intranet IPs tab, in IP Address and Netmask, type the IP address and subnet mask; click Add.
4. Repeat Step 3 for each IP address you want to add to the pool and then click OK.
You can also create an IP address pool and bind it globally on the Access Gateway using the configuration utility.
To configure IP pooling globally using the configuration utility
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Intranet IPs, click To assign a unique, static IP Address or pool of IP Addresses for use by all client Access Gateway sessions, configure Intranet IPs.
3. In IP Address and Netmask, type the IP address and subnet mask and click Add.
4. Repeat Step 3 for each IP address you want to add to the pool and then click OK.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Network Configuration tab, click Advanced.
7. Next to Intranet IP, click Override Global and then select the option.
8. If you selected SPILLOVER in Step 7, next to Mapped IP, click Override Global, select the host name of the appliance, click OK, and click Create.
9. In the Create Session Policy dialog box, create an expression, click Create, and click Close.
- A user is assigned a static intranet IP address and has an existing Access Gateway session. If the user tries to establish a second session from a different device, the Transfer Login page appears and the user can transfer the session to the new device.
- A user is assigned five intranet IP addresses and has five sessions through the Access Gateway. If the user tries to establish a sixth session, the Transfer Login page appears and the user can choose to replace an existing session with a new session.
Note: If the user does not have an assigned IP address available and a new session cannot be established using the Transfer Login page, the user receives an error message. The Transfer Login page appears only if intranet IP addresses are configured and spillover is disabled.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies and select a session policy.
2. Under Related Tasks, click Modify session policy.
3. Next to Request Profile, click Modify.
4. On the Network Configuration tab, click Advanced.
5. Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix, and click OK three times.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies and select a session policy.
2. Under Related Tasks, click Modify session policy.
3. Next to Request Profile, click Modify.
4. On the Network Configuration tab, click Advanced.
5. Next to Spoof Intranet IP, click Override Global and click Spoof Intranet IP.
6. Next to Spoof Intranet IP, clear the check box to disable, or select the check box to enable, and click OK three times.
The Access Gateway also supports reverse split tunneling, which defines the network traffic that is not intercepted by the Access Gateway. If split tunneling is set to reverse, intranet applications define the network traffic that is not intercepted. When this is enabled, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through the Access Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on using the Access Gateway Plugin, network traffic destined to a printer or another device within the wireless network is not intercepted. For more information about intranet applications, see Configuring Network Resources on page 198. Split tunneling is configured as part of the session policy.
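The interception decision described above, as an added model that is not Citrix code: for each Split Tunnel setting it decides whether one packet is sent through the tunnel, given intranet applications defined by IP address and netmask, IP range, or host name as in the earlier procedures. The setting names ON, OFF and REVERSE, all addresses and the resource names are assumptions for the example; with split tunneling ON, only traffic matching an intranet application is intercepted.

```python
# Added example (not Citrix code): the Access Gateway Plugin's interception
# decision for one packet, given the configured intranet applications and the
# session's Split Tunnel setting. Setting names and addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class IntranetApplication:
    """A transparent-interception intranet application, defined by exactly one
    of: IP address + netmask, an IP range, or a host name (as in the three
    procedures above), plus protocol and an optional port range."""
    name: str
    protocol: str = "ANY"                 # TCP, UDP or ANY
    network: Optional[str] = None         # "10.10.5.20/32" or "10.10.0.0/16"
    ip_start: Optional[str] = None
    ip_end: Optional[str] = None
    host_name: Optional[str] = None
    low_port: int = 1
    high_port: int = 65535

    def matches(self, dst_ip, dst_port, protocol, dst_host=None):
        if self.protocol != "ANY" and self.protocol != protocol:
            return False
        if not self.low_port <= dst_port <= self.high_port:
            return False
        if self.network:
            return ip_address(dst_ip) in ip_network(self.network, strict=False)
        if self.ip_start and self.ip_end:
            return ip_address(self.ip_start) <= ip_address(dst_ip) <= ip_address(self.ip_end)
        if self.host_name:
            # Host-name resources match on the name the client resolved, not the IP.
            return dst_host is not None and dst_host.lower() == self.host_name.lower()
        return False

def route(split_tunnel, apps, dst_ip, dst_port, protocol="TCP", dst_host=None):
    """Return "tunnel" (intercepted and sent through the Access Gateway) or
    "local" (left on the client's own network).
      OFF     - everything is intercepted; intranet applications are not needed.
      ON      - only traffic to a defined intranet application is intercepted.
      REVERSE - intranet applications define the traffic that is NOT intercepted,
                so everything else goes through the tunnel (and can be logged)."""
    hit = any(app.matches(dst_ip, dst_port, protocol, dst_host) for app in apps)
    if split_tunnel == "OFF":
        return "tunnel"
    if split_tunnel == "ON":
        return "tunnel" if hit else "local"
    if split_tunnel == "REVERSE":
        return "local" if hit else "tunnel"
    raise ValueError(f"unknown Split Tunnel setting {split_tunnel!r}")

# Constructed corporate resources for split tunneling ON.
CORPORATE_APPS = [
    IntranetApplication("Exchange", "TCP", network="10.10.5.20/32", low_port=443, high_port=443),
    IntranetApplication("FileServers", "ANY", ip_start="10.20.0.1", ip_end="10.20.0.50"),
    IntranetApplication("Intranet", "TCP", host_name="myinternalserver.com"),
]
# Constructed home-LAN definition for REVERSE: the user's printer and other
# devices on the wireless network stay local; everything else is tunneled.
HOME_LAN_APPS = [IntranetApplication("HomeLAN", network="192.168.1.0/24")]
```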
To configure split tunneling
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies and select a session policy.
2. Under Related Tasks, click Modify session policy.
3. Next to Request Profile, click Modify.
4. On the Client Experience tab, next to Split Tunnel, select Global Override, select the option from the drop-down list and click OK twice.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Session.
2. In the details pane, on the Profiles tab, select a profile and click Open.
3. On the Network Configuration tab, do one of the following:
   - To configure a DNS server, next to DNS Virtual Server, click Override Global, select the server, and click OK twice
   - To configure a WINS server, next to WINS Server IP, select Override Global, type the IP address, and click OK twice
When the Access Gateway is installed as a standalone appliance and users connect using the Access Gateway Plugin, two-way communication is supported with the following Voice over IP (VoIP) softphones:
- Cisco Softphone
- Avaya IP Softphone
Secure tunneling is supported between the IP PBX and the softphone software running on the client device. To enable the VoIP traffic to traverse the secure tunnel, you must install the Access Gateway Plugin and one of the supported softphones on the same client device. When the VoIP traffic is sent over the secure tunnel, the following softphone features are supported:
- Outgoing calls that are placed from the IP softphone
- Incoming calls that are placed to the IP softphone
- Bidirectional voice traffic
Support for VoIP softphones is configured using intranet IP addresses. An intranet IP address must be configured for each user. If you are using Cisco Softphone Communication, after configuring the intranet IP address and binding it to a user, no additional configuration is required. For more information about configuring an intranet IP address, see Configuring IP Pooling on page 202. If split tunneling is enabled, create an intranet application and specify the Avaya Softphone application. In addition, transparent interception and spoof IP must be enabled. If you are using the Avaya IP Softphone and if split tunneling is disabled, spoof IP must be enabled, which is the default setting.
Configuring Application Access for the Access Gateway Plugin for Java
You can configure the access level and the applications users are allowed to access in the secure network. If users are logged on using the Access Gateway Plugin for Java, in the Secure Access Remote Session dialog box, users can click Applications. The Intranet Applications dialog box appears and lists all of the applications the user is authorized to access. When users are connected using the Access Gateway Plugin for Java, there are two methods for accessing user applications:
- HOSTS File Modification Method
- SourceIP and SourcePort Method
1. Start a Telnet session using the available software for your computer.
2. From a command prompt, type:
   Open telnet
To open the Intranet Applications dialog box and locate the IP address and port number
1. In the Secure Remote Access dialog box, click Applications.
2. Find the application in the list and note the SourceIP address and SourcePort number.
When you have the IP address and port number, start a Telnet session to connect to the computer in the remote network.
Chapter 11
The Access Gateway includes a home page that is a Web page that appears after users log on. The default home page is called the Access Interface. The home page can be the Access Interface, the Web Interface, or a customized home page. The Access Interface is used to provide links to Web sites, both internal and external, and links to file shares in the internal network. The Access Interface can be customized with the following:
- Changing the Access Interface
- Creating Access Interface links
- Creating an Access Interface administrator account
Users can customize the Access Interface, adding their own links to Web sites and file shares. Users can also transfer files from the internal network to their device using the home page.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Client Experience tab, next to Home Page, click Override Global, click Display Home Page and then type the Web address of the home page.
7. Next to Windows Plugin Type, click Override Global, select Access Gateway, and click Create.
8. In the Create Session Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
After creating the session policy, bind it to a user, group, virtual server, or globally.
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Customize Access Interface, click Upload the Access Interface.
3. To install the home page from a file on a computer in your network, in Local File, click Browse, navigate to the file, and click Select.
4. To use a home page that is installed on the Access Gateway, in Remote Path, click Browse, select the file, and click Select.
5. Click Upload and click Close.
1. In the Access Gateway Policy Manager, under Available Resources / Policies, click Bookmarks.
2. Under Related Tasks, click Create new bookmark.
3. In Name, type a name for the bookmark.
4. In Text to display, type the description of the link. The description appears on the home page.
5. In Bookmark, type the Web address, click Create, and click Close.
If clientless access is enabled, you can prevent requests for Web sites from going through the Access Gateway. For example, you added a bookmark for http://www.agexternal.com. In the Add Bookmark dialog box, you can click Use Access Gateway as a reverse proxy. When this check box is enabled, Web site requests go from the client device to the Web site. When this check box is disabled, requests go from the client device to the Access Gateway and then to the Web site.
To bind an Access Interface link
In the Access Gateway Policy Manager, under Available Policies / Resources, click a bookmark and drag-and-drop it to one, some, or all of the following locations:
- To bind a bookmark globally, under Configured Policies / Resources, expand Access Gateway Global and drop the bookmark in Bookmarks.
- To bind the bookmark to a virtual server, under Configured Policies / Resources, expand Virtual Servers and then expand a virtual server. Drop the bookmark in Bookmarks.
- To bind the bookmark to a group, under Configured Policies / Resources, expand Group and then expand a group node. Drop the bookmark in Bookmarks.
- To bind the bookmark to a user, under Configured Policies / Resources, expand Users and then expand a user node. Drop the bookmark in Bookmarks.
When the configuration is saved, the links are available to users in the Access Interface on the Home tab, which is the first page that users see after successfully logging on. The links are organized on the page according to type: Web site links or file share links.
Chapter 12
Endpoint analysis is a process that scans a client device and detects information such as the presence and version level of operating system, antivirus, firewall, or Web browser software. You can use endpoint analysis to verify that the client device meets your requirements before allowing it to connect to your network or remain connected after users log on. You can monitor files, processes, and registry entries on the client device during the user session to ensure that the device continues to meet requirements.

In This Chapter
- How Endpoint Policies Work
- Configuring Preauthentication Policies
- Configuring Post-Authentication Policies
- Configuring Client Security Preauthentication Expressions
- Configuring Compound Client Security Expressions
- Preauthentication policies that use a yes or no parameter.
- Session policy that is conditional and can be used for SmartAccess
- Client security expression within a session policy
You can incorporate detected information into policies, enabling you to grant different levels of access based upon the client device. For example, you can provide full access with download permission to users who connect remotely using client devices that are current with antivirus and firewall software requirements. For users connecting from kiosks or untrusted computers, you can provide a more restricted level of access that allows editing the documents on remote servers without downloading them. Endpoint analysis performs these basic steps:
- Examines an initial set of information about the client device to determine which scans to apply
- Runs all applicable scans
- Compares property values detected on the client device with desired property values listed in your configured scans
- Produces an output verifying whether or not desired property values are found
When a user tries to connect, endpoint analysis checks the scans that are filtered for the endpoint policy. These scans return results (called scan outputs) of detected information or true or false results of required property values. Endpoint analysis completes before the user session uses a license. A preauthentication scan is the yes or no parameter to determine if the client device meets the specified requirements. If the scan fails, credentials cannot be entered on the logon page. A session policy is conditional and typically used for SmartAccess. Within the session policy, there is a client security expression. If the client device fails to meet the requirements of the client security expression, you can configure users to be placed into a quarantine group. If the client device passes the scan, users can be placed into a different group that might have additional checks.
When users log on, the session policy is applied first. If endpoint analysis fails or the user skips the scan, the settings in the session policy are ignored and users have restricted access using the Web Interface or clientless access. If endpoint analysis passes, the session policy is applied and users have full access. If users skip the endpoint analysis scan, the expression in the session policy is considered false. Note: The instructions in this chapter are a general guideline for creating session policies for endpoint analysis. You can have many settings within a session policy. Specific instructions for configuring session policies are located throughout this manual. The instructions might contain directions for configuring a specific setting; however, that setting can be one of many that are contained within a session profile and policy.
1. In the configuration utility, in the navigation pane, expand Access Gateway > Policies and click Pre-Authentication.
2. In the details pane, on the Profiles tab, click Add.
3. In Name, type the name of the application to be checked.
4. In Action, select ALLOW or DENY.
5. In Processes to be killed, type the name of the process to be stopped.
6. In Files to be deleted, type the name of the file to be deleted, such as c:\clientext.txt, click Create and click Close.

Note: If a file is to be deleted or a process stopped, users receive a message asking for confirmation. Steps 5 and 6 are optional parameters.
If you configure a preauthentication profile using the configuration utility, you then create the preauthentication policy by clicking Add on the Policies tab. In the Create Pre-Authentication Policy dialog box, select the profile from the Request Profile drop-down list. You can also create a policy and profile together using the Access Gateway Policy Manager.
To create a preauthentication policy and profile using the Access Gateway Policy Manager
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-Authentication Policies.
2. Under Related Tasks, click Create new pre-authentication policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, click New.
5. In Name, type the name of the application to be checked.
6. In Action, select ALLOW or DENY.
7. In Processes to be killed, type the name of the process to be stopped.
8. In Files to be deleted, type the name of the file to be deleted, such as c:\clientext.txt, and click Create.
9. Next to Named Expressions, select General, select True Value, click Add Expression, click Create, and click Close.
Types of Expressions
The expression consists of an expression type and the parameters of the expression. Expression types include:
- General
- Client security
- Network based
When you create a preauthentication or session policy, you can create the expression when you create the policy. You can then apply the policy, with the expression, to virtual servers or globally.
To use a named expression in a policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-authentication Policies.
2. Under Related Tasks, click Create new pre-authentication policy.
3. In Name, type a name for the policy.
4. Next to Request Profile, select or create a profile.
5. Next to Named Expressions, select Anti-Virus, select Symantec AntiVirus 10 (with Updated Definition Files), click Add Expression, click Create, and click Close.
For example, you want to create a custom client security expression for Symantec AntiVirus 10 and make sure that the virus definitions are no more than three days old. Create a new policy and then configure the expression to specify the virus definitions.
To create a custom expression within a preauthentication policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-authentication Policies.
2. Under Related Tasks, click Create new pre-authentication policy.
3. In Name, type a name for the policy.
4. In Request Profile, click New.
5. In Name, type a name for the profile and in Action, select Allow.
6. In the Create Pre-Authentication Policy dialog box, next to Match Any Expression, click Add.
7. In Expression Type, select Client Security.
8. Configure the following:
   A. In Component, select Anti-Virus
   B. In Name, type a name for the application
   C. In Qualifier, select Version
   D. In Operator, select ==
   E. In Value, type the value
   F. In Freshness, type 3 and click OK.
9. In the Create Pre-Authentication Policy dialog box, click Create and click Close.
When a custom expression is configured, it is added to the Expression box in the policy dialog box, as shown in the following illustration:
You can configure the expression with the or operator to check for these three applications. If the correct version of any of these applications is found on the client device, users are allowed to log on. The expression in the policy dialog box appears as follows:
A preauthentication policy that checks a client device for one of three antivirus applications
For more information about compound expressions, see Configuring Compound Client Security Expressions on page 238.
Binding Policies
After you create the preauthentication or client security session policy, bind the policy to the level to which it applies. Preauthentication policies can be bound to virtual servers or globally.
To bind a preauthentication policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click a preauthentication policy.
2. Drag the policy to one of the following under Configured Policies / Resources:
   Under AAA Global > Pre-Authentication Policies
   Under Virtual Servers > Pre-Authentication Policies
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, expand either AAA Global or Virtual Servers.
2. If you selected Virtual Servers, expand a virtual server node.
3. Expand the Pre-Authentication Policies node and then click a policy.
4. Under Related Tasks, click Modify priority.
5. In the Modify Priority dialog box, in Priority, type a number and click OK.
1. In the Access Gateway Policy Manager, under Configured Policies / Resources, click the AAA Global or Virtual Server node to which the policy is bound.
2. Select the policy, and under Related Tasks, click Unbind pre-authentication policy.
When the preauthentication policy is unbound, the policy can be removed from the Access Gateway.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-Authentication Policies and then select the policy.
2. Under Related Policies, click Remove pre-authentication policy.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. In Request Profile, click New.
5. In Name, type a name for the profile.
6. On the Security tab, click Advanced.
7. Under Client Security, click Override Global and click New.
8. Configure the client security expression and click Create.
9. Under Client Security, in Quarantine Group, click Override Global, and in Quarantine Group, select a group.
10. In Error Message, type the message you want users to receive if the postauthentication scan fails.
11. Under Authorization Groups, click Override Global, select a group, click Add, click OK, and click Create.
12. In the Create Session Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create, and click Close.
You can also use authorization groups to restrict user access to network resources. For example, you might have a group of contract personnel that has access only to your email server and a file share. When client devices pass the security requirements defined on the Access Gateway, users can be added to groups dynamically. Quarantine and authorization groups are configured using either global settings or session policies that are bound to a user, group, or virtual server. You can assign users to groups on the basis of a client security expression within the session policy. When the user is a member of a group, the session policy is applied based on group membership.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. In Request Profile, click New.
5. On the Security tab, click Advanced.
6. Under Client Security, click Override Global and click New.
7. In the Client Expression dialog box, configure the client security expression and click Create.
8. In Quarantine Group, select the group.
9. In Error Message, type a message that describes the problem for users and click Create.
10. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
After the session policy is created, bind it to a user, group, or virtual server.
To configure a global quarantine group
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. In the details pane, under Settings, click Change global settings.
3. On the Security tab, click Advanced.
4. Under Client Security, click New.
5. In the Client Expression dialog box, configure the client security expression and click Create.
6. In Quarantine Group, select the group.
7. In Error Message, type a message that describes the problem for users and click OK twice.
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies.
2. Under Related Tasks, click Create new session policy.
3. In Name, type a name for the policy.
4. In Request Profile, click New.
5. On the Security tab, click Advanced.
6. Under Authorization Groups, click Override Global, select a group from the drop-down list, click Add, click OK, and click Create.
7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and click Close.
After the session policy is created, you can bind it to a user, group, or virtual server.
To configure a global authorization group
1. In the configuration utility, in the navigation pane, expand Access Gateway and click Global Settings.
2. Under Settings, click Change global settings.
3. On the Security tab, click Advanced.
4. Under Authorization Groups, select a group from the drop-down list, click Add, and click OK twice.
If you want to remove an authorization group either globally or from the session policy, in the Security Settings - Advanced dialog box, select the authorization group from the list and click Remove.
If a security check fails on the client device, no new connections are made until a subsequent check passes (in the case of checks that are at regular intervals); however, traffic flowing through existing connections continues to be tunneled through the Access Gateway. You can use the Access Gateway Policy Manager to configure session policies to check for client security.
The following illustration shows the fields for configuring a client security expression within the Add Expression dialog box:
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Session Policies or Pre-Authentication Policies.
2. Under Related Tasks, click Create new session policy or Create new preauthentication policy.
3. In Name, type a name for the policy.
4. Next to Match Any Expression, click Add.
5. In Expression Type, select Client Security.
6. Configure the settings for the following:
   A. In Component, select the item for which to scan.
   B. In Name, type the name of the application.
   C. In Qualifier, select Version.
   D. In Operator, select the value.
   E. In Value, type the client security string, click OK, and click Close.
1. In the Add Expression dialog box, in Expression Type, select Client Security.
2. Configure the settings for the following:
   A. In Component, select Service.
   B. In Name, type the name of the service.
   C. In Qualifier, leave blank or select Version.
   D. Depending on your selection in Qualifier, do one of the following:
      If left blank, in Operator, select EXISTS or NOTEXISTS
      If you selected Version, in Operator, select the value, click OK, and click Close
The list of all available services and their status can be checked on a Windows computer at the following location: Control Panel > Administrative Tools > Services
Note: The service name of a service can differ from its display name. Check the name of the service in the Properties dialog box of the service.
1. In the Add Expression dialog box, in Expression Type, select Client Security.
2. Configure the settings for the following:
   A. In Component, select Process.
   B. In Name, type the name of the application.
   C. In Operator, select EXISTS or NOTEXISTS, click OK, and click Close.
When you configure an endpoint analysis policy (pre-authentication or postauthentication) to check for a process, you can configure an MD5 checksum. When you create the expression for the policy, you can add the MD5 checksum to the process you are checking for. For example, if you are checking to see if notepad.exe is running on the client device, the expression is:
CLIENT.APPLICATION.PROCESS(notepad.exe_md5_388b8fbc36a8558587afc90fb23a3b00) EXISTS
1. In the Add Expression dialog box, in Expression Type, select Client Security.
2. Configure the settings for the following:
   A. In Component, select Operating System.
   B. In Name, type the name of the application.
   C. In Qualifier, do one of the following:
      Leave blank
      Select Service Pack
      Select Hotfix
   D. Depending on your selection in Step C, in Operator, do one of the following:
      If Qualifier is blank, in Operator, select EXISTS or NOTEXISTS
      If you selected Service Pack or Hotfix, select the operator and in Value, type the value
3.
The string client.os (winxp).sp without a number returns an error message because this is an invalid check. For example, if the operating system has several service packs present, such as Service Pack 3 and Service Pack 4, you can configure a check just for Service Pack 4, because the presence of Service Pack 4 automatically indicates that the previous service packs are present.
1. In the Add Expression dialog box, in Expression Type, select Client Security.
2. Configure the settings for the following:
   A. In Component, select File.
   B. In Name, type the name of the application.
   C. In Qualifier, leave blank or select Time Stamp. If Time Stamp is selected, in Value, type the value.
   D. In Operator, select the value, click OK, and click Close.
Note: If you use the command line to configure a file check, use four backslash (\) characters instead of one. For example, the configuration shows c:\\\\file.txt and not c:\file.txt. You can also use a forward slash to configure a file check, such as c:/file.txt.
Underscores are used to separate the subkey and the associated value name, such as
HKEY_LOCAL_MACHINE\\SOFTWARE\\VirusSoftware_Version
A registry expression that looks for the Access Gateway Plugin registry key when users log on
Note: If you are scanning for registry keys and values and select Advanced Free-Form in the Expression dialog box, the expression must start with CLIENT.REG.
Registry checks are supported under the five most common hive types:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Registry values to be checked use the following types:
String. For the string value type, case-sensitivity is checked.
DWORD. For the DWORD type, the value is compared and must be equal.
Expanded String.
Other types, such as Binary and Multi-String, are not supported.
Only the '==' comparison operator is supported. Other comparison operators, such as < and >, and case-sensitive comparisons are not supported.
The total registry string length should be less than 256 bytes.
You can add a value to the expression. The value can be a software version, service pack version, or any other value that appears in the registry. If the data value in the registry does not match the value you are testing against, users are denied logon. Note: You cannot scan for a value within a subkey. The scan must match the named value and the associated data value.
To configure a registry expression
1. In the Add Expression dialog box, in Expression Type, select Client Security.
2. Configure the settings for the following:
   A. In Component, select Registry.
   B. In Name, type the name of the registry key.
   C. In Qualifier, leave blank or select Value.
   D. In Operator, do one of the following:
      If Qualifier is left blank, select EXISTS or NOTEXISTS
      If you selected Value in Qualifier, select either == or !==
   E. In Value, type the value as it appears in the registry editor, click OK, and click Close.
If an entry in the registry has two words, such as Norton AntiVirus, use one backslash to denote the space. The backslash does not replace the space, as shown in the following example:
CLIENT.REG(HKEY_LOCAL_MACHINE\\Software\\Symantec\\Norton\ AntiVirus_Version).VALUE == 12.8.0.4 -frequency 5
The Boolean operators that are supported in the Access Gateway are:
And (&&)
Or (||)
Not (!)
The strings can be grouped together using parentheses for greater precision. Note: If you are using the command line to configure expressions, use parentheses to group security expressions together when you form a compound expression. It improves understanding and debugging of the client expression.
(client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS)
This string can also be configured as
(client.file(c:\\\\file.txt) EXISTS) || (client.proc(putty.exe) EXISTS)
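The expression syntax described in this chapter (a process check pinned with an MD5 suffix, a file path typed at the command line, a registry key with an escaped space and an underscore before the value name, and compound expressions in parentheses) collected into a small Python helper. This is an added example, not Citrix code; the function names are assumptions, and the rules it enforces are only those stated in the text above.

```python
r"""Compose and sanity-check Access Gateway client security expressions.

Added example (not Citrix code). It reproduces only the syntax rules shown in
this chapter: a process optionally pinned with "_md5_<hex>", four backslashes
per path separator when a file check is typed at the command line, registry
keys joined with "\\" and a backslash written before each space, the value
name appended after "_", one of the five supported hives, the 256-byte limit,
and parentheses around each term of a compound expression.
"""
import hashlib

SUPPORTED_HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
                   "HKEY_USERS", "HKEY_CURRENT_CONFIG")
REGISTRY_MAX_BYTES = 256


def process_expression(exe_name, image_bytes=None, exists=True):
    """CLIENT.APPLICATION.PROCESS(<name>[_md5_<hash>]) EXISTS|NOTEXISTS.
    Supplying the executable's bytes pins its MD5, so a different binary that
    merely reuses the file name no longer satisfies the check."""
    name = exe_name
    if image_bytes is not None:
        name += "_md5_" + hashlib.md5(image_bytes).hexdigest()
    return f"CLIENT.APPLICATION.PROCESS({name}) {'EXISTS' if exists else 'NOTEXISTS'}"


def file_expression(path, exists=True, command_line=True):
    """client.file(<path>) EXISTS|NOTEXISTS. On the command line each
    backslash is written as four; a forward slash needs no escaping."""
    if command_line:
        path = path.replace("\\", "\\\\\\\\")
    return f"client.file({path}) {'EXISTS' if exists else 'NOTEXISTS'}"


def _escape_space(component):
    # 'Norton AntiVirus' becomes 'Norton\ AntiVirus'; the space itself stays.
    return component.replace(" ", "\\ ")


def registry_expression(hive, subkey_parts, value_name=None, expected=None,
                        operator="==", frequency=None):
    """CLIENT.REG(<hive>\\<sub>\\<key>[_<value>]) EXISTS, or .VALUE == <expected>.
    Raises ValueError for what the text says is unsupported."""
    if hive not in SUPPORTED_HIVES:
        raise ValueError(f"unsupported hive: {hive}")
    if operator not in ("==", "!=="):
        raise ValueError("registry values support only == (or !== in the GUI)")
    key = "\\\\".join([hive] + [_escape_space(p) for p in subkey_parts])
    if value_name is not None:
        key += "_" + _escape_space(value_name)   # underscore separates key and value name
    if len(key.encode()) >= REGISTRY_MAX_BYTES:
        raise ValueError("registry string must be shorter than 256 bytes")
    if expected is None:
        expr = f"CLIENT.REG({key}) EXISTS"
    else:
        if value_name is None:
            raise ValueError("a value comparison needs a named value, not a subkey")
        expr = f"CLIENT.REG({key}).VALUE {operator} {expected}"
    if frequency is not None:
        expr += f" -frequency {frequency}"
    return expr


def compound(operator, *terms):
    """Join terms with && or ||, each term wrapped in parentheses as advised."""
    if operator not in ("&&", "||"):
        raise ValueError("supported Boolean operators are && and ||")
    return f" {operator} ".join(f"({t})" for t in terms)


def negate(term):
    return f"!({term})"


def parentheses_balanced(expr):
    """Catches the truncated form in which a term has lost its opening '('."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(compound("||", file_expression("c:\\file.txt"), "client.proc(putty.exe) EXISTS"))
    print(registry_expression("HKEY_LOCAL_MACHINE", ["Software", "Symantec", "Norton AntiVirus"],
                              "Version", "12.8.0.4", frequency=5))
```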
Chapter 13
After the Access Gateway is configured, you can maintain and monitor the Access Gateway.
In This Chapter
Upgrading the Access Gateway
Configuring Delegated Administrators
Viewing Access Gateway Configuration Settings
Clearing the Access Gateway Configuration
Configuring Auditing on the Access Gateway
1. Go to the Citrix Web site at http://www.citrix.com, click My Citrix, and log on.
2. At the top of the Web page, click Downloads and in Search Downloads by Product, select Citrix Access Gateway.
3. In Select Product Version, select the Access Gateway version to start the download.
4. Follow the instructions on the screen.
When the software is downloaded to your computer, you can install the software using the Upgrade Wizard in the configuration utility or a command prompt.
Access Gateway Enterprise Edition Administrators Guide
To upgrade the Access Gateway using the Upgrade Wizard
1. In the configuration utility, in the navigation pane, click System.
2. In the details pane, click Upgrade Wizard.
3. Click Next and follow the directions in the wizard.
1. To upload the software to the Access Gateway, use a secure FTP client, such as WinSCP, to connect to the appliance.
2. Copy the software from your computer to the /var/nsinstall directory on the appliance.
3. Use an SSH client, such as PuTTY, to open an SSH connection to the appliance.
4. Log on to the Access Gateway.
5. At a command prompt, type
shell
where build_X_XX.tgz is the name of the build to which you want to upgrade.
9. To start the installation, at a command prompt, type
./installns
10. When the Access Gateway restarts, to verify successful installation, at a command prompt type
what or show version
Operator. Allows read-only access and also allows access to enable and disable commands on services. This policy also allows access to set services and servers as accessdown.
Network. Permits almost complete system access, excluding system commands and the shell command.
Superuser. Grants full system privileges, such as those granted to the default administrator, nsroot.
Command policies contain built-in expressions. The configuration utility is used to create system users, system groups, command policies, and define permissions.
To create an administrative user on the Access Gateway
1. In the configuration utility, in the navigation pane, expand System and click Users.
2. In the details pane, click Add.
3. In User Name, type a user name.
4. In Password and Confirm Password, type the password.
5. Under Member of, in Available Groups, select a group and click Add.
6. Under Command Policies, select a policy, in Priority type a number, click Create, and click Close.
When you are configuring an administrative user on the appliance, you can add the user to a group. You can create a new group from within the Create User dialog box or using the configuration utility.
To create an administrative group from within the Create User dialog box
1. In the Create User dialog box, under Member of, click New.
2. In Group Name, type a name for the group, select a user, and click Create.
1. In the configuration utility, in the navigation pane, expand System and click Groups.
2. In the details pane, click Add.
3. In Group Name, type a name for the group.
4. To add an existing user to the group, under Members > Available Users, select a user and click Add.
5. Under Command Policies, select a policy, click Create, and click Close.
When creating a new administrative group, you can also create a new user.
To configure an administrative user from within the Create Group dialog box
1. In the Configure Group dialog box, under Member, click New.
2. In User Name, type a user name.
3. In Password and Confirm Password, type the password.
4. Under Command Policies, select a policy and click Create. The new user appears under Configured Users in the Configure Group dialog box.
1. In the configuration utility, in the navigation pane, expand System and click Command Policies.
2. In the details pane, click Add.
3. In Policy Name, type a name for the policy.
4. In Action, select Allow or Deny.
5. In Policy Components, select the following:
   Operator, which is the action the administrator is allowed to perform
   Entity Group, which is the group to which the command belongs, such as authentication or high availability
   Entity, which is the entity an administrator can change, such as a RADIUS authentication policy
   Value, which is the priority of the policy
6.
When you click Add, the expression appears under Command Spec in the Create Command Policy dialog box. After creating the custom command policy, you can bind it to a user or a group.
To bind a custom command policy to a user or group
1. In the configuration utility, in the navigation pane, expand System and click Users or click Groups.
2. In the details pane, select a user or group from the list and click Open.
3. Under Command Policies, select the policy and click OK.
In addition to viewing configuration settings, you can configure settings using a batch file. The batch file contains a list of configuration commands that you can use to configure the Access Gateway. The batch file can reside on the Access Gateway or a computer in your network. You can type the commands in the Batch Configuration dialog box. You can also clear configuration settings on the Access Gateway. Important: If you choose to clear settings on the Access Gateway, certificates, virtual servers, and policies are removed. Citrix recommends that you do not clear the configuration.
In the configuration utility, above the details pane, click Save and click Yes.
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under View Configuration, click Saved configuration.
You can also save the configuration to a file on a computer on your network.
To save the Access Gateway configuration to a file on your computer
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under View Configuration, click Saved configuration.
3. In the Saved Configuration dialog box, click Save output text to a file and click Save.
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under View Configuration, click Running configuration.
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under View Configuration, click Saved v/s running configuration.
All. Restores the configuration to the original factory settings including the system IP address and default route, which are required to maintain network connectivity to the appliance.
When you clear all or part of the configuration, the feature settings are set to the factory default settings. When you clear the configuration, files that are stored on the Access Gateway, such as certificates and licenses, are not removed. The file ns.conf is not altered. If you want to save the configuration before clearing the configuration, save the configuration to your computer first. If you save the configuration, you can restore the ns.conf file on the Access Gateway. When the file is restored to the appliance and the Access Gateway is restarted, any configuration settings in ns.conf are restored. If you clear the entire configuration, high availability synchronization might not correspond to any of the clear configuration levels. Modifications to configuration files, such as rc.conf, are not reverted. Changes using the command nsapimgr do not revert to the original settings. If you have a high availability pair, both Access Gateway appliances are modified identically. For example, if you clear the basic configuration on one appliance, the changes are propagated to the second appliance.
To clear the Access Gateway configuration
1. In the configuration utility, in the navigation pane, expand System and click Diagnostics.
2. In the details pane, under Maintenance, click Clear configuration.
3. In Configuration Level, select the level you want to clear and click Run.
IP address of the virtual server
Port number of the virtual server
Intranet IP address assigned to the user
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Monitor Connections, click Active user sessions.
3. View the list of sessions under Active connections between the client and Appliance.
You can retrieve updated information about sessions to the Access Gateway.
To refresh the session list
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Active User Sessions, click Active User Sessions.
3. Click Refresh.
You can terminate user and group sessions. You can also end a session that has a specific intranet IP address and subnet mask.
To end user or group sessions
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Active User Sessions, click Active User Sessions.
3. Do one of the following:
   To terminate a user session, click Active Users, select a user, and click Terminate
   To terminate a group session, click Active Groups, select a group, and click Terminate
1. In the configuration utility, in the navigation pane, click Access Gateway.
2. In the details pane, under Active User Sessions, click Active User Sessions.
3. Next to Intranet IP, type the IP address.
4.
ALERT
Compression statistics for the Access Gateway are also stored in the Access Gateway audit log if the TCP compression feature is configured. The compression ratio achieved for different data is recorded in the log file for each user session on the Access Gateway.
To configure an Access Gateway log
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Auditing Policies.
2. Under Related Tasks, click Create new auditing policy.
3. In Name, type a name for the policy.
4. In Auditing Type, select one of the following:
   Syslog if you want to send the logs to a Syslog server.
   - or -
   Nslog to store the logs on the Access Gateway.
5. Next to Server, click New.
6. Type the following information for the server where the logs are stored:
   A. In Name, type the name of the server.
   B. Under Server, type the IP Address and Port.
   C. Under Log Levels, select the level of logging.
   D. Next to Select date format, select how you want the date on the log to appear, click Create, and click Close.
After you create the auditing policy, you can bind it to one, some, or all of the following:
System global
Access Gateway global
Virtual servers
Groups
Users
In the Access Gateway Policy Manager, under Available Policies / Resources, click an auditing policy and drag it to the Auditing Policies node under any of the following:
System Global
Access Gateway Global
Virtual Servers
Groups
Users
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Auditing Policies.
2. Click the audit policy.
3. Under Related Tasks, click Modify auditing policy.
4. In the Configure Auditing Policy dialog box, click Modify.
5. Select the changes and click OK twice.
You can remove an auditing policy from the Access Gateway. When you remove an auditing policy, it is unbound automatically.
To remove an auditing policy
1. In the Access Gateway Policy Manager, under Available Policies / Resources, click Auditing Policies.
2. Click the policy; under Related Tasks, click Remove auditing policy and click Yes.
If the packet is not from the same flow, or if the time duration is beyond the mean time, a new flow is created. Mean time is the time during which packets of the same flow do not generate additional messages (although the counter is incremented). Note: The total number of different flows that can be logged at any given time is limited to 10,000. The following table describes the parameters with which you can configure ACL logging at the rule level for extended ACLs.
Parameter Name    Description
Logstate          State of the logging feature for the ACL. Possible values: ENABLED and DISABLED. Default: DISABLED.
Ratelimit         Number of log messages that a specific ACL can generate. Default: 100.
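A simplified model of the flow, mean-time and rate-limit behaviour described above, added here as an example (not Citrix code). Beyond what the text states, it assumes that a flow is identified by the packet's 5-tuple, that the mean time is measured in seconds, and that the rate limit counts the messages one ACL rule has emitted; the class and function names are assumptions as well.

```python
from collections import namedtuple

# Constructed packet record: timestamp in seconds plus the 5-tuple (assumed flow key).
Packet = namedtuple("Packet", "ts src dst proto sport dport")
MAX_FLOWS = 10_000  # documented cap on flows logged at any one time


class AclLogger:
    """Logging state for one extended ACL rule (simplified model, not Citrix code)."""

    def __init__(self, name, logstate=False, ratelimit=100, mean_time=30.0):
        self.name = name
        self.logstate = logstate        # Logstate: ENABLED (True) or DISABLED (False)
        self.ratelimit = ratelimit      # Ratelimit: messages this rule may generate
        self.mean_time = mean_time      # assumed unit: seconds a flow stays "the same"
        self.flows = {}                 # 5-tuple -> [first_ts, packet_count]
        self.emitted = 0
        self.suppressed = 0

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def _expire(self, now):
        """Drop flows whose mean time has elapsed to make room for new ones."""
        stale = [k for k, (t0, _) in self.flows.items() if now - t0 > self.mean_time]
        for k in stale:
            del self.flows[k]

    def handle(self, pkt):
        """Return the log message for this packet, or None if it is only counted."""
        if not self.logstate:
            return None
        key = self._key(pkt)
        flow = self.flows.get(key)
        if flow is not None and pkt.ts - flow[0] <= self.mean_time:
            flow[1] += 1                # same flow inside the mean time: count only
            return None
        # A new flow (or a known flow whose mean time is over) produces a message,
        # subject to the rule's rate limit and to the global flow cap.
        if self.emitted >= self.ratelimit:
            self.suppressed += 1
            return None
        if flow is None and len(self.flows) >= MAX_FLOWS:
            self._expire(pkt.ts)
            if len(self.flows) >= MAX_FLOWS:
                self.suppressed += 1
                return None
        self.flows[key] = [pkt.ts, 1]
        self.emitted += 1
        return (f"ACL {self.name}: new flow {pkt.proto} {pkt.src}:{pkt.sport} -> "
                f"{pkt.dst}:{pkt.dport} at t={pkt.ts}")

    def flow_count(self, pkt):
        """Packets counted so far for the flow this packet belongs to (0 if untracked)."""
        return self.flows.get(self._key(pkt), [0, 0])[1]


def run_demo():
    """Constructed traffic against a rule with a deliberately low rate limit."""
    log = AclLogger("deny-telnet", logstate=True, ratelimit=2, mean_time=30)
    base = dict(src="10.0.0.5", dst="10.0.0.9", proto="TCP", dport=23)
    packets = [Packet(ts=t, sport=40000, **base) for t in range(5)]  # one chatty flow
    packets.append(Packet(ts=10, sport=40001, **base))               # second flow
    packets.append(Packet(ts=12, sport=40002, **base))               # third: over the limit
    packets.append(Packet(ts=50, sport=40000, **base))               # first flow, mean time over
    messages = [m for m in map(log.handle, packets) if m is not None]
    return messages, log


if __name__ == "__main__":
    msgs, logger = run_demo()
    print("\n".join(msgs))
    print(f"emitted={logger.emitted} suppressed={logger.suppressed}")
```

With the rate limit at 2, the eight constructed packets yield two messages, one suppressed third flow, and one suppressed restart of the first flow after its mean time elapsed.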
The following procedure configures logging for an ACL and specifies the number of log messages that the rule can generate.
To configure ACL Logging using the configuration utility
1. In the configuration utility, in the navigation pane, expand Network and click ACLs.
2. In the details pane, click Extended ACLs, and then select the ACL for which you want to configure logging and click Open.
3. In the Modify ACL dialog box, select the Log State checkbox.
4. In the Log Rate Limit text box, type the rate limit that you want to specify for the rule and click OK.
After you configure ACL logging, you can enable it on the Access Gateway. Create an auditing policy and then bind it to a user, group, virtual server, or globally. To create an auditing policy, see To configure an Access Gateway log on page 252.
To enable ACL or TCP logging on the Access Gateway
In the Create Auditing Server or Configure Auditing Server dialog box, click ACL Logging or TCP Logging.
Appendix A
This chapter provides conceptual information about the security technologies used in the Access Gateway solution, helps you identify the number and type of certificates required, and helps you decide how and where to obtain and install them.
In This Appendix
Securing Connections with Digital Certificates
Configuring FIPS 140-2 on the Model 9000 FIPS Series
Important: When configuring certificates, do not use 512-bit keypairs. They are subject to brute force attacks.
Some organizations, including United States government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography. FIPS (Federal Information Processing Standard) 140 is a standard for cryptography. The SSL/TLS protocol allows sensitive data to be transmitted over public networks such as the Internet by providing the following important security features:
Authentication. A client can determine a server's identity and ascertain that the server is not an impostor. Optionally, a server can also authenticate the identity of the client requesting connections.
Privacy. Data passed between the client and server is encrypted so that if a third party intercepts messages, it cannot unscramble the data.
Data integrity. The recipient of encrypted data knows if a third party corrupts or modifies that data.
Introduction to Cryptography
The SSL/TLS protocol uses cryptography to secure communications. Cryptography provides the ability to encode messages to ensure confidentiality. Cryptography is also used to authenticate the identity of a message source and to ensure the integrity of its contents. A message is sent using a secret code called a cipher. The cipher scrambles the message so that it cannot be understood by anyone other than the sender and receiver. Only the receiver who has the secret code can decipher the original message, thus ensuring confidentiality. Cryptography allows the sender to include special information in the message that only the sender and receiver know. The receiver can authenticate the message by reviewing the special information. Cryptography also ensures that the contents of a message are not altered. To do this, the sender includes in the message the output of a cryptographic operation called a hash function. A hash function is a mathematical representation of the information, similar to the checksums found in communication protocols. When the data arrives at its destination, the receiver calculates the hash function. If the receiver's hash function value is the same as the sender's, the integrity of the message is assured.
Types of Cryptography
There are two main types of cryptography:
Secret key cryptography
Public key cryptography
In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information. Secret key cryptography is also known as symmetric key cryptography. With this type of cryptography, both the sender and the receiver know the same secret code, called the key. Messages are encrypted by the sender using the key and decrypted by the receiver using the same key. This method works well if you are communicating with only a limited number of people, but it becomes impractical to exchange secret keys with large numbers of people. In addition, there is also the problem of how you communicate the secret key securely. Public key cryptography, also called asymmetric encryption, uses a pair of keys for encryption and decryption. With public key cryptography, keys work in pairs of matched public and private keys. The public key can be freely distributed without compromising the private key, which must be kept secret by its owner. Because these keys work only as a pair, encryption initiated with the public key can be decrypted only with the corresponding private key. The following example illustrates how public key cryptography works: Ann wants to communicate secretly with Bill. Ann encrypts her message using Bill's public key (which Bill made available to everyone) and Ann sends the scrambled message to Bill. When Bill receives the message, he uses his private key to unscramble the message so that he can read it. When Bill sends a reply to Ann, he scrambles the message using Ann's public key. When Ann receives Bill's reply, she uses her private key to unscramble his message.
The major advantage asymmetric encryption offers over symmetric key cryptography is that senders and receivers do not have to communicate keys up front. Provided the private key is kept secret, confidential communication is possible using the public keys. Combining public key and secret key cryptography. The main disadvantage of public key cryptography is that the process of encrypting a message, using the very large keys common to PKI, can cause performance problems on all but the most powerful computer systems. For this reason, public key and secret key cryptography are often combined. The following example illustrates how this works:
Bill wants to communicate secretly with Ann, so he obtains Ann's public key. He also generates random numbers to use just for this session, known as a session key. Bill uses Ann's public key to scramble the session key. Bill sends the scrambled message and the scrambled session key to Ann. Ann uses her private key to unscramble Bill's message and extract the session key.
When Bill and Ann successfully exchange the session key, they no longer need public key cryptography; communication can take place using just the session key. For example, public key encryption is used to send the secret key; when the secret key is exchanged, communication takes place using secret key encryption. This solution offers the advantages of both methods: it provides the speed of secret key encryption and the security of public key encryption.
When establishing an SSL connection with a Web browser on a client device, the server sends its certificate to the client.
Appendix A
When receiving a server certificate, the Web browser (for example, Internet Explorer) on the client device checks to see which CA issued the certificate and whether the CA is trusted by the client. If the CA is not trusted, the Web browser prompts the user to accept or decline the certificate (effectively accepting or declining the ability to access this site). Now when Ann receives a message from Bill, the locally stored information about the CA that issued the certificate is used to verify that it did indeed issue the certificate. This information is a copy of the CA's own certificate and is referred to as a root certificate.

Certificates generally have a common format, usually based on ITU standards. The certificate contains information that includes the:
Issuer. The organization that issues the certificates.
Subject. The party that is identified by the certificate.
Period of validity. The certificate's start date and expiration date.
Public key. The subject's public key used to encrypt data.
Issuer's signature. The CA's digital signature on the certificate, used to guarantee its authenticity.
A number of companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.
Certificate Chains
Some organizations delegate the responsibility for issuing certificates to resolve the issue of geographical separation between organization units, or that of applying different issuing policies to different sections of the organization. Responsibility for issuing certificates can be delegated by setting up subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs. In this model, the root CA is at the top of the hierarchy and has a self-signed certificate. The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the subordinate CAs.
The hierarchical structure of a typical digital certificate chain.

CAs can sign their own certificates (that is, the certificates are self-signed) or have them signed by another CA. A CA whose certificate is self-signed is called a root CA. A CA whose certificate is not self-signed is called a subordinate or intermediate CA. If a server certificate is signed by a CA with a self-signed certificate, the certificate chain is composed of exactly two certificates: the end entity certificate and the root CA certificate. If a user or server certificate is signed by an intermediate CA, the certificate chain is longer. In the following figure, the first two elements are the end entity certificate (in this case, gwy01.company.com) and the certificate of the intermediate CA, in that order. The intermediate CA's certificate is followed by the certificate of its CA. This listing continues until the last certificate in the list is for a root CA. Each certificate in the chain attests to the identity of the previous certificate.
Getting Certificates
When you identify the number and type of certificates required for your Access Gateway deployment, you must decide where to obtain the certificates. Where you choose to obtain certificates depends on a number of factors, including:
Whether or not your organization is a CA, which is likely to be the case only in very large corporations
Whether or not your organization has already established a business relationship with a public CA
The fact that the Windows operating system includes support for many public Certificate Authorities
The cost of certificates, the reputation of a particular public CA, and so on
1. At the $ prompt, enter the command: openssl rsa. If you enter this command without arguments, you are prompted as follows:
read RSA key
2. Enter the name of the password to be encrypted. You can enter the openssl rsa command with arguments if you know the name of the private key and the unencrypted PEM file. For example, if the private key filename is my_keytag_key.pvk and the unencrypted filename is keyout.pem, enter openssl rsa -in my_keytag_key.pvk -out keyout.pem.
For more information, see the OpenSSL Web site at http://www.openssl.org/docs/apps/rsa.html#EXAMPLES. For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801.
1. Run the command: openssl pkcs7 -in ./certFile -print_certs
The output will look like this:
subject=...
...
-----BEGIN CERTIFICATE-----
... Server Certificate ...
-----END CERTIFICATE-----
subject=...
...
-----BEGIN CERTIFICATE-----
... Intermediate Cert ...
-----END CERTIFICATE-----
2. Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key.
1. Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
2.
Caution: Any certificate for the Access Gateway that has more than one level must include all intermediate certificates or the system could become unusable.
To generate trusted root certificates for multiple levels
1. Open Internet Explorer and access a Web page through the Access Gateway. For example, enter an address similar to the following:
https://ipAddress:httpPort//www.mypage.com
where ipAddress is the IP address of your Access Gateway and httpPort is the Access Gateway port number.
2. Double-click the Lock symbol in the bottom right corner of the browser.
3. Switch to the Certificate Path window pane at the top of the screen.
4. Double-click the first path level to bring up the certificate information for the first level and then go to the Details screen.
5. Click the Copy to File button at the bottom.
6. After the Certificate Export wizard appears, click Next.
7. Click the format Base-64 encoded and then click Next.
8. Enter a filename; for example, G:\tmp\servercert.cer.
9. Review the information and note the complete filename. Click Finish.
10. Click OK to close the Certificate Information window for the first level.
11. Repeat Steps 4 through 9 for all levels except the last level.
Insert all certificates in one file and make sure that any intermediate certificates are part of any certificate file you upload. The file to be uploaded should be in the following format:
private key
Server Certificate
Intermediate Certificate 0
Intermediate Certificate 1
Intermediate Certificate 2
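The procedure above (extracting the CA's reply with openssl pkcs7 -print_certs, then assembling the upload file as private key, server certificate, intermediates) as an added OpenSSL example that is not part of the Citrix guide. It generates a throwaway root CA, intermediate CA and server certificate (the CA names and the 30-day validity are assumptions for the demo; gwy01.company.com is the host name used earlier in this appendix), builds the bundle in the required order, and then uses openssl verify to show what the Caution above describes: the server certificate validates only when the intermediate is supplied with it.

```shell
#!/bin/sh
# Added example: build a three-level chain, assemble the upload bundle in the documented
# order, and show that the chain breaks when the intermediate is omitted.
set -eu

make_chain() {            # $1 = working directory (all files below are created in it)
  w=$1
  # Root CA: self-signed, the top of the hierarchy (constructed name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" -keyout "$w/root.key" -out "$w/root.pem" 2>/dev/null
  # Intermediate CA: its certificate is signed by the root and marked CA:TRUE.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$w/inter.key" -out "$w/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
  openssl x509 -req -days 30 -in "$w/inter.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
    -CAcreateserial -extfile "$w/ca.ext" -out "$w/inter.pem" 2>/dev/null
  # End entity: the gateway's server certificate, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gwy01.company.com" \
    -keyout "$w/server.key" -out "$w/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gwy01.company.com\n' > "$w/ee.ext"
  openssl x509 -req -days 30 -in "$w/server.csr" -CA "$w/inter.pem" -CAkey "$w/inter.key" \
    -CAcreateserial -extfile "$w/ee.ext" -out "$w/server.pem" 2>/dev/null
  # What a CA typically returns: a PKCS#7 bundle. Step 1 of the appendix unpacks it.
  openssl crl2pkcs7 -nocrl -certfile "$w/server.pem" -certfile "$w/inter.pem" -out "$w/reply.p7b"
  openssl pkcs7 -in "$w/reply.p7b" -print_certs -out "$w/reply_certs.pem"
  # Step 2: private key first, then the server certificate, then the intermediate(s).
  # The root is not part of the upload; the client already holds it as a trusted root.
  cat "$w/server.key" "$w/server.pem" "$w/inter.pem" > "$w/bundle.pem"
}

pkcs7_cert_count() {      # number of certificates the PKCS#7 reply carried (2 here)
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1/reply_certs.pem"
}

bundle_block_count() {    # PEM blocks in the upload file: key + server cert + intermediate = 3
  grep -c -- '-----BEGIN ' "$1/bundle.pem"
}

verify_server_cert() {    # $2 = with|without the intermediate; prints OK or FAIL
  if [ "$2" = with ]; then
    out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1/root.pem" "$1/server.pem" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

# Stand-alone run: the same server certificate, with and without its intermediate.
demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "certificates in CA reply:  $(pkcs7_cert_count "$demo_dir")"
echo "PEM blocks in upload file: $(bundle_block_count "$demo_dir")"
echo "with intermediate:         $(verify_server_cert "$demo_dir" with)"
echo "without intermediate:      $(verify_server_cert "$demo_dir" without)"
rm -rf "$demo_dir"
```

The verify step is a useful pre-upload check on any real bundle: run openssl verify with the root as -CAfile and the bundle as -untrusted against the server certificate, and upload only when it reports OK; a FAIL with "unable to get local issuer certificate" is exactly the missing-intermediate condition the Caution warns about.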
Requiring validation of the SSL server certificates increases security for the connections between the Access Gateway and the secure network. These connections are security-sensitive because they are used to configure the Access Gateway and grant or deny access to network resources using session policies. The Access Gateway requires installing the proper root certificates that are used to sign the server certificates.
To configure the Access Gateway to use FIPS 140-2, a secure certificate signed by a Certificate Authority must be installed on the Access Gateway. If you do not have a signed certificate, create a Certificate Signing Request and send it to a public CA, such as Verisign or Thawte. Citrix recommends installing the signed certificate on the Access Gateway before configuring FIPS 140-2. For more information about certificates, see Installing and Managing Certificates on page 75. The private key is associated with a server certificate that is signed by a Certificate Authority (CA). You can install the private key in the Hardware Security Module using the FIPS wizard or using the configuration utility.
Note: Only an administrator who logs on to the Access Gateway using nsroot (the administrative user name) can change the passwords and install the private key in the Hardware Security Module.
The following table summarizes the differences between the Access Gateway and the FIPS 140-2 appliance.
Setting: Private key storage. Access Gateway: On the hard drive. FIPS 140-2: On the FIPS card.
Setting: Cipher support. Access Gateway: All ciphers. FIPS 140-2: FIPS-approved ciphers.
Setting: Accessing private keys. Access Gateway: From the hard drive. FIPS 140-2: Not accessible.
Configuring FIPS 140-2 is similar to configuring a non-FIPS appliance. However, the processes differ, due to the presence of the Hardware Security Module on the Access Gateway FIPS 140-2 appliance. After completing the basic settings on the Access Gateway, configure the Hardware Security Module.
Note: When changing the Security Officer password and the user password for the first time, specify sopin123 as the old Security Officer password. Citrix recommends changing the passwords on the Hardware Security Module before configuring the module. The Hardware Security Module can be configured only by the appliance administrator and should be configured before you run the FIPS 140-2 appliance for the first time. When you configure the Hardware Security Module for the first time, you configure the passwords. The initial configuration also erases all the existing data on the Hardware Security Module. Note: Due to security constraints, the passwords for the Hardware Security Module cannot be retrieved. Store a copy of the password safely. If you need to initialize the Hardware Security Module, you need to specify this password as the old Security Officer password.
To initialize the Hardware Security Module
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. Click Initialize HSM.
3. In Security Officer (SO) Password, type a new password.
4. In Old SO Password, type sopin123, which is the default password.
5. In User Password, type userpin123, which is the default password.
6. In HSM Label, type FIPS-140-2 Level-2 or a label of your choice and click OK.
Important: After the Hardware Security Module is initialized, save the Access Gateway configuration. If this is not done and the appliance is restarted, the FIPS 140-2 card will not function. Any subsequent attempt to change the Security Officer password locks the card.
1. In the configuration utility, in the navigation pane, expand SSL and click FIPS.
2. In the details pane, under SSL Certificates Overview, click FIPS wizard.
3. Click Next and follow the directions in the wizard.
Note: If you do not have a signed certificate, use the Certificate Signing Request that is in the FIPS wizard. After creating the CSR, exit the wizard. When you receive the signed certificate back from the Certificate Authority, you can run the FIPS wizard again to install the certificate and the private key.
To create a FIPS 140-2 key using the configuration utility
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. In the details pane, on the FIPS Keys tab, click Add.
3. In Fips Key Name, type the name of the key.
4. In Modulus, type 1024. The modulus is the key-bit length. Citrix recommends a modulus size of 1024.
5.
The FIPS key is stored in the Hardware Security Module of the Access Gateway.
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the FIPS Keys tab, click Export.
3. Under FIPS Key Name, select the key you want to export.
4. In File Name, type the name of the file to be exported and click Export.
The exported file is stored in the /nsconfig/ssl directory by default. If you choose to use any other directory, you must specify the complete path to the location. You can also click Browse to start the file explorer to navigate to any location on the Access Gateway.
Important: To avoid errors when importing a FIPS 140-2 key, when you export the key, make sure that the name of the exported key is the same as the original key name when it was created. If a private key on the Hardware Security Module is deleted, the associated server certificates cannot be used because the private key is associated with the server certificate. When the private key is deleted, you cannot create the same key a second time.
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the FIPS Keys tab, click Import.
3. Next to Import From, select FIPS key file.
4. In FIPS Key Name, type the name of the FIPS 140-2 key to be created.
5. In Key File Name, type the name of the FIPS 140-2 key to be imported and click Import.
Note: The default location is the /nsconfig/ssl directory. If the file is located in another directory, you must specify the complete path to the location. You can also click Browse to launch the file explorer and navigate to any location on the Access Gateway.
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the Wrap Keys tab, click Add.
3. In Wrap Key Name, type the name of the wrap key.
4. In Password, type the password to be used for the wrap key.
5. In Salt, type the salt string to be used for the wrap key and click Create.
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the FIPS Keys tab, click Import.
3. Next to Import From, click Pkcs8 file and click Convert.
4. In Key Name (Pkcs8 format), click Browse and navigate to the private key.
5. In Private Key Path, click Browse and navigate to the private key.
6. Under Key Format, select the format to which the external key is saved.
7. In Password, type the password used to encrypt the key, click Convert, and then click Import.
After converting the private key to the PKCS8 format, import the internal key to the Hardware Security Module.
To import an external private key as a FIPS key
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the FIPS Keys tab, click Import.
3. Click Import From Pkcs8 file.
4. In FIPS Key Name, type the name of the FIPS key to be created.
5. In Key File Name, type the name of the FIPS key to be imported.
6. Under Wrap Key Name, select the wrap key to be used for the import.
7. In IV, type the initialization vector to be used for importing the key, such as wrapkey123, and click Create.
Note: For security reasons, delete the external private key from the hard disk after you import it into the Hardware Security Module.
This is also known as secure information management. If you have two Access Gateway appliances configured as a high availability pair, the same private key and server certificate must reside on each appliance. You can use the FIPS wizard to import certificates from an IIS server or from the primary Access Gateway appliance. During the wizard, select Import existing private key as FIPS key and then select the private key. Before running the FIPS wizard, create the wrap key that is used for importing private keys. Citrix recommends using the FIPS wizard to import the private key. You can also import the private key using the configuration utility.
To configure high availability with FIPS 140-2 using the configuration utility
1. In the configuration utility, in the Navigation pane, expand SSL and click FIPS.
2. On the FIPS Info tab, click Enable SIM.
3. In Certificate File Name, type the file name and path on the source system where the FIPS 140-2 certificate is stored.
4. In Key Vector File Name, type the file name and path on the source system where the FIPS 140-2 key vector is stored.
5. In Target Secret File Name, type the location for storing the secret data on the target system.
6. In Source Secret File Name, type the location for storing the secret data on the target system and click OK.
Note: The secret file on the source and target system is the file on the system to which the FIPS key is copied before it is transferred or received.
Appendix B
Advanced Concepts
This appendix discusses some of the advanced settings you can configure on the Access Gateway.
In This Appendix
Configuring DNS Virtual Servers
Using Operators and Operands in Policy Expressions
Configuring Server-Initiated Connections
Enabling Access Gateway Plugin Logging
1. In the configuration utility, in the navigation pane, expand Virtual Servers and Services and click Virtual Servers.
2. In the details pane, click Add.
3. In Name, type a name for the virtual server.
4. In IP Address, type the IP address of the DNS server.
5. In Port, type the port on which the DNS server listens.
6. In Protocol, select DNS and click Create.
Finally, associate the DNS virtual server with the Access Gateway. There are two different methods by which this can be accomplished. The virtual server can either be tied globally to the Access Gateway or on a per virtual server basis, depending on the needs of your Access Gateway.
1. In the configuration utility, in the navigation pane, expand Virtual Servers and Services and click Services.
2. In the details pane, click Add.
3. In Service Name, type a name for the service.
4. In Protocol, select DNS.
5. In Server, type the IP address of the DNS server.
6. In Port, type the port number.
7. On the Monitors tab, under Available, select dns, click Add, click Create and click Close.
Next, create the DNS virtual server using the procedure To configure a DNS virtual server on page 277 and bind the DNS service to the virtual server.
To bind a DNS service to a DNS virtual server
In the Configure Virtual Service (Load Balancing) dialog box, on the Services tab, select the DNS service, click Create and click Close.
Qualifier: Method
Operator: EQ/NEQ
Operand: Required. Standard HTTP methods. Supported methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT.
Action: Verifies the incoming request method against the configured method.
Example: Method EQ GET

Qualifier: URL
Operator: EQ/NEQ
Action: Verifies the incoming URL against the configured URL.
Examples: URL EQ /foo*.asp; URL EQ /foo*; URL EQ /*.asp; URL EQ /foo.asp

Qualifier: URL
Operator: CONTAINS
Action: Verifies the incoming URL for the presence of the configured pattern. (Includes URL and URL query.)
Example: URL CONTAINS ZZZ

Qualifier: URL LEN
Operator: GT
Operand: Required. Length (as an integer value).
Action: Compares the incoming URL length with the configured length. (Includes URL and URL query.)
Example: URLLEN GT 60

Qualifier: URL QUERY
Operator: CONTAINS/NOTCONTAINS
Operand: Required. Any string (in quotes). Optional: length and offset.
Action: Verifies the incoming URL query for the presence of the configured pattern. Used similarly to CONTENTS. If no option is specified, the whole URL query after the pattern is used. If options are present, only the length of the query after the pattern is used. The offset indicates where to start the search for the pattern.

Qualifier: URL QUERY length (URLQUERYLN)
Operator: GT
Operand: Required. Length (as an integer value).
Action: Compares the incoming URL query length with the configured length.
Example: URLQUERYLN GT 60

Qualifier and operator: not legible in this copy of the table
Action: Compares the incoming URL for the presence of configured tokens. A backward slash (\) must be entered in front of the question mark.

Qualifier: VERSION
Operator: EQ, NEQ
Operand: Required. Standard HTTP versions (valid HTTP version strings: HTTP/1.0, HTTP/1.1).
Action: Compares the incoming request's HTTP version with the configured HTTP version.
Example: VERSION EQ HTTP/1.1

Qualifier: HEADER
Operator: EXISTS
Action: Examines the incoming request for the presence of the HTTP header.
Example: Header Cookie EXISTS

Qualifier: HEADER
Operator: CONTAINS/NOTCONTAINS
Operand: Required. Any string (in quotes). Optional: length and offset.
Action: Verifies the incoming request for the presence of a configured pattern in the specified header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the length of the header after the pattern is used. The offset indicates where to start the search for the pattern.
Example: Header Cookie CONTAINS "&sid"

Qualifier: HEADER
Operator: CONTENTS
Operand: Optional.
Action: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the length of the header starting from the offset is used.
Example: Header User-Agent CONTENTS

Qualifier: SOURCEIP
Operator: EQ/NEQ
Action: Verifies the source IP address in the incoming request against the configured IP address. If the optional netmask is specified, the incoming request is verified against the configured IP address and netmask.

Qualifier: DESTIP
Operator: EQ/NEQ
Action: Verifies the destination IP address in the incoming request against the configured IP address. If the optional netmask is specified, the incoming request is verified against the configured IP address and netmask.

Qualifier: SOURCEPORT
Operator: EQ/NEQ
Action: Verifies the source port number in the incoming request against the configured port number.
Example: SOURCEPORT EQ 10-20

Qualifier: DESTPORT
Operator: EQ/NEQ
Action: Verifies the destination port number in the incoming request against the configured port number.
Example: DESTPORT NEQ 80

Qualifier: CLIENT.SSL.VERSION
Operator: EQ/NEQ
Action: Checks the SSL/TLS version being used in the secure connection.
Example: CLIENT.SSL.VERSION EQ SSLV3

Qualifier: CLIENT.CIPHER.TYPE
Operator: EQ/NEQ
Action: Checks the type of the cipher being used (export or nonexport).
Example: CLIENT.CIPHER.TYPE EQ EXPORT

Qualifier: CLIENT.CIPHER.BITS
Operator: EQ, NEQ, GE, LE, GT, LT
Operand: Required. Client cipher bits.
Action: Checks the key strength of the cipher being used.
Example: CLIENT.CIPHER.BITS GE 40

Qualifier: CLIENT.CERT
Operator: EXISTS, NOTEXISTS
Action: Checks whether or not the client sent a valid certificate during the SSL handshake.
Example: CLIENT.CERT EXISTS

Qualifier: CLIENT.CERT.VERSION
Operator: EQ, NEQ, GE, LE, GT, LT
Operand: Required. Client certificate version.
Action: Checks the version of the client certificate.
Example: CLIENT.CERT.VERSION EQ 2

Qualifier: CLIENT.CERT.SERIALNUMBER
Operator: EQ/NEQ
Operand: Required. Client certificate serial number.
Action: Checks the serial number of the client certificate. The serial number is treated as a string.
Example: CLIENT.CERT.SERIALNUMBER EQ 2343323

Qualifier: CLIENT.CERT.SIGALGO
Operator: EQ/NEQ
Operand: Required. Client certificate signature algorithm.
Action: Checks the signature algorithm used in the client certificate.
Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption

Qualifier: CLIENT.CERT.SUBJECT
Operator: CONTAINS, NOTCONTAINS
Operand: Required. Client certificate subject. Optional: length, offset.
Action: Checks the subject field of the client certificate.
Example: CLIENT.CERT.SUBJECT CONTAINS CN=NetScaler

Qualifier: CLIENT.CERT.ISSUER
Operator: CONTAINS, NOTCONTAINS
Operand: Required. Client certificate issuer. Optional: length, offset.
Action: Checks the issuer field of the client certificate.
Example: CLIENT.CERT.ISSUER CONTAINS O=VeriSign

Qualifier: CLIENT.CERT.VALIDFROM
Action: Checks the date from which the client certificate is valid. Valid date formats are: Tue, 05 Nov 1994 08:12:31 GMT; Tuesday, 05-Nov-94 08:12:31 GMT; Tue Nov 14 08:12:31 1994

Qualifier: CLIENT.CERT.VALIDTO
Action: Checks the date until which the client certificate is valid. Valid date formats are: Tue, 05 Nov 1994 08:12:31 GMT; Tuesday, 05-Nov-94 08:12:31 GMT; Tue Nov 14 08:12:31 1994
When an IP address is assigned to a user's session, it is possible to connect to the user's client device from the internal network. For example, users connecting with Remote Desktop or a VNC client can access the user's client device for diagnosing a problem application. It is also possible for two remotely logged on Access Gateway users with internal network IP addresses to communicate with each other through the Access Gateway. Allowing discovery of the internal network IP addresses of the logged on users on the appliance aids in this communication. A remote user can use the ping command to discover the internal network IP address of a user who could be logged on to the Access Gateway at that time. The command for this is:
ping <username.domainname>
A server can initiate a connection to a client in many different ways. These can be either TCP or UDP connections. The connections can originate from an external system in the internal network or from another computer logged on to the Access Gateway. The internal network IP address assigned to each client logged on to the Access Gateway is used for these connections. The different types of server-initiated connections that the Access Gateway supports are described below.

In the first type of connection, the server has prior knowledge of the client's IP address and port and makes a connection to it. This connection is intercepted by the Access Gateway.

In the second type of connection, the client makes an initial connection to the server and the server connects back to the client on a port that is known or derived from the first configured port.

In the third type of connection, the client device makes an initial connection to the server and then exchanges ports and IP addresses with the server using an application-specific protocol in which this information is embedded. This enables the Access Gateway to support applications such as active FTP connections. The port command is used in active FTP and certain Voice over IP protocols.

The Access Gateway supports plug-in to plug-in connections through the use of the internal network IP addresses. With this type of connection, two Access Gateway clients that use the same Access Gateway can initiate connections with each other. An example of this is using instant messaging applications, such as Windows Live Messenger or Yahoo! Messenger.

If a user logged on to the Access Gateway does not execute a clean logoff (the logoff request did not reach the appliance), the user can log on again using any device and replace the previous session with a new session. This feature might be beneficial in deployments where one IP address is assigned per user.
When an inactive user logs on to the Access Gateway for the first time, a session is created and an IP address is assigned to the user. If the user logs off but the logoff request gets lost or the client fails to perform a clean logoff, the session is maintained on the system. If the user tries to log on again from the same device or another device, after successful authentication, a transfer logon dialog box is presented to the user. If the user chooses to transfer logon, the previous session on the Access Gateway is closed and a new session is created. The transfer of logon is active for only two minutes after logoff and if logon is attempted from multiple devices simultaneously, the last logon attempt is the one that replaces the original session.
The hooklog<num>.txt file logs interception messages generated by the Access Gateway Plugin, and the nssslvpn.txt file records errors from the plugin. You can also send these files to Citrix customer support for assistance.
Note: The hooklog.txt files are not deleted automatically. Citrix recommends deleting the files periodically.
All logging files are located in the directory %systemroot%\All Users\Application Data\Citrix\AGEE. You can use these log files to troubleshoot the Access Gateway Plugin. Users can email the log files to technical support if problems are encountered. In the Configuration dialog box, users can set the level of logging for the Access Gateway Plugin. The logging levels are:
Record error messages
Record event messages
Record Access Gateway Plugin statistics
Record all errors, event messages, and statistics
1. Right-click the Access Gateway icon in the notification area and click Configure Access Gateway.
2. Click the Trace tab, select the log level, and click OK.
Index
A
Accelerator Plugin using with Access Gateway Plugin 181 access control list 198 logging 253 Access Gateway 78 Access Gateway wizard 34-35, 42 administrator accounts 243 alerts 16 configuration settings 246 configuration testing 54 configuring primary for high availability 61 default IP address 52 deploying in DMZ 25, 36 deploying in double-hop DMZ 29 deploying in secure network 26 deploying with server farm 27 Education and Training 16 hardware platforms 21 installation 36, 41 installation prerequisites 32 installation, materials for 36 installing in DMZ 25, 31 IP address types 36 local users 110 logon page 110 Model 10010 21 Model 7000 21 Model 9000 21 Published Applications Wizard 34-35 reverse proxy 216 saving configuration 247 Setup Wizard 34, 42, 52 synchronizing 62 upgrading 241 Access Gateway Advanced Edition 86 Access Gateway Model 10010 22 Access Gateway Model 7000 22 Access Gateway Model 9000 22
Access Gateway Model 9000 with FIPS 140-2 22 Access Gateway Model 9010 22 Access Gateway Plugin 20-21, 25, 29, 91 intranet applications 198 IPv6 51 TCP compression monitoring 105 TCP compression policy 101 using with Citrix Accelerator Plugin 18, 181 using with firewalls 187 using with proxy server 187 Web Interface 160 Windows 151 with Citrix XenApp Plugin for Hosted Apps 154 Access Gateway Plugin for ActiveX 20, 90-91, 151, 162 client choices 177 configuring on Access Gateway 163 system requirements 162 Access Gateway Plugin for Java 20, 91, 151, 189 client choices 177 configuring on Access Gateway 164 intranet applications 199, 201, 210 system requirements 164 Access Gateway Plugin for Windows 90-91, 189 client choices 176 configuring on Access Gateway 163 Access Gateway Policy Manager authentication, configuring 113 creating virtual server 50 Access Gateway proxy binding to a virtual server 50 Access Gateway wizard 34-35, 42 authentication 109, 113 Certificate Signing Request 76 clientless access 166 IPv6 51 Access Interface 21, 91, 213 portal links 215
Access Scenario Fallback 175, 178 guidelines 180 quarantine group 178 accounting 19 Active Directory 108, 145 administrator accounts 243 administrator password 41 high availability 58 RPC node 60 alerts Knowledge Center 16 application time-out 94 asymmetric encryption 257 auditing policy 251 binding to virtual server 50
authorization 19, 32, 35, 92, 138 authentication 109 client choices group 176 default global 138 groups 92 LDAP group attribute field 142 RADIUS group extraction 143 setting priorities 140 authorization group 229 configuring 230 authorization policy binding 140 auto negotiation 43
B
backup license 44 BGF 54 binding authentication policy 114 authorization policy 140 certificates 80 preauthentication policy 225 session policies 93 TCP compression policy 104 traffic policy 94-95 virtual servers 50 binding policies 89 bookmarks binding to virtual server 50 Border Gateway Protocol 54
C
cascading authentication 131 CAs. See Certificate Authority Certificate Authority 23, 32, 43, 75, 259 configuration utility 76 private 262 public 262 subordinate 259 certificate management 32 Certificate Revocation Lists 261 Certificate Signing Request 43, 76, 78 creating 78 private key 77
certificates 258 authentication 258 binding to virtual server 80 client authentication 108 combining with private key 265 content 259 converting to PEM format 264 DER 75 DSA private key 77 exporting 83 fully qualified domain name 79 generating for multiple levels 265 hierarchy 259 imported, installing 84 importing 83 importing from Secure Gateway 83 installing 35, 79, 263 intermediate 76, 80-81, 260 intermediate, installing 82 LDAP connections 133 management 76 password-protected 77 PEM 75 PFX 75 PKCS #12 75, 77 private 262 private key 77 private key, unencrypting 264 renewal 261 revocation lists 261 root 23, 75-76, 80, 134, 258 RSA private key 77 self-signed 81 server 75-76, 78, 80, 258 signed 43 subordinate 81, 260 test 43, 75 verification process 262 Challenge-Handshake Authentication Protocol 121, 143 CHAP, see Challenge-Handshake Authentication Protocol checklist pre-installation 58 ciphers description 256 Citrix Accelerator Plugin 151 Citrix NetScaler 87 Citrix Preferred Support Services 14 Citrix Presentation Server Clients, see Citrix XenApp Plugin for Hosted Apps Citrix Solutions Advisers 14
Citrix XenApp 24 Access Gateway Advanced Edition settings 86 configuring user connections 153 deploying 27 double-hop DMZ deployment 29 file type association 96 policy names 86 Published Applications Wizard 34 single sign-on 92, 197 split tunneling 207 Citrix XenApp Plugin for Hosted Apps 25, 27, 29, 151-153 ICA proxy setting 92 IPv6 51 with Access Gateway Plugin 154 Citrix XenDesktop 18 client certificate authentication 108 two-factor 129 user name extraction 129 client certificates authentication 127 client choices 92, 173-174 Access Gateway Plugin for ActiveX 177 Access Gateway Plugin for Java 177 authorization group 176 configuring options 176 quarantine groups 175 Secure Ticket Authority 177 client cleanup 92 client connections access method 160 configuring 163 ending sessions 21, 250 managing 249 multiple logon options 173 optimizing 94 refreshing 250 session profile 91 time-out settings 191 types 20 viewing 250 client security 21 client security expressions 87 types 87 client software Access Gateway Plugin for ActiveX 20 Access Gateway Plugin for Java 20 Access Gateway Plugin for Windows 20 Citrix XenApp Plugin for Hosted Apps 20 client types 91
D
Data Encryption Standard 77 dead intervals 62 debugging 92 default gateway 32, 37, 52 high availability 59 default gateway IP address 36 default global authentication types 109 delegated administrators 243 deployment authentication support 24 double-hop DMZ 29 secure network 26 single DMZ 27 Web Interface 2728 deployment options 24 DER certificates 75 DES, see Data Encryption Standard disabling authentication 136 DMZ deploying Access Gateway 25, 36 deploying double-hop 29 deploying Web Interface 28, 30 installation 31 single deployment 27 Web Interface, double-hop 29 DNS suffix IP pooling 206 DNS, see Name Service Providers documentation related 16 documentation conventions 13 documentation, product 14 domain single sign-on 197 double-hop binding to virtual server 50 double-hop DMZ deployment 29 double-source authentication 131132 DSA 77 DSA private key 77 dynamic routing 53
encryption asymmetric 257 public key 258 endpoint analysis 87, 217 expressions 221 MD5 checksum in process policy 234 policy types 217 SmartAccess 182 system requirements 218 exporting certificates 83 expressions client security 87, 232 client security, preauthentication 231 client security, types of 87 compound 88 compound client security 238 custom 89, 222 endpoint analysis 221 file policies 235 general 87 inline 88 multiple 224 named 88, 221 named, creating 88 network-based 87 operating system policies 234 policy 87 process policies 234 registry policies 236 service policies 233 simple 88 types 87 external authentication 110
F
failover high availability 58, 67 listen mode 68 failover interface set 73 Federal Information Processing Standard 22 Federal Information Processing Standard 140-2 17, 256 Access Gateway Model 9000 22 file shares single sign-on 194 file transfer system IP address 53 file transfer utility single sign-on 194 file type association 94, 96 requirements 96
E
Education and Training 16 email Web-based 91
294
filters 86 FIPS 140, see Federal Information Processing Standard firewall using with Access Gateway Plugin 187 firewall ports 2526 FIS, see failover interface set flash disk 37 forced time-out 191192 FQDN, see fully qualified domain name FTP configuring for use with client 156 full duplex 43 fully qualified domain name 44
G
Gemalto Protiva 122, 125 authentication 109 general expressions 87 global user limit 136 group attribute field LDAP 142 group extraction LDAP 141 LDAP, multiple domains 145 RADIUS 143 group sessions 249 terminating 250 groups add users 112 authorization 92, 229 authorization, client choices 176 authorization, configuring 230 creating 111 deleting 112 quarantine 92, 228
H
half duplex 43 hardware platforms 21 health check high availability 58 heartbeat packets 71 hello intervals 62
I
ICA 2930 ICA proxy 92, 145, 182 IP address assignment 53 ICA session 151 ICSA 17 idle session time-out 192193 IEEE 802.11 support 31 IETF, see Internet Engineering Taskforce
Index
imported certificates installing 84 importing certificates 83 from Secure Gateway 83 INC, see independent network configuration independent network computing configuring 72 independent network configuration 71 high availability 71 inline expressions 88 installation Access Gateway 36 certificates 79 firewall ports 2526 materials needed 36 prerequisites 32 procedure for Access Gateway 41 secure network 26 single DMZ 25, 31 installing certificates 35 custom home page 215 interception mode 164165, 189, 199 client choices 177 intranet applications 199 intermediate certificates 76, 8081 installing 82 Internet Engineering Taskforce 255 Internet Protocol version 6 Internet Protocol version 6, see IPv6 Internet security protocols 255 intervals high availability 62 intranet applications 189, 198199 Access Gateway Plugin 198 Access Gateway Plugin for Java 199, 201, 210 binding to virtual server 50 intranet IP address, see IP pooling IP address 36 assigning 53 configuring using Setup Wizard 42 configuring using the Access Gateway wizard 42 default 52 default gateway 37, 52 high availability 58 mapped 37, 52, 91 private network 92 subnet 37, 52 system 37, 52 virtual server 3637, 50 IP address extraction RADIUS 121 IP pooling 91, 202 binding to virtual server 50 DNS suffix 206 options 205 requirements 202 sessions 249 split tunneling 202 spoof IP address 206 terminating session 250 IPv6 51 IPv6, see Internet Protocol version 6 ISO X.509 protocol 258
295
K
Knowledge Center 14 alerts 16
L
LAC, see License Authorization Code LDAP attribute fields 116 attributes, determining 119 ports 116 single sign-on 196 StartTLS 116 LDAP authentication 24, 108 certificates 133 group memberships 141 LDAP browser 119 LDAP group attribute field 142 LDAP group extraction 141 multiple domains 145 license backup 44 high availability 48, 59 installing 44 platform 4445 platform, downloading 45 platform, installing 45 universal 18, 44, 46 universal, downloading 46 universal, installing 47 user connections 32, 46 viewing 48 License Authorization Code 46 link redundancy 73 Linux 20 local authentication 24, 108, 110
296
local LAN access 92 local users 110 creating 54 groups 111 password 110 removing 111 logging 19, 251 access control list 253 TCP connections 253 logon page Access Gateway 110 logon scripts 92
O
one-time password 122 Open Shortest Path First 54 OSPF 54 Outlook Web Access 91 OWA, see Outlook Web Access
M
Mac OS X 20 managing certificates 76 mapped IP address 3637, 52, 91 high availability 59 ICA proxy 53 Name Service Providers 53 materials for Access Gateway installation 36 maximum users 136 MD5 checksum 234 Microsoft Challenge-Handshake Authentication Protocol 121, 143 Model 10010 21 rack installation 38 Model 7000 21 rack installation 37 Model 9000 21 rack installation 38 MS-CHAP, see Microsoft Challenge-Handshake Authentication Protocol multiple expressions 224
P
PAP, see Password Authentication Protocol password administrator 41, 60 high availability, administrator 58 local users 110 one-time 122 RPC node 60 Password Authentication Protocol 121, 144 PEM certificates 75, 264 personal identification number 122 PFX certificates 75 PIN, see personal identification number PKCS #12 certificates 75 PKI, see Public Key Infrastructure platform license 45 downloading 45 installing 45
N
Name Service Providers 32, 35, 91, 209 configuring 55 IP address assignment 53 named expressions 88, 221 creating 88 NAS ID, see network access server identifier NAS IP, see network access server NetScaler Application Switch 21, 87 network access 198 network access server 120 network access server identifier 120
Index
policies 86 Access Gateway Advanced Edition settings 86 adding session profile 93 auditing 251 authentication 87 authentication priority 115 authentication types 108 authentication, binding 108 authentication, evaluation of 112 binding 86, 89 command 243 conditional 86 creating 89 description 85 endpoint analysis 87 expressions 87 post-authentication 217, 227 preauthentication 217 preauthentication, binding 225 priorities 86, 108 session 90 session, binding 93 session, creating 90 TCP compression 101 TCP compression, benefits 101 TCP compression, binding 104 TCP compression, creating 102 TCP compression, methods 102 traffic 94 traffic creating 94 traffic, binding 9495 traffic, HTTP compression 94 traffic, parameters 94 traffic, removing 96 policy filters 86 policy names Citrix XenApp 86 port redirection 35 portal links Access Interface 215 portal mode Web Interface 92 ports high availability 58 in DMZ 25 in secure network 26 LDAP 116 post-authentication policy 217, 227 Access Scenario Fallback 178 configuring 227 preauthentication policy 21, 217 binding 225 binding to virtual server 50 client security expression 231 profile 220 removing 226 precedence policies 86 pre-installation checklist 58 high availability 58 prerequisites installation 32 Presentation Server Clients, see XenApp Plugin for Hosted Apps priorities 86 authentication, setting 132 authorization policy 140 private certificates 262 private key 77 combining with signed certificate 265 DSA 77 RSA 77 unencrypting 264 private network IP address 92 process policy MD5 checksum 234 product alerts 16 product documentation 14 profile description 85 preauthentication policy 220 session 91 session, adding to policy 93 session, creating 91 proxy reverse 216 proxy servers 190 settings 92 public Certificate Authority 262 public key encryption 258 Public Key Infrastructure 255 published applications 27 Published Applications Wizard 3435
297
Q
quarantine group 21, 92, 227228 Access Scenario Fallback 178 client choices 175 configuring 229
298
R
rack installation Model 10010 38 Model 7000 37 Model 9000 series 38 RADIUS authentication 24, 108 group extraction 143 guidelines 120 IP address extraction 121 protocols 121 shared secret 121 using SafeWord 124 works with 109 refresh session information 250 related documentation 16 remote access 17 removing local users 111 requirements high availability 58 reverse proxy 216 reverse split tunneling 208 RIP, see Routing Information Protocol root certificates 23, 7576, 80, 134, 258 route monitors adding 72 routed networks high availability 70 routes static 54 static and dynamic 53 Routing Information Protocol 53 RPC node administrator password 60 RSA 77 RSA private key 77 RSA SecurID authentication 24, 109, 122
S
SafeWord authentication 24, 109, 122123 configuration 124 supported products 124 Secure Gateway 17 importing certificates 83 SafeWord authentication 123 secure network deploying in 26 Secure Socket Layer 187, 255 Secure Ticket Authority 27, 177 binding to a virtual server 50
Index
single sign-on 92, 94, 194 file transfer utility 194 to Citrix XenApp 197 to server farm 197 Web applications 94, 195 Web applications using LDAP 196 with Windows 92, 194 XenApp 92 Small Form-factor Pluggable Network Ports 39 smart card authentication 130 SmartAccess 17, 86, 151, 178, 182, 218, 227 endpoint analysis 182 SNMP 37 Softerra LDAP browser 119 software version for high availability 58 split DNS 92 split tunneling 91, 207 Citrix XenApp 207 IP pool 202 reverse 208 spoof intranet IP address 91, 206 SSL, see Secure Socket Layer StartTLS 116 static routes 5354 testing 54 STA, see Secure Ticket Authority subnet IP address 3637, 52 ICA proxy 53 Name Service Providers 53 subordinate certificates 81 Subscription Advantage 15 support 14 symmetric network configuration 71 synchronizing appliances 62 forcing 63 system IP address 37, 52 authentication 53 file transfers 53 high availability 58 TCP connections logging 253 technical support 14 test certificates 43, 75 testing Access Gateway configuration 54 testing static routes 54 time-out application 94 forced 191192 idle session 192193 session 192193 time-out settings 91, 191 TLS, see Transport Layer Security traffic policies 94 traffic policy 94 binding 95 binding to virtual server 50 creating 94 HTTP compression 94 parameter 94 removing 96 Transfer Login page 205 Transport Layer Security 187, 255 triple DES, see Data Encryption Standard troubleshooting high availability 65 two-factor client certificate authentication 129
299
U
universal license 18, 46 downloading 46 installing 47 upgrading Access Gateway software 241 URL encoding clientless access 92 user connections 20 Access Gateway Plugin 154 Citrix XenApp 153 license 32, 46 licenses for 48 user groups users 111 user limit virtual server 137 user name extraction 129 user principal name 196
T
TACACS+ authentication 24, 108, 126 TCP compression policy 101 Access Gateway Plugin 101 benefits 101 binding 104 creating 102 methods 102 monitoring 105
300
user sessions 249 terminating 250 users add to groups 112 local 110 maximum sessions 136
X
XenApp 2425 Access Gateway Advanced Edition settings 86 deploying 27 file type association 96 policy names 86 Published Applications Wizard 34 single sign-on 92 XenApp Plugin for Hosted Apps 25, 27, 29, 151153 ICA proxy setting 92 XML Service Secure Ticket Authority 30 X.509 standard 81, 259
V
VeriSign, see Certificate Authority, public virtual server 19 binding 50 binding certificates 80 configuring 35 creating 4950 IP address 3637, 50 IPv6 51 Secure Ticket Authority 177 user limit 137 Voice over IP 209 spoof IP address 206
W
WANScaler 151, 181 WANScaler client, see Accelerator Plugin WANScaler client, see Citrix Accelerator Plugin Web applications single sign-on 94, 194195 Web browser logging on to configuration utility 41 Web Interface 24 Access Scenario Fallback 152, 178 address 92 client choices 176177 deployment 27 deployment in DMZ, behind Access Gateway 28 deployment in DMZ, parallel to Access Gateway 28, 30 deployment in secure network 28 double-hop DMZ 29 portal mode 92 single sign-on 194 Windows single sign-on 92, 194 Windows NT Lan Manager, see NTLM WINS, see Name Service Providers