
How To Install and Configure Citrix Web Interface 4.6 and Citrix Secure Gateway on the same server


Page 1: How To Install and Configure Citrix Web Interface 4.6 and Citrix Secure Gateway on the same server

Introduction

Part 1

Citrix Web Interface 4.6 is an ASP.Net 2.0 application that provides access to Citrix Published Applications via a web browser. When deployed by itself, Internet Based users require direct ICA (TCP Port 1494) or Common Gateway Protocol (TCP Port 2598) Communication with each Citrix Server hosting their published applications. This involves allowing communications from the Public Internet directly into the Private Network and opening firewall ports. Additionally, it requires that the client can successfully communicate over ports 1494 or 2598.

Citrix Secure Gateway 3.0 (CSG) is a Reverse Proxy that provides secure remote access to Citrix Published Applications over SSL (TCP Port 443). When deployed in a DMZ it solves the security and access problems previously listed, i.e. the client only needs to be able to contact the CSG over port 443 and the CSG communicates on behalf of the clients with the Citrix Servers on the Private Network. No communication happens between the Public Internet and Private/Corporate Network.

Both Citrix Web Interface and Secure Gateway are available to Citrix Presentation Server Customers via http://www.mycitrix.com.

Software pre-requisites (for the machine to host Web Interface 4.6 and Secure Gateway 3.0):

1. Windows Server OS, i.e. 2003 Web or 2003 Standard Edition.
2. IIS w/ ASP.Net
3. .Net Framework 2.0
4. Microsoft Visual J# Version 2.0 Redistributable Package
5. Access Management Console for Presentation Server 4.5 (Framework only)
6. Web Interface 4.6 Access Management Console Extension
7. 3rd Party SSL Server Certificate (i.e. from Verisign, Thawte, GeoTrust, GoDaddy...)

Hardware Requirements:

1. Server capable of running Windows Server OS w/ IIS
2. Firewall with an available DMZ Port

Web Interface 4.6 for Windows - Installation and Configuration

The initial installation and configuration of the Web Interface / Secure Gateway Server should be performed on the Private Network, to ensure that all components are working properly before moving the server to the DMZ. Since the server’s final destination is in the DMZ, the server should NOT be a domain member.


After installing software pre-requisites 1 through 6, download and launch the Web Interface installation program (WebInterface.exe). Install Web Interface and accept the defaults.

Download the Citrix Web Client and place ica32web.msi in “C:\Program Files\Citrix\Web Interface\4.6\Clients\ica32\”.

Download the Citrix Java Client and place the components in “C:\Program Files\Citrix\Web Interface\4.6\Clients\icajava\”.

Launch the Access Management Console (AMC). The first time the AMC is run, discovery is performed to identify the components that will be managed.

Select the option, “Do not contact servers running the configuration service”, unless you want to centrally store the Web Interface Configuration (refer to the Web Interface Administrators Guide).


After the discovery process completes, right click on the Web Interface node on the left pane of the AMC -> Select “Create Site”.


Select the default option for Site Type (Access Platform Site).


On the Specify IIS Location step of the site creation, check the option “Set as the default page for the IIS site”. Accept the defaults for the rest of the Create Site process.

After the site is created, the initial settings must be configured. On this screen, enter the name of the Citrix Farm, then enter at least one server from the Citrix Farm with which the Web Interface will communicate. The Web Interface communicates with the XML Service on the configured Citrix Server via the Farm XML Port (80 is the default). Refer to the Citrix Server Farm Properties in the Presentation Server Console if unsure what port number to enter.

Best practice would be to enter at least two XML Servers (for redundancy) and to enter Citrix Servers configured as Data Collectors. When a user enters their credentials to log on to the Web Interface, the Web Interface communicates with the XML Service to authenticate the user and return the Application Set for that user.

XML Servers can be entered as their NetBIOS, FQDN or IP Address, depending on which name resolution mechanism is in place. Since the server will end up in the DMZ, entering the IP Address requires the fewest open ports (between the DMZ and Private Network).


On the “Select Application Type” screen, select “Remote”, unless you plan to use the Presentation Server 4.5 Application Streaming Feature to stream applications to client computers. Accept the defaults for the remainder of the Initial Configuration Wizard.


At this point the Citrix Web Interface is ready to be tested, to ensure that it’s been configured correctly. To test that the Web Interface is working, open Internet Explorer on the Web Interface Server and browse to http://localhost. Without any further configuration, one should be able to successfully log on and launch applications from the configured Citrix Farm.


After successfully entering logon credentials, one should be presented with the following Citrix Client Detection Wizard (if no Citrix Client is installed).


Clicking the “Detect Client” button initiates a scan to check the client computer for an installed Citrix Client. If no client is detected, the user is presented with the following screen where the Citrix Web Client installation can be started.

If the end user clicks the “Download” button, the Citrix Web Client installation package is loaded from “C:\Program Files\Citrix\Web Interface\4.6\Clients\ica32\ica32web.msi” on the Web Interface Server.


Click “Run” and proceed with the Client Installation. After the installation is complete, the end user is presented with the following screen.

Click “Successful” to be taken to the client’s application set.


Click on one of the applications. If the application launches, the basic configuration of Citrix Web Interface was successful. The next step is to obtain an SSL Server Certificate which will be used by Citrix Secure Gateway.

SSL Server Certificate Configuration

Since Citrix Secure Gateway is used to provide secure remote access, a Trusted 3rd Party SSL Server Certificate is required. To obtain the certificate, launch Computer Management and navigate to Services and Applications -> Internet Information Services (IIS) Manager -> Web Sites -> Default Web Site -> Properties -> Directory Security.


Click on the “Server Certificate” button to start the “Web Server Certificate Wizard”. Select “Next -> Create a new certificate -> Prepare the request now, but send it later”.


In the name field, enter a friendly name that accurately describes what the certificate will be used for, i.e. “Citrix Secure Gateway”. Click Next.

The information on the Organization Information page is what will display on the SSL Certificate when viewed by the end user.

The Site Common Name is the most important piece of information that is entered. It MUST match the Fully Qualified Domain Name that will be addressed by the end user. It need not be the same as the NetBIOS Name of the Server, but DNS must be configured to resolve this name to the server being configured.

On the Geographical Information Screen it is important that the “State/province” be completely spelled, as the request will not be accepted by the 3rd Party Certificate Authority if the State/province is abbreviated.

The information entered in the IIS Certificate Wizard outputs to a text file, whose content is submitted to the 3rd Party Certificate Authority via their online certificate purchase form.


After purchasing the SSL Server Certificate from your preferred Certificate Authority, the Certificate needs to be installed on the Web Interface / Secure Gateway Server. The following steps may differ slightly, depending on the vendor, but in this example we’ll use certificates from GoDaddy.com. GoDaddy supplies two certificates, an Intermediate Certificate Authority and the SSL Server Certificate that was purchased. Per the instructions from the vendor we open the Certificates Management Console via Start -> Run -> MMC -> File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Next -> Local Computer -> Finish.


Right click on the “Intermediate Certification Authorities”, navigate to All Tasks -> Import -> Browse and select the Root Certificate supplied by the vendor.

Click Next and Accept the Default Location of Intermediate Certification Authorities.

Click Next to Complete the Certificate Import.


Open IIS Manager -> Web Sites -> Default Web Site -> Properties -> Directory Security -> Server Certificate.


Click “Next” to continue with the Web Server Certificate Wizard.

Select “Process the pending request and install the certificate”.  Click “Next” to continue.

Browse to, or enter the path to the downloaded SSL Server Certificate.  Click “Next” to continue.


Change the “SSL port this web site should use” from 443 to 444 or another unused port. It is very important NOT to accept the default port of 443, as this port will be used by Citrix Secure Gateway.

To test that the SSL Certificate has been properly installed and that IIS has been configured correctly, restart IIS via “Start -> Run -> cmd -> IISRESET”. After IIS restarts, browse to https://FullyQualifiedDomainName:444. This is NOT the URL clients will enter, as they will connect to the Citrix Secure Gateway on the standard HTTPS Port (443). This is only being done to ensure that the certificate was properly installed and that the Citrix Web Interface still works. A DNS Host (A) or Alias (Cname) record must be configured to resolve the Fully Qualified Domain Name to the IP Address of the server being configured for the web page to display correctly.

Part 2

In part two of this document we’ll go over the installation and configuration of Citrix Secure Gateway, as well as the required firewall configuration.

In part one of this document it was described how to do a basic installation of Citrix Web Interface 4.6 and how to request and install a 3rd Party SSL Server Certificate. Part two describes how to install and configure Citrix Secure Gateway 3.0 on the same server, so Internet Users can securely connect to Citrix Servers on a private network.

Prerequisites:

1. Configured and tested (on the private network) Citrix Web Interface.
2. Installed 3rd Party SSL Server Certificate.
3. IIS HTTPS Port configured on a port OTHER THAN 443, i.e. 444.
4. Citrix Presentation Server Components CD, or access to download Secure Gateway 3.0 from www.mycitrix.com.
5. Firewall with a DMZ Port.
6. Connectivity to at least one Citrix Secure Ticket Authority (built into the XML Service on Presentation Server 4.x).

Setup

Now that Citrix Web Interface 4.6 has been installed and tested and the SSL Server Certificate has been installed, it is time to install Citrix Secure Gateway 3.0. It’s best to keep the server on the private network until the complete system has been tested, to simplify troubleshooting, as one should not have to worry about the correct firewall ports being open.

Access the Citrix Presentation Server Components CD, or download Secure Gateway 3.0 from www.mycitrix.com. To begin the setup, double-click CSG_GWY.MSI.

Click “Next”, read and accept the License Agreement.


Select “Secure Gateway” and click “Next”.

Accept the default “Destination Folder” and click “Next”.


On the Service Account selection screen, select “NETWORK SERVICE” and click “Next”.

Review the Installation Selections and click “Next” to begin the installation.


If the installation was successful, this screen is displayed.

To begin the configuration of Citrix Secure Gateway, click “OK” to launch the “Secure Gateway Configuration Wizard”.

Configuration


Select ONLY the option to secure “MetaFrame Presentation Server”, then click “OK”.

Select the “Advanced” configuration type, then click “Next”.


Select the SSL Server Certificate that was installed in part one. Click “View” to verify that the correct certificate has been selected.


The items to review are outlined in red on the picture shown above:

"Issued to:" MUST be the FQDN (Fully Qualified Domain Name) that end users will type in their Internet Browser to address the Secure Gateway.

"Valid from" MUST be a current date range.

The bottom of the General tab MUST read “You have a private key that corresponds to this certificate.” If this is not displayed, the certificate may have been copied from another server, where it MUST be exported to a .PFX file, including the Private Key. This can be accomplished with the Certificates MMC on the original server.

On the “Configure secure protocol settings” screen, accept the default options and click “Next”.


Assuming your server has only one active Network Interface, accept the default option to “Monitor all IP addresses” and listen on TCP port 443. Click “Next” to continue.

On the “Configure outbound connections” screen, accept the default and click “Next” to continue.


On the “Details of the server running the Secure Ticket Authority (STA)” screen, click the “Add” button.

On the “Secure Ticket Authority (STA) details” pop-up, enter the FQDN of a Citrix Server. This is typically a Zone Data Collector, and the same server that is listed in the Farm XML Servers in the Web Interface Configuration. If the Citrix Farm is configured to use anything but the default TCP Port of 80, append the port number to the FQDN, preceded by a colon, i.e. “ctxs-cps.scs.local:8080”. If it is a requirement to secure traffic between the Secure Gateway and STA, check the checkbox in the “Protocol settings” section and enter the appropriate TCP Port. This requires an SSL Server Certificate on the server hosting the STA.


For redundancy, a secondary and tertiary STA can be added by repeating the previous step. When done, click “Next” to continue.

On the “Connection parameters” screen, accept the default options, and click “Next” to continue.


If you are load balancing connections to the Secure Gateway, add the IP Address of the device on the “Logging Exclusions” screen, otherwise click “Next” to continue.

Assuming Secure Gateway is on the same server as the Citrix Web Interface, accept the default “Indirect” radio button and the default “Installed on this computer” checkbox. If Secure Gateway will be used with a Web Interface Server hosted on a different server, de-select “Installed on this computer” and enter the FQDN of the Web Interface Server in the “Details” section.


Select the desired amount of “Logging parameters” and click “Next” to continue.

Click “Finish” to start the Secure Gateway service.


Open the “Secure Gateway Management Console” and click “Secure Gateway Diagnostics” to verify that the settings selected in the configuration wizard are valid.

Launch the Web Interface Console (via the Access Management Console). Right-click the Web Interface Site -> Manage secure client access -> Edit Gateway settings.


Enter the FQDN of the Secure Gateway Server that was just configured, then add the URL to the Secure Ticket Authority, as shown in the picture above. Initially, leave session reliability disabled, until Secure Gateway and Web Interface have been tested and the latest hotfix has been applied to Secure Gateway. Click “OK”.

Right-click the Web Interface Site -> Manage secure client access -> Edit DMZ settings.


Edit the “Default Client IP address” setting and select “Gateway Direct”, so clients will access the Presentation Server Farm via the Secure Gateway, instead of being delivered ICA files that include the Private IP Address of the target Citrix Server. Click “OK”.

Since the Secure Gateway is still on the Private Network, edit the hosts file (%WinDir%\system32\drivers\etc\hosts) on a test client workstation and add an entry for the FQDN that’s listed on the SSL Server Certificate.


From the test client workstation, open an Internet Browser and address the FQDN of the Secure Gateway, i.e. https://citrix.sessioncomputing.com. Since IIS is NOT listening on port 443, and Secure Gateway is, Secure Gateway should automatically proxy the request to the Web Interface Login Page. The page should display the SSL Secured (128 Bit) icon on the Internet Browser’s Status Bar (shown above).
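The certificate review on the Secure Gateway wizard's View screen (Issued to, Valid from/to) and the browser test against the Secure Gateway FQDN above can both be scripted from the test client workstation. The following Python script is an added example, not part of the original guide and not a Citrix tool: the FQDN citrix.example.test and the fields of SAMPLE_CERT are constructed placeholders, and review_certificate works on the dictionary layout that Python's ssl module returns from getpeercert(). The private-key check from the guide cannot be performed from a client, so it stays with the MMC step.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert().
# citrix.example.test is a placeholder FQDN, not a real deployment.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org"),),
        (("commonName", "citrix.example.test"),),
    ),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def issued_to(cert):
    """The 'Issued to' value shown in the certificate viewer is the subject commonName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def review_certificate(cert, expected_fqdn, now=None):
    """Apply the guide's checks: 'Issued to' must equal the FQDN users will type,
    and the validity window must include the current date. Returns a list of
    findings; an empty list means the certificate passed."""
    now = time.time() if now is None else now
    findings = []
    cn = issued_to(cert)
    if cn != expected_fqdn:
        findings.append(f"Issued to '{cn}' does not match the FQDN '{expected_fqdn}'")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate has expired")
    return findings


def fetch_peer_cert(fqdn, port=443, timeout=5.0):
    """Connect to fqdn:port the way a browser would and return the certificate the
    listener presents. The chain is validated against the local trust store, so a
    server that does not send its intermediate certificate fails here with an
    SSL error instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against the Secure Gateway listener on port 443:
        #   python <this file> citrix.example.test
        fqdn = sys.argv[1]
        cert = fetch_peer_cert(fqdn)
    else:
        fqdn, cert = "citrix.example.test", SAMPLE_CERT
    problems = review_certificate(cert, fqdn)
    print("OK" if not problems else "\n".join(problems))
```

Run it with the Secure Gateway FQDN as the argument from the test workstation whose hosts file was edited above; while the server is still on the private network, the hosts entry is what makes the name resolve, and an SSL error at connect time usually means the intermediate certificate import did not take effect or IIS rather than Secure Gateway is still answering on 443.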


Launch a Published Application via the Web Interface and verify in the Program Neighborhood Connection Center that the application was launched via the Secure Gateway. This is distinguished via the Black Lock on the Application Set, under ICA Connections. Additionally, viewing the properties of the connection displays the Encryption Level as “128 Bit SSL/TLS in use” (shown above).


Additionally, this can be confirmed via “Session Information” in the Secure Gateway Management Console, which displays the Client IP, User, Domain, Time Established and Time Elapsed.

Now that the configuration has been tested, download the latest hotfix for Secure Gateway 3.0, currently SGE300W800. This is a cumulative hotfix that contains all of the fixes from hotfixes SGE300W001 thru SGE300W007.

Logoff all Secure Gateway Sessions and launch SGE300W800.MSI. Click “Next” to continue.


If the error shown above is encountered during the installation of hotfix SGE300W800.MSI, search %SystemDrive% for “msvcr71.dll”.

Copy “msvcr71.dll”.


Paste the dll in %WinDir%\System32, and click “Retry” to start the Secure Gateway Service.

Click “Finish” to complete the hotfix installation.


Installation of this hotfix requires a restart, so click “Yes” to restart the Secure Gateway Server.

After the system restarts, re-test launching applications via the Secure Gateway URL and Web Interface. If the applications launch successfully, enable Session Reliability in the Web Interface Console -> Web Interface Site -> Right-Click -> Manage secure client access -> Edit Gateway settings, if so desired. Enabling Session Reliability changes the communication protocol between the Secure Gateway and Citrix Presentation Servers from TCP Port 1494 (ICA – Independent Computing Architecture) to TCP Port 2598 (CGP – Common Gateway Protocol).

Updates from hotfix SGE300W003, included in SGE300W800, allow one to display more columns in the Secure Gateway Management Console. The Server, Application and Session Idle Time columns can be enabled in the Secure Gateway Management Console by adding the following registry entries on the Secure Gateway Server.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0]
"ToolsDir"="C:\\Program Files\\Citrix\\Secure Gateway\\"
"ShowServerAndAppForSession"=dword:00000001
"ShowTimeIdleForSession"=dword:00000001

Now that Secure Gateway and Web Interface have been tested on the private network, it is time to move the machine to the DMZ and re-test. When the machine is connected to the DMZ, the Public DNS A (Host) Record will need to be updated or added for the Secure Gateway, so the machine can be addressed via FQDN by Internet Users.

Required Firewall Rules

Internet to DMZ (Secure Gateway Server) – Allow TCP Port 443.

DMZ (Secure Gateway Server) to Private Network (STA & XML Service) – Allow TCP Port 80, or Farm XML Service Port, or TCP Port 443 if Securing STA Traffic via SSL.

DMZ (Secure Gateway Server) to Private Network (Citrix Presentation Servers) – Allow TCP Port 1494 (without Session Reliability), or TCP Port 2598 (with Session Reliability).
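The three rules above depend on settings chosen earlier in the guide (the farm XML port, whether STA traffic is secured via SSL, and whether Session Reliability is enabled), so it is easy to open the wrong port when the server is moved to the DMZ. The following Python script is an added example, not part of the original guide or of Citrix's software: it derives the rule set from those settings, understands the "host:port" STA syntax the guide uses ("ctxs-cps.scs.local:8080"), and can probe the DMZ-to-private rules with plain TCP connects from the Secure Gateway host. All host names except ctxs-cps.scs.local are constructed, and a successful connect only proves the firewall passes the traffic, not that the STA or ICA service behind it is answering correctly.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    port: int
    purpose: str


def split_host_port(entry, default_port):
    """Parse an STA / XML server entry written as 'host' or 'host:port'
    (the guide's example is 'ctxs-cps.scs.local:8080')."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def required_rules(sta_servers, presentation_servers, session_reliability=False,
                   sta_over_ssl=False, xml_port=80):
    """Derive the firewall rules listed in the guide from the deployment settings.

    - Internet -> Secure Gateway: TCP 443, always.
    - Secure Gateway -> each STA / XML server: the farm XML port (80 by default),
      TCP 443 when STA traffic is secured via SSL, or an explicit host:port override.
    - Secure Gateway -> each Presentation Server: TCP 1494 (ICA) without Session
      Reliability, TCP 2598 (CGP) with it.
    """
    rules = [Rule("Internet", "Secure Gateway (DMZ)", 443, "HTTPS from clients")]
    sta_default = 443 if sta_over_ssl else xml_port
    for entry in sta_servers:
        host, port = split_host_port(entry, sta_default)
        purpose = "STA / XML Service" + (" over SSL" if sta_over_ssl else "")
        rules.append(Rule("Secure Gateway (DMZ)", host, port, purpose))
    if session_reliability:
        ica_port, purpose = 2598, "CGP (Session Reliability enabled)"
    else:
        ica_port, purpose = 1494, "ICA (Session Reliability disabled)"
    for host in presentation_servers:
        rules.append(Rule("Secure Gateway (DMZ)", host, ica_port, purpose))
    return rules


def outbound_rules(rules):
    """Only rules that originate on the Secure Gateway can be probed from it."""
    return [r for r in rules if r.source == "Secure Gateway (DMZ)"]


def probe(rule, timeout=3.0):
    """Return True if a TCP connection to rule.destination:rule.port succeeds."""
    try:
        with socket.create_connection((rule.destination, rule.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # Constructed deployment: one STA on a non-default XML port (the guide's example),
    # one on the default port, two Presentation Servers, Session Reliability enabled.
    rules = required_rules(
        sta_servers=["ctxs-cps.scs.local:8080", "ctxs-cps2.scs.local"],
        presentation_servers=["ps1.scs.local", "ps2.scs.local"],
        session_reliability=True,
    )
    do_probe = "--probe" in sys.argv  # run on the Secure Gateway host to test the rules
    for rule in rules:
        line = f"{rule.source:>20} -> {rule.destination}:{rule.port}  {rule.purpose}"
        if do_probe and rule in outbound_rules(rules):
            line += "  reachable" if probe(rule) else "  BLOCKED"
        print(line)
```

Without "--probe" the script only prints the checklist, which can be handed to whoever administers the firewall; with "--probe", run on the Secure Gateway server after it has been connected to the DMZ port, each DMZ-to-private rule is tried in turn. Entering the STA and XML servers by IP address, as the guide suggests, keeps this list identical to what the firewall needs and avoids a DNS dependency between the DMZ and the private network.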


Below is an example diagram of a Citrix Farm configured to use Secure Gateway and Web Interface as described in this article.

Summary

Citrix Web Interface 4.6 and Citrix Secure Gateway 3.0 can happily reside in the DMZ on one Windows Server, with one IP Address, and one SSL Server Certificate. There are other configurations that can be used, depending on your security requirements. Refer to the Administrators Guide and Troubleshooter’s Guide for documentation on alternate deployment scenarios.

References

Hotfix SGE300W008 - For Citrix Secure Gateway 3.0

Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598

Citrix Secure Gateway Product Lifecycle

Secure Gateway 3.0 for Presentation Server Troubleshooter's Guide

Deploying the Web Client 10.1 for Windows Through Web Interface 4.6

Web Interface Administrator's Guide