Nelson Esteves, NPG Escalation
TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition
Agenda
• Integrating Repeater with Access Gateway Enterprise
• Integration with Microsoft SharePoint
• Security Expressions and Smart Access, including Advanced Troubleshooting
Integrating Repeater with Access Gateway Enterprise
Branch Repeater Integration: traffic between the client and the secure network is optimized before passing through the VPN tunnel
Deployment Architecture
• Data Center and Corporate Offices: file shares and web applications, Access Gateway, Branch Repeater
• Remote and Mobile Workspaces: Access Gateway Plug-in and Branch Repeater Plug-in
• Access Gateway: secure access to applications, desktops and networks
• Branch Repeater: compression and acceleration
Branch Repeater Integration: Repeater integration is enabled or disabled through a Traffic Profile
Branch Repeater Integration: design considerations
• Redirector mode: a traffic policy expression must be created for the signaling IP address of the Repeater appliance
• Transparent mode: a traffic policy must be created which covers all backend servers the client is accessing
• Only one Repeater traffic policy will be evaluated when bound at the virtual server level or globally
• Enabling Repeater in a traffic policy disables the Single Sign-On, File Type Association and HTTP authorization features
Integration with Microsoft SharePoint
Access Gateway Enterprise Edition 9.0 can rewrite content from a SharePoint site so that it is available to users without requiring the Access Gateway Plug-in. This avoids administrators having to deploy VPN access to users who only need SharePoint. For the rewrite process to complete successfully, the Access Gateway must be configured with the web address of each SharePoint server in your network. In most environments where SharePoint is accessed externally, administrators have to configure what is called Alternate Address Mapping.
Integration with Microsoft SharePoint: Alternate Address Mapping in SharePoint 2007: TOO COMPLEX!!!
Integration with Microsoft SharePoint: New with Access Gateway Enterprise is full support of Microsoft SharePoint via clientless access. This means that administrators no longer have to configure internet, intranet, etc. addresses for a SharePoint site. With Access Gateway Enterprise Edition you now have full access to SharePoint and its features without having to deploy VPN access. How to implement it? All it takes is one single configuration entry, and the rewrite engine makes the necessary changes to the SharePoint pages.
Integration with Microsoft SharePoint: the rewrite engine at work
• Sample source page from the original SharePoint site: [screenshot]
• Same page via Access Gateway Enterprise on clientless access: [screenshot]
Clientless Access to SharePoint: supported SharePoint features [list not recovered]
Security Expressions and Smart Access
Policy Expressions
• Expressions can be single or compound
• Expressions consist of a Name, Qualifier and Operator
• Expressions are evaluated by AGEE to determine if a policy is applied
• Example: the expression named allow_ftp uses the qualifier DESTIP with operator == and value 10.9.13.60, together with DESTPORT == 21 (port 21); its action is Allow
Match All Expressions: a Match All expression uses the AND operator to form the expression. Resulting expression: av_5_TrendMicro_11_25 && av_5_TrendMicroOfficeScan_7_3
Tabular Expressions: tabular expressions let you create custom compound expressions with the aid of graphical operators and a preview display
Advanced Free-Form Expressions
• Can be created and edited manually
• The expression must however be a valid rule
• Useful for creating complex expressions, using custom qualifiers, using additional operators, and previewing an expression built using the other methods
Policy Aggregation: Same Bind Point, Different Priorities
• Virtual Server Policy A, priority 10: home page www.citrixsynergy.com, split tunnel OFF, single sign-on not set
• Virtual Server Policy B, priority 20: home page www.citrix.com, split tunnel ON, single sign-on ON
• Resulting configuration: home page www.citrixsynergy.com, split tunnel OFF, single sign-on ON
Why?
• Policy results are aggregated from all policies that are true
• When the policy settings conflict, priority wins (Policy A at priority 10 takes precedence over Policy B at priority 20, so the lower priority number wins)
• When policy settings do not conflict, the results are cumulative from all policies that are true (single sign-on is only set by Policy B, so it is ON)
Policy Aggregation: Different Bind Points, Same Priority
• Global Policy A, priority 0: home page www.citrix.com, split tunnel ON, single sign-on not set
• Virtual Server Policy B, priority 0: home page www.citrixsynergy.com, split tunnel not set, single sign-on OFF
• Group Policy C, priority 0: home page www.sales.com, split tunnel OFF, single sign-on ON
• Resulting configuration: home page www.sales.com, split tunnel OFF, single sign-on ON
Why?
• When policies are bound to different bind points with the same priority, the lowest bind point wins; the bind point order is Global, Virtual Server, Group, User, so the Group policy (C) beats the Virtual Server and Global policies here
Policy Aggregation: Different Bind Points, Different Priorities
• Global Policy A, priority 10: home page www.citrix.com, split tunnel not set, single sign-on not set
• Virtual Server Policy B, priority 20: home page www.citrixsynergy.com, split tunnel not set, single sign-on OFF
• Group Policy C, priority 30: home page www.sales.com, split tunnel OFF, single sign-on ON
• Resulting configuration: home page www.citrix.com, split tunnel OFF, single sign-on OFF
Why?
• Higher priority settings take precedence over bind point order (Policy A at priority 10 supplies the home page even though it is bound globally; Policy B at priority 20 supplies single sign-on over Policy C at priority 30)
• When policy settings do not conflict, the results are cumulative from all policies that are true (split tunnel is only set by Policy C, so its value is used)
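The three aggregation rules on the preceding slides (accumulate non-conflicting settings, resolve conflicts by priority, break priority ties by bind point) are small enough to model directly. The block below is an added example written for this page, not Citrix code; policy names, priorities and setting values are taken from the three slides, and the bind point ordering and "lower number wins" convention are the assumptions it encodes.

```python
"""Model of how AGEE aggregates settings from several matching session policies.
Added example (not Citrix code); it encodes the three rules stated on the slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bind points from least to most specific. "Lowest bind point wins" on a
# priority tie means the most specific one in this order wins.
BIND_ORDER = {"Global": 0, "Virtual Server": 1, "Group": 2, "User": 3}

NOT_SET = None  # stands for "-not set-" on the slides


@dataclass
class Policy:
    name: str
    bind_point: str
    priority: int                       # NetScaler convention: lower number = higher priority
    settings: Dict[str, Optional[str]]  # e.g. {"Home page": "www.citrix.com"}
    applies: bool = True                # True when the policy's expression evaluated true


def resolve(policies: List[Policy]) -> Dict[str, Optional[str]]:
    """Effective configuration from all policies whose expression is true:
    non-conflicting settings accumulate; on conflict the higher priority
    (lower number) wins; on equal priority the most specific bind point wins."""
    active = [p for p in policies if p.applies]
    result: Dict[str, Optional[str]] = {}
    for key in sorted({k for p in active for k in p.settings}):
        candidates = [p for p in active if p.settings.get(key) is not NOT_SET]
        if not candidates:
            result[key] = NOT_SET
            continue
        winner = min(candidates, key=lambda p: (p.priority, -BIND_ORDER[p.bind_point]))
        result[key] = winner.settings[key]
    return result


def same_bind_point_scenario() -> Dict[str, Optional[str]]:
    """First slide: two virtual-server policies, priorities 10 and 20."""
    return resolve([
        Policy("A", "Virtual Server", 10, {"Home page": "www.citrixsynergy.com", "Split Tunnel": "OFF", "Single Sign-on": NOT_SET}),
        Policy("B", "Virtual Server", 20, {"Home page": "www.citrix.com", "Split Tunnel": "ON", "Single Sign-on": "ON"}),
    ])


def equal_priority_scenario() -> Dict[str, Optional[str]]:
    """Second slide: Global, Virtual Server and Group policies all at priority 0."""
    return resolve([
        Policy("A", "Global", 0, {"Home page": "www.citrix.com", "Split Tunnel": "ON", "Single Sign-on": NOT_SET}),
        Policy("B", "Virtual Server", 0, {"Home page": "www.citrixsynergy.com", "Split Tunnel": NOT_SET, "Single Sign-on": "OFF"}),
        Policy("C", "Group", 0, {"Home page": "www.sales.com", "Split Tunnel": "OFF", "Single Sign-on": "ON"}),
    ])


def priority_over_bind_point_scenario() -> Dict[str, Optional[str]]:
    """Third slide: priorities 10, 20, 30 across Global, Virtual Server, Group."""
    return resolve([
        Policy("A", "Global", 10, {"Home page": "www.citrix.com", "Split Tunnel": NOT_SET, "Single Sign-on": NOT_SET}),
        Policy("B", "Virtual Server", 20, {"Home page": "www.citrixsynergy.com", "Split Tunnel": NOT_SET, "Single Sign-on": "OFF"}),
        Policy("C", "Group", 30, {"Home page": "www.sales.com", "Split Tunnel": "OFF", "Single Sign-on": "ON"}),
    ])


if __name__ == "__main__":
    for scenario in (same_bind_point_scenario, equal_priority_scenario, priority_over_bind_point_scenario):
        print(scenario.__name__, scenario())
```

Each scenario function reproduces the "Resulting Configuration" of its slide; when checking a real deployment, the useful part is the tie-breaking key in `resolve`, which makes explicit why a globally bound policy at priority 10 can override a group policy at priority 30.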
Basic Firewall and Port Rules (External / DMZ / Internal)
• Remote end user to AGEE VIP: 443, 80* (HTTP/TCP); * port 80 is used for the HTTPS redirect
• AGEE admin to NSIP: 443, 80 (TCP/HTTP) and 3010, 3008, 22 (TCP)
• NSIP to DNS: 53 (UDP)
• NSIP to LDAP/LDAPS: 389/636 (TCP)
• SNIP or MIP to XenApp, Web Interface and STA: 80, 8080, 443 (HTTP/TCP) and 1494, 2598 (TCP)
SmartAccess Workflow (External / DMZ / Internal; remote end user to AGEE on 443, AGEE to LDAP on 389/636, AGEE to WI on 80/443, WI to STA and XML on XenApp)
1) User accesses the AGEE VPN virtual server
2) AGEE pre-AuthN EPA ActiveX download and client scan; the EPA ActiveX sends results back to AGEE
3) On pre-authentication EPA success AGEE returns the login page
4) User supplies credentials to the logon page
5) Access Gateway passes credentials to the Directory Service for validation
6) Post-AuthN AGEE session policy EPA checks are done with the existing EPA ActiveX; session policy EPA check results are returned to AGEE
7) AGEE does an HTTP redirect to the website configured in the ‘-homepage’ option
8) Web Interface returns a 401 and AGEE detects that this is a Web Interface server
9) Access Gateway next performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP header; a SessionToken is also provided
10) Web Interface authenticates the credentials provided via the custom SSO AGCitrixBasic header
11) WI makes an XML callback to a preconfigured-on-WI AGEE VPN virtual server URL with the previously provided SessionToken to get the EPA results; AGEE returns the EPA results to WI
12) Web Interface sends credentials and EPA results to the Citrix XML Service, which validates them and returns the user’s “smart access” application set to Web Interface
13) Web Interface generates the “Smart Access” application set page and sends the web page back to the user
Deeper Look at Security Scans – Pre-Auth
• Redirect to /epa/epa.html
• EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with a HTTP header called CSE
• If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3.
• Example: [trace screenshot]
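When reading a decrypted trace of the pre-auth exchange by hand, the step that matters is locating the GET for /epaq and reading the CSEC header on the next GET. The block below is an added example, not Citrix code: it parses a constructed text export of such a trace (the follow-up path /vpn/index.html and the host name are placeholders) and maps the CSEC values the slide states, 0 and 3, to pass and fail.

```python
"""Walk a (decrypted) HTTP request log and report the pre-auth EPA outcome
from the CSEC header. Added example, not Citrix code; the trace below is
constructed to mirror the /epaq exchange described on the slide."""
from typing import Dict, List, Tuple

# Constructed sample: requests are separated by a blank line, as in a text
# export of a decrypted trace. The follow-up path and host are placeholders.
SAMPLE_TRACE = """GET /epa/epa.html HTTP/1.1
Host: ag.example.test

GET /epaq HTTP/1.1
Host: ag.example.test

GET /vpn/index.html HTTP/1.1
Host: ag.example.test
CSEC: 3
"""

CSEC_MEANING = {"0": "pass", "3": "fail"}  # values stated on the slide


def parse_requests(trace: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split the text into (request line, headers) pairs; header names lower-cased."""
    parsed = []
    for block in trace.strip().split("\n\n"):
        lines = [line for line in block.splitlines() if line.strip()]
        if not lines:
            continue
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parsed.append((lines[0].strip(), headers))
    return parsed


def epa_result(trace: str) -> str:
    """Find the GET for /epaq and read CSEC from the very next GET:
    'pass' for 0, 'fail' for 3, otherwise 'unknown' (header absent or unexpected)."""
    requests = parse_requests(trace)
    for i, (request_line, _) in enumerate(requests):
        if request_line.startswith("GET /epaq"):
            for next_line, next_headers in requests[i + 1:]:
                if next_line.startswith("GET "):
                    return CSEC_MEANING.get(next_headers.get("csec", ""), "unknown")
            return "unknown"  # /epaq seen but no later GET in the trace
    return "unknown"          # no /epaq request in the trace


if __name__ == "__main__":
    print("EPA pre-auth result:", epa_result(SAMPLE_TRACE))
```

A trace that never reaches the /epaq request, or whose next GET carries no CSEC header, is reported as unknown rather than as a pass, which is the safer reading when the capture was started late (see the note on starting the trace before the first request).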
Deeper Look Into Smart Access
• Client logs in to Access Gateway and is redirected to Web Interface
• During this redirection the client sends a request to /auth/agesso.aspx
• Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, this time with an authentication header
• Web Interface then validates the credentials via a POST back to Access Gateway
• If that connection succeeds, the Access Gateway returns a 200 OK containing all the Smart Access information needed by Web Interface
• Example: [trace screenshot]
How Did I Do That ????
Decrypting a Network Trace
• In order to be able to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI: [screenshot]
• Or via the command line: [screenshot]
• Once the network trace has run it will be placed under /var/nstrace/
• *** important: since this is SSL traffic the trace has to start before any request is made ***
• Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click on Edit and then Preferences. Select SSL under Protocols: [screenshot]
• Under RSA Key List you enter: <target IP>,<port>,<protocol>,<path to private key>
• Once that is done the traffic will be decrypted and you will be able to analyze it.
What if the private key is not available? How to create an HTTP debug virtual server: [screenshot]
What if the private key is secured? If the private key was created with a passphrase, it can be decrypted via openssl: [screenshot]
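Two things go wrong most often at the RSA Key List step above: a typo in the `<target IP>,<port>,<protocol>,<path>` line, and a key that is still passphrase-protected, which Wireshark cannot read until the passphrase is removed as the previous slide describes. The block below is an added example, not Citrix or Wireshark code; the PEM snippets and the address 192.0.2.10 are constructed, and the `openssl rsa -in key.pem -out key-plain.pem` command it names in the error message is the standard OpenSSL way to write a key back out without a passphrase.

```python
"""Helpers for the Wireshark decryption step: build the RSA Key List entry and
check first whether the private key is still passphrase-protected. Added
example, not Citrix or Wireshark code; the PEM snippets are constructed."""
import ipaddress

# Constructed samples showing only the headers that matter here.
ENCRYPTED_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

...key bytes omitted in this sample...
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_PKCS8_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n"
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"


def is_encrypted_pem(pem_text: str) -> bool:
    """Legacy OpenSSL keys mark encryption with 'Proc-Type: 4,ENCRYPTED';
    PKCS#8 keys use the ENCRYPTED PRIVATE KEY header."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def rsa_key_list_entry(target_ip: str, port: int, protocol: str, key_path: str, pem_text: str) -> str:
    """Return '<target IP>,<port>,<protocol>,<path to private key>' for the
    Wireshark RSA Key List, validating the address and port and refusing a key
    that still has to be decrypted (openssl rsa -in key.pem -out key-plain.pem)."""
    ipaddress.ip_address(target_ip)  # raises ValueError on a malformed address
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port}")
    if is_encrypted_pem(pem_text):
        raise ValueError("private key is passphrase-protected; decrypt it with openssl first")
    return f"{target_ip},{port},{protocol},{key_path}"


if __name__ == "__main__":
    # target IP is the SSL virtual server's address (constructed here), port 443, protocol http
    print(rsa_key_list_entry("192.0.2.10", 443, "http", "/keys/agee-plain.pem", PLAIN_PEM))
```

Keep the decrypted copy of the key on the analysis workstation only for as long as the trace is being examined; the passphrase-protected original stays the copy of record.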
Published Application Launch Process (External / DMZ / Internal; remote end user to AGEE on 443, AGEE to WI on 80/443, AGEE to XenApp on 1494/2598, WI to STA and XML)
1) User clicks the application icon. The request is sent to Web Interface.
2) Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application. The XML Service returns the XenApp IP address.
3) Web Interface contacts the STA to exchange the XenApp IP address for a ticket.
4) Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket. The ICA file is sent back to the client device.
5) The ICA Client sends the ICA request to Access Gateway.
6) Access Gateway contacts the STA to validate the ticket and exchange the ticket for the XenApp IP address.
7) Access Gateway contacts XenApp to initiate the ICA session. The ICA session is established.
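The security point of the launch flow above is that the ICA file handed to the client carries the gateway FQDN and an STA ticket, never the internal XenApp address, and that the ticket is only good for one redemption by the gateway. The block below is an added toy model of that exchange, not Citrix code: the real STA protocol, ticket format and ICA file syntax all differ, and the 100-second lifetime, the gateway name and the address 10.0.0.5 are constructed values.

```python
"""Toy model of the STA ticket exchange in the launch flow: Web Interface trades a
XenApp address for a ticket, the ICA data carries only the ticket, and Access
Gateway redeems it. Added example, not Citrix code; the real STA protocol, ticket
format and ICA file syntax differ."""
import secrets
import time
from typing import Dict, Optional, Tuple


class TicketAuthority:
    """Issues opaque, single-use, time-limited tickets that stand in for internal addresses."""

    def __init__(self, ttl_seconds: float = 100.0):
        self.ttl = ttl_seconds
        self._tickets: Dict[str, Tuple[str, float]] = {}

    def request_ticket(self, xenapp_address: str, now: Optional[float] = None) -> str:
        """Web Interface side: address in, random ticket out (the address never leaves the STA)."""
        now = time.time() if now is None else now
        ticket = secrets.token_hex(16)  # unguessable and unrelated to the address
        self._tickets[ticket] = (xenapp_address, now + self.ttl)
        return ticket

    def validate_ticket(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Access Gateway side: ticket in, address out; a ticket redeems once, and only before expiry."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # removed on first use, so a replay fails
        if entry is None:
            return None
        address, expires_at = entry
        return address if now <= expires_at else None


def build_ica_launch(gateway_fqdn: str, ticket: str) -> Dict[str, str]:
    """Simplified stand-in for the ICA file: gateway name plus ticket, no internal address."""
    return {"gateway": gateway_fqdn, "ticket": ticket}


def launch_flow(sta: TicketAuthority, gateway_fqdn: str, xenapp_address: str,
                now: float) -> Tuple[Dict[str, str], Optional[str]]:
    """Runs WI -> STA -> client -> AG -> STA and returns (ICA launch data, address AG resolved)."""
    ticket = sta.request_ticket(xenapp_address, now)      # step 3
    ica = build_ica_launch(gateway_fqdn, ticket)          # step 4
    resolved = sta.validate_ticket(ica["ticket"], now)    # steps 5 and 6
    return ica, resolved


if __name__ == "__main__":
    sta = TicketAuthority()
    ica, resolved = launch_flow(sta, "ag.example.test", "10.0.0.5", time.time())
    print("ICA data:", ica)
    print("AG resolved XenApp address:", resolved)
```

If the gateway cannot redeem the ticket (expired, already used, or unknown), the correct behaviour is to refuse the ICA connection rather than fall back to any address supplied by the client, which is exactly why the model returns `None` instead of raising with the address attached.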
XenApp Integration: Web Interface Site Type
• Specify the URL to the Virtual Server’s FQDN
• Web Interface must be able to resolve the FQDN
XenApp Integration: Web Interface DMZ Settings
• Set the DMZ Access Method to Gateway Direct
XenApp Integration: Web Interface Gateway Settings
• Specify the Access Gateway Virtual Server’s FQDN as the Gateway Server
• Enter the STA server URL address
XenApp Integration: Session Profile Configuration
• ICA Proxy ON tells AGEE not to launch the Secure Access Client
• ICA Proxy ON enables SSO to WI
• URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform
• Embedded Web Interface display format: Full or Compact
• Single Sign-On Domain defines the user’s domain name
XenApp Integration: Defining STA Server
• The STA Server ID and State are monitored by AGEE
• Multiple STA Servers can be defined for failover
Troubleshooting SSL Related Errors [video]
Session Takeaways
• Only one traffic policy is evaluated at a time
• Integration with SharePoint requires all hostnames used internally
• SmartAccess requires the name of the virtual server and policy for a XenApp policy to be applied
• When decrypting a network trace, start the trace before sending the first request
• Private keys can be decrypted if the password is known
• An HTTP Access Gateway virtual server can be used for debugging
Partner Training & Certification
Build your product expertise and maximize your sales potential with the latest Citrix training and certification:
Access Gateway
• CAG-200 Implementing Citrix Access Gateway 9.0 Enterprise Edition
• CMB-204 Implementing Citrix XenApp 5.0 for Windows Server 2008 with Access Gateway Enterprise Edition
• CCA for Citrix Access Gateway 9 Enterprise Edition
WANScaler
• CTX-1741AI Citrix WANScaler 4.3 and Citrix Branch Repeater: Administration
• CCA for Citrix WANScaler 4
Visit www.citrix.com/partnertraining to view a complete list of discounted Partner offerings and learn how to maintain compliance with Citrix Certification.
Before you leave…
• Recommended related Summit breakout sessions:
• TECH307: Advanced troubleshooting of Citrix NetScaler, Premier Ballroom 310, 2:30pm
• TECH305: Troubleshooting tools and methodology for Citrix XenApp 5 environments, Premier Ballroom 310, 4:30pm
• Session surveys are available online at www.citrixsummit.com starting Monday, May 4
• Feedback is requested (giveaway provided)
• Download presentations starting Tuesday, May 12, from your My Schedule Tool located in your My Synergy Microsite event account