How to use WEBVPN with Citrix Metaframe

                                           Version 1.4
                                        Author: Luis Jorge

The vpn3000 supports the various Citrix clients through different WEBVPN features. Chart
1.1 lists the WEBVPN features and the Citrix clients each one supports.

VPN3000 Feature Option     Citrix Metaframe Clients Supported
-----------------------    ---------------------------------------------------
Full tunneling*            Program Neighborhood Client, Web Client, Java Client
Citrix Support Feature     Java Client or Web Client

                                                fig 1.1
* Feature only available in 4.7 and later code

Citrix Metaframe Presentation Server has 3 modules: 2 must be installed and a third is
optional but highly recommended unless you are very familiar with Citrix Metaframe and
HTML coding. The 2 modules that must be installed are Presentation Server and License
Server. The third module, which you will also want installed, is the Web Interface
module. These 3 modules can run on the same server or on different servers. The Web
Interface module runs on a server with IIS installed and is required to use the Java or
ActiveX client. There is an advanced option of deploying the Java, ActiveX and ICA files
via your own custom-built web server and interface for more advanced
applications. The document that explains how to do this can be found at

   How to configure vpn3000 to support Citrix Metaframe Web Client /
                Java Client using Citrix Support Feature

The vpn3000 controls the Citrix Support Feature at the group level. To enable support
for Citrix, turn on Citrix support in the WEBVPN tab of the group whose users will
access the Citrix server via WEBVPN (see fig 2.1).

You will most likely want to add a predefined link to the user's Home Page (a.k.a. Portal
Page) for quick launch and easy access. Add the Citrix Web Interface server as a normal
HTTP resource, just like any other web server.

The Web Client and Java Client use the FQDN found in the CN field of the vpn3000's SSL
certificate to determine where to establish the secure Citrix connection, so that name
must be one the clients can resolve.

When defining the Citrix Web Interface server resource on the vpn3000 portal page you
can use either the IP address or the FQDN of that Citrix server. If the web server's default
page is not the Citrix Web Interface login page, provide the complete link to the Web
Interface path.


                                           fig 2.1

In addition to enabling support for Citrix at the group level, you will also need to consider
what type of SSL certificate you plan to use. There are 3 options:

           •   Self Signed Certificates – certificates created locally on the box and
               signed by the box itself, i.e. the certificate is its own Root Authority. No
               client trusts it until the certificate has been installed in that client's
               store, so every PC (and every JVM) that will run the Citrix client needs it.

           •   Purchased Certificates – certificates purchased from a well known public
               Certificate Authority such as Verisign or Entrust. They are signed by that
               CA's root certificate for validation. Most browsers and Java certificate
               stores already contain the root certs of these companies, so any
               certificate purchased from them is automatically trusted by the PC.

           •   Corporate or Private Certificate Authority – certificates generated and
               signed by your own local Certificate Authority server. One of the most
               common examples is Microsoft's Certificate Authority server. Clients trust
               these only if your CA's root certificate has been installed in their stores.

The Citrix Java or Web Client requires an FQDN when connecting to the server, so make
sure your certificate is generated using the FQDN, not the IP address. This FQDN must be
located in the CN field of the certificate, and it is also the name your users should be
given, since the client takes the host it connects to from this field.
        Example: “”

           How to generate a self signed certificate on the vpn3000

Under Administration >>> Certificate Management you will see a list of the SSL
certificates currently installed in the box. There will be one for the private interface and
one for the public interface (see fig 3.1). Click the Generate link next to the SSL cert you
would like to create. In this case it should be the public SSL cert, since your users should
be accessing the box via the public interface. The screen that follows is the certificate info
page. In the CN field fill in the FQDN you would like your users to use when accessing
the vpn3000 via WEBVPN; by default the IP address of the interface is filled in, which is
exactly what the Citrix clients cannot use (see fig 3.2).

                                            fig 3.1
                                           fig 3.2

 How to use Purchased Certificates or Corporate or Private Certificate

This topic will not be discussed here, since it is nothing new for supporting Citrix. The
information can be found in the Administrators Guide on

How to configure Citrix web interface to use Java w/vpn3000 WEBVPN

Two items need to be configured to get the Citrix Java client to work. One is to configure
the Citrix Web Interface; the other is to determine whether you need to install a trusted
root certificate in the Sun Java certificate store. These directions assume you are using the
Sun Java virtual machine, not the Microsoft one. A future version of this doc will add the
topic of using Microsoft's JVM.

The first question to answer is what type of certificate authority your SSL certificate
came from.
        Purchased Certificates: If you purchased the certificate from a public certificate
authority, the Sun JVM most likely already has that authority's root certificate installed in
its certificate store as a trusted root and therefore trusts any certificate signed by it. In this
case there should be nothing you need to do for that certificate to work, and you can
continue on to configure your Citrix Web Interface. One thing worth checking: if the
purchased certificate was issued by an intermediate CA rather than directly by the root,
that intermediate certificate must also be installed on the vpn3000 (or in the JVM store),
otherwise the JVM cannot build a path from the vpn3000's certificate to a root it trusts.

        Self Signed Certificates: If you are using self signed certificates you will need to
import (install) the certificate into the JVM certificate store as a trusted root. See how to
export self signed certificates from the vpn3000, then see how to import root certificates
into the Sun Java certificate store.

        Corporate or Private Certificate Authority: If you are using a corporate or private
certificate authority you will need to import (install) the root certificate of the CA that
signed the SSL certificate. See how to import root certificates into the Sun Java
certificate store.

              How to export self signed vpn3000 root certificates

There are a few ways to retrieve the self signed root certificate from the vpn3000. The
first is to browse, by http or https, to boxaddress/CERT/ssl.crt. This opens a dialog box
that lets you save the certificate for that interface, so if you are trying to get the public
interface's SSL certificate make sure you use the public IP (or its DNS name) as the box
address.

The other option is to log in to the GUI and, under Administration >>> Certificate
Management (see fig 3.1), look at the list of SSL certificates currently installed in the box.
There will be one for the private interface and one for the public interface. Click the
Export link next to the SSL cert you would like to export. In this case it should be the
public SSL cert, since your users should be accessing the box via the public interface. The
screen that follows asks for a password, because this export also includes the private key
for the SSL certificate. The vpn3000 then opens a new browser window displaying the
encrypted private key followed by the certificate (see fig 6.1). Copy and paste only the
certificate part of this screen (the text block delimited by the BEGIN CERTIFICATE and
END CERTIFICATE lines) into a text editor like Notepad and save the file with a “.cer”
extension. Never put the private key block into the file you hand to clients: the .cer only
needs the public certificate, and anyone holding the private key can impersonate the
vpn3000. Now you will be able to import this certificate into the JVM certificate store.

                                               fig 6.1

      How to import root certificates into Sun’s Java certificate store

This process must be done so that the JVM trusts the SSL certificate presented by the
vpn3000. The Citrix Java code will be able to reach the FQDN but will not connect unless
the JVM trusts the SSL certificate being presented. If the SSL cert is not trusted you will
see the following error when making a connection (see fig 7.1)

                                               fig 7.1

There are two ways to import certificates into the Java certificate store. The first is the
command line tool keytool, which is installed by default with the JVM. The JVM
certificate store is a file called “cacerts”, located in ...\lib\security\cacerts under the Java
installation, and has a default password of “changeit”.

The other option is a GUI based program like KeyStore Explorer, which is a graphical
front end to the same keystore.

The keytool program can be found in c:\program files\java\j2re.1.4.2_06\bin\keytool.exe
                               *** This path will vary per version of code ***

Example of the syntax:

“keytool -import -trustcacerts -alias mycert -file certnew.cer -keystore ..\lib\security\cacerts”
                                     *** This syntax will vary ***

keytool prompts for the keystore password, then, because a self signed certificate cannot be
verified against anything already in cacerts, displays the certificate and asks whether to
trust it; answer yes only if the subject shows the vpn3000 FQDN you expect. Use a unique
-alias for each certificate, since keytool will not overwrite an existing alias. The import
has to be repeated on every client machine (and every JVM installation on it) that will run
the Citrix Java client.

      The JVM certificate store “cacerts” has a default password of “changeit”

The keystore explorer can be found at
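The export, CN check and keytool steps from the sections above, as an added example that is not part of the original document and not code from Cisco or Citrix: a Python script that takes the text of the vpn3000 export screen, keeps only the certificate block (never the private key), confirms the CN holds the FQDN users will type, writes the .cer and builds the keytool command from the doc. The export text it runs on is a constructed placeholder, not a real certificate or key; the file name vpn3000.cer, the alias vpn3000 and the cacerts path are assumptions, and the CN check is a small scan of the DER for the commonName OID rather than a full X.509 parser.

```python
"""Pull only the certificate out of a vpn3000 SSL export, check that its CN is the
FQDN users will connect to, and build the keytool import command for cacerts."""
import base64
import re
import shutil
import subprocess

# One PEM block: label in group 1, base64 body in group 2 (re.S so the body spans lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER encoding of OID 2.5.4.3 (id-at-commonName) as it appears in a subject/issuer RDN.
CN_OID = b"\x06\x03\x55\x04\x03"


def split_export(export_text):
    """Return (certificate_pems, key_labels) from the text shown on the export screen.

    Certificates come back re-wrapped as clean PEM. Private key blocks are never
    returned, only their labels, so the caller can warn that a key was on screen."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(export_text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        if label == "CERTIFICATE":
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
        elif label.endswith("PRIVATE KEY"):
            keys.append(label)
    return certs, keys


def common_names(cert_pem):
    """Every CN string found in the certificate's DER (subject, and issuer if CA-signed).

    Deliberately small: it scans for the commonName OID followed by a PrintableString,
    UTF8String or IA5String with a short-form length. It is not a full X.509 parser;
    'openssl x509 -noout -subject' gives the authoritative subject."""
    der = base64.b64decode(re.sub(r"\s+", "", PEM_BLOCK.search(cert_pem).group(2)))
    names = []
    pos = der.find(CN_OID)
    while pos != -1:
        p = pos + len(CN_OID)
        if p + 2 <= len(der):
            tag, length = der[p], der[p + 1]
            if tag in (0x13, 0x0C, 0x16) and length < 0x80:
                names.append(der[p + 2:p + 2 + length].decode("utf-8", "replace"))
        pos = der.find(CN_OID, p)
    return names


def extract_cert(export_text, fqdn):
    """Return the PEM to save as the .cer, refusing a certificate whose CN is not the
    FQDN (an IP address in the CN is exactly the mistake the doc warns about)."""
    certs, _ = split_export(export_text)
    if not certs:
        raise ValueError("export contains no CERTIFICATE block")
    cns = common_names(certs[0])
    if fqdn.lower() not in (cn.lower() for cn in cns):
        raise ValueError(f"certificate CN {cns} does not match FQDN {fqdn!r}")
    return certs[0]


def keytool_import_cmd(cer_path, alias, cacerts, keytool="keytool"):
    """The keytool invocation from the doc. keytool itself prompts for the store
    password (default 'changeit') and asks whether to trust the certificate."""
    return [keytool, "-import", "-trustcacerts", "-alias", alias,
            "-file", cer_path, "-keystore", cacerts]


def sample_export(cn):
    """Constructed stand-in for the vpn3000 export screen so this runs offline: a dummy
    key block plus a placeholder 'certificate' whose DER is a single CN attribute.
    It is NOT a real X.509 certificate and will not import into a keystore."""
    attr = CN_OID + b"\x13" + bytes([len(cn)]) + cn.encode("ascii")
    der = b"\x30" + bytes([len(attr)]) + attr
    return ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIBOgIBAAJBAKdummydummy (not a real key)\n"
            "-----END RSA PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode("ascii") +
            "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    export = sample_export("webvpn.example.com")   # replace with the pasted export screen
    pem = extract_cert(export, "webvpn.example.com")
    with open("vpn3000.cer", "w") as fh:            # assumed output file name
        fh.write(pem)
    cmd = keytool_import_cmd("vpn3000.cer", "vpn3000",
                             r"C:\Program Files\Java\j2re1.4.2_06\lib\security\cacerts")
    print(" ".join(cmd))
    if shutil.which("keytool"):                     # only where a JVM is actually installed
        subprocess.run(cmd, check=True)             # interactive: password + trust prompt
```

Run it on the text copied from the export window; if the CN holds the interface's IP address instead of the FQDN it stops before writing anything, which is the point at which to go back to Certificate Management and regenerate the public SSL certificate.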

                   How to configure the Citrix Web Interface

For this example we will configure the Web Interface to default to the Java Citrix client
and to use the connection manager. This is a very basic example of how to use the Web
Interface. There are several other, more advanced options: using the Citrix Web Client,
which is an ActiveX applet; using a Program Neighborhood Client that might already be
installed on the machine; or using auto-detect, which uses any client already installed and
otherwise falls back to the Java or Web Client. You can also choose not to use the
connection manager, in which case a user who connects gets a desktop that looks and
feels like their local machine.

For details on how to configure the more advanced options in the Web Interface please
refer to the Citrix administration guides.

You can launch the web interface console from within the Citrix Access Suite console or
directly via http.


Only one parameter is strictly necessary for this to work with the vpn3000: the
Enable SSL/TLS option. All other options only control how the Citrix Web Interface acts
and looks for your users. The encryption option has no effect on the vpn3000; your session
to the vpn3000 is SSL encrypted regardless of it. That option encrypts the ICA session
itself, which matters when you are not using the vpn3000, or when you want the traffic
between the vpn3000 and the Citrix server on the local LAN protected as well, since the
vpn3000's SSL protection ends at the vpn3000. If you would like, you can use this option
in combination with the vpn3000.

Here is a screen shot of the Client deployment settings screen under the Web Interface.
The only item we have checked on this first screen is Client for Java as the default.
As stated in the earlier section, SSL/TLS MUST BE CHECKED for this to work with
the vpn3000.
