Citrix Technical Overview

   Installing Citrix Secure Gateway
Citrix Secure Gateway Presentation

• Introduce Citrix Secure Gateway and explain how it
  delivers secure access to applications and content from
  the Internet.

• Review Citrix Portal products NFuse Classic, Enterprise
  Services for NFuse, and NFuse Elite.

• Discuss the special requirements for configuring Citrix
  Secure Gateway and NFuse on one Server.

• Go through the implementation step by step.
What is Citrix Secure Gateway?



• Citrix Secure Gateway is a secure
  Internet gateway between MetaFrame®
  servers and ICA Client workstations that
  allows customers to simply and
  securely deliver applications across the
  Internet, on demand, to any device.
Introducing Citrix Secure Gateway 1.1

• Citrix Secure Gateway controls ICA traffic between the
  Metaframe Server farm and the client on the Internet.

• It effectively ‘hides’ the Metaframe Server from the
  Internet – access is obtained via a secure SSL
  connection, brokered by CSG.

• CSG is a free product for users of MetaFrame XPa, XPs and XPe.

• Works in conjunction with NFuse Classic 1.7, NFuse Elite
  1.0, and Enterprise Services for NFuse 1.7.
NFuse Portal Products

• NFuse Classic 1.7
   – Application Portal product providing end users with access
     to published applications over the web.

• Enterprise Services for NFuse 1.7
   – expands on NFuse Classic allowing you to publish
     applications from multiple MetaFrame XP for Windows and
     MetaFrame for UNIX server farms simultaneously.

• NFuse Elite 1.0
   – Access Portal product that can be used as an Enterprise
     Information Portal (EIP), combining information from
     many sources in one place.
Why Secure Access?
• Remote Employee Access (B2E).
• Business Application Deployment (B2B).
• Consumer Applications (B2C).
• Business Continuity.
• Must be Secure.
• Must be Cost Effective.
• Must allow access from anywhere.
• Must support different client device types.
When to use Secure Gateway

• One or more servers to support.

• Want to hide internal network addresses.

• Want to secure from DMZ.

• Need highly secure remote access solution.

• Don’t want to use a VPN client.

• Need a non-intrusive ICA client install, e.g. access from
  Internet cafés using the Java client.
CSG Architecture

• Diagram (rendered as text): Client Workstations (EXTERNAL) -> Firewall ->
  DMZ (Citrix Secure Gateway, Citrix NFuse) -> Firewall -> LAN (Citrix MF Server).
  Zone roles: Secure Connectivity (external), Authentication (DMZ), Access Mgmt (LAN).

• DMZ addresses: csg.company.com 203.12.216.50, citrix.company.com 203.12.216.51.

• LAN: Citrix MF Server 192.168.0.100, Alt Address 192.168.5.1
  (NAT 192.168.5.1 -> 192.168.0.100); ICA Port 1494, XML Port 8081, IIS/STA Port 80.

• Ports to open on the external firewall: 443 (HTTPS and SSL).

• Ports to open on the internal firewall: 80 (STA), 8081 (XML), 1494 (ICA).
CSG Traffic Flow

• ICA Client -> ICA/SSL on 443 -> CSG Server (DMZ) -> ICA/1494 -> MetaFrame Server Farm.

• Web Browser -> HTTP/S on 443 -> Secure Web Server (NFuse) -> XML over HTTP/80 -> Citrix XML Service.

• NFuse returns the .ICA file to the Web Browser, which hands it to the ICA Client.
CSG Components
• CSG Service
   – The CSG program itself.

• NFuse Classic, NFuse Elite or ESNFuse
   – Extensions are now built into NFuse and do not need to be
     installed separately as they were in earlier versions.

• Secure Ticketing Authority
   – Functions as a ticketing authority and issues ‘tickets’ to
     portal users’ clients. These form the basis of authentication
     and authorization for ICA connections to a MetaFrame
     server.

• Single Server can be used for CSG/NFuse
   – Certain steps must be taken to ensure that this works
     successfully – see the document from Alstom.
CSG Ticketing

• Web Browser -> Secure Web Server (NFuse) -> Ticket Generation -> Secure Ticketing Authority.
  NFuse also queries the Citrix XML Service.

• NFuse returns the ICA File to the Web Browser, which passes it to the ICA Client.

• ICA Client -> ICA/SSL -> CSG Server -> Ticket Verification -> Secure Ticketing Authority.

• CSG Server -> ICA/1494 -> MetaFrame Server Farm.
NFuse Classic and CSG Connection Process
• User accesses the NFuse Classic portal page over an HTTPS
  connection from a Web browser and logs in.

• NFuse requests the published resources from the MF XML
  Service, and the application page is populated with icons.

• User clicks on an application; the address for the client is sent
  to the Secure Ticket Authority (STA) and a ticket is requested.
  The STA saves the IP address and issues the requested ticket
  to the CSG server.

• NFuse server generates an ICA file containing the ticket
  issued by the STA and the FQDN of the CSG Server, and
  sends it to the client’s Web browser.

• The Web browser passes the ICA file to the ICA Client, which
  launches an SSL connection to the CSG server.
NFuse Classic and CSG Connection Process
• CSG server accepts the ticket from the ICA Client and uses
  information in the ticket to identify and contact the STA for
  ticket validation.

• If the STA is able to validate the ticket, it returns an IP
  address of the MetaFrame server on which the requested
  resource resides to the CSG server.

• CSG server receives the IP address for the MetaFrame server
  and it establishes an ICA connection to the MetaFrame server.
  CSG server monitors ICA data flowing through the connection,
  and encrypts and decrypts client-server communication.
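The ticket exchange described in the two slides above, modelled as an added example (constructed here, not Citrix code). Assumptions not on the slides: tickets are random opaque strings, single-use, and expire after TICKET_TTL seconds; the ICA file is represented as a dict with constructed key names.

```python
import secrets
import time

# Constructed model of the NFuse / STA / CSG ticket exchange (not Citrix code).
# Assumptions: tickets are opaque random strings, single-use, and expire after
# TICKET_TTL seconds; the real STA ticket format is not given on the slides.
TICKET_TTL = 100  # seconds (assumed value)


class SecureTicketAuthority:
    """Issues tickets for a MetaFrame server address and validates them once."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._tickets = {}         # ticket -> (server_address, expiry)

    def request_ticket(self, server_address):
        # NFuse sends the MetaFrame address; the STA stores it and returns an
        # opaque ticket, so the internal address itself never reaches the client.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_address, self._now() + TICKET_TTL)
        return ticket

    def validate_ticket(self, ticket):
        # CSG redeems the ticket. pop() makes it single-use: a replayed ticket
        # is unknown the second time and the connection is refused.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_address, expiry = entry
        if self._now() > expiry:
            return None
        return server_address


def nfuse_build_ica_file(sta, csg_fqdn, server_address):
    """NFuse side: ICA file carries the ticket and the CSG FQDN, never the LAN address."""
    ticket = sta.request_ticket(server_address)
    return {"csg_fqdn": csg_fqdn, "ticket": ticket}   # constructed key names


def csg_broker(sta, ica_file):
    """CSG side: validate the ticket with the STA and return the ICA target."""
    server_address = sta.validate_ticket(ica_file["ticket"])
    if server_address is None:
        return None   # unknown, replayed or expired ticket: refuse the connection
    return (server_address, 1494)   # ICA port from the architecture slide
```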
CSG Service
• Windows 2000 native Service
• Runs in DMZ, does not require IIS installed.
• Multi-threaded design (utilizes IO Completion Ports) for high
  efficiency and throughput.
• Utilises Microsoft S-Channel for SSL functions.
• Server certificate required for SSL server authentication.
• Build large CSG arrays for scalability and fault tolerance using
  industry standard external network load balancer.
• GUI configuration tool.
• Small benefit from PCI based SSL accelerators.
Secure Ticketing Authority

• Implemented as ISAPI DLL so requires IIS.

• Extremely lightly loaded.

• Easily configurable through UI tool.

• Redundant STAs can be defined.

• Should not be accessible from outside DMZ.

• Communicates with CSG and NFuse via XML protocol
  over HTTP. Port configurable.
Encryption and Connectivity

• Secures ICA Traffic only.

• SSL v3.0 and TLS 1.0 with 128-bit encryption.

• Support for Public Key Infrastructure (PKI).

• Single IP address is exposed to Internet.

• Ease of firewall traversal (uses port 443 only).

• Diagram: ICA and SSL from the client through the Firewall to Citrix Secure
  Gateway, then on to Citrix NFuse 1.6 Technology and Citrix MetaFrame XP w/
  Feature Release 1.
SSL vs TLS
• SSL is an open, non-proprietary protocol that provides
  data encryption, server authentication, message
  integrity, and optional client authentication for a TCP/IP
  connection.
• TLS is the latest, standardised version of the SSL
  protocol. TLS is an open standard and like SSL, TLS
  provides server authentication, encryption of the data
  stream, and message integrity checks.
• Support for TLS Version 1.0 is included in Feature
  Release 2 for MetaFrame XP (Not in FR1) and clients
  from v6.30.
• Because there are only minor differences between SSL
  and TLS, the server certificates you use for SSL in your
  MetaFrame installation will also work for TLS.
New in CSG v1.1

• Windows 2000 certification.

• All logging to Windows system log.

• TLS v1.0 and SSL v3.0.

• No NFuse Extensions – Now native to NFuse Classic.

• Improved configuration Graphical User Interface –
  NFuse Admin.

• Solaris edition.
CSG and Java Client

• Zero footprint Client – nothing to install on the local
  machine.

• Client is downloaded and executed via the browser.

• Ideal for accessing applications securely from an
  Internet Café.

• SSL Certificates from own MS Certificate Server as well
  as commercial organisations can be used.
Installing Citrix Secure Gateway
• Configure DNS entries for NFuse/CSG Server.
• Install and configure W2K/Citrix Metaframe Server(s).
• Install and configure W2K/CSG/NFuse Server.
• Install MS Certificate Services on a W2K Server.
• Generate and Install Certificates.
• Install Secure Ticketing Authority.
• Install and configure NFuse.
• Install and configure Citrix Secure Gateway.
• Customise the NFuse login page.
Configure Network and DNS entries

• Open the ports required on the firewall.

• Reserve public IP addresses for CSG and NFuse.

• Configure A records in the DNS for citrix.company.com
  and csg.company.com.
Install and Configure Metaframe Server

• Install Windows 2000 and IIS.

• Install Terminal Services in Application Compatibility
  Mode.

• Install Service Pack 2.

• Install TS Post SP2 Hot Fix.

• Install MetaFrame XP – specify the XML port as 8081 (if the STA
  is on the same server).

• Add the Alternate Address (if NAT being used to DMZ) –
  syntax is c:\altaddr /set 192.168.1.5

• Install the Secure Ticketing Authority.
Install and Configure CSG/NFuse Server

• Install Windows 2000 and IIS

• Install Windows 2000 Service Pack 2

• Dual Home the CSG/NFuse Server (second IP Address)
Configure CSG/NFuse Server - IIS

• Disable Socket Pooling

• Generate Certificate Requests

• Create Certificates using MS Certificate Authority

• Install Certificates
Certificate Server - Creating Certificates

• Install MS Certificate Services on a server.

• Select ‘Advanced’ and use a 1024-bit key.

• Issue a Certificate Request in IIS, use 1024 bit and name it
  with the domain name of the server, e.g.
  citrix.company.com.

• Issue another Certificate Request, e.g. for
  csg.company.com.

• Paste the requests into the Certificate Server.

• Generate the Certificate and the Root Certificate.

• Install the Certificates on the CSG/NFuse Server.
Certificate Refresher

• How do I determine a person’s identity?

• How do I determine a server’s identity?
Server Certificates

• Server certificates are unique to a particular server name.

• The ‘subject’ of the certificate is the FQDN of the server.

• View the Certification Path to find out which certification
  authority (CA) issued this certificate.
Root Certificates
• Root certificates (CA
  certificates) are self-signed
  entities that are used to
  verify server certificates.
• If you trust a CA, install
  their root certificate.
• Windows ships with many
  pre-installed CA certificates
  for well-known CAs.
   – Verisign
   – Baltimore
   – RSA
   – Thawte
Generating the Certificate Requests

• Generate the requests from within IIS Admin on the
  CSG/NFuse Server.
Installing the MS Certificate Server

• Use Add/Remove Programs>Windows Components, to
  install MS Certificate Services on a Windows 2000
  Server.
Creating the Certificate

• Go to URL http://[server]/certsrv to access the
  Certificate Server.
Issue and Save the Certificate

• Use the MMC to issue pending certificates, then use the
  Certificate Server to create and save them.
Creating the Root Certificate

• Go to the Certificate Server URL and select ‘Retrieve the
  CA Certificate’.
Adding the Root Certificate

• Copy the Root Certificate to the machines and double
  click on it to add it to the CSG/NFuse Server and the
  Clients who will be connecting via CSG/NFuse.
Adding the Server Certificates in IIS

• From within IIS Admin, choose the Directory Security
  TAB to install the Certificate.
Configure IIS to accept only SSL

• From within IIS Admin, choose Web Site TAB, and add
  the SSL port 443. Then choose the Directory Security
  TAB and ‘Edit’ under Secure Communications area.
Certificates Required – Web and CSG
• A Certificate is required for the NFuse web site, i.e.
  https://citrix.company.com, and also for the client to
  authenticate the CSG server over SSL, using the
  FQDN of the CSG Server, i.e. csg.company.com.
• To generate a second certificate, follow the procedure
  discussed and instead of the ‘Default Web Site’, use the
  ‘Administration Site’ under IIS to generate the
  Certificate Request and accept the created Certificate.
• There should be two certificates, plus a root certificate
  from the Certification Authority generated.
   – citrix.company.com (install under Default Web Site)
   – csg.company.com (install under Administration Site)
   – Root certificate
CSG/NFuse Server - Install NFuse

• Run the executable to install NFuse on the CSG/NFuse
  Server.
CSG/NFuse Server - Install CSG

• Run the installation routine.

• Select the Certificate to use eg. csg.company.com.

• Set the IP Address that CSG will listen to port 443 on.

• Set the IP Address of the STA.

• Other settings can be left as default.
Installing the CSG Service

• Install the CSG Service - run the executable to install it
  on the CSG/NFuse Server.
Installing the STA Service

• Run the executable to install the STA on the Metaframe
  Server.
Configuring NFuse using NFuse Admin

• Graphical Administration Utility that edits the nfuse.conf file,
  where the configuration settings are stored.

• Default page http://[server]/Citrix/NFuseadmin.

• Specify Metaframe Server Address, XML Port.

• Configure for Citrix Secure Gateway here if required.

• Control ICA Client deployment, and Java client.

• Configure Server and Client side firewall settings.
NFuse Admin
NFuse Admin CSG Settings – MF Server

• Specify the address of the Metaframe Server and the
  XML port.
NFuse Admin Settings - CSG

• Check ‘Citrix Secure Gateway’.
NFuse Admin Settings - CSG

• Specify the FQDN of the CSG server, check ‘use alternate
  address of Metaframe servers’ (if using NAT), and specify
  the address of the STA.
NFuse Classic 1.7 Login Page

• Default Page is http://server/Citrix/NFuse17

• The NFuse.conf file is an ‘ini’-style file that controls NFuse –
  edit it using NFuse Admin or manually.

• NFuse.conf is located under c:\Program
  Files\Citrix\NFuse\conf directory.

• Can be customised – use an HTML editor, e.g. FrontPage,
  and edit the login.asp file.
Default page for ‘citrix.company.com’

• Rather than change your web server document root,
  create a file ‘default.asp’ and save under
  c:\inetpub\wwwroot directory.

• Edit this file and add the line of code below:

  <% Response.Redirect "/Citrix/Nfuse17/" %>
NFuse Classic 1.7 Login Page
NFuse Applications
NFuse Client Settings
Verify SSL Connectivity

• ICA Systray Icon, or the active Citrix window – right click
  and choose Properties, or mouse over the connection to
  display the encryption status.
MS Lockdown Tool for Security

• Microsoft IIS Lockdown tool can be used to secure an
  IIS web server.

• Can be obtained from:

  http://download.microsoft.com/download/iis50/Utility/2.1/NT45/EN-US/iislockd.exe

• Choose ‘Advanced’ lockdown mode.

• Uncheck the option to disable support for ASP pages.
Redundancy using Two NFuse Installations

• Reconfigure the DNS record to point to an alternate
  server if one goes down.

• Configure a DNS record to round robin between the
  NFuse Servers. The disadvantage is that some users will not
  be able to connect until the downed box is removed
  from the DNS record.

• Use a network load balancer – best option but most
  expensive.

• Utilise Network load balancing with Windows 2000
  Advanced Server - similar to the solution above.
Citrix Portal Summary

• Citrix Portal solutions allow you to securely access your
  applications from anywhere you can get to a PC with a
  browser and an Internet connection.

• They are excellent solutions to use for Remote Access,
  Wireless Mobility, Rapid Application Deployment and
  Business Continuity purposes.

• CSG is a simple and cost effective solution to enable
  remote access to Metaframe published applications
  when compared to hardware/software based VPNs.

• NFuse Elite is a fully featured, flexible, easy to
  configure Access Portal product, for use as an
  Enterprise Information Portal.
