Citrix Technical Overview

1
Citrix Technical Overview
Installing Citrix Secure Gateway
Andrew Wilmot Citrix Technical Business
Development Manager Abcd IT
2
Citrix Secure Gateway Presentation

• Introduce Citrix Secure Gateway and explain how
  it delivers secure access to applications and
  content from the Internet.
• Review Citrix Portal products NFuse Classic,
  Enterprise Services for NFuse, and NFuse Elite.
• Discuss the special requirements for configuring
  Citrix Secure Gateway and NFuse on one Server.
• Go through the implementation step by step.

3
What is Citrix Secure Gateway?

• Citrix Secure Gateway is a secure Internet
  gateway between MetaFrame servers and ICA Client
  workstations that allows customers to simply and
  securely deliver applications across the
  Internet, on demand, to any device. 

4
Introducing Citrix Secure Gateway 1.1

• Citrix Secure Gateway controls ICA traffic
  between the Metaframe Server farm and the client
  on the Internet.
• It effectively hides the Metaframe Server from
  the Internet access is obtained via a secure
  SSL connection, brokered by CSG.
• CSG is a free product for users of Metaframe
  Xpa,s,e.
• Works in conjunction with NFuse Classic 1.7,
  NFuse Elite 1.0, and Enterprise Services for
  NFuse 1.7.

5
NFuse Portal Products

• NFuse Classic 1.7
• Application Portal product providing end users
  with access to published applications over the
  web.
• Enterprise Services for NFuse 1.7
• expands on NFuse Classic allowing you to publish
  applications from multiple MetaFrame XP for
  Windows and MetaFrame for UNIX server farms
  simultaneously.
• NFuse Elite 1.0
• Access Portal product that can be used as an
  Enterprise Information Portal (EIP), combining
  information from many sources in one place.

6
Why Secure Access?

• Remote Employee Access (B2E).
• Business Application Deployment (B2B).
• Consumer Applications (B2C).
• Business Continuity.
• Must be Secure.
• Must be Cost Effective.
• Must allow access from anywhere.
• Must support different client device types.

7
When to use Secure Gateway

• One or more servers to support.
• Want to hide internal network addresses.
• Want to secure from DMZ.
• Need highly secure remote access solution.
• Dont want to use a VPN client.
• Need non-intrusive ICA client install i.e. access
  from Internet cafes using JAVA client.

8
CSG Architecture
Authentication
Access Mgmt
Secure Connectivity
NAT 192.168.5.1-192.68.0.100
Firewall
Firewall
Citrix Secure Gateway
CitrixNFuse
ClientWorkstations
EXTERNAL
LAN Citrix MF Server 192.168.0.100 Alt Address
192.168.5.1 ICA Port 1494 XML Port 8081 IIS/STA
Port 80
DMZ csg.company.com 203.12.216.50 citrix.company.
com 203.12.216.51
Ports to open 443 (Https and SSL)
Ports to open 80 (STA) 8081 (XML) 1494 (ICA)
9
CSG Traffic Flow
DMZ
ICA/SSL
443
ICA Client
CSG Server
ICA/1494
MetaFrame Server Farm
.ICA file
443
HTTP/S
NFuse
Citrix XML Service
XML-HTTP/80
10
CSG Components

• CSG Service
• The CSG program itself.
• NFuse Classic or NFfuse Elite or ESNFuse
• Extensions are now built into NFuse and do not
  need to be installed separately as they were in
  earlier versions.
• Secure Ticketing Authority
• Functions as a ticketing authority and issues
  tickets to portal users clients. These form
  the basis of authentication and authorization for
  ICA connections to a MetaFrame server.
• Single Server can be used for CSG/NFuse
• Certain steps must be taken to ensure that works
  successfully see document from Alstom.

11
CSG Ticketing
CSG Server
ICA Client
MetaFrame Server Farm
Secure Ticketing Authority
Secure Web Server
Web Browser
Citrix XML Service
NFuse
12
NFuse Classic and CSG Connection Process

• User accesses NFuse Classic portal page over
  Https// connection from Web browser and logs in.
• NFuse requests the published resources from the
  MF XML Service, and the application page is
  populated with icons.
• User clicks on an application and address for the
  client is sent to the Secure Ticket Authority
  (STA) and a ticket is requested. The STA saves
  the IP address and issues the requested ticket to
  CSG server.
• NFuse server generates an ICA file containing the
  ticket issued by the STA and the FQDN of the CSG
  Server, and sends it to the clients Web browser.
  
• The Web browser passes the ICA file to the ICA
  Client, which launches an SSL connection to the
  CSG server.

13
NFuse Classic and CSG Connection Process

• CSG server accepts the ticket from the ICA Client
  and uses information in the ticket to identify
  and contact the STA for ticket validation.
• If the STA is able to validate the ticket, it
  returns an IP address of the MetaFrame server on
  which the requested resource resides to the CSG
  server.
• CSG server receives the IP address for the
  MetaFrame server and it establishes an ICA
  connection to the MetaFrame server. CSG server
  monitors ICA data flowing through the connection,
  and encrypts and decrypts client-server
  communication.

14
CSG Service

• Windows 2000 native Service
• Runs in DMZ, does not require IIS installed.
• Multi-threaded design (utilizes IO Completion
  Ports) for high efficiency and throughput.
• Utilises Microsoft S-Channel for SSL functions.
• Server certificate required for SSL server
  authentication.
• Build large CSG arrays for scalability and fault
  tolerance using industry standard external
  network load balancer.
• GUI configuration tool.
• Small benefit from PCI based SSL accelerators.

15
Secure Ticketing Authority

• Implemented as ISAPI DLL so requires IIS.
• Extremely lightly loaded.
• Easily configurable through UI tool.
• Redundant STAs can be defined.
• Should not be accessible from outside DMZ.
• Communicates with CSG and NFuse via XML protocol
  over HTTP. Port configurable.

16
Encryption and Connectivity

• Secures ICA Traffic only.
• SSL v3.0 and TLS 1.0 with 128-bit encryption.
• Support for Public Key Infrastructure (PKIs).
• Single IP address is exposed to Internet.
• Ease of firewall traversal (uses port 443 only).

Citrix Secure Gateway
Firewall
ICA and SSL
Citrix NFuse 1.6 Technology
Citrix MetaFrame XP w/ Feature Release 1
17
SSL vs TLS

• SSL is an open, non-proprietary protocol that
  provides data encryption, server authentication,
  message integrity, and optional client
  authentication for a TCP/IP connection.
• TLS is the latest, standardised version of the
  SSL protocol. TLS is an open standard and like
  SSL, TLS provides server authentication,
  encryption of the data stream, and message
  integrity checks.
• Support for TLS Version 1.0 is included in
  Feature Release 2 for MetaFrame XP (Not in FR1)
  and clients from v6.30.
• Because there are only minor differences between
  SSL and TLS, the server certificates you use for
  SSL in your MetaFrame installation will also work
  for TLS.

18
New in CSG v1.1

• Windows 2000 certification.
• All logging to Windows system log.
• TLS v1.0 and SSL v3.0.
• No NFuse Extensions Now native to NFuse
  Classic.
• Improved configuration Graphical User Interface
  NFuse Admin.
• Solaris edition.

19
CSG and Java Client

• Zero footprint Client nothing to install on the
  local machine.
• Client is downloaded and executed via the
  browser.
• Ideal for accessing applications securely from an
  Internet Café.
• SSL Certificates from own MS Certificate Server
  as well as commercial organisations can be used.

20
Installing Citrix Secure Gateway

• Configure DNS entries for NFuse/CSG Server.
• Install and configure W2K/Citrix Metaframe
  Server(s).
• Install and configure W2K/CSG/NFuse Server.
• Install MS Certificate Services on a W2K Server.
• Generate and Install Certificates.
• Install Secure Ticketing Authority.
• Install and configure NFuse.
• Install and configure Citrix Secure Gateway.
• Customise the NFuse login page.

21
Configure Network and DNS entries

• Open the ports required on the firewall.
• Reserve public IP addresses for CSG and NFuse.
• Configure A records in the DNS for
  citrix.company.com and csg.company.com.

22
Install and Configure Metaframe Server

• Install Windows 2000 and IIS.
• Install Terminal Services in Application
  Compatibility Mode.
• Install Service Pack 2.
• Install TS Post SP2 Hot Fix.
• Install Metframe XP specify XML port as 8081
  (if STA on the same server).
• Add the Alternate Address (if NAT being used to
  DMZ) syntax is c\altaddr /set 192.168.1.5
• Install the Secure Ticketing Authority.

23
Install and Configure CSG/NFuse Server

• Install Windows 2000 and IIS
• Install Windows 2000 Service Pack 2
• Dual Home the CSG/NFuse Server (second IP
  Address)

24
Configure CSG/NFuse Server - IIS

• Disable Socket Pooling
• Generate Certificate Requests
• Create Certificates using MS Certificate
  Authority
• Install Certificates

25
Certificate Server - Creating Certificates

• Install MS Certificate Services on a server.
• Select Advanced use 1024 bit encryption.
• Issue Certifcate Request in IIS, use 1024 bit and
  name with the domain name of the server eg.
  citrix.company.com.
• Issue another Certifcate request for eg.
  csg.company.com.
• Paste requests into Certicate Server.
• Generate Certificate and the Root Certificate.
• Install Certifcates on the CSG/NFuse Server.

26
Certificate Refresher

• How do I determine a persons identity?

• How do I determine a servers identity?

27
Server Certificates

• Server certificates are unique to a particular
  server name.
• The subject of the certificate is the FQDN of
  the server.
• View the Certification Path to find out which
  certification authority (CA) issued this
  certificate.

28
Root Certificates

• Root certificates (CA certificates) are
  self-signed entities that are used to verify
  server certificates.
• If you trust a CA, install their root
  certificate.
• Windows ships with many pre-installed CA
  certificates for well-known CAs.
• Verisign
• Baltimore
• RSA
• Thawte

29
Generating the Certifcate Requests

• Generate the requests from within IIS Admin on
  the CSG/NFuse Server.

30
Installing the MS Certificate Server

• Use Add/Remove ProgramsWindows Components, to
  install MS Certificate Services on a Windows 2000
  Server.

31
Creating the Certificate

• Go to URL http//server/certsrv to access the
  Certificate Server.

32
Issue and Save the Certificate

• Use the MMC to issue pending certificates, then
  use the Certificate Server to create and save
  them.

33
Creating the Root Certificate

• Go to the Certificate Server URL and select
  Retrieve the CA Certificate.

34
Adding the Root Certificate

• Copy the Root Certificate to the machines and
  double click on it to add it to the CSG/NFuse
  Server and the Clients who will be connecting via
  CSG/NFuse.

35
Adding the Server Certificates in IIS

• From within IIS Admin, choose the Directory
  Security TAB to install the Certificate.

36
Configure IIS to accept only SSL

• From within IIS Admin, choose Web Site TAB, and
  add the SSL port 443. Then choose the Directory
  Security TAB and Edit under Secure
  Communications area.

37
Certificates Required Web and CSG

• A Certificate is required for the NFuse web site,
  ie https//citrix.company.com and also for the
  client to authenticate using SSL to the CSG
  server, using the FQDN of the CSG Server ie
  csg.company.com.
• To generate a second certificate, follow the
  procedure discussed and instead of the Default
  Web Site, use the Administration Site under
  IIS to generate the Certificate Request and
  accept the created Certificate.
• There should be two certificates, plus a root
  certificate from the Certification Authority
  generated.
• citrix.company.com (install under Default Web
  Site)
• csg.company.com (install under Administration
  Site)
• Root certificate

38
CSG/NFuse Server - Install NFuse

• Run the executable to install NFuse on the
  CSG/NFuse Server.

39
CSG/NFuse Server - Install CSG

• Run the installation routine.
• Select the Certificate to use eg.
  csg.company.com.
• Set the IP Address that CSG will listen to port
  443 on.
• Set the IP Address of the STA.
• Other settings can be left as default.

40
Installing the CSG Service

• Install the CSG Service - run the executable to
  install it on the CSG/NFuse Server.

41
Installing the STA Service

• Run the executable to install the STA on the
  Metaframe Server.

42
Configuring NFuse using NFuse Admin

• Graphical Administration Utility that edits
  nfuse.conf file where configuration settings are
  stored.
• Default page http//server/Citrix/NFuseadmin.
• Specify Metaframe Server Address, XML Port.
• Configure for Citrix Secure Gateway here if
  required.
• Control ICA Client deployment, and Java client.
• Configure Server and Client side firewall
  settings.

43
NFuse Admin
44
NFuse Admin CSG Settings MF Server

• Specify the address of the Metaframe Server and
  the XML port.

45
NFuse Admin Settings - CSG

• Check Citrix Secure Gateway.

46
NFuse Admin Settings - CSG

• The FQDN of CSG server, use alternate address of
  Metaframe servers checked (if using NAT), as
  well as address of the STA should be specified.

47
NFuse Classic 1.7 Login Page

• Default Page is http//server/Citrix/NFuse17
• NFuse.conf file is an ini file that controls
  NFuse edit using NFuse Admin or manually.
• NFuse.conf is located under c\Program
  Files\Citrix\NFuse\conf directory.
• Can be customised use a html editor eg
  FrontPage and edit the login.asp file.

48
Default page for citrix.company.com

• Rather than change your web server document root,
  create a file default.asp and save under
  c\inetpub\wwwroot directory.
• Edit this file and add the line of code below

49
NFuse Classic 1.7 Login Page
50
NFuse Applications
51
NFuse Client Settings
52
Verify SSL Connectivity

• ICA Systray Icon, or the active Citrix window
  right click and choose properties or mouse over
  the connection to display the encryption status.

53
MS Lockdown Tool for Security

• Microsoft IIS Lockdown tool can be used to secure
  an IIS web server.
• Can be obtained from
• http//download.microsoft.com/download/iis50/Util
  ity/2.1/NT45/EN-US/iislockd.exe
• Choose Advanced lockdown mode.
• Uncheck the option to disable support for ASP
  pages.

54
Redundancy using Two Nfuse Installations

• Reconfigure the DNS record to point to an
  alternate server if one goes down.
• Configure a DNS record to round robin between the
  Nfuse Servers. Disadvantage is that some users
  will not be able to connect until the downed box
  is removed from the DNS record.
• Use a network load balancer best option but
  most expensive.
• Utilise Network load balancing with Windows 2000
  Advanced Server - similar to the solution above.

55
Citrix Portal Summary

• Citrix Portal solutions allow you to securely
  access your applications from anywhere you can
  get to a PC with a browser and an Internet
  connection.
• They are excellent solutions to use for Remote
  Access, Wireless Mobility, Rapid Application
  Deployment and Business Continuity purposes.
• CSG is a simple and cost effective solution to
  enable remote access to Metaframe published
  applications when compared to hardware/software
  based VPNs.
• NFuse Elite is a fully featured, flexible, easy
  to configure Access Portal product, for use as
  an Enterprise Information Portal.