590 likes | 928 Vues
Citrix Technical Overview. Installing Citrix Secure Gateway . Andrew Wilmot Citrix Technical Business Development Manager Ab c d IT. Citrix Secure Gateway Presentation . Introduce Citrix Secure Gateway and explain how it delivers secure access to applications and content from the Internet.
E N D
Citrix Technical Overview Installing Citrix Secure Gateway Andrew Wilmot Citrix Technical Business Development Manager AbcdIT
Citrix Secure Gateway Presentation • Introduce Citrix Secure Gateway and explain how it delivers secure access to applications and content from the Internet. • Review Citrix Portal products NFuse Classic, Enterprise Services for NFuse, and NFuse Elite. • Discuss the special requirements for configuring Citrix Secure Gateway and NFuse on one Server. • Go through the implementation step by step.
What is Citrix Secure Gateway? • Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device.
Introducing Citrix Secure Gateway 1.1 • Citrix Secure Gateway controls ICA traffic between the Metaframe Server farm and the client on the Internet. • It effectively ‘hides’ the Metaframe Server from the Internet – access is obtained via a secure SSL connection, brokered by CSG. • CSG is a free product for users of Metaframe Xpa,s,e. • Works in conjunction with NFuse Classic 1.7, NFuse Elite 1.0, and Enterprise Services for NFuse 1.7.
NFuse Portal Products • NFuse Classic 1.7 • Application Portal product providing end users with access to published applications over the web. • Enterprise Services for NFuse 1.7 • expands on NFuse Classic allowing you to publish applications from multiple MetaFrame XP for Windows and MetaFrame for UNIX server farms simultaneously. • NFuse Elite 1.0 • Access Portal product that can be used as an Enterprise Information Portal (EIP), combining information from many sources in one place.
Why Secure Access? • Remote Employee Access (B2E). • Business Application Deployment (B2B). • Consumer Applications (B2C). • Business Continuity. • Must be Secure. • Must be Cost Effective. • Must allow access from anywhere. • Must support different client device types.
When to use Secure Gateway • One or more servers to support. • Want to hide internal network addresses. • Want to secure from DMZ. • Need highly secure remote access solution. • Don’t want to use a VPN client. • Need non-intrusive ICA client install i.e. access from Internet cafes using JAVA client.
CSG Architecture Authentication Access Mgmt Secure Connectivity NAT 192.168.5.1-192.68.0.100 Firewall Firewall Citrix Secure Gateway CitrixNFuse ClientWorkstations EXTERNAL LAN Citrix MF Server 192.168.0.100 Alt Address 192.168.5.1 ICA Port 1494 XML Port 8081 IIS/STA Port 80 DMZ csg.company.com 203.12.216.50 citrix.company.com 203.12.216.51 Ports to open 443 (Https and SSL) Ports to open 80 (STA) 8081 (XML) 1494 (ICA)
CSG Traffic Flow Web Browser Secure Web Server DMZ ICA/SSL 443 ICA Client CSG Server ICA/1494 MetaFrame Server Farm .ICA file 443 HTTP/S NFuse Citrix XML Service XML-HTTP/80
CSG Components • CSG Service • The CSG program itself. • NFuse Classic or NFfuse Elite or ESNFuse • Extensions are now built into NFuse and do not need to be installed separately as they were in earlier versions. • Secure Ticketing Authority • Functions as a ticketing authority and issues ‘tickets’ to portal users client’s. These form the basis of authentication and authorization for ICA connections to a MetaFrame server. • Single Server can be used for CSG/NFuse • Certain steps must be taken to ensure that works successfully – see document from Alstom.
CSG Ticketing ICA/1494 ICA/SSL Ticket Verification ICA File Ticket Generation CSG Server ICA Client MetaFrame Server Farm Secure Ticketing Authority Web Browser Secure Web Server Citrix XML Service NFuse
NFuse Classic and CSG Connection Process • User accesses NFuse Classic portal page over Https:// connection from Web browser and logs in. • NFuse requests the published resources from the MF XML Service, and the application page is populated with icons. • User clicks on an application and address for the client is sent to the Secure Ticket Authority (STA) and a ticket is requested. The STA saves the IP address and issues the requested ticket to CSG server. • NFuse server generates an ICA file containing the ticket issued by the STA and the FQDN of the CSG Server, and sends it to the client’s Web browser. • The Web browser passes the ICA file to the ICA Client, which launches an SSL connection to the CSG server.
NFuse Classic and CSG Connection Process • CSG server accepts the ticket from the ICA Client and uses information in the ticket to identify and contact the STA for ticket validation. • If the STA is able to validate the ticket, it returns an IP address of the MetaFrame server on which the requested resource resides to the CSG server. • CSG server receives the IP address for the MetaFrame server and it establishes an ICA connection to the MetaFrame server. CSG server monitors ICA data flowing through the connection, and encrypts and decrypts client-server communication.
CSG Service • Windows 2000 native Service • Runs in DMZ, does not require IIS installed. • Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput. • Utilises Microsoft S-Channel for SSL functions. • Server certificate required for SSL server authentication. • Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer. • GUI configuration tool. • Small benefit from PCI based SSL accelerators.
Secure Ticketing Authority • Implemented as ISAPI DLL so requires IIS. • Extremely lightly loaded. • Easily configurable through UI tool. • Redundant STAs can be defined. • Should not be accessible from outside DMZ. • Communicates with CSG and NFuse via XML protocol over HTTP. Port configurable.
Encryption and Connectivity • Secures ICA Traffic only. • SSL v3.0 and TLS 1.0 with 128-bit encryption. • Support for Public Key Infrastructure (PKIs). • Single IP address is exposed to Internet. • Ease of firewall traversal (uses port 443 only). Citrix Secure Gateway Firewall ICA and SSL Citrix NFuse 1.6 Technology Citrix MetaFrame XP w/ Feature Release 1
SSL vs TLS • SSLis an open, non-proprietary protocol that provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. • TLSis the latest, standardised version of the SSL protocol. TLS is an open standard and like SSL, TLS provides server authentication, encryption of the data stream, and message integrity checks. • Support for TLS Version 1.0 is included in Feature Release 2 for MetaFrame XP (Not in FR1) and clients from v6.30. • Because there are only minor differences between SSL and TLS, the server certificates you use for SSL in your MetaFrame installation will also work for TLS.
New in CSG v1.1 • Windows 2000 certification. • All logging to Windows system log. • TLS v1.0 and SSL v3.0. • No NFuse Extensions – Now native to NFuse Classic. • Improved configuration Graphical User Interface – NFuse Admin. • Solaris edition.
CSG and Java Client • Zero footprint Client – nothing to install on the local machine. • Client is downloaded and executed via the browser. • Ideal for accessing applications securely from an Internet Café. • SSL Certificates from own MS Certificate Server as well as commercial organisations can be used.
Installing Citrix Secure Gateway • Configure DNS entries for NFuse/CSG Server. • Install and configure W2K/Citrix Metaframe Server(s). • Install and configure W2K/CSG/NFuse Server. • Install MS Certificate Services on a W2K Server. • Generate and Install Certificates. • Install Secure Ticketing Authority. • Install and configure NFuse. • Install and configure Citrix Secure Gateway. • Customise the NFuse login page.
Configure Network and DNS entries • Open the ports required on the firewall. • Reserve public IP addresses for CSG and NFuse. • Configure A records in the DNS for citrix.company.com and csg.company.com.
Install and Configure Metaframe Server • Install Windows 2000 and IIS. • Install Terminal Services in Application Compatibility Mode. • Install Service Pack 2. • Install TS Post SP2 Hot Fix. • Install Metframe XP – specify XML port as 8081 (if STA on the same server). • Add the Alternate Address (if NAT being used to DMZ) – syntax is c:\altaddr /set 192.168.1.5 • Install the Secure Ticketing Authority.
Install and Configure CSG/NFuse Server • Install Windows 2000 and IIS • Install Windows 2000 Service Pack 2 • Dual Home the CSG/NFuse Server (second IP Address)
Configure CSG/NFuse Server - IIS • Disable Socket Pooling • Generate Certificate Requests • Create Certificates using MS Certificate Authority • Install Certificates
Certificate Server - Creating Certificates • Install MS Certificate Services on a server. • Select ‘Advanced’ use 1024 bit encryption. • Issue Certifcate Request in IIS, use 1024 bit and name with the domain name of the server eg.citrix.company.com. • Issue another Certifcate request for eg.csg.company.com. • Paste requests into Certicate Server. • Generate Certificate and the Root Certificate. • Install Certifcates on the CSG/NFuse Server.
How do I determine a person’s identity? Certificate Refresher • How do I determine a server’s identity?
Server Certificates • Server certificates are unique to a particular server name. • The ‘subject’ of the certificate is the FQDN of the server. • View the Certification Path to find out which certification authority (CA) issued this certificate.
Root certificates (CA certificates) are self-signed entities that are used to verify server certificates. If you trust a CA, install their root certificate. Windows ships with many pre-installed CA certificates for well-known CA’s. Verisign Baltimore RSA Thawte Root Certificates
Generating the Certifcate Requests • Generate the requests from within IIS Admin on the CSG/NFuse Server.
Installing the MS Certificate Server • Use Add/Remove Programs>Windows Components, to install MS Certificate Services on a Windows 2000 Server.
Creating the Certificate • Go to URL http://[server]/certsrv to access the Certificate Server.
Issue and Save the Certificate • Use the MMC to issue pending certificates, then use the Certificate Server to create and save them.
Creating the Root Certificate • Go to the Certificate Server URL and select ‘Retrieve the CA Certificate’.
Adding the Root Certificate • Copy the Root Certificate to the machines and double click on it to add it to the CSG/NFuse Server and the Clients who will be connecting via CSG/NFuse.
Adding the Server Certificates in IIS • From within IIS Admin, choose the Directory Security TAB to install the Certificate.
Configure IIS to accept only SSL • From within IIS Admin, choose Web Site TAB, and add the SSL port 443. Then choose the Directory Security TAB and ‘Edit’ under Secure Communications area.
Certificates Required – Web and CSG • A Certificate is required for the NFuse web site, ie https://citrix.company.com and also for the client to authenticate using SSL to the CSG server, using the FQDN of the CSG Server ie csg.company.com. • To generate a second certificate, follow the procedure discussed and instead of the ‘Default Web Site’, use the ‘Administration Site’ under IIS to generate the Certificate Request and accept the created Certificate. • There should be two certificates, plus a root certificate from the Certification Authority generated. • citrix.company.com (install under Default Web Site) • csg.company.com (install under Administration Site) • Root certificate
CSG/NFuse Server - Install NFuse • Run the executable to install NFuse on the CSG/NFuse Server.
CSG/NFuse Server - Install CSG • Run the installation routine. • Select the Certificate to use eg. csg.company.com. • Set the IP Address that CSG will listen to port 443 on. • Set the IP Address of the STA. • Other settings can be left as default.
Installing the CSG Service • Install the CSG Service - run the executable to install it on the CSG/NFuse Server.
Installing the STA Service • Run the executable to install the STA on the Metaframe Server.
Configuring NFuse using NFuse Admin • Graphical Administration Utility that edits nfuse.conf file where configuration settings are stored. • Default page http://[server]/Citrix/NFuseadmin. • Specify Metaframe Server Address, XML Port. • Configure for Citrix Secure Gateway here if required. • Control ICA Client deployment, and Java client. • Configure Server and Client side firewall settings.
NFuse Admin CSG Settings – MF Server • Specify the address of the Metaframe Server and the XML port.
NFuse Admin Settings - CSG • Check ‘Citrix Secure Gateway’.
NFuse Admin Settings - CSG • The FQDN of CSG server, ‘use alternate address of Metaframe servers’ checked (if using NAT), as well as address of the STA should be specified.
NFuse Classic 1.7 Login Page • Default Page is http://server/Citrix/NFuse17 • NFuse.conf file is an ‘ini’ file that controls NFuse – edit using NFuse Admin or manually. • NFuse.conf is located under c:\Program Files\Citrix\NFuse\conf directory. • Can be customised – use a html editor eg FrontPage and edit the login.asp file.
Default page for ‘citrix.company.com’ • Rather than change your web server document root, create a file ‘default.asp’ and save under c:\inetpub\wwwroot directory. • Edit this file and add the line of code below: <% Response.Redirect “/Citrix/Nfuse17/” %>