
Access Gateway Advanced Edition Administrator’s Guide

Citrix® Access Gateway™ 4.5


Citrix Access Suite™
Copyright and Trademark Notice
Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. Copies of the End
User License Agreement are included in the Documentation folder of the product CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious
unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2003-2006 Citrix Systems, Inc. All rights reserved.
Citrix, Citrix Presentation Server, Citrix Access Gateway, ICA (Independent Computing Architecture), Access Suite, Citrix Program
Neighborhood, and SmoothRoaming are registered trademarks or trademarks of Citrix Systems, Inc. in the United States and other
countries.
RSA Encryption © 1996-1997 RSA Security Inc., All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other
countries.
Apple, Mac, Mac OS, and Macintosh are registered trademarks or trademarks of Apple Computer Inc.
Flash and Shockwave are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries.
Java is a registered trademark of Sun Microsystems, Inc. in the U.S. and other countries.
Microsoft, MS-DOS, Windows, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory and Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Lotus, Domino, Notes, and iNotes are trademarks of International Business Machines Corporation in the United States, other countries, or
both.
Mozilla and Firefox are trademarks or registered trademarks of the Mozilla Foundation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.
Secure Computing and SafeWord are registered trademarks of Secure Computing Corporation.
McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries.
Norton AntiVirus, Norton Personal Firewall, Symantec, Symantec AntiVirus Solution, and Symantec Desktop Firewall are registered
trademarks or trademarks of Symantec Corporation in the US and/or other countries.
OfficeScan, Trend Micro, and Trend Micro Incorporated are trademarks of Trend Micro in the US and/or other countries.
ZoneAlarm and Zone Labs are trademarks or registered trademarks of Zone Labs LLC in the United States and other countries.
All other trademarks and registered trademarks are the property of their owners.
Document code: September 19, 2006 (JB)
Contents

Chapter 1 Welcome
Access Gateway Advanced Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Smart Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
SmoothRoaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Secure by Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
New Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Chapter 2 Getting Information and Help


Accessing Product Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Getting Service and Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Subscription Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Knowledge Center Watches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Education and Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Customizing the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Chapter 3 Planning Your Access Strategy


Step 1: Evaluating Corporate Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Step 2: Performing a Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Step 3: Developing Your Access Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Securing Access and Resources with Policies . . . . . . . . . . . . . . . . . . . . . . . . . .26
Planning for Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Traversing Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Protecting Sensitive Corporate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Evaluating Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
One-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Advanced Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Planning for High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

Considering Users’ Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Chapter 4 Licensing the Advanced Edition


Installing Citrix Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Getting More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Obtaining Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Determining the Licenses Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Licensing Grace Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Mixed Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Specifying the License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Adding Shortcuts to the License Management Console . . . . . . . . . . . . . . . . . . . . .37

Chapter 5 Installing Advanced Access Control


Planning Your Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Pre-Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Post-Installation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Server Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Network Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Account Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Microsoft SQL Server User Account Requirements . . . . . . . . . . . . . . . . . . . . .44
Service Account Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Using Security Templates with the Service Account . . . . . . . . . . . . . . . . . . . . .45
Database Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Access Gateway Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Feature Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
HTML Preview Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Live Edit Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Email Synchronization Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Web Email Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Using Microsoft Windows 2003 Server Web Edition for Web Email . . . . . . .52
Endpoint Analysis Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Authentication Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Citrix Presentation Server Integration Requirements . . . . . . . . . . . . . . . . . . . .54
Requirements for Bypassing the Web Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Third Party Portal Integration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Web Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Live Edit Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60

Endpoint Analysis Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61


Secure Access Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Console Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Installing Advanced Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Uninstalling Advanced Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Chapter 6 Configuring Advanced Access Control


Supported Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Access Gateway Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Advanced Access Control Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Double-Hop DMZ Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Changing the Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Configuring Your Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Server Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Steps to Configuring A Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Creating or Joining an Access Server Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Selecting a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Specifying an Existing Database Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Specifying a License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Selecting a Web Site Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Securing Web Site Traffic with SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Finishing Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Enabling Advanced Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Using the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Installing the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Users and Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Deploying the Console to Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
The Access Management Console User Interface . . . . . . . . . . . . . . . . . . . . . . .82
Starting the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Finding Items in Your Deployment Using Discovery . . . . . . . . . . . . . . . . . . . .83
Customizing Your Displays Using My Views . . . . . . . . . . . . . . . . . . . . . . . . . .84
Configuring Your Farm with the Getting Started Panel . . . . . . . . . . . . . . . . . . . . .84
Linking to Citrix Presentation Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Specifying Server Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configuring Load Balance or Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Configuring Address Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Configuring Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Configuring the Access Gateway Address Mode. . . . . . . . . . . . . . . . . . . . . . . .88
Associating Access Platform Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Configuring Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89


Renaming Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Logging on through the Logon Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Updating Logon Page Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Changing Expired Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Setting the Default Logon Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Removing Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Configuring Split Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Configuring Accessible Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Forwarding System Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configuring Client Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Configuring Server Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configuring ICA Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Configuring Authentication with Citrix Presentation Server. . . . . . . . . . . . . . . . .100

Chapter 7 Securing User Connections


Configuring Advanced Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring RADIUS and LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . .102
Creating RADIUS Authentication Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Creating LDAP Authentication Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Assigning Authentication Profiles to Logon Points . . . . . . . . . . . . . . . . . . . . .105
Setting Authentication Credentials for Logon Points . . . . . . . . . . . . . . . . . . .106
Configuring RSA SecurID Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Configuring SafeWord Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Configuring Advanced Authentication with SafeWord . . . . . . . . . . . . . . . . . .111
Configuring Authentication with SafeWord Only . . . . . . . . . . . . . . . . . . . . . .111
Configuring RADIUS with SafeWord . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Configuring Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Configuring the Access Gateway for Trusted Authentication . . . . . . . . . . . .115
Configuring Advanced Access Control for Trusted Authentication . . . . . . . .116

Chapter 8 Adding Resources


Creating Network Resources for VPN Access. . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Using the Entire Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Defining Resources to Avoid Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Creating Web Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Including Related Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Configuring Sites Secured with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Web Resources that Keep Sessions Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . .124


Enabling Pass-Through Authentication for Web Resources . . . . . . . . . . . . . . . . .124
Configuring Sites with Form-Based Authentication . . . . . . . . . . . . . . . . . . . .125
Creating File Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Using Dynamic System Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Active Directory Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Creating Resource Groups to Ease Policy Administration . . . . . . . . . . . . . . . . . .129
Integrating Resource Lists in Third-Party Portals . . . . . . . . . . . . . . . . . . . . . . . . .130

Chapter 9 Controlling Access Through Policies


Controlling User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Integrating Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Pooling Resources By Access Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Designing Policies From User Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Differentiating Access Control and Publishing . . . . . . . . . . . . . . . . . . . . . . . .134
Creating Access Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Naming Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Configuring Policy Settings to Control User Actions . . . . . . . . . . . . . . . . . . . . . .137
Allowing Access to Standard Web Content . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Allowing File Type Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Allowing HTML Preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Allowing Email Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Allowing Live Edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Allowing Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Setting Conditions for Showing the Logon Page. . . . . . . . . . . . . . . . . . . . . . . . . .141
Bypassing URL Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Considerations about URL Rewriting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Limitations of Browser-Only Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Creating Connection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Creating Policies for Presentation Server Connections . . . . . . . . . . . . . . . . . .148
Prioritizing Connection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Creating Policy Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Creating Custom Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Creating Continuous Scan Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Granting Access to the Entire Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Reviewing Policy Information with Policy Manager . . . . . . . . . . . . . . . . . . . . . .155

Chapter 10 Integrating Citrix Presentation Server


Linking from Advanced Access Control to Citrix Presentation Server . . . . . . . .158

Integrating Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158


Displaying Multiple Sites and Caching Credentials. . . . . . . . . . . . . . . . . . . . .160
Coordinating Advanced Access Control and Web Interface Settings . . . . . . .162
Configuring File Type Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Integrating Third-Party Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163

Chapter 11 Verifying Requirements on Client Devices


Creating Endpoint Analysis Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Using Scan Outputs to Filter Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Using Scan Outputs to Filter Logon Page Visibility . . . . . . . . . . . . . . . . . . . .168
Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Adding Rules to Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Using Scan Outputs in Other Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Editing Conditions and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Editing the Available Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Using Data Sets in Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Creating Data Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Adding Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Grouping Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Adding Language Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Scripting and Scheduling Scan Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Updating Property Values in Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Updating Data Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Creating Continuous Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

Chapter 12 Providing Secure Access to Corporate Email


Choosing an Email Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Providing Access to Published Email Applications. . . . . . . . . . . . . . . . . . . . . . . .183
Providing Users with Secure Web-Based Email . . . . . . . . . . . . . . . . . . . . . . . . . .184
Enabling Access to Web-Based Email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Integrating Web-Based Email Access with a Third-Party Portal . . . . . . . . . . . . .187
Providing Users with Secure Access to Email Accounts. . . . . . . . . . . . . . . . . . . .188
Enabling Users to Attach Files to Web-Based Email . . . . . . . . . . . . . . . . . . . . . .190
Restricting File Attachment Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Enabling Access to Email on Small Form Factor Devices . . . . . . . . . . . . . . . . . .192
Updating the Mapisvc.inf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193

Chapter 13 Rolling Out Advanced Access Control to Users


Developing a Client Software Deployment Strategy. . . . . . . . . . . . . . . . . . . . . . .195
Determining Responsibility for Installing Client Software . . . . . . . . . . . . . . .196
Supported Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Determining Which Clients to Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Managing Client Software Using the Access Client Package . . . . . . . . . . . . . . . .200
Client Software Available for the Access Client Package . . . . . . . . . . . . . . . .201
Creating a Client Distribution Package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Distributing and Installing Your Client Software Package . . . . . . . . . . . . . . .201
Posting Client Software to a Share Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Downloading Client Software on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Ensuring a Smooth Logon Experience with the Secure Access Client . . . . . . . . .205
Modifying the Logon Point Redirect URL . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Modifying Browser Delay Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Modifying Ticket Lifetime Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Ensuring a Smooth Rollout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Providing Logon Information to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Browser Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Customizing Browser Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Customizing the Logon Error Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211

Chapter 14 Managing Your Access Gateway Environment


Managing Access Server Farms Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Controlling Access by Multiple Consoles . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Using Groups in Policy Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Securing the Access Management Console Using COM+ . . . . . . . . . . . . . . . . . .215
Restarting COM+ Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Adding and Removing Farms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Adding and Removing Gateway Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Changing Service Account and Database Credentials. . . . . . . . . . . . . . . . . . . . . .218
Modifying Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Removing Servers from the Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Maintaining Availability of the Access Server Farm. . . . . . . . . . . . . . . . . . . . . . .220
Exporting and Importing Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . .220
Monitoring Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

Chapter 15 Auditing Access to Corporate Resources


Configuring Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Interpreting Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229

Troubleshooting User Access to Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230


Performing Audit Log Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230

Appendix A Glossary

Appendix B Scan Properties Reference


Antivirus Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Citrix Scans for McAfee VirusScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Citrix Scans for McAfee VirusScan Enterprise . . . . . . . . . . . . . . . . . . . . . . . .240
Citrix Scans for Norton AntiVirus Personal . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Citrix Scans for Symantec AntiVirus Enterprise . . . . . . . . . . . . . . . . . . . . . . .242
Citrix Scans for Trend OfficeScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Citrix Scans for Windows Security Center Antivirus . . . . . . . . . . . . . . . . . . .244
Browser Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Citrix Scans for Browser Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Citrix Scans for Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Citrix Scans for Internet Explorer Update . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Citrix Scans for Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Citrix Scans for Netscape Navigator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Firewall Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Citrix Scans for McAfee Desktop Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Citrix Scans for McAfee Personal Firewall Plus . . . . . . . . . . . . . . . . . . . . . . .249
Citrix Scans for Microsoft Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . .250
Citrix Scans for Norton Personal Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Citrix Scans for Windows Security Center Firewall . . . . . . . . . . . . . . . . . . . .251
Citrix Scans for ZoneAlarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Citrix Scans for ZoneAlarm Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Machine Identification Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Citrix Scans for Domain Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Citrix Scans for MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Miscellaneous Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Citrix Bandwidth Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Operating System Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Citrix Scans for Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Citrix Scans for Microsoft Windows Service Pack . . . . . . . . . . . . . . . . . . . . .256
Citrix Scans for Microsoft Windows Update . . . . . . . . . . . . . . . . . . . . . . . . . .257
CHAPTER 1

Welcome

Citrix Access Gateway is a universal SSL VPN appliance that provides a secure,
always-on, single point-of-access to all applications and protocols. It has all of
the advantages of IPSec and SSL VPNs, without their costly and cumbersome
implementation and management. With the Advanced Edition, Access Gateway
finely controls both the resources users can access and what actions they can
perform, facilitating regulatory compliance. Access Gateway delivers the best
access experience for everyone: secure access to corporate data for the business,
easy access for users, and easy administration and management for IT.

Access Gateway Advanced Edition


The Advanced Edition expands your Access Gateway environment with
Advanced Access Control software, which provides your users with the following
standard features.

SmartAccess
SmartAccess analyzes the access scenario and then delivers the appropriate level
of access without compromising security. Depending on who and where users are
and what device and network they are using, users are granted different levels of
access, such as the ability to preview, but not edit, documents.
Advanced Access Control provides SmartAccess through two key phases—sense
and respond. In the sensing phase of SmartAccess, the system analyzes the users’
access scenario and then responds with an appropriate level of access. “Granted”
or “denied” are no longer the only answers to an access attempt because
organizations not only control which resources users get access to based on their
access scenario, but how they can use these resources when they gain access.
For example, a user at an airport kiosk could be allowed to only preview or read
email attachments and files but would not be allowed to download, edit, or print
these files. However, that same user working from home may be granted full
download, editing, and printing capabilities. In addition, Advanced Access
Control integrates seamlessly with Citrix Presentation Server to give
organizations this same level of granular control over published applications.
12 Access Gateway Advanced Edition Administrator’s Guide

SmoothRoaming
Advanced Access Control supports SmoothRoaming technology by ensuring that
as users move between devices, networks, and locations, the appropriate level of
access is configured automatically for each new access scenario.

Secure by Design
Advanced Access Control provides users with access that is inherently secure by
design, protecting both the security of company information and the integrity of
the network.
SmartAccess, SmoothRoaming, and Secure by Design technologies work
together by combining the following features:
• Integrated endpoint security. Provides continuous real-time monitoring to
ensure that the device is safe to connect and remain connected to the
network. Endpoint analysis further evaluates the integrity of connecting
devices and allows you to tailor the level of access you grant in policies
according to analysis results.
• VPN connectivity. Network resources enable direct SSL virtual private
network (VPN) connectivity to servers, services, and networks within the
corporate LAN.
• Action controls. Allow administrators to set policies that allow or deny
viewing, editing, and saving documents depending on the user’s identity,
device, location, and connection.
• Mobile device awareness. Re-factors email and file interfaces for personal
digital assistants (PDAs) and small form factor devices.
• Browser-only access. Provides access with any Web browser on any
device to Web sites, files, and email. You can automatically render
Microsoft Office documents for HTML Preview.
• Secure access to Web-based email and files. Provides access to corporate
email securely over the Internet through a Web-based user interface.
Allows users to securely access Microsoft Outlook and Lotus Notes in real
time and synchronize information for offline use. Enables access to
corporate network file shares securely over the Internet through a Web-
based user interface.
• Advanced Presentation Server integration. You can use endpoint
analysis and client location to control which published applications are
available to the user. This feature extends SmartAccess to Presentation
Server, including the use of Advanced Access Control filters to control
local client drive mapping, clipboard operations, and local printer mapping.

• Multilingual support. Provides full server and client support for Japanese,
German, French, and Spanish.
• Standards-based encryption. Uses industry-standard SSL encryption to
provide secure access to corporate resources.
• Common management platform. Provides a unified framework
containing client and server configuration, licensing, monitoring, and
reporting tools for administrative simplicity, business visibility, and
corporate security.

New Features
This release provides the following new features and enhancements.
• Support for UPN and Alternate UPN credentials. Users who log on to
internal networks with credentials specified in User Principal Name (UPN)
or Alternate UPN format can log on to the Access Gateway and seamlessly
access corporate resources such as published Web sites, file shares, and
Web email.
• Enhanced access to Citrix Presentation Server published applications.
Citrix Presentation Server published applications are accessible as Access
Platform sites from within the Access Interface, allowing users to quickly
access and launch published applications. You can enable up to three
Access Platform sites to display applications from multiple Presentation
Server farms.
• Support for third-party load balancers. In addition to its internal load
balancing capabilities, Access Gateway Advanced Edition supports
configurations that include third-party load balancers such as Citrix
NetScaler. In the event an Advanced Access Control server in a farm
becomes unavailable, users are routed automatically to another Advanced
Access Control server.
• Enhanced access to documents hosted on SharePoint sites. Microsoft
SharePoint sites that are accessed through the Web proxy retain many of the
menu-driven features users need to work with files, such as Delete, Edit
Properties, and Alert Me.
• Support for double-hop DMZ deployments. Organizations can provide
an extra layer of security for their internal resources by deploying Access
Gateway appliances in a two-stage DMZ configuration.
• Policies dynamically determine best resource delivery method. You can
configure policies to determine the best method for accessing resources
based on users’ connection bandwidth. Using the Citrix Bandwidth
endpoint analysis scan, the connection bandwidth is calculated and the
result is used to determine whether resources such as published applications
are streamed or delivered to the user through an ICA session.

New Name
Access Gateway Advanced Edition is the new name for the products formerly
known as Access Gateway with Advanced Access Control, Access Gateway
Enterprise, and MetaFrame Secure Access Manager.
CHAPTER 2

Getting Information and Help

The topics in this section describe how to get more information about the product
and how to contact Citrix.
• “Accessing Product Documentation” on page 15
• “Getting Service and Support” on page 18
• “Education and Training” on page 19
• “Customizing the Software” on page 19

Accessing Product Documentation


Your product documentation includes PDF guides, online documentation, known
issue information, integrated on-screen assistance, and application help.
• User documentation is provided through the online help system and Adobe
Portable Document Format (PDF) files. Guides correspond to different
features. For example, information for administrators is contained in the
Access Gateway Standard Edition Administrator’s Guide. Guides are stored
in the \Documentation folder on the Server CD. Installation places
documentation files in the
C:\Program Files\Citrix\Access Gateway\Documentation\lang directory. In
these examples, lang refers to the language, such as en for English, de for
German, and so on.

Note: Online guides are provided as Adobe Portable Document Format
(PDF) files. To view, search, and print the PDF documentation, you need to
have Adobe Acrobat Reader 5.0.5 with Search or Adobe Reader 6.0
through 7.0. You can download these products for free from the Adobe
Systems Web site at http://www.adobe.com/.

• In many places in the user interface, integrated on-screen assistance is
available to help you complete tasks. For example, in the Access
Management Console, you can position your mouse over a setting to
display help text that explains how to use that control.
• Online help is available in many components such as the console. You can
access the online help from the Help menu or Help button.
The following documentation is included with your software:
• The Readme files on the Server CD provide the latest information about
functionality, known issues, and documentation changes. Be sure to read
these documents for important information before you install the product or
its components.
• This manual, the Access Gateway Advanced Edition Administrator’s Guide,
provides conceptual information and procedures for system administrators
who plan, design, pilot, or deploy the software. It provides information
about features, installation and setup, and access server farm maintenance.
• Access Gateway Advanced Edition Upgrade Guide provides procedures for
system administrators upgrading from an earlier release. It provides
information about how to back up your access server farm’s data, upgrade
server components, and migrate data and license information.
• Getting Started with Citrix Licensing Guide and the licensing Readme file
provide conceptual and procedural information about deploying,
maintaining, and using licensing for Citrix products.
Additional gateway appliance documentation available from the Access
Gateway’s Administration Portal includes Getting Started with Citrix Access
Gateway Standard Edition, Access Gateway Standard Edition Pre-Installation
Checklist, Access Gateway Standard Edition Administrator's Guide, and a
Readme file.
To provide feedback about the documentation, go to www.citrix.com and click
Support > Knowledge Center > Product Documentation. To access the
feedback form, click the Submit Documentation Feedback link.

Document Conventions
This documentation uses the following typographic conventions for menus,
commands, keyboard keys, and items in the program interface:

Convention        Meaning
Boldface          Commands, names of interface items such as text boxes, option buttons, and user input.
Italics           Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.
%SystemRoot%      The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.
Monospace         Text displayed in a text file.
{ braces }        A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]      Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar)  A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
… (ellipsis)      You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional device names separated by commas.

Command-Line Conventions
Some components run from a DOS command line interface. If you are not
familiar with DOS command lines, note that:
• Slashes and hyphens in a command line are important and must be entered
exactly as described in the instructions.
• The spacing on the command line is important and must be followed
exactly as described in the instructions.
• Help is available for DOS-based programs by entering the command name
followed by a forward slash and a question mark, for example:
C:>sessmon/?

Getting Service and Support


Citrix provides technical support primarily through the Citrix Solution Advisors
(CSA) Program. Our CSA partners are trained and authorized to provide a high
level of support to our customers. Contact your supplier for first-line support or
check for your nearest CSA partner at http://www.citrix.com/support/.
In addition to the CSA program, Citrix offers a variety of self-service, Web-based
technical support tools that include the following:
• The Citrix Knowledge Center, an interactive tool containing thousands of
technical solutions to support your Citrix environment
• Support forums, where you can participate in technical discussions and
search for previous responses from other forum members
• Software downloads, for access to the latest service packs, hotfixes, and
utilities
• Downloadable clients, available at http://www.citrix.com/download/
Another source of support, Citrix Preferred Support Services, provides a range of
options that allow you to customize the level and type of support for your
organization’s Citrix products.

Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage
program. The Citrix Subscription Advantage program gives you an easy way to
stay current with the latest software versions and information for your Citrix
products. Not only do you get automatic access to download the latest feature
releases and software upgrades and enhancements that become available during
the term of your membership, you also get priority access to important Citrix
technology information.
You can find more information on the Citrix Web site at http://www.citrix.com/
services/ (select Subscription Advantage). You can also contact your Citrix sales
representative, Citrix Customer Care, or a member of the Citrix Solutions
Advisors program for more information.

Knowledge Center Watches


The Citrix Knowledge Center allows you to configure watches. A watch notifies
you if the topic you are interested in was updated. Watches allow you to stay
notified of updates to Knowledge Base or Forum content. You can set watches on
product categories, document types, individual documents, and on Forum product
categories and individual topics.
To set up a watch, log on to the Citrix Support Web site at
http://support.citrix.com. After you are logged on, in the upper right corner, click
My Watches and follow the instructions.

Education and Training


Citrix offers a variety of instructor-led training and Web-based training solutions.
Instructor-led courses are offered through Citrix Authorized Learning Centers
(CALCs). CALCs provide high-quality classroom learning using professional
courseware developed by Citrix. Many of these courses lead to certification.
Web-based training courses are available through CALCs, resellers, and from the
Citrix Web site.
Information about programs and courseware for Citrix training and certification is
available from http://www.citrix.com/edu/.

Customizing the Software


The Citrix Developer Network (CDN) is an open-enrollment membership
program that provides access to developer toolkits, technical information, and test
programs. Software and hardware vendors, system integrators, ICA licensees, and
corporate IT developers who incorporate Citrix computing solutions into their
products can access CDN at http://apps.citrix.com/cdn/.
Some operations can be scripted with a Citrix Software Development Kit (SDK).
The Endpoint Analysis SDK that is included with your software supports
customization of endpoint analysis and is located on the Server CD in the
\Setup\EndpointAnalysisSDK folder.
CHAPTER 3

Planning Your Access Strategy

Before you install Advanced Access Control, you should evaluate your
infrastructure and collect the information necessary to develop an access strategy
that meets the specific needs of your corporation. When planning an access
strategy, follow the general steps below.
“Step 1: Evaluating Corporate Infrastructure” on page 21
“Step 2: Performing a Risk Analysis” on page 25
“Step 3: Developing Your Access Strategy” on page 25
Each of these steps is discussed in detail in the following sections. Consider
documenting your findings throughout this process to assist you in designing and
scoping the overall effort of the project, determining a realistic timeline for
implementation, and setting benchmarks against which to measure your overall
progress.

Step 1: Evaluating Corporate Infrastructure


Corporate infrastructure includes all of the hardware components comprising
your company’s network such as client devices, servers, load balancers, firewalls,
and so on. In addition, include the resources for which you want to provide access
such as applications, services, and data in your assessment. The most common
types of corporate infrastructure include:
• Web applications such as a corporate intranet, Web-based email
application, and so on
• Corporate data such as databases, documents, presentations, spreadsheets,
and so on
• Servers such as Exchange or Notes/Domino servers, Web servers, database
servers, and so on
You can use Advanced Access Control to secure and control users’ access to all
their resources on the corporate network. The following diagrams show three
traffic routes (VPN, browser, or Presentation Server ICA) you can provide and
combine to satisfy a wide variety of remote access needs.

Virtual private network traffic: (diagram; not reproduced in this text)

Web browser traffic: (diagram; not reproduced in this text)

Presentation Server traffic: (diagram; not reproduced in this text)

After you identify the elements within your corporate infrastructure, you can
perform a risk analysis and then develop a strategy for providing the appropriate
level of access to these resources.

Note: Advanced Access Control includes built-in load balancing support.
Therefore, you do not need to deploy a load balancer to manage requests made to
Advanced Access Control servers.

Step 2: Performing a Risk Analysis


In the context of access control, vulnerabilities represent the possibility of
unauthorized users gaining access to corporate resources. There are various
methods of deriving risk, usually based on a combination of likelihood and
consequence information. For example, when providing users with access to a
specific corporate resource, how likely is a particular threat and what damage
could be done if that threat is realized?
The key elements to consider when determining the risks associated with
providing access to a corporate resource include the type of resource accessed,
the sensitivity of the data included in that resource, and the environment from
which the resource is accessed. Because both the likelihood of a threat and the
damage it would cause are subjective judgments, risk is difficult to quantify.
However, the goal of risk analysis is to ensure that your Advanced Access Control
policies enable users to access corporate resources at an acceptable risk level.
For example, consider the benefits of enabling users to access confidential data
compared with the possibility that this data is accidentally revealed to
unauthorized users. If your analysis reveals the risk is too great, you can create
policies that further restrict access to this data and, as a result, minimize the risk
associated with providing access to this data.

Step 3: Developing Your Access Strategy


After you collect information about your corporate infrastructure, identify the
corporate resources for which you want to provide access, and perform a risk
analysis, you are ready to develop your access strategy. This process includes
determining how to integrate Advanced Access Control into your existing
network.

Securing Access and Resources with Policies


Policies extend the security of your network by controlling which resources users
can access and what actions users can perform on those resources. Before
creating policies, consider:
• Resources. Identify the resources for which you want to provide access.
Use the results of your risk analysis to assist you in this process.
• Users. Associate policies with the appropriate users.
• Access scenarios. Develop policies to support the scenarios in which users
access corporate resources. A scenario is defined by the logon point used to
access the network, endpoint analysis scan results, authentication type, or a
combination thereof. For example, determine if users can access their email
over the Internet using a corporate laptop.
In addition, determine the actions users can perform when they gain access.
For example, you can specify whether users can modify documents using a
published application, preview a document as an HTML file, and so on.
For a detailed explanation about how to incorporate policies into your access
strategy, see “Controlling Access Through Policies” on page 131.
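The three policy inputs listed above (the resource, the users a policy is associated with, and the access scenario made up of logon point, endpoint analysis results and authentication type) together with the airport-kiosk versus home-office case from Chapter 1 can be modelled in a few lines. The following Python is an added example written for this guide, not code from the guide or from Advanced Access Control itself; the Policy and AccessScenario classes, the scan names (antivirus_running, domain_member), the logon point names, the group names and the user records are all constructed assumptions.

```python
"""Added example: resolving a user's level of access to a resource from
policies that match the access scenario (logon point, authentication type,
endpoint analysis results). The data model is hypothetical and is not
Advanced Access Control's own policy format."""
from dataclasses import dataclass, field

# Action controls that a policy can grant on a resource.
PREVIEW, DOWNLOAD, EDIT, PRINT = "preview", "download", "edit", "print"


@dataclass
class AccessScenario:
    """What the gateway senses about one access attempt (constructed)."""
    user: str
    groups: frozenset            # group memberships resolved at logon
    logon_point: str             # which logon point the user came through
    auth_type: str               # e.g. "password" or "securid"
    scans: dict = field(default_factory=dict)   # endpoint analysis results


@dataclass
class Policy:
    """Grants `actions` on `resource` when every stated condition holds.
    An empty frozenset means 'no restriction' for that condition."""
    name: str
    resource: str
    actions: frozenset
    groups: frozenset = frozenset()
    logon_points: frozenset = frozenset()
    auth_types: frozenset = frozenset()
    required_scans: dict = field(default_factory=dict)  # scan name -> value

    def applies(self, s: AccessScenario) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.logon_points and s.logon_point not in self.logon_points:
            return False
        if self.auth_types and s.auth_type not in self.auth_types:
            return False
        # A scan that did not run (missing key) counts as a failed requirement.
        return all(s.scans.get(name) == want
                   for name, want in self.required_scans.items())


def resolve_actions(resource: str, scenario: AccessScenario, policies) -> set:
    """Respond phase: the union of actions from every matching policy.
    No matching policy means default deny (an empty set)."""
    granted = set()
    for p in policies:
        if p.resource == resource and p.applies(scenario):
            granted |= p.actions
    return granted


# Constructed policies for the kiosk / home-office example in the text.
POLICIES = [
    Policy("Email preview from anywhere", "email", frozenset({PREVIEW}),
           groups=frozenset({"Employees"})),
    Policy("Email full access from a trusted device", "email",
           frozenset({DOWNLOAD, EDIT, PRINT}),
           groups=frozenset({"Employees"}),
           logon_points=frozenset({"Corporate"}),
           auth_types=frozenset({"securid"}),
           required_scans={"antivirus_running": True, "domain_member": True}),
]

# Constructed access scenarios (hypothetical users, logon points and scans).
KIOSK = AccessScenario("alice", frozenset({"Employees"}), "Kiosk", "password",
                       {"antivirus_running": False})
HOME = AccessScenario("alice", frozenset({"Employees"}), "Corporate", "securid",
                      {"antivirus_running": True, "domain_member": True})
HOME_NO_AV = AccessScenario("alice", frozenset({"Employees"}), "Corporate",
                            "securid", {"antivirus_running": False,
                                        "domain_member": True})
CONTRACTOR = AccessScenario("bob", frozenset({"Contractors"}), "Corporate",
                            "securid", {"antivirus_running": True,
                                        "domain_member": True})

if __name__ == "__main__":
    for label, sc in [("kiosk", KIOSK), ("home", HOME),
                      ("home, AV stopped", HOME_NO_AV),
                      ("contractor", CONTRACTOR)]:
        print(f"{label:18} -> {sorted(resolve_actions('email', sc, POLICIES))}")
```

Default deny falls out of the union: a scenario that matches no policy gets an empty set, and a policy with more conditions only adds actions, so a stopped antivirus process costs the user the download, edit and print actions rather than all access to email.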

Planning for Client Requirements


Advanced Access Control includes two methods of verifying information on the
client device. Continuous scans verify required files, processes, or registry entries
on client devices connecting to your network. These scans run repeatedly during
the user session to ensure that the client device continues to meet your
requirements. You can incorporate continuous scans into connection policies so
that if a required file, process, or registry scan ceases to be verified, the
connection is disconnected.
Endpoint analysis scans detect information about a client device, such as the
operating system version and service pack level. The scans run when a user tries
to connect through a logon point. However, unlike continuous scans, endpoint
analysis scans run only once per session. You can incorporate scan results into
access policies, allowing you to base access to your networks and resources on
the information you gather about the client device. For example, you can prohibit
access to your corporate network by employees working from a home
workstation unless the workstation is running a required version of antivirus
software.
For more information about incorporating continuous and endpoint analysis scans
into your access strategy, see “Verifying Requirements on Client Devices” on
page 165.
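To make the difference in lifetime between the two mechanisms concrete, here is an added Python simulation of one session (not code from the guide or from the Endpoint Analysis SDK): endpoint analysis runs once against the device state seen at logon and feeds an access policy, while the continuous scan is re-evaluated at every interval and a connection policy disconnects the session on the first failure. The device snapshots, the av.exe process name, the definitions file path and the service pack threshold are all constructed assumptions.

```python
"""Added example: lifetime of endpoint analysis (once per session) versus a
continuous scan (every interval), simulated over constructed device snapshots.
Not Advanced Access Control's own scan packages or data structures."""


def endpoint_analysis(snapshot: dict, min_service_pack: int) -> dict:
    """Run once, when the user connects through the logon point."""
    return {
        "os": snapshot["os"],
        "service_pack": snapshot["service_pack"],
        "meets_service_pack": snapshot["service_pack"] >= min_service_pack,
    }


def continuous_scan(snapshot: dict, required_process: str,
                    required_file: str) -> bool:
    """One interval of a continuous scan: is the required state still present?"""
    return (required_process in snapshot["processes"]
            and required_file in snapshot["files"])


def run_session(snapshots, min_service_pack=2, required_process="av.exe",
                required_file=r"C:\av\definitions.dat") -> dict:
    """Simulate a session over a sequence of device snapshots, one per scan
    interval. Returns whether logon was granted and, if the continuous scan
    later failed, the interval at which the session was disconnected."""
    # Access policy: endpoint analysis result gathered once, at logon.
    logon = endpoint_analysis(snapshots[0], min_service_pack)
    if not logon["meets_service_pack"]:
        return {"logon": "denied", "endpoint": logon, "disconnected_at": None}

    # Connection policy: the continuous scan is re-checked at every interval.
    for interval, snap in enumerate(snapshots):
        if not continuous_scan(snap, required_process, required_file):
            return {"logon": "granted", "endpoint": logon,
                    "disconnected_at": interval}

    # The endpoint facts recorded at logon are never refreshed mid-session.
    return {"logon": "granted", "endpoint": logon, "disconnected_at": None}


# Constructed device snapshots (hypothetical process and file names).
HEALTHY = {"os": "Windows XP", "service_pack": 2,
           "processes": {"explorer.exe", "av.exe"},
           "files": {r"C:\av\definitions.dat"}}
AV_STOPPED = {**HEALTHY, "processes": {"explorer.exe"}}
OLD_SP = {**HEALTHY, "service_pack": 1}

# Session in which the antivirus process is killed during the third interval.
KILLED_MID_SESSION = [HEALTHY, HEALTHY, AV_STOPPED, HEALTHY]

if __name__ == "__main__":
    print(run_session(KILLED_MID_SESSION))   # disconnected at interval 2
    print(run_session([OLD_SP, HEALTHY]))    # denied at logon
    print(run_session([HEALTHY] * 3))        # stays connected
```

Note that the device recovering in the fourth snapshot does not help: once the connection policy has disconnected the session, the user must log on again, at which point endpoint analysis runs afresh.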

Traversing Firewalls
Access Gateway eases firewall traversal and provides a secure Internet gateway
between Advanced Access Control servers and client devices. Scenarios in which
firewalls are commonly used include:
• Demilitarized zones (DMZs). In this scenario, firewalls are used to create
one-stage or two-stage DMZs to protect the corporate network from
Internet traffic. This deployment requires users external to the network to
traverse firewalls protecting the corporate network before gaining access to
corporate resources.
• Enclaves. In this scenario, firewalls limit traffic between specific segments
of the network. For example, hospital administrators may segment their
LAN so that access to sensitive information such as patient records is
accessible only from specific enclaves within the network.
• Perimeter of access server farm. In this scenario, firewalls secure
Advanced Access Control servers from threats within the corporate LAN
by forming a secure perimeter around the access server farm. This
deployment ensures that the access server farm is not directly accessible to
users.
Corporations often implement a combination of the above deployments to protect
against different types of threats. See the Access Gateway Standard Edition
Administrator’s Guide for more information about supported Access Gateway
deployment scenarios.

Protecting Sensitive Corporate Data


Sensitive data, often referred to as intellectual property, is any information,
application, or service considered proprietary to the corporation. Examples of
intellectual property include financial documents, customer data, employee
records, and so on. The sensitivity of data is based on the assessment of impact if
there is a loss of data confidentiality or integrity. When assessing the sensitivity
of data, consider:
• Regulatory requirements. More stringent privacy laws impose new levels
of confidentiality on several business sectors including health care,
insurance, and finance. In addition, the global environment necessitates an
awareness of regulations in any state or country in which your corporation
performs business.
• Legal ramifications. Determine if there are any legal implications related
to the exposure of proprietary data; specifically, whether another party
could take legal action against your corporation due to the exposure of
confidential information to unauthorized users.
• Competitive impact. Determine if the loss of information results in your
corporation’s inability to remain competitive. For example, consider a
scenario in which your company’s “secret recipe” is made available to your
competitors.
• Corporate reputation. Determine the impact to your corporation’s
reputation if certain proprietary information is made available to
unauthorized users. For example, consider a scenario in which your
customers’ credit card information is accessed by unauthorized users. In
addition to possible legal action, customers may lose faith in your
company’s ability to maintain their privacy and, as a result, choose to stop
using your services.
The goal of intellectual property control is to prevent the exposure of sensitive
corporate data. Using Advanced Access Control, you can protect intellectual
property through the use of the following policy-based access control features:
• HTML Preview. You can configure Microsoft Office files such as Word
and Excel so that they display as HTML files instead of their native file
format. This allows users to view but not modify the document. In addition,
the risks associated with temporary files are mitigated as the HTML files
are removed from the client device’s cache when the user terminates the
session. Therefore, no sensitive data is accidentally left on the client device
after users log off.
• Citrix Presentation Server integration. You can configure files to open
within a published application instead of a local application on a client
device. This increases the protection of intellectual property because
proprietary data remains within the protected corporate network at all
times.
In addition, you can share Advanced Access Control policy information
with Citrix Presentation Server to selectively enable functionality for a
specific published application session such as client drive mapping and
local printing. For more information about filters, see “Controlling Access
Through Policies” on page 131.

Evaluating Authentication Types


Authentication is the process of determining whether users are, in fact, who they
declare to be. Advanced Access Control supports one-factor and advanced
authentication. Each authentication option is described in the following sections.

One-Factor Authentication
One-factor authentication is based on something users know such as a PIN,
password, or pass phrase. When implementing one-factor authentication, users
authenticate to Advanced Access Control by entering their user name and
password when they log on. Users are assumed to be valid because they enter the
correct credentials.
The advantages of using one-factor authentication include:
• Advanced Access Control supports standard Windows- and LDAP-based
one-factor authentication. Therefore, no additional effort or implementation
costs are associated with this authentication method.
• Passwords are easily revocable and replaceable in the event that they are
compromised.
• All users are familiar with user names and passwords.
The disadvantages of using one-factor authentication include:
• Passwords are highly susceptible to “social engineering” attacks where
users unknowingly provide their passwords to unauthorized users.
• Users can share passwords and as a result, it is not possible to rely on a
password to ensure that the authentication is genuine. In addition, after
sharing passwords for a particular purpose, users often forget to change
their passwords. This allows multiple users to authenticate using the same
set of credentials.

Advanced Authentication
Advanced authentication combines something a user knows with a second piece
of information. The second piece of information can be something the user has,
such as a hardware token, or something a user knows, such as an additional
password. Advanced Access Control integrates with RSA Security SecurID,
Secure Computing SafeWord, and RADIUS to support advanced authentication.
The advantages of advanced authentication include:
• It increases your overall confidence in the authentication process. Whether
it is an additional password or a one-time passcode generated from a
hardware token, requiring users to provide an additional piece of
information greatly mitigates authentication-related risks. For example, if a
user’s main password is compromised, an attacker must obtain the user’s
RADIUS password or hardware token to access the network.
• Token-based solutions provide an additional benefit in that users cannot
record their authentication information for later use. This ensures that users
adhere to the basic password protection best practice of not saving
proprietary authentication information in electronic or paper format.
The disadvantages of advanced authentication include:
• Implementation costs are significant. In addition to the software required to
validate advanced authentication information, token-based solutions also
require the purchase of hardware tokens.
• Tokens can be lost, stolen, or forgotten.
Consider the advantages and disadvantages of one-factor and advanced
authentication. For some corporations, one-factor authentication provides a
sufficient level of security. However, if your corporation requires additional
security, an advanced authentication solution may be more appropriate.

Planning for High Availability


Advanced Access Control includes built-in load balancing support. In addition,
Advanced Access Control servers support industry-standard server clustering
applications and techniques to ensure high availability and maximum business
continuity. When planning your Advanced Access Control deployment, consider
implementing one or more of the following solutions:
• Database backups. Back up your Advanced Access Control SQL database
to recover from a variety of problems including database storage failures,
application errors, and user errors. In addition, backups are often critical
when recovering from catastrophic disasters such as hurricanes, fires,
floods, and so on.
• Hardware redundancy. Prevent downtime due to hardware failures by
detecting a failing component before it actually fails and bypassing a failure
when it does occur. To achieve hardware redundancy, ensure your hardware
meets the minimum requirements as specified in “Server Requirements” on
page 41. In addition, determine if redundancy is needed in the following
areas:
• Switches and routers transporting Advanced Access Control traffic
• Network cards on Advanced Access Control servers
• Database servers
• Server redundancy. Each Advanced Access Control server within an
access server farm is configured for the HTML Preview server role by
default. Therefore, each server you add to your farm acts as a redundant
server to minimize downtime in the event of a server failure. If you do not
want all servers in your farm assigned to this role, deploy one or more
servers for each Advanced Access Control server with this role enabled.
For more information about assigning the HTML Preview server role, see
“Modifying Server Roles” on page 219.
• Database redundancy. A SQL database server stores all of Advanced
Access Control’s data. Therefore, to ensure that this data is always
available to users, consider one or more of the high availability strategies:
• Clustering
• Log shipping
• Network load balancing to switch SQL servers
• Stretch clustering
For more information about the above high availability solutions, refer to
your SQL documentation.

Considering Users’ Needs


When planning your access strategy, consider the needs of your users. This
analysis helps you determine the type of access users need to perform effectively.
Consider the following issues:
• Productivity. Create policies that provide the appropriate level of access
for users to remain efficient and productive.
• Access to resources. Evaluate which resources users need to access such as
email, Web applications, published applications, file shares, and so on.
• User interface. Determine the default user interface you want users to see
when they log on. Advanced Access Control includes the Access Interface,
a Web page that displays a user’s available corporate resources and email.
In addition, you can configure any Web application such as a Citrix Access
Platform site or a third-party portal as the default user interface.
• Working offline. Consider whether users periodically access the network
to synchronize data and work offline. For example, users who travel often
could benefit from securely accessing their email in real-time and
synchronizing data to their client device. This allows these employees to
remain productive because they can continue to work even while
disconnected from the network.
• Client devices. Advanced Access Control supports a range of client
devices. Therefore, evaluate the hardware and software profile of your
client devices including form factor, operating system, browser, and so on
to ensure the client devices in your environment meet the minimum
requirements of Advanced Access Control. For additional information
about client device requirements, see “Client Requirements” on page 58.
• Browser-only access. Determine if users need to access network file
shares, Web email, and internal Web sites from “locked down” client
devices that do not permit the downloading of any client software. In this
scenario, a Web browser is the only client software needed to access the
corporate network.

Note: Not all Web applications support browser-only access. For more
information, see “Limitations of Browser-Only Access” on page 145.
CHAPTER 4

Licensing the Advanced Edition

Citrix Licensing limits the number of concurrent user sessions to the number of
licenses purchased. If you purchase 100 licenses, you can have 100 concurrent
user sessions at any time. When a user ends a session, the license is released for
the next user. A user who connects from more than one computer at the same time
uses a license for each session.
The licensing process includes the following steps:
• “Installing Citrix Licensing” on page 33 (optional if you already have
Citrix Licensing)
• “Obtaining Licenses” on page 34
• “Specifying the License Server” on page 36
• “Adding Shortcuts to the License Management Console” on page 37
(optional)

Installing Citrix Licensing


Access Gateway Advanced Edition requires access to at least one shared or
dedicated license server running Citrix Licensing. If your product portfolio
already includes other Citrix products, you may already have a license server
available to store and manage your user licenses. If so, you can skip this step and
proceed to obtain your license files.

Note: The Access Gateway Standard Edition uses a license server on the
gateway appliance and does not require a dedicated Citrix license server. You
must use a dedicated license server for the Advanced Edition. If you upgrade
from the Standard Edition and do not already have a Citrix license server, you
need to install one.

You can install and configure Citrix Licensing before, during, or after you install
Access Gateway Advanced Edition.
To install Citrix Licensing, follow the procedures in the Getting Started with
Citrix Licensing Guide, available from:
• The Citrix Knowledge Center (http://support.citrix.com/)
• The Documentation folder on the product CD
• Start > All Programs or Programs > Citrix > Access Gateway >
Documentation on a server running Access Gateway Advanced Edition
Because licensing is a crucial part of your product installation, Citrix strongly
recommends that you read the licensing guide before installing Citrix Licensing.

Getting More Information


In addition to the Getting Started with Citrix Licensing Guide, you can find a
series of articles designed to provide you with more detailed information for tasks
that extend beyond the scope of installing your licensing components. These
articles are listed in Chapter 3 of the guide and are found in the Citrix Knowledge
Center (http://support.citrix.com/).

Obtaining Licenses
If you have not already done so, you must obtain license files to download and
copy to your license server. License files contain the licenses that you allocated
for a specified license server. You obtain these files from the Licensing area of the
MyCitrix Web site (http://www.mycitrix.com/).
Before downloading a license file, be prepared with the case-sensitive name of
the license server that will store the license file and the number of licenses you
want to allocate to that server.
Further details about the information to have ready and the steps for downloading
license files are provided in the Getting Started with Citrix Licensing Guide,
available on the product CD, from the Start menu of a server running the Access
Gateway Advanced Edition, or the Support area of the Citrix Web site
(http://support.citrix.com).

Determining the Licenses Required


Users connecting through the Access Gateway Advanced Edition occupy two
licenses—one for the gateway appliance and one for the Advanced Access
Control server. Therefore, ensure that you have an adequate number of both
Access Gateway and Access Gateway Advanced Edition user licenses to support
your deployment.
Both types of licenses can be bundled together into a single license file for
copying to the license server.
Note that each server occupies one of the Access Gateway Advanced Edition
concurrent user licenses. When tallying the number of licenses you need, include
one for each server.

Licensing Grace Period


A 96-hour grace period goes into effect at installation if you point your Access
Gateway Advanced Edition server to a license server with no product licenses
installed. A grace period of 30 days goes into effect if communication with a
license server is lost after having contacted the license server successfully at least
once.
During the grace period, user sessions are not disconnected. However, new user
sessions cannot be connected. If the grace period runs out before communication
is established with a license server with the appropriate licenses, all active user
sessions are disconnected.

Mixed Environments
For environments with a mixture of deployments (in other words, Access
Gateway Standard Edition deployments and Advanced Edition deployments),
you can allocate the desired number of licenses among the different deployments
when you generate your license files.

To allocate new or migrated licenses

1. Log on to MyCitrix (http://www.mycitrix.com).
2. Choose Licensing > Fulfillment > Fulfill Eligible Products, choose the
licensing program type of your license, and follow the on-screen
instructions to select licenses. A Product Fulfillment Certificate verifies
license conversion and presents the resulting license codes.
After you generate new license codes, you must allocate licenses into license files
that you copy to the license server. Allocating licenses lets you choose the
number of licenses to include in a license file; you can allocate all or some of
your available licenses at a time. The license file is a digitally signed, text-only
file that contains product licenses and information needed by the license server.

To download license files

1. From MyCitrix (http://www.mycitrix.com), choose Licensing > Citrix
Activation System > Activate or Allocate Licenses.
2. Follow the on-screen allocation instructions. Note that the License Server
Name is case-sensitive.
3. Download the license file.
By default, the Citrix Activation System saves files to the last location used by
the Save As control. License files have the extension .lic. In the event you cannot
locate the downloaded license file, search your computer for files with an .lic
extension.

Note: If you have trouble downloading license files, contact Citrix Customer
Care.

To copy licenses to the license server

1. In the License Management Console, navigate to the License Files page of
the Configuration tab.
2. On the License Files page, click Copy license file to License Server,
browse to your license file, and copy it to the license server.
3. Ensure that the license server recognizes the new file by performing one of
the following actions.
• In the License Management Console, from the Welcome page, click
Configure License Server, followed by Update license data.
• If you are not using the License Management Console, you must
initiate a reread of the file. At a command prompt, navigate to
C:\Program Files\CitrixLicensing\LS\ and type the following
command:
lmreread -c @localhost
After the license server recognizes the file, your Citrix products can be
launched.

Important: Do not edit license files without understanding their format. You
can unintentionally corrupt them and render the licensing system unusable.

Specifying the License Server


All computers in an access server farm must communicate with the same license
server. You can specify the license server during initial installation through the
Server Configuration Utility, or specify it later through the farm node of the
Access Management Console.
To specify a license server

1. From the console tree, select the server farm node and choose Define
license server under Other Tasks.
2. Configure the following settings:
A. Host name. Type the name of the license server.
B. License server port number. This is the port number the product
uses to communicate with the license server. Unless you must
perform configurations to accommodate a firewall or the default port
is already in use, Citrix recommends you leave the port at its default
setting.

Adding Shortcuts to the License Management Console


The License Management Console snap-in allows you to create a shortcut to one
or more license servers. You have the option of installing the snap-in when you
install the product or can add it later from the product CD. Use the shortcut to run
the License Management Console remotely and administer licensing for your
farm.

To create a shortcut to the license servers in your environment

1. From the console tree, click the Licensing node.
2. Under Common Tasks, click Add shortcut to license server.
3. For Server name, type the DNS name or IP address of the license server
for your farm.
CHAPTER 5

Installing Advanced Access Control

The installation of Advanced Access Control varies depending on your
deployment scenario. You can install the logical server components on a single
physical server or distribute components across multiple servers.
The topics in this section provide the following information:
• “Planning Your Installation” on page 39
• “Server Requirements” on page 41
• “Network Requirements” on page 43
• “Feature Requirements” on page 46
• “Authentication Software Requirements” on page 53
• “Citrix Presentation Server Integration Requirements” on page 54
• “Client Requirements” on page 58
• “Console Requirements” on page 62
• “Installation Overview” on page 62
• “Installing Advanced Access Control” on page 63

Planning Your Installation


As part of your access strategy, you must also plan for the installation of the
Access Gateway Advanced Edition components and the requirements for the
features you want to implement. This section provides an overview of the tasks
you must perform before and after you install the Advanced Access Control
software.

Pre-Installation Tasks
Many of the features of Access Gateway Advanced Edition require that certain
components are installed or settings are configured before you install the
Advanced Access Control software.
The following table provides an overview of these prerequisites to help you plan
your installation. References to additional information about each component or
feature are included.

Component or feature: Access Gateway appliance
Required task: Install appliance(s)
Additional information: Access Gateway Standard Edition Pre-Installation
Checklist; Access Gateway Standard Edition Administrator’s Guide

Component or feature: Advanced Access Control server
Required tasks:
• Ensure the server meets all hardware and software requirements: a
supported version of Microsoft Windows, Windows Installer 3.0 or 3.1, .NET
Framework 2.0, and MDAC 2.7 or 2.8 (see “System Requirements” on page 42)
• Set Web services extensions: ASP.NET (Allowed), Active Server Pages
(Allowed), FrontPage Server Extensions (Prohibited), WebDAV (Prohibited)
(see “System Requirements” on page 42)
• Ensure network configuration meets requirements (see “Network
Requirements” on page 43)
• Ensure service account meets requirements (see “Service Account
Requirements” on page 44)

Component or feature: Database server
Required tasks:
• Install database server and create user account (see “Microsoft SQL Server
User Account Requirements” on page 44 and “Database Requirements” on
page 46)
• Restart the server if installing on the Advanced Access Control server (see
“Installing Advanced Access Control” on page 63)

Component or feature: License server
Required task: Install Citrix License Server on the Advanced Access Control
server or a separate server
Additional information: Getting Started with Citrix Licensing Guide

Component or feature: HTML Preview
Required task: Install Microsoft Office (without Outlook) on the Advanced
Access Control server
Additional information: “HTML Preview Requirements” on page 46

Component or feature: Web email
Required tasks:
• Install Microsoft Exchange System Management Tools and Microsoft Exchange
Administrator 5.5 on the Advanced Access Control server (see “Installing the
Microsoft Exchange System Management Tools and Administrator Software” on
page 51)
• Update the mapisvc.inf file on the Advanced Access Control server (see
“Default Email Interface Requirements” on page 51)

Component or feature: RADIUS authentication
Required task: Install Visual J# .NET 2.0
Additional information: “RADIUS Requirements” on page 53

Component or feature: RSA SecurID authentication
Required task: Install RSA ACE/Agent for Windows
Additional information: “SecurID Requirements” on page 54

Component or feature: Secure Computing SafeWord
Required task: Install SafeWord Agent
Additional information: “SafeWord Requirements” on page 54

Component or feature: Access Management Console
Required task: If installing on a standalone workstation, ensure required
software is installed
Additional information: “Console Requirements” on page 62

Post-Installation Tasks
The following table provides an overview of tasks you perform immediately after
installing the Advanced Access Control software. References to additional
information about each component or feature are included.

Component or feature: Access Gateway appliance
Required task: Configure communication with Advanced Access Control server(s)
Additional information: “Enabling Advanced Access Control” on page 80

Component or feature: HTML Preview
Required task: To display PDF files, install and configure conversion software
Additional information: “HTML Preview Requirements” on page 46

Server Requirements
Before proceeding with software installation, verify that the servers you are using
meet the hardware and software requirements for Advanced Access Control.

Important: To ensure that installation of Advanced Access Control progresses
smoothly, use servers that are not configured as domain controllers. During
installation, Advanced Access Control adds a service account to the local
Administrators group that is not present on a domain controller. If you attempt to
install Advanced Access Control on a domain controller, the service account
cannot be added and the installation will fail.
System Requirements
• PC with a 550 MHz processor
• 768 MB of physical memory
• 9 GB of available hard disk space
• Microsoft Windows 2000 Server Family with Service Pack 4, or Windows
Server 2003, Standard Edition, Web Edition, or Enterprise Edition with all
service packs and updates installed
• Internet Information Services (IIS) 5.0 or 6.0
• Microsoft Windows Installer 3.0 or 3.1
• Microsoft .NET Framework 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh or 2.8

Important: You must install the Windows Installer (WindowsInstaller-
KB884016-v2-x86.exe), the .NET Framework, and MDAC 2.7 Refresh
(mdac_typ.exe) before you install Advanced Access Control. The Windows
Installer, .NET Framework, and MDAC 2.7 Refresh executable files are located
on the Advanced Access Control Server CD-ROM.

To set Web services extensions

Before installing Advanced Access Control, you must ensure the following Web
services extensions are set appropriately in the Internet Information Services (IIS)
Manager:

Extension name: ASP.NET
Required for Advanced Access Control installations? Yes
Status in IIS Manager: Allowed

Extension name: Active Server Pages
Required for Advanced Access Control installations? Yes
Status in IIS Manager: Allowed

Extension name: FrontPage Server Extensions
Required for Advanced Access Control installations? No. Must be prohibited for
the Web proxy to function properly.
Status in IIS Manager: Prohibited

Extension name: WebDAV
Required for Advanced Access Control installations? No. Must be prohibited for
Outlook Web Access (OWA) to display the contents of users’ inboxes.
Status in IIS Manager: Prohibited

1. Click Start > Programs or All Programs > Administrative Tools >
Internet Information Services (IIS) Manager.
2. Expand the local computer node and then select Web Services Extensions.
3. Make the following selections as required:
• Select ASP.NET and click Allow.
• Select Active Server Pages and click Allow.
• Select FrontPage Server Extensions and click Prohibit.
• Select WebDAV and click Prohibit.
You may need to register ASP.NET if you installed the .NET Framework before
installing IIS. To register ASP.NET, locate aspnet_regiis.exe and then type
aspnet_regiis.exe -i from a command prompt.
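The same four settings can be applied from a script on each server in the farm, which is easier to repeat and to review than clicking through IIS Manager. The following PowerShell script is an added example and is not part of this guide or of the Citrix software. It assumes the IIS 6.0 administration script iisext.vbs in %SystemRoot%\system32, the .NET Framework 2.0 in its default directory, and the extension IDs ASP, FPSE, WEBDAV and "ASP.NET v2.0.50727"; those IDs are an assumption to confirm against the output of iisext.vbs /ListExt on your own server.

```powershell
# Added example (not Citrix code): apply and list the IIS 6.0 Web service
# extension settings required by Advanced Access Control.
# Assumptions: iisext.vbs (IIS 6.0 admin script) in %SystemRoot%\system32,
# .NET Framework 2.0 in the default path, and the extension IDs below.
# Confirm the IDs on your server with: cscript iisext.vbs /ListExt

$iisext = Join-Path $env:SystemRoot 'system32\iisext.vbs'
$aspnet = Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

# Desired state from the table above. $true = Allowed, $false = Prohibited.
# Keys are IIS extension group IDs (assumed; verify with /ListExt).
$desired = @{
    'ASP.NET v2.0.50727' = $true    # ASP.NET
    'ASP'                = $true    # Active Server Pages
    'FPSE'               = $false   # FrontPage Server Extensions (breaks the Web proxy if allowed)
    'WEBDAV'             = $false   # WebDAV (breaks OWA inbox display if allowed)
}

# Register ASP.NET 2.0 with IIS and add it to the extension list; needed when
# the .NET Framework was installed before IIS (the aspnet_regiis -i step above).
& $aspnet -i -enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe returned $LASTEXITCODE" }

foreach ($id in $desired.Keys) {
    if ($desired[$id]) { $action = '/EnExt' } else { $action = '/DisExt' }
    cscript //nologo $iisext $action $id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "iisext.vbs $action '$id' returned $LASTEXITCODE; check the ID with /ListExt"
    } else {
        "$id : $action"
    }
}

# Print the final extension list so the change can be reviewed and kept with
# the server's build record.
cscript //nologo $iisext /ListExt
```

Run the script in an elevated prompt on each Advanced Access Control server after IIS and the .NET Framework are installed and before running Advanced Access Control Setup. Prohibiting FrontPage Server Extensions and WebDAV is a hardening step as well as a functional one: both expose additional write paths into the Web server that the access server farm does not need.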

Network Requirements
Before installing Advanced Access Control, ensure that your network
configuration meets the following requirements:
• The computers or resources that users will access are connected to the
Advanced Access Control servers you will deploy
• The Advanced Access Control server is:
• A member of the domain to which users who authenticate to the
server belong
—Or—
• A member of a domain that trusts and is trusted by the domain(s) of
the authenticating users
• In a multi-domain environment, trust relationships have been established so
that users in all domains can authenticate and access resources
• To provide access to the Internet, a Domain Name System (DNS) host
record resolves to a public IP address for the Access Gateway appliance

Note: To configure Advanced Access Control successfully, the server must
belong to a domain. If the Advanced Access Control server is a member of a
workgroup and not a domain, the Server Configuration wizard does not run.
Account Requirements
This section describes the server accounts required to install Advanced Access
Control.

Microsoft SQL Server User Account Requirements
When creating an access server farm, Advanced Access Control requests an
account for access to SQL Server. The specified account must permit Advanced
Access Control to create a database for the access server farm and then connect to
the database.
To create the database during install, at a minimum, the account must be included
in the Database Creators server role on SQL Server. After Advanced Access
Control creates the database, the database user must be assigned the
db_datareader and db_datawriter permissions.
SQL Server 2000 supports Windows Authentication mode, which requires
Windows user accounts for access, and Mixed Mode, which accepts Windows
user accounts and SQL Server accounts.
When you first install Advanced Access Control and create an access server farm,
Setup creates a database with the same name as the access server farm. Setup
does not create additional databases when you add servers to an access server
farm.

Note: The database creation and access requirements in this section apply to
both SQL Server authentication and Windows authentication for database user
accounts.
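The requirements above describe a least-privilege database account: a server-level login in the dbcreator role before Setup, then only db_datareader and db_datawriter in the farm database afterwards, with no sysadmin membership at any point. The following PowerShell script is an added example, not part of this guide or of Citrix's software; it drives osql.exe (shipped with SQL Server 2000 and 2005) with T-SQL that works on both versions. It assumes a Windows login CORP\svc_aac, a SQL Server host SQL01, and an access server farm (and therefore database) named AccessFarm. For a SQL Server login under Mixed Mode, replace sp_grantlogin with sp_addlogin; the role assignments are identical, as the note above states.

```powershell
# Added example (not Citrix code): grant the Advanced Access Control SQL
# account only what the text requires, and fail loudly if it is a sysadmin.
# Assumptions: Windows login CORP\svc_aac, server SQL01, farm/database
# AccessFarm, osql.exe on the PATH, PowerShell 2.0 or later.

$server   = 'SQL01'          # assumed SQL Server host
$login    = 'CORP\svc_aac'   # assumed Windows account Setup will use
$database = 'AccessFarm'     # database name = access server farm name (see text)

# Phase 1: before running Setup. A login plus dbcreator is all Setup needs to
# create the farm database. RAISERROR (severity 16) makes osql -b exit non-zero
# if the account is a sysadmin, so the check cannot be missed.
$preSetup = @"
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = N'$login')
    EXEC sp_grantlogin N'$login'
EXEC sp_addsrvrolemember N'$login', 'dbcreator'
GO
IF IS_SRVROLEMEMBER('sysadmin', N'$login') = 1
    RAISERROR('%s is a sysadmin; remove it before running Setup', 16, 1, N'$login')
GO
"@

# Phase 2: after Setup has created the database named after the farm.
# Edge case: the login that created the database is already mapped to dbo
# there, and sp_grantdbaccess would fail for it; dbo already implies the
# reader/writer roles, so only a different database user needs them granted.
$postSetup = @"
USE [$database]
GO
IF EXISTS (SELECT 1 FROM sysusers WHERE name = 'dbo' AND sid = SUSER_SID(N'$login'))
    PRINT '$login owns $database (dbo); db_datareader and db_datawriter are implied'
ELSE
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sysusers WHERE sid = SUSER_SID(N'$login'))
        EXEC sp_grantdbaccess N'$login'
    EXEC sp_addrolemember 'db_datareader', N'$login'
    EXEC sp_addrolemember 'db_datawriter', N'$login'
END
GO
EXEC sp_helpuser
GO
"@

function Invoke-Sql([string]$Server, [string]$Batch) {
    # osql reads GO-separated batches from a file; -E authenticates with the
    # caller's Windows credentials, -b turns a failed batch into a non-zero exit.
    $file = [IO.Path]::GetTempFileName()
    Set-Content -Path $file -Value $Batch -Encoding Ascii
    try {
        osql -E -S $Server -b -i $file
        if ($LASTEXITCODE -ne 0) { throw "osql failed on $Server (exit code $LASTEXITCODE)" }
    } finally {
        Remove-Item $file
    }
}

Invoke-Sql $server $preSetup
# ... run Advanced Access Control Setup and create the access server farm, then:
Invoke-Sql $server $postSetup
```

Run phase 1 as a SQL Server administrator before Setup and phase 2 after the farm exists. The sp_helpuser output at the end is the record of what the account actually holds; if it shows db_owner on a farm database, that was granted by something other than this script and is worth questioning.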

Service Account Requirements


When you install Advanced Access Control and create a new access server farm,
the Server Configuration wizard prompts you for an account to use for
communicating with services and servers in the farm. This account is referred to
as the service account. You must specify an existing account to be the service
account. If you do not have a service account, create one prior to installing
Advanced Access Control. Valid service accounts meet the following
requirements:
• The service account must be a member of the local Administrators group on
every server in the farm.
• The service account must not be disabled and not subject to password
expiration or other credential changes. If the service account is removed,
the access server farm will not operate.
• The service account can be a local user account only if you are creating a
single-server access server farm and do not intend to scale the farm. You
cannot install Advanced Access Control on multiple servers with a local
user account selected for the service account. Citrix strongly recommends
using a domain account instead of a local user account when installing
Advanced Access Control.

Important: If you specify a local user account as the service account,
ensure the local user account also has database owner permissions for the
database Advanced Access Control creates during Setup. If the local user
account does not have database owner permissions, some features might
not be available to users.

• In an Active Directory environment, when specifying the service account
user name in User Principal Name (UPN) or Alternate UPN format, you
must enter the full domain name.
If necessary, you can change the service account after installing Advanced Access
Control. For more information about changing service account details, see
“Changing Service Account and Database Credentials” on page 218.

Note: If you are deploying Advanced Access Control in an environment where
the Restricted Group policy is used to control the membership to the local
Administrators group, ensure the user associated with the service account is in
one of the groups added by the Restricted Group policy. For additional
information, refer to the Resource Kit for Windows 2000 or Windows 2003.

Using Security Templates with the Service Account
Your corporate IT policy may require that security templates be applied to reduce
the attack surface area of your Windows servers. The Highly Secure security
template (HiSECWS.INF) removes the service account from the local
Administrators group when applied after installing Advanced Access Control.
After applying this security template, add the service account back to the local
Administrators group. Otherwise, Advanced Access Control will not function
correctly.
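The service account requirements above, and the way a security template such as HiSECWS.INF can silently undo one of them, are both easy to check from a script that runs after installation and again after any Group Policy or template change. The following PowerShell script is an added example and is not part of this guide or of the Citrix software. It assumes a domain service account CORP\svc_aac, farm servers named AAC01 and AAC02, and the WinNT ADSI provider that ships with Windows 2000 and 2003; the account, server names and the $Apply switch are assumptions to adjust.

```powershell
# Added example (not Citrix code): verify the service account prerequisites on
# every farm server and, optionally, put the account back into the local
# Administrators group after a security template has removed it.
# Assumptions: domain CORP, account svc_aac, servers AAC01/AAC02, PowerShell 2.0+.

$domain      = 'CORP'
$account     = 'svc_aac'
$farmServers = @('AAC01', 'AAC02')   # assumed access server farm members
$Apply       = $false                # $true to re-add the account where missing

# userAccountControl bits exposed by the WinNT provider (ADS_USER_FLAG enum)
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# 1. The account must exist, be enabled, and not be subject to password expiry.
$userPath = "WinNT://$domain/$account,user"
if (-not [ADSI]::Exists($userPath)) { throw "$domain\$account does not exist; the farm cannot operate" }
$user  = [ADSI]$userPath
$flags = [int]$user.UserFlags.Value
if ($flags -band $ADS_UF_ACCOUNTDISABLE) {
    Write-Warning "$domain\$account is disabled"
}
if (-not ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)) {
    Write-Warning "$domain\$account password can expire; the farm will stop when it does"
}

# 2. The account must be a member of local Administrators on every farm server.
foreach ($server in $farmServers) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; read its ADsPath, e.g. WinNT://CORP/svc_aac
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains "WinNT://$domain/$account") {
        "$server : OK, $domain\$account is a local Administrator"
    } elseif ($Apply) {
        # Same effect as: net localgroup Administrators CORP\svc_aac /add
        $group.psbase.Invoke('Add', $userPath)
        "$server : re-added $domain\$account to Administrators"
    } else {
        Write-Warning "$server : $domain\$account is NOT in Administrators (security template applied?); Advanced Access Control will not function until it is re-added"
    }
}
```

The membership check only looks at direct members, so if Restricted Groups policy places the service account in Administrators through a nested group, compare against that group's ADsPath instead. Keep $Apply at $false in scheduled runs: the warning is the point, and re-adding the account automatically would hide the fact that a template or policy is fighting the installation.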
Database Requirements
Access Gateway Advanced Edition supports the following database packages:
• Microsoft SQL Server 2005
• Microsoft SQL Server 2000 with Service Pack 4
• Microsoft SQL Server Express 2005

Note: If you install Microsoft SQL Server and you create a database before you
install Advanced Access Control, be sure to specify case-insensitive collation
when you create the database. This ensures the names you assign to resources
remain unique and prevents resources with duplicate names from being created.

Access Gateway Requirements


The Access Gateway appliance is a universal SSL VPN appliance that provides
users with controlled access to application and information resources. For
information about requirements for installing and using the Access Gateway
appliance, see the Getting Started with Citrix Access Gateway Standard Edition
guide.

Feature Requirements
You can use Advanced Access Control to allow users to view, upload, or
download Web-based resources using any client device that has a Web browser.
However, some features such as Live Edit use additional client software. Other
features require additional server software. This section provides information to
help you plan access to features depending on a feature’s client or server
requirements.

HTML Preview Requirements


HTML Preview enables users to view files such as Microsoft Office documents
or Adobe Acrobat PDF files in HTML.

Installing Microsoft Office for HTML Preview


To use HTML Preview to view Microsoft Office documents, the following
software must be installed on a Web server in your access server farm:
• Microsoft Word 2000, XP, or 2003
• Microsoft Excel 2000, XP, or 2003
• Microsoft PowerPoint 2000, XP, or 2003
• Microsoft Visio 2002 or 2003
If you install these programs after installing Advanced Access Control, you will
need to restart the Citrix Activation Engine Service.
If you use HTML Preview with Microsoft Office documents, be aware of the
following considerations:
• Microsoft Outlook must be excluded from the Office installation because it
interferes with Advanced Access Control’s Web email functions.
• All devices deploying HTML Preview content to users should have
adequate Microsoft Office licenses. For more information about licensing
requirements, refer to your Microsoft Office Licensing Agreement.
• If multiple servers are configured for HTML Preview, these servers must
have the same version of Microsoft Office installed. Otherwise, a document
viewed with HTML Preview may appear different to some users,
depending on the version of Office rendering the document.
For more information about using HTML Preview to provide access to
documents, see “Allowing HTML Preview” on page 139.

Using Macros with HTML Preview


When using HTML Preview to access Microsoft Office documents, it is possible
to run macros embedded within these documents. Viewing a document containing
macros could represent a security risk to your deployment because the macros
may run on the Advanced Access Control server within the context of the service
account.
Before implementing HTML Preview, evaluate each of the following strategies
for mitigating this potential risk:
• Set macro security in each Microsoft Office application according to your
organization’s network security policies
• Configure each Microsoft Office application to run in the context of a User
account with limited privileges

Important: These strategies do not provide protection against possible security
risks related to functional issues in Microsoft Office applications (for example,
Microsoft Word crashes when opening a document). As you evaluate these
strategies, consider Microsoft’s recommendations for server and application
security as well as your organization’s information security requirements.
To disable embedded macros in Microsoft Office

1. Launch the Microsoft Office application installed on the Advanced Access
Control server.
2. Set the macro security level to the highest level available for the version of
the Microsoft Office application you are running.
3. Disable trust for all installed add-ins and templates.
For more information about setting macro security for Microsoft Office
applications, refer to the Microsoft Office documentation or the Microsoft Office
Web site.

To configure Microsoft Office applications to run under a User account

This procedure involves automating Office applications using an unattended user
account. For more information about this approach and its accompanying
considerations, refer to Microsoft Knowledge Base article 288367, How to
configure Office applications to run under a specific user account.
1. Log on to the Advanced Access Control server as Administrator and create
a new User account.
2. Start the Office application you want to configure and press ALT+F11 to
load the Visual Basic for Applications (VBA) editor.
3. Close the application and the VBA editor.
4. Click Start > Run and type DCOMCNFG to open the Component
Services console.
5. From the DCOM Config node, locate the Office application you want to
configure. They are listed as follows:
• Microsoft Excel Application
• Microsoft PowerPoint Presentation
• Microsoft Word Document
6. Right-click the application and select Properties.
7. Click the Security tab and perform the following tasks:
A. Under Launch and Activation Permissions, select Customize and
then click Edit.
B. Add the User account you created and allow Local Launch and
Local Activation permissions. Ensure the SYSTEM,
INTERACTIVE and Everyone accounts are present.
C. Under Access Permissions, select Customize and then click Edit.
D. Add the User account you created and allow the Local Access
permission.
8. On the Identity tab, select This user and enter the credentials of the User
account you created.
9. Restart the server.
Repeat these steps for each Office application you want to configure. After you
restart the server, start the Task Manager and then start each application to verify
it is running under the new User account.
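Both mitigations above are only effective if they are actually in force for the identity that renders documents: the DCOM identity must be the limited user, and macro security is stored per user, so a level set while logged on as Administrator does nothing for that account. The following PowerShell script is an added example, not part of this guide or of the Citrix software, that performs the Task Manager check from step 9 programmatically and then reads the macro settings from the limited user's registry hive. It assumes the limited account CORP\officeuser and Office 2003 (registry version 11.0, values Level and DontTrustInstalledFiles under each application's Security key); those value names are an assumption for Office 2003 and differ in other versions.

```powershell
# Added example (not Citrix code): confirm Office runs as the limited DCOM
# identity and that that user's macro security is at the highest level.
# Assumptions: limited account CORP\officeuser, Office 2003 registry layout
# (HKU\<SID>\Software\Microsoft\Office\11.0\<App>\Security, Level=4 is
# "Very High", DontTrustInstalledFiles=1 means add-ins/templates untrusted).

$limitedDomain = 'CORP'
$limitedUser   = 'officeuser'
$officeExes    = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'

# 1. Process owner check, equivalent to the Task Manager "User Name" column.
#    Win32_Process.GetOwner() returns the account a process is running as.
foreach ($exe in $officeExes) {
    $procs = @(Get-WmiObject Win32_Process -Filter "Name='$exe'")
    if ($procs.Count -eq 0) { "$exe : not running (trigger an HTML Preview first)"; continue }
    foreach ($p in $procs) {
        $owner = $p.GetOwner()
        $who   = "$($owner.Domain)\$($owner.User)"
        if ($owner.User -eq $limitedUser) {
            "$exe (PID $($p.ProcessId)) runs as $who : OK"
        } else {
            Write-Warning "$exe (PID $($p.ProcessId)) runs as $who, not $limitedUser; macros would run with that account's rights. Check the DCOM Identity tab."
        }
    }
}

# 2. Macro security for the limited user, read from its hive under HKEY_USERS.
#    The hive is present while Office is running as that user; if it is not
#    loaded, the settings have never been applied for that identity.
$sid = (New-Object System.Security.Principal.NTAccount("$limitedDomain\$limitedUser")).
       Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Office\11.0\$app\Security"
    if (-not (Test-Path $key)) {
        Write-Warning "$app : no Security key in the $limitedUser hive (hive not loaded, or macro security never set for this user)"
        continue
    }
    $v = Get-ItemProperty $key
    if ($v.Level -ne 4 -or $v.DontTrustInstalledFiles -ne 1) {
        Write-Warning "$app : Level=$($v.Level) DontTrustInstalledFiles=$($v.DontTrustInstalledFiles); expected 4 and 1 for $limitedUser"
    } else {
        "$app : macro security Very High and installed add-ins not trusted : OK"
    }
}
```

The second check is the one most often missed: the procedure "To disable embedded macros in Microsoft Office" has to be performed while logged on as the DCOM identity (or its hive has to be loaded and edited), otherwise the administrator's own settings are what gets changed. Treat a warning from either check as the server being in the state the Important note above warns about, where a document's macro runs with whatever rights the rendering process has.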

Using HTML Preview with PDF Documents


If you want to use HTML Preview with PDF documents, you must install on the
Advanced Access Control server software that converts the PDF file to HTML.
For more information about configuring Advanced Access Control to view PDF
files, see the Citrix Knowledge Center article CTX107543: Customizing HTML
Preview in Advanced Access Control located on the Citrix Web site.

Live Edit Requirements


Live Edit is a convenient way for users to work remotely with files such as Word
documents and Excel spreadsheets using a Web browser.
To use Live Edit, users must have the following software installed on their
computers:
• Microsoft Internet Explorer 6.0 SP1
• Live Edit Client ActiveX control
• An appropriate Microsoft Office editing application such as:
  • Microsoft Word 2000, XP, or 2003
  • Microsoft Excel 2000, XP, or 2003
  • Microsoft PowerPoint 2000, XP, or 2003
  • Microsoft Visio 2002 or 2003

Note: After installing any Microsoft Office applications, run the application for
the first time before using Live Edit. This ensures that any post-installation tasks
are completed and allows the Live Edit Client to display documents for editing
without delay.
For information about requirements for running the Live Edit Client, see “Client
Requirements” on page 58. For more information about using Live Edit to
provide access to documents, see “Allowing Live Edit” on page 140.

Email Synchronization Requirements


Email synchronization allows users to synchronize their email folders on their
client devices with their folders on Microsoft Exchange or Lotus Notes/Domino
servers to prepare for working offline.
Email synchronization requires the following components:
• Microsoft Outlook 2000, XP, or 2003; or Lotus Notes R5, R6, or R7
installed on the client device
• Secure Access Client installed on the client device
• An email server running Microsoft Exchange or Lotus Notes/Domino
For more information about requirements for the Secure Access Client, see
“Client Requirements” on page 58. For more information about email
synchronization, see “Providing Users with Secure Access to Email Accounts” on
page 188.

Web Email Requirements


You can provide users with access to corporate email resources using Web email.
Using the included default email interface, users can access their email accounts
from a workstation or a handheld device with only a Web browser. This interface
functions only with email servers using Microsoft Exchange.
Advanced Access Control also supports using Outlook Web Access, Lotus
iNotes/Domino Web Access, or other Web email interfaces. Outlook Web Access
and iNotes do not operate on handheld devices such as PDAs.
The following table lists the components required for each supported Web email
platform.
                        Advanced Access Control          Outlook Web Access               iNotes/Domino Web Access
                        Web Email
Required Email Server   Microsoft Exchange Server,       Microsoft Exchange Server,       IBM Lotus Domino Server,
                        Versions 2000 or 2003 with all   Versions 2000 or 2003 with all   Versions R6 or R7
                        service packs and critical       service packs and critical
                        updates installed                updates installed
Required Server         Microsoft Exchange System        Microsoft Exchange System        N/A
Administration Tools    Management Tools                 Management Tools
                        Microsoft Exchange 5.5           Microsoft Exchange 5.5
                        Administrator                    Administrator
Supported Web Browsers  Internet Explorer 6.0 SP1        Internet Explorer 6.0 SP1        Internet Explorer 6.0 SP1
                        Safari 1.1 and 1.3
                        Netscape Navigator 8.0
                        Mozilla Firefox 1.0

Default Email Interface Requirements


If you are using Microsoft Exchange 2000 and you want to use the default Email
Interface, you must install Microsoft Exchange System Management Tools and
then update the mapisvc.inf file on the Advanced Access Control server. For
more information, see “Updating the Mapisvc.inf File” on page 193.

Installing the Microsoft Exchange System Management Tools and Administrator Software

Microsoft Exchange System Management Tools and Microsoft Exchange 5.5
Administrator supply the MAPI components that are required for Web email
functionality. These tools are supported on the following operating systems:
• Microsoft Windows 2000 Server Family with Service Pack 3 or 4
• Windows Server 2003, Standard Edition or Enterprise Edition
When using these tools, it is important that you:
• Install Microsoft Exchange System Management Tools and Microsoft
Exchange 5.5 Administrator on the server before installing Advanced
Access Control or other software such as Microsoft Office. This ensures the
required Messaging Application Programming Interface (MAPI)
components are installed correctly.
• Install the versions of Microsoft Exchange System Management Tools and
Microsoft Exchange 5.5 Administrator that are included with the version of
Microsoft Exchange you are using. If they do not match, Web email may
not function correctly.
• Ensure the WebDAV Web service extension is set to “Prohibit” if you use
Outlook Web Access for your Web-based email interface. If this extension
is set to “Allowed,” users’ inboxes may not display correctly.
For information about configuring Web email, see “Providing Users with Secure
Web-Based Email” on page 184.

Using Microsoft Windows 2003 Server Web Edition for Web Email

If you are using Microsoft Windows Server 2003 Web Edition and you have
Microsoft Exchange 2003 in your environment, you cannot install Microsoft
Exchange System Management Tools or Microsoft Exchange 5.5 Administrator.
Instead, copy the MAPI components to the %SystemRoot%/system32 directory
of the Advanced Access Control server.

To install the MAPI components on a server running Microsoft Windows 2003 Server Web Edition

1. On the server running Microsoft Exchange 2003, copy the following files:
• mapi32.dll
• mapisvc.inf
2. On the Advanced Access Control server, paste the files to the
%SystemRoot%/system32 directory.

User Profile Access Requirements


Advanced Access Control stores MAPI user profiles in the Temp folder located in
the Advanced Access Control installation directory. Users configured for Web
email must have read/write access to this folder. Before installing Advanced
Access Control, you must add the users to the Users group on all Advanced
Access Control servers. The installation process grants the Users group read/write
access to the Temp folder.
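As an added check that is not part of the Citrix guide, the following Windows PowerShell function reads the ACL on the Temp folder and reports whether the Users group holds the read/write access the installer is supposed to grant; this is the first thing to verify when Web email users get MAPI profile errors. The installation directory in $aacRoot is a placeholder, not a path from the guide; substitute your server's path.

```powershell
# Added example (not from the Citrix guide): confirm that the Users group has
# read/write access on the MAPI profile folder that Advanced Access Control uses.
$aacRoot    = 'C:\Program Files\Citrix\Advanced Access Control'   # placeholder: your installation directory
$tempFolder = Join-Path $aacRoot 'Temp'

function Test-UsersReadWriteAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder not found: $Path"
        return $false
    }
    # Reading, writing and creating files in the folder is the minimum a MAPI profile needs
    $needed = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData'
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isUsers = $ace.IdentityReference.Value -match '\\Users$'      # BUILTIN\Users
        $allows  = $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        if ($isUsers -and $allows -and (($ace.FileSystemRights -band $needed) -eq $needed)) {
            return $true
        }
    }
    return $false
}

if (Test-UsersReadWriteAccess -Path $tempFolder) {
    "Users group has read/write on $tempFolder"
} else {
    "Users group lacks read/write on $tempFolder; a missing grant or a Deny entry will break Web email profiles"
    (Get-Acl -LiteralPath $tempFolder -ErrorAction SilentlyContinue).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

The function only looks for an Allow entry; when it reports success but users still fail, inspect the full listing it prints for a Deny entry on the same group, since Deny entries win regardless of order.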

Endpoint Analysis Requirements


You can configure endpoint analysis scans to be run on client devices to check
them for protective measures, such as operating system patches and antivirus
software, before users access resources.
Endpoint analysis scans require the Endpoint Analysis Client that can be installed
as an ActiveX control, a plug-in for Netscape Navigator or Firefox, or as a
Windows 32-bit application. To download and install the ActiveX control, users
must be members of the Administrators or Power Users group of the client
device.
Important: If the Endpoint Analysis Client is not installed on a client system,
the user can access only those resources for which a scan is not required.

For information about requirements for running the Endpoint Analysis Client, see
“Client Requirements” on page 58. For more information about configuring
endpoint analysis scans, see “Creating Endpoint Analysis Scans” on page 166.

Authentication Software Requirements


Advanced Access Control supports using the following authentication methods to
strengthen the security of your deployment:
• Microsoft Active Directory
• Lightweight Directory Access Protocol (LDAP)
• Remote Authentication Dial-In User Service (RADIUS)
• RSA SecurID 5.2 or 6.0
• Secure Computing SafeWord PremierAccess and SafeWord for Citrix

LDAP Requirements
To use LDAP with Access Gateway Advanced Edition, you must have an LDAP-
compliant directory service in your environment such as Microsoft Active
Directory, Novell eDirectory, or IBM Directory Server.

Important: User credentials specified in User Principal Name (UPN) or
Alternate UPN formats are not supported when using LDAP as an authentication
method.

RADIUS Requirements
To use RADIUS with Access Gateway Advanced Edition, you must install the
Microsoft Visual J# .NET Version 2.0 executable file (vjredist.exe) on the server
running Advanced Access Control before you install the Advanced Access
Control software. This executable file is located in the JSharp20 folder on the
Advanced Access Control Server CD-ROM.

Important: User credentials specified in User Principal Name (UPN) or
Alternate UPN formats are not supported when using RADIUS as an
authentication method.
For more information about using RADIUS with logon points, see “Creating
RADIUS Authentication Profiles” on page 102.

Supported RADIUS Authentication Protocols


Access Gateway Advanced Edition supports implementations of RADIUS that
are configured to use the Password Authentication Protocol (PAP) for user
authentication. Other authentication protocols such as the Challenge-Handshake
Authentication Protocol (CHAP) are not supported.
For more information about configuring RADIUS authentication, see “Creating
LDAP Authentication Profiles” on page 104.

SecurID Requirements
To use SecurID authentication with Access Gateway Advanced Edition, install
the RSA ACE/Agent for Windows software before installing the Advanced
Access Control software. If you install Advanced Access Control before you
install the ACE/Agent, SecurID authentication does not function correctly.
For information about requirements for installing RSA SecurID, refer to the RSA
product documentation.

SafeWord Requirements
To use SafeWord authentication with Access Gateway Advanced Edition:
• Obtain the latest version of the SafeWord Agent from Secure Computing
• Install the SafeWord Agent software on the server before installing the
Advanced Access Control software
For information about requirements for installing SafeWord PremierAccess and
SafeWord for Citrix, refer to the Secure Computing documentation for these
products.

Citrix Presentation Server Integration Requirements

To access resources published with Citrix Presentation Server using file type
association or Web Interface, users must have a Citrix Presentation Server Client
on their client device.
Advanced Access Control supports integration with the following versions of
Citrix Presentation Server:
• Citrix Presentation Server 4.0
• MetaFrame Presentation Server 3.0
• MetaFrame XP 1.0 Feature Release 3 with Service Pack 4
• MetaFrame for UNIX 4.0

Note: Advanced Access Control supports application policies that are applied
using Citrix Presentation Server Version 4.0 and above. While Advanced Access
Control can communicate with older versions of Citrix Presentation Server, it
does not allow application-specific policies to be applied.

You can configure the logon point to use either the Web Client or the Client for
Java on demand when users access published resources.
Advanced Access Control supports using the following Citrix Presentation Server
Clients:

Client                                          English  Japanese  German  Spanish  French
Citrix Presentation Server Client Version 9.2   Yes      Yes       Yes     Yes      Yes
Client for Java Version 9.4                     Yes      Yes       Yes     Yes      Yes
Web Client Version 9.2                          Yes      Yes       Yes     Yes      Yes

For more information about requirements for running the Client for Java, see the
Client for Java Administrator’s Guide. For more information about configuring
Advanced Access Control to access published resources, see “Allowing File Type
Association” on page 138.

Citrix Presentation Server for UNIX Requirements


If you want to integrate Advanced Access Control with Citrix Presentation Server
for UNIX, be aware of the following:
• Workspace Control is not supported
• SmartAccess is not supported
• Because Web Interface requires users to enter a domain when logging on,
users must enter the word “unix” as the domain to authenticate to Web
Interface through Advanced Access Control

SmartAccess Requirements
The SmartAccess feature enables organizations to better control how published
applications are accessed and used.
You can use SmartAccess with Advanced Access Control to control which
resources users can access, based on their access scenario, and what they can do
within those resources after they get access. SmartAccess integrates with Web
Interface for Citrix Presentation Server to give organizations granular control
over published applications. To use SmartAccess, you must have the following
components in your environment:
• Citrix Access Gateway Advanced Edition
• Citrix Presentation Server 4.0

Note: SmartAccess is not supported with Citrix Presentation Server for UNIX.

If you are using Web Interface to access published applications, you must also
have the following software:
• Access Suite Console 4.0 for Citrix Presentation Server with the Web
Interface Extension 4.2 patch applied
• Web Interface for Citrix Presentation Server 4.0 or 4.5
You must also ensure that address translation and firewall settings are identical
for the Web Interface and Advanced Access Control. For more information about
configuring SmartAccess, see the Web Interface Administrator’s Guide.

Multiple Access Platform Site and Credential Caching Requirements

Advanced Access Control supports displaying up to three Citrix Access Platform
sites within the Access Interface. If the credentials used to log on to the Access
Platform sites are different from those used for Advanced Access Control, you
can cache these credentials so users are not required to reenter them. These
features require:
• Web Interface for Citrix Presentation Server 4.0 or 4.5.
• Advanced Access Control to authenticate users with Active Directory
credentials only. Credential caching is not supported for use with RADIUS,
LDAP, RSA SecurID, or Secure Computing SafeWord.

SmoothRoaming Requirements
The SmoothRoaming features of Citrix Presentation Server provide users with
uninterrupted access to information. These features include Workspace Control,
Session Reliability, and Dynamic Session Reconfiguration.
Note: Workspace Control is not supported with Citrix Presentation Server for
UNIX.

You can use SmoothRoaming features with Advanced Access Control to enable
users to move between client devices and gain access to all of their applications
when they log on. To use SmoothRoaming, you must have the Advanced or
Enterprise edition of Citrix Presentation Server 3.0 or 4.0 installed on a server in
your environment. SmoothRoaming is not available in the Citrix Presentation
Server Standard Edition.

Requirements for Bypassing the Web Proxy


If you want users to bypass the Web proxy when accessing a Web resource, you
can allow them to access the resource using the Secure Access Client. For
information about requirements for running the Secure Access Client, see “Client
Requirements” on page 58.

Third Party Portal Integration Requirements


Access Gateway Advanced Edition supports integration with third party portals
such as Microsoft SharePoint to provide convenient access to Web resources, file
shares, Web email, and published applications. To integrate Microsoft SharePoint,
you must have one of the following versions installed in your environment:
• Microsoft SharePoint 2001
• Microsoft SharePoint 2003
Typically, users can work with documents managed by SharePoint using menu-driven
commands. When users access the SharePoint site through the Web proxy,
menu items that require ActiveX to function are not available. The following
table describes these menu items:

Menu Item                   Requires ActiveX?  Available to Users by Default?
View Properties             No                 Yes
Edit Properties             No                 Yes
Edit in Microsoft Office    Yes                No
Delete                      No                 Yes
Check In                    No                 Yes
Check Out                   No                 Yes
Version History             No                 Yes
Alert Me                    No                 Yes
Discuss                     Yes                No
Create Document Workspace   No                 Yes

Additionally, custom menu items that require ActiveX to function are not
available to users when SharePoint is accessed through the Web proxy.

Client Requirements
This section describes the client requirements for the platforms that Advanced
Access Control supports.

Web Browser Requirements


Advanced Access Control supports the use of Web browsers on the following
platforms:

Devices                 Operating System                          Web Browser
Desktop Workstations    Microsoft Windows:                        Internet Explorer 6.0 SP1
                          Windows XP Home/Professional SP2        Netscape Navigator 8.0
                          Windows 2000 Professional SP4           Mozilla Firefox 1.5
                        Apple Macintosh OS X 10.3.9 or greater    Safari 2.0
                        (English only)                            Netscape Navigator 8.0
                                                                  Mozilla Firefox 1.5
                        Red Hat Linux                             Netscape Navigator 8.0
                                                                  Mozilla Firefox 1.0.4
PDAs and Smartphones    PalmOS 5.4 (Palm Treo 650)                PalmSource Web Browser 2.0
                        Microsoft Windows Mobile 5.0              Internet Explorer
                        (UT Starcom/Verizon Wireless XV6700)
                        Microsoft Windows Mobile 2003             Internet Explorer
                        (HP iPAQ hw6515 Mobile Messenger)
                        RIM BlackBerry (BlackBerry 7130e)         Default Web Browser
                        Symbian (Japanese only)                   Default Web Browser
                        (Motorola FOMA M1000)

Note: If you are using Apple Macintosh OS X, apply all updates, service packs,
and patches to ensure Web-based features function properly.
The following table describes localization support based on the platform and Web
browser:

Web Browser                                    English  Japanese  German  Spanish  French
Internet Explorer 6.0 SP1 (Windows 2000/XP)    Yes      Yes       Yes     Yes      Yes
Netscape Navigator 8.0 (Windows 2000/XP)       Yes      No        No      No       No
Netscape Navigator 7.1 (Windows 2000/XP)       Yes      Yes       Yes     No       Yes
Netscape Navigator 7.0 (Windows 2000/XP)       Yes      Yes       Yes     Yes      Yes
Mozilla Firefox 1.5 (Windows 2000/XP)          Yes      Yes       Yes     Yes      Yes
Safari 2.0 (Mac OS X)                          Yes      No        No      No       No
Netscape Navigator 7.1 (Mac OS X)              Yes      No        No      No       No
Netscape Navigator 7.0 (Mac OS X)              Yes      No        No      No       No
Mozilla Firefox 1.5 (Mac OS X)                 Yes      No        No      No       No

Advanced Access Control delivers content to client Web browsers by transmitting
Web pages encoded with HTML and JavaScript. In most cases, standard client
configurations can support Advanced Access Control.
You must ensure the following settings are configured for each Web browser:
• Enable execution of client-side JavaScript
• Allow downloading of signed ActiveX controls
• Allow downloading of Java applets if you provide access to published
applications and restrict users to the Client for Java
For more information about configuring Web browsers for use with Advanced
Access Control, see “Browser Security Considerations” on page 209.

Live Edit Client Requirements


The Live Edit Client is an ActiveX control that downloads automatically to a
client Web browser to provide remote editing capabilities for Microsoft Office
documents.
To use the Live Edit Client, the following software is required on users’
workstations:
• Microsoft Windows 2000 or XP with all service packs and critical updates
• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission
to load signed ActiveX controls

Note: Windows 2000 or XP users must be members of the Administrators or
Power Users group to download and install ActiveX controls.

Endpoint Analysis Client Requirements


The Endpoint Analysis Client collects device information such as operating
system, antivirus, or Web browser versions prior to logging on to Advanced
Access Control. The Endpoint Analysis Client can be distributed as an ActiveX
control, a browser plug-in, or a Windows 32-bit application.
To use the Endpoint Analysis Client, the following software is required on users’
workstations:
• Microsoft Windows 2000 or XP with all service packs and critical updates
• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission
to load signed ActiveX controls if distributing the ActiveX control
• Netscape Navigator 8.0 if distributing the browser plug-in
• Mozilla Firefox 1.5 if distributing the browser plug-in

Note: Windows 2000 or XP users must be members of the Administrators or
Power Users group to download and install ActiveX controls.

Secure Access Client Requirements


The Secure Access Client acts as a proxy between the client computer and the
Access Gateway appliance. The Secure Access Client can be distributed as a
desktop application for Microsoft Windows or Linux operating systems. The
Secure Access Client is downloaded and installed automatically when users enter
the secure Web address of the Access Gateway appliance and a logon point in a
Web browser.
Note: Windows 2000 and XP users must be members of the Administrators or
Power Users group to install applications. Linux users must have the tcl and tk
packages installed to use the Secure Access Client.
The Secure Access Client is not supported in double-hop DMZ deployments. If
you deploy Access Gateway Advanced Edition in a double-hop DMZ, users
access resources only through a browser-only connection.

Console Requirements
The Access Management Console is the configuration and administration tool for
Advanced Access Control. You can install the console on an Advanced Access
Control server or on a standalone workstation.
The Console requires at least:
• Windows Server 2003, Standard Edition, Enterprise Edition, or Datacenter
Edition with Service Pack 1; Microsoft Windows Server 2003, 64-bit
Edition; Windows XP Professional with Service Pack 2; or Windows 2000
Professional with Service Pack 4
• 25 MB of hard drive space
• .NET Framework Version 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh

Important: If you install the console on the Advanced Access Control server,
you must install the .NET Framework and MDAC 2.7 Refresh (mdac_typ.exe)
before you install Advanced Access Control. The .NET Framework and MDAC
2.7 Refresh executable files are located on the Advanced Access Control Server
CD-ROM.

Installation Overview
This overview includes the basic steps for installing Advanced Access Control.
Citrix supports deploying Advanced Access Control on a single server or on
multiple servers.
For important information to consider before installing Citrix products, review
the readme files and administrator guides for components you plan to install. The
readme files and administrator guides are available in the Documentation folder
of the Advanced Access Control Server CD-ROM.
To get started with Advanced Access Control, complete the following steps:
1. Before you begin installation, use Windows Update to ensure all Advanced
Access Control servers are patched with critical updates.
2. Ensure your servers meet all requirements for components and features you
plan to use.
3. Install and configure Citrix Licensing. See the Readme for Citrix Licensing
and the Getting Started with Citrix Licensing Guide, available in the
Documentation folder of the Advanced Access Control Server CD-ROM.

Note: Citrix recommends performing this step before installing
Advanced Access Control to save time during server configuration and
prevent user access delays due to licensing issues. However, you can install
the licensing server during or after server configuration.

4. Install Advanced Access Control and the Access Management Console.
5. Install additional components, if applicable.
6. After you install components, visit the Citrix Hotfixes and Service Packs
Web site to download and install critical updates.

Installing Advanced Access Control


The Advanced Access Control Setup wizard guides you through the process of
installing Advanced Access Control and its components.

To install Advanced Access Control

1. Insert the Advanced Access Control Server CD-ROM in the CD drive. The
startup screen appears if autorun is enabled. If autorun is not enabled,
navigate to the CD root directory and double-click AutoRun.exe.
2. On the startup screen, click Access Gateway Advanced Edition.
3. Read and accept the Citrix license agreement.
4. Select any of the following components to install:
• Server. Installs the Advanced Access Control server software,
including the Logon Agent and server configuration tools.
• Management console. Installs the configuration and management
tool for Advanced Access Control and the other products in the Citrix
Access Suite.
• Access Management Console - Licensing. Installs the Licensing
Console snap-in. For more information about this snap-in, see “The
Access Management Console User Interface” on page 82.
• Access Management Console - Diagnostics. Installs the Diagnostic
Facility Console snap-in. You do not need to install this component
unless requested to do so by a Citrix Technical Support
representative. For more information about this snap-in, see “The
Access Management Console User Interface” on page 82.
5. Follow the on-screen instructions to complete the Setup wizard.
As Advanced Access Control is installed, a message box displays the progress.
When the installation is complete, you can configure the server with the Server
Configuration utility or you can install Advanced Access Control on other
servers.
To begin configuring your server, click Finish. For more information about
configuring your server, see “Configuring Your Server” on page 76.

Troubleshooting the Installation


During installation, Advanced Access Control creates the log file
CTXMSAM40_Install.log that you can use to troubleshoot the server installation.
This log file is written to a temporary folder by default. To define the location of
this folder, Advanced Access Control checks the following environment
variables:
• TMP
• TEMP
• USERPROFILE
• windir
The first valid path that Windows finds among these variables becomes the
location of the installation log files.
You can override this default path by typing /logfilepath folder_path at a
command prompt, where folder_path is the location where you want to store the
installation log files.
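The following Windows PowerShell function is an added example, not part of the Citrix guide: it locates CTXMSAM40_Install.log by walking the four environment variables in the order the text gives, accepting the first one that names an existing folder, and then lists the lines that mention errors or failures. The /logfilepath override is modelled as an optional parameter; the pattern used to pick out error lines is an assumption, since the guide does not describe the log format.

```powershell
# Added example (not from the Citrix guide): find CTXMSAM40_Install.log by
# checking TMP, TEMP, USERPROFILE and windir in order, then summarize error lines.
function Resolve-InstallLogPath {
    param(
        [string[]]$Candidates = @('TMP', 'TEMP', 'USERPROFILE', 'windir'),
        [string]$LogName = 'CTXMSAM40_Install.log',
        [string]$Override        # the folder passed to Setup with /logfilepath, if one was used
    )
    if ($Override) { return (Join-Path $Override $LogName) }
    foreach ($name in $Candidates) {
        $value = [Environment]::GetEnvironmentVariable($name)
        # "First valid path": the variable must be set and must point at an existing folder
        if ($value -and (Test-Path -LiteralPath $value -PathType Container)) {
            return (Join-Path $value $LogName)
        }
    }
    return $null
}

# Note: TMP, TEMP and USERPROFILE are per-user, so run this as the account that ran Setup
# or the resolved folder will differ from the one Setup actually wrote to.
$log = Resolve-InstallLogPath
if (-not $log) {
    Write-Warning 'None of TMP, TEMP, USERPROFILE or windir points at an existing folder'
} elseif (-not (Test-Path -LiteralPath $log)) {
    Write-Warning "Expected log not present: $log (check whether /logfilepath was used at install time)"
} else {
    "Install log: $log"
    # Assumed pattern for lines worth reading first; adjust once you have seen the log's format
    Select-String -Path $log -Pattern 'error|fail' |
        ForEach-Object { '{0,6}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}
```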
Uninstalling Advanced Access Control


If you want to remove an Advanced Access Control component from a server, use
Add/Remove Programs on the Control Panel. Depending on the options you
selected during installation, remove these components in the following order:
• Citrix Access Gateway 4.5 Server
• Citrix Access Gateway 4.5 Console
• Citrix License Server Administration
• Citrix Access Management Console - Diagnostics
• Citrix Access Management Console - Framework

Note: If you remove the Citrix Access Gateway Console component before
removing the Citrix Access Gateway Server component, the Server component
cannot be removed successfully.
The Citrix License Server Administration and Citrix Access Management
Console - Diagnostics components can be removed at any time in the
uninstallation. However, the Citrix Access Management Console - Framework
component must be removed last.

To remove Advanced Access Control components

1. Choose Start > Control Panel > Add or Remove Programs.
2. In Add or Remove Programs, select an Advanced Access Control
component.
3. Click Change or Remove. The wizard prompts for verification that you
want to remove the software.
4. Click Yes or Next to remove the component.
CHAPTER 6

Configuring Advanced Access Control

After you install Advanced Access Control, you configure each of your servers in
the access server farm. The following topics discuss server configuration:
• “Supported Configurations” on page 68
• “Configuring Your Server” on page 76
• “Steps to Configuring A Server” on page 77
• “Enabling Advanced Access Control” on page 80
• “Using the Access Management Console” on page 82
• “Configuring Your Farm with the Getting Started Panel” on page 84
• “Linking to Citrix Presentation Server” on page 85
• “Configuring Logon Points” on page 89
• “Logging on through the Logon Point” on page 92
• “Updating Logon Page Information” on page 93
• “Changing Expired Passwords” on page 93
• “Setting the Default Logon Point” on page 93
• “Removing Logon Points” on page 94
• “Configuring the Access Gateway” on page 95
• “Configuring Split Tunneling” on page 95
• “Forwarding System Messages” on page 96
• “Configuring Client Properties” on page 97
• “Configuring Server Properties” on page 98
• “Configuring ICA Access Control” on page 99
• “Configuring Authentication with Citrix Presentation Server” on page 100

Supported Configurations
You can deploy Access Gateway Advanced Edition in a variety of ways to meet
the needs of your organization. Supported configurations include:
• One or more Access Gateway appliances deployed in the DMZ and the
Advanced Access Control server deployed in the internal network
• One or more Access Gateway appliances deployed behind a load balancer
in the DMZ and the Advanced Access Control server deployed in the
internal network
• A double-hop DMZ scenario where one or more Access Gateway
appliances are deployed in the first DMZ, one or more Access Gateway
appliances are deployed in the second DMZ, and the Advanced Access
Control server is deployed in the internal network

Access Gateway Configurations


Depending on your organization’s needs, you can deploy one or multiple Access
Gateway appliances. If your deployment includes a load balancer with multiple
appliances, you configure each appliance with the same FQDN as the load
balancer but you do not specify Access Gateway failover servers. The load
balancer handles failover as well as load balancing.
If your deployment includes multiple appliances without a load balancer, you
configure each appliance with a unique FQDN and specify the other appliances as
failover servers. For more information about deploying the Access Gateway
appliance, see Getting Started with Citrix Access Gateway Standard Edition.

Advanced Access Control Configurations


Advanced Access Control supports the following access server farm
configurations:
• Advanced Access Control on a single server.
Install Advanced Access Control on a single server. The server contains all
required access server farm components, including the database server.
• Advanced Access Control on a single server and Microsoft SQL Server
on a separate server.
Install Microsoft SQL Server on a separate server. Install Advanced Access
Control and specify the SQL database server for the server farm database.
• Advanced Access Control on multiple servers.
Install Microsoft SQL Server on a separate database server. Install
Advanced Access Control on multiple servers.

Double-Hop DMZ Configurations


You can deploy two Access Gateway appliances in a double-hop DMZ to control
access to corporate resources through Advanced Access Control. In a double-hop
DMZ configuration, three firewalls divide the DMZ into two stages to provide an
extra layer of security for the internal network. One Access Gateway resides in
the first DMZ while one or more Access Gateway appliances reside in the second
DMZ. The Advanced Access Control server resides in the internal network.
The Access Gateway in the first DMZ handles the client connections and
performs the security functions of an SSL VPN. This Access Gateway encrypts
the client connections, determines how clients are authenticated, and controls
access to the servers in the internal network.
The Access Gateway in the second DMZ serves as a proxy device. This Access
Gateway enables the ICA traffic to traverse the second DMZ to complete
Presentation Server Client connections to the access server farm.
Communications between the Access Gateway in the first DMZ and the Secure
Ticket Authority (STA) in the internal network are also proxied through the
Access Gateway Proxy in the second DMZ.

Note: The term Access Gateway Proxy refers to the Access Gateway appliance
deployed in the second DMZ.

When Access Gateway Advanced Edition is deployed in a double-hop DMZ
configuration, the Access Gateway appliance in the first DMZ can communicate
with any number of appliances in the second DMZ. However, the Access
Gateway Proxy in the second DMZ can communicate with only one appliance in
the first DMZ. Notification messages from the Advanced Access Control server
are proxied through the Access Gateway in the second DMZ to the appliance in
the first DMZ. For more information about communication between the Access
Gateway and Access Gateway Proxy, see “Understanding the Relationship
between the Access Gateway and the Access Gateway Proxy” on page 70.
In a double-hop DMZ deployment, users connect to the Access Gateway in the
first DMZ with a Web browser and a Citrix Presentation Server Client. Users
access the logon point on the Advanced Access Control server with a Web
browser to access corporate resources. Users connect with a Citrix Presentation
Server Client to use the resources to which they have access such as published
applications.

Important: The Secure Access Client is not supported in a double-hop DMZ
deployment. You cannot use the Secure Access Client to access network
resources when Access Gateway appliances are deployed in a double-hop DMZ
configuration.

Understanding the Relationship between the Access
Gateway and the Access Gateway Proxy
Although the Access Gateway in the first DMZ can communicate with any
number of Access Gateway Proxy appliances in the second DMZ, the Access
Gateway Proxy in the second DMZ can communicate with only one Access
Gateway in the first DMZ. If you deploy multiple Access Gateway appliances in
the first DMZ, configure each appliance to communicate only with the Access
Gateway Proxy appliances that are themselves configured to communicate with
that specific Access Gateway.
For example, an administrator has two Access Gateway appliances in the first
DMZ (named Appliance 1 and Appliance 2) and four Access Gateway Proxy
appliances in the second DMZ (named Appliance 4, Appliance 5, Appliance 6,
and Appliance 7). The administrator configures Appliances 4 and 5 to
communicate with Appliance 1; and Appliances 6 and 7 communicate with
Appliance 2, as illustrated below.

When configuring Appliance 1 in the first DMZ, the administrator enables
communication only with the Access Gateway Proxy that is configured to
communicate with Appliance 1. Therefore, the administrator configures
Appliance 1 to communicate with Appliances 4 and 5 only. Likewise, the
administrator configures Appliance 2 to communicate with Appliances 6 and 7
only. The illustration below shows this configuration.

In this example, each Access Gateway in the first DMZ communicates with a
subset of the Access Gateway Proxy appliances in the second DMZ. This ensures
the Proxy appliances are able to respond to the appropriate Access Gateway in the
first DMZ. Otherwise, notifications from the Advanced Access Control server
would be lost and users could not log on and use corporate resources.

Deploying Double-Hop DMZ Configurations


Deploying Access Gateway Advanced Edition in a double-hop DMZ
configuration involves the following tasks:
• Installing the Access Gateway appliances in the first and second DMZs.
• Adding the IP addresses and FQDNs of the Advanced Access Control
server, the Access Gateway in the first DMZ, and the Access Gateway
Proxy in the second DMZ to the Hosts file on the Access Gateway
appliances in both DMZs and the Advanced Access Control server. This
task is required if you are not using DNS in your environment.

• Configuring the Access Gateway Proxy in the second DMZ to
communicate with the Access Gateway in the first DMZ and the Advanced
Access Control server.
• Configuring the Access Gateway in the first DMZ to communicate with the
Access Gateway Proxy in the second DMZ.
• Configuring the Access Gateway in the first DMZ to communicate with the
Advanced Access Control server.

Important: To deploy this configuration correctly, you must perform these
tasks in the specified order. For example, if you configure the Access Gateway in
the first DMZ before you configure the Access Gateway Proxy in the second
DMZ, you will receive errors and communication between the appliances will not
occur even if all the settings are correctly configured.

Step 1: Installing Access Gateway Appliances


The Access Gateway Standard Edition Administrator’s Guide describes in detail
the process for installing the Access Gateway in the first DMZ and the Access
Gateway Proxy in the second DMZ. After you install these appliances, proceed to
Step 2.

Step 2: Adding Entries to the Hosts Files on the Access Gateway
and Advanced Access Control Server
The Hosts files on the Access Gateway appliances and the Advanced Access
Control server consist of entries that are used to resolve FQDNs to IP addresses.
If you are not using DNS in your double-hop DMZ configuration, you must add
these entries.
Use the Administration Tool to add the following entries to the Hosts file:
• On the Access Gateway, add the FQDNs and IP addresses of the Access
Gateway Proxy in the second DMZ and the Advanced Access Control
server
• On the Access Gateway Proxy, add the FQDNs and IP addresses of the
Access Gateway in the first DMZ and the Advanced Access Control server
On the Advanced Access Control server, use a text editor to add the FQDNs and
IP addresses of the Access Gateway appliances in both DMZs to the Hosts file.

To add entries to the Hosts file on the Access Gateway

1. From the Administration Tool, click the Access Gateway Cluster tab and
then expand the window for the Access Gateway in the first DMZ.

2. Click the Name Service Providers tab.
3. Under Edit the HOSTS file, in IP address, enter the IP address of the
Access Gateway Proxy installed in the second DMZ.
4. In FQDN, enter the FQDN you want to associate with the IP address you
entered in the previous step. Click Add.
5. Repeat Steps 3 and 4 to add entries for any remaining Access Gateway
Proxy appliances installed in the second DMZ and for the Advanced
Access Control server.

To add entries to the Hosts file on the Advanced Access Control server

1. In Windows Explorer, locate the Hosts file in the
%SystemRoot%\system32\drivers\etc directory.
2. Open the file using a text editor.
3. On a separate line, type the IP address and associated FQDN of each
appliance.
4. Save the Hosts file.
5. Repeat Steps 1 through 4 for each Advanced Access Control server in your
farm.

Step 3: Configuring Communication with the Access Gateway
Proxy and Advanced Access Control
For a double-hop DMZ configuration, you must first configure the Access
Gateway Proxy in the second DMZ to communicate with the Access Gateway in
the first DMZ and with the Advanced Access Control server in the internal
network. After you complete this step, the Access Gateway Proxy is ready to
establish communication with the Access Gateway in the first DMZ.

Note: You can configure the Access Gateway Proxy to communicate with only
one Access Gateway in the first DMZ. For more information about
communication between the Access Gateway and Access Gateway Proxy, see
“Understanding the Relationship between the Access Gateway and the Access
Gateway Proxy” on page 70.

To configure communication between the Access Gateway Proxy and the
Access Gateway

If you have multiple appliances installed in the second DMZ, perform this
procedure on each appliance.

1. From the Administration Tool, select the Access Gateway Cluster tab and
then expand the window for the appliance in the second DMZ.
2. On the General Networking tab, in DMZ Configuration, select Second
hop in double DMZ.
3. In Protocol, select either SOCKS over SSL or SOCKS.
4. In Port, the default port is 443 for SOCKS over SSL connections or 1080
for unsecured SOCKS connections.
5. Select the Advanced Access Control check box.
6. In FQDN of the first appliance in the DMZ, type the FQDN or IP address
of the Access Gateway in the first DMZ. If you are using the SOCKS over
SSL protocol, you must type the FQDN address. If you are using the
SOCKS protocol, you can type either the FQDN or IP address.
7. Click Submit and restart the Access Gateway Proxy.
After you configure the Access Gateway Proxy, you can configure the Access
Gateway in the first DMZ.

Step 4: Configuring Communication between the Access
Gateway and Access Gateway Proxy
In a double-hop DMZ configuration, the Access Gateway in the first DMZ
communicates with the Access Gateway Proxy in the second DMZ to deliver
requests to the Advanced Access Control server in the internal network.

Note: If you have multiple Access Gateway appliances installed in the first
DMZ, you will need to configure each of these appliances to communicate with a
subset of Access Gateway Proxy appliances. For more information, see
“Understanding the Relationship between the Access Gateway and the Access
Gateway Proxy” on page 70.

To configure communication between the Access Gateway and Access
Gateway Proxy

1. From the Administration Tool, click the Access Gateway Cluster tab and
then expand the window for the Access Gateway in the first DMZ.
2. On the General Networking tab, in DMZ Configuration, select First hop
in double DMZ.
3. Select the Configure for Advanced Access Control check box. Click
Add.

4. In the Add appliance from second hop window, complete the following:
• FQDN or IP address. Enter the FQDN or IP address of the Access
Gateway Proxy installed in the second DMZ. If you are using the
SOCKS over SSL protocol, you must enter the FQDN address. If you
are using the SOCKS protocol, you can enter either the FQDN or IP
address.

Note: This FQDN or IP address is also used by the Advanced
Access Control server to communicate with the Access Gateway
Proxy. When the Advanced Access Control server registers the
Access Gateway in the first DMZ, the Gateway Appliances node in
the Access Management Console displays the Access Gateway
Proxy’s information.

• Port. The default port for a SOCKS over SSL connection is 443. The
default port for a SOCKS connection is 1080. You can change the
default ports as necessary.
• Protocol. Select SOCKS over SSL to secure the SOCKS connection to the
Access Gateway Proxy in the second DMZ with SSL. Select SOCKS if you
want this connection to be unsecured; with plain SOCKS, the traffic
between the two DMZs is not encrypted.
• Second hop appliance MAC address. Enter the MAC address of the
network card associated with Interface 0 on the Access Gateway
Proxy installed in the second DMZ.
5. Click Validate to verify that the Access Gateway in the first DMZ can
connect to the Access Gateway Proxy in the second DMZ using the
specified address, protocol, and port.
6. Repeat Steps 3 through 5 to add more appliances to the Appliances in
second hop list.

Note: The Access Gateway in the first DMZ uses the Appliances in
second hop list to load balance connections to the appliances installed in the
second DMZ.

7. Click Submit and restart the Access Gateway.
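The following Python script is an added example and is not part of this guide or of the Access Gateway product. It encodes the rules from "Understanding the Relationship between the Access Gateway and the Access Gateway Proxy" and from Steps 2 through 4 as a check you can run before touching the appliances: every Access Gateway Proxy points at exactly one first-hop appliance, every first-hop appliance lists only the proxies that point back at it, and SOCKS over SSL entries carry an FQDN rather than an IP address. It also produces the Hosts file lines each node needs when DNS is not in use. The host names, IP addresses and appliance names are constructed for illustration and follow the Appliance 1/2 and 4 through 7 example above.

```python
"""Double-hop DMZ topology and Hosts-file consistency check (added example, not Citrix code).
Encodes the rules stated in this chapter: a proxy in the second DMZ points at exactly one
first-hop appliance, a first-hop appliance lists only proxies that point back at it, and
SOCKS over SSL needs an FQDN rather than an IP address. It also derives the Hosts-file
lines each node needs when DNS is not in use (Step 2). All names/addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Proxy:                  # Access Gateway Proxy in the second DMZ (Step 3)
    name: str
    fqdn: str
    ip: str
    first_hop: str            # "FQDN of the first appliance in the DMZ" (one only)
    protocol: str = "SOCKS over SSL"

@dataclass
class SecondHopEntry:         # one row of "Appliances in second hop" (Step 4)
    address: str              # FQDN or IP address of the proxy
    protocol: str = "SOCKS over SSL"

@dataclass
class FirstHop:               # Access Gateway in the first DMZ
    name: str
    fqdn: str
    ip: str
    second_hop: list = field(default_factory=list)

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_topology(first_hops, proxies):
    """Return a list of problems; an empty list means the topology is consistent."""
    problems = []
    by_addr = {}                                 # FQDN or IP -> appliance name
    for a in list(first_hops) + list(proxies):
        by_addr[a.fqdn] = by_addr[a.ip] = a.name
    first_names = {f.name for f in first_hops}
    owner = {}                                   # proxy name -> its one first hop
    for p in proxies:
        target = by_addr.get(p.first_hop)
        if target in first_names:
            owner[p.name] = target
        else:
            problems.append(f"{p.name}: first hop {p.first_hop!r} is not a first-DMZ appliance")
        if p.protocol == "SOCKS over SSL" and is_ip_literal(p.first_hop):
            problems.append(f"{p.name}: SOCKS over SSL needs the first hop's FQDN, not an IP")
    for f in first_hops:
        for e in f.second_hop:
            if e.protocol == "SOCKS over SSL" and is_ip_literal(e.address):
                problems.append(f"{f.name}: SOCKS over SSL needs an FQDN for {e.address}, not an IP")
            pname = by_addr.get(e.address)
            if pname not in owner:
                problems.append(f"{f.name}: {e.address} is not a proxy with a valid first hop")
            elif owner[pname] != f.name:
                # The case the chapter warns about: notifications from the Advanced Access
                # Control server relayed by this proxy would go to the wrong first-hop appliance.
                problems.append(f"{f.name}: lists {pname}, which is configured for {owner[pname]}")
    return problems

def hosts_entries(first_hops, proxies, aac_fqdn, aac_ip):
    """Hosts-file lines (IP<TAB>FQDN) per node. Run check_topology first."""
    aac = f"{aac_ip}\t{aac_fqdn}"
    lines = {}
    for f in first_hops:                  # first hop: its own proxies + the AAC server
        mine = [p for p in proxies if p.first_hop in (f.fqdn, f.ip)]
        lines[f.name] = [f"{p.ip}\t{p.fqdn}" for p in mine] + [aac]
    for p in proxies:                     # proxy: its single first hop + the AAC server
        f = next(h for h in first_hops if p.first_hop in (h.fqdn, h.ip))
        lines[p.name] = [f"{f.ip}\t{f.fqdn}", aac]
    lines["AAC server"] = [f"{a.ip}\t{a.fqdn}" for a in list(first_hops) + list(proxies)]
    return lines

# Constructed sample matching the chapter's example: Appliances 4 and 5 serve Appliance 1,
# Appliances 6 and 7 serve Appliance 2.
FIRST_HOPS = [
    FirstHop("Appliance 1", "ag1.dmz1.example", "192.0.2.11",
             [SecondHopEntry("agp4.dmz2.example"), SecondHopEntry("agp5.dmz2.example")]),
    FirstHop("Appliance 2", "ag2.dmz1.example", "192.0.2.12",
             [SecondHopEntry("agp6.dmz2.example"), SecondHopEntry("agp7.dmz2.example")]),
]
PROXIES = [Proxy(f"Appliance {n}", f"agp{n}.dmz2.example", f"198.51.100.1{n}", hop)
           for n, hop in ((4, "ag1.dmz1.example"), (5, "ag1.dmz1.example"),
                          (6, "ag2.dmz1.example"), (7, "ag2.dmz1.example"))]

def misconfigured():
    """Appliance 1 also lists Appliance 6 (which points at Appliance 2) and an IP under SSL."""
    bad = [FirstHop(f.name, f.fqdn, f.ip, list(f.second_hop)) for f in FIRST_HOPS]
    bad[0].second_hop += [SecondHopEntry("agp6.dmz2.example"), SecondHopEntry("198.51.100.15")]
    return bad

if __name__ == "__main__":
    print("chapter layout:", check_topology(FIRST_HOPS, PROXIES) or "consistent")
    print("broken layout:", *check_topology(misconfigured(), PROXIES), sep="\n  ")
    print(hosts_entries(FIRST_HOPS, PROXIES, "aac.corp.example", "10.0.0.10"))
```

Run as is, the script reports the chapter's layout as consistent, lists the two faults in a deliberately broken layout (Appliance 1 also listing Appliance 6, and an IP address under SOCKS over SSL), and prints the IP/FQDN pairs to paste into each Hosts file as described in Step 2.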



Step 5: Configuring Communication between the Access
Gateway and Advanced Access Control
In a double-hop DMZ configuration, the Access Gateway in the first DMZ
communicates with the Advanced Access Control server through the Access
Gateway Proxy in the second DMZ. To configure the Access Gateway in the first
DMZ to communicate with the Advanced Access Control server, see “Enabling
Advanced Access Control” on page 80 for instructions.

Changing the Server Configuration


You can make changes to the access server farm configuration at any time from
the console. When you install more than one Advanced Access Control server in
an access server farm, you can configure additional servers to provide recovery,
enhance performance, and increase the server farm’s capacity to support
additional users. For more information about managing Advanced Access
Control servers, see “Managing Your Access Gateway Environment” on page
213.

Configuring Your Server


After you install Advanced Access Control, you configure your servers using the
Server Configuration utility. This section describes the following configuration
tasks:
• Creating an access server farm
• Selecting a farm database and specifying a database server
• Specifying the Citrix Licensing Server
• Selecting a Web site path and securing Logon Agent traffic
• Enabling Advanced Access Control

Server Configuration Overview


The Server Configuration utility allows you to perform preliminary configuration
tasks such as creating an access server farm and specifying a license server.
This utility sets up the account you specify as the service account. It adds the
account to the local Administrators group and grants the following local security
policy rights:
• Act as part of the operating system
• Log on as a batch job
• Log on as a service

Important: The Server Configuration utility cannot create a SQL user account
for access to the farm database. You must create the account in SQL Server
Enterprise Manager before you change the user account for database access. The
database user account must have System Administrator privileges, so use an
account dedicated to Advanced Access Control rather than one shared with other
applications.

The Server Configuration utility does not add the service account to network
shares.
The Server Configuration utility does not remove previous service accounts from
the local security policy or network shares. A replaced service account therefore
keeps its local Administrators membership and the rights listed above until you
remove it. If this is a security concern, remove the old accounts after updating
the account information with the utility.
The Server Configuration utility performs the following operations:
• Verifies all account information
• Updates services
• Stops Advanced Access Control services
• Starts Advanced Access Control services
• Updates internal service account information
• Updates internal database account information
• Synchronizes the access server farm

Steps to Configuring a Server


After installing Advanced Access Control, you can configure a server with the
Server Configuration utility.

To run the Server Configuration utility

Click Start > Programs > Citrix > Access Gateway > Server Configuration.

Creating or Joining an Access Server Farm


When you install Advanced Access Control on a server, you can create a new
access server farm or add the server to an existing access server farm.
• Create a new access server farm
Choose this option if you are creating an access server farm. The access
server farm name becomes the SQL Server database name. Choosing this
option requires you to enter licensing, service account, and database
information.
• Join an existing access server farm
Choose this option if you are adding a server to an existing access server
farm. Choosing this option requires you to enter service account and
database information.

Selecting a Database
When you create an access server farm, the Server Configuration utility prompts
you to specify whether to use an existing SQL Server database or to install a local
database engine. The database server stores the configuration data for the access
server farm.
• Microsoft SQL Server
Choose this option to use a supported version of Microsoft SQL Server as
the database server for the access server farm. SQL Server can run on the
same server running Advanced Access Control or on a separate database
server.

Important: If you want to select a SQL Server database, be sure the SQL
Server service is running on the server you want to specify. If the service is
not running, the Server Configuration utility cannot detect the server.

• Microsoft SQL Server Express
Choose this option if you want Advanced Access Control to install the
necessary components for a local database server and create a database for
the access server farm. The Server Configuration utility searches for an
instance of SQL Server Express labeled CitrixAAC. If this instance is not
found, the Server Configuration utility installs this instance for you.

Note: Use the Microsoft SQL Server Express option for a pilot
deployment of Advanced Access Control. Citrix recommends the use of
Microsoft SQL Server for large-scale deployments.

Specifying an Existing Database Server


If you select Microsoft SQL Server as your database, the Server Configuration
utility prompts you to specify the server on which SQL Server is installed.
• Farm database server. Type the name of the database server.

• Access server farm name. Type the name of the access server farm you
want to create or join.
• Use the Service Account to access the configuration database. Choose
this option to use the Advanced Access Control service account credentials
to access the SQL database.
• Use SQL Authentication to access the configuration database. Choose
this option to use the SQL database account credentials to access the SQL
database. If you choose this option, you must also enter the database user
name and password.

Specifying a License Server


If you are creating a new access server farm, the Server Configuration utility
prompts you to identify the license server you want to use to validate your
installation of Advanced Access Control. You must select one of the following
options to continue server configuration.
• I would like to use an existing license server. Choose this option if you
want to specify a license server that you installed directly. In the Host
name box, type the name of the license server you want to use. If the
license server uses a port other than 27000, clear the Use default port
check box and then type the correct port in the License server port box.
• I would like to install a new license server on this computer. Choose this
option if you want to install a license server on the same machine as the
server running Advanced Access Control. When you complete the server
configuration, Advanced Access Control installs the license server.
• I do not wish to configure licensing at this time. Choose this option if you
want to specify a license server later. If you do not specify a license server,
users will receive an “Access Denied” message when they attempt to log on
to Advanced Access Control.

Selecting a Web Site Path


The Web site path is the location where all Web content for Advanced Access
Control is installed. Review the Web site path that Advanced Access Control
detects to ensure it is valid for your deployment.

To change the physical path

1. Select the Web site you want to change.
2. Click the Use custom path for web content check box.
3. In the Path box, type the physical path you want to use for the Web site.
You can also click Browse to navigate to the directory you want to specify.

Securing Web Site Traffic with SSL


When you select a Web site path, you can also enable the Secure Sockets Layer
(SSL) protocol to secure communication with the Logon Agent.
To secure Web site traffic, click the Secure traffic between the Logon Agent
and the Authentication Service check box.

Important: You must have the required digital certificates installed on the
server before configuring Advanced Access Control. This check box is not
enabled unless SSL is enabled on the server.

Finishing Server Configuration


The Server Configuration utility displays a summary of your selected options and
configuration settings. After you review the summary, click Next to initiate server
configuration. When configuration is complete, click Finish and proceed to
enabling Advanced Access Control to manage the Access Gateway appliance.

Enabling Advanced Access Control


To use the granular access control features of Advanced Access Control, you
must enable the Access Gateway appliance to communicate with the Advanced
Access Control server.

Note: If you are deploying Access Gateway Advanced Edition in a double-hop
DMZ deployment, you enable communication with Advanced Access Control
after several other tasks are completed. For more information about these
additional tasks, see “Double-Hop DMZ Configurations” on page 69.

To enable communication with Advanced Access Control, you perform the
following tasks using the Access Gateway Administration Tool:
• In the Name Service Providers tab, enter the DNS and WINS information
for your Advanced Access Control server.
• In the Routes tab, configure the IP routes as needed.
• In the Advanced Options tab, select Advanced Access Control and enter the
server information.

After you perform these tasks and reboot the appliance, you use the
Administration Tool to manage appliance-specific settings only. For more
information about using the Administration Tool, see the Access Gateway
Standard Edition Administrator’s Guide.

Important: When you enable Advanced Access Control to manage global
gateway appliance settings, the corresponding settings in the Administration Tool
are deactivated and any existing configuration values are removed. If you
configured these settings with the Administration Tool before enabling Advanced
Access Control, you must configure these settings again in the Access
Management Console. For more information about configuring these settings in
the console, see “Configuring the Access Gateway” on page 95.
If you disable appliance administration with Advanced Access Control, the global
gateway appliance settings you configured in the console are deactivated and
existing configuration values are removed.

To enable Advanced Access Control

1. Launch the Access Gateway Administration Tool and select an Access
Gateway appliance.
2. On the Access Gateway Cluster tab, click Advanced Options.
3. To manage the Access Gateway cluster using the Access Management
Console, select Advanced Access Control.
4. In Server running Advanced Access Control, type the IP address or
FQDN of the server that is running Advanced Access Control.

Important: If you specify the FQDN of the server running Advanced
Access Control and you cannot connect to the server, ensure you have
entered the DNS servers you want to use in the Name Service Providers tab
of the Administration Tool. If you specify the IP address of the server
running Advanced Access Control, you do not need to specify the DNS
servers.

5. To encrypt communication between the Access Gateway appliance and the
Advanced Access Control server, select Secure server communication.
6. Click Submit to save your changes.
7. Restart the Access Gateway.

Using the Access Management Console


The Access Management Console extends your ability to manage your
deployment by integrating many of the administrative features of your Citrix
products into the Microsoft Management Console (MMC). The Access
Management Console is a standalone snap-in to the MMC. Management
functionality is provided through a number of management tools (extension snap-
ins) that you can select when you install the Access Management Console or at
any time later.

Installing the Access Management Console


Before installing any snap-ins to the Access Management Console, ensure that
you installed the Access Management Console - Framework Version 4.5. If you
try to install any snap-ins before installing the Framework on your server, the
installation fails. You cannot install any snap-in if a newer version of the snap-in
is present on your server. If you try to do so, the installation fails. Before you
install an older version of a snap-in, first uninstall your existing snap-in.

Users and Accounts


You must be a Citrix administrator to use the Access Management Console. You
should therefore ensure that the correct administrator privileges are in place
before allowing others to use the console.
Do not run the console in two sessions simultaneously on one computer using the
same user account. Changes made on the console in one session can overwrite
changes made in the other.

Deploying the Console to Administrators


To use the console to make changes to an Advanced Access Control deployment,
administrators must have permission to run the Access Gateway Server COM+
application. For more information about granting COM+ permissions, see
“Securing the Access Management Console Using COM+” on page 215.

The Access Management Console User Interface


The main user interface of the Access Management Console consists of three
panes:
• The left pane contains the console tree.
• The task pane in the middle displays administrative tasks and tools. This
pane is not present in the MMC.

• The details pane on the right displays information about your deployment
items and associated tasks.
The following nodes are available under the top-level node in the console tree:
• Alerts. Lists the alerts created by all the items in your deployment. Double-
click an alert to drill down to the affected item.
• Search Results. Displays the results of any search that you performed.
Click Search in the task pane to perform a standard or advanced search.
• My Views. Allows you to customize the information that you display in the
details pane.
In addition, nodes are created by some Access Management Console snap-ins
when they are installed. Depending on your Access Management Console
installation, the following snap-ins are available:
• Licensing. Launches the License Management Console that allows you to
manage licenses for your Citrix products. For more information about the
License Management Console, see the Getting Started with Citrix
Licensing Guide.
• Diagnostic Facility. Creates and packages trace logs and other system
information to assist Citrix Technical Support in diagnosing problems.

Starting the Access Management Console


To start the Access Management Console

Click Start > Programs > Citrix > Management Consoles > Access
Management Console.

Finding Items in Your Deployment Using


Discovery
Before you can use the Access Management Console to manage the items in your
deployment, you must run discovery. Discovery is not equivalent to locating
items that already exist in the console tree, which you perform using Search in the
task pane. In contrast, discovery adds items to the console tree.
You discover items using the Run discovery task. The first time you open the
console, discovery runs automatically. At any stage afterwards, run discovery to
locate newly installed products or components and to update the console if items
were added to or removed from your deployment. For example, if another
instance of the console was used to configure settings, you need to run discovery
to add those updates.

To run discovery for all components

1. Select Suite Components in the console tree.
2. Click Run discovery in the task pane.
To run discovery for one component in the console tree, select the component and
then click Run discovery.
Run discovery regularly so that the console shows an up-to-date view of your
deployment. In particular, run discovery if:
• You installed or removed an Access Gateway or Advanced Access Control
item or component. The Console does not recognize any recently installed
items or components until you run discovery.
• Items are added to or removed from an existing deployment. The console
tree, the details pane, and the available tasks are “refreshed” only after
discovery is completed.
• Your administrative privileges change or you change a custom
administrator’s privileges. Modifications to privileges do not take effect in
the console until you rerun discovery.

Customizing Your Displays Using My Views


You can create custom displays of the details pane called My Views. These are
configurable displays that give you quick access to items you need to examine
regularly or items in different parts of the console tree that you want to group in
the same display. Instead of repeatedly browsing the console tree, you can place
the items in a single, easily retrieved display. For example, you can create a My
View to display policies for servers in different access server farms.

Configuring Your Farm with the Getting Started Panel


To help you configure your deployment, the Getting Started panel presents links
to several wizards that guide you through tasks such as configuring email and
access policies.

To access the Getting Started Panel

1. Select the Access Gateway node in the navigation pane.
2. Under Other Tasks in the task pane, click Getting started.
You can also right-click the Advanced Access Control node or the farm node in
the console tree and then click All Tasks > Getting started.

By default, the Getting Started panel appears when you click the Advanced
Access Control node. To prevent the Getting Started panel from appearing
automatically, clear the Always show this page check box located near the
bottom of the panel.

Linking to Citrix Presentation Server


You can link the access server farm to farms running Citrix Presentation Server.
This allows you to offer published resources from Citrix Presentation Server
through file type association or the Web Interface. When file type association is
allowed by policies, opening a document launches it in an associated application
running on a server.
To link your access server farm to farms running Citrix Presentation Server, you:
• Specify the farm(s) you want to link to your access server farm
• Configure load balancing or failover if the server farm includes multiple
servers
• Configure address modes if the server farm is behind a firewall configured
for Network Address Translation (NAT)
Before you link your access server farm, ensure the following requirements are
met in Citrix Presentation Server:
• Published resources are assigned to the same user groups assigned to
resources in the access server farm.
• The option Allow connections made through Access Gateway is enabled
for each published resource. This option appears in the access control
settings of the published resource properties.
• In each server’s properties, the option Trust requests sent to the XML
Service is selected.

Specifying Server Farms


Create a list of the server farms that are available to users of Access Gateway.
This list is used in logon point properties to specify which farms are available to
users of the logon point. Each server farm you configure contains a list of servers
you can use to specify load balancing or failover among servers within the farm.

To specify server farms

1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select the Presentation Server Farm page and click New.

3. In the Citrix Presentation Server farm name box, type the name or IP
address of the farm to which you want to link your access server farm.

Note: Advanced Access Control accepts server farm names up to 50
characters long. If the server farm name is longer than 50 characters, type
the IP address instead.

4. If you want to secure the link between Advanced Access Control and Citrix
Presentation Server, select the Secure communication with the farm by
applying a secure protocol check box.

Note: To apply a secure protocol, you must have the appropriate client
and server certificates installed on the Advanced Access Control servers
and Access Gateway appliances.

5. Click Next and then click Add.
6. In the Server name box, type the machine name of the server running
Citrix Presentation Server.

Configuring Load Balance or Failover


You can balance the load of requests sent to servers running Citrix Presentation
Server. Requests follow the sequence of the server list in Presentation Server
Farm Properties. The initial request goes to the first server on the list, the next
request goes to the second server, and so on. After the last server, the process
starts again at the top of the list.

Important: Do not prioritize the data collector or master ICA browser server as
the first server on the list.

You can use the list to sequence failover in case connectivity to a server becomes
unavailable. Use failover support to ensure continued access to published
resources.
The server list can sequence load balancing or failover support, but not both. By
default, the server list is used for failover.

To implement load balancing or failover support

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
The Presentation Server Farm Properties appear.
Chapter 6 Configuring Advanced Access Control 87

3. On the Servers page, use Up and Down to change the sequence of servers.
4. Select Load balance requests to servers or Set failover sequence of
unavailable servers.
5. To change the bypass interval, change the value displayed in minutes. The
default is five minutes.
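The server-list behaviour just described, as an added Python model (example code written for this edit, not Citrix code): round-robin load balancing or ordered failover over the configured list, with a server that fails bypassed for the bypass interval and then tried again. The server names and the injected clock are constructed for illustration. The same scheme applies to the RADIUS server lists described in Chapter 7 under "Creating RADIUS Authentication Profiles", where the bypass interval is given in seconds rather than minutes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ServerList:
    """Ordered server list with the two modes the console offers.

    mode="failover" (the default): every request goes to the first server in
    the list that is not currently bypassed.
    mode="loadbalance": requests rotate through the list, skipping bypassed
    servers, and wrap to the top after the last entry.
    A server that fails is bypassed for bypass_seconds (the console's bypass
    interval: 5 minutes by default for Presentation Server farms, 300 seconds
    for RADIUS profiles) and then tried again.
    """
    servers: List[str]
    mode: str = "failover"
    bypass_seconds: float = 300.0
    # Injected clock (seconds) so the behaviour can be exercised without waiting.
    clock: Callable[[], float] = field(default=lambda: 0.0)
    _bypassed_until: Dict[str, float] = field(default_factory=dict)
    _next_index: int = 0

    def __post_init__(self) -> None:
        if self.mode not in ("failover", "loadbalance"):
            raise ValueError(f"unknown mode {self.mode!r}")
        if not self.servers:
            raise ValueError("server list is empty")

    def _available(self, name: str) -> bool:
        return self.clock() >= self._bypassed_until.get(name, 0.0)

    def choose(self) -> Optional[str]:
        """Server the next request should go to, or None if all are bypassed."""
        n = len(self.servers)
        if self.mode == "loadbalance":
            for offset in range(n):
                i = (self._next_index + offset) % n
                if self._available(self.servers[i]):
                    self._next_index = (i + 1) % n
                    return self.servers[i]
            return None
        for name in self.servers:          # failover: strict list order
            if self._available(name):
                return name
        return None

    def mark_failed(self, name: str) -> None:
        """Record a connectivity failure; skip this server for the bypass interval."""
        if name not in self.servers:
            raise KeyError(name)
        self._bypassed_until[name] = self.clock() + self.bypass_seconds


if __name__ == "__main__":
    now = [0.0]                                  # constructed clock
    farm = ServerList(["ps-a", "ps-b", "ps-c"], mode="loadbalance",
                      bypass_seconds=300.0, clock=lambda: now[0])
    print([farm.choose() for _ in range(4)])     # rotates and wraps to the top
    farm.mark_failed("ps-b")
    print([farm.choose() for _ in range(3)])     # ps-b is skipped
    now[0] += 300.0
    print([farm.choose() for _ in range(3)])     # ps-b is back in rotation
```

The model does not encode the warning above about the data collector: keeping it off the top of the list is a configuration choice the administrator makes when ordering the servers.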

Configuring Address Modes


If your server farm is behind a firewall and the firewall is configured for Network
Address Translation (NAT), you can define settings to determine the IP address of
the server included in ICA files.

To configure address modes for client IP addresses

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
3. On the Address Mode page, click New.
4. In the Client IP Address box, type the incoming client IP address or range
of IP addresses for client requests in dotted-decimal format (for example,
255.255.255.255). For Access Gateway, the incoming address is the
address of the Access Gateway appliance, because remote users' requests
reach the farm through the appliance rather than from their own addresses.
5. Select the Server Address Mode from the list:
• Normal. The IP address sent to the client is the actual address of the
server. This is the default setting.
• Alternate Address. The IP address sent to the client is the alternate
address of the server. Alternate addresses are configured on the server
running Citrix Presentation Server. To use this option, you must have
a firewall with NAT enabled and alternate IP addresses assigned to
the servers. For more information about setting alternate addresses,
see the Citrix Presentation Server Administrator’s Guide.
• Translated Address. The IP address sent to the client is based on the
configured address translation mappings. For more information, see
“Configuring Address Translation” on page 88.
• Access Gateway. The IP address sent to the client is the actual
address of the Access Gateway appliance. To use this option, you
must also define the Access Gateway settings. For more information,
see “Configuring the Access Gateway Address Mode” on page 88.
You can assign addressing modes for specific IP addresses or a range of IP
addresses. You can use asterisks as wildcards (such as 10.12.128.*) to indicate a
range of IP addresses.

Configuring Address Translation


If your server farm is behind a firewall, you can hide internal server addresses by
performing the following tasks:
• Map the internal IP address of each server to an external IP address
• Specify the client addresses that use the translated address

Note: To use this option, you must have a firewall with Network Address
Translation (NAT) enabled.

To map the internal IP address of a server

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
The Presentation Server Farm Properties appear.
3. On the Address Mode page, click Address Translation.
4. Click New.
5. Enter the internal IP address and port of the server running Citrix
Presentation Server.
6. In the Translated address box, enter the external IP address and port that
clients must use to connect to the server.
7. On the Address Mode page, click New to open the New Client Address
Mode dialog box. Add the client IP address or range of addresses for the
clients that use the translated address you just configured. Select
Translated Address from the Server Address Mode list.
The Address Translation settings apply only to the specified client IP addresses
on the Address Mode page.
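How the Address Mode and Address Translation settings combine to decide which address goes into a user's ICA file, as an added Python example (written for this edit, not Citrix code). The client-address rules, translation mapping, server addresses and gateway name are constructed; the rule that the most specific matching client entry wins is an assumption, since the page does not state precedence between overlapping entries.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class ServerAddressMode(Enum):
    NORMAL = "Normal"                    # actual server address (default)
    ALTERNATE = "Alternate Address"      # alternate address set on the server
    TRANSLATED = "Translated Address"    # from the Address Translation table
    ACCESS_GATEWAY = "Access Gateway"    # the appliance's own address


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn a console client-address entry into a network.

    '198.51.100.7' -> 198.51.100.7/32, '10.12.128.*' -> 10.12.128.0/24,
    '10.12.*.*' -> 10.12.0.0/16. Only trailing asterisks are accepted.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad client address pattern: {pattern!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{address}/{8 * len(fixed)}")


@dataclass(frozen=True)
class ClientAddressMode:
    """One row of the Address Mode page."""
    clients: ipaddress.IPv4Network
    mode: ServerAddressMode


@dataclass(frozen=True)
class Server:
    name: str
    internal: str                    # "ip:port" as seen inside the firewall
    alternate: Optional[str] = None  # alternate address configured on the server


class AddressModeTable:
    def __init__(self, rules: Iterable[ClientAddressMode],
                 translations: Dict[str, str], gateway_address: str) -> None:
        self.rules = list(rules)
        self.translations = dict(translations)   # internal "ip:port" -> external "ip:port"
        self.gateway_address = gateway_address   # name on the appliance certificate + port

    def mode_for(self, client_ip: str) -> ServerAddressMode:
        ip = ipaddress.IPv4Address(client_ip)
        matches = [r for r in self.rules if ip in r.clients]
        if not matches:
            return ServerAddressMode.NORMAL      # the page's default
        # Assumption (precedence is not stated on the page): the most
        # specific matching entry wins.
        return max(matches, key=lambda r: r.clients.prefixlen).mode

    def ica_address(self, client_ip: str, server: Server) -> str:
        """Address written into the ICA file for this client and server."""
        mode = self.mode_for(client_ip)
        if mode is ServerAddressMode.NORMAL:
            return server.internal
        if mode is ServerAddressMode.ALTERNATE:
            if server.alternate is None:
                raise LookupError(f"{server.name} has no alternate address configured")
            return server.alternate
        if mode is ServerAddressMode.TRANSLATED:
            if server.internal not in self.translations:
                raise LookupError(f"no translation mapping for {server.internal}")
            return self.translations[server.internal]
        return self.gateway_address


if __name__ == "__main__":
    # Constructed configuration: one farm server, two client-address rules.
    table = AddressModeTable(
        rules=[
            ClientAddressMode(wildcard_to_network("10.12.128.*"), ServerAddressMode.TRANSLATED),
            ClientAddressMode(wildcard_to_network("198.51.100.7"), ServerAddressMode.ACCESS_GATEWAY),
        ],
        translations={"10.0.0.5:1494": "203.0.113.10:1494"},
        gateway_address="ag.example.com:443",
    )
    ps1 = Server("ps1", "10.0.0.5:1494", alternate="203.0.113.5:1494")
    for client in ("10.12.128.44", "198.51.100.7", "192.0.2.9"):
        print(client, "->", table.mode_for(client).value, table.ica_address(client, ps1))
```

A client that matches no entry gets the Normal mode, that is, the server's real internal address; if that client sits outside the firewall, the ICA file leaks an internal address and the connection fails, which is why the entry for the appliance's own address needs to exist.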

Configuring the Access Gateway Address Mode


If you are providing applications through Citrix Presentation Server, you must
configure the server address mode. The server address mode determines which
server IP address is sent to users when they open applications from the farm
running Citrix Presentation Server.

To configure the Access Gateway address mode

1. Select the access server farm and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.

3. On the Address Mode page, click Access Gateway.


4. Select the option to configure Access Gateway.
5. Enter the Access Gateway server name (exactly as it appears on the server
certificate) and port.
6. If the servers in your server farm are behind a firewall and configured to
use NAT alternate addresses, select the option to use alternate addresses.

Associating Access Platform Sites


If you display multiple sites within the Access Interface and want to preserve
Workspace Control functions, you must select an Access Platform site to
associate with a Presentation Server farm. After you configure and publish an
Access Platform site as a Web resource, you can select the site from the Web
Interface page of the farm properties. For more information, see “Displaying
Multiple Sites and Caching Credentials” on page 160.

Configuring Logon Points


The logon point defines the logon page for users and specifies settings that are
applied to user sessions. These initial settings include the required authentication
strength, the clients to use, the home page, and the accessible server farms. User
sessions inherit the properties of the logon point through which they connect.
To determine the logon points you will need, consider:
• The users who will be accessing your deployment. For example, users in a
particular department may require their own logon point. Likewise, users
with a specific relationship to your organization, such as partners, may
require their own logon point.
• The devices with which users access the logon point. For example, users
who access resources with small form factor devices such as a PDA may
require a logon point separate from the logon point accessed with
workstations.
• The policies you want to create that restrict access to resources based on the
logon point used. For example, users who authenticate from a specific
logon point can access specific resources that are unavailable when using a
different logon point.
For more information about using logon points in policies to control access to
resources, see “Controlling Access Through Policies” on page 131.
To configure a logon point in your deployment, you perform the following tasks:
• Create the logon point using the console

• Deploy the logon point using the Server Configuration utility

To create a logon point

1. In the console tree, select Logon Points.


2. Under Common Tasks in the task pane, click Create logon point.
3. Type a unique name and description for the new logon point.
4. Select a home page from the following options:
• Display the default navigation page. Displays the Access Interface,
a built-in default home page for users, with tabs for email, file shares,
and Web applications.
• Display the home page application with the highest display
priority. Displays the Web application listed at the top of the display
order list. To change the display priority, click Set Display Order.
5. On the Authentication and Authorization pages, select the authentication
method and group authority you want to use when users log on. For more
information about configuring authentication, see “Securing User
Connections” on page 101.
6. On the Presentation Server Farms page, add the farms that you want to
make available to users through file type association. If you are using the
Web Interface to deliver published applications, you do not need to add
farms to the logon point. For more information about using the Web
Interface with Advanced Access Control, see “Integrating Citrix
Presentation Server” on page 157.
7. Configure options for sound, windows, and Workspace Control.

Note: Workspace Control allows users to reconnect to their open
applications. If users have pop-up blockers enabled, they are prompted to
allow each application to open in a separate window.

8. On the Clients page, select the clients you want to deploy to users during
logon.
9. On the Sessions Settings page, set the options for the method of prompting
users for their domain and the number of days to warn users about
password expiration.

Note: Users who allow their passwords to expire cannot log on to
Advanced Access Control. For more information about restoring access to
these users, see “Changing Expired Passwords” on page 93.

10. On the Session Timeouts page, set the interval, in minutes, for the
following time-out settings:
• Maximum time for VPN client sessions. The length of time a
session using the Secure Access Client is allowed to remain active.
The default value of zero means the session remains active
indefinitely.
• Maximum time for traffic inactivity before session ends. The
length of time a browser-only session or a session using the Secure
Access Client is allowed to remain active without any traffic activity
detected. The default value is 20 minutes. You may want to increase
this value if users experience excessive time-outs with features such
as Live Edit that do not communicate with the Advanced Access
Control server to keep sessions active. If you enter zero for this
setting, the session will remain active regardless of inactivity.
• Maximum time for mouse and keyboard inactivity before VPN
session ends. The length of time a session using the Secure Access
Client is allowed to remain active without any mouse or keyboard
input detected. If you enter zero for this setting, the session will
remain active regardless of inactivity.
11. On the Visibility page, select whether to show the logon page to users
logging on through the Access Gateway or to set conditions for showing the
logon page to users logging on to Advanced Access Control directly. The
default logon point is always visible to users logging on through the Access
Gateway. For more information about using conditions for showing the
logon page, see “Setting Conditions for Showing the Logon Page” on page
141.
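The three Session Timeouts values and the effect of entering zero, as an added Python example (written for this edit, not Citrix code). The function names and the sample session ages are constructed; what it shows is that with the default values a Secure Access Client session that keeps generating traffic never expires, since the two VPN-specific timers are off until you set them.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SessionTimeouts:
    """The three Session Timeouts values, in minutes. Zero disables a timer,
    which is the setting to avoid on an Internet-facing logon point."""
    max_vpn_session: int = 0        # Secure Access Client sessions only
    traffic_inactivity: int = 20    # browser-only and Secure Access Client sessions
    input_inactivity: int = 0       # Secure Access Client sessions only

    def __post_init__(self) -> None:
        for name in ("max_vpn_session", "traffic_inactivity", "input_inactivity"):
            if getattr(self, name) < 0:
                raise ValueError(f"{name} must be zero or positive")


def expiry_reason(cfg: SessionTimeouts, *, vpn: bool, age_min: float,
                  idle_traffic_min: float, idle_input_min: float) -> Optional[str]:
    """Why the session must end now, or None if it may continue.

    vpn: True for a Secure Access Client session, False for browser-only.
    age_min / idle_*_min: minutes since logon, last traffic, last input.
    """
    checks = (
        (vpn, cfg.max_vpn_session, age_min, "maximum VPN session time reached"),
        (True, cfg.traffic_inactivity, idle_traffic_min, "traffic inactivity"),
        (vpn, cfg.input_inactivity, idle_input_min, "mouse and keyboard inactivity"),
    )
    for applies, limit_min, observed_min, reason in checks:
        if applies and limit_min > 0 and observed_min >= limit_min:
            return reason
    return None


def disabled_timers(cfg: SessionTimeouts) -> List[str]:
    """Timers set to zero: a session governed only by these never expires."""
    found = []
    if cfg.max_vpn_session == 0:
        found.append("max_vpn_session")
    if cfg.traffic_inactivity == 0:
        found.append("traffic_inactivity")
    if cfg.input_inactivity == 0:
        found.append("input_inactivity")
    return found


if __name__ == "__main__":
    defaults = SessionTimeouts()
    print(disabled_timers(defaults))   # the two VPN-only timers are off by default
    # Constructed case: a three-day-old VPN session with steady traffic and
    # no keyboard or mouse input is still valid under the defaults.
    print(expiry_reason(defaults, vpn=True, age_min=72 * 60,
                        idle_traffic_min=1, idle_input_min=72 * 60))
```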

To deploy a logon point

1. Click Start > Programs or All Programs > Citrix > Access Gateway >
Server Configuration.
2. From the Configured Logon Points page, select the logon point you want
to deploy.
3. Click Deploy.

Renaming Logon Points


If you rename an existing logon point, you must redeploy it to make it available to
users. To redeploy a renamed logon point, open the Server Configuration utility
and select the renamed logon point. Click Update to redeploy the logon point.

Logging on through the Logon Point


When you deploy a logon point, a logon point folder is created in a virtual
directory named CitrixLogonPoint. A URL pointing to the logon point folder can
be used to access the network. For example:
https://appliancename/CitrixLogonPoint/logonpointname
where appliancename is the FQDN or IP address of the Access Gateway
appliance and logonpointname is the name of the logon point folder.
During installation, Advanced Access Control creates a logon point, called
SampleLogonPoint, that you can use for testing. To access this logon point, you
type the following URL:
https://appliancename/CitrixLogonPoint/SampleLogonPoint
where appliancename is the FQDN or IP address of the Access Gateway
appliance.

Important: The sample logon point is designed for testing purposes only.
Default policies created for the sample logon point allow all authenticated users
to see the logon page and to log on, and it is also the default logon point after
installation, so it is reachable through the Access Gateway without a logon point
name in the URL. After testing your system, replace the sample logon point or
edit these policies to comply with your network security guidelines. For more
information, see “Controlling Access Through Policies” on page 131.

Users can also access the default logon point by typing the following URL:
https://appliancename/
where appliancename is the FQDN or IP address of the Access Gateway
appliance. For more information about default logon points, see “Setting the
Default Logon Point” on page 93.
For more information about distributing logon points to users, see “Rolling Out
Advanced Access Control to Users” on page 195.

Updating Logon Page Information


The Access Gateway stores copies of the Web pages and graphic files that
comprise the logon pages users see when they access resources. You must update
these files when you:
• Deploy a new logon point
• Customize an existing logon page
• Redeploy a renamed logon point

To update logon page files on the Access Gateway

1. From the console tree, expand Logon Points and select the logon point you
want to update.
2. In Common Tasks, click Refresh logon page information.
If the Access Gateway is unavailable when you perform this task, the console
displays an error message indicating that the gateway appliance is out of date.
Rerun the task after the Access Gateway becomes available; the console then
displays a message indicating that the update was successful.

Changing Expired Passwords


The Session Settings page in the logon point properties allows you to specify the
number of days to warn users about password expiration. Users can change their
password at any time during this period and continue accessing resources through
the logon point. Users who allow their passwords to expire are denied access and
are not prompted to change their expired passwords.
To restore access to users with expired passwords, select the User must change
password at next logon check box in the user’s Windows account properties.
The next time the user attempts to log on to Advanced Access Control, the user is
prompted to change the expired password.

Setting the Default Logon Point


Default logon points enable users to log on to the access server farm through the
Access Gateway without specifying a logon point. You can designate a logon
point as the default using the console. When you install Advanced Access Control
the SampleLogonPoint is designated as the default logon point. Only one logon
point can be designated as the default at any time.

When you set a logon point as the default, the logon point becomes visible
automatically to users logging on through the Access Gateway. If, at a later time,
you set a different logon point as the default, the previous default logon point
remains visible to these users. If you want that logon point to be visible only to
users logging on to Advanced Access Control within the corporate network, you
must change the visibility settings in the logon point properties. For more
information about configuring logon points, see “Configuring Logon Points” on
page 89.

To set a default logon point

1. In the console tree, expand Logon Points and select the logon point you
want to designate as the default.
2. Under Common Tasks, click Set as default logon point.

Removing Logon Points


To remove a logon point from your deployment, you perform the following tasks:
• Remove any policies associated with the logon point
• Delete the logon point from the console
• Remove the logon point’s virtual directory from the Advanced Access
Control server using the Server Configuration utility

To delete a logon point from the console

1. In the console tree, expand Logon Points and then select the logon point
you want to delete.
2. Under Common Tasks in the task pane, click Delete logon point.

To remove a logon point’s virtual directory from the server

1. Click Start > Programs or All Programs > Citrix > Access Gateway >
Server Configuration.
2. On the Configured Logon Points page, select the logon point you want to
remove.
3. Click Remove.

Configuring the Access Gateway


To enable the full range of access control features in Advanced Access Control,
you configure the settings on the Advanced Options tab in the Access Gateway
Administration Tool. Additionally, you use the Access Management Console to
configure the settings that govern all the gateway appliances in your access server
farm. These settings include:
• Enable split tunneling and specify the networks that can be accessed
through the Access Gateway
• Capture system log messages
• Enable Simple Network Management Protocol (SNMP) logs
• Enable features that are controlled by the communication between the
Secure Access Client and the Access Gateway
• Create client access control lists (ACLs)

Configuring Split Tunneling


Split tunneling enables client devices to communicate with public Internet
resources and your corporate network concurrently.
Enabling split tunneling can improve the efficiency of the client connection and
minimizes the occurrence of “Access Denied” messages when users access
resources on the Internet or your corporate network. However, split tunneling
requires you to configure a list of accessible networks so that users can access
corporate resources. If this list is not defined, users cannot access any corporate
resources regardless of any policies granting access.
Disabling split tunneling maximizes the security of client connections and
requires no additional configuration for users to begin accessing corporate
resources. When split tunneling is disabled, all network traffic sent by the Secure
Access Client is routed through the Access Gateway, including traffic to public
Internet Web sites, so the client device cannot act as a bridge between the
Internet and the corporate network while the session is open. Therefore, when
users log on through the Access Gateway, they can access only the resources you
define. If a user tries to access a resource that you have not defined, such as a
public Web site, access is denied by default.

To configure split tunneling

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Accessible Networks page, select or clear the option to enable split
tunneling.

4. If you enable split tunneling, click New to configure the list of accessible
networks.
5. In the New Accessible Network box, select the addressing method you
want to use.
6. Enter the destination IP address and, depending on the selected addressing
method, the corresponding subnet mask or network prefix length.

Configuring Accessible Networks


Accessible networks are the networks and subnets that can be accessed through
the Access Gateway when split tunneling is enabled for the Secure Access Client.
Users can access a server or subnet address provided that address is defined in
one of the accessible networks. When a user logs on using the Secure Access
Client, the access control list (ACL) received during authorization governs the
accessible networks available to that user.
When using accessible networks, be aware of the following limitations:
• The Secure Access Client can recognize only 24 accessible networks. If
your organization has a large number of subnets and you want to enable
split tunneling, you may need to define supersets of networks so that you
can define all required networks within the 24 recognized accessible
networks.
• When you enable split tunneling, all network resources you create in the
Access Management Console must fall within the accessible networks you
define. If you create a network resource that falls outside of these accessible
networks, users cannot access the resource regardless of any policies
granting access.
When you define an accessible network in the Access Management Console, you
specify the destination using either an IP address and subnet mask or the
Classless Inter-Domain Routing (CIDR) addressing scheme.
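Checking an accessible-network list against the two limitations above, as an added Python example using the standard ipaddress module (written for this edit, not Citrix code). It accepts both console forms (address plus subnet mask, or CIDR), merges adjacent subnets into the "supersets" the text mentions, widens the list until it fits within the 24 networks the client recognizes, and reports network resources that fall outside the list. The subnets are constructed; IPv4 only.

```python
import ipaddress
from typing import Iterable, List, Union

MAX_ACCESSIBLE_NETWORKS = 24   # Secure Access Client limit stated in this section

NetSpec = Union[str, ipaddress.IPv4Network]


def parse_network(spec: NetSpec) -> ipaddress.IPv4Network:
    """Accept both console forms, CIDR ('10.1.0.0/16') and address plus dotted
    subnet mask ('10.1.0.0/255.255.0.0'). An address with host bits set
    ('10.1.2.3/16') is rejected instead of being silently masked."""
    if isinstance(spec, ipaddress.IPv4Network):
        return spec
    return ipaddress.IPv4Network(spec, strict=True)


def collapse(networks: Iterable[NetSpec]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent networks into the fewest entries
    (the 'supersets' the text suggests); the result is sorted."""
    return list(ipaddress.collapse_addresses(parse_network(n) for n in networks))


def common_supernet(a: ipaddress.IPv4Network,
                    b: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Smallest single network that contains both a and b."""
    net = a
    while not (a.subnet_of(net) and b.subnet_of(net)):
        net = net.supernet()
    return net


def widen(networks: Iterable[NetSpec],
          limit: int = MAX_ACCESSIBLE_NETWORKS) -> List[ipaddress.IPv4Network]:
    """Shrink the list to at most `limit` entries by repeatedly replacing the
    two neighbours with the smallest common supernet. Each merge admits
    address space that was not in the original list, so review the result
    before entering it as the accessible-network list."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = collapse(networks)
    while len(nets) > limit:
        best = None
        for a, b in zip(nets, nets[1:]):
            s = common_supernet(a, b)
            if best is None or s.prefixlen > best[0].prefixlen:
                best = (s, a, b)
        s, a, b = best
        nets = collapse([n for n in nets if n not in (a, b)] + [s])
    return nets


def unreachable_resources(accessible: Iterable[NetSpec],
                          resources: Iterable[str]) -> List[str]:
    """Network resources that lie outside the accessible networks. With split
    tunneling enabled these are unreachable regardless of policy."""
    acc = collapse(accessible)
    return [r for r in resources
            if not any(parse_network(r).subnet_of(a) for a in acc)]


if __name__ == "__main__":
    # Constructed example: two adjacent /24s and one unrelated subnet.
    accessible = ["10.1.0.0/255.255.255.0", "10.1.1.0/24", "192.168.5.0/24"]
    print([str(n) for n in collapse(accessible)])
    print(unreachable_resources(accessible, ["10.1.1.128/25", "10.2.0.0/16"]))
    thirty = [f"10.{i}.0.0/24" for i in range(0, 60, 2)]   # too many for the client
    print(len(thirty), "->", len(widen(thirty)), "entries after widening")
```

Widening is a trade-off: every supernet you add to stay under the 24-entry limit also routes address space through the tunnel that you never intended to expose, so compare the widened list against the original before deploying it.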

Forwarding System Messages


System message logs contain information that can help support personnel assist
with troubleshooting. You can forward system messages to a syslog server or
enable SNMP logs.

To forward Access Gateway messages to a syslog server

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.

3. On the Syslog and SNMP page under Syslog Settings, type the IP address
or the FQDN of the syslog server you want to capture system messages sent
by the Access Gateway.
4. In Syslog facility, select the facility you want to use for captured messages.
Select User Level for generic user processes. Select Local Use 0 - 7 if you
defined one of these facilities for Access Gateway processes. For example,
a syslog server may have Local Use 0 defined for anonymous FTP
processes while Local Use 1 is reserved for Access Gateway processes.
5. In Statistics broadcast interval, type the frequency in minutes at which
you want the Access Gateway to send system messages. If the broadcast
interval is set to zero, broadcasting is continuous.
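Why the syslog facility matters on the receiving side, as an added Python example (written for this edit, not Citrix code): the collector separates Access Gateway messages from those of other processes by the facility code in the PRI field (facility × 8 + severity, so Local Use 1 at severity "info" arrives as <142>). The sample lines are constructed and their message bodies are placeholders, not real Access Gateway output.

```python
import re
from typing import Dict, List, Tuple

# RFC 3164 facility codes for the choices offered on the Syslog and SNMP page.
FACILITY_CODES: Dict[str, int] = {"User Level": 1, **{f"Local Use {i}": 16 + i for i in range(8)}}
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility: int, severity: int) -> int:
    """PRI field value: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility 0-23 and severity 0-7 only")
    return facility * 8 + severity


def decode_pri(line: str) -> Tuple[int, int, str]:
    """Split a syslog line into (facility, severity, rest-of-message)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    value = int(m.group(1))
    if value > 191:
        raise ValueError(f"PRI {value} out of range")
    facility, severity = divmod(value, 8)
    return facility, severity, m.group(2)


def route(lines: List[str], gateway_facility: int) -> Tuple[List[str], List[str], List[str]]:
    """Separate Access Gateway messages from everything else that arrives at
    the same collector, and pull out the gateway messages at 'warning' or
    worse. Returns (gateway_msgs, other_msgs, gateway_alerts)."""
    gateway, other, alerts = [], [], []
    for line in lines:
        facility, severity, msg = decode_pri(line)
        if facility != gateway_facility:
            other.append(msg)
            continue
        gateway.append(msg)
        if severity <= SEVERITIES.index("warning"):
            alerts.append(msg)
    return gateway, other, alerts


# Constructed sample input: an FTP daemon on Local Use 0, the appliance on
# Local Use 1, and an unrelated process on User Level. Message bodies are
# placeholders, not real Access Gateway log text.
SAMPLE_LINES = [
    f"<{pri(16, 6)}>Jan  1 00:00:01 ftp1 constructed: anonymous login",
    f"<{pri(17, 6)}>Jan  1 00:00:02 ag1 constructed: session started",
    f"<{pri(17, 4)}>Jan  1 00:00:03 ag1 constructed: logon failure",
    f"<{pri(1, 6)}>Jan  1 00:00:04 app1 constructed: user process",
]

if __name__ == "__main__":
    gw, rest, alerts = route(SAMPLE_LINES, FACILITY_CODES["Local Use 1"])
    print(len(gw), "gateway messages,", len(rest), "others,", len(alerts), "alerts")
```

If the appliance were put on the same facility as the FTP daemon, the collector could no longer tell the two streams apart by PRI alone, which is the practical reason for reserving one of the Local Use facilities for Access Gateway.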

To enable logging of SNMP messages

When Simple Network Management Protocol (SNMP) is enabled, the Access
Gateway reports the MIB-II system group (1.3.6.1.2.1). The Access Gateway
does not support Access Gateway-specific SNMP data.
1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Syslog and SNMP page under SNMP Settings, select Enable
logging of SNMP messages.
4. In SNMP server name or address, type the location of the SNMP server.
This required field is informational only.
5. In Name of SNMP contact or associate, type the contact. This field is
informational only.
6. In SNMP Community, type the name of the community. This required
field is informational only.
7. In Port, type the port.

Configuring Client Properties


The Client Properties page of the gateway appliances properties controls a variety
of settings that affect the interaction between the Access Gateway and the Secure
Access Client.

To configure client properties

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.

3. On the Client Properties page, select any of the following check boxes:
• Require SSL client certificate for users connecting via the
gateway appliances. If you want additional authentication, select
this option to require certificates for Windows client computers. If a
client certificate is required, it must be provided by the network
administrator. The certificate is installed separately into the certificate
store using the Microsoft Management Console. When this
requirement is enforced, every computer that logs on through the
Access Gateway must have an SSL client certificate that is in P12
format.
• Enable internal failover. Select this option to enable the Secure
Access Client to connect to the Access Gateway from inside the
firewall if the Access Gateway IP address cannot be reached. When
internal failover is configured, the client fails over to the internal
IP address of the Access Gateway if the external IP address cannot be
reached. The Secure Access Client must connect at least once to
retrieve the failover list, which is then cached in the registry.

Note: Internal failover is not available for browser-only access.

• Enable failover among gateway appliances. You can configure an
Access Gateway to fail over to multiple Access Gateways. Because
the Access Gateway failover is active/active, you can use each
Access Gateway as a primary gateway for a different set of users.

Configuring Server Properties


The Server Properties page of the gateway appliances properties controls settings
related to securing communications between the Access Gateway and Secure
Access Client and improving Voice over IP connections.

To configure server properties

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Server Properties page, select any of the following check boxes:
• Validate SSL certificates on backend. Select this option to require
the Access Gateway to validate the SSL server certificates presented by
internal servers. This increases security for internal connections
originating from the Access Gateway: without validation the appliance
accepts any certificate a server presents, so validating server
certificates is an important security measure that helps prevent
man-in-the-middle attacks between the appliance and the servers it
connects to. The Access Gateway requires the root certificates used to
sign the server certificates to be installed on the appliance.
• Improve latency for Voice over IP traffic. Select this option to
improve the latency and audio quality of Voice over IP (VoIP) traffic
over an SSL connection. If you select this option, the Access
Gateway appliance uses a 56-bit key to encrypt this traffic, which is
far weaker than the bulk encryption cipher used for other session
data. Citrix recommends the use of strong ciphers to reduce the
possibility of a malicious attack on the corporate network, so leave
this option cleared unless VoIP quality genuinely requires it. For more
information about improving VoIP connections made through the Access
Gateway appliance, see the Access Gateway Standard Edition
Administrator’s Guide.
4. Select the bulk encryption cipher you want to use for symmetric encryption
of data over SSL connections.

Configuring ICA Access Control


Citrix Presentation Server uses the Independent Computing Architecture (ICA)
protocol for communication between its clients and servers. When using the
Access Gateway as a proxy to tunnel ICA traffic without the Secure Access
Client, you can control which servers running Citrix Presentation Server that
users can access. To do this, you provide an access control list (ACL) in the
Access Management Console. When users request published applications through
the Access Gateway, they are granted or denied access based on the ACL you
provide.
If you are using the Web Interface to deliver published applications through the
Access Gateway, you must configure the Web Interface’s Secure Gateway
settings with the FQDN of the Access Gateway.

Important: ACLs you specify are not applied when published applications are
configured as network resources.

To configure ICA access control

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.
3. On the ICA Access Control page, select the option to provide unrestricted
access or use an ACL to restrict access to servers running Citrix
Presentation Server.

4. To provide an ACL, click New.


5. In Start IP address and End IP address, type the range of IP addresses of
the servers running Citrix Presentation Server you want to include.
6. In Port, type the port number or enable the default port.
7. In Protocol, select the protocol you want to use.
• Select ICA to allow ICA/SOCKS connections to the selected servers.
Typically, you would use ICA for servers running Citrix Presentation
Server that accept ICA/SOCKS connections.
• Select CGP to allow CGP connections to the selected servers.
Typically, you would use CGP for servers running Citrix Presentation
Server that accept CGP connections. CGP can provide session
reliability if you enable session reliability on the selected servers.
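The allow/deny decision an ICA access control list makes, as an added Python example (written for this edit, not Citrix code): each entry is an inclusive address range, a protocol and a port, and a proxied connection is allowed only when an entry matches on all three. The server ranges are constructed; the default ports of 1494 for ICA and 2598 for CGP are the standard Citrix listener ports and are not stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Standard Citrix listener ports; the page refers to them only as "the default port".
DEFAULT_PORTS = {"ICA": 1494, "CGP": 2598}


@dataclass(frozen=True)
class AclEntry:
    """One row of the ICA Access Control page: an inclusive address range,
    a protocol, and a port (None = that protocol's default port)."""
    start_ip: str
    end_ip: str
    protocol: str
    port: Optional[int] = None

    def __post_init__(self) -> None:
        if self.protocol not in DEFAULT_PORTS:
            raise ValueError(f"protocol must be one of {sorted(DEFAULT_PORTS)}")
        if self._lo() > self._hi():
            raise ValueError("start IP address is above end IP address")

    def _lo(self) -> int:
        return int(ipaddress.IPv4Address(self.start_ip))

    def _hi(self) -> int:
        return int(ipaddress.IPv4Address(self.end_ip))

    def effective_port(self) -> int:
        return self.port if self.port is not None else DEFAULT_PORTS[self.protocol]

    def matches(self, host: str, port: int, protocol: str) -> bool:
        return (protocol == self.protocol
                and port == self.effective_port()
                and self._lo() <= int(ipaddress.IPv4Address(host)) <= self._hi())


class IcaAccessControl:
    """Decision the appliance makes for a proxied ICA/CGP connection request
    (access without the Secure Access Client). As the page notes, these ACLs
    do not apply to published applications configured as network resources."""
    def __init__(self, unrestricted: bool = False,
                 entries: Iterable[AclEntry] = ()) -> None:
        self.unrestricted = unrestricted
        self.entries = list(entries)

    def allowed(self, host: str, port: int, protocol: str) -> bool:
        if self.unrestricted:
            return True
        return any(e.matches(host, port, protocol) for e in self.entries)


if __name__ == "__main__":
    # Constructed farm: servers 10.0.1.10-10.0.1.20 accept ICA and CGP.
    acl = IcaAccessControl(entries=[
        AclEntry("10.0.1.10", "10.0.1.20", "ICA"),
        AclEntry("10.0.1.10", "10.0.1.20", "CGP"),
    ])
    for req in (("10.0.1.15", 1494, "ICA"), ("10.0.1.15", 2598, "CGP"),
                ("10.0.1.21", 1494, "ICA"), ("10.0.1.15", 2598, "ICA")):
        print(req, "->", "allow" if acl.allowed(*req) else "deny")
```

Note that a farm which accepts both protocols needs two entries: the ICA entry does not admit a CGP connection to the same hosts, and the reverse, because the protocol and its port are part of the match.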

Configuring Authentication with Citrix Presentation Server


Citrix Presentation Server works with the Web Interface and the Secure Ticket
Authority (STA) to provide authentication and authorization for clients. To
provide access to published applications using the Web Interface through the
Access Gateway, you must configure the STA settings in the gateway appliances
properties. You also configure these settings to preserve Workspace Control when
you enable the display of multiple Access Platform sites within the Access
Interface.

To configure the Access Gateway to use the Secure Ticket Authority

1. From the console tree, select Gateway Appliances.


2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Secure Ticketing Authority page, click New.
4. Type the IP address or FQDN of the server where the STA is installed.
5. Select Use secure communication to secure the connection to the STA.
6. In STA Path, type the path of the STA.
7. In STA ID, type the ID of the STA or click Retrieve STA ID to
automatically enter the ID based on the server and path.
CHAPTER 7

Securing User Connections

Access Gateway Advanced Edition supports authentication and authorization for
users connecting from remote locations. Advanced Access Control supports
several authentication types including Active Directory, LDAP, RADIUS, RSA
SecurID, and Secure Computing SafeWord products.
You can enable these authentication types by configuring the Logon Point
Properties in the Access Management Console. When you configure a logon
point, you select the authentication and authorization methods you want to use.
For example, you can select LDAP to authenticate users and Active Directory to
authorize users to access certain corporate resources.
The following topics discuss how to configure these authentication types:
• “Configuring Advanced Authentication” on page 101
• “Configuring RADIUS and LDAP Authentication” on page 102
• “Configuring RSA SecurID Authentication” on page 108
• “Configuring SafeWord Authentication” on page 110
• “Configuring Trusted Authentication” on page 115

Configuring Advanced Authentication


Access Gateway Advanced Edition supports using Active Directory as the only
authenticator and group authority as well as with another authentication method
such as RADIUS, RSA SecurID, or Secure Computing SafeWord. When you
configure advanced authentication, only Active Directory is allowed as the group
authority for the logon point you want to use.
To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0
must be installed on the Advanced Access Control server. See “RADIUS
Requirements” on page 53 for more information.

To configure a logon point with advanced authentication

If you are configuring advanced authentication with RADIUS, ensure you
configure a RADIUS authentication profile before you configure the logon point.
See “Creating RADIUS Authentication Profiles” on page 102 for more
information.
1. In the console tree, select the logon point you want to configure. For more
information about creating a new logon point, see “Configuring Logon
Points” on page 89.
2. On the Authentication page, under Advanced Authentication select the
authentication method you want to use with Active Directory.
3. On the Authorization page, only Active Directory is selected. If you are
using a RADIUS profile with Active Directory, select whether or not the
RADIUS and Active Directory servers use the same password.
If you are configuring advanced authentication with RADIUS, you need to set the
RADIUS authentication credentials for the logon point. For more information,
see “Setting Authentication Credentials for Logon Points” on page 106.
For more information about configuring advanced authentication for SecurID and
SafeWord products, see “Configuring RSA SecurID Authentication” on page 108
and “Configuring Advanced Authentication with SafeWord” on page 111.

Configuring RADIUS and LDAP Authentication


To use RADIUS or LDAP authentication when users log on through a logon
point, perform the following tasks:
• Install and configure a RADIUS or LDAP server
• Create RADIUS or LDAP authentication profiles
• Assign the authentication profile to a logon point
• Set the authentication credentials for the logon point
To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0
must be installed on the Advanced Access Control server. See “RADIUS
Requirements” on page 53 for more information.

Creating RADIUS Authentication Profiles


Authentication profiles allow you to configure RADIUS settings at the farm level
and apply them to one or more logon points. Creating a RADIUS authentication
profile involves the following tasks:
Chapter 7 Securing User Connections 103

• Define RADIUS server authentication to specify the RADIUS servers you want to use, the time-out period, and to configure server load balancing or failover
• Define RADIUS authorization using the attributes and values configured on your RADIUS server

To define RADIUS authentication

1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select Authentication Profiles and then click New under RADIUS
profiles. Type a name and description to define the profile.
3. Click New to enter the RADIUS server and corresponding ports.
4. If you have multiple RADIUS servers, select to use the server list for one of
the following:
• Load balancing of requests to the servers. Requests follow the
sequence of the server list so that the initial request goes to the first
server in the list, the next request goes to the second server, and so on.
• Failover sequence of communication if servers become
unavailable. In the event connectivity to a server becomes
unavailable, connectivity with another server in the list ensures
RADIUS authentication services remain available to users.
5. Use the arrows to change a server’s position in the list.
6. Change the value in the Bypass failed servers for this time interval field
if you want to specify the amount of time an unavailable server should be
bypassed. The default value is 300 seconds.
7. If you want to audit RADIUS events, select Enable RADIUS auditing.
8. If you want to change the period in which the user authentication process
times out for lack of a server response, change the value in the Cancel
authentication after this time field. By default, authentication times out
after 30 seconds elapse.

To define RADIUS authorization

1. From the RADIUS Profile Configuration dialog box, click Configure Authorization.
2. In Group attribute name, type the group name that is defined on your
RADIUS server.

3. Type the Separator you want to use if multiple user groups are included in
the RADIUS configuration. A separator can be a period, a semicolon, or a
colon.
4. In the Vendor identifier field, type the vendor-specific code number that
was entered on your RADIUS server.
5. In the Vendor specified type field, type the vendor-assigned attribute
number.

Creating LDAP Authentication Profiles


Authentication profiles allow you to configure LDAP settings at the farm level
and apply them to one or more logon points. When using LDAP authentication
and Active Directory authorization, group names, including character and case,
must be identical.

To create an LDAP authentication profile

1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select Authentication Profiles and then click New under LDAP profiles.
3. Type a name and description to define the profile.
4. Type the name or IP address of the LDAP server you want to use.
5. In Port, type the server port number that your LDAP server uses for LDAP
requests.
6. In Administrator DN, type the distinguished name of the administrative
user that has access to your LDAP server and the rights to look up user
entries in the LDAP repository. The following are examples of syntax for
this field:
“domain/user name”
“ou=administrators,dc=ace,dc=com”
“user@domain.name” (for Active Directory)
“cn=Administrator,cn=Users,dc=ace,dc=com”
For Active Directory, the group name, specified as cn=groupname, is
required. The group name that is defined in the Access Gateway must be
identical to the group name that is defined on the LDAP server.
For other LDAP directories, the group name either is not required or, if
required, is specified as ou=groupname.
The Access Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Access Gateway unbinds the administrator credentials and rebinds with the user credentials.
7. In Base DN, type the distinguished name under which user lookups should
begin. Base DN is usually derived from the Bind DN by removing the user
name and specifying the group where users are located. Examples of syntax
for Base DN include:
“ou=users,dc=ace,dc=com”
“cn=Users,dc=ace,dc=com”
8. In LDAP attribute for user logon names, type the attribute under which
the Access Gateway should look for user logon names for the LDAP server
that you are configuring. Depending on the directory service you are using,
type one of the following attributes:
• For Active Directory, use the default sAMAccountName.
• For Novell eDirectory or Lotus Domino, use cn.
• For IBM Directory Server, use uid.
• For Sun ONE Directory, use uid or cn.
9. In LDAP group attribute, type the name of the group attribute the Access
Gateway should use to obtain the groups associated with a user during
authorization. Depending on the directory service you are using, type one
of the following attributes:
• For Active Directory, use the default memberOf.
• For Novell eDirectory, use groupMembership.
• For IBM Directory Server, use ibm-allGroups.
• For Sun ONE Directory, use nsRole.
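The lookup described in steps 6 through 9 (bind as the administrator, search the Base DN for the logon-name attribute, rebind as the user, then read the group attribute) has two details worth getting right: the logon name a user types goes into an LDAP search filter, so it must be escaped, and group names are compared exactly. The following is an added example, not Citrix code, showing those pieces in Python: RFC 4515 filter escaping, deriving a Base DN from the Administrator DN as the guide describes, and reducing memberOf values to the group names policies are written against. It does not open a directory connection; the DN and group values are constructed.

```python
"""Helpers for the LDAP profile settings described above: building the
user-lookup filter safely, deriving a Base DN from the Administrator (bind) DN,
and comparing group names exactly. Added example; not Citrix code."""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in an LDAP search filter.
    Without this, a logon name such as '*' or 'x)(objectClass=*' rewrites the
    filter and can match (and then bind as) an unintended entry."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(logon_attr: str, logon_name: str) -> str:
    """Filter used to locate the user under the Base DN, e.g.
    (sAMAccountName=jdoe) for Active Directory or (uid=jdoe) for IBM/Sun."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", logon_attr):
        raise ValueError("attribute names are administrator-controlled, not user input")
    return f"({logon_attr}={escape_filter_value(logon_name)})"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def base_dn_from_bind_dn(bind_dn: str) -> str:
    """Drop the leaf RDN (the administrator's own name) to get the container in
    which user lookups start, as the guide describes for Base DN."""
    rdns = split_dn(bind_dn)
    if len(rdns) < 2:
        raise ValueError("bind DN has no parent container")
    return ",".join(rdns[1:])


def group_matches(configured: str, directory_group: str) -> bool:
    """Group names must be identical in character and case when LDAP
    authentication is paired with Active Directory authorization; do not
    casefold here or a member of 'sales' satisfies a policy written for 'Sales'."""
    return configured == directory_group


def groups_from_member_of(values: list[str]) -> list[str]:
    """Reduce memberOf DNs (Active Directory) to the leaf CN that policies name."""
    groups = []
    for dn in values:
        leaf = split_dn(dn)[0]
        attr, _, val = leaf.partition("=")
        if attr.lower() == "cn":
            groups.append(val.replace("\\,", ","))
    return groups
```

The attribute name check in build_user_filter is deliberate: the attribute comes from the profile, the value from the user, and only the value is escaped, so a misconfigured attribute field fails loudly instead of becoming part of the filter.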

Assigning Authentication Profiles to Logon Points
After you configure RADIUS or LDAP authentication profiles, you must assign
these profiles to a logon point. You can assign authentication profiles in the logon
point properties, on the Authentication and Authorization pages.
You can use RADIUS profiles as the sole authentication method or as part of
advanced authentication with Active Directory. You can use LDAP profiles as the
sole authentication method only.

If you assign an LDAP profile to authenticate users, you can use Active Directory or an LDAP profile to authorize users. If you assign a RADIUS profile for authentication, you can use an LDAP profile or a RADIUS profile for authorization; if you choose RADIUS for authorization, you must use the same RADIUS profile that authenticates users.
When you use RADIUS or LDAP profiles, you can specify how users access
resources that require Active Directory credentials. In an advanced authentication
scenario where Active Directory is the group authority, you can specify whether
the Active Directory and RADIUS servers share the same password. In scenarios
where RADIUS or LDAP authenticate and authorize users, you can enable pass-
through authentication to Active Directory. This allows users to access resources
smoothly, without entering their Active Directory credentials. To do this, you
supply the default Active Directory domain. User accounts in the default Active
Directory domain match those on your RADIUS or LDAP servers.

To assign authentication profiles to a logon point

1. In the console tree, select the logon point you want to configure. For more
information about creating a new logon point, see “Configuring Logon
Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select the RADIUS or LDAP profile you
want to use to identify users in your organization.
4. On the Authorization page, select the RADIUS or LDAP profile you want
to use to determine the level of access users receive when they authenticate
successfully.
After you assign the authentication profile to the logon point, use the Server
Configuration utility to set the authentication credentials for the profile.

Setting Authentication Credentials for Logon Points
Logon point authentication credentials consist of the global or server-specific
RADIUS secrets or LDAP passwords that you specify. Before you set the
authentication credentials, ensure a RADIUS or LDAP authentication profile has
been assigned to the logon point.

If your deployment is configured to use RADIUS authentication, and your RADIUS server is configured to use PAP, you can strengthen user authentication at the logon point by assigning a strong shared secret to the RADIUS server. With PAP, the user password in each Access-Request is hidden only by an MD5 keystream derived from the shared secret, so the strength of the secret is what protects passwords on the wire. Strong RADIUS shared secrets consist of random sequences of upper and lowercase letters, numbers, and punctuation and are at least 22 characters long. If possible, use a random character generation program to create RADIUS shared secrets.
To further protect RADIUS traffic, assign a different shared secret to each Access Gateway appliance or each Advanced Access Control server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure each Access Gateway realm that uses RADIUS authentication separately. If you synchronize configurations among several Access Gateway appliances in a cluster, all the appliances will be configured with the same secret.
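To make the shared-secret advice concrete, the following added example (not Citrix code; the packet values are constructed) implements the RFC 2865 User-Password hiding and Response Authenticator in Python. It shows that anyone holding the secret and a capture recovers every PAP password, that the Access-Accept is protected only by an MD5 keyed with the secret, so a captured request/response pair lets an attacker test secret guesses offline at one MD5 each, and how to generate a secret of the recommended form.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, used to show why
a PAP deployment needs a long random shared secret. Added example; not Citrix
code. Packet values below are constructed for the demonstration."""
import hashlib
import secrets
import string
from typing import Optional


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; the RADIUS server does exactly this, so
    anyone holding the secret and a packet capture recovers every PAP password."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only integrity check on an Access-Accept and is keyed solely by
    the shared secret."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return _md5(bytes([code, ident]), length, request_auth, attrs, secret)


def recover_secret(code: int, ident: int, attrs: bytes, request_auth: bytes,
                   resp_auth: bytes, candidates: list[bytes]) -> Optional[bytes]:
    """Offline dictionary attack against a captured request/response pair: each
    guess costs one MD5, so a dictionary word or short secret falls at once,
    while a 22-character random secret is out of reach."""
    for guess in candidates:
        if response_authenticator(code, ident, attrs, request_auth, guess) == resp_auth:
            return guess
    return None


_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_shared_secret(length: int = 22) -> str:
    """Secret of the kind the guide recommends: mixed case, digits and
    punctuation, at least 22 characters, drawn from the OS CSPRNG."""
    if length < 22:
        raise ValueError("use at least 22 characters")
    while True:
        candidate = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate
```

The hiding scheme is reversible by design, which is why the guide's separate advice to give each gateway its own secret matters: a secret recovered from one appliance's traffic then exposes only that appliance's users.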

To assign RADIUS shared secrets

1. On the Advanced Access Control server, click Start > Programs or All
Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you
have configured to use RADIUS authentication.
3. Click Authentication Credentials.
4. Under RADIUS Servers, select Global secret for all servers or Server
specific secrets.
5. Type the global secret in the Authentication secret and Confirm
authentication secret boxes.
6. For server-specific secrets, double-click the IP address of the RADIUS
server and enter the secret in the Server Credential box.

To assign LDAP server passwords

1. On the Advanced Access Control server, click Start > Programs or All
Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you
have configured to use LDAP authentication.
3. Click Authentication Credentials.
4. Under LDAP Servers, select Global password for all servers or Server
specific passwords.
5. Type the global password in the Authentication secret and Confirm
authentication secret boxes.
6. For server-specific passwords, double-click the IP address of the LDAP server and enter the password in the Server Credential box.

Configuring RSA SecurID Authentication


If you use RSA SecurID for authentication, you can configure Access Gateway
Advanced Edition to authenticate user access with the RSA ACE/Server. The
Advanced Access Control server acts as an RSA Agent Host to authenticate users
who attempt to log on.
You can configure the Advanced Access Control server to authenticate with RSA
SecurID in the following ways:
• With Active Directory, as an advanced authentication method
• As the only authentication method, where LDAP is used as the group
authority
Configuring RSA SecurID authentication consists of the following tasks:
• Configure the Advanced Access Control server(s) as an RSA ACE/Agent
and generate a Sdconf.rec file
• Generate an Sdroot certificate file for the Advanced Access Control
server(s) and install the RSA ACE/Agent software
• Test authentication with the RSA SecurID server
• Configure a logon point for RSA SecurID authentication
If you are using RSA SecurID as the only authentication method, ensure you have
performed the following tasks prior to configuring the logon point:
• Create an LDAP authentication profile
• Assign the authentication profile to the logon point
• Set the authentication credentials for the logon point
For more information, see “Creating LDAP Authentication Profiles” on page
104, “Assigning Authentication Profiles to Logon Points” on page 105, and
“Setting Authentication Credentials for Logon Points” on page 106.

To configure the Advanced Access Control server as an RSA ACE/Agent

1. On the RSA ACE/Server computer, open the RSA ACE/Server Database Administration window and click Agent Host > Add Agent Host.
2. In Name, type the fully-qualified domain name (FQDN) of the Advanced
Access Control server.
3. In Network Address, type the IP address of the Advanced Access Control server.
4. In Agent Type, select NetSP Agent.
5. From the Database Administration window, click Agent Host > Generate
Configuration Files and then click One Agent Host.
6. Double-click the name of the Advanced Access Control server and save the
Sdconf.rec file in a folder on the computer.
7. Copy the Sdconf.rec file to the %SystemRoot%\System32 folder on the Advanced Access Control server.

To generate an Sdroot certificate file and install RSA ACE/Agent

1. On the Advanced Access Control server, install and launch the RSA ACE/
Agent Certificate Utility.
2. In Current Directory, enter the path of the directory in which you want to
store the certificate file.
3. Click the New Root Certificate and Keys button.
4. Enter your organization name, country, and key passwords.
5. Install the RSA ACE/Agent for Windows software and select the following
installation options:
• In Setup Type, select Custom
• In Custom Setup, select Local Authentication Client only. All
other client options should not be installed.
6. When prompted, locate the Sdroot certificate file you created.
7. Follow the remaining onscreen instructions to install the RSA ACE/Agent
software.
8. Restart the server after installation finishes.

To test authentication with RSA SecurID

1. On the Advanced Access Control server, click Start > Control Panel >
RSA ACE/Agent.
2. From the Main tab, click the Test Direct Authentication with RSA ACE/
Server button.
3. From the RSA ACE/Server Configuration Information window, click the
RSA ACE/Server Test Directly button and enter the user ID and token
passcode for the user you are testing.
If the test is successful, the “Successful Authentication” message appears. You can then configure logon points to use RSA SecurID authentication.

To configure a logon point with RSA SecurID authentication

If you are using RSA SecurID as the only authentication method, ensure you
create an LDAP authentication profile, assign the profile to the logon point, and
set the authentication credentials prior to configuring the logon point. For more
information, see “Creating LDAP Authentication Profiles” on page 104 and
“Setting Authentication Credentials for Logon Points” on page 106.
1. In the console tree, select the logon point you want to configure. For more
information about creating a new logon point, see “Configuring Logon
Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select one of the following options:
• Under Advanced Authentication, select RSA to use SecurID with
Active Directory to authenticate users.
• Under Authentication, select RSA to use SecurID as the only
authentication method.
4. If you are using RSA SecurID as the only authentication method, on the
Authorization page, select the LDAP profile you want to use.

Configuring SafeWord Authentication


The SafeWord product line provides secure authentication using a token-based
passcode. Once the passcode is used, it is immediately invalidated by SafeWord
and cannot be used again. Access Gateway Advanced Edition supports
authentication with SafeWord for Citrix and SafeWord PremierAccess.
You can configure the Advanced Access Control server to authenticate with
SafeWord in the following ways:
• With Active Directory, as an advanced authentication method
• As the only authentication method, where LDAP is used as the group
authority
• With RADIUS, where the Advanced Access Control server acts as a
RADIUS client to a server configured with Microsoft Internet
Authentication Service (IAS)

Configuring Advanced Authentication with SafeWord
When you configure advanced authentication, Active Directory works with
SafeWord to authenticate users and determines the level of access users have once
they log on. To configure advanced authentication with SafeWord, perform the
following tasks:
• Install and configure the SafeWord for Citrix Secure Access Manager
Agent on the Advanced Access Control server. Citrix strongly recommends
obtaining the latest version of the agent software from Secure Computing to
ensure SafeWord authentication is successful. Refer to the Secure
Computing product documentation for information about configuring the
agent.
• Create a logon point and configure authentication and authorization using
the Access Management Console.

To configure advanced authentication with SafeWord

1. On the Advanced Access Control server, install the SafeWord for Citrix
Secure Access Manager agent software located on the SafeWord product
CD. When prompted, accept the option to use the latest agent software from
Secure Computing and then select the Secure Access Manager Agent
option.
2. Restart the Advanced Access Control services. You can use the Server
Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the
Component Services console.
4. From the console tree, select the logon point you want to configure and
click Edit logon point in Common Tasks. For more information about
creating a new logon point, see “Configuring Logon Points” on page 89.
5. On the Authentication page, under Advanced Authentication, select
SafeWord.

Configuring Authentication with SafeWord Only


When you configure SafeWord as the only authentication method for users, you
must use LDAP as the group authority. If you want to use SafeWord as the sole
authentication method, perform the following tasks:
• Install and configure the SafeWord for Citrix Secure Access Manager
Agent on the Advanced Access Control server. Citrix strongly recommends
obtaining the latest version of the agent software from Secure Computing to ensure SafeWord authentication is successful. Refer to the Secure Computing product documentation for information about configuring the agent.
• Create an LDAP authentication profile that you can assign to the logon
point as the group authority.
• Create a logon point and configure authentication and authorization using
the Access Management Console.
• Set the authentication credentials for the logon point.

To configure authentication with SafeWord only

1. On the Advanced Access Control server, install the SafeWord for Citrix
Secure Access Manager agent software located on the SafeWord product
CD. When prompted, accept the option to use the latest agent software from
Secure Computing and then select the Secure Access Manager Agent
option.
2. Restart the Advanced Access Control services. You can use the Server
Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the
Component Services console.
4. Create an LDAP authentication profile. For more information, see
“Creating LDAP Authentication Profiles” on page 104.
5. From the console tree, select the logon point you want to configure and
click Edit logon point in Common Tasks. For more information about
creating a new logon point, see “Configuring Logon Points” on page 89.
6. On the Authentication page, select SafeWord.
7. On the Authorization page, select the LDAP authentication profile you
want to use.
To complete the configuration, you need to set the authentication credentials for
the logon point to which you assigned the LDAP profile. See “Setting
Authentication Credentials for Logon Points” on page 106 for more information.

Configuring RADIUS with SafeWord


To authenticate users, SafeWord uses the RADIUS protocol, Microsoft Internet
Authentication Service (IAS), and a user database stored on an Active Directory
server.
To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0
must be installed on the Advanced Access Control server. See “RADIUS
Requirements” on page 53 for more information.

If you want to use RADIUS with either SafeWord product, perform the following
tasks:
• Configure Microsoft Internet Authentication Service (IAS) on a separate
server and configure the Advanced Access Control server as a RADIUS
client.
• Create a RADIUS authentication profile for the IAS server. If you want to
use LDAP as the group authority instead of RADIUS, you must also create
an LDAP authentication profile. For more information, see “Configuring
RADIUS and LDAP Authentication” on page 102.
• Assign the RADIUS authentication profile to the logon point. If you use
LDAP as the group authority, you must also assign the LDAP
authentication profile to the logon point. For more information, see
“Assigning Authentication Profiles to Logon Points” on page 105.
• Set the RADIUS authentication credentials for the logon point. If you use
LDAP as the group authority, you must also set the LDAP authentication
credentials. For more information, see “Setting Authentication Credentials
for Logon Points” on page 106.
• On the SafeWord server, install and configure the SafeWord IAS Agent
software.

To configure IAS and configure a RADIUS client

Before proceeding, ensure IAS is installed on a server in your environment. You can install IAS using Add/Remove Programs in Control Panel. For more information, see the Windows online help.
1. Open the Microsoft Management Console (MMC) and install the snap-in
for IAS.
2. In the left pane, right-click Remote Access Policies and select New
Remote Access Policy. The New Remote Access Policy Wizard appears.
3. Complete the wizard, using the following settings:
• Select Windows Groups for the policy and select the group(s)
containing the users to be authenticated with SafeWord
• Select Grant remote access permission and click Edit Profile.
• On the Authentication tab, clear the check boxes selected by default
and then select only Unencrypted authentication (PAP, SPAP).
• Click the Advanced tab and remove the attributes that appear by
default. Then, add the Vendor Specific RADIUS Standard attribute.
• In the Vendor-specific Attribute Information box, select Yes to
specify that the attribute conforms to the RADIUS RFC specification.
• Click Configure Attribute and enter the following settings:
• In Vendor-assigned attribute number, type 0.
• In Attribute Format, select String.
• In Attribute value, enter the group name(s) you specified for
the policy. For example, if you specified the Sales and Finance
groups, you enter CTXSUserGroups=sales;finance.
4. From the left pane of the MMC, right-click RADIUS Clients and select
New RADIUS Client.
5. Type a name for the client and enter the IP address or the FQDN of the
Advanced Access Control server.
6. Ensure RADIUS Standard is selected and then provide a shared secret that
the Advanced Access Control server can use to authenticate with the
RADIUS server.
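The group information that IAS returns in the Vendor-Specific attribute configured above (and that the RADIUS authorization settings in “Creating RADIUS Authentication Profiles” consume through the Group attribute name, Separator, Vendor identifier and Vendor specified type fields) travels as a RADIUS attribute of type 26 laid out per RFC 2865 section 5.26. The following added example, not Citrix code, builds and parses that attribute in Python and splits the CTXSUserGroups value on the configured separator. VENDOR_ID and VSA_TYPE are placeholders for this demonstration and must match what was entered on your RADIUS server; the Access-Accept attribute bytes are constructed.

```python
"""Building and parsing the RADIUS Vendor-Specific attribute (type 26, RFC 2865
section 5.26) that carries the CTXSUserGroups=... value IAS returns, and
splitting it on the configured separator. Added example; not Citrix code.
VENDOR_ID and VSA_TYPE are placeholders: use the vendor identifier and
vendor-assigned attribute number configured on your RADIUS server."""
import struct

VSA = 26
VENDOR_ID = 66        # assumption for the demo; must match the RADIUS server
VSA_TYPE = 0          # "Vendor-assigned attribute number" from the IAS procedure


def build_vsa(vendor_id: int, vsa_type: int, value: bytes) -> bytes:
    """RFC-format VSA: Type, Length, Vendor-Id, then Vendor-type, Vendor-length, value."""
    vendor_data = struct.pack("!BB", vsa_type, 2 + len(value)) + value
    if 6 + len(vendor_data) > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BBI", VSA, 6 + len(vendor_data), vendor_id) + vendor_data


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV attribute list; reject truncated or zero-length entries
    rather than silently skipping them (a malformed Accept is not an Accept)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vsa_values(attrs, vendor_id: int, vsa_type: int) -> list[bytes]:
    """Extract every vendor-data value of the given vendor/type, following the
    RFC layout rather than trusting the first match."""
    found = []
    for atype, body in attrs:
        if atype != VSA or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor-length")
            if vtype == vsa_type:
                found.append(body[j + 2:j + vlen])
            j += vlen
    return found


def user_groups(attrs, vendor_id=VENDOR_ID, vsa_type=VSA_TYPE,
                attr_name: str = "CTXSUserGroups", separator: str = ";") -> list[str]:
    """Return the group names carried as '<attr_name>=g1;g2' (the Group attribute
    name and Separator fields of the RADIUS authorization dialog). Names are
    returned as-is: they are compared exactly, so do not lower-case here."""
    groups = []
    for raw in vsa_values(attrs, vendor_id, vsa_type):
        text = raw.decode("utf-8", errors="strict")
        name, sep, value = text.partition("=")
        if sep and name == attr_name:
            groups.extend(g for g in value.split(separator) if g)
    return groups


# Constructed Access-Accept attribute list for the IAS example in the guide,
# followed by an unrelated Reply-Message (type 18) to show it is skipped.
SAMPLE_ATTRS = (
    build_vsa(VENDOR_ID, VSA_TYPE, b"CTXSUserGroups=sales;finance")
    + bytes([18, 4, 0xAB, 0xCD])
)
```

A practical use of this is checking a packet capture from the IAS server: if user_groups returns an empty list for an Accept you expected to carry groups, either the vendor identifier, the vendor-assigned attribute number, or the separator in the profile does not match what IAS was told to send.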

To configure the SafeWord IAS Agent

1. Launch the IAS Agent by clicking Start > Programs or All Programs >
Secure Computing > SafeWord > IAS Agent > Configure IAS Agent.
2. Click Authentication Engine and enter the host name or IP address of the
authentication engine.
3. Click Groups and enter the user group and domain of the users using
SafeWord tokens.

Configuring Trusted Authentication


To further strengthen your Access Gateway environment, you can ensure that
each Access Gateway that connects to an Advanced Access Control server is a
trusted device. To do this, you configure each Access Gateway to present a client
certificate when prompted. Then, you configure each Advanced Access Control
server to request the client certificate from each Access Gateway in your
environment.

Configuring the Access Gateway for Trusted Authentication
Before you configure the Access Gateway, ensure that:
• The Access Gateway uses SSL to communicate with the Advanced Access
Control server. This is required because the virtual directories the Access
Gateway must access on the Advanced Access Control server are secured.
• The Access Gateway trusts the root certificate for the certificate authority
that issued the client certificate. If not, you will need to install it as a trusted
root certificate.
• You have obtained a client certificate from a recognized certificate
authority so you can install it on the Access Gateway.

To verify the Access Gateway is using SSL

1. Open the Access Gateway Administration Tool and select the Access
Gateway from the Access Gateway Cluster tab.
2. Click the Advanced Options tab.
3. To enable SSL communication, select the Secure server communication
check box.

To install the root certificate as a trusted certificate

Before you install the root certificate, check to be sure it is in the Base64-encoded (PEM) file format. The Access Gateway does not recognize other formats, such as binary DER, as valid.
1. From the Administration Tool, select the Access Gateway and then click
the Administration tab.
2. In Manage trusted root certificates, click Manage.
3. From Trusted Root Certificate Management, click the Manage tab.
4. Click Upload Trusted Root Certificate.
5. Select the root certificate you want to install.
6. Reboot the Access Gateway.
After the Access Gateway reboots, verify the root certificate appears in the
Trusted Issuers tab of the Trusted Root Certificate Management window. You can
then install the client certificate.
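The format check before uploading the root certificate can be done offline. The following added example, not Citrix code, is a Python helper that tells a Base64 (PEM) certificate file from a binary DER one, validates that the Base64 body decodes to a single complete ASN.1 object, and converts DER to PEM when needed. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a real certificate so the code runs without one.

```python
"""Check that a root or client certificate file is in the Base64 (PEM) form the
Access Gateway accepts, and convert binary DER to PEM when it is not. Added
example; not Citrix code. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE
standing in for a real certificate."""
import base64
import re

_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def der_length(data: bytes) -> int:
    """Return the total encoded length of the outermost DER SEQUENCE, or raise."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_blocks(data: bytes) -> list[tuple[str, bytes]]:
    """Return (label, DER) for each PEM block, validating the Base64 body and
    that it decodes to exactly one complete DER object."""
    blocks = []
    for label, body in _PEM_RE.findall(data):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der_length(der) != len(der):
            raise ValueError(f"{label.decode()} body is not a complete DER object")
        blocks.append((label.decode(), der))
    return blocks


def to_pem(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """Accept PEM or DER and return a single PEM block. Anything else (PKCS#7
    bundles, PKCS#12 files, copy-pasted fragments) is rejected."""
    if b"-----BEGIN" in data:
        blocks = pem_blocks(data)
        if len(blocks) != 1:
            raise ValueError("expected exactly one PEM block")
        label, der = blocks[0]
    else:
        if der_length(data) != len(data):
            raise ValueError("not a single DER object")
        der = data
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"\n".join(lines) + f"\n-----END {label}-----\n".encode())


def is_pem_certificate(data: bytes) -> bool:
    """True only for a file holding exactly one well-formed CERTIFICATE block."""
    try:
        blocks = pem_blocks(data)
    except ValueError:          # includes binascii.Error from bad Base64
        return False
    return len(blocks) == 1 and blocks[0][0] == "CERTIFICATE"


# Constructed stand-in: SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
```

Run is_pem_certificate over the file you are about to upload; a False for a file exported from a Windows CA usually means it was saved as DER or as a PKCS#7 chain, and to_pem handles the first case.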

To install the client certificate on the Access Gateway

1. Open the Administration Tool and select the Access Gateway from the
Access Gateway Cluster tab.
2. Click the Administration tab and then click Browse to upload a .pem
private key and client certificate.
3. Locate the client certificate and enter the passphrase when prompted.
4. Reboot the Access Gateway.
After you install the client certificate, you can configure the Advanced Access
Control server to require the certificate from the Access Gateway.

Configuring Advanced Access Control for Trusted Authentication
To configure the Advanced Access Control server to request the client certificate
from each Access Gateway in your environment, you perform the following
tasks:
1. Create or assign a server certificate
2. Add the root certificate from the certificate authority that issued the Access
Gateway client certificate to the Certificate Trust List on the server
3. Configure the virtual directories that the Access Gateway will access to
require client certificates

To create or assign a server certificate

1. Click Start > All Programs > Administrative Tools > Internet
Information Services (IIS) Manager.
2. Expand the local computer node and the Web Sites node.
3. Right-click the Default Web Site node and select Properties.
4. Click the Directory Security tab and then click the Server Certificate
button under Secure communications.
5. Follow the onscreen instructions in the IIS Certificate Wizard to create a
new server certificate or assign an existing certificate.

After the server certificate is assigned, you can add the root certificate to the
server’s Certificate Trust List and configure the server to require client
certificates.

To add the root certificate to the Advanced Access Control server’s Certificate Trust List

1. Open Internet Information Services (IIS) Manager and locate the Default
Web Site node.
2. Right-click the Default Web Site node and select Properties.
3. Click the Directory Security tab and then click the Edit button under
Secure communications.
4. Select the Enable certificate trust list check box.
5. Click the New button and follow the onscreen instructions to complete the
Certificate Trust List wizard. This wizard allows you to add the root
certificate that matches the Access Gateway’s client certificate to the
Certificate Trust List.

To configure the server to require client certificates

1. In Internet Information Services (IIS) Manager, expand the Default Web Site node and locate the CitrixGatewayConfigService node.
2. Right-click the CitrixGatewayConfigService node and select Properties.
3. Click the Directory Security tab and then click the Edit button under
Secure communications.
4. Select the Require secure channel checkbox.
5. Under Client certificates, select Require client certificates.
6. In Internet Information Services (IIS) Manager, right-click the
CitrixLogonAgentService node and select Properties.
7. Click the Directory Security tab and then click the Edit button under
Secure communications.
8. Select the Require secure channel check box.
9. Under Client certificates, select Require client certificates.
CHAPTER 8

Adding Resources

To control your corporate resources with Advanced Access Control, you add
them to the console and then create policies for them.
Resources include corporate applications, Web sites, portals, file shares, services,
servers, email, and email synchronization—essentially any resource that you
want to provide for user access.
This section describes how and why you configure the following types of
resources:
• Network resources
• Web resources
• File shares
For information about configuring email resources, see “Providing Secure Access
to Corporate Email” on page 181.

Creating Network Resources for VPN Access


Use network resources to define subnets or servers on the corporate network that
users can connect to directly through a VPN tunnel using the Secure Access
Client. By default, users are denied access to network resources until you create
policies that grant them access permission.

To create a network resource

1. In the console tree, select Network Resources and click Create network
resource in Common Tasks.
2. In the New Network Resource wizard, enter a name and description for the
resource.
3. On the Specify Servers and Ports page, click New to add network
identification, port, and protocol information for the resource.
• To define entire subnets, specify network addresses with subnet
masks. For example, to define all servers on the 10.x.x.x network,
specify network address 10.0.0.0 with subnet mask 255.0.0.0. To define a single server, specify its IP address, such as 10.2.3.4, with subnet mask 255.255.255.255.
• For Port, you can specify multiple ports or port ranges by separating
each port with a comma and hyphenating ranges. For example, the
entry “22,80,110-120” means that the resource uses port 22, port 80,
and all ports between and including 110-120.
• The Secure Access Client software listens on the specified port.
4. Specify whether or not to create a default policy. If you create a default
policy, you can edit its properties later.
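The server, mask and port syntax in step 3 is easy to get subtly wrong (an exclusive range, a mask that does not match the address), and overlapping definitions are the conflict source the later “Defining Resources to Avoid Conflicts” section describes. The following added example, not Citrix code, parses the port syntax and address/mask pairs in Python, checks whether a destination falls inside a resource, and goes one step beyond the text by reporting the network and ports two resources share. Resource names and addresses are constructed.

```python
"""Parsing the Network Resource port syntax ("22,80,110-120") and the
address/subnet-mask pairs, checking whether a destination falls inside a
resource, and detecting overlap between two definitions. Added example; not
Citrix code; resource names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


def parse_port_spec(spec: str) -> set[int]:
    """'22,80,110-120' -> {22, 80, 110, ..., 120}; ranges are inclusive."""
    ports: set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def parse_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Address plus dotted mask, e.g. ('10.0.0.0', '255.0.0.0') or a single
    host ('10.2.3.4', '255.255.255.255'). strict=False tolerates host bits set
    in the address field so '10.2.3.4' with mask 255.0.0.0 means 10.0.0.0/8."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


@dataclass(frozen=True)
class NetworkResource:
    name: str
    network: ipaddress.IPv4Network
    ports: frozenset[int]
    protocol: str = "tcp"

    def contains(self, ip: str, port: int, protocol: str = "tcp") -> bool:
        """Would a connection to ip:port be covered by this resource?"""
        return (protocol == self.protocol
                and ipaddress.IPv4Address(ip) in self.network
                and port in self.ports)


def make_resource(name, address, mask, port_spec, protocol="tcp") -> NetworkResource:
    return NetworkResource(name, parse_network(address, mask),
                           frozenset(parse_port_spec(port_spec)), protocol)


def overlap(a: NetworkResource, b: NetworkResource):
    """Return (network, ports) shared by two resources, or None. Two resources
    that overlap but are bound to different policies are the conflict the
    guide warns about in 'Defining Resources to Avoid Conflicts'."""
    if a.protocol != b.protocol:
        return None
    if a.network.subnet_of(b.network):
        shared_net = a.network
    elif b.network.subnet_of(a.network):
        shared_net = b.network
    else:
        return None
    shared_ports = a.ports & b.ports
    return (shared_net, shared_ports) if shared_ports else None
```

Running overlap across every pair of configured network resources before assigning policies is a cheap way to find the Server A / File Share B style collisions the guide describes, while the two definitions are still easy to change.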
After defining a network resource, you can create policies that control its user
access and connection settings.
The only access control permission you can grant for a network resource is to
allow or deny access. Because users connect directly to the services defined by
the specified port or network subnode, the Web proxy is not used. Connecting to
resources through the Web proxy is required if you want to tailor the level of
access with action controls such as HTML Preview and Live Edit.
When users connect with the Secure Access Client they can view a list of their
network resources in the client properties.

Using the Entire Network Resource


The Entire Network resource is a built-in resource you can use to grant or deny
Secure Access Client access to all servers and services on the secure network.
The definition of the “entire network” might be limited in scope if you have
enabled split tunneling in the global properties for gateway appliances. If split
tunneling is enabled, the Entire Network resource does not override the definition
of accessible networks. In other words, when split tunneling is enabled, the Entire
Network resource equals the definition you have configured for accessible
networks. For more information about split tunneling and accessible networks,
see “Configuring Split Tunneling” on page 95.

Note: Entire Network includes all resources on the secure network, including
servers or subnets you add later. For example, if you create an access policy that
includes Entire Network and later add a server to the network, the new server is
controlled by the settings of the existing policy.

For more information about creating policies that include Entire Network, see
“Granting Access to the Entire Network” on page 154.

Defining Resources to Avoid Conflicts


Because you have multiple choices for configuring your corporate resources, you
can create resources that overlap. For example, you can create a file share
resource for File Share B on Server A and also create a network resource for
Server A. Both of these resources overlap by including File Share B.
If you assign overlapping resources to different policies, it is possible to create
conflicts between the action controls provided for the same corporate resource.
Overlapping definitions arise if you use network resources to provide access to
entire servers, networks, or subnets and simultaneously use file shares and Web
resources to define parts of the same servers, networks, and subnets. The
following bullets describe a scenario in which such an overlap exists:
• Server A is a file share server for which you define a network resource. A
policy assigned to the network resource allows all company employees
remote VPN access to the server when they use a trusted client device and
the advanced authentication combination of Active Directory with RSA
SecurID.
• File Share B is a shared folder on Server A.
• You define File Share B as a file share resource for browser access. You
assign this file share to a policy that allows access if users are using a logon
point visible only from the internal company network.
Although your intention with the second policy above is to restrict the access to
File Share B, the actual result is that the first policy allows users full access to
File Share B through a VPN tunnel to the entire server.
To avoid conflicts:
• Define network resources so that they do not overlap with browser-based
resources (file shares and Web resources).
• Assign overlapping resources to the same policy.
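The following is an added example (not Citrix code) that models network resources as they are entered on the Specify Servers and Ports page (address plus subnet mask, port entries such as “22,80,110-120”) and then flags the Server A / File Share B overlap described in this section. Host names, addresses and the service ports assigned to file shares and Web resources are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


def parse_ports(spec):
    """Expand a console port entry such as "22,80,110-120" into a set of ports.
    Ranges are inclusive, whitespace is ignored, anything else is rejected."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        low, _, high = item.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port entry {item!r}")
        ports.update(range(low, high + 1))
    return ports


@dataclass(frozen=True)
class NetworkResource:
    """A network resource as entered on the Specify Servers and Ports page."""
    name: str
    address: str            # network or host address
    mask: str               # 255.0.0.0 covers 10.x.x.x; 255.255.255.255 is one host
    ports: str = "1-65535"  # port entry in the console syntax; default: every port

    @property
    def network(self):
        # strict=False tolerates a host address combined with a wider mask
        return ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False)

    def covers(self, ip, port):
        """True when a connection to ip:port falls inside this definition."""
        return ipaddress.ip_address(ip) in self.network and port in parse_ports(self.ports)


@dataclass(frozen=True)
class BrowserResource:
    """A file share or Web resource, reached through the Web proxy."""
    name: str
    kind: str          # "file share" or "Web resource"
    host: str          # server name taken from the UNC path or URL
    service_port: int  # port the hosting service listens on (constructed: SMB 445, HTTP 80)


def find_overlaps(network_resources, browser_resources, resolve):
    """Return (network resource, browser resource) name pairs whose definitions
    overlap: the network resource covers the server and port that serve the
    browser-based resource, so an allow policy on the network resource gives
    VPN access that sidesteps a stricter policy on the file share or Web
    resource. `resolve` maps a server name to its IP address."""
    overlaps = []
    for browser in browser_resources:
        ip = resolve(browser.host)
        for net in network_resources:
            if net.covers(ip, browser.service_port):
                overlaps.append((net.name, browser.name))
    return overlaps


def scenario_overlaps():
    """The guide's scenario: a network resource for Server A and File Share B on it."""
    hosts = {"ServerA": "10.2.3.4", "WebSrv": "10.7.0.10"}  # constructed addresses
    network_resources = [
        NetworkResource("Server A", "10.2.3.4", "255.255.255.255"),
        NetworkResource("Intranet SSH", "10.0.0.0", "255.0.0.0", "22"),
    ]
    browser_resources = [
        BrowserResource("File Share B", "file share", "ServerA", 445),
        BrowserResource("Intranet site", "Web resource", "WebSrv", 80),
    ]
    return find_overlaps(network_resources, browser_resources, hosts.__getitem__)


if __name__ == "__main__":
    for net_name, browser_name in scenario_overlaps():
        print(f"conflict risk: {browser_name!r} is also reachable via network resource {net_name!r}")
```

Any pair reported should either be moved into the same policy or the network resource narrowed so it no longer covers the server, as the two bullets above recommend.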

Creating Web Resources


Web resources define the Web pages, sites, or applications that you want to secure
with policies. You can group multiple URLs and define them as a single Web
resource.
By default, users are denied access to a Web resource until you create policies
that grant access permissions.

To create a Web resource

1. In the console tree, select Resources > Web resources and click Create
Web resource in Common Tasks.
2. Enter a name and description for the resource.
3. On the Configure Addresses page, click New for each URL address you
want to add and enter the address.
Addresses can include:
• virtual directories but not individual documents. For example, you
can add http://PeopleManagementSystem/Recruiting/
but not
http://PeopleManagementSystem/How-to-Interview.html
• dynamic system tokens, such as
http://www.MyCompany.com/users/#<FullName>
Addresses cannot include:
• general regular expressions such as
http://www.server[1-0]+.com/[A-Za-z]+(A-Za-z0-9)*/
• wildcards such as
*.MyURL.com or http://www.*/Dept/MyCompany.com
4. From the Application type list, select the type of application the URL
opens. The application type determines if specialized information is needed
in the URL configuration.
• Citrix Web Interface 4.2 or later points to a Web Interface site
displaying users’ published applications from Citrix Presentation
Server. For more information see “Integrating Web Interface” on
page 158.
• SharePoint points to a SharePoint site.
• SharePoint with Web Interface Web Part points to a Web Part
designed to provide Citrix Web Interface as an area on a SharePoint
site. Supports SmartAccess features through the Web Interface.
• Web Application points to a Web site URL that needs no specialized
configuration information. This is the default setting.
• Web Application (requires session cookies) points to Web sites
allowed to receive cookies. By default the Web proxy does not
forward cookies to redirected URL addresses. The Web proxy does
not pass cookies to the default Web application type.

5. From the Authentication types supported area of the New URL dialog
box, you can enable pass-through authentication to the site by selecting the
site’s authentication method. For more information, see “Enabling Pass-
Through Authentication for Web Resources” on page 124.
6. Select the option to publish in users’ lists of resources if you want this
resource to appear on the Access Interface.
• The home page must be a page within the exact URL you specify in
Step 3. For example, if you enter http://MyCompany.net for the
resource address, you can specify a page within that site, such as
http://MyCompany.net/Finance.aspx.
• If your directory service uses the homepage token, you can enter
#<HomePage> for the URL home page. For more information about
using tokens, see “Using Dynamic System Tokens” on page 128.

Note: If you are enabling Advanced Access Control to display multiple
Citrix Access Platform sites within the Access Interface, you must publish
the site so you can associate it with a Presentation Server farm. For more
information, see “Displaying Multiple Sites and Caching Credentials” on
page 160.

7. Select the option to use an interface that is common for all browser types if
users are not allowed to use ActiveX controls or use a variety of browser
versions. Selecting this option presents users with a generic interface that
does not require advanced browser technologies such as ActiveX.
8. Specify whether or not to create a default policy. If you create a default
policy, you can edit its properties later.

Including Related Files


For Web sites, make sure when you create the resource that you include all the
necessary files required by the pages of the Web site, such as image files that
might be stored in a separate location or separate server. For example, if a site
such as www.citrix.com uses images stored on www.webimages.site.com, add the
URL www.webimages.site.com to the Web resource.

Configuring Sites Secured with SSL


When creating Web resources that contain URL addresses secured with Secure
Sockets Layer (SSL), you must ensure that all servers in the access server farm
with the role of Web server have the root certificate for the secured URL
addresses.

This requirement does not apply if the Web proxy is bypassed for access to the
server hosting the URL address. For more information about bypassing URL
rewriting, see “Bypassing URL Rewriting” on page 144.

Web Resources that Keep Sessions Alive


User sessions for Web resources and applications normally time out according to
the time-out settings of the logon point through which users connect.
Note that when users view a Web resource that uses a keep-alive mechanism, the
session remains open until the user closes the window displaying the Web
resource. An example of such a resource is Microsoft Outlook Web Access,
which performs regular polling to discover new email messages. This polling
keeps the user’s session open until the Outlook Web Access window is closed.

Enabling Pass-Through Authentication for Web Resources


You can pass user credentials to Web servers on the secured network configured
for Basic, Digest, or Integrated Windows Authentication. This feature avoids
requiring users to enter their credentials multiple times to access Web resources.
For example, if a team Web site in your organization is configured for Digest
Authentication, you can pass the credentials with which users log on to the
Access Gateway to that site. If you do not enable the URL address to support
Digest Authentication, users might be required to log on to the Web site.
Note that the authentication required for a Web site is determined by the settings
of the site’s host Web server.
When configuring a Web resource, you can enable its URL addresses to use one
of the following methods of pass-through authentication:
• Basic authentication. Credentials are passed to the Web site in plain text.

Important: Because credentials are passed in plain text, consider using
SSL for Web sites that use Basic pass-through authentication.

• Digest authentication. Hashed credentials are passed to the Web site using
Digest Authentication.
• Integrated Windows authentication. Hashed credentials are passed to the
Web site using Integrated Authentication. NTLM or Kerberos
authentication is used, depending on your Web server configuration.

Caution: When using any of the three pass-through authentication methods, the
target Web application is first presented with the credentials with which the user
logged on to the Access Gateway. Accessing Web sites that require a second,
differing set of credentials through Access Gateway can result in the caching of
the second set of credentials.

To specify pass-through authentication for a Web site

1. In the console tree, select the Web resource and click Edit Web resource in
Common Tasks.
2. On the URL Addresses page, select the Web site’s URL and click Edit.
3. In the Authentication types supported area, select the authentication
method being used by the Web site.

Configuring Sites with Form-Based Authentication


Web sites that require form-based authentication must be configured with the
application type of Web application.
Each URL defined in a Web resource is assigned an application type. For URLs
that are assigned the application type Web Application, credentials are not
passed and users might need to log on to the Web site. This is the default setting.
You must use this option for sites that require form-based authentication.

Creating File Shares


File shares are shared directories, folders, and files on your network that you want
to secure with policies.
You can group multiple shares and define them as a single resource. Grouping file
shares requires you to create fewer policies, because each policy you create for
the resource applies to all shares in the group.
By default, users are denied access to file shares until you create policies that
grant them access permission.

To create a file share

1. In the console tree, select Resources > File Shares and click Create file
share in Common Tasks.
2. Enter a name and description for the resource.

3. On the Configure Addresses page, click New to add each shared item, for
example, \\MyServer\Shared-Files-Folder.
• You can include addresses for specific document files as well as
directories.
• You can use dynamic system tokens, such as #<username>. To use
system tokens, the service account in the Server Configuration for
Advanced Access Control must be a domain account and not a local
machine account.
4. In the File Share dialog box, select Publish for users in their list of
resources if you want this resource to be listed on the Access Interface.
5. Specify whether or not to create a default policy. If you create a default
policy, you can edit its properties later.
If you do not select the option to publish a file share, users can still navigate to the
share in their browsers as long as a policy allows access to the file share. A file
share that a user has access to but which is not published can also be accessed if it
appears embedded in a Web page or email.

Uploading Large Documents to File Shares


When users access a published file share through the Access Interface and
policies allow them to upload documents, users can upload documents up to 100
MB in size by default. To enable users to upload larger documents, you must edit
the Windows Registry.

Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that
problems resulting from incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Make sure you back up the registry before you
edit it.

To enable users to upload documents larger than 100 MB

1. From Registry Editor, find the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\CITRIX\MSAM\FEI
2. Click Edit > New > DWORD Value and type MaxUploadSize in the right
pane.
3. Right-click on the new value and select Modify.
4. In Value Data, type the maximum document size in kilobytes (KB). For
example, to specify a maximum size of 120 MB, you type 120000.

5. Under Base, select Decimal.

Using Dynamic System Tokens


You can use dynamic token replacement in UNC or URL addresses when
defining resources that can retrieve dynamic information from the directory
service. Dynamic token replacement provides replacement of strings with user
attributes obtained from Active Directory.

Note: There is one attribute from Lightweight Directory Access Protocol
(LDAP) or NT Directory Services that you can use without Active Directory.
This is the #<username> attribute. All other attributes require Active Directory.

For example, if an enterprise with thousands of employees provides each user
with a unique file share named for the user, it is more efficient to use a token in
place of the user name rather than listing each explicit file share to define the
resource group.
To use system tokens the service account in the Server Configuration for
Advanced Access Control must be a domain account and not a local machine
account.
Use the following syntax for token replacement:
#<Attribute>

Examples:
\\Public-shares\Departments\#<Department>\Reports
http://inotes.my-server.com/mail/#<username>.nsf

Active Directory Attributes


The following attributes can be used with Active Directory.
#<Department>
#<displayname>
#<Division>
#<domain>
#<EmployeeId>
#<FirstName>
#<FirstNameInitial>
#<FullName>
#<HomeDirectory>
#<HomePage>
#<Initials>
#<LastName>
#<LastNameInitial>
#<MiddleName>
#<OtherName>
#<UPN>
#<username>
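The following is an added example (not Citrix code) that resolves #<Attribute> tokens in a UNC or URL address from a user’s directory attributes, restricted to the attribute names listed above and to #<username> when Active Directory is unavailable. Two things are assumptions: attribute names are matched case-insensitively (the list mixes #<username> and #<FullName>), and values containing a path separator or “..” are rejected before being spliced into an address, a defensive check this guide does not describe. The user record is constructed.

```python
import re

# Attribute tokens the guide lists for Active Directory; #<username> is the only
# one that also works with LDAP or NT Directory Services.
AD_ATTRIBUTES = (
    "Department", "displayname", "Division", "domain", "EmployeeId",
    "FirstName", "FirstNameInitial", "FullName", "HomeDirectory", "HomePage",
    "Initials", "LastName", "LastNameInitial", "MiddleName", "OtherName",
    "UPN", "username",
)
_CANONICAL = {name.lower(): name for name in AD_ATTRIBUTES}
_TOKEN = re.compile(r"#<([^<>]+)>")
_UNSAFE = re.compile(r"[\\/]|\.\.")  # a separator or dot-dot would change the path


def resolve_tokens(address, attributes, active_directory=True):
    """Replace every #<Attribute> in a UNC or URL address with the user's value.

    Raises KeyError for a token that is not a supported attribute (or that
    needs Active Directory when it is unavailable) and ValueError when the
    directory holds no value or the value cannot be spliced safely into the
    address. Attribute names are assumed to match case-insensitively."""
    values = {key.lower(): value for key, value in attributes.items()}

    def substitute(match):
        key = _CANONICAL.get(match.group(1).lower())
        if key is None:
            raise KeyError(f"unsupported token {match.group(0)}")
        if not active_directory and key != "username":
            raise KeyError(f"{match.group(0)} requires Active Directory")
        value = values.get(key.lower())
        if not value:
            raise ValueError(f"no {key} value for this user")
        if match.span() == (0, len(address)):
            return value  # the token is the whole address, e.g. #<HomePage>
        if _UNSAFE.search(value):  # added defensive check, not from the guide
            raise ValueError(f"{key} value {value!r} would alter the path")
        return value

    return _TOKEN.sub(substitute, address)


# Constructed user record, keyed by attribute name
USER = {
    "username": "jdoe",
    "Department": "Finance",
    "FullName": "Jane Doe",
    "HomePage": "http://intranet.example/home/jdoe",
}


def guide_examples(user=USER):
    """The two addresses the guide gives, resolved for the constructed user."""
    return [
        resolve_tokens(r"\\Public-shares\Departments\#<Department>\Reports", user),
        resolve_tokens("http://inotes.my-server.com/mail/#<username>.nsf", user),
    ]


if __name__ == "__main__":
    for resolved in guide_examples():
        print(resolved)
```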

Creating Resource Groups to Ease Policy Administration


Resource groups enable you to group different types of resources into a single
entity and apply policies to the group. Using resource groups requires fewer total
policies and eases policy administration. The basic steps for bundling resources
are:
1. Decide which resources you want to provide to users under a specific
access scenario. For example, make a list of all the resources (including
email, Web sites, and file shares) that your sales force needs to access from
corporate laptops they use on the road.
2. Ensure that each of the resources from Step 1 is configured in the console.
For example, if you want to include five corporate Web sites and Web-
based email, make sure you configure one or more Web resources that
include these sites and configure Web Email before you create the resource
group.

3. Create a resource group that includes all the resources you listed in Step 1.
4. Create a filter that includes your requirements for the access scenario. For
example, you can create a filter that requires users to authenticate with RSA
authentication, log on to your Sales logon point URL, and pass specified
endpoint analysis scans of the client device.
5. Create a policy for the resource group. Associate the policy with the filter
you created in Step 4 and select the action controls you want for each
resource.
Resource group names or descriptions do not appear to users in published lists of
resources. The name and description you define for a resource group is for
administrative use only. If you choose to publish a Web resource or file share,
users see the resource’s description (not the description of the resource group) in
their lists of resources.
Each resource type has a wizard to guide you through adding the resource. These
wizards are available from Common Tasks when the Resources node is selected.
By default, users are denied access to any resource you define until you create
policies that grant access permissions. This includes all resources and resource
groups.

Integrating Resource Lists in Third-Party Portals


If you provide users with the lists of Web resources or file shares included with
Advanced Access Control, you can integrate these lists into any portal solution.
For example, if you are using Microsoft SharePoint as a portal or information
aggregation point, you can display for users their list of Web resources or file
shares in the SharePoint portal.

To integrate user resource lists with a third-party portal

1. Configure Web resources and file shares for users.
2. Configure your portal product’s Web site viewer to display one or both of
the following:
• The Web resources list at http://servername/CitrixSessionInit/
URLList.aspx
• The file share list at http://servername/citrixfei/myfiles.asp
where servername is the name of a Web server running Access Gateway
Advanced Edition.
CHAPTER 9

Controlling Access Through Policies

Policies provide granular control of access at the resource level. Use policies to
control which resources users can get to and what actions they can perform on
those resources. You can leverage the power of filters to apply policies based on
information detected about the client device, who users are, the strength of their
authentication, and where they are logging on. Filters provide the flexibility to
match policies with your access scenarios. This section discusses how to
implement policies and formulate strategies to control resources according to the
user scenario.
Policies extend the security of your network environment by enabling you to
control:
• Access. You can prevent users from connecting to your resources unless
they meet security requirements such as identity, authentication, antivirus,
firewall, and client software.
• Actions. You can control specific actions that users perform on resources
accessed through the browser, based on the user scenario.
• Connections. You can control Secure Access Client connections and apply
settings to those connections.

Controlling User Access


Policies help you secure the corporate network even before users log on and
allow you to extend that security down to the individual resource level. Policies
enable you to:
• Provide connection privileges to trusted devices only. When you create
policies for the “Allow Logon” resource, you can deny connection
privileges unless the client device meets your minimum security
requirements verified through endpoint analysis scans. You can use
connection policies with continuous scans to monitor Secure Access Client
connections throughout the user session, disconnecting as soon as the client
device fails to meet your requirements.
• Allow logon permission only to trusted users and devices. When you
configure logon point properties, you can hide the logon page from users
with unknown client devices or client devices that do not meet your
security requirements. This feature prevents viruses on the client device
from stealing the users’ credentials as they type them on the logon page.
• Allow or deny individual actions on resources. After users pass
your security requirements for connecting, they must be granted explicit
permission to a resource before the resource is available to them. You
control this access through policies defined for each resource or group of
resources. For more information about creating policies, see “Creating
Access Policies” on page 135.
By default, users are not provided permission to access or take action on any
resources on your networks. You must define your resources for the farm and then
create policies that grant access to them and control actions users can perform on
them.
Advanced Access Control policies extend the operating system security settings
and cannot override them. For example, if a user is denied access to a file share in
the share’s Windows NT File System (NTFS) security settings, granting access to
that file share through Access Gateway policies will not allow access to the file
share.

Note: Access to applications and resources published by Citrix Presentation
Server is not controlled by Advanced Access Control policies. Access to these
resources depends on the properties of the logon point through which users log on
and the permissions that users are assigned in Citrix Presentation Server.

Integrating Your Access Strategy


The way you define resources and create policies is influenced by your overall
strategy for controlling access. The goal is to make sure users get the level of
access that you can securely provide given the user situation.
Your strategy determines how you pool resources and design policies.

Pooling Resources By Access Needs


Before defining resources and creating policies, pool resources into resource
groups that reflect their relative security requirements. When you define
resources, group similar resources together.

For example, you might create a resource group that contains several file shares,
Web resources, and email that require very restricted access when users are
connecting remotely. In another resource group you might add Web resources and
file shares and that you want users to have access to at all times, as long as they
have a trusted client device.

Designing Policies From User Scenarios


Plan policies according to a basic set of user scenarios, such as the ones presented
in the next table. Start with just a few scenarios. Define a few types of resources,
pool them into resource groups, and practice creating policies until you have
enough policies to cover all the user scenarios needed in your organization.
The following table provides a few example scenarios of user situations with
different access and actions that might be permitted:

User Device: Corporate desktop running required antivirus software
Resources Users Can Access:
• All corporate networks and file systems
• Full email services
• Corporate portals and Web applications
• Published applications through Citrix Presentation Server
• Other applications
Actions Users Can Take:
• Download files
• Upload files
• Edit files on the local client device
• Edit files on servers running Citrix Presentation Server
• Send documents as email attachments

User Device: Remote corporate device running required antivirus and firewall software
Resources Users Can Access:
• Web applications
• Synchronized email applications
• Published applications through Citrix Presentation Server
• Limited access to file systems
• Servers or services defined as network resources
Actions Users Can Take:
• Edit and save documents with Live Edit ActiveX control without needing to download and upload
• Limited client mapping or printing documents on servers running Citrix Presentation Server
• Send documents as email attachments
• Connect directly to network resources through VPN using Secure Access Client

User Device: Public kiosk running a required browser
Resources Users Can Access:
• Web applications
• Web-based email only
• Limited access to published applications
Actions Users Can Take:
• Preview documents as HTML
• No client mapping or printing documents on servers running Citrix Presentation Server

User Device: Personal digital assistant (PDA)
Resources Users Can Access:
• Web-based email only
Actions Users Can Take:
• View Web-based email, which supports refactoring for small devices
• Preview documents as HTML, which supports refactoring for small devices
• Send documents as email attachments
• No application access

User Device: Remote corporate laptops for system administrators who cover emergencies from home
Resources Users Can Access:
• Full access to individual mission critical applications defined as network resources or the Entire Network resource
Actions Users Can Take:
• Connect directly to network resources through VPN using Secure Access Client

After you develop an access strategy, you configure resources, policies, and
filters in combinations that comply with and extend your corporate security
guidelines. Resources and policies define the access control you allow. Filters
define when and under what conditions the access is granted.

Differentiating Access Control and Publishing


Allowing access to a resource through policy control is not the same as
publishing the resource. When you define file shares and Web resources you can
choose to publish the resource, which means it is listed for users on the Access
Interface or third-party portals.
The built-in file share and Web resource lists can also appear as plug-ins to third-
party corporate portals. For information about integrating resource lists in third-
party portals, see “Integrating Resource Lists in Third-Party Portals” on page
130.
Enabling the Access permission to a Web resource permits the user to view it with
a browser. What the user can do with the item or which application is used to
open it depends on the group of policy settings you have defined for the resource.
Simply enabling the Access permission for a resource does not provide a
navigation to that resource. For example, if you enable the Access permission to a
URL address but do not publish it, users can get to the URL only through a link
embedded on a Web page or, if the resource is configured to bypass the Web
proxy, by typing the URL directly in their browser.

You must create a Web resource or network resource for any application that you
want users to have remote access to and you must create policies for these items
granting explicit “Access” permission for users. Configuring file share access is
slightly different than for Web resources, because you do not choose the “Access”
permission in policies for file shares. Users can view a file share resource through
their browser if you publish the resource and if the operating system access
control list (ACL) allows access permission to the users. Policies for file shares
define the users who can view the file share, the actions those users are allowed to
take on the documents in those file shares, and the conditions under which they
can take the actions.

Creating Access Policies


You must create policies to provide users with access to resources. By default,
users have no access privileges to any resource. When you create an access
policy, you define who has access, the conditions under which access is granted,
and the granular access controls that are allowed or denied.

To create an access policy

1. In the console tree select Policies and choose Create access policy from
Common Tasks.
2. In the New Access Policy wizard, name and describe the policy.
3. On the Select Resources page, select the resource groups and resources for
the policy to control.
• Select Network Resources > Entire Network if you want this policy
to control access to all visible servers and services on the network.
• Select the Allow Logon resource if you want this policy to include
the conditions under which the users are allowed to log on to the
network.
Take care to review selections in the available resources tree. When you
select or clear a category of resource, such as File Shares, all items grouped
under that category are selected or cleared. Expand nodes to display the
selections under each category.
4. On the Configure Settings page, enable each desired setting individually
and select Allow or Deny. Take care to review your selections in the
settings tree.
It is possible to select policy settings on the Configure Settings page for
types of resources that you did not select for the policy to control. The
policy applies settings only for the resources that are selected for the policy.

5. On the Select Filter page, select a filter that defines the conditions to be
met for the policy to be enforced.
If you have not yet configured filters, you can edit the policy and assign a
filter to it later.
6. On the Select Users page, select the users to whom the policy applies.

Note: If multiple policies apply to a resource, a policy that denies an access
permission takes precedence over other policies that allow the access permission.
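The following is an added example (not Citrix code) that evaluates a policy setting the way the procedure and note above describe: users have no access by default, a policy contributes only for the resources it selects (directly or through a resource group), its users and its filter conditions, and a Deny takes precedence over any Allow. The resources, resource group, user identities, filter conditions and policy names are constructed; the policy names follow the convention in “Naming Policies”.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One access policy as built in the New Access Policy wizard."""
    name: str
    resources: frozenset  # resources or resource groups from the Select Resources page
    settings: dict        # setting name -> "Allow" or "Deny"; settings left disabled are absent
    users: frozenset      # users or groups from the Select Users page; "All users" is a wildcard
    filter: dict = field(default_factory=dict)  # required client-context values (all must match)

    def applies_to(self, identities, context):
        """True when the policy's users include one of the identities and its
        filter conditions (constructed as key/value requirements) are met."""
        if "All users" not in self.users and not (self.users & identities):
            return False
        return all(context.get(key) == value for key, value in self.filter.items())


def expand_groups(selection, resource_groups):
    """Resources covered by a policy's selection, with resource groups expanded."""
    covered = set()
    for item in selection:
        covered.update(resource_groups.get(item, {item}))
    return covered


def effective_setting(setting, resource, identities, context, policies, resource_groups):
    """Effective Allow (True) or Deny (False) of one policy setting on one resource.

    Users have no access by default, a policy contributes only for the resources
    it selects, its users and its filter conditions, and a Deny from any
    applicable policy takes precedence over an Allow from another."""
    allowed = False
    for policy in policies:
        if resource not in expand_groups(policy.resources, resource_groups):
            continue  # settings apply only to the resources selected for the policy
        if not policy.applies_to(identities, context):
            continue
        verdict = policy.settings.get(setting)
        if verdict == "Deny":
            return False
        if verdict == "Allow":
            allowed = True
    return allowed


# Constructed farm: one resource group and three policies.
RESOURCE_GROUPS = {"Sales bundle": {"File share Z", "Web resource X"}}
POLICIES = [
    Policy("File share Z_all actions_all users", frozenset({"File share Z"}),
           {"Access": "Allow", "Download": "Allow", "Upload": "Allow"},
           frozenset({"All users"})),
    Policy("File share Z_restricted actions_unknown devices", frozenset({"File share Z"}),
           {"Download": "Deny", "Upload": "Deny"},
           frozenset({"All users"}), filter={"trusted_device": False}),
    Policy("Sales bundle_full access_field users", frozenset({"Sales bundle"}),
           {"Access": "Allow", "Live Edit": "Allow"},
           frozenset({"field users"}),
           filter={"auth": "RSA SecurID", "logon_point": "Sales"}),
]


def decide(setting, resource, identities, context):
    """Evaluate one setting against the constructed farm above."""
    return effective_setting(setting, resource, frozenset(identities), context,
                             POLICIES, RESOURCE_GROUPS)


if __name__ == "__main__":
    for device in (True, False):
        verdict = decide("Download", "File share Z", {"jdoe"}, {"trusted_device": device})
        print(f"trusted_device={device}: Download {'allowed' if verdict else 'denied'}")
```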

Naming Policies
All policy names must be unique. Developing a consistent naming convention or
practice eases administration of policies. Because policies are defined per
resource to provide granular control, you can potentially create many policies.
The naming convention you develop should help you quickly identify the
resource and, if possible, the level of access you are applying.
You can develop a convention that meets your organization’s needs. In general,
the policy name should include the resource. One typical naming convention
names policies by resource name and an access level phrase that coincides with
your access strategy or the permissions allowed. For example:
• Web resource X_full access_all users
• Web resource X_limited access_field users
• Web resource X_full access_administrators
• File share Z_all actions_all users
• File share Z_restricted actions_unknown devices
You can change the name of default policies.

To change a policy name

1. Select the policy in the right details pane of the console.
2. At the bottom of the details pane click Edit policy properties.
3. In the policy Properties, change the name and save the policy.

Configuring Policy Settings to Control User Actions


Policies for resources opened through the browser (Web resources, file shares,
and email) enable you to control not only access, but also what actions users can
perform with the resource.
Policy settings enable you to allow or deny specific action controls. Configure
policy settings in the policy wizard or policy properties.
The policy settings that are available when you create a policy depend on the type
of resource you are securing and your environment. For example, if the access
server farm is not configured to link to a farm running Citrix Presentation Server,
the File Type Association permission setting is not available.
Depending on the type of resource and your farm configuration, you can allow or
deny the following policy settings:

Policy Setting: Access
Allows users access to the resource through a Web browser or Secure Access
Client connection.
For Web-based email, this setting allows all functionality provided by the
Web-based email application, such as viewing and sending emails, managing the
Calendar, and viewing an address book, but does not allow the ability to access
email attachments. Accessing email attachments is allowed through the Email as
Attachment setting.
For network resources, Access allows a direct VPN connection to the resource
using the Secure Access Client. Access is the only permission you can set for
network resources.

Policy Setting: Bypass URL Rewriting
Allows the browser to retrieve a Web resource without the URL address of the
resource being rewritten by the Web proxy component of Advanced Access Control.
By default, URL addresses are rewritten by the Web proxy.
For more information, see “Bypassing URL Rewriting” on page 144.

Policy Setting: Download
Allows documents or email attachments to be sent to the user’s browser as HTTP
content and saved on the local client device. The browser performs its default
action depending on the MIME type of the content.

Policy Setting: Email as Attachment
Allows users to attach documents to email. You can use this control to allow
users to email documents without having other action controls (such as
Download) that require sending the document to the client device.

Policy Setting: File Type Association
Allows users to open documents in applications published through Citrix
Presentation Server. You can use this permission to allow users to open and edit
documents on servers in the trusted environment and avoid sending the document
to the user’s client device. You can use file type association only for document
types that are associated with a published application and only if the logon
point properties are correctly configured.

Policy Setting: HTML Preview
Allows users to view non-HTML content as HTML in a browser without needing to
run additional client software. Supports a wide range of client devices,
including small form factors. Users need this access control or Download to view
an HTML document in a file share. This feature is available only for document
types for which there is conversion software installed on a farm Web server. At
least one Web server must have the conversion software installed and must be
assigned to perform the HTML Preview server role.

Policy Setting: Live Edit
Allows users to edit remote documents using the Live Edit Client, an ActiveX
control. Users can conveniently edit and save documents without needing to
download and upload them.

Policy Setting: Upload
Allows users to save new documents and overwrite existing files in a file share.

Allowing Access to Standard Web Content


The only policy setting that applies for standard Web content is the Allow or
Deny Access setting. Standard Web content includes those document types that
you typically view with a browser. These documents are simply downloaded to
the client device as usual for browsing, and do not come under the varying levels
of access control (HTML Preview or Live Edit, for example) that you can apply
to other document types.
The following document types are treated as standard Web content:

• Text: HTML; CSS; XML; X-component
• Applications: X-Java Script; S-Component
• Images: GIF; JPEG; PNG

Allowing File Type Association


Allowing file type association for a resource enables users to open the resource
with an application running in Citrix Presentation Server. Providing file type
association as the only means for editing resource documents can heighten
security because it requires that editing occur on the server and not on the client
device.

For example, you might choose to grant file type association for a file share
where employees post reports of ongoing project meetings, without providing the
ability to download or upload.
Providing file type association requires that:
• Users run Citrix Presentation Server Client software on the client device.
• Users connect through a logon point configured for Citrix Presentation
Server.
• Users are assigned to the desired applications in Citrix Presentation Server.
• Citrix Presentation Server is configured to work with Advanced Access
Control.

Allowing HTML Preview


HTML Preview enables users to view non-HTML content in a browser without
requiring any additional client software. HTML Preview displays documents:
• For read-only permission
• On a wide range of devices when the associated application is not available
• On small form factor devices such as PDAs
HTML Preview is designed primarily for situations in which you want users to be
able to view documents even if they don’t have an application installed on the
client device that can display the document. For example, you might decide to
allow HTML Preview for employees who need to view documents on the road
from public kiosks, PDAs, or non-corporate devices.
For more information about the requirements of providing HTML Preview in the
farm, see “HTML Preview Requirements” on page 46.

Allowing Email Attachments


The Email as Attachment access control is designed to allow users to email
documents from a location on a remote server to a recipient, without having to
download the document to the client device. You might choose to allow Email as
Attachment along with or in similar situations as the HTML Preview.
For example, you might provide email attachment capability for employees on
the road when they are using unrecognized or untrusted client devices. These
employees can view documents, write their comments in a Web-based version of
their email program, and attach the document to the email message. Users can
take these actions without downloading the document to the client device.

Allowing Live Edit


Live Edit is a convenience feature that allows users to edit remote documents
with an ActiveX control. Users can edit and save documents without needing to
download and upload them.
The following notes explain how Live Edit works in combination with other
action controls you can allow for the same resource:
• Live Edit allowed without other action controls. Users can save the
document on the source repository.
• Live Edit and Email As Attachment allowed. Users can save the
document on the local client device and email it from within the Live Edit
session.
• Live Edit and Download allowed. Users can save the document on the
local client device.
• Live Edit and Upload allowed. Users can save the document on the local
client device. Users can upload (save) the document to published file
shares. Published file shares have the option Publish for users in their list
of resources selected in their properties.
For more information about the requirements for using Live Edit in your
environment, see “Live Edit Requirements” on page 49.

Allowing Logon
The privilege of logging on is treated as a resource so you can secure the privilege
through policies, just as you do for other resources. This feature enables you to
configure additional requirements, beyond the authentication of credentials, that
users must meet to log on to your network.
The resource is named Allow Logon. You can select the Allow Logon resource
along with other resources when you create an access policy.
Users cannot log on until you create an access policy to allow them to do so.

To allow users to log on

1. Open the properties of an existing access policy or create a new access
policy.
• To open an existing policy’s properties, select Policies and click
Manage policies in Common Tasks. Search for the policy you want,
select it, right-click, and choose Edit policy.
• To create a new access policy, select Policies in the console tree and
click Create access policy in Common Tasks.
2. On the Resources page, select Allow Logon.
3. On the Settings page, locate the heading Allow Logon and select from
under it Access.
4. Select Enable this policy to control this setting and select Allow, unless
denied by another policy.

Setting Conditions for Showing the Logon Page


The logon point sends the logon page to the client device browser, allowing users
to enter their credentials. You can make display of the logon page conditional by
requiring that users’ client devices pass endpoint analysis scans before displaying
the page.
This feature adds security to your logon page. For example, you can create an
endpoint analysis scan that verifies that the client device is running your required
level of antivirus protection. Client devices that are not running the required level
of antivirus protection might host a virus or sniffing program to record a user’s
keystrokes. Such programs can record and steal credentials as users log on.
You can set conditions for showing the logon page in logon point properties. If
users do not meet the specified conditions, they receive an Access Denied error
when they attempt to open the logon page URL.
If you do not set any conditions in the Visibility section of logon point properties,
the logon page is visible to any user who is allowed to browse to the URL.

To set conditions for showing the logon page

1. In the console tree, select the logon point and click Edit logon point in
Common Tasks.
2. In the logon point properties, select the Visibility page.
3. Select Show logon page.
4. If you want to show the logon page conditionally, use the logical expression
builder to define the conditions to be met by the connecting client device.

A. Insert the logical operators AND, OR, and NOT and click Endpoint
Analysis Output to choose from a list of your configured scans.
B. Review the resulting logical statement in the Expression preview.

Note: The expression builder appears unavailable until you have created
endpoint analysis scans.

The Root object displayed in the expression builder does not affect
expression logic. The root signals the beginning of your expression tree.

Example 1: An Expression Requiring One Scan

To create an expression that requires the client device to be running a required
level of McAfee VirusScan, click Endpoint Analysis Output and choose the scan
output for the antivirus application. The expression builder contains:
Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan

where scan_name is the name you assigned to the scan when you created it.

Example 2: Creating a Conditional Expression with OR

Assume that the conditions you want to set are reflected by the following
statement: Show the logon page to users with client devices that are running a
required level of McAfee VirusScan or McAfee VirusScan Enterprise. Before you
build this conditional expression, you must create an endpoint analysis scan for
your required versions of McAfee VirusScan and McAfee VirusScan Enterprise.

Note: This example requires you to have configured two endpoint analysis
scans to verify whether or not the client device is running McAfee VirusScan or
McAfee VirusScan Enterprise. For information about creating scans, see
“Creating Endpoint Analysis Scans” on page 166.

1. Select the Root object in the tree and click OR.
2. Click Endpoint Analysis Output and choose the scan output for McAfee
VirusScan.
3. Click Endpoint Analysis Output and choose the scan output for McAfee
VirusScan Enterprise.
The result of this example procedure looks like this in the expression tree:
ROOT
  OR
    Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
    Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise

where scan_name is the name you assigned to the scans.

Example 3: Creating a Complex Conditional Expression with NOT

The following example shows a conditional expression using the NOT operator.
To pass this complex condition, the client device must have your required version
of McAfee VirusScan or McAfee VirusScan Enterprise, but the device cannot be
connecting with the Mozilla Firefox browser.

Note: This example requires you to have configured three endpoint analysis
scans to verify whether or not the client device is running McAfee VirusScan or
McAfee VirusScan Enterprise, and to also verify if the client device is connecting
with the Mozilla Firefox browser. For information about creating scans, see
“Creating Endpoint Analysis Scans” on page 166.

1. Select the Root object in the tree and click AND.
2. Click OR.
3. Click Endpoint Analysis Output and choose your scan output for McAfee
VirusScan.
4. Click Endpoint Analysis Output and choose your scan output for McAfee
VirusScan Enterprise.
5. Select the AND object that you created in Step 1 and click NOT.
6. Click Endpoint Analysis Output and choose your scan output for Mozilla
Firefox.
The result of the example looks like this in the expression tree:
ROOT
  AND
    OR
      Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
      Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
    NOT
      Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting

where scan_name is the name you assigned to the scans.


The Expression preview shows the following logical statement:
((Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan OR Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise) AND (NOT Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting))

where scan_name is the name you assigned to the scans.


Note the following about this example:
• Inserting the NOT operator results in an OR NOT logic by default. If you
want logic for AND NOT, insert the AND operator before the NOT
operator in your tree, as you did in the above example.
• The Mozilla Firefox scan package verifies a minimum version number. In
this example, we want to verify any known version. To detect all known
versions, we can create the scan to verify that the client device is
connecting with a minimum of version 0.1.

Bypassing URL Rewriting


By default, Access Gateway rewrites the URL addresses of Web resources using
a built-in Web proxy component. Web servers in the farm proxy the URL
addresses of these internal resources. If you select the policy setting to bypass
URL rewriting, you decrease your ability to set differing levels of access. This
occurs because some action controls (policy settings) are not available for the
resource unless Web proxy URL rewriting is used.
In some documentation, this feature is referred to as bypassing the Web proxy.
You might decide to bypass URL rewriting to:
• Increase performance among the farm’s Web servers
• Provide end-to-end SSL connections between the client device browser and
the destination Web server hosting the resource
• Provide access to internal Web sites that do not allow or work well when
their URLs are rewritten.
• Provide access to Web resources that are stored on a Web server hosting
Advanced Access Control.

Considerations about URL Rewriting


Note the following considerations when deciding to use or bypass the URL
rewriting feature:
• If you select Bypass URL rewriting for a Web resource, all URL addresses
for the host name are subject to the option and bypass the Web proxy. For
example, if you select the option for the address
“http://www.server1.company.com/folder1/folder2/”, all URL addresses hosted on
server1.company.com bypass the Web proxy, even if those addresses are not
specified within the Web resource.
• Users cannot access Web resources stored on a Web server hosting
Advanced Access Control unless URL rewriting is bypassed. If you want to
provide such access, you must create a policy for the Web resources and
select Bypass URL Rewriting in the policy settings.
• Ensure that the Web sites you make accessible are secure from
vulnerabilities such as cross-site scripting and SQL injection. When the
Web proxy is used to rewrite Web resource URLs (the default case), all
resources appear to reside on the Web proxy server. In such cases you
cannot rely upon protection by the JavaScript “same origin” policy to
prevent malicious scripts from one server accessing properties of resources
on another server, because resources from all servers appear to share the
same origin.

To bypass URL Rewriting

Select Bypass URL rewriting in the policy settings of the policy that controls
access to the Web resource.

Important: When defining resources that bypass URL rewriting, you must
specify entire servers, such as //server/. All URL addresses hosted on the
specified server are bypassed by the Web proxy, even if those URL addresses
appear in the properties of other Web resources that are supposed to be routed
through the Web proxy.

Limitations of Browser-Only Access


If your Advanced Access Control deployment does not require any client
software on client devices, your deployment is considered to provide browser-
only access. In this scenario, users need only a Web browser to access corporate
resources.
Browser-only access to Web resources depends on the URL rewriting function of
the Web proxy. Some Web applications do not handle URL rewriting well or do
not allow the cookie management needed for browser-only access. Such
applications are better suited for the simplified functionality of a common
browser interface or client access through the Access Gateway.
For example, the more a Web application uses the following advanced
technologies, the less likely it is to work smoothly with proxied URL rewriting:
• Flash animations
• Shockwave multimedia objects
• ActiveX controls
• Advanced Java scripting languages
Test the behavior of those Web applications that you plan to provide only through
a browser. If the applications do not behave as expected, consider the following
alternatives:
• Bypass the Web proxy. You can choose for users to bypass the Web proxy.
For remote users (and possibly internal users in deployments of secure
enclaves), this means using the Access Gateway with the Secure Access
Client. For more information about bypassing the proxy, see “Bypassing
URL Rewriting” on page 144.
• Network resources. You can create a network resource to provide users
direct access to the application using the Secure Access Client. Network
resources do not appear in published lists of users’ resources such as the
Access Interface.
• Common browser interface. You can choose to use a basic browser-
independent interface that suppresses use of enhanced display or
functionality.
To implement the common interface, open the Properties for the Web
resource, choose the URL Addresses page, and select Use the interface
that is common for all browser types.

Note: You cannot incorporate the failover feature for Access Gateway
appliances for users accessing Web resources only with a browser.

Creating Connection Policies


Connection policies control connections that use the Secure Access Client. You
can assign filters to connection policies to define when the policy applies.
Take care not to confuse connection policies with access policies:
• Connection policies allow Secure Access Client connections and apply
settings to those connections. You must allow use of the Secure Access
Client to establish connections to any network resource and for email
synchronization, because these types of resources do not allow browser-
only access.
• Access policies define access permissions that specified users have to
resources under specified conditions. For example, an access policy
determines whether or not a group of users can access a certain file share
and whether they can preview files in HTML or use Live Edit to modify the
file.
One of the filters you can apply to a connection policy is a continuous scan filter.
A continuous scan filter comprises a set of scans that continue to monitor the
connection during the entire user session. As soon as the client device ceases to
meet the requirements defined in the continuous scan filter, the connection is
disconnected.

To create a connection policy

1. In the console tree, select Policies > Connection Policies and choose
Create connection policy from Common Tasks.
2. Name and describe the policy.
3. Configure the connection settings you want to apply by selecting each
setting and choosing Yes or No to allow or deny it. You must allow the
setting Launch Secure Access Client if access allowed to make additional
settings available. Select from among the following settings:
• Authenticate after system resume forces authentication after the
client device goes into standby or hibernate mode.
• Authenticate after network interruption forces authentication if
the network connection is interrupted.
• Enable split DNS allows failover to a user’s local DNS if the remote
DNS is not available. By default, Access Gateway checks a user’s
remote DNS only.
• Execute logon scripts runs Windows logon scripts when the
connection is established.
• Desktop sharing allows users to share their desktop with other users
who are logged on to the Access Gateway from a Secure Access
Client. Users can then share their desktop by right-clicking the Secure
Access Client icon in the Windows notification area and selecting
Share Desktop.

4. If you want to give client devices a unique IP address, add and define the
address pools from which address aliases are assigned. On the Define IP
Pool Configuration page, click New to add each available IP pool.
• For Access Gateway, enter the IP address of the Access Gateway
appliance.
• For Gateway, enter the IP address of the default gateway if you use
one. If you do not use a default gateway, you can leave this box blank.
• Each IP range should be valid but unused on the network.
• To avoid conflicting assignments, ensure that you configure a unique
IP range or ranges for each gateway appliance. You should not assign
the same IP range or ranges to multiple gateway appliances.

Note: If you add address pools, you must restart each Access
Gateway appliance in the farm before the IP pool becomes available.
You might want to schedule IP pool configuration for a convenient
time.

5. Select filters that define the conditions for policy enforcement. You can
select two types of filters:
• A filter defines requirements for logon points, endpoint analysis,
authentication, and client certificates. This type of filter checks for
your requirements once during logon.
• A continuous scan filter defines requirements of registry entries,
files, or processes that must be verified on the client device. This
filter checks its requirements throughout the user session.
6. Select users and user groups to whom the policy applies.
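The range rules in step 4 (each range valid, and no range assigned to more than one gateway appliance) can be checked before the pools are typed into the console. The following is an added example, not the product's own code; the appliance addresses and ranges in it are constructed samples, and the first-last range notation is an assumption.

```python
"""Check IP pool definitions before entering them on the Define IP Pool
Configuration page.

Added example, not the product's code. It checks what step 4 requires:
every range is a valid, single-version range, and no range is shared between
gateway appliances. Whether a range is unused on your network cannot be
checked offline. Appliance addresses and ranges are constructed samples.
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_range(text: str) -> Tuple[int, int]:
    """Parse "first-last" into integer bounds; raise ValueError if invalid."""
    first_s, sep, last_s = text.partition("-")
    if not sep:
        raise ValueError(f"{text}: expected first-last")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if first.version != last.version:
        raise ValueError(f"{text}: mixed IP versions")
    if int(first) > int(last):
        raise ValueError(f"{text}: first address is after last")
    return int(first), int(last)


def check_ip_pools(pools: Dict[str, List[str]]) -> List[str]:
    """pools maps an Access Gateway appliance address to its IP ranges.
    Returns a list of problems; an empty list means the pools are consistent."""
    problems: List[str] = []
    parsed: List[Tuple[str, str, int, int]] = []
    for appliance, ranges in pools.items():
        try:
            ipaddress.ip_address(appliance)
        except ValueError:
            problems.append(f"{appliance}: not a valid appliance address")
        for r in ranges:
            try:
                first, last = parse_range(r)
            except ValueError as err:
                problems.append(str(err))
                continue
            parsed.append((appliance, r, first, last))
    # Any overlap, whether across appliances or duplicated on one, conflicts.
    for i, (a, ra, fa, la) in enumerate(parsed):
        for b, rb, fb, lb in parsed[i + 1:]:
            if fa <= lb and fb <= la:
                problems.append(f"{ra} on {a} overlaps {rb} on {b}")
    return problems


if __name__ == "__main__":
    # Constructed: two appliances, the second reusing part of the first's pool
    # and also carrying a range whose first address is after its last.
    sample = {
        "10.0.0.1": ["10.10.1.10-10.10.1.99"],
        "10.0.0.2": ["10.10.1.50-10.10.1.120", "10.10.2.1-10.10.2.0"],
    }
    for p in check_ip_pools(sample):
        print(p)
```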

Creating Policies for Presentation Server Connections


If you create policies for Secure Access Client connections to Citrix Presentation
Server, you must:
• Define at least one IP pool in the connection policy properties
• Create a network resource that includes the server or servers running
Presentation Server

If no IP pools are defined, the client device is identified by the IP address of the
Access Gateway appliance and connects directly to the server running
Presentation Server without being controlled by policies assigned to the network
resources defined for the servers running Presentation Server.

Prioritizing Connection Policies


Because multiple connection policies can apply to the same user, you can
prioritize connection policies. The settings in policies with a higher ranking
priority take precedence over those in lower ranking policies.

To prioritize connection policies

1. In the console tree, select Connection Policies and choose Set connection
policy priority from Common Tasks.
2. Select a policy and use the arrow buttons to move its position in the ordered
list. The highest priority policy appears at the top of the list.

Creating Policy Filters


Filters define the conditions under which the policy applies. Consider the
following example of a policy statement:
Allow access and HTML Preview permission only to the Quarterly Sales Reports
file share for Sales department users when they log on from outside the secure
network using an SSL client certificate.
The filter part of the above policy statement is “when they log on from outside the
secure network using an SSL client certificate.” If you authenticate remote
workers through a specific logon point, you can filter by the logon point and you
can require the use of a client certificate.
You can configure four types of conditions for a filter:
• Logon point. Applies the policy based on the URL with which the user
connects to the network.
• Authentication strength. Applies the policy based on the authentication
being used. The options available in the filter depend on the authentication
configurations you have set up. For more information see “Securing User
Connections” on page 101.
• Endpoint analysis scan outputs. Applies the policy based on information
gathered by endpoint analysis scans of the client device. You must
configure scans before any scan outputs are available to integrate into a
filter.
• Client certificate requirements. Applies the policy based on the presence
of specified criteria in the SSL client certificate.
Filters are designed so you can name them and use the same filter for multiple
policies. Each policy uses one filter only. To achieve the effect of using multiple
filters, you can use the custom filter feature to create complex filters that contain
other filters.

To create a policy filter

You can create a filter before, at the same time, or after you create the policies
you want to associate with it.
1. Open the New Filter wizard from one of the following locations:
• In the console tree, select Policies > Filters and click Create filter in
Common Tasks.
• On the Select Filters page of a policy wizard, click New.
2. Enter a name and description for the filter.
3. Select the option Create a typical filter.
4. If you want the policy to apply when users enter through specific logon
points, select those logon points.
5. If you want the policy to apply based on the authentication used, select the
authentication.
6. If you want the policy to apply based on endpoint analysis scans of the
client device, select the appropriate scan outputs.
7. If you want the policy to apply based on required information in an SSL
client certificate, select Specify SSL client certificate matching criteria.
You can require that the certificate contain specified values for common
name, organization, or organizational unit.
• You cannot specify SSL client certificate values for filtering unless
the option to require client certificates is selected in Access Gateway
Global Properties (Gateway Appliances > Edit gateway appliances
properties > Client Properties).
• Do not add quotation marks around the values you enter for common
name, organization, or organizational unit.
Each type of filter condition is optional. For example, you can configure a filter
based on logon point only. Logically, the conditions defined in a filter are
combined with the AND logical operator, and within a condition type, the settings
are combined with an OR operator. For example, if your filter settings specify
Logon Point A, Logon Point B, and Scan Output C, the policy is applied with the
following logic:
(Logon Point A or Logon Point B) and Scan Output C
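The combination rule above (OR within a condition type, AND across condition types, every type optional), as an added example that is not the product's code; the session fields, logon point names, and certificate values are constructed, and treating the certificate criteria as all-must-match is an assumption.

```python
"""Combine typical-filter conditions the way the New Filter wizard does.

Added example, not the product's code: selections within one condition type
are ORed, the condition types are ANDed, and a type with no selections is
left out because every type is optional. How the certificate criteria are
compared (all specified fields must match) is an assumption; session values
are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class TypicalFilter:
    logon_points: Set[str] = field(default_factory=set)
    authentication: Set[str] = field(default_factory=set)
    scan_outputs: Set[str] = field(default_factory=set)
    # Subject field -> required value, entered without quotation marks.
    certificate: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    logon_point: str
    authentication: str
    verified_scan_outputs: Set[str]
    # Subject fields of the SSL client certificate, or None if none presented.
    client_certificate: Optional[Dict[str, str]] = None


def filter_applies(f: TypicalFilter, s: Session) -> bool:
    """True when the policy using this filter should be enforced for s."""
    checks = []
    if f.logon_points:                                   # OR within a type
        checks.append(s.logon_point in f.logon_points)
    if f.authentication:
        checks.append(s.authentication in f.authentication)
    if f.scan_outputs:
        checks.append(any(o in s.verified_scan_outputs for o in f.scan_outputs))
    if f.certificate:
        # Assumed: every specified value must be present; a session without a
        # client certificate cannot satisfy certificate criteria.
        cert = s.client_certificate or {}
        checks.append(all(cert.get(k) == v for k, v in f.certificate.items()))
    # AND across types; a filter with nothing selected places no condition.
    return all(checks)


# The guide's example: Logon Point A, Logon Point B, and Scan Output C give
# (Logon Point A or Logon Point B) and Scan Output C.
AB_AND_C = TypicalFilter(logon_points={"Logon Point A", "Logon Point B"},
                         scan_outputs={"Scan Output C"})

# The Quarterly Sales Reports statement: a remote logon point plus an SSL
# client certificate (logon point name and certificate values constructed).
REMOTE_WITH_CERT = TypicalFilter(logon_points={"remote"},
                                 certificate={"O": "Example Corp", "OU": "Sales"})

if __name__ == "__main__":
    s = Session("Logon Point B", "LDAP", {"Scan Output C"})
    print("(A or B) and C:", filter_applies(AB_AND_C, s))
    r = Session("remote", "LDAP", set(),
                {"CN": "jdoe", "O": "Example Corp", "OU": "Sales"})
    print("remote with cert:", filter_applies(REMOTE_WITH_CERT, r))
    print("remote, no cert:",
          filter_applies(REMOTE_WITH_CERT, Session("remote", "LDAP", set())))
```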

Creating Custom Filters


You can create custom filters that use logical expressions with the operators
AND, OR, and NOT, allowing you to create filters of greater complexity than you
can with typical filters. With typical filters you are limited to selecting conditions
that the wizard combines with AND logic only. Because they are made from
logical expressions, custom filters provide more complexity and flexibility, but
they are harder to create.
Using custom filters is optional and not required for common configurations. For
ease of administration, use typical policy filters.

To build a custom filter with logical expressions

1. In the console tree, select Policies > Filters and click Create filter in
Common Tasks. The New Filter wizard opens.
2. Enter a name and description for the filter.
3. Select the option Create a custom filter.
4. On the Build Custom Filter page, use the logical expression builder to
create an expression that reflects the conditions you want met before the
policy is enforced.
• Insert the logical operators AND, OR, and NOT along with elements
for logon point, authentication, endpoint analysis output, client
certificate, or another filter to create the logical expression.
• Note that the Root object displayed in the expression builder does not
affect expression logic. The root signals the beginning of your
expression tree.

Example: Creating a Custom Filter

Assume for this example that your network security strategy is to deny logon
privileges to client devices running Windows 2000 unless those devices have
Windows 2000 Service Pack 4 installed OR are running Internet Explorer 6.0.
You want to build a filter for this scenario that you can assign to a policy that
includes the Allow Logon privilege.
Before creating the custom filter, create two scans as follows:

1. Use “Citrix Scans for Windows Service Pack” to create a scan with these
settings:
• Rule conditions: operating system = Windows 2000; client device
regional locale = all
• Property value to verify: Service Pack 4
2. Use “Citrix Scans for Internet Explorer” to create a scan with these settings:
• Rule conditions: operating system = Windows 2000; client device
regional locale = all
• Property value to verify is the minimum required version: 6.0
On the Build Custom Filter page of the New Filter wizard, follow these steps to
create the logical expression:
1. Click OR from the Insert group box.
2. Click Endpoint Analysis Output and choose the scan output for Service
Pack 4.
3. Select OR in the expression builder and click Endpoint Analysis Output
again to choose the scan output for Internet Explorer Version 6.0.
The result in the expression builder appears as:
OR
  Citrix Scans for Windows Service Pack.scan_name.Verified-Windows-Service-Pack
  Citrix Scans for Internet Explorer.scan_name.Verified-Internet-Explorer

where scan_name is the name you assigned to the scans.


For more examples of using an expression builder, see “Setting Conditions for
Showing the Logon Page” on page 141.

Creating Continuous Scan Filters


Continuous scan filters define the continuous scan requirements for a connection
policy. A continuous scan verifies one item (a file, registry entry, or process) on
the client device. The filter can include one or more continuous scans for
verification. When associated with a connection policy, the filter defines all the
requirements to be verified by continuous scans for the connection policy to take
effect.
Note that continuous scan filters, unlike regular policy filters, cannot be used by
Citrix Presentation Server policies. For more information, see “Integrating Citrix
Presentation Server” on page 157.
For information about continuous scans, see “Creating Continuous Scans” on
page 178.

To create a continuous scan filter

1. In the console tree, select Policies > Continuous Scan Filters and click
Create filter in Common Tasks.
2. Enter a name and description for the filter.
3. On the Configure Requirements page, use the logical expression builder
to create an expression that reflects the conditions you want the client
device to meet.
• Insert the logical operators AND, OR, and NOT and click File Scan,
Process Scan, or Registry Scan to choose from your configured
scans.
• Note that the Root object displayed in the expression builder does not
affect expression logic. The root signals the beginning of your
expression tree.

Example 1: Conditional Expression Requiring One Scan

Assume that you want to create an expression that requires an antivirus program's
executable file to be installed on the client device and that you configured a file
scan to verify this file. From the Configure Requirements page of the
continuous scan filter wizard, click File Scan and choose the file scan. The result
of this example procedure looks like this in the expression tree:
ROOT
  scan_name

where scan_name is the name you assigned to the scan when you created it.

Example 2: Conditional Expression Requiring One of Two Scans

Assume that the conditions you want to set are reflected by the following
statement: Client devices must be running the process for a personal firewall from
either Company A or Company B. Before you build this conditional expression,
you must create a process scan for Company A's personal firewall process and
another process scan for Company B's personal firewall process.
1. Click OR.
2. Click Process Scan and choose the scan for Company A’s personal firewall
process.
3. Click Process Scan and choose the scan for Company B’s personal firewall
process.
The result of this example procedure looks like this in the expression tree:

ROOT
    OR
        scan_name_CompanyA_process
        scan_name_CompanyB_process

where scan_name_CompanyA_process and scan_name_CompanyB_process are
the names you assigned to the scans.
For more examples of using an expression builder, see “Setting Conditions for
Showing the Logon Page” on page 141.
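The AND/OR/NOT tree built in the expression builder can be modeled and checked outside the console. The Python script below is an added example, not code from the Citrix guide or product: it represents ROOT, AND, OR and NOT as nested tuples, evaluates them against the True/False outputs of the named continuous scans, and treats a scan that reported nothing as a requirement that is not met, so the connection policy does not take effect. The scan names (av_executable_present, firewall_CompanyA_process and so on) and the scan outputs are constructed for this example; the trees for Example 1 and Example 2 follow the procedures above, and a third tree shows AND and NOT combined.

```python
"""Evaluate a continuous scan filter expression tree.

Added example (not from the Citrix guide): models the expression builder's
ROOT / AND / OR / NOT tree as nested tuples and evaluates it against the
True/False outputs of the configured file, process and registry scans.
Scan names and outputs are constructed for illustration.
"""

# Expression nodes: a str is a scan name; a tuple is (operator, *children).
# ROOT only wraps the single top-level expression, as it does in the console.


def evaluate(node, scan_outputs):
    """Return True if the client device satisfies `node`.

    `scan_outputs` maps scan name -> bool result of that continuous scan.
    A scan with no recorded result (for example, one that did not run) is
    treated as False: the filter is not satisfied unless every named
    requirement was actually verified.
    """
    if isinstance(node, str):
        return bool(scan_outputs.get(node, False))
    op, *children = node
    if op == "ROOT":
        if len(children) != 1:
            raise ValueError("ROOT must wrap exactly one expression")
        return evaluate(children[0], scan_outputs)
    if op == "NOT":
        if len(children) != 1:
            raise ValueError("NOT takes exactly one operand")
        return not evaluate(children[0], scan_outputs)
    if op == "AND":
        return all(evaluate(c, scan_outputs) for c in children)
    if op == "OR":
        return any(evaluate(c, scan_outputs) for c in children)
    raise ValueError(f"unknown operator {op!r}")


def render(node, indent=0):
    """Render the tree in the same layout the expression builder displays."""
    pad = "    " * indent
    if isinstance(node, str):
        return pad + node
    op, *children = node
    lines = [pad + op]
    for c in children:
        lines.append(render(c, indent + 1))
    return "\n".join(lines)


# Example 1 above: one file scan is required (constructed scan name).
EXAMPLE_1 = ("ROOT", "av_executable_present")

# Example 2 above: the firewall process of Company A or of Company B.
EXAMPLE_2 = ("ROOT", ("OR", "firewall_CompanyA_process",
                      "firewall_CompanyB_process"))

# Constructed stricter filter: both requirements, and a process scan that
# must NOT succeed (a process the security plan forbids on connected devices).
EXAMPLE_3 = ("ROOT", ("AND", EXAMPLE_1[1], EXAMPLE_2[1],
                      ("NOT", "prohibited_process_running")))


def demo():
    """Evaluate the three filters for one constructed client device."""
    outputs = {
        "av_executable_present": True,
        "firewall_CompanyA_process": False,   # Company A's firewall not running
        "firewall_CompanyB_process": True,    # Company B's firewall running
        "prohibited_process_running": False,
    }
    return {
        "example1": evaluate(EXAMPLE_1, outputs),
        "example2": evaluate(EXAMPLE_2, outputs),
        "example3": evaluate(EXAMPLE_3, outputs),
        # A filter that names a scan which never reported is not satisfied.
        "missing_scan": evaluate(("ROOT", "scan_not_configured"), outputs),
    }


if __name__ == "__main__":
    print(render(EXAMPLE_2))
    print(demo())
```

The defaulting of an unknown scan to False matches the guide's statement that a scan whose conditions are not met still receives a default output such as False; a filter should fail closed rather than grant the connection policy on missing data.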

Granting Access to the Entire Network


The Entire Network resource represents all visible servers and services on your
secure network. If policies allow connections and access to this resource, Secure
Access Client users can access these servers or services through an SSL virtual
private network tunnel created between the client device and the network. The
Entire Network resource is a built-in network resource, the properties of which
cannot be edited or deleted. To control the conditions under which the Entire
Network resource is accessed, you must create access policies just as you do for
all other types of resources.
You can use the Entire Network resource to:
• Quickly set up your deployment and test access
• Provide unlimited access to a special class of user, such as administrators
who need wide access for disaster recovery or emergency operations
• Provide open access by default and later develop policies that deny access
to specified resources according to your security plan
The general steps involved in granting access to the Entire Network include:
1. Create an access policy for the Entire Network resource allowing access to
selected users.
2. Create a connection policy allowing user connections.
3. Filter the policies according to the conditions or requirements you want to
impose.
Because the Entire Network resource includes all visible servers on the network,
take care to allow access to this resource only under the conditions you intend.
Access to this resource is a powerful level of access.

Reviewing Policy Information with Policy Manager


Policy Manager enables you to search your policies by resource, users, and filters.
You can use keywords for your searches. The search results can assist with quick
policy planning, management, or troubleshooting. The following are only a
sample of the types of information you can find quickly with Policy Manager:
• Find all the policies that affect a specified user or user group
• View all the policy settings that pertain to a specified resource
• List all policies that use a specified filter
• Find all policies that control the permission to log on

To search for policies and settings

1. Open Policy Manager by selecting Policies in the console and choosing
Manage policies from Common Tasks.
2. Use a mixture of keywords in the Resource, User, and Filter text boxes
and click Search. For example, to find every policy assigned to “All
authenticated users,” type all in the User text box.
• By default all policies are shown when you open the Policy Manager.
Clicking Clear at any time empties the search criteria boxes and
returns to a view of all policies.
• Double-click a filter to open the filter’s properties. Double-click in
any other column to open the policy’s properties.
• Click a column heading to sort results alphabetically by that column’s
entries. Click the same column again to reverse the sort order.

Note: Policy Manager does not present information about the filtered results of
policy control with live connecting clients, such as the resulting set of access
permissions after endpoint analysis scans or continuous scans are taken into
consideration.
CHAPTER 10

Integrating Citrix Presentation Server

You can integrate Advanced Access Control and Citrix Presentation Server so
that users can easily access all of their resources, including published
applications, from a common interface. For example, you can embed a Citrix
Access Platform site within the Access Interface. The Access Interface is a
navigation page shipped with Advanced Access Control that can list available
published applications alongside other available resources such as Web resources,
file shares, and so on.
In addition, you can share information collected by Advanced Access Control to
extend the policy-based access control capabilities of Citrix Presentation Server.
By integrating Advanced Access Control filters within Citrix Presentation Server
policies, you can control which published applications users can access and what
they can do within those applications once they get access. This allows you to
create Citrix Presentation Server policies to accommodate different access
scenarios based on a variety of factors such as authentication strength, logon
point, and client device information such as endpoint analysis.
For example, you can include endpoint analysis information collected by
Advanced Access Control within a Citrix Presentation Server policy to determine
access to a published application. In addition, you can selectively enable client-
side drive mapping, cut and paste functionality, and local printing based on the
logon point used to access the published application.
The next section discusses the supported deployments as well as the procedures
required to integrate Citrix Presentation Server and Advanced Access Control. If
you are passing Advanced Access Control information into Citrix Presentation
Server for policy evaluation, you must complete the following steps as well:
• Create one or more filters within Advanced Access Control. See “Creating
Policy Filters” on page 149 for more information about creating filters.
• Create policies within Citrix Presentation Server that reference Advanced
Access Control filters. See the Citrix Presentation Server Administrator’s
Guide for more information about creating policies.

Note: Continuous scan filters, unlike regular policy filters, cannot be used by
Citrix Presentation Server policies.

Linking from Advanced Access Control to Citrix Presentation Server
Complete the steps below to enable Citrix Presentation Server to allow
connections from Advanced Access Control.
1. Ensure that published resources are assigned to the same user groups
assigned to resources in the access server farm.
2. In Citrix Presentation Server:
• Enable Allow connections made through MetaFrame Secure
Access Manager for each published resource. This option appears in
the access control settings of the published resource properties.
• In each server's properties, select the option Trust requests sent to
the XML Service.
3. Complete the steps required to integrate published applications within your
deployment. Integration options include:
• Citrix Access Platform site created by Web Interface. Display
published applications within a Citrix Access Platform site. For more
information, see “Integrating Web Interface” on page 158.
• File type association. Documents are launched in an associated
application running on a server in a Citrix Presentation Server farm.
For more information, see “Configuring File Type Association” on
page 163.
• Third-party portals. Embed a Citrix Access Platform site within a
third-party portal such as Microsoft SharePoint. For more
information, see “Integrating Third-Party Portals” on page 163.

Integrating Web Interface


Advanced Access Control provides several methods for integrating Citrix Access
Platform sites created with Web Interface including:
• Citrix Access Platform site embedded within the Access Interface. When
the Access Interface is selected as the default home page, a Citrix Access
Platform site is displayed alongside file shares and Web applications. You
can also configure the Access Interface to display up to three Presentation
Server sites in a separate tab.
• Citrix Access Platform site configured as the default home page for a logon
point. Once logged on, users are presented the Citrix Access Platform site.

Note: Web Interface and its accompanying documentation are available for
download from the Citrix Web site at www.citrix.com/.

To integrate a Citrix Access Platform site

This procedure requires that you use Version 4.2 of the Access Management
Console to create and manage Citrix Access Platform sites integrated with
Advanced Access Control. Version 4.0 of the console or command-line tool
cannot be used to manage sites created with later versions of the console. In
addition, once a Citrix Access Platform site is configured with the Advanced
Access Control access method, users can access this site only through Advanced
Access Control. Attempts to directly access the site are denied.
Complete the following steps in Advanced Access Control.
1. Configure Citrix Presentation Server to communicate with Advanced
Access Control. See “Integrating Citrix Presentation Server” on page 157
for more information.
2. Create a Web resource for the Citrix Access Platform site with the
following settings:
• Select Citrix Web Interface 4.2 or later as the application type
• Select the Publish for users in their list of resources check box
3. Specify the appropriate policy settings for the Web resource referencing the
Citrix Access Platform site.
4. Provide access to the Citrix Access Platform site in one of the following
ways:
• Display the Citrix Access Platform site as the default home page.
Configure a logon point to display the application with the highest
display priority as the home page. Then, configure the Citrix Access
Platform site as the application with the highest priority.
• Embed a Citrix Access Platform site within the Access Interface.
Configure a logon point to display the Access Interface as the home
page. The Citrix Access Platform site is embedded as a frame within
the Access Interface.
See “Configuring Logon Points” on page 89 for more information.


In Web Interface, complete the following steps. For additional information about
configuring Web Interface, see the Web Interface Administrator’s Guide.
1. Select Using Advanced Access Control when specifying an access method
for the site.
2. Enter the URL of the Advanced Access Control authentication service.
In both Web Interface and Advanced Access Control, ensure the Workspace
Control, Java Client fallback, and session time-out settings are configured
properly. For more information, see “Coordinating Advanced Access Control and
Web Interface Settings” on page 162.

Displaying Multiple Sites and Caching Credentials


You can embed multiple Citrix Access Platform sites within the Access Interface
and cache the credentials used to log on to those sites. You can display up to three
Access Platform sites as well as enable each site to “remember” and “forget”
users’ logon credentials.

Using Multiple Access Platform Sites from the Access Interface
By enabling multiple Access Platform sites to display within the Access
Interface, you can provide access to published applications from multiple
Presentation Server farms. To enable Advanced Access Control to display these
sites, you create and run a Visual Basic script that modifies the values of the
CredentialCachingEnabled and MultipleWebInterfaceEnabled fields in the
FarmSettings table of the configuration database. When you do this, the layout of
the Access Interface changes to accommodate up to three sites. Access Platform
sites appear in the Applications tab while Web email appears on the Email tab.
File shares and published Web sites appear on the Home tab.

Using Credential Caching


When users log on to Advanced Access Control, their credentials are passed
through to the Access Platform sites. If the credentials for Advanced Access
Control match the credentials for the Access Platform site, users are
automatically logged on to the site. Additionally, if Workspace Control is enabled
at the logon point, published applications that were disconnected in the previous
session are automatically reconnected. If these credentials differ, users are
prompted to provide the correct credentials. After logging on, users can select the
Remember my logon check box to avoid re-entering their Access Platform site
credentials. Users can also delete their cached credentials by clicking the Forget
My Logon icon.
Note: If users choose to store credentials for an Access Platform site and their
credentials for logging on to Advanced Access Control are later changed,
Advanced Access Control automatically deletes the stored credentials the next
time the users log on. The users are then prompted to re-enter their credentials for
the Access Platform site.

When you enable credential caching, Advanced Access Control stores the Access
Platform site credentials in the UserData table in the configuration database.
When a user logs on, the Web proxy reads the encrypted credentials from the
configuration database and forwards them to the Citrix Access Platform site. If
credential caching is disabled or the cached credentials for the site are incorrect,
users are prompted to enter the correct credentials to log on to the Access
Platform site.

Preserving Workspace Control


When users log on to Advanced Access Control, the credentials they enter are
used to provide Workspace Control with the Presentation Server farms specified
in the access server farm properties. If users enter one set of credentials to log on
to Advanced Access Control and a different set of credentials to log on to the
Access Platform site, they may not be able to disconnect or reconnect their
applications when you enable multiple sites to be displayed. To preserve
Workspace Control for users with differing sets of credentials, you perform the
following tasks:
• Associate each Citrix Access Platform site with its corresponding farm
configured in Advanced Access Control.
• Define a Secure Ticket Authority (STA) so the Access Gateway can
authenticate users to the farm. For more information about defining the
STA, see “Configuring Authentication with Citrix Presentation Server” on
page 100.

To enable the display of multiple Citrix Access Platform sites and enable
credential caching

1. On the Advanced Access Control server, create a .vbs file that contains the
following script:
' Enable credential caching and the display of multiple Access Platform
' sites by updating the FarmSettings table through the FarmSettingManager
' business object.
Dim object
Dim farmsetting
Set object = WScript.CreateObject("Citrix.Msam.Amc.BusinessObjects.FarmSettingManager")
Set farmsetting = object.GetFarmSetting()
farmsetting.CredentialCachingEnabled = 1
farmsetting.MultipleWebInterfaceEnabled = 1
' Write the modified settings back to the configuration database
object.UpdateFarmSetting farmsetting

2. Save and close the file.


3. Double-click the file to run the script.

To associate a Citrix Access Platform site with the corresponding farm

Before you can associate an Access Platform site with a Presentation Server farm,
you must configure the site as a Web resource and publish it for users to access
from the Access Interface. If you do not select Publish for users in their list of
resources when you configure the Access Platform site as a Web resource, the
site is not available to associate with a Presentation Server farm.
1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. From the Presentation Server Farms page, select the farm and click Edit.
3. On the Web Interface page, select the site you want to associate with the
farm.
To ensure Workspace Control functions for all users, you must define a STA in
the gateway properties. For more information, see “Configuring Authentication
with Citrix Presentation Server” on page 100.

Coordinating Advanced Access Control and Web Interface Settings
Certain Citrix Presentation Server settings are available for configuration within
Advanced Access Control and Web Interface. However, because a Citrix Access
Platform site integrated with Advanced Access Control can be referenced by
more than one logon point, it is possible for one logon point to embed a Citrix
Access Platform site within its Access Interface page while another logon point
displays the site as its default home page. This can cause conflicts with certain
published application settings. To ensure your settings work as intended, follow
the instructions below.
• Workspace Control. Disable all Advanced Access Control Workspace
Control settings for all logon points that have a Citrix Access Platform site
as their home page. This ensures that the settings configured within Web
Interface are used. All other logon points can have Workspace Control
configured as desired.
• Java Client Fallback. Ensure that logon points using the Access Interface
as their home page have the same Java Client fallback settings as the Citrix
Access Platform site.
• Session time-out. Ensure all logon points use the same settings as the
Citrix Access Platform site.

Configuring File Type Association


When file type association is allowed, users opening a document launch it in an
associated application running on servers in Citrix Presentation Server farms. For
example, if a user opens a document within a file share configured with file type
association, the document opens within a published application. File type
association is available to Web resources, file shares, and Web-based email.

To configure file type association for file shares, Web resources, and Web-
based email

Before you configure file type association, verify that published application
settings in Citrix Presentation Server specify the associations you want. For
example, if you want a published application to be launched for users when they
open a bitmap image (.bmp) file, make sure that the application’s settings
associate it with .bmp files.
1. Configure Citrix Presentation Server to communicate with Advanced
Access Control. See “Integrating Citrix Presentation Server” on page 157
for more information.
2. Specify the farm(s) you want to link to your access server farm. See
“Specifying Server Farms” on page 85 for more information.
3. Specify the Citrix Presentation Server farms available to the logon point.
See “Configuring Logon Points” on page 89 for more information.
4. Create an access policy for the file share, Web resource, or Web-based
email application and enable and allow the File Type Association action
control. See “Configuring Policy Settings to Control User Actions” on page
137 for more information.

Integrating Third-Party Portals


You can incorporate a Citrix Access Platform site into a third-party portal such as
SharePoint to provide convenient access to published applications next to other
Web applications and content. You can integrate Advanced Access Control within
this deployment to provide granular policy-based control over files, Web content
and applications, and published applications.
Important: Web Interface for Microsoft SharePoint is a Web Part that allows
the integration of a Web Interface within SharePoint. For more information about
Web Interface for Microsoft SharePoint, see the Citrix Web site. Generic third-
party portals must support the display of IFRAME-based Web content to properly
integrate a Citrix Access Platform site.

To display a Citrix Access Platform site in a portal

1. Configure Citrix Presentation Server to communicate with Advanced
Access Control. See “Integrating Citrix Presentation Server” on page 157
for more information.
2. Create a Web resource for the Citrix Access Platform site with the
following settings:
• When integrating with SharePoint, select SharePoint with Web
Interface Web Part application type
• When integrating with a generic third-party portal, select Citrix Web
Interface 4.2 or later application type
3. Enable the Publish for users in their list of resources check box.
4. Specify the appropriate policy settings for the Web resource referencing the
Citrix Access Platform site.
5. Create a Web resource for the SharePoint site or third-party portal
containing the Citrix Access Platform site and specify the appropriate
policy settings.
6. In Web Interface, configure a Citrix Access Platform site to use Advanced
Access Control as its access method by:
A. Selecting Using Advanced Access Control when specifying an
access method for the site
B. Entering the URL of the Advanced Access Control authentication
service
7. In both Web Interface and Advanced Access Control, ensure the Workspace
Control, Java Client fallback, and session time-out settings are configured
properly. For more information, see “Coordinating Advanced Access
Control and Web Interface Settings” on page 162.
CHAPTER 11

Verifying Requirements on Client Devices

Endpoint analysis is a process that scans a client device and detects information
such as the presence and version level of operating system, antivirus, firewall, or
browser software. Use endpoint analysis to verify that the client device meets
your requirements before allowing it to connect to your network. You can monitor
files, processes, and registry entries on the client device throughout the user
session to ensure that the device continues to meet requirements.
You can use two types of scans:
• Endpoint analysis scans detect information about the client device, such
as the presence and version level of operating system, antivirus, firewall, or
browser software. This information can be included as a filter within an
access policy or a connection policy. Endpoint analysis scans are run once,
during logon.
• Continuous scans are scans of the client device that occur repeatedly
throughout the session to ensure that the client device continues to meet
requirements. The feature prevents, for example, users from changing the
status of a client device requirement after establishing the connection.
Types of continuous scans include file scans, process scans, and registry
scans. For more information, see “Creating Continuous Scans” on page
178.
You can incorporate detected information into policies, enabling you to grant
different levels of access based upon the client device. For example, you can
provide full access with download permission to users who connect from the field
using corporate laptops that are up-to-date with antivirus and firewall software
requirements. For users connecting from kiosks or untrusted home computers,
you can provide a more restricted level of access that allows previewing
documents only or editing the documents on remote servers without downloading
them.
Endpoint analysis performs these basic steps:
• Examines an initial set of information about the client device to determine
which scans to apply
• Runs all applicable scans


• Compares property values detected on the client device against desired
property values listed in your configured scans
• Produces an output verifying if desired property values are found
When a user tries to connect through a logon point, endpoint analysis checks the
scans that are filtered for the logon point. All scans with conditions met by the
client device are run on the client device using the Endpoint Analysis Client
software. These scans return results (called scan outputs) of detected information
or True or False results of required property values.

Note: The Citrix Scans for Macintosh and Citrix Scans for Browser Type do not
require that the Endpoint Analysis Client software run on the client device. These
scans can gather their results from information provided to the server from the
client device directly, without using Endpoint Analysis Client software.

Note that scans with conditions not matching the client device do not run on the
client device; however, even these scans receive a default output defined by the
scan package, such as False.
Endpoint analysis completes before the user session consumes a license.

To configure endpoint analysis

Follow these general steps to configure endpoint analysis:


1. Identify the scan packages that check the properties you want to verify.
2. Create scans, configuring the conditions under which they run and the
properties they verify.
3. Add additional rules if you want a scan to apply to multiple scenarios.
4. Use scan outputs in policies when you configure policy filters.
5. Deploy client software to users.
You can log endpoint analysis events through the system Event Viewer. For more
information about auditing such events, see “Auditing Access to Corporate
Resources” on page 225.

Creating Endpoint Analysis Scans


Scans verify specific properties of client devices connecting to your network,
such as the installed version of an antivirus software product or verification that
the machine belongs to a required domain.
Scans have rules that define when the scan is applied to a client device. Each rule
includes a set of conditions, which are required attributes of the client device that
must all be met for the scan to be applied.
Creating a scan includes defining the prerequisite conditions under which the
scan runs and configuring the properties to verify.

Note: For detailed information about the configurable properties of a specific
scan, see the “Scan Properties Reference” on page 239.

To create a scan

1. In the console tree, select the scan package for the properties you want to
scan.
2. From the Common Tasks area, click Create scan.
3. Name the scan.
4. Select the conditions that will define when the scan runs.
5. Provide a rule name for the set of conditions and properties you are
configuring.
6. Select all acceptable values for each condition.
• The condition is met if the client device matches any of the values
you select
• The wizard presents a separate page for each condition
7. Configure the property values to verify.
• For example, to verify that a minimum version of an antivirus
program is running on the client device, enter the minimum version
number.
• The wizard presents a separate page for each property value the scan
verifies. If the scan verifies multiple property values, the client device
must meet the requirements for all specified values.
• Version numbers follow the typical syntax for the specific product
and require at least one decimal point; for example, 2.1 or 2.1.1.
For information about individual scan packages and the properties you can set for
them, see “Scan Properties Reference” on page 239.
After creating a scan, you can add more rules to make the scan apply to multiple
user scenarios.
Using Scan Outputs to Filter Policies


You can use endpoint analysis scan outputs to filter policy enforcement. Filtering
with scan outputs allows you to secure access to your network and resources
based on properties of the client device, such as whether or not it is running
required minimum levels of antivirus or firewall software.

To use a scan output in a policy

The following steps describe the general process for using scan outputs in
policies.
1. Create a scan that verifies the properties you require.
2. Create a policy filter that uses the scan output from Step 1.
3. Create a policy and assign to it the filter you created in Step 2.
Steps 2 and 3 above can be combined in the policy wizard.

Using Scan Outputs to Filter Logon Page Visibility


You can use the scanned information you discover about the client device to filter
users’ ability to see the logon page. For more information, see “Setting
Conditions for Showing the Logon Page” on page 141.

Scan Packages
Scan packages enable you to create scans to verify the properties of a client
device, such as the installed version of an antivirus software product. Each
package is designed to verify specific properties or software products.
Scan packages are listed in the console under the Endpoint Analysis node.
You can view individual properties of a scan package in the console, including a
description of its scan outputs. Look at the scan output descriptions when you
want to know which information about the client device is retrieved or verified.
A scan output can take two forms:
• Information about the client device. For example, the scan package Citrix
Scans for Trend OfficeScan detects and retrieves a value that is the product
version of Trend OfficeScan running on the client device, if any.
• A true/false Boolean verification indicating if the scan’s required property
values were detected.

To view the scan outputs produced by a scan package

1. In the console tree, select the scan package.


2. From the details pane on the right, select Properties from the display
menu. The scan output table describes each output produced by the
package.

Adding Rules to Scans


Rules are sets of conditions that define when to apply a scan and which property
values to check. Multiple rules can apply to a single scan. The first rule of a scan
is defined when you create the scan. After creating the scan, you can add more
rules to make the scan apply to multiple scenarios.
For example, the same scan can check for version X of an antivirus program on
devices running Windows NT-based operating systems. You can create a different
rule to check for version Y of the same antivirus program on devices running
earlier Windows operating systems.

To add a rule

1. Select the scan in the console tree and click Create rule in Common Tasks.
2. Follow the wizard prompts to define the rule’s name, condition settings,
and property value settings.

Example: Adding Multiple Rules to a Scan

Assume that your network security policy is to prevent access to client devices
unless they have Service Pack 4 installed for Windows 2000 and Service Pack 2
installed for any machines running Windows XP. You have an exception for
employees in the Tokyo office, because the Tokyo IT department decided not to
upgrade Windows XP to Service Pack 2 until further testing takes place. You can
use the same scan with different rules to verify the correct service pack for all
three of these scenarios.
Your environment includes a logon point named “Tokyo” that is used by your
Tokyo office users. Logon points apply settings to the connections that initiate
through their URLs.
The following steps create a scan that verifies these three service pack
requirements.
1. Create a scan with the Citrix Scans for Windows Service Pack, selecting the
Logon Point condition to configure.
2. Create the first rule during scan creation with these settings:
• Conditions: set the Operating system to Windows 2000 and set the
Logon point to all
• Property value to verify: set the minimum required service pack to
Service Pack 4
3. Add a second rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the
Logon point to all except Tokyo
• Property value to verify: set the minimum required service pack to
Service Pack 2
4. Add a third rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the
Logon point to Tokyo
• Required property value: set the minimum required service pack to
Service Pack 1

Using Scan Outputs in Other Scans


You can use scan outputs as conditions in other scans. This feature allows you to
make the result of one scan a condition for another scan to run.

To create conditions from scan outputs

You can create conditions from scan outputs in the following three ways:
• Select Endpoint Analysis or select a specific scan in the console tree and
click Edit available conditions list in Common Tasks
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition
• Select a scan output in the Properties view for a specific scan and click
Create condition

Example: Using a Scan Output as a Condition

Assume that you have two divisions, Sales and Finance, that are assigned their
own domain. The Sales group requires all of its client devices connecting
remotely to run Antivirus Program A, but the Finance group requires its client
devices to run Antivirus Program B.
Chapter 11 Verifying Requirements on Client Devices 171

Follow the steps below to verify that these client devices are running the required
antivirus program version.
1. Create two scans using Citrix Scans for Domain Membership:
• A Sales domain scan to verify that client devices belong to the Sales
domain
• A Finance domain scan to verify that client devices belong to the
Finance domain
2. Create a scan to check only Sales domain client devices for Antivirus
Program A:
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition and follow the prompts to
identify the scan output for the Sales domain scan you created in Step 1
• Use the scan output “Verified-domain” from the Sales domain scan as
your new condition and require it to have a value of “True”
3. Create a scan to check only Finance domain client devices for Antivirus
Program B:
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition and follow the prompts to
identify the scan output for the Finance domain scan you created in
Step 1
• Use the scan output “Verified-domain” from the Finance domain scan
as your new condition and require it to have a value of “True”
You can use scan outputs in custom filters to achieve similar results for complex
scenarios.
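The two examples above worked through in code: the three service pack rules selected by operating system and logon point, and a domain scan whose “Verified-domain” output gates an antivirus scan. This is an added illustration, not Citrix code or the product’s own evaluation logic; the class names, the “first applicable rule decides” behaviour and the sample client devices are assumptions.

```python
"""Model of how Endpoint Analysis rules, conditions and chained scan outputs
decide whether a client device meets a requirement. Added illustration, not
Citrix code: the names and the 'first applicable rule decides' behaviour are
assumptions; the rules in the text have mutually exclusive conditions."""
import re
from dataclasses import dataclass
from typing import Optional


def version_key(text):
    """'Service Pack 2' -> (2,), '8.5' -> (8, 5): a comparable numeric tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


@dataclass
class Condition:
    """One condition setting of a rule, e.g. Logon point = all except Tokyo."""
    name: str
    allowed: Optional[frozenset] = None   # None means 'all' values selected
    excluded: frozenset = frozenset()     # values deselected from 'all'

    def matches(self, value):
        if value is None or value in self.excluded:
            return False
        return self.allowed is None or value in self.allowed


@dataclass
class ScanRule:
    name: str
    conditions: list
    prop: str              # property detected on the client device
    required: str          # required property value
    mode: str = "minimum"  # 'minimum' (version compare) or 'equals'

    def applies(self, ctx):
        """A rule applies only when every one of its conditions matches."""
        return all(c.matches(ctx.get(c.name)) for c in self.conditions)

    def verify(self, ctx):
        detected = ctx.get(self.prop)
        if detected is None:
            return False
        if self.mode == "equals":
            return detected == self.required
        return version_key(detected) >= version_key(self.required)


@dataclass
class Scan:
    name: str
    rules: list
    output: str = "Verified"  # scan output name, e.g. 'Verified-domain'

    def run(self, ctx):
        """Return (applicable rule name or None, output value 'True'/'False')."""
        for rule in self.rules:
            if rule.applies(ctx):
                return rule.name, str(rule.verify(ctx))
        return None, "False"  # no rule applies: the requirement is not met


def run_scans(scans, client):
    """Run scans in order; each output is stored as '<scan name>.<output>' so a
    later scan can use it as a condition (Use Another Scan's Output as a Condition)."""
    ctx = dict(client)
    results = {}
    for scan in scans:
        rule, value = scan.run(ctx)
        ctx[f"{scan.name}.{scan.output}"] = value
        results[scan.name] = (rule, value)
    return results


# The three-rule scan from 'Adding Multiple Rules to a Scan'.
SERVICE_PACK_SCAN = Scan("Windows Service Pack", [
    ScanRule("Windows 2000 SP4",
             [Condition("Operating system", frozenset({"Windows 2000"})),
              Condition("Logon point")],  # all logon points
             "ServicePack", "Service Pack 4"),
    ScanRule("Windows XP SP2",
             [Condition("Operating system", frozenset({"Windows XP"})),
              Condition("Logon point", excluded=frozenset({"Tokyo"}))],
             "ServicePack", "Service Pack 2"),
    ScanRule("Windows XP SP1 Tokyo",
             [Condition("Operating system", frozenset({"Windows XP"})),
              Condition("Logon point", frozenset({"Tokyo"}))],
             "ServicePack", "Service Pack 1"),
])

# Domain scan gating an antivirus scan, as in 'Using a Scan Output as a
# Condition'. Domain and antivirus property names are constructed.
SALES_DOMAIN_SCAN = Scan("Sales domain scan", [ScanRule(
    "Sales member", [], "Domain", "SALES", "equals")], output="Verified-domain")
SALES_AV_SCAN = Scan("Antivirus Program A", [ScanRule(
    "Sales devices", [Condition("Sales domain scan.Verified-domain",
                                 frozenset({"True"}))], "AntivirusA", "8.0")])


def check_client(client):
    """Evaluate a client device (a dict of detected values) against all scans."""
    return run_scans([SERVICE_PACK_SCAN, SALES_DOMAIN_SCAN, SALES_AV_SCAN], client)
```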

Editing Conditions and Rules


Editing the Available Conditions
All rules for a scan share the scan’s list of available conditions. The available
conditions are the conditions that you can configure for the scan’s rules.
Interdependencies exist between the various rules and conditions of a scan.
If you edit the list of available conditions, be aware of the following
considerations:
• If you add to a scan’s list of available conditions, all existing rules for the
scan receive the new condition with all possible values selected for use. To
make sure you do not change the conditions of existing rules in unexpected
ways, check the properties for the scan’s rules after you add to the list of
available conditions.
• To remove a condition from a scan’s available conditions list, you must first
remove all rules that use the condition or select all possible values for the
condition in every rule that uses it.

Editing Rules
You can view all condition settings for a rule in the Properties display for the rule.
For example, if you add to the conditions that are available for a scan, all existing
rules of that scan receive the condition you added with all the settings selected.
You might need to adjust the settings that are automatically copied to existing
rules.
To edit the condition settings for a rule, select the rule in the console tree and
click Properties from the display menu in the details pane on the right.

Using Data Sets in Scans


Some scans reference a data set of values to compare against values detected on
the client device. For example, you might require multiple operating system
updates on the client device and need to verify that the entire set of updates are
present. Such a list of required updates is an example of a data set. Data sets are
stored in the farm database. You can create a data set by importing a comma-
separated values (.csv) file or by entering individual values.

Lists
Lists are single-column data sets that indicate multiple required values for a
single property. Scan packages that use lists include:
• Citrix Scans for Windows Update verifies that client devices are running all
of the updates you list in a data set
• Citrix Scans for Internet Explorer Update verifies that client devices are
running all of the updates you list in a data set

Maps
Maps, or double-column data sets, detect a value on the client device and map it
to another value used in the scan.
For example, Citrix Scans for MAC Address detects the MAC address for each
network interface card (NIC) or network adapter on the client device. The scans
reference a double-column data set to map the address (the first column value) to
a group name (the second column value). Scans use this mapping to verify the
logical group to which the client device belongs.

Creating Data Sets


Follow the procedure below to create a named data set and then enter data into it.
For a list (single-column data set), you can enter data manually or import it from
a .csv file. For a map (double-column data set), you must import initial data from
a .csv file.

Important: Data set values can be treated as case-sensitive, depending on the
scan package using the data set. If you are using such a package, avoid creating
conflicting entries that differ in case. For example, with the Citrix Scans for MAC
Address package, it is possible to create an entry for the same address and map it
to two different groups. One entry might map the address 00:50:8b:e8:f9:28 to the
Finance group. Another entry can map the same address with different case
lettering, 00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results
unreliable.

To create a data set

1. Select Endpoint Analysis in the console tree and click Manage data sets
in Common Tasks.
2. Select New.
3. Enter a name for the new data set.
4. Enter data in one of the following two ways:
• Enter a path to a .csv file containing initial data to import. You must
use this method to create a double-column set.
• Leave the file path blank to create an empty single-column data set.
Add values by editing the data set after you create it.
You can edit an existing data set from the Data Sets dialog box. To open Data
Sets, select Endpoint Analysis in the console tree and click Manage data sets in
Common Tasks.

Example: Verifying a Set of Required Updates

This example describes the steps for creating a scan to verify that client devices
are running required updates for Version 6.0 of Internet Explorer.
1. Use the Citrix Scans for Internet Explorer scan package to create a scan that
verifies whether or not the client device is running Version 6.0 of Internet
Explorer.
2. Create a single-column data set listing the Internet Explorer updates you
require if the client device is running Version 6.0. Example values for such
a data set might be KB834707, KB867232, and KB889293.
3. Use the Citrix Scans for Internet Explorer Update scan package to create a
scan to check for your required updates on client devices running Internet
Explorer Version 6.0.
A. On the Select Conditions page of the Create Scan wizard, click Use
Another Scan’s Output as a Condition and identify the scan output
that identifies product version from the scan you created in Step 1. In
the Define Values dialog box, name this new condition and add the
allowed value of 6.0.
B. When prompted for the property values of the required updates, select
the data set you created in Step 2.

Adding Scan Packages


Each scan package is designed to examine a set of properties for a specific
software product. You can expand the default set of scan packages by importing
new ones. Citrix, partners, or developers in your organization can develop
additional scan packages using the Endpoint Analysis Software Development Kit
(SDK) available on your product CD or the Citrix Web site at www.citrix.com.

To import a scan package

1. In the console tree, select a scan group or Endpoint Analysis and click
Import scan package in Common Tasks.
• If you want the package to appear in a scan group, you must select
that scan group.
• If you select Endpoint Analysis during the importing, the scan
package does not appear under a scan group and appears directly
under the Endpoint Analysis node.
2. Browse to the scan package file and click OK.

Grouping Scans
Default scan groups for such categories as antivirus, firewall, and operating
system software are provided in the console tree to help organize scan packages
and their scans. Scan groups can help you find scan packages or scans more
quickly. You can create and name your own groups.
Scan groups exist to organize items within the console tree only and have no
effect on how scans run.
To create a scan group, select Endpoint Analysis in the console tree and click
Create scan group in Common Tasks.

Adding Language Packs


A scan package developer can create language packs to expand the languages in
which the package creates scans. For example, a developer can first develop a
scan package for English and decide later to add language packs for French,
German, or Spanish as development proceeds. Language packs are typically
distributed as .cab files.

To import a language pack for a scan package

Select Endpoint Analysis in the console tree and click Import language pack in
Common Tasks.

Scripting and Scheduling Scan Updates


Two command utilities are available to assist you in writing scripts or scheduling
scan updates. You can run these utilities from a command prompt in the following
default location on the server:
\\Program Files\Citrix\Access Gateway\MSAMExtensions\

Note: You must run discovery after using these utilities for the console to find
and display the new values.

The next two sections describe each utility.


Updating Property Values in Scans


You can use the CtxEpaParamUpdate utility to update the required property
values for a scan. For example, if you require client devices to have a specified
pattern version level of antivirus software, you can create a script to update the
scan when you need to change which pattern file is being detected. This
command is designed for use as a scheduled task on a server with the Access
Management Console installed.
Use the following syntax, including quotation marks:
"ctxepaparamupdate" package_uri package_version "scan_name" "rule_name" "param_name" "new_value"

where the parameters are:

package_uri: URI of the scan package to which the scan belongs. You can find the URI information for a scan package in the management console Properties view for the scan package.
package_version: Version of the scan package to which the scan belongs. You can find the version information for a scan package in the management console Properties view for the scan package.
scan_name: Name of the scan in which the property is set.
rule_name: Name of the rule in which the required property value is set.
param_name: Parameter name for the required value. You can find the parameter name and its current setting in the management console in the Properties view for the scan rule.
new_value: The new value. If the required property has a restricted value range, this new value must be within that range.

Example: To update a scan with the CtxEpaParamUpdate utility

Let us assume you want to update an existing scan from the scan package Citrix
Scans for McAfee VirusScan Enterprise. To update the required engine version to
4.4 and the pattern version to 4641, type:
"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" "C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab" 1.0 "scan_name" "rule_name" "PatternVersion" "4641"

and also type:

"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" "C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab" 1.0 "scan_name" "rule_name" "EngineVersion" "4.4"

where scan_name and rule_name are the existing scan name and rule name. The
package path is quoted because it contains spaces.

Updating Data Sets


You can use CtxEpaDataSetUpdate to script or schedule updates to data sets. For
example, you might prefer to create your own script to automate a task such as
updating the pattern file number required for an antivirus program.
Use the following command options (switches) with this utility:

/import
   Description: Creates a new data set by importing a .csv file
   Syntax: ctxepadatasetupdate /import file_name.csv dataset_name
/reimport
   Description: Replaces all contents of an existing data set by importing a new .csv file
   Syntax: ctxepadatasetupdate /reimport file_name.csv dataset_name
/export
   Description: Exports the data set in a .csv file
   Syntax: ctxepadatasetupdate /export file_name.csv dataset_name
/destroy
   Description: Deletes the data set
   Syntax: ctxepadatasetupdate /destroy dataset_name
/add
   Description: Adds an additional value to the specified data set
   Syntax: ctxepadatasetupdate /add dataset_name key [value]
/overwrite
   Description: Replaces an entry in a mapping (double-column) data set
   Syntax: ctxepadatasetupdate /overwrite dataset_name key value
/remove
   Description: Deletes an entry in a data set
   Syntax: ctxepadatasetupdate /remove dataset_name key

Use the following parameters in the command options above:

file_name.csv: The name of the .csv file that contains the data set
dataset_name: The name for the data set
key: If the data set is a list (single-column data set), this is a value in the list. If the data set is a map (double-column data set), this is the first column value.
value: If the data set is a map (double-column data set), this is the second column value. If the data set is a list (single-column data set), this parameter does not exist.

For more information about data sets, see “Using Data Sets in Scans” on page
172.
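Before handing a map (double-column) .csv to ctxepadatasetupdate /import, it is worth checking it for the case conflicts the data set note warns about and for malformed rows. The following is an added example, not a Citrix tool: the .csv rows are constructed, and quoting arguments that contain spaces is an assumption about cmd.exe, not documented behaviour of the utility.

```python
"""Pre-import check for an Endpoint Analysis map (double-column) data set.
Added example, not a Citrix tool: it parses the .csv that would be handed to
'ctxepadatasetupdate /import', reports keys that differ only in case but map
to different groups (the conflict the data set note warns about), rewrites
MAC-address keys in one canonical form and builds the import command line.
The sample rows below are constructed."""
import csv
import io
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(value):
    """Lower-case, colon-separated MAC address; other values only stripped."""
    value = value.strip()
    if MAC_RE.match(value):
        return value.lower().replace("-", ":")
    return value


def load_map(text):
    """Parse map rows as (key, value); every non-empty row needs two columns."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, got {len(row)}")
        rows.append((row[0].strip(), row[1].strip()))
    return rows


def find_case_conflicts(rows):
    """Keys equal ignoring case (after MAC normalisation) that map to
    different groups, e.g. 00:50:8b:e8:f9:28 -> Finance and
    00:50:8B:E8:F9:28 -> Sales. Returns {canonical key: sorted entries}."""
    buckets = defaultdict(set)
    for key, group in rows:
        buckets[normalize_mac(key).lower()].add((key, group))
    return {k: sorted(v) for k, v in buckets.items()
            if len({group for _, group in v}) > 1}


def normalized_csv(rows):
    """Re-emit the rows with canonical keys, dropping exact duplicates."""
    seen, out = set(), io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for key, group in rows:
        entry = (normalize_mac(key), group)
        if entry not in seen:
            seen.add(entry)
            writer.writerow(entry)
    return out.getvalue()


def quote_arg(arg):
    """Quote an argument for cmd.exe only when it contains whitespace (assumption)."""
    return f'"{arg}"' if re.search(r"\s", arg) else arg


def import_command(csv_path, dataset_name, reimport=False):
    """The /import (or /reimport) command line from the CtxEpaDataSetUpdate
    switch table, with arguments quoted when they contain spaces."""
    switch = "/reimport" if reimport else "/import"
    return f"ctxepadatasetupdate {switch} {quote_arg(csv_path)} {quote_arg(dataset_name)}"


def prepare_import(text, csv_path, dataset_name):
    """Return (conflicts, normalised csv text, command). The command is None
    while conflicts remain, so nothing that makes scan results unreliable is imported."""
    rows = load_map(text)
    conflicts = find_case_conflicts(rows)
    command = None if conflicts else import_command(csv_path, dataset_name)
    return conflicts, normalized_csv(rows), command


# Constructed sample: the two conflicting entries from the note plus a pair
# that differs only in separator and case but maps to the same group.
SAMPLE_CSV = """00:50:8b:e8:f9:28,Finance
00:50:8B:E8:F9:28,Sales
00-1a-2b-3c-4d-5e,Sales
00:1A:2B:3C:4D:5E,Sales
"""

if __name__ == "__main__":
    conflicts, fixed, command = prepare_import(SAMPLE_CSV, "macgroups.csv", "MAC groups")
    for key, entries in conflicts.items():
        print(f"conflict for {key}: {entries}")
    print(fixed)
    print(command or "fix the conflicts before importing")
```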

To locate official parameter names in scans

You can find parameter names from the scan properties in the console.
1. In the console tree select a rule associated with the scan and choose the
Properties view in the right details pane.
2. Select the row that displays the property and look in the Parameter Name
column.

Creating Continuous Scans


Continuous scans verify required files, processes, or registry entries on client
devices connecting to your network. These scans run repeatedly during the user
session to ensure that the client device continues to meet your requirements. You
use continuous scans to define requirements for connection policies. If a file,
process, or registry scan required by a connection policy ceases to be verified, the
connection is disconnected.
Each continuous scan checks a single file, process, or registry entry on the client
device. You can bundle multiple scans together when you create a continuous
scan filter. When assigned to a connection policy, the filter represents the
requirements that are checked continuously during a connection. Unlike
continuous scan filters, other filters attached to policies verify their requirements
only at logon.

To create a file scan

1. In the console tree, select Policies > Continuous Scans > File Scans and
click Create file scan from Common Tasks.
2. Name the scan.
3. Enter the file path.
4. Enter the following optional information you can require the scan to find:
• For Date on or after, enter a date to be verified against the file’s
creation date.
• The MD5 digital signature is added automatically from the entered
file path. You can modify this value if a different signature is required
on the client device. Because the MD5 signature for an executable
file can differ among different machine platforms, verify that the
signature you enter is used by your client devices.

To create a process scan

1. In the console tree, select Policies > Continuous Scans > Process Scans
and click Create process scan from Common Tasks.
2. Name the scan.
3. Type the name or browse to the process.
4. The MD5 digital signature is added automatically from the entered file
path. You can modify this value if a different signature is required on the
client device. The MD5 digital signature is not required and can be left
blank. Because the MD5 signature for an executable file can differ among
different machine platforms, verify that the signature you enter is used by
your client devices.

To create a registry scan

1. In the console tree, select Policies > Continuous Scans > Registry Scans
and click Create registry scan from Common Tasks.
2. Name the scan.
3. Type the Registry path, Registry type, Entry name, and Entry value.

CHAPTER 12

Providing Secure Access to Corporate Email

Use Advanced Access Control to provide policy-based access to data on internal
servers, including email servers. When you configure your content aggregation
point—your intranet or corporate portal—you can provide your users with secure
access to their email accounts. Using access policies, you can determine what
level of access to give users and then what actions users can take after they are
granted access.
With Advanced Access Control, you can:
• Integrate the email solution you are already using with the secure remote
access Advanced Access Control provides. For example, if you are already
using Microsoft Outlook Web Access or Lotus iNotes/Domino Web Access
to allow users to access their email over the Web, you can integrate either of
those front ends with a content aggregation point such as your intranet or
corporate portal. Users then get remote access to their email from this
aggregation point, whether you decide to use the Access Interface provided
with Advanced Access Control or another portal solution you have in place.
If you do not already use Outlook Web Access or iNotes/Domino Web
Access to allow your users to access their email over the Web, you can use
the Web-based email interface provided with Advanced Access Control.
• Provide access to any email applications you publish with Citrix
Presentation Server. You can include the links to published applications in a
Presentation Server Web site.
• Provide users with the ability to securely connect to their email accounts on
Microsoft Exchange or Lotus Notes/Domino servers. Users can access all
email functions as well as synchronize their email data to their client
devices for offline use.
• Provide users of small form factor devices, such as Personal Digital
Assistants (PDAs), with secure remote access to email.
• Allow users to attach to email message files stored on network shares
without having to download the file to their local client device.

Similar to other resources accessible through Advanced Access Control, you
control access to email through policies. For example, you can create a policy to
grant specific user groups access to Web-based email and create another policy to
prevent specific user groups from synchronizing the data in their email accounts
to their client devices.
Additionally, you can create a policy that allows a specific user group to
download attachments they receive using Web-based email and another policy
that prevents a different user group from performing this action.

Note: If recipients access their email through Advanced Access Control and it
contains an embedded link to a file share or Web resource, a policy allowing the
recipients access to that resource is also required. However, if the email is sent to
recipients not using Advanced Access Control to access their email, no additional
permissions are required. These users can view the attachment without policy
restrictions.

Choosing an Email Solution


To decide which email solution to provide, look at what type of access your users
need, what resources you already have in use in your network, and how much
control you want to have over user actions after they are granted access.
For example, if you want to allow users to securely access their email accounts
over the Internet and you are already using Outlook Web Access, you can
integrate the Outlook Web Access interface into the Email tab of the Access
Interface included with Advanced Access Control.
Conversely, if you want to allow remote access to email and are not already using
a Web front-end to your email servers, you can use the Web-based email interface
included with Advanced Access Control.
The following table lists the types of access to email and what you should
consider when deciding whether or not to choose each option. For information
about the minimum requirements for each email solution presented in this
chapter, see “Feature Requirements” on page 46.

Web-based email with Outlook Web Access or iNotes/Domino Web Access
   Client device requirements: Compatible browser; see product documentation for additional requirements
   Server requirements: Email server (Microsoft Exchange or Lotus Notes/Domino)
   Small form factor support: No
   Policy enforcement when accessing file attachments: Yes

Web-based email with the Access Interface
   Client device requirements: Compatible browser (no other client software required)
   Server requirements: Microsoft Exchange only (Notes/Domino not supported in this configuration)
   Small form factor support: Yes
   Policy enforcement when accessing file attachments: Yes

Synchronization of email data to client devices
   Client device requirements: Email software (Microsoft Outlook or Lotus Notes) and Secure Access Client
   Server requirements: Email server (Microsoft Exchange or Lotus Notes/Domino)
   Small form factor support: No
   Policy enforcement when accessing file attachments: No

Email application published with Citrix Presentation Server
   Client device requirements: Presentation Server Client
   Server requirements: Citrix Presentation Server
   Small form factor support: No
   Policy enforcement when accessing file attachments: No

Providing Access to Published Email Applications


If you are using Citrix Presentation Server to provide access to email applications
published on internal servers, you can easily integrate access to these applications
with your Advanced Access Control deployment.
Providing access to email through published applications extends the
SmartAccess capabilities of Advanced Access Control to Presentation Server by
incorporating Advanced Access Control policy information such as endpoint
analysis within Presentation Server policies. In addition, requiring users to access
email by launching applications published with Presentation Server is the most
secure method of providing email access because data never leaves the corporate
network.

Note: You can combine email access methods if you want to provide more than
one method of remote access. For example, in addition to providing access to
published email applications, you can also configure a Web-based email solution.

To provide access to published email applications

1. Publish and configure your email application for SmartAccess in
Presentation Server.
2. Configure a Presentation Server Web site.

Providing Users with Secure Web-Based Email


With Advanced Access Control, you can provide access to email accounts using
the following Web-based interfaces.
• The Web-based email interface included with Advanced Access Control
allows users to access email accounts on Microsoft Exchange servers.
Users do not need to download or install client software to access their
email using this interface; they need to run only a supported browser.
Additionally, the Web-based email user interface included with Advanced
Access Control is the only way to provide Web-based email access to PDAs
and other small form factor devices.
• Microsoft Outlook Web Access allows users to access email accounts on
Microsoft Exchange servers.
• Lotus iNotes/Domino Web Access allows users to access email accounts on
Lotus Notes/Domino servers.

Important: Advanced Access Control supports one back-end cluster—Notes/
Domino or Exchange—per access server farm. However, you can configure
multiple Outlook Web Access servers when using Exchange or multiple iNotes/
Domino Web Access servers when using Lotus Notes/Domino.

If you are using a portal solution, you can integrate the Web-based email interface
included with Advanced Access Control with these portal products. See
“Integrating Web-Based Email Access with a Third-Party Portal” on page 187 for
more information.
When you configure Web-based email access, users access their email from the
Email tab on the Access Interface. If you prefer, you can configure Advanced
Access Control so that the Web-based email interface is the default interface users
see when they log on to Advanced Access Control. See “Configuring Logon
Points” on page 89 for more information about how to achieve this configuration.

Enabling Access to Web-Based Email


The basic steps to follow to enable access to Web-based email are:
• Configure Web-based email in Advanced Access Control
• Create policies to allow access to the email resource

Each of these steps is discussed in more detail below.

To configure Web-based email for Microsoft Exchange

Use the following procedure to allow users to send and receive Web-based email
with Microsoft Exchange.
1. In the console tree, select Web Email and click Configure Web email in
Common Tasks.
2. Select Microsoft Exchange.
3. Select the Enable Web-based access check box.
4. Select one of the following Web-based interfaces:
• Email interface included with Advanced Access Control. Allows
access to email without the need for users to download or install
client software; they need to run only a supported browser.
   • Specify the IP address, FQDN, or NetBIOS name of your
   Microsoft Exchange server.
   • Display email as HTML to support advanced text formatting
   features including numbering, bullets, alignment, and linking to
   file shares and Web pages. Only enable this option when email
   messages originate from trusted sources within your corporate
   network.

   Caution: If email messages originate from outside your corporate
   network, configure Web email to display messages in plain text.
   Failure to do so may expose your Advanced Access Control servers
   and client devices to attacks using embedded malicious code within
   HTML-formatted messages. Displaying messages as plain text
   mitigates these types of attacks. Therefore, Citrix recommends
   configuring Web email to display messages in plain text when any
   email messages originate from outside your corporate network.

• Use Microsoft Outlook Web Access. Allows access to email using
Outlook Web Access.
   • Specify the application’s start page as well as the URLs for
   which the application requires access. The start page should
   resemble http://servername/exchange, where servername is the
   IP address, FQDN, or NetBIOS name of your Exchange server.
   If you use a load balancer to manage Outlook Web Access
   servers, enter the URL of the load balancer as the start page and
   add the Outlook Web Access servers as URLs accessible by the
   application.

   Note: To allow access to an entire server, add http://servername to
   the URL list, where servername is the IP address, FQDN, or
   NetBIOS name of your Exchange server. This configuration is useful
   when providing access to dedicated Microsoft Exchange servers.

   • Enable the interface common for all browser types option to
   suppress the presentation of browser-specific ActiveX controls
   and other advanced display types. Citrix recommends this
   option if you have users who cannot download ActiveX
   controls or who use a variety of browser versions.

   Note: Citrix recommends that you first test your Web-based email
   application with this option disabled. If your testing reveals that the
   application displays improperly, enable this option and verify that the
   issue no longer exists.

To configure Web-based Email for Lotus Notes/Domino

Use the following procedure to allow users to send and receive Web-based email
with Lotus Notes/Domino.
1. In the console tree, select Web Email and click Configure Web email in
Common Tasks.
2. Select Lotus Notes/Domino or other email applications.
3. Select Enable Web-based access.
4. Specify the application’s start page as well as URLs for which the
application requires access. If you use a load balancer to manage iNotes
servers, enter the URL of the load balancer as the start page and add the
iNotes servers as URLs accessible by the application.
You can use dynamic token replacement to accommodate explicit links to
individual user database files. For example, enter
http://servername/mail/#<username>.nsf, where servername is the
NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server
and the username token is replaced with the user’s user name obtained from
Active Directory or Windows NT Directory Services. For a complete list of
tokens supported by Advanced Access Control, see “Using Dynamic
System Tokens” on page 128.

Note: To allow access to an entire server, add http://servername to the
URL list, where servername is the IP address, FQDN, or NetBIOS name of
your Lotus Notes/Domino server. This configuration is useful when
providing access to dedicated Lotus Notes/Domino servers.

5. Enable the interface common for all browser types option to suppress the
presentation of browser-specific ActiveX controls and other advanced
display types. Citrix recommends this option if you have users who cannot
download ActiveX controls or who use a variety of browser versions.

Note: Citrix recommends that you first test your Web-based email
application with this option disabled. If your testing reveals that the
application displays improperly, enable this option and verify that the issue
no longer exists.

6. Select the appropriate version of Lotus iNotes/Domino Web Access from
the available email application types.
When you are done configuring Web-based email, you must create a policy that
allows users to access email.
To allow user access to email, create a policy following the steps in “Creating
Access Policies” on page 135.

Note: For a recipient to access an email attachment through Advanced Access
Control, an email policy that grants the recipient at least one of the following
actions is required: download, HTML Preview, or Live Edit. Web-based email
attachments cannot be accessed through file type association.

Integrating Web-Based Email Access with a Third-Party Portal

If you are using the Web-based email interface included with Advanced Access
Control to provide users with access to their email, you can integrate this
interface into any portal solution. For example, if you are using Microsoft
SharePoint as your corporate portal or information aggregation point, you can
display the Web-based email interface included with Advanced Access Control in
the SharePoint portal.

To integrate the Web-based email interface with a third-party portal

1. Configure the Web-based email interface included with Advanced Access
Control. See “Providing Users with Secure Web-Based Email” on page 184
for instructions about how to do this.
2. Configure your portal product’s Web site viewer to display the Web-based
email interface at http://servername/citrixfei/classic.asp, where servername
is the name of a Web server running Advanced Access Control.

Providing Users with Secure Access to Email Accounts


Use Advanced Access Control to allow users to securely access their email
accounts on Microsoft Exchange servers or Lotus Notes/Domino servers.

Important: To securely connect to email accounts and synchronize email to
client devices, users must have the Secure Access Client installed on their client
device.

When you configure this feature, roaming workers—whether connected over the
Web or within the enterprise—can securely connect to their email accounts on the
Exchange or Lotus Notes/Domino server and synchronize their locally installed
email application with the data stored on the corporate email server. This allows
users to work with their calendars, tasks, and contacts in real time when working
online, and then to synchronize their folders in preparation for working offline.
Use this feature if you want remote users with laptops to be able to securely
access and synchronize email as they move between office workstations, laptops,
and home workstations.

Important: Advanced Access Control does not control access to any
attachments users receive when they connect to their email accounts through the
Secure Access Client. If you enable and configure the email synchronization
feature, users can access any attachments they receive without policy-based
restrictions.

The basic steps involved in allowing users to work with and synchronize their
email accounts to their client devices are:
• Configure the email synchronization feature
• Create a policy to allow users to use the email synchronization feature
• Open the appropriate ports on the firewall between the Access Gateway and
internal mail servers
Chapter 12 Providing Secure Access to Corporate Email 189

Each of these steps is discussed in more detail below.

To configure email synchronization

1. In the console tree, select Email Synchronization and choose Configure
email synchronization from Common Tasks.
2. Select Enable Email Synchronization.
3. Select the appropriate email server for your environment.
• If you select Microsoft Exchange, click New to enter the NetBIOS
name, IP address, or FQDN of your Exchange server. Add additional
Exchange servers if users will be connecting to more than one server.
When you add an Exchange server, Advanced Access Control
connects to the specified host and determines the secondary port
required for Messaging Application Programming Interface (MAPI).
Because this information is stored and not dynamically updated,
consider configuring your Exchange servers so that all MAPI ports
remain static. If you do not configure your Exchange servers this
way, you will need to reconfigure email synchronization in Advanced
Access Control each time the Exchange server restarts.
• If you select Lotus Notes/Domino, enter the NetBIOS name, IP
address, or FQDN of your Lotus Notes/Domino server. Port 1352 is
used by default. Modify the port if necessary.

Note: If you are using a TCP/IP-based email application other than
Exchange or Notes/Domino, you can use network resources to provide the
same level of functionality available with the email synchronization
feature. For more information about configuring network resources, see
“Creating Network Resources for VPN Access” on page 119.

When you are done configuring email synchronization, you must create a policy
that allows users to access this resource.

To create a policy to allow email synchronization

Create a policy to allow users to synchronize their email data to their client
devices following the steps in “Creating Access Policies” on page 135.
When you are done creating a policy to allow users to synchronize their email
data to their client devices, you must configure your firewall ports to allow users
to connect.

To configure your firewall for email synchronization

1. Open your firewall application.
2. Set the port status as required for your environment. If the traffic between
your email server and the Access Gateway is secured, the data runs over
port 443.

Enabling Users to Attach Files to Web-Based Email

You can configure Advanced Access Control to allow users to attach documents
to new email messages directly from Web resources and file shares. When you
enable this feature, users can see and use the Send as attachment option from
configured Web resources and file shares. In addition, users can send files as
email attachments when using the Live Edit feature. When a user selects this
option, the file is attached to the Web-based email interface configured for your
environment.

To configure Web email to support sending email attachments

1. In the console tree, select Email and choose Configure Web email from
Common Tasks.
2. On the Enable Web-based Email page, select the Enable Send as
Attachments for file shares check box.
3. Additional configuration depends on the email application server selected.
• Microsoft Exchange. Specify the NetBIOS name, IP address, or
FQDN of your Microsoft Exchange server. Advanced Access Control
uses the Microsoft Exchange server configuration information to
determine the MAPI server.
• Lotus Notes/Domino. Specify the name or IP address of the SMTP
(Simple Mail Transfer Protocol) and LDAP (Lightweight Directory
Access Protocol) servers.

Note: If you are using Notes/Domino servers, ensure SMTP port relay
outbound restrictions do not prevent users outside of the corporate network
from sending emails. For example, you can configure Notes/Domino
servers to allow all authenticated users to send outgoing email. Refer to
your Notes/Domino product documentation for additional information
about configuring SMTP port relay outbound restrictions.

4. Create a file share policy permitting the emailing of files as attachments.
For more information about the email as attachment permission, see
“Allowing Email Attachments” on page 139.

Restricting File Attachment Types

The Web-based email interface included with Advanced Access Control provides
two levels of security for file attachments. The first level of security includes file
types blocked by Advanced Access Control. The second level of security includes
file types that can be downloaded only to the user’s client device and cannot be
accessed using HTML Preview, Live Edit, or file type association.
The default file types included in each level of security are defined in the table
below.

File Type

Level 1 (Blocked File Types):
.ade .adp .app .asx .bas .bat .chm .cmd .com .cpl .crt .csh .exe .fxp .hlp .hta
.inf .ins .isp .js .jse .ksh .lnk .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp
.mst .ops .pcd .pif .prf .prg .reg .scf .scr .sct .shb .shs .url .vb .vbe .vbs
.wsc .wsf .wsh

Level 2 (Download Only File Types):
.ade .adp .asx .bas .bat .chm .cmd .com .cpl .crt .dcr .dir .exe .hlp .hta .htm
.html .htc .inf .ins .isp .js .jse .lnk .mda .mdb .mde .mdz .mht .mhtml .msc
.msi .msp .mst .pcd .pif .plg .prf .reg .scf .scr .sct .shb .shs .shtm .shtml
.spl .stm .swf .url .vb .vbe .vbs .wsc .wsf .wsh .xml

You can add file types to and remove them from either security level by using
Registry Editor. If a file type is added to both levels, it is treated as a Level 1
file type.

Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that
problems resulting from incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Make sure you back up the registry before you
edit it.

To modify file attachment type security lists

1. In Registry Editor, find the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MSAM\FEI\FileExt
2. Edit the NoActivations value to modify Level 1 (blocked) file types and the
DownloadOnly value to modify Level 2 (download only) file types.

Note: Separate each new file type from the previous one with a new line, with
no additional spaces, and include the leading dot.
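The following Python script is added here as an example; it is not part of the Citrix product or of this guide. It models the two security levels the way an administrator would check them before editing the registry: it parses text in the one-extension-per-line format that the NoActivations and DownloadOnly values use, rejects entries that break the format rule in the note above, and reports which actions remain available for a given attachment name, treating a type present in both lists as Level 1. The two lists in the script are constructed, abridged copies of the defaults, and the case-insensitive comparison is an assumption rather than something the guide states.

```python
"""Model of the two-level attachment restriction applied by the Web-based
email interface (added example, not Citrix code).

The NoActivations (Level 1, blocked) and DownloadOnly (Level 2, download only)
values under HKEY_LOCAL_MACHINE\\SOFTWARE\\Citrix\\MSAM\\FEI\\FileExt hold one
extension per line, each with its leading dot.  This script parses text in
that format, rejects entries that violate the format rule, and classifies
attachment names as the guide describes: a type in both lists is Level 1.
The two lists below are constructed, abridged copies of the defaults; the
case-insensitive comparison is an assumption, not something the guide states.
"""
import os

UNRESTRICTED, LEVEL1_BLOCKED, LEVEL2_DOWNLOAD_ONLY = 0, 1, 2

# Constructed samples of the two registry values (abridged defaults).
NO_ACTIVATIONS_SAMPLE = "\n".join([".exe", ".bat", ".cmd", ".js", ".vbs", ".msi", ".reg"])
DOWNLOAD_ONLY_SAMPLE = "\n".join([".exe", ".js", ".htm", ".html", ".xml", ".swf"])


def parse_extension_list(raw):
    """Return the set of extensions in a newline-separated list.

    Raises ValueError when an entry has surrounding whitespace or lacks the
    leading dot, the two mistakes the guide's note warns about.
    """
    exts = set()
    for lineno, line in enumerate(raw.split("\n"), 1):
        if line == "":
            continue  # tolerate a trailing newline
        if line != line.strip():
            raise ValueError(f"line {lineno}: whitespace around {line!r}")
        if not line.startswith(".") or len(line) < 2:
            raise ValueError(f"line {lineno}: missing leading dot in {line!r}")
        exts.add(line.lower())  # case-insensitive match (assumption)
    return exts


def is_valid_extension_list(raw):
    """True when parse_extension_list() accepts the text unchanged."""
    try:
        parse_extension_list(raw)
    except ValueError:
        return False
    return True


def classify(filename, blocked, download_only):
    """Security level for an attachment name; Level 1 wins over Level 2."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in blocked:
        return LEVEL1_BLOCKED
    if ext in download_only:
        return LEVEL2_DOWNLOAD_ONLY
    return UNRESTRICTED


def allowed_actions(filename, blocked, download_only):
    """Actions the file-type level leaves available.

    This models only the file-type restriction; the user's email policy must
    still grant each action (file type association is never available for
    Web-based email attachments).
    """
    level = classify(filename, blocked, download_only)
    if level == LEVEL1_BLOCKED:
        return set()
    if level == LEVEL2_DOWNLOAD_ONLY:
        return {"download"}
    return {"download", "html_preview", "live_edit"}


if __name__ == "__main__":
    blocked = parse_extension_list(NO_ACTIVATIONS_SAMPLE)
    download_only = parse_extension_list(DOWNLOAD_ONLY_SAMPLE)
    for name in ("setup.EXE", "page.htm", "notes.txt", "archive.tar.gz"):
        print(f"{name}: {sorted(allowed_actions(name, blocked, download_only))}")
```

Run it on the text copied out of Registry Editor to confirm that an edited list still parses before the Web-based email interface picks it up; the actions it reports are those the file-type level permits, and the recipient's email policy must still grant each of them.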

Enabling Access to Email on Small Form Factor Devices

Using the Web-based email interface included with Advanced Access Control,
you can provide email access to users of specific PDAs and other small form
factor devices. For a list of supported small form factor devices, see “Client
Requirements” on page 58.
To allow users of small form factor devices to access their email, choose one of
these options:
• Configure the Web-based email interface included with Advanced Access
Control as the default Web-based email interface. If you configure the
Advanced Access Control Web-based email interface as the default, all
users access this interface for their Web-based email, regardless of the type
of device from which they connect. See “Providing Users with Secure Web-Based
Email” on page 184 for information about how to make the
Advanced Access Control Web-based email interface the default interface.
• Configure the Web-based email interface included with Advanced Access
Control to be displayed specifically to users connecting from small form
factor devices. Use this configuration if you want users to see the Outlook
Web Access interface when they connect from other device types.
If you configure the Web-based email interface included with Advanced
Access Control to be displayed specifically to users connecting from small
form factor devices, the logon point detects that the connection is from a
small form factor device and automatically presents the Advanced Access
Control Web-based email interface.
To configure the Web-based email interface included with Advanced Access
Control to be displayed specifically to users connecting from small form factor
devices, follow the instructions below.

Note: This feature is not available to Lotus iNotes/Domino Web Access users.

To configure the Web-based email interface for use with small form factor
devices

When configuring Web-based access to Exchange as described in “Providing
Users with Secure Web-Based Email” on page 148, select one of the following
options:
• Email interface included with Advanced Access Control. Displays the
email interface included with Advanced Access Control for all users,
regardless of the connecting device's form factor. Advanced Access
Control detects the form factor of the connecting device and presents the
appropriate interface for that connection. For example, Advanced Access
Control displays a small interface for users connecting with a small form
factor device.
• Microsoft Outlook Web Access and enable the Provide support for small
form factor devices feature. Advanced Access Control detects the form
factor of the connecting device and displays the email interface included
with Advanced Access Control for users connecting with small form factor
devices. Microsoft Outlook Web Access is provided for standard form
factor devices such as workstations and home computers.

Updating the Mapisvc.inf File

If you are using Microsoft Exchange 2000 and you want to use the default Email
Interface, install Microsoft Exchange System Management Tools before you
install Advanced Access Control. Then, update the mapisvc.inf file. If you are
using Microsoft Exchange 2003, you do not need to change the mapisvc.inf file.

To update the mapisvc.inf file

1. Save a copy of the mapisvc.inf file.
2. Insert the following lines:
[SERVICES]
MSEMS=Microsoft Exchange Server
[MSEMS]
PR_DISPLAY_NAME=Microsoft Exchange Server
Sections=MSEMS_MSMail_Section
PR_SERVICE_DLL_NAME=emsui.dll
PR_SERVICE_ENTRY_NAME=EMSCfg
PR_RESOURCE_FLAGS=SERVICE_SINGLE_COPY
WIZARD_ENTRY_NAME=EMSWizardEntry
Providers=ems_dsa, ems_mdb_public, ems_mdb_private
PR_SERVICE_SUPPORT_FILES=emsui.dll, emsabp.dll, emsmdb.dll
[Default Services]
MSEMS=Microsoft Exchange Server
[EMS_MDB_public]
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_FLAGS=STATUS_NO_DEFAULT_STORE
66090003=06000000
660A0003=03000000
34140102=78b2fa70aff711cd9bc800aa002fc45a
PR_DISPLAY_NAME=Public Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_MDB_private]
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITY|STATUS_DEFAULT_STORE|STATUS_PRIMARY_STORE
66090003=0C000000
660A0003=01000000
34140102=5494A1C0297F101BA58708002B2A2517
PR_DISPLAY_NAME=Private Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_DSA]
PR_DISPLAY_NAME=Microsoft Exchange Directory Service
PR_PROVIDER_DISPLAY=Microsoft Exchange Directory Service
PR_PROVIDER_DLL_NAME=EMSABP.DLL
PR_RESOURCE_TYPE=MAPI_AB_PROVIDER
[MSEMS_MSMail_Section]
UID=13DBB0C8AA05101A9BB000AA002FC45A
66000003=01050000
66010003=04000000
66050003=03000000
66040003=02000000

3. Restart the Access Gateway Server COM+ application. For more
information, see “Restarting COM+ Applications” on page 216.
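An added example, not from Citrix or from this guide: a Python check of the structure of the mapisvc.inf entries above, to run on the edited file before step 3 so that a mistyped section or provider name is found before the COM+ restart. It parses the INI-style file, then verifies that every service listed in [SERVICES] has a section, that each Sections and Providers reference resolves, that each provider names its DLL and resource type, that every provider DLL appears in PR_SERVICE_SUPPORT_FILES, and that [Default Services] names a known service. The text embedded in the script is constructed from the lines above with the numeric property entries omitted; treating names case-insensitively is an assumption about how MAPI reads the file.

```python
"""Structural check of mapisvc.inf service entries (added example, not Citrix
code).  Parses the INI-style file and reports dangling references between
[SERVICES], the service section, its Providers and Sections, so a typo is
caught before the COM+ application is restarted.  The sample is constructed
from the guide's lines with numeric property entries omitted; name matching
is case-insensitive (assumption)."""
import sys

SAMPLE_MAPISVC = """\
[SERVICES]
MSEMS=Microsoft Exchange Server
[MSEMS]
PR_DISPLAY_NAME=Microsoft Exchange Server
Sections=MSEMS_MSMail_Section
PR_SERVICE_DLL_NAME=emsui.dll
PR_SERVICE_ENTRY_NAME=EMSCfg
PR_RESOURCE_FLAGS=SERVICE_SINGLE_COPY
WIZARD_ENTRY_NAME=EMSWizardEntry
Providers=ems_dsa, ems_mdb_public, ems_mdb_private
PR_SERVICE_SUPPORT_FILES=emsui.dll, emsabp.dll, emsmdb.dll
[Default Services]
MSEMS=Microsoft Exchange Server
[EMS_MDB_public]
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_DISPLAY_NAME=Public Folders
[EMS_MDB_private]
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_DISPLAY_NAME=Private Folders
[EMS_DSA]
PR_DISPLAY_NAME=Microsoft Exchange Directory Service
PR_PROVIDER_DLL_NAME=EMSABP.DLL
PR_RESOURCE_TYPE=MAPI_AB_PROVIDER
[MSEMS_MSMail_Section]
UID=13DBB0C8AA05101A9BB000AA002FC45A
"""


def parse_inf(text):
    """Parse INI-style text into {section_lowercase: {key: value}}.
    A ';' starts a comment; repeated sections are merged."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def _names(value):
    """Split a comma-separated value into lowercase names."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def check_mapisvc(text):
    """Return a list of problems; an empty list means the entries are consistent."""
    inf = parse_inf(text)
    problems = []
    services = inf.get("services", {})
    if "MSEMS" not in services:
        problems.append("[SERVICES] does not list MSEMS")
    for name in services:
        svc = inf.get(name.lower())
        if svc is None:
            problems.append(f"service {name} has no [{name}] section")
            continue
        support = _names(svc.get("PR_SERVICE_SUPPORT_FILES", ""))
        for sec in _names(svc.get("Sections", "")):
            if sec not in inf:
                problems.append(f"{name}: Sections refers to missing [{sec}]")
        for prov in _names(svc.get("Providers", "")):
            p = inf.get(prov)
            if p is None:
                problems.append(f"{name}: provider {prov} has no section")
                continue
            for required in ("PR_PROVIDER_DLL_NAME", "PR_RESOURCE_TYPE"):
                if required not in p:
                    problems.append(f"[{prov}] lacks {required}")
            dll = p.get("PR_PROVIDER_DLL_NAME", "").lower()
            if dll and dll not in support:
                problems.append(f"[{prov}]: {dll} not in PR_SERVICE_SUPPORT_FILES")
    for name in inf.get("default services", {}):
        if name not in services:
            problems.append(f"[Default Services] lists unknown service {name}")
    return problems


if __name__ == "__main__":
    # Pass the path of your mapisvc.inf as the first argument; with no
    # argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPISVC
    for line in check_mapisvc(text) or ["mapisvc.inf entries are consistent"]:
        print(line)
```

The check is deliberately limited to what the file itself can show; it does not confirm that the named DLLs exist or that the Exchange System Management Tools are installed, which the guide lists as a prerequisite.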
CHAPTER 13

Rolling Out Advanced Access Control to Users

The last step in deployment is providing users with the information and tools
necessary to access corporate resources. This process includes determining if
your implementation requires the distribution of client software and if so,
developing a strategy for deploying this software. In addition, training and other
forms of communication detailing how your deployment impacts the workplace
assist users as they transition to their new environment.
The topics in this section discuss the issues to consider when developing an
overall plan for rolling out Access Gateway Advanced Edition to users.
• “Developing a Client Software Deployment Strategy” on page 195
• “Managing Client Software Using the Access Client Package” on page 200
• “Downloading Client Software on Demand” on page 203
• “Ensuring a Smooth Logon Experience with the Secure Access Client” on
page 205
• “Ensuring a Smooth Rollout” on page 208
• “Browser Security Considerations” on page 209
• “Customizing the Logon Error Message” on page 211

Developing a Client Software Deployment Strategy

Software deployment is the process of distributing and installing software on
client devices. If your corporation already uses a software deployment solution,
consider deploying Advanced Access Control clients using the same technique.
However, if you need to develop a strategy, you must determine who is
responsible for installing client software and then create a solution that supports
this decision.

The following sections discuss issues to consider when determining who is
responsible for installing client software as well as deployment methods
supporting these use cases.

Determining Responsibility for Installing Client Software

There are several methods of deploying client software ranging from automated
solutions that download and install the software from a centralized location to
posting an installation package to a network share and instructing users to
manually install the software on their client device. Before you can determine
how to deploy client software, you must determine who is responsible for
installing the software on the client device.
Depending on your corporate needs, you, support personnel, users, or a
combination thereof may be responsible for this task. This decision is a result of
several factors including:
• User needs and administrative costs. Consider the needs of your users
because their collective experience is critical to the adoption of access
control in your corporation. If the needs of your users greatly outweigh the
administrative costs associated with managing a deployment strategy,
consider a plan that places the responsibility of installing client software on
a team specializing in this area. Conversely, if the administrative costs
associated with managing a deployment solution are too great for your
organization, consider shifting this responsibility to individual users.
• The technical abilities of your users. If your user base is not technically
savvy, consider installing the software for them. In this scenario, a support
department such as IT or Technical Support is responsible for installing the
software. When deciding whether or not users should be responsible for
their own installations, consider the possible support issues as well.
Depending on the technical abilities of your users, the support costs
associated with users installing their own software could justify the
implementation of a centrally managed deployment strategy. However, if
your users are technically savvy, it may be more efficient for you to post the
software to a network share and allow users to install the software from this
location.
• Number of client devices in your corporation. Larger companies benefit
from centrally managed deployment strategies because they tend to scale
well and yield a higher return on investment as compared to manual
solutions. For this reason, medium to larger sized corporations should
consider using their Microsoft Active Directory infrastructure or a standard
third party deployment tool such as Systems Management Server.

However, for smaller companies, the costs associated with planning and
preparing an automated deployment could outweigh the benefits. These
companies should consider alternative deployment methods such as posting
client software to a network share or an on-demand deployment solution.
Both of these methods are described in detail in later sections.
• Corporate security requirements. If your corporation configures client
devices so that users do not have installation rights on their machines, you
must develop a strategy that allows someone with administrative rights to
perform the installation. In this scenario, larger companies should consider
a corporate deployment tool such as Systems Management Server. Smaller
companies should consider posting client installation packages to a file
share and having someone with administrative rights manually install the
software on each client device.
• Corporate management practices. If your organization maintains strong
centralized control over client software deployment—for example, if you
use Microsoft Systems Management Server to help control software
distribution—you can more reliably update client devices. Therefore, if
your goal is to ensure that all users have the most up-to-date software,
allowing them to install their own client software is not a recommended
option. Rather, a team dedicated to maintaining client software should be
responsible for ensuring client software is installed and updated properly.
• Cost factors. Consider the overall cost associated with each deployment
option including planning, preparation, and training costs. In addition,
determine if some of these costs are justifiable because of the return on
investment over a period of time. For example, the return on investment of
a centrally managed solution is usually much better than that of a manual
solution over time.
• Access to client devices. If your corporation supports remote access
scenarios such as using an Internet kiosk to check email, you will not have
the ability to install client software on these devices before users access the
corporate network. In these cases, consider an on-demand deployment
strategy where you configure Advanced Access Control so that client
software is automatically downloaded to the client device only when
required. However, if access to client devices is readily available, consider
deploying the client software prior to the user accessing Advanced Access
Control.
Weigh all of these factors when determining who should be responsible for
installing the client software on the client device. Then, select the deployment
solution that makes the most sense for your corporation.

Supported Deployment Options

Advanced Access Control supports the following client deployment options:
Integration with enterprise software deployment tools. Deploy client software
using a Microsoft Active Directory infrastructure or a standard third party MSI
deployment tool such as Systems Management Server. If you use a tool that
supports Windows Installer packages, you can use the Access Client package to
create a single installation package containing the Advanced Access Control
clients required for your environment. Then, use your client deployment tool to
deploy and install the software on the appropriate client devices.
Advantages of using a centralized deployment tool include:
• Ability to adhere to corporate security requirements. For example, you can
install client software without enabling software installation privileges for
non-administrative users.
• Control over software versions. You can deploy an updated version of client
software to all users simultaneously.
• Scalability. Easily scales to support additional users.
• Positive user experience. You can deploy, test, and troubleshoot
installation-related issues without involving users in this process.
Citrix recommends this option when administrative control over the installation
of client software is preferred and access to client devices is readily available.
Network share point. Post installation packages on a network share point. For
example, you can use the Access Client package to create an installation package
containing the clients required for your environment and post it to a network
share. In addition, the Server CD contains installation packages for certain client
software. Citrix recommends posting installation packages to a share point when
software is manually installed on client devices. For example, you can post client
software installation packages to an FTP site for remote users responsible for
installing client software on their home computers.
On demand. Configure the deployment of client software only when required.
Users connect to their network and clients are automatically downloaded on an
“as needed” basis. This option is preferable when access to client devices is not
readily available such as an Internet kiosk.
You can combine deployment options to create your deployment strategy. For
example, you can post installation packages on a network share point for users
within the corporate network and also enable on-demand deployment of clients
for those users connecting from an Internet kiosk.
The table below summarizes the deployment options supported for each client.

Client Software            Supported by Access    On-demand    Network Share
                           Client package                      Point
Secure Access Client       Yes                    Yes          Yes
Endpoint Analysis Client   Yes                    Yes          Yes
Live Edit Client           Yes                    Yes          No
Client for Java            No                     Yes          No
Web Client                 Yes                    Yes          No

Note: The Endpoint Analysis Client is available as a stand-alone MSI and EXE
on the Server CD in the \Setup\EndpointAnalysisClient\lang directory. In
addition, individual installation packages can be created for all client software
components supported by the Access Client package. For more information, see
“Managing Client Software Using the Access Client Package” on page 200.

Determining Which Clients to Deploy

If your Advanced Access Control deployment does not require any client
software on client devices, your deployment is considered to provide browser-
only access. In this scenario, users need only a Web browser to access corporate
resources. However, there are certain features that require client software on the
user’s device. To determine if client software is required for your access strategy,
use the matrix below. For additional information about feature-specific
requirements, see “Feature Requirements” on page 46. For additional information
about client software minimum requirements, see “Client Requirements” on page
58.

Note: Small form factor devices are not compatible with the Advanced Access
Control client software. Therefore, features requiring client software are not
available on small form factor devices.

Feature                                         Client Software                  For more information, see...
Verifying requirements on client devices        Endpoint Analysis Client         “Verifying Requirements on Client Devices” on page 165
Convenient editing and saving of remote files   Live Edit Client                 “Allowing Live Edit” on page 140
Access email accounts and synchronize email     Secure Access Client             “Providing Users with Secure Access to Email Accounts” on page 188
to client devices
TCP access to services on corporate servers     Secure Access Client             “Creating Network Resources for VPN Access” on page 119
Accessing published applications through        Citrix Presentation Server       “Configuring File Type Association” on page 163
file type association                           Client for Java or Web Client
Bypassing the Web proxy to access resources     Secure Access Client             “Bypassing URL Rewriting” on page 144

Managing Client Software Using the Access Client Package

If you decide that you will control the deployment of client software, consider
using the Access Client package to create a Windows Installer package of specific
client software. After creating the package, you can deploy it using your
Microsoft Active Directory infrastructure or a standard third party MSI
deployment tool such as Systems Management Server.
The Access Client package contains a number of the client-side pieces of the
Citrix Access Suite, allowing you to quickly and easily deploy and maintain the
client-side software to your users using one convenient Windows Installer
package. After you deploy your client software, you can update your installations
simply by creating and deploying an updated installation package using the latest
version of the Access Client package.
The Access Client package is available in the Download section of the Citrix Web
site, www.citrix.com, and contains up-to-date client software and hotfixes for a
number of the client-side pieces of the Citrix Access Suite.

Client Software Available for the Access Client Package

Access Suite Component       Client-Side Software
Citrix Presentation Server   Program Neighborhood, Program Neighborhood Agent, Web Client
Access Gateway               Secure Access Client, Live Edit Client, Endpoint Analysis Client
Citrix Password Manager      Citrix Password Manager Agent

Creating a Client Distribution Package

You can run the Access Client package in administrative mode to select the
client-side software pieces you want to package together. Enter the following
command at a command prompt to run in administrative mode:
msiexec.exe /a [path to msi file]
Select your client components and optionally customize the installation process
of each client. To create an installation package for a specific client
component, select only that client. Additionally, you can choose to reduce the
overall size of the final distribution package by selecting the option to remove
unused files.

Note: Each client installation that includes a Citrix Presentation Server Client
includes the Program Neighborhood Connection Center, allowing users to see
information about their current ICA connections.

Distributing and Installing Your Client Software Package

After you create your client software package, you can make it available to your
users on a network share point or distribute it using your Active Directory
infrastructure.
Client devices must meet the requirements of each client software component
within your package. For example, if you attempt to install a package that
includes the Web Client and the Secure Access Client on a device that does not
meet the requirements for the Secure Access Client, only the Web client is
installed.

The Access Client package installs and upgrades all available clients, as specified
when you build your software package. Every item included in your original
client software package should be included in any subsequent upgrade packages
you create.
For example, if you create a software package that includes the Endpoint
Analysis Client and the Web Client, subsequent upgrade packages must include
both client software packages. If you create an upgrade package that includes
only the Endpoint Analysis Client, the Access Client package uninstalls the Web
Client.

Important: The Gateway Client and Advanced Gateway Client are no longer
supported by Advanced Access Control and therefore, are removed from the
Access Client package. However, the Access Client package now includes the
Secure Access Client, the client software component that replaces the Gateway
Client and Advanced Gateway Client. As a result, the Access Client package
uninstalls the Gateway Client and Advanced Gateway Client from all client
devices. If users require the functionality previously available with these clients,
include the Secure Access Client in your package.

Conversely, if you later want to add the Secure Access Client to your
environment, rebuild your package to include the Endpoint Analysis, Web, and
Secure Access Clients. When this installation package is run on client devices
that have your original package installed, the Secure Access Client is installed,
while the Endpoint Analysis and Web clients will simply be verified as installed
and not changed in any way.
To uninstall a client that was installed or upgraded using a Windows Installer
package, users must run the Add/Remove Programs utility from the Control
Panel or run the installer package again and select the Remove option.

Important: To install the client software using the Windows Installer package,
the Windows Installer Service must be installed on the client device. This service
is present by default on Windows 2000 systems. To install clients on client
devices running earlier versions of the Windows operating system, you must use
the self-extracting executable or install the Windows Installer 2.0 Redistributable
for Windows, available at http://www.microsoft.com/.

For more information about the Access Client package, including a full list of
included clients, see the Download section of the Citrix Web site at
www.citrix.com.

Posting Client Software to a Share Point

You can post available client software on a network share point so users or
support personnel can install the client software at their convenience. You can use
the Access Client package to create installation packages for each client software
component or a single installation package containing all of your Advanced
Access Control clients following the instructions above. Alternatively, for the
Endpoint Analysis Client, you can use the installation package available as an
EXE or MSI in the \Setup\EndpointAnalysisClient\lang directory of the Server
CD.

Downloading Client Software on Demand

You can configure client software so that it downloads and installs on the client
device on an “as needed” basis. Advanced Access Control supports this type of
deployment for the Secure Access Client, Endpoint Analysis Client, Web Client
and Client for Java. Use this deployment option when non-corporate devices such
as Internet kiosks are used to access the corporate network.
On-demand deployment of the Secure Access Client is configured within
connection policies. If a connection policy is configured to launch the Secure
Access Client, Advanced Access Control detects whether the Secure Access
Client is already installed on the client device. If the Secure Access Client is
detected, it is launched. If the Secure Access Client is not detected, it is
downloaded to the client device and then launched. If the client software cannot
be downloaded to the client device, Advanced Access Control attempts to
connect to resources using browser-only access.

Important: Access to Web applications configured to bypass the Web proxy,
email synchronization, and network resources require the Secure Access Client.

If you integrated Advanced Access Control with a farm running Presentation
Server, you can specify which Presentation Server Client to deploy for each logon
point. This allows you to configure the deployment of Presentation Server Clients
based on specific access scenarios. For example, you could configure on-demand
client downloads for the logon point available to users logging on over the
Internet. However, you could disable this feature for the logon point available to
users from an enclave within the corporate network.

The requirements for installing on-demand clients include configuring the client
browser to accept client software such as ActiveX controls, plug-ins, and Java
applets. In addition, users running Windows XP or Windows 2000 must be
members of the Power Users or Administrators group to install the software on
their devices. For additional information about client software minimum
requirements, see “Client Requirements” on page 58.
You cannot configure the on-demand deployment of the Endpoint Analysis
Client. Rather, Advanced Access Control determines if, based on policies
associated with that logon point, an endpoint analysis scan is required. If a scan is
required, Advanced Access Control detects if the Endpoint Analysis Client is
present on the client device. If the client software is detected on the client device,
the Endpoint Analysis Client performs the appropriate scans. However, if the
software is not detected, users are prompted to download and install the Endpoint
Analysis Client as an ActiveX control when running Internet Explorer or a plug-
in when running Netscape Navigator or Firefox.
If users refuse to allow the Endpoint Analysis Client to install and scan the client
device, they receive the same level of access they would if the policies associated
with the scans were denied. This level can be limited or no access. Consider
deploying the Endpoint Analysis Client in advance if you want to avoid the on-
demand downloading of this client.

Note: Some endpoint analysis information is cached on the client device. Users
can empty this cache through the Manage Endpoint Analysis tool (Start >
Programs > Citrix > Endpoint Analysis Client).

To configure on-demand client deployment of Presentation Server Clients

1. In the console tree, select the appropriate logon point and choose Edit
Logon Point from Common Tasks.
2. On the Clients page, select the clients you want to deploy to users on-
demand from the options below.
• Web Client (ActiveX or Netscape plug-in). Select this option if
your users do not already have a Presentation Server Client installed
on their client device.
Select Use the Client for Java if the Web Client cannot be used to
deploy the Client for Java when the Web Client cannot be used or the user
chooses not to allow its download. In addition, you can configure the
automated update of the Web Client at logon (available for ActiveX
only). This option provides an automated method of updating client
software. Clear this option if you do not want to upgrade existing
installations of the client on each user’s computer.
• Client for Java. Deployed in applet mode, this client does not
require the user to install any software. The user’s browser caches the
Java applet for the duration of the browser session. Select the Client
for Java as an alternative for users who cannot use the Web Client
software.
• None (use installed client). Select this option if you already
deployed the required client software to client devices.

To configure on-demand client deployment of Secure Access Client

1. In the console tree, select Connection Policies.


2. Double-click the connection policy you want to edit.
3. On the Settings page, click Launch Secure Access Client and click Yes to
allow this setting for the connection.
See the Access Gateway Standard Edition Administrator’s Guide for additional
information on configuring the deployment of the Secure Access Client.

Ensuring a Smooth Logon Experience with the Secure Access Client

If users do not have the Secure Access Client installed when they log on, they
must download and install it. However, if the Secure Access Client does not
install and connect to the Access Gateway promptly, users will experience
difficulty in accessing the home page you designate for the logon point. To avoid
this, you can perform the following tasks:
• Enable the Web browser to redirect users to a URL outside of the internal
network
• Modify the browser delay setting
• Modify the ticket lifetime setting

Modifying the Logon Point Redirect URL


When a user logs on to the Access Gateway, the Logon Agent verifies that the
user is allowed to log on and, if required by policies, the user’s Web browser
attempts to launch the Secure Access Client. Afterward, the Web browser
redirects the user to the home page designated for the logon point. By default, the
Web browser redirects the user to the SessionInit.aspx page using an internal
URL after 10 seconds elapse. If the Secure Access Client does not launch
successfully during this time, the user cannot access resources on the internal
network.
To ensure users can access resources in this case, you can enable the Web browser
to redirect users to an external URL. When you do this, users are redirected to the
SessionInit.aspx page using the URL for the Access Gateway appliance (for
example, https://AccessGatewayFQDN).

To modify the redirect URL

1. In Windows Explorer, navigate to the logon point’s virtual directory. For
example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where
logonpointname is the name of the logon point.
2. Open the web.config file in a text editor and add the following line to the
appSettings section:
<add key="AlwaysUseClientLessURL" value="true"/>

3. Repeat steps 1-2 for all logon points you want to modify.

Modifying Browser Delay Settings


When a user launches the Secure Access Client and logs on to the Access
Gateway, the user’s Web browser delays displaying the home page while the
Secure Access Client establishes a connection with the Access Gateway. When
using Mozilla Firefox or Netscape Navigator, the Secure Access Client connects
after the default time period elapses. By default, this delay lasts 10 seconds. If the
Secure Access Client does not connect within this time period, the Web browser
will not display the home page unless the user refreshes the Web browser.
To ensure the Secure Access Client has sufficient time to connect and the home
page appears for Mozilla Firefox and Netscape Navigator, you can increase the
time period that the Web browser delays displaying the home page. To do this,
you modify the AdvancedGatewayClientActivationDelay key of the logon point’s
web.config file. If you choose to make this change on one server running
Advanced Access Control, you must make the same change on all servers in your
access server farm.

To modify browser delay settings

1. In Windows Explorer, navigate to the logon point’s virtual directory. For
example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where
logonpointname is the name of the logon point.
2. Open the web.config file in a text editor and locate the following line:
<add key="AdvancedGatewayClientActivationDelay" value="18" />

3. Change the key value to the length of time, in seconds, you want to allow
the Secure Access Client to establish a connection with the Access
Gateway.
4. Repeat steps 1-3 for all remaining servers running Advanced Access
Control.

Modifying Ticket Lifetime Settings


When a user launches the Secure Access Client and logs on to the Access
Gateway, the user’s Web browser receives a ticket from the Citrix Authentication
Service which must be used within a certain period of time. The default time
period is 85 seconds. When the ticket is used within this time period, the home
page appears in the user’s Web browser. If the Secure Access Client does not
connect within this time period, the ticket expires and the home page does not
appear. The user must access the logon point again and receive a new ticket.
To ensure the Secure Access Client has sufficient time to connect and tickets are
presented promptly, you can increase the lifetime of tickets issued to users. To do
this, you modify the Ticket Profile keys located in the web.config file of the
Citrix Authentication Service. If you choose to make this change on one server
running Advanced Access Control, you must make the same change on all servers
in your access server farm.

To modify the ticket lifetime settings

1. In Windows Explorer, navigate to the Citrix Authentication Service Web
directory (C:\inetpub\wwwroot\CitrixAuthService).
2. Open the web.config file in a text editor and locate the following lines:
<add key="TicketProfile_SGC_CGP"
value="MULTIUSE,85,1200,true,true" />
<add key="TicketProfile_ASGC_CGP"
value="MULTIUSE,85,1200,true,true" />

3. Change the first numeric value in both keys to the length of time, in
seconds, in which you want tickets to remain valid from the time of issue.
4. Repeat steps 1-3 for all remaining servers running Advanced Access
Control.
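The three web.config edits in the preceding sections (adding AlwaysUseClientLessURL, changing AdvancedGatewayClientActivationDelay, and changing the first numeric field of both TicketProfile keys) must be repeated on every logon point and on every server in the access server farm, so they are worth scripting. The following Python helper is an added example and not Citrix code; it assumes the files are ordinary ASP.NET web.config files whose appSettings section holds add key/value entries, as the excerpts above show, and the embedded sample configuration is constructed for illustration.

```python
import glob
import shutil
import xml.etree.ElementTree as ET

# Keys quoted in the guide.
CLIENTLESS_URL_KEY = "AlwaysUseClientLessURL"
BROWSER_DELAY_KEY = "AdvancedGatewayClientActivationDelay"
TICKET_PROFILE_KEYS = ("TicketProfile_SGC_CGP", "TicketProfile_ASGC_CGP")

# Constructed sample mirroring the lines the guide tells you to locate
# (assumption: a standard ASP.NET web.config with an <appSettings> section).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- constructed sample -->
    <add key="AdvancedGatewayClientActivationDelay" value="18" />
    <add key="TicketProfile_SGC_CGP" value="MULTIUSE,85,1200,true,true" />
    <add key="TicketProfile_ASGC_CGP" value="MULTIUSE,85,1200,true,true" />
  </appSettings>
</configuration>
"""


def _parse(xml_text):
    # insert_comments keeps the file's own comments when it is written back.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _serialize(root):
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def get_app_setting(xml_text, key):
    """Return the value of the <add key=...> entry under <appSettings>, or None."""
    for add in _parse(xml_text).iterfind("./appSettings/add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def set_app_setting(xml_text, key, value):
    """Update an appSettings entry in place, or append it if the key is absent."""
    root = _parse(xml_text)
    settings = root.find("appSettings")
    if settings is None:
        settings = ET.SubElement(root, "appSettings")
    for add in settings.iterfind("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:
        ET.SubElement(settings, "add", {"key": key, "value": value})
    return _serialize(root)


def enable_clientless_redirect(xml_text):
    """Logon point web.config: add AlwaysUseClientLessURL=true (redirect URL section)."""
    return set_app_setting(xml_text, CLIENTLESS_URL_KEY, "true")


def set_browser_delay(xml_text, seconds):
    """Logon point web.config: set the browser delay, in seconds."""
    if int(seconds) <= 0:
        raise ValueError("delay must be a positive number of seconds")
    return set_app_setting(xml_text, BROWSER_DELAY_KEY, str(int(seconds)))


def set_ticket_lifetime(xml_text, seconds):
    """Authentication Service web.config: set the first numeric field of both
    TicketProfile keys. The other fields are copied through unchanged; the guide
    does not document them and this helper does not interpret them."""
    if int(seconds) <= 0:
        raise ValueError("ticket lifetime must be a positive number of seconds")
    for key in TICKET_PROFILE_KEYS:
        current = get_app_setting(xml_text, key)
        if current is None:
            raise KeyError(f"{key} not found in appSettings")
        fields = current.split(",")
        # Refuse to touch a value that does not look like the documented format.
        if len(fields) < 2 or not fields[1].strip().isdigit():
            raise ValueError(f"unexpected {key} format: {current!r}")
        fields[1] = str(int(seconds))
        xml_text = set_app_setting(xml_text, key, ",".join(fields))
    return xml_text


def update_file(path, transform):
    """Back the file up to <path>.bak, then rewrite it with transform(text)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(transform(text))


if __name__ == "__main__":
    # Example run: apply both logon point edits to every logon point on this
    # server (directory from the guide); repeat on every server in the farm.
    for cfg in glob.glob(r"C:\inetpub\wwwroot\CitrixLogonPoint\*\web.config"):
        update_file(cfg, lambda t: set_browser_delay(enable_clientless_redirect(t), 30))
```

Run the Authentication Service change separately with update_file on C:\inetpub\wwwroot\CitrixAuthService\web.config and a transform of set_ticket_lifetime, and keep the .bak copies until the logon page has been verified.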

Ensuring a Smooth Rollout


After your client software deployment strategy is implemented and tested, you
are ready to provide users with the information they need to access corporate
resources through Advanced Access Control. To ensure all users are aware of the
upcoming deployment of Advanced Access Control, consider a formal method of
communication such as posting information on your corporate intranet, training
sessions, and email.
If there are budgetary restrictions, determine if some of the costs of your
deployment strategy actually improve the company’s bottom line. For example,
the costs associated with user training could be justified if there is a significant
savings as a result of fewer support calls.
Topics on which you should consider providing additional information to users include:
• Client software. Depending on your client deployment strategy, users may
need to install client software on their own device. In this scenario, provide
users with the location of the file share from which they can access the
installation packages. If you implemented an on-demand client software
strategy, instruct users to accept these clients when prompted. In addition,
inform users that failure to accept the installation of on-demand clients
results in reduced functionality for that session.
• Logon points. If users can access the corporate network from multiple
logon points, you must provide users with the URLs for these logon points.
For example, if you created two logon points—one for access from a
network enclave and another for external access through the Internet—
users will need the URLs for both logon points. Additional information
about providing logon information to users is discussed in the next section.
• Policy-based access. Inform users if you developed an access strategy that
includes different levels of access to corporate resources based on factors
such as endpoint analysis results, authentication type, or logon point.
For example, you may create a policy that allows users to download a
document when accessing it from within a network enclave and create
another policy that denies this level of access when accessing the document
from their home computer. Informing users of this type of access control
reduces user confusion as well as unnecessary support calls.

Providing Logon Information to Users


Users can access a specific logon point by navigating to the following URL:
https://GatewayApplianceFQDN/CitrixLogonPoint/LogonPointName/

where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of
the Access Gateway server on which you deployed the logon point and
LogonPointName is the name of the logon point.
For example, if the FQDN of the Access Gateway server is
“companyserver.mydomain.com” and the logon point is “remote,” the URL for
logging on is https://companyserver.mydomain.com/CitrixLogonPoint/remote.
Alternatively, users can access the default logon point by navigating to the
following URL:
https://GatewayApplianceFQDN/
where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of
the Access Gateway server on which you deployed the logon point.

Browser Security Considerations


Certain custom Web browser security settings can prevent users from accessing
Advanced Access Control. Therefore, follow the guidelines below to ensure users
can access the appropriate servers within your network.
• For users to properly access corporate resources through Advanced Access
Control, the following browser settings must be enabled.
• Cookies. Advanced Access Control uses per-session cookies that are
not stored on disk. Therefore, third parties cannot access the cookies.
Disallowing per-session cookies prevents connections to Advanced
Access Control. Users cannot log on to Advanced Access Control
because logging on requires a session cookie.
• File download. Disabling “File download” prevents the downloading
of files from the corporate network, the launching of any seamless
ICA sessions, and access to internal Web servers outside the access
server farm.
• Scripting. Disabling active scripting makes Advanced Access
Control inaccessible. Disabling Java applet scripting prevents users
from launching published applications with the Client for Java.
• Change the security settings only for zones that contain resources accessed
through Advanced Access Control. If you fully trust the sites on your
company’s intranet, you can set the Local Intranet zone security level to
Low. If you do not fully trust the sites on your intranet, keep the Local
Intranet zone set to Medium-Low or Medium.
• Several browser security settings required to access Advanced Access
Control servers are disabled under the High security settings. Therefore, if
the security level for the Local Intranet zone is set to High, customize the
browser security settings as described in the next section.
• If you want to keep the default security settings but also customize
individual security settings of your Advanced Access Control servers, you
can configure each server in the access server farm as a “trusted site.”
Configuring servers as trusted sites lets you customize their security
settings without affecting the Internet and Local Intranet settings.

Important: If your access server farm requires SSL, make sure that SSL is
required for all sites in the Trusted Site zone.

Customizing Browser Security Settings


The following table lists additional Internet Explorer browser security settings
required for those deployment scenarios requiring client software. Most of these
settings are available from the Security tab of the Internet Options dialog box.

Deployment Scenario: Required Settings

Endpoint Analysis Client
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)

Live Edit Client
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)

Web Client
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)
• Do not save encrypted pages to disk (Disable)

Client for Java
• Java Permissions (High safety or Custom)
If you select Custom, set the following options:
• Run Unsigned Content (Run in sandbox)
• Run Signed Content (Prompt or Enable)
• Do not save encrypted pages to disk (Disable)
• All Additional Signed Permissions must also be set to Prompt or Enable

Customizing the Logon Error Message


Users may see an “Access Denied” page when attempting to access the logon
page. This can occur if users do not meet the requirements in a policy controlling
the Allow Logon permission or do not meet the requirements configured in logon
point properties for displaying the logon page.
You can modify the “Access Denied” page to provide users with troubleshooting
information or redirect them to a different Web page that contains remedies for a
specific problem that is detected. In addition, because each logon point is
associated with its own “Access Denied” page, you can customize this message to
accommodate the specific access scenarios associated with each logon point.
For example, you can customize a logon point’s “Access Denied” page with
frequently asked questions and technical support contact information. Another
possible “Access Denied” page customization is to redirect users to a Web page
containing links to client software installation packages.
You can create and deploy a logon point for the sole purpose of testing your
modifications to the “Access Denied” page. Then, when you are ready to
incorporate the customized page into your production environment, copy the page
to the appropriate location on the Logon Agent server.
The “Access Denied” message is generated by an ASP.NET user control that can
be modified using any text editor that supports ASCX files.

To edit the “Access Denied” message

1. On an Advanced Access Control server, navigate to:
%systemdrive%:\Inetpub\wwwroot\Citrixlogonpoint\logon point name
where logon point name represents the name of the logon point associated
with the page you want to customize.
2. Make a backup copy of the disallowed.ascx file.
3. Edit disallowed.ascx.
For example, if you have a troubleshooting site named
www.gotoassist.com, add the following syntax to the end of
disallowed.ascx:
<a href="http://www.gotoassist.com/ph/button">Click here to launch GoToAssist</a>

Caution: Do not modify the logic contained in the page because doing so
can yield undesirable results.

4. Repeat Steps 1 - 3 to customize the “Access Denied” message for other
logon points.
5. Update logon page files on the Access Gateway as described in “Updating
Logon Page Information” on page 93.
CHAPTER 14

Managing Your Access Gateway Environment

After configuring the servers in your access server farm, you perform a variety of
tasks to manage your deployment. These tasks help you ensure your deployment
runs smoothly and efficiently.
This section describes how to:
• Administer your access server farm using multiple Consoles
• Secure the Access Management Console with COM+
• Add and remove farms and servers
• Change the service account or database credentials
• Change the server roles
• Minimize downtime of your access server farm
• Monitor user sessions

Managing Access Server Farms Remotely


You can use the Access Gateway Administration Tool and the Access
Management Console on remote workstations to manage your access server farm.
You can install the Administration Tool from the Access Gateway Administration
Portal. Use the Advanced Access Control Server CD to install the Access
Management Console.

To download and install the Administration Tool

1. In a Web browser, type the URL of the Access Gateway and enter your
administrator credentials.
2. In the Access Gateway Administration Portal, click Downloads.
3. Under Administration, click Download Access Gateway Administration
Tool Installer.

4. Select a location to save the installation application and click Save. The
installation tool is downloaded to your computer.
5. After downloading the file, navigate to the location it was saved and then
double-click the file.
6. To install the Administration Tool, follow the instructions in the wizard.
7. To start the Administration Tool, click Start > Programs > Citrix Access
Gateway Administration Tool > Citrix Access Gateway Administration
Tool.
8. In Username and Password, type the Access Gateway administrator
credentials. The default user name and password are root and rootadmin.

To install the Access Management Console

1. Insert the Server CD or start AutoRun.exe from the CD image.


2. Select Product Installations and Advanced Access Control to open
Setup.
3. Accept the license agreement and proceed to the Components Selection
page.
4. Select Management console and clear the selection of any other
components selected by default.
5. Proceed through the remainder of the wizard.

Controlling Access by Multiple Consoles


When a Console connects to an access server farm, other Console instances can
actively manage the server farm at the same time. If any changes are made to the
same configuration settings, Advanced Access Control writes the first change
saved to the database based on the timestamp at which the change occurred. If
two changes are saved simultaneously, the change with the earlier timestamp
prevails.
You are notified if an instance of the console connects to a farm and another
instance is detected. If you make any configuration changes, they may be
overridden depending on when each Console instance saves each change. Choose
Yes to acknowledge and close the message.

Important: Administering Advanced Access Control using multiple Console
instances simultaneously can result in data corruption and inconsistent server
performance. Citrix recommends you use only one Console instance at a time to
administer access server farms.

Using Groups in Policy Assignments


It is generally good practice to assign policies to domain user groups or account
authority groups only. If, however, you use the console on a remote workstation
and assign the workstation’s local users to a policy, you may receive an error
message when editing the policy from another Console. You can remove or edit
such a policy using the console on the server running Advanced Access Control.

Securing the Access Management Console Using COM+


Depending on your organization’s needs, you may allow other administrators to
manage your access server farm. Using COM+ role-based security, you can
specify the users who can make changes to your access server farm using the
Access Management Console.
During installation, Advanced Access Control creates the following security roles
for the Access Gateway Server COM+ application:
• Administrators. Users in this role are allowed to make changes to the
Advanced Access Control environment using the console.
• Non Appliance Administrators. Users in this role are allowed to make
changes to resources and policies only. Users assigned to this role are not
allowed to modify gateway appliance settings. Users assigned to this role
must not be assigned to the Administrators role as well. If the user is
assigned to both roles, the Non Appliance Administrators role is not
enforced.
• System. This role includes the service account and other local accounts that
require access to the Access Gateway Server COM+ application.
If you add users to the Administrators or Non Appliance Administrators roles,
they may have access to the API published by the application in addition to the
console. Consider all risks carefully before adding other users to the
Administrators role.

Important: The accounts appearing in the System role are required for
Advanced Access Control to function. You must also close the Access
Management Console before adding users to the Administrators or Non
Appliance Administrators role. If these System accounts are modified or if the
console is open when COM+ security is applied, your access server farm may stop
functioning and you may lose data.

To allow administrators to use the Access Management Console

1. Close the Access Management Console if it is open.



2. Click Start > Programs or All Programs > Administrative Tools >
Component Services.
3. In the console tree, expand Component Services > Computers > My
Computer > COM+ Applications.
4. Expand Access Gateway Library > Roles and select the role that is
appropriate for the user(s) you want to add:
• To allow administrators to access appliance and farm settings with
the console, expand Administrators.
• To allow administrators to access farm settings only, expand Non
Appliance Administrators.
5. Right-click Users and select New.
6. Enter the user account(s) you want to add and click OK.
7. Restart the Access Gateway Library COM+ application.
8. Repeat steps 4-7 for the Access Gateway Server COM+ application.

Restarting COM+ Applications


Restart the Access Gateway Server COM+ application when:
• You add users to the Administrators or Non Appliance Administrators role
so they can make changes to your deployment using the Access
Management Console.
• Components such as logon points or the Web proxy function incorrectly, as
a preliminary troubleshooting measure.
• You modify components that access the Access Gateway Server COM+
application, such as Web email. For example, if you modify mapisvc.inf to
enable Microsoft Exchange 2000 to work with the default Email Interface,
you restart the Access Gateway Server COM+ application to ensure the
modifications are recognized at runtime.

To restart the Access Gateway Server COM+ application

1. Click Start > Programs or All Programs > Administrative Tools >
Component Services.
2. From the Component Services window, expand Computers > My
Computer > COM+ Applications.
3. Right-click Access Gateway Server and select Shut down.
4. Right-click Access Gateway Server and select Start.

Adding and Removing Farms


If your deployment consists of multiple access server farms, you can manage
them using a single Console. To do this, you add the other access server farms to
the console tree.

To add access server farms

1. In the console tree, select the Access Gateway node.


2. Under Common Tasks, click Add access server farm.
3. In the Server box, type the machine name or the IP address of any server in
the farm you want to add.
4. Click OK. The Access Management Console connects to the access server
farm and displays the farm node in the console tree.

Note: To manage multiple access server farms from Console instances running
on other machines, you must add the farms to each Console.

To remove access server farms

1. In the console tree, expand the Access Gateway node and select the farm
you want to remove.
2. Under Common Tasks, click Remove farm.

Adding and Removing Gateway Appliances


To add gateway appliances to your access server farm, perform the following
tasks:
1. Install and configure the appliance as described in the Getting Started with
Citrix Access Gateway Standard Edition.
2. In the Access Gateway Administration Tool, enable the Advanced Access
Control to administer the appliances. For more information, see “Enabling
Advanced Access Control” on page 80.
3. In the console, run discovery.
To remove gateway appliances from your access server farm, perform the
following tasks:
1. In the Access Gateway Administration Tool, disable gateway
administration with the Advanced Access Control and remove all access
server farm information.

2. In the console, remove the gateway appliance.


When you remove a gateway appliance from the console, you remove only the
registration information from the access server farm database. If you do not
remove all access server farm information from the Access Gateway
Administration Tool before removing the appliance from the console, the
Advanced Access Control registers the appliance again and displays it in the
Gateway Appliances node when you run discovery.

To disable Access Gateway administration with the console

1. Launch the Access Gateway Administration Tool and select the gateway
appliance you want to remove.
2. Click the Advanced Options tab and then clear the Advanced Access
Control - includes an access server farm check box.
3. In Server running Advanced Access Control, remove the name of the
server running Advanced Access Control.
4. Click Submit to save your changes.
5. Restart the Access Gateway.

To remove a gateway appliance from the console

1. In the console tree, expand Gateway Appliances and select the gateway
appliance you want to remove.
2. Click Remove appliance and then click Yes to remove the gateway
appliance from the farm.

Changing Service Account and Database Credentials


You can change the credentials of the service account or SQL access account if
either of these accounts is deleted, is disabled, or changes passwords. If the
credentials are not changed, Advanced Access Control does not function.
Use the Server Configuration utility to change the credentials of these accounts.
You can run the Server Configuration utility at any time without interrupting farm
operations. However, the console must be closed on the machine on which it is
running. If the console is running remotely and the account credentials are
changed, the console displays an error message. Close and reopen the console to
correct the problem.
The Server Configuration utility and the account information are stored on each
server running Advanced Access Control. To use the Server Configuration utility,
you must log on to the server as an administrator.

To change account credentials

1. On the server running Advanced Access Control, choose Start > Programs
or All Programs > Citrix > Advanced Access Control > Server
Configuration.
2. Click Service Account to change the user name, password, or domain of
the service account. For information about requirements for valid service
accounts, see “Service Account Requirements” on page 44.
3. Click Server Farm Information to change the farm database server, farm
name, or database authentication method.

Modifying Server Roles


Each server running Advanced Access Control is assigned the HTML Preview
server role by default. If you do not want all servers in your farm to perform this
role, you can enable or disable it on a per-server basis.

To modify server roles

1. In the console tree, select Servers.


2. Under Common Tasks, click Manage server roles.
3. Select or clear the check boxes for each server you want to assign to or
remove from the HTML Preview role.

Removing Servers from the Farm


When you remove servers from the farm, the services the server provided to your
farm are no longer available. If you want to keep these services, ensure they are
enabled on other servers in your farm.

To remove servers from an access server farm

1. Run discovery to ensure Advanced Access Control detects all servers in the
farm.
2. In the console tree, expand the Servers node.
3. Select the server you want to remove.
4. Under Common Tasks, click Remove server.

Maintaining Availability of the Access Server Farm


Advanced Access Control maintains all configuration, session, and user data for
the access server farm in a SQL database on the database server. If the database
server becomes unavailable, Advanced Access Control cannot retrieve data in
response to user or server requests. If the Advanced Access Control server
becomes unavailable, users cannot log on to the server or access resources. This
section describes how you can maximize the availability of your access server
farm.
• Create a backup of the SQL database.
After you create the initial backup, you should ensure the database is
backed up regularly at appropriate intervals. Additionally, you should
verify the data can be restored from the backups.
• Cluster the database server.
This allows another database server to continue farm operations in the
event the first database server becomes unavailable. The clustered servers
appear to Advanced Access Control as a single database server.
• Cluster the Advanced Access Control server.
As with the database server, clustering allows another Advanced Access
Control server to continue operations for an unavailable server. Users can
continue to log on to the server and access resources.

Exporting and Importing Configuration Data


You can export and import your farm configuration data using the Access
Management Console. This can be helpful when, for example, you want to save
the configuration data from a farm in a staging environment and copy it to a farm
in a production environment.
When you export your farm configuration, a .cab file is created which consists of
compressed XML files containing the following data:
• Global farm settings such as display order of home page applications,
license server, and authentication profiles
• Presentation Server farm settings
• Network and Web resource settings
• Logon point settings
• Policy settings
• Endpoint analysis settings
Chapter 14 Managing Your Access Gateway Environment 221

• Continuous scan settings
• Gateway appliance settings
Data that is not exported includes:
• Access server farm name
• Data that is valid only when the Advanced Access Control server is
running, such as user session data.
• Server information such as computer names.
After you export your farm configuration, you can import the .cab file to restore
the configuration on another server running the same version of Advanced
Access Control.
Before you export your farm configuration, be aware of the following conditions:
• You can import only .cab files that were exported using the same version of
Advanced Access Control. For example, if you export the configuration of
a farm running Version 4.5 of Advanced Access Control, you can import
the configuration data only on another Advanced Access Control server
running Version 4.5. If you import the configuration data on a server
running a different version of Advanced Access Control, the import fails.

Note: If you want to import configuration data from a previous version of
Advanced Access Control, you must first use the Migration Tool to prepare
your data for import into a farm running Version 4.5. For more information
about migrating to Version 4.5 from a previous version of Advanced Access
Control, see the Access Gateway Advanced Edition Upgrade Guide.

• Incremental export or import of farm configuration data is not supported.
You can export or import only entire farm configurations.
• When you import farm configuration data, the existing farm configuration
is deleted and replaced with the imported data.

Important: Before you import farm configuration data, Citrix recommends
creating a backup of the SQL database for the farm.

To export your access server farm configuration

1. From the console tree, select the farm node and then click Export Farm in
Other Tasks.
2. Enter the location where you want to create the .cab file.

When you click Next, the XML files are compressed into a .cab file and saved to
the location you specified.

To import your access server farm configuration

1. From the console tree, select the farm node and then click Import Farm in
Other Tasks.
2. Enter the location of the .cab file you want to import.
When you click Next, the .cab file is decompressed and the existing configuration
data is replaced with the imported data.

Monitoring Sessions
The Access Gateway Advanced Edition Session Viewer is a session monitoring
tool that allows administrators to review user access to the access server farm and
terminate user sessions.

Note: You must have administrative privileges to run the Session Viewer. An
Advanced Access Control session is not required to run the Session Viewer.

Session Viewer displays session data from the server on which you are logged
on or from other Advanced Access Control servers. This data includes:
• Client IP address
• User name used to log on
• Installed clients
• Logon point accessed and default home page
• Name of the Advanced Access Control server the user is accessing
When you select a session from the Sessions pane, the data for that session
displays in the Session Values pane. You can sort sessions by clicking the column
headings in the Sessions pane.

To access the Session Viewer

Click Start > All Programs > Citrix > Access Gateway > Session Viewer.

To terminate sessions

1. From the Sessions pane, select the user session(s) you want to terminate.
2. Click Delete.

If the user attempts to access resources after you terminate the session, an error
page appears and the user must log on again.
CHAPTER 15

Auditing Access to Corporate Resources

The event logging capabilities in Advanced Access Control ensure you collect the
information needed to monitor access to corporate resources. Event logs allow
you to:
• Prove compliance with regulatory requirements
• Prove compliance with internal, corporate-specific requirements
• Take proactive measures against existing weaknesses, for example by
reviewing incidents in which intended access controls were circumvented
and modifying your access strategy to resolve them
• Assist support personnel in troubleshooting issues related to accessing
corporate resources

Configuring Audit Logging


You can configure Advanced Access Control to record specific user activities for
auditing purposes. For example, you can monitor endpoint analysis scan results;
successful logon attempts; and unsuccessful attempts to access resources such as
Web email, file shares, and so on. Before configuring event log settings,
determine the information you need to collect and enable logging only for the
associated events. This approach ensures logging does not impact system
performance or use unnecessary hard disk space. In addition, limiting logging to
only the information relevant to the auditing process streamlines the evaluation of
this data.
The table below describes the events available for logging.

Endpoint analysis scan results
    Logs all endpoint analysis scan results. Three events are generated for
    each scan. The first event contains the raw endpoint analysis data from
    the client device. The second event contains the scan results
    (true/false) based on analysis within Advanced Access Control. The third
    event contains the scan results (true/false) specific to the
    requirements for displaying the logon page.
Logon page denied
    Logs an event when a logon page is not displayed to the user due to your
    configured requirements.
Logon allowed
    Logs an event when a successful Windows NT authentication is passed to
    the domain controller. Events are not logged when a user sends valid
    credentials but is denied access due to policy restrictions.
Logon denied
    Logs an event when an unsuccessful Windows NT authentication is passed
    to the domain controller or when the Allow Logon policy denies a user
    access to the logon page.
User logged off
    Logs an event when a user terminates a session.
Session timed out
    Logs an event when a session times out. The session time-out value is
    configured as a logon point setting.
Web resources - HTML MIME type
    Logs an event for successful access to HTML content within a Web
    resource such as HTML and ASP pages.
Web resources - other MIME type
    Logs an event for successful access to non-HTML content within a Web
    resource such as JavaScript, Flash, XML, and so on.
Web resources - image MIME type
    Logs an event for successful access to images referenced within a Web
    resource such as a GIF or JPEG file.
File shares
    Logs an event for successful access to file shares or documents within a
    file share.
Web email
    Logs an event for successful access to Web-based email including Outlook
    Web Access, iNotes, and Advanced Access Control’s Web email interface.
    Outlook Web Access and iNotes use the same event ID (304) while Advanced
    Access Control’s Web email interface uses event ID 306.
Resource access denied
    Logs an event for unsuccessful access to any resource within an access
    server farm. For Web resources, only unsuccessful access to the HTML
    MIME type is logged. Unsuccessful access to other or image MIME types is
    not logged.

Important: Audit log configuration is set at the access server farm level and
applies to all resources within the farm. Each server in the farm, however,
writes its own audit log, so if your access server farm is distributed across
multiple servers, an event is recorded on whichever server handled the request.

The general steps involved in configuring event logging are:



• Specify the events to log for the access server farm. Use the Access
Management Console to specify the type of events logged by servers within
an access server farm.
• Configure log settings for each server within the farm. Use the Windows
Event Viewer to configure log settings for each server including specifying
the maximum log size, determining when to overwrite events, and so on.
By default, the maximum size of the CitrixAGE Audit log is 5120 KB and
events are retained for seven days before they can be overwritten. If the log
reaches its maximum size and contains no events older than seven days, new
events are discarded, which leaves a gap in the audit trail. If this
configuration does not meet your auditing needs, increase the size of the
log file and adjust the event overwrite settings.
• Consolidate event logs into a single view. Each server within an access
server farm maintains its own event log. Use the Event Log Consolidator in
Advanced Access Control to collect event log data from all servers within
the farm and display this data in a single, consolidated view. After the data
is collected by the Event Log Consolidator, you can perform additional
analysis by running a variety of reports based on user access, resource
access, and so on.

To select events to be logged for an access server farm

1. In the console tree, select the access server farm you want to audit and click
Edit farm properties in Common Tasks.
2. On the Event Logging page, select from among the auditing options
described below. For detailed descriptions of these events, see the table in
“Configuring Audit Logging” on page 225.
• Endpoint analysis scan results
• Allowed and denied access to resources (Web resources, file shares,
and Web email)
• Logon point data including logon page denial, logon denial, logon
allowed, user log off, and session time-out

Note: To generate session-based reports in the Event Log Consolidator,
you must enable the “Logon allowed” event.

To configure log settings for Advanced Access Control servers

You must be logged on as an administrator or as a member of the Administrators
group to configure Advanced Access Control auditing information within the
Windows Event Viewer.

After auditing is enabled and configured within Advanced Access Control, you
can use the Windows Event Viewer to configure audit log settings including:
• Specifying the maximum log size
• Determining when to overwrite events

Important: By default, the maximum size of the CitrixAGE Audit log is
5120 KB and events are retained for seven days before they can be
overwritten. If the log reaches its maximum size and contains no events older
than seven days, new events are discarded, which leaves a gap in the audit
trail. If this configuration does not meet your auditing needs, increase the
size of the log file and adjust the event overwrite settings.

1. Open the Windows Event Viewer on a server running Advanced Access
Control.
2. Select CitrixAGE Audit from the console tree.
3. Configure logging properties as appropriate.
4. Repeat these steps on every server in the farm.
For help using the Windows Event Viewer, refer to the topic “Event Viewer” in
the Windows online Help.

To consolidate event logging results

1. In the console tree, select Access Gateway and click View Events in
Common Tasks.
2. In the Event Log Consolidator, click File > Configure.
3. In the Polling Interval box, specify the time interval (in seconds) at which
the Event Log Consolidator collects audit log data from Advanced Access
Control servers.
4. Under Available Farms, select the access server farm for which you want
to view auditing data.
5. Click File > Collect to begin polling Advanced Access Control servers.

Important: Excessive logging and polling can impact a system’s performance.
Therefore, avoid logging unnecessary events for an access server farm. In
addition, avoid unnecessary polling of audit log data by the Event Log
Consolidator.

Interpreting Audit Events


Audit information is written to the CitrixAGE Audit event log and displayed in
the Windows Event Viewer. Each event contains the fields described in the
table below.

DateTime
    Date and time of the request.
UserName
    Name of the authenticated user accessing the resource.
ServiceName
    Name of the Advanced Access Control component logging the request.
Status
    Status of the request (accepted, denied, or completed).
Machine Name
    Name of the server logging the event.
Session ID
    Reference number assigned to a session upon successful user
    authentication and license validation. This number is used to track
    session events such as logon allowed, user logged off, and session
    timed out.
PolicyReference
    Reference number for denied attempts. This number is also displayed to
    users when access is denied.
EPAReference
    Reference number for endpoint analysis scans. This number is assigned by
    endpoint analysis before the user is authenticated and is used to
    associate a session ID with the scan results.
Resource
    Name or URI (Uniform Resource Identifier) of the resource requested.
Data
    Additional data specific to a message.

Although logging is enabled at the access server farm level, each server maintains
its own log file. To gather logging information from all servers within the farm
into a single view, use the Event Log Consolidator.

To view logging results

1. In the console tree, select Access Gateway and click View Events in
Common Tasks.
2. Sort events or generate reports to assist in the evaluation of this data.

Troubleshooting User Access to Resources


There are many reasons why a user may be unable to access a corporate
resource: a failed endpoint analysis scan, incorrect authentication
credentials, a policy-based restriction, and so on. Often users cannot tell
why access was denied and therefore rely on support personnel for assistance
in troubleshooting these issues.
For each denial of access to a resource or failed endpoint analysis scan, a
unique value is displayed in the user’s browser. The same value is written to
the event log as the PolicyReference or EPAReference field, respectively.
Consider instructing users to record this reference number and report it to
support personnel; searching the log for the reference number takes support
personnel directly to the specific event so they can begin troubleshooting.
The table in the section “Interpreting Audit Events” on page 229 describes
the other fields of the event.
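The reference numbers and session fields described above are what support personnel search for when a user reports a denial. The following Python script, added here as an illustration and not part of Citrix’s tooling, shows that workflow offline: it merges per-server CitrixAGE Audit exports into one time-ordered view (as the Event Log Consolidator does), locates the event behind a PolicyReference or EPAReference a user read from the browser, walks from a Session ID back to the endpoint analysis scan that preceded authentication, and builds a per-session summary that, as the note in “Configuring Audit Logging” requires, depends on the “Logon allowed” event. The export line format (one event per line, fields separated by “ | ” in the order of the table above with an Event name prepended), the server names, user names, service names, logon point path, and every sample event are constructed assumptions; the real export format is not documented on this page.

```python
"""Offline analysis of CitrixAGE Audit events collected from several
Advanced Access Control servers.

Added example; not Citrix code.  ASSUMPTIONS: the export format (one event
per line, fields separated by " | " in the order of FIELDS, "-" for an empty
field), the server/user/service names and every sample event below are
constructed for illustration only.
"""
from datetime import datetime

# Event name followed by the fields of the "Interpreting Audit Events" table.
FIELDS = ("Event", "DateTime", "UserName", "ServiceName", "Status",
          "MachineName", "SessionID", "PolicyReference", "EPAReference",
          "Resource", "Data")

# Constructed per-server exports: each server keeps its own audit log.
SERVER_LOGS = {
    "AAC01": """\
Endpoint analysis scan results | 2006-11-14 09:00:01 | - | EndpointAnalysis | completed | AAC01 | - | - | EPA-7731 | - | raw: os=WinXP SP2; av=installed; fw=enabled
Endpoint analysis scan results | 2006-11-14 09:00:02 | - | EndpointAnalysis | completed | AAC01 | - | - | EPA-7731 | - | scan result: true
Endpoint analysis scan results | 2006-11-14 09:00:02 | - | EndpointAnalysis | completed | AAC01 | - | - | EPA-7731 | - | logon page requirement: true
Logon allowed | 2006-11-14 09:00:09 | CORP\\jdoe | LogonAgent | accepted | AAC01 | 4182 | - | EPA-7731 | /LogonPoint/Employees | -
Web resources - HTML MIME type | 2006-11-14 09:01:30 | CORP\\jdoe | WebProxy | accepted | AAC01 | 4182 | - | - | https://intranet.example.com/index.htm | -
Resource access denied | 2006-11-14 09:03:12 | CORP\\jdoe | FileAccess | denied | AAC01 | 4182 | POL-9054 | - | \\\\fs01\\finance | -
""",
    "AAC02": """\
Logon denied | 2006-11-14 08:58:40 | CORP\\asmith | LogonAgent | denied | AAC02 | - | POL-9031 | - | /LogonPoint/Employees | -
Logon allowed | 2006-11-14 09:02:15 | CORP\\bwong | LogonAgent | accepted | AAC02 | 4190 | - | EPA-7742 | /LogonPoint/Employees | -
User logged off | 2006-11-14 09:20:00 | CORP\\bwong | LogonAgent | completed | AAC02 | 4190 | - | - | - | -
""",
}


def parse_line(line):
    """Split one exported line into a dict keyed by FIELDS ("-" becomes "")."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != len(FIELDS):
        raise ValueError("malformed event line: %r" % line)
    event = {k: ("" if v == "-" else v) for k, v in zip(FIELDS, parts)}
    event["DateTime"] = datetime.strptime(event["DateTime"], "%Y-%m-%d %H:%M:%S")
    return event


def consolidate(server_logs):
    """Merge every server's events into one time-ordered view, which is what
    the Event Log Consolidator does across the farm."""
    events = [parse_line(line)
              for text in server_logs.values()
              for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["DateTime"])   # stable: same-second order kept
    return events


def find_by_reference(events, ref):
    """Events behind a reference number a user read off the browser error
    page (a PolicyReference for a denial, an EPAReference for a scan)."""
    return [e for e in events
            if ref and ref in (e["PolicyReference"], e["EPAReference"])]


def session_timeline(events, session_id):
    """All events carrying this Session ID, oldest first."""
    return [e for e in events if e["SessionID"] == session_id]


def scan_results_for_session(events, session_id):
    """Walk from a Session ID back to the endpoint analysis scan that ran
    before authentication: the 'Logon allowed' event carries the EPAReference
    under which the three pre-authentication scan events were logged."""
    logons = [e for e in session_timeline(events, session_id)
              if e["Event"] == "Logon allowed" and e["EPAReference"]]
    if not logons:
        return []
    return [e for e in find_by_reference(events, logons[0]["EPAReference"])
            if e["Event"] == "Endpoint analysis scan results"]


def sessions_report(events):
    """Per-session summary keyed by Session ID.  Only sessions that have a
    'Logon allowed' event can be reported, which is why that event must be
    enabled for session-based reports."""
    report = {}
    for e in events:
        if e["Event"] == "Logon allowed" and e["SessionID"]:
            report[e["SessionID"]] = {"user": e["UserName"],
                                      "server": e["MachineName"],
                                      "denied": 0, "end": "open"}
    for e in events:
        entry = report.get(e["SessionID"])
        if entry is None:
            continue
        if e["Status"] == "denied":
            entry["denied"] += 1
        if e["Event"] in ("User logged off", "Session timed out"):
            entry["end"] = e["Event"]
    return report


if __name__ == "__main__":
    farm = consolidate(SERVER_LOGS)
    # A user reports "POL-9054" from the denial page: go straight to the event.
    for e in find_by_reference(farm, "POL-9054"):
        print(e["DateTime"], e["UserName"], e["Event"], e["Resource"])
    for scan in scan_results_for_session(farm, "4182"):
        print(scan["EPAReference"], scan["Data"])
    for sid, summary in sessions_report(farm).items():
        print(sid, summary)
```

Searching by reference number rather than by user name or time window matters because the same user may have several sessions across several servers; the reference is unique to the single denial or scan the user saw. Because each server only holds the events it handled, the search has to run over the consolidated view, as above, rather than over one server’s log.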

Performing Audit Log Maintenance


The Windows Event Viewer and the Event Log Consolidator do not support
automatic rotation of logs without overwriting existing log data. Several
third-party tools provide this kind of advanced maintenance of Windows event
logs; if your corporation requires archiving of log data on a regular basis,
consider a third-party tool that automates this process.
However, there may be situations when using the Event Log Consolidator or
Windows Event Viewer to perform basic maintenance tasks is appropriate. For
example, you may need to reimage a server within your access server farm. To
ensure no audit data is lost, you can use the Windows Event Viewer to save the
audit log prior to reimaging the server.
The decision regarding how to manage and maintain audit logs depends on your
corporate needs. Therefore, when determining how to manage audit data,
evaluate the auditing needs of your corporation and ensure that your solution
satisfies these needs.
APPENDIX A

Glossary

Access Client package. The tool administrators use to manage the distribution and
upgrade of Access Suite clients. Allows administrators to quickly and easily
deploy client-side software to end-users with one convenient Windows
Installer package.
Access Gateway Administration Desktop. A window where administrators can monitor
Access Gateway network activity. Tools included in the Administration
Desktop include the Citrix Real-Time Monitor, Ethereal Network Analyzer,
xNetTools, My traceroute, fnetload, Gnome System Monitor, and the
Workplace Switcher.
Access Gateway Administration Portal. A Web-based interface for performing
administration tasks for Access Gateway appliances. From the Administration
Portal you can download other administration tools for remote use, such as the
Administration Desktop and the Access Gateway Administration Tool.
Access Gateway Administration Tool. A 32-bit management console downloaded from
the Administration Portal and installed on a Windows computer in the secure
network. The Administration Tool can administer individual settings for all
gateway appliances in a cluster.
Access Gateway Real-Time Monitor. A console window listing current users and their
related information. You can close the VPN connection for any user from the
Real-Time Monitor. The Real-Time Monitor is accessed using the
Administration Desktop.
Access Interface. The user-facing Web page that displays the available corporate
resources, including URLs, email, and files.
access policy. A policy that enforces configuration settings for user access under
specified conditions. See also connection policy.
access scenario. The access scenario includes all the information about the user and
the user’s client device used to apply policies. Depending on the type of policy
being evaluated, the access scenario can include the user identity, the client
device, client device details discovered through endpoint analysis scans, the
authentication method employed, the logon point used to enter the network,
and so on.

access server farm. A logical grouping of servers on which Advanced Access Control
Services run. An access server farm consists of one or more networked
computers that run Advanced Access Control components such as the Web
Server, database server, and so on. These components work together to provide
access to corporate resources such as Web sites, file shares, and email. See also
server farm.
accessible networks. The IP addresses of the computers in the secure network to
which the Access Gateway is allowed to connect.
action controls. The permissions that users are granted for working with files through
Access Gateway Advanced Edition such as Download, Send as Email, and file
type association.
activation server. A server that performs file activation services such as HTML
Preview, Download, and Live Edit. It houses the Activation Host Service and
Activation Engine Service; the Activation Host Service acts as a “sandbox” for
the Activation Engine Service to activate a file.
activation services. A service that provides stateless load balanced file activation
including HTML Preview, Download, and Live Edit.
Advanced Access Control. Software components and features in Access Gateway
Advanced Edition which enable granular policy-based access control.
Advanced Access Control allows you to control user access based on such
factors as user location and authentication, endpoint analysis, and verification
of the client device.
Allow Logon. A permission (the ability to log on) that is controlled by policy. The
Allow Logon permission is treated as a resource to enable administrators to
add criteria for users to meet in addition to the usual authentication process.
application policy. A policy that can be configured for any software program,
including Web applications, when you are using the Access Gateway
appliance. Application policies allow you to restrict applications to a specified
network path and to make access to the application dependent upon endpoint
policies.
authentication profile. An authentication profile contains configuration settings that
define the authentication to be used with a logon point.
authentication type. The type of authentication being used, such as RADIUS, LDAP,
SafeWord, and so on.
authorization rejection page. The user-facing Web page that displays when a client
environment does not possess the baseline requirements for accessing
corporate network resources.
browser-only access. The ability to access corporate network resources without
requiring any client-side software other than a Web browser.
Citrix Activation System (CAS). The Citrix license management system available from
a secure area of the Citrix Web site that allows customers to generate license
files for Access Suite products. CAS stores a downloadable copy of all license
files generated and can display a list of licenses registered to an organization.

Citrix administrator. System administrator responsible for installing, configuring, and
maintaining computers running any product in the Citrix Access Suite.
Citrix XML Service. A Windows service that provides communication between Citrix
Presentation Server and Access Gateway, Web Interface, and some
Presentation Server Clients.
client device. Any hardware device used to access corporate resources.
Client for Java. A Java applet that supports the launching and embedding of published
applications.
cluster. A group of like hardware components (such as Access Gateway appliances or
Advanced Access Control servers) that can be managed as a single entity.
condition. (1) In general terms, a condition is any configurable requisite for the
enforcement of a policy. Policies can have multiple types of conditions, such
as endpoint analysis or logon point or authentication conditions.
(2) In endpoint analysis, a condition is a single required attribute of the client
device evaluated during endpoint analysis, such as the operating system or
browser being used. A rule is a set of conditions that are evaluated against the
client device. If the client device meets all the conditions in a scan’s rule, the
scan is applied and run on the client device.
connection policy. A policy that allows Secure Access Client connections and applies
settings to those connections. You must allow use of the Secure Access Client
to establish connections to any network resource and for email
synchronization, because these types of resources do not allow browser-only
access.
continuous scan. Scans of the client device that occur repeatedly throughout the
session to ensure that the client device continues to meet requirements. The
feature prevents, for example, users from changing the status of a client device
requirement after establishing the connection. Types of continuous scans
include file scans, process scans, and registry scans.
continuous scan filter. A filter that defines the continuous scan requirements for a
connection policy. A continuous scan verifies one item (a file, registry entry, or
process) on the client device. The filter can include one or more continuous
scans for verification. When associated with a connection policy, the filter
defines all the requirements to be verified by continuous scans for the
connection policy to take effect.
device-specific presentation. The automatic display of content that is appropriate to
the device when a user uses a non-PC device, such as a PDA.
disconnected session. A client session in which the client is no longer connected to an
application on Citrix Presentation Server, but the user’s applications are still
running. A user can reconnect to a disconnected session. If the user does not
do so within a specified time-out period, the server automatically terminates
the session.

email synchronization. A comparison of separate email account instances resulting in
both instances containing the same information. This feature allows remote
users to access email in real time when working online and synchronize their
folders in preparation for working offline.
email synchronization group. A list of email servers that can be accessed for email
synchronization.
enclave deployment. A deployment scenario in which a network is segmented or
fragmented in a manner (such as with firewalls) that forces users to log on
through a specific logon point.
endpoint analysis. A process that scans a client device and detects information such as
the presence and version level of operating system, antivirus, firewall, or
browser software. Endpoint analysis can verify that the client device meets
your requirements before allowing it to connect. This information can be
included as a filter within a policy to determine the appropriate level of access
to corporate resources. Endpoint analysis scans are run against the client
device once, during logon. See also continuous scan.
Endpoint Analysis Client. An ActiveX control or browser plug-in used to discover
information about a device’s configuration (such as the operating system,
antivirus pattern, and so on).
Endpoint Analysis SDK. The software development kit that allows customers and
partners to modify and create endpoint analysis packages.
endpoint policy. An endpoint policy is a Boolean expression that defines the files,
processes, or registry entries that must be on the client computer before users
can connect to corporate resources through the Access Gateway appliance.
You can create and use endpoint policies on the appliance only. If you are
using Access Gateway Advanced Edition, this functionality is configured
through the logon point properties, where you can specify the requirements to
be met by the client device before the user is shown the logon page.
endpoint requirement. A file, process, or registry entry that must be on the client
device. An endpoint requirement is configured with Access Gateway Standard
Edition administration and then used to create an endpoint policy that is then
added to one or more user groups.
endpoint resource. A file, process, or registry entry that must be on the client device to
log on. In the Access Gateway Standard Edition, a group of endpoint resources
is used to create an endpoint policy.
file activation. The actions a user can take on a file including HTML Preview, Live
Edit, downloading, opening in a published application through file type
association, and sending the file as an email attachment.
file scan. A type of continuous scan that validates a specified file on the client device.
file share. A directory (UNC) on a file server that is shared among a group of users. In
Access Gateway Standard Edition, file shares are one of the corporate resource
types available to users when they are logged on in kiosk mode. In Access
Gateway Advanced Edition, file shares are available to users when an
administrator publishes them to the Access Interface and configures policies
allowing access.

file type association. A method that allows a document to be opened with an
application published in Citrix Presentation Server that is registered to open
documents of that type.
filter. Configured criteria, including endpoint analysis, logon point, and
authentication type, that can be used by policies to determine access to
corporate resources. A filter is a single named entity that can be used in
multiple policies. A filter may include another filter as part of its criteria. An
access policy may have only one filter, but each filter can be associated with
multiple access policies.
In addition, filters created in Access Gateway Advanced Edition can be used
in Citrix Presentation Server, which extends the SmartAccess capabilities to
published applications.
home page. The page the user sees after authentication. This page could be the default
Access Interface, a third-party portal, or email access interface, such as iNotes
or Outlook Web Access.
HTML Preview. The name of the service that allows documents to be previewed in
HTML rather than downloaded in their native format. This feature also refers
to the role that an administrator can assign to a server for performing this
service.
Independent Computing Architecture (ICA). The architecture that Citrix uses to
separate an application’s logic from its user interface. With ICA, only
keystrokes, mouse clicks, and screen updates pass between the client and
server on the network, while all the application’s logic executes on the server.
intellectual property control. The protection of corporate intellectual property or
sensitive information using features such as HTML Preview, file type
association, and client drive mapping. The goal of intellectual property control
is to prevent the exposure of sensitive corporate data.
kiosk mode. Used in Access Gateway Standard Edition to describe a type of limited
access to corporate resources from public computers, such as those found in
airports or hotels.
Live Edit. The feature that allows users to edit remote documents using the Live Edit
Client. Users can conveniently edit and save documents without needing to
download or upload them.
Live Edit Client. The ActiveX control that integrates with a user’s local editing
application to support the Live Edit feature.
local users. Users who are created in Access Gateway Standard Edition. Local users
are configured when they do not require authentication using other
authentication types such as RADIUS, SafeWord, RSA SecurID, or LDAP. A
realm for local authentication must be configured on the Access Gateway
appliance for local users to connect. Authentication credentials are checked
against the local user list if the user name does not match the authentication
server’s list of users.

logon point. The URL from which users access corporate resources. The logon point
settings determine access to server farms, Access Interface configuration, and
other session-specific settings. In addition, a logon point can be used as a filter
within policies.
Microsoft SQL Server Desktop Engine (MSDE). A fully SQL Server-compatible data
engine. SQL Server Express 2005, the newest version of MSDE, can be used
in Access Gateway Advanced Edition for data storage in place of Microsoft
SQL Server. See also SQL Server Express.
network resource. A network resource defines subnets or servers on the corporate
network that users can connect to through the Access Gateway using the
Secure Access Client over specified ports. After defining network resources,
you can create policies that control their user access and connection settings.
pass-through authentication. The ability for Access Gateway to pass the user’s
authentication information to another corporate resource requiring this
information. Pass-through authentication is used for single sign-on to the Web
Interface in an Access Gateway deployment.
policy-based access control. The ability to grant granular access to users based on
their access scenario.
policy priority. A ranking system that allows you to prioritize policies to resolve
conflicts when multiple policies apply to the same situation. The settings of a
higher priority policy take precedence over conflicting settings in a lower
priority policy.
pre-authentication policy. A policy that allows users to log on if a set of scans validate
the client device. Pre-authentication policies can be created only using the
Access Gateway Administration Tool. If you are using Access Gateway
Advanced Edition, you can create a logon policy for similar functionality.
Presentation Server Client. Citrix software that enables users from a variety of client
devices to connect to computers running Presentation Server.
process scan. A type of continuous scan that verifies that a specified process is
running on the client device.
published application. An application installed on a server or server farm that is
configured for multiuser access from clients through Citrix Presentation
Server.
realm. A realm is used in Access Gateway Standard Edition to specify the logical area
of access granted through a specified type of authentication. Realms are
replaced in the Advanced Edition by authentication profile settings. The
Default realm authenticates against the local user list on the Access Gateway.
Additional realms for LDAP, SafeWord, RADIUS, and RSA SecurID can be
created or can be used as the Default realm.
registry scan. A type of continuous scan that validates a registry setting on the client
device.
resource group. A resource group combines multiple resources of differing types into
one named resource so that policies can be applied to the aggregate.
Appendix A Glossary 237

resources. The file shares, Web resources, email, and applications available through
the Access Gateway.
rule. In endpoint analysis, a rule is a set of conditions that define when to apply a
scan and which property values to check. Multiple rules can apply to a single
scan. The first rule of a scan is defined when you create the scan. After
creating the scan, you can add more rules to make the scan apply to multiple
scenarios.
scan. A process that verifies specific properties of client devices connecting to your
network, such as the installed version of an antivirus software product or
verification that the device belongs to a required domain.
scan output. A result of an endpoint analysis scan run on a connecting client device to
detect or verify information about the client device. There are two types of
scan outputs. One type is a property value that is detected and reported about
the client device, such as the version number of an antivirus program running
on the device. Another type is a simple Boolean (True or False) result
indicating whether or not the client device passed the requirements of the scan.
scan package. A package of code that allows administrators to configure endpoint
analysis scans. Each scan package is designed to examine a set of properties
for a specific software product. You can expand the default set of scan
packages by importing new ones. Citrix, partners, or developers in your
organization can develop additional scan packages using the Endpoint
Analysis Software Development Kit (SDK).
Secure Access Client. Citrix software used to connect users to network resources. In
the Standard Edition, users access a secure URL to download the software and
authenticate to the Access Gateway appliance. In the Advanced Edition,
administrators create a connection policy to require use of the software when
users access specific logon points. Users may download the software after they
authenticate.
Secure Sockets Layer (SSL). A standards-based security protocol for encryption,
authentication, and message integrity. It is used to secure the communications
between two computers across a public network, authenticate the two
computers to each other based on a separate trusted authority, and ensure that
the communications are not tampered with. SSL supports a wide range of
ciphersuites. The most recent version of SSL is Transport Layer Security
(TLS).
server farm. A group of computers running Citrix Presentation Server and managed as
a single entity, with some form of physical connection between servers and a
database used for the farm’s data store. See also access server farm.
session reliability. Part of the collection of features that comprise SmoothRoaming,
Session Reliability enables ICA sessions to remain active and on the user’s
screen when network connectivity is interrupted. Session Reliability
incorporates Common Gateway Protocol (CGP) which restores the user’s
session quickly and transparently.
small form factor device. A client device, such as a PDA, with limited display
capabilities.

SmartAccess. A feature that allows organizations to control which resources users get
access to, based on their access scenario, and what they can do with those
resources when they get access. In addition, this functionality integrates with
Citrix Presentation Server to give organizations this same level of granular
control over published applications.
SmoothRoaming. The ability to access information continuously across devices,
locations, and networks. This feature includes Workspace Control, session
reliability, and dynamic display reconfiguration.
split DNS. A feature that enables failover to a user’s local DNS if the default remote
DNS is unavailable.
split tunneling. A feature enabling the client device to send only the traffic destined for
the secured network through the VPN tunnel. With split tunneling, group-
based policies apply to the internal network interface only. For connections
from inside of the firewall, group-based policies do not apply to traffic to
external resources or resources local to the network; that traffic is not
encrypted.
SQL Server Express. The newest version of MSDE. See Microsoft SQL Server
Desktop Engine (MSDE) for more information.
Transport Layer Security (TLS). See Secure Sockets Layer (SSL).
trusted. Refers to a user, service, or resource that is specifically allowed to access the
corporate network.
untrusted. Refers to a user, service, or resource that is specifically disallowed from
accessing the corporate network.
user groups. In Access Gateway Standard Edition, a user group consists of a
collection of users, policies, and resources. User groups can be configured to
correspond with user groups configured on authentication servers. All local
users are automatically added to the Default user group. Users can also be
added to other user groups you have configured.
Web-based email. A method of receiving, composing, and sending email using a Web
browser instead of a local email application.
Web client. An ActiveX control that supports the launching and embedding of
published applications.
Web proxy. The URL rewriting component of Access Gateway Advanced Edition.
Web resource. A set of URLs or Web applications that consists of virtual directory
paths such as http://mycompany/mydocument. A Web resource is one of the
corporate resources available to users through the Access Gateway.
Web server. A computer that delivers Web pages to browsers and other files to
applications using HyperText Transfer Protocol (HTTP).
Appendix B

Scan Properties Reference

Scan packages contain the software you need to create scans to detect information
about client devices. When creating scans, you typically specify one or more
property values that you’re looking for, such as an operating system version or
service pack level. This reference topic lists the properties you can configure for
Citrix scan packages.
For information about creating scans, see “Creating Endpoint Analysis Scans” on
page 166.

Note: This topic is available from the online help system of any server running
the Advanced Access Control software. If you need information about specific
properties while creating scans, use your online help to locate this reference topic.

Scan packages are organized alphabetically within the following groups by the
type of product or properties being scanned:
• “Antivirus Scan Packages” on page 240
• “Browser Scan Packages” on page 245
• “Firewall Scan Packages” on page 248
• “Machine Identification Scan Packages” on page 253
• “Miscellaneous Scan Packages” on page 255
• “Operating System Scan Packages” on page 256

Antivirus Scan Packages


Citrix Scans for McAfee VirusScan
Detects if the required version of McAfee VirusScan software (personal edition)
is running on the client device.

Supported Versions
• At least up to VirusScan 2006 v.11.0.209

Properties You Can Specify

• Minimum required build version: Note that this property is mislabelled and
  appears incorrectly as “Minimum required engine version.” Use format N.N,
  where N is an integer. You can find the build version number in the “About”
  information box for the installed application.

Scan Outputs

• Program Version: This is the version of the key program executable file.
  The major and minor version numbers are the same as those displayed in the
  program user interface. The rest of the version number may be ignored when
  reported.
• Verified-McAfee-VirusScan: This Boolean output indicates if the required
  minimum version of the application is running on the client device.

Citrix Scans for McAfee VirusScan Enterprise


Detects if McAfee VirusScan software (Enterprise edition) is running on the
client device.

Supported Versions
• At least up to VirusScan Enterprise v.8.0i Pattern 4825
Appendix B Scan Properties Reference 241

Properties You Can Specify

• Minimum required engine version: Use format N.N. For example, 4.4. Note
  that the application user interface and registry may display the engine
  version number in different formats. For example, engine version 4.4 may
  display in the user interface as 4400 and the same engine version may
  display in the registry as 4.4.00. However, in both cases, you should enter
  the “minimum required engine version” as 4.4 when you create a scan.
• Minimum required pattern file version number: Use format N, where N is an
  integer.

Scan Outputs

• Verified-McAfee-VirusScan-Enterprise: This Boolean output indicates if this
  application is running on the client device.
• Engine Version: Indicates the On-Access scan engine version running on the
  client device. If this product is not installed or is not executing, the
  version defaults to 0.0.0.0.
• Pattern Version: Indicates the pattern file version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.
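The following Python is an added illustration, not Citrix code and not how the scan package is implemented. It models the comparison this package describes: the administrator enters 4.4, the client may report the engine as 4400 (user interface) or 4.4.00 (registry), and a client without the product reports engine 0.0.0.0 and pattern 0. The same zero-padded comparison covers the N.N versus N.N.N.N rule that the browser and firewall packages later in this appendix describe. Reading a bare number such as 4400 one digit per component is an assumption about that user-interface format.

```python
"""Minimum-version comparison for the scan packages above.

Added example, not Citrix code: it models the comparison the VirusScan
Enterprise package describes (required engine 4.4 against a client that
reports 4400 or 4.4.00, with 0.0.0.0 / pattern 0 meaning absent) and the
zero-padding rule by which a required N.N accepts a reported N.N.N.N.
"""
from typing import Dict, Tuple, Union


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4', '4.4.00' or '6.0.3790.1830' into a tuple of integers.

    A bare digit string such as '4400' (the engine format the VirusScan
    Enterprise user interface shows for 4.4) is read one digit per component;
    that mapping is an assumption about the UI format, not a documented rule.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty version string")
    parts = [text] if "." not in text else text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    if len(parts) == 1:
        return tuple(int(ch) for ch in parts[0])   # '4400' -> (4, 4, 0, 0)
    return tuple(int(p) for p in parts)            # '4.4.00' -> (4, 4, 0)


def meets_minimum(reported: str, required: str) -> bool:
    """True when reported >= required, compared component by component.

    The shorter tuple is padded with zeros, so a required '6.0' behaves as
    6.0.0.0 and accepts 6.0.3790.1830, while a required '6.0.3790.1830'
    rejects 6.0.2900.2180.
    """
    have, want = parse_version(reported), parse_version(required)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have >= want


def scan_virusscan_enterprise(engine_reported: str, pattern_reported: int,
                              min_engine: str, min_pattern: int
                              ) -> Dict[str, Union[str, int, bool]]:
    """Model the three outputs of the VirusScan Enterprise scan.

    A client without the product (or with it not running) reports engine
    0.0.0.0 and pattern 0, which is what makes the Boolean output False.
    """
    verified = (meets_minimum(engine_reported, min_engine)
                and pattern_reported >= min_pattern)
    return {
        "Engine Version": engine_reported,
        "Pattern Version": pattern_reported,
        "Verified-McAfee-VirusScan-Enterprise": verified,
    }
```

The padding rule is what makes a scan definition of 6.0 accept every 6.0.x.y build; if a specific build is the real requirement, enter the full N.N.N.N so that older builds with the same major and minor numbers fail.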

Citrix Scans for Norton AntiVirus Personal


Detects if Norton AntiVirus software (personal edition) is running on the client
device.

Supported Versions
• At least up to Norton AntiVirus 2006 v.12.2.0.13 Pattern 2006 0809.018

Properties You Can Specify

• Days between required virus scans: This is the number of days within which
  a full-system antivirus scan must have run. Zero (0) indicates that any or
  no scan is acceptable. Use an integer between 0 and 365.
• Minimum required product version: Use the format N.N.N, where N is an
  integer.
• Minimum required pattern file version number: Use the format
  YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit month,
  DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs

• Verified-Norton-Antivirus: Indicates if this application is running on the
  client device.
• Product version: Indicates the software version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.0.0.0.
• Pattern version: Indicates the pattern file version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.0.0.0.

Citrix Scans for Symantec AntiVirus Enterprise


Detects if Symantec AntiVirus Enterprise software is running on the client
device.

Supported Versions
• At least up to Symantec AntiVirus Enterprise v10.0.0.359 Pattern 2006 0809.018

Properties You Can Specify

• Minimum required product version: Use the format N.N.N, where N is an
  integer.
• Minimum required pattern file version number: Use the format
  YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit month,
  DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs

• Verified-Symantec-AV-Enterprise: Indicates if this application is running
  on the client device.
• Product version: Indicates the software version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.0.0.0.
• Pattern version: Indicates the pattern file version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.0.0.0.
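The Norton AntiVirus Personal and Symantec AntiVirus Enterprise packages above both take the minimum pattern file version in the YYYYMMDD.NNN format, and the Norton Personal package adds the “Days between required virus scans” property. The Python below is an added example (not Citrix code) of the two checks behind those properties: a date-validated comparison of pattern versions that treats the 0.0.0.0 value of an absent product as a failure, and the day-count rule in which 0 accepts any scan or no scan at all. Dates passed to the day-count function are ISO strings (YYYY-MM-DD), a convenience of this example.

```python
"""Pattern-file checks for the Norton AntiVirus Personal and Symantec
AntiVirus Enterprise packages above (added example, not Citrix code).

Both packages take the minimum pattern file version as YYYYMMDD.NNN and see
0.0.0.0 from a client without the product; the Norton Personal package also
takes "Days between required virus scans", where 0 accepts any or no scan.
Dates passed to full_scan_recent_enough are ISO strings (YYYY-MM-DD).
"""
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

NOT_INSTALLED = "0.0.0.0"   # reported when the product is absent or not running


def parse_pattern_version(text: str) -> Optional[Tuple[date, int]]:
    """'20060809.018' -> (date(2006, 8, 9), 18); None for 0.0.0.0 or garbage.

    The date part must be a real calendar date, so a mistyped minimum such
    as 20061309.001 is rejected rather than compared as text.
    """
    text = text.strip()
    if text == NOT_INSTALLED:
        return None
    try:
        day_part, seq_part = text.split(".")
        if len(day_part) != 8 or len(seq_part) != 3 or not seq_part.isdigit():
            return None
        day = datetime.strptime(day_part, "%Y%m%d").date()
    except ValueError:          # wrong number of '.', or not a calendar date
        return None
    return day, int(seq_part)


def pattern_meets_minimum(reported: str, required: str) -> bool:
    """The 'Verified' Boolean for the pattern part: reported >= required."""
    want = parse_pattern_version(required)
    if want is None:
        raise ValueError(f"minimum pattern version must be YYYYMMDD.NNN: {required!r}")
    have = parse_pattern_version(reported)
    return have is not None and have >= want


def full_scan_recent_enough(last_full_scan: Optional[str], max_days: int,
                            today: str) -> bool:
    """'Days between required virus scans': 0 accepts any or no scan, else
    the last full-system scan must fall within max_days of today. A scan
    dated in the future (clock skew) is not accepted either."""
    if not 0 <= max_days <= 365:
        raise ValueError("use an integer between 0 and 365")
    if max_days == 0:
        return True
    if last_full_scan is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(last_full_scan)
    return timedelta(0) <= age <= timedelta(days=max_days)
```

Validating the date part when the scan is created catches the common typo of a minimum pattern version that can never be satisfied, which would otherwise silently fail every client.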

Citrix Scans for Trend OfficeScan


Detects if Trend OfficeScan antivirus software is running on the client device.

Supported Versions
• At least up to Version 7.3 Pattern 3.645.00

Properties You Can Specify

• Minimum required product version: Use the format N.N, where N is an
  integer.
• Minimum required pattern file version number: The three-digit short form of
  the pattern file version running on the client device. Use the format N,
  where N is an integer. For example, for version 2.763, 763 is the short
  form you enter.

Scan Outputs

• Verified-Trend-OfficeScan: Indicates if this application is running on the
  client device.
• Product Version: Indicates the software version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to 0.0.0.0.
• Pattern Version: Indicates the pattern file version running on the client
  device. If this product is not installed or is not executing, the version
  defaults to -1.

Citrix Scans for Windows Security Center Antivirus


Detects if the Windows Security Center reports that the client device is using
antivirus software. There are no properties for you to specify in this scan beyond
specifying the conditions under which the scan is applied.
Note that accurate scan results require that antivirus software be monitored
through the Windows Security Center. If an antivirus software product does not
register properly with the Windows Security Center, it is possible for the scan to
indicate incorrectly that the client device has no antivirus software enabled. Test
to ensure that Windows Security Center correctly registers the antivirus software
products you deem acceptable or check the Windows Security Center
documentation for details of the products it supports.

Supported Versions
• Windows XP SP2 - Security Center

Scan Outputs

• Antivirus Enabled: Indicates (True/False) if the Windows Security Center
  reports that the client device is using antivirus software.

Browser Scan Packages


Citrix Scans for Browser Type
Detects if specified browser software is being used to connect from the client
device. You can scan for Microsoft Internet Explorer, Mozilla Firefox, Netscape
Navigator, Safari, or other software.
Scans from this package do not require client-side software to run on the client
device. Scan outputs are determined by examining the communication sent by the
user’s browser.

Supported Versions
• At least up to Microsoft Internet Explorer 6.0
• At least up to Mozilla Firefox 1.5.06
• At least up to Netscape Navigator 8.1
• At least up to Safari 2.0

Properties You Can Specify

• Expected browser type: This is the browser you want to check for on the
  client device. Select Microsoft Internet Explorer, Mozilla Firefox, Netscape
  Navigator, Safari, or Other.

Scan Outputs

• Verified - Browser Type: Indicates whether (True or False) the browser type
  you specified is being used to connect from the client device.
• Browser Type: Returns the type of the client browser. “Other” is returned
  if a browser other than Microsoft Internet Explorer, Mozilla Firefox,
  Netscape Navigator, or Safari is being used.
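Because this package runs no client-side software and reads only what the browser sends, its outputs come from the User-Agent request header. The Python below is an added example (not Citrix code) of that classification for the browsers the package lists, including the ordering pitfalls of shared header tokens; the header values are constructed in 2006-era formats, not captured from real clients. The point for policy design is that this output is a client-supplied claim, so it is a usability signal, while the registry-based “-Installed” outputs of the per-browser packages that follow are the ones to rely on where assurance matters.

```python
"""Browser-type detection from the User-Agent request header, modelling the
"Browser Type" and "Verified - Browser Type" outputs above (added example,
not Citrix code; the header values are constructed, not captured).
"""
import re
from typing import Dict

BROWSER_TYPES = ("Microsoft Internet Explorer", "Mozilla Firefox",
                 "Netscape Navigator", "Safari", "Other")


def browser_type(user_agent: str) -> str:
    """Classify a User-Agent string. Order matters because of shared tokens:
    Netscape 8 carries 'Gecko' like Firefox, Opera can announce itself as
    MSIE-compatible, and every one of them begins with 'Mozilla/'."""
    ua = user_agent or ""
    if "Opera" in ua:
        return "Other"
    if "Netscape" in ua:
        return "Netscape Navigator"
    if "Firefox/" in ua:
        return "Mozilla Firefox"
    if "AppleWebKit" in ua and "Safari/" in ua:
        return "Safari"
    if re.search(r"\bMSIE \d", ua):
        return "Microsoft Internet Explorer"
    return "Other"


def connecting_version(user_agent: str) -> str:
    """Version the browser claims for itself (the '-Connecting' outputs of the
    Internet Explorer, Firefox and Netscape packages); '0.0' when absent.
    Safari 2 sends only a build number, so it is reported as '0.0' here."""
    ua = user_agent or ""
    if browser_type(ua) == "Other":
        return "0.0"
    match = (re.search(r"\bMSIE (\d+(?:\.\d+)*)", ua)
             or re.search(r"\b(?:Firefox|Netscape)/(\d+(?:\.\d+)*)", ua))
    return match.group(1) if match else "0.0"


def scan_browser_type(user_agent: str, expected: str) -> Dict[str, object]:
    """Both outputs of the Browser Type scan for one request."""
    if expected not in BROWSER_TYPES:
        raise ValueError(f"expected browser type must be one of {BROWSER_TYPES}")
    found = browser_type(user_agent)
    return {"Browser Type": found, "Verified - Browser Type": found == expected}


# Constructed sample headers in 2006-era formats (not captured from clients).
SAMPLE_HEADERS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "firefox15": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) "
                  "Gecko/20060728 Firefox/1.5.0.6"),
    "netscape81": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) "
                   "Gecko/20060912 Netscape/8.1.3"),
    "safari2": ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) "
                "AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3"),
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.00",
}
```

The `opera_as_ie` sample shows why the checks are ordered as they are: a header that contains “MSIE 6.0” is not necessarily Internet Explorer, and a scan that tested for the MSIE token first would report the wrong type.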

Citrix Scans for Internet Explorer


Detects if the specified version of the browser software exists on the client
device.

Supported Versions
• At least up to Internet Explorer Version 6.0 Service Pack 2

Properties You Can Specify

• Minimum required version: Use the format N.N.N.N, where N is an integer.
  However, you can specify a version as simple as N.N or as detailed as
  N.N.N.N (for example, 6.0.3790.1830).

Scan Outputs

• Product Version: The version of the key program executable file. The major
  and minor version numbers are the same as those displayed in the program
  user interface. The rest of the version number may be ignored when reported.
• Verified-Internet-Explorer-Installed: This Boolean output indicates if the
  minimum or later required version of the application is running on the
  client device.
• Verified-Internet-Explorer-Connecting: This Boolean output indicates if the
  minimum or later required version of the application is being used to
  perform the connection.

Citrix Scans for Internet Explorer Update


Detects if the specified version (including update or hotfix version level) of the
browser software exists on the client device.

Supported Versions
• At least up to Internet Explorer Version 6.0 SP2

Properties You Can Specify

• Data Set: Provide the name of a data set file containing the specified
  updates or hotfix version levels required. See “Using Data Sets in Scans”
  on page 172 for more information.

Scan Outputs

• Verified-Internet-Explorer-Patch: Indicates if the updates specified in the
  data set are present on the client device.

Citrix Scans for Mozilla Firefox


Detects if the specified version of the Mozilla Firefox browser exists on the client
device. The scan package uses the published Windows registry settings.

Supported Versions
• At least up to Firefox Version 1.5.06

Properties You Can Specify

• Minimum required version: Use the format N.N.N.N, where N is an integer.
  However, you can specify a version as simple as N.N or as detailed as
  N.N.N.N (for example, 1.0.3.3).

Scan Outputs

• Product Version: The version of the key program executable file. The major
  and minor version numbers are the same as those shown in the program user
  interface. The rest of the version number may be ignored when reported.
• Verified-Mozilla-Firefox-Installed: This Boolean output indicates if the
  minimum or later required version of the application is running on the
  client device.
• Verified-Mozilla-Firefox-Connecting: This Boolean output indicates if the
  minimum or later required version of the application is being used to
  perform the connection.

Citrix Scans for Netscape Navigator


Detects if the specified version of the Netscape Navigator browser exists on the
client device. The scan package uses the published Windows registry settings.

Supported Versions
• At least up to Netscape Navigator Version 8.1

Properties You Can Specify

• Minimum required version: Use the format N.N.N.N, where N is an integer.
  However, you can specify a version as simple as N.N or as detailed as
  N.N.N.N (for example, 8.0.3.3).

Scan Outputs

• Product Version: The version of the key program executable file. The major
  and minor version numbers are the same as those shown in the program user
  interface. The rest of the version number may be ignored when reported.
• Verified-Netscape-Navigator-Installed: This Boolean output indicates if the
  minimum or later required version of the application is running on the
  client device.
• Verified-Netscape-Navigator-Connecting: This Boolean output indicates if
  the minimum or later required version of the application is being used to
  perform the connection.

Firewall Scan Packages


Citrix Scans for McAfee Desktop Firewall
Detects if the specified version of the firewall software exists on the client device.

Supported Versions
• At least up to McAfee Desktop Firewall 8.5 Build 260

Properties You Can Specify

• Minimum required version number or combined version and build number: To
  specify the version number, use the format N.N, where N is an integer. To
  specify the version and build number, use the format N.N.NNN, where N is an
  integer.

Scan Outputs

• Version: The version of the key program executable file. The major and
  minor version numbers are the same as those displayed in the program user
  interface. The rest of the version number may be ignored when reported.
• Verified-McAfee-Desktop-Firewall: This Boolean output indicates if the
  required minimum version of the application is running on the client
  device.

Citrix Scans for McAfee Personal Firewall Plus


Detects if the specified version of the firewall software exists on the client device.

Supported Versions
• At least up to McAfee Personal Firewall Plus 2006 Version 7.1.113

Properties You Can Specify

• Minimum required version number: N.N, where N is an integer.

Scan Outputs

• Version: The version of the key program executable file. The major and
  minor version numbers will be the same as those displayed in the program
  user interface. The rest of the version number may be ignored when reported.
• Verified-McAfee-Personal-Firewall-Plus: This Boolean output indicates if
  the required minimum version of the application is running on the client
  device.

Citrix Scans for Microsoft Windows Firewall


Detects if the specified version of the Microsoft Windows Firewall or Internet
Connection Firewall (ICF) exists on the client device.

Supported Versions
The scan can detect the following firewalls on these operating systems:
• Microsoft Windows XP Home and Professional: ICF
• Microsoft Windows XP Home and Professional Service Pack 1: ICF
• Microsoft Windows XP Home and Professional Service Pack 1: Windows
Firewall
• Microsoft Windows 2003: ICF

Properties You Can Specify

• Windows Firewall without exceptions is required: Select True if you require
  Windows Firewall to be active without exceptions. Select False if you
  require ICF to be active on all connections or if you require Windows
  Firewall to be active (with exceptions). See “Adding Rules to Scans” on
  page 169 for an example showing how to add multiple rules with exceptions
  to a scan.

Scan Outputs

• Verified-Windows-Firewall: This Boolean output indicates if the required
  minimum version of the application is running on the client device.

Citrix Scans for Norton Personal Firewall


Detects if the specified version of Norton Personal Firewall exists on the client
device.

Supported Versions
• At least up to Norton Personal Firewall 2006 Version 9.1.0.33

Properties You Can Specify

• Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs

• Version: The version of the key program executable file. The major and
  minor version numbers are the same as those displayed in the program user
  interface. The rest of the version number may be ignored when reported.
• Version-Norton-Personal-Firewall: This Boolean output indicates if the
  required version of the application is running on the client device.

Citrix Scans for Windows Security Center Firewall


Detects if the Windows Security Center reports that the client device is using a
firewall. The Windows Security Center allows you to monitor various security
items on a client device running the Windows XP SP2 operating system. There
are no properties for you to specify in this scan beyond specifying the conditions
under which the scan is applied.
Note that accurate scan results require that the firewall be monitored through the
Windows Security Center on the client device. If a firewall product does not
register properly with the Windows Security Center, it is possible for the scan to
indicate incorrectly that the client device has no firewall enabled. Test to ensure
that Windows Security Center correctly registers the firewall products you deem
acceptable or check the Windows Security Center documentation for details of
the products it supports.

Supported Versions
• Windows XP SP2 - Security Center

Scan Outputs

• Firewall Enabled: Indicates if (True/False) the Windows Security Center
  reports that the client device is using a firewall.

Citrix Scans for ZoneAlarm


Detects if the specified version of the free ZoneAlarm firewall exists on the client
device.

Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00

Properties You Can Specify

• Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs

• Version: The version of the key program executable. The major and minor
  version numbers are the same as those displayed in the program user
  interface. The rest of the version number may be ignored when reported.
• Verified-ZoneAlarm: This Boolean output indicates if the required minimum
  version of the application is running on the client device.

Citrix Scans for ZoneAlarm Pro


Detects if the specified version of the ZoneAlarm Pro firewall exists on the client
device.

Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00

Properties You Can Specify

• Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs

• Engine Version: The version of the key program executable. The major and
  minor version numbers are the same as those displayed in the program user
  interface. The rest of the version number may be ignored when reported.
• Verified-ZoneAlarm-Pro: This Boolean output indicates if the required
  minimum version of the application is running on the client device.

Machine Identification Scan Packages


Citrix Scans for Domain Membership
Detects if the client device belongs to a specified domain.

Properties You Can Specify

• A client domain name is required: True means the client device must belong
  to a named domain. False means the client device is not required to belong
  to a domain.
• Domain name: A valid domain name. Workgroup names are not valid.

Scan Outputs

• Domain: The name of the domain that the client device belongs to. If a
  client domain name is not required, the output is “unknown.”
• Verified-Domain: Indicates if the client device belongs to the specified
  domain.

Citrix Scans for MAC Address


Detects the media access control (MAC) address for each network interface card
(NIC) or network adapter on the client device and compares the address against a
data set containing the list of group names mapped to valid MAC addresses.
This scan requires you to create a double-column data set listing valid MAC
addresses mapped to group names. The scan detects the network adapter (the first
value or column in the data set) and maps that address to a group name (the
second value or column in the data set). Scans use this mapping to verify to which
group the client device belongs. The MAC addresses in the data set should be in
the format NN:NN:NN:NN:NN:NN, such as 00:11:11:06:B3:E9. Note that you
should use a colon (:) as the separator in this format rather than a hyphen (-).

Important: This scan package treats data as case sensitive. Avoid creating
conflicting entries that differ in case. For example, it is possible to create an entry
for the same address and map it to two different groups. One entry might map the
address 00:50:8b:e8:f9:28 to the Finance group. Another entry can map the same
address with different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such
entries make scan results unreliable.

For more information about using data sets, see “Using Data Sets in Scans” on
page 172.

Properties You Can Specify

• Data set name: Name of a data set file that maps each MAC address to a
  group name.
• Group name: Name of a group to which the NIC or network adapter must
  belong.

Scan Outputs

• Group name: Returns the group name associated with the MAC address of the
  client device network interface or adapter.
• Matched-MAC-Address: This Boolean output indicates if the network interface
  or adapter belongs to the specified group of MAC addresses.
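The case-sensitivity warning above is easy to violate when a data set is assembled by hand from adapter listings that print hexadecimal in different cases. The Python below is an added example (not Citrix code) of a loader that rejects such a data set before it is imported, together with the hyphen-separated addresses the text rules out, and of the case-sensitive lookup that produces the two outputs. The data-set text is constructed, and its comma-separated two-column layout is an assumption of this example rather than the product’s file format.

```python
"""Validation of a MAC-address data set and the group lookup it feeds,
modelling the "Group name" and "Matched-MAC-Address" outputs above (added
example, not Citrix code; the data-set text is constructed and its
comma-separated layout is an assumption, not the product's file format).

The package compares addresses as case-sensitive text, so a set holding both
00:50:8b:e8:f9:28 -> Finance and 00:50:8B:E8:F9:28 -> Sales is ambiguous.
The loader rejects such a set, and any hyphen-separated address, before it
is imported; the lookup then runs exactly as entered, without case folding,
so the result reflects what the scan would see.
"""
import csv
import io
import re
from typing import Dict, Iterable, Optional

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def load_mac_data_set(text: str) -> Dict[str, str]:
    """Parse a two-column 'address,group' data set into a dict, raising
    ValueError on malformed rows, hyphen separators and case conflicts."""
    mapping: Dict[str, str] = {}
    by_folded: Dict[str, str] = {}          # lower-cased address -> as entered
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue                         # blank line
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, got {len(row)}")
        address, group = (cell.strip() for cell in row)
        if not MAC_RE.match(address):
            hint = " (use ':' as the separator, not '-')" if "-" in address else ""
            raise ValueError(f"line {lineno}: bad MAC address {address!r}{hint}")
        folded = address.lower()
        if folded in by_folded and by_folded[folded] != address:
            raise ValueError(f"line {lineno}: {address!r} conflicts with "
                             f"{by_folded[folded]!r} (differs only in case)")
        if mapping.get(address, group) != group:
            raise ValueError(f"line {lineno}: {address!r} mapped to both "
                             f"{mapping[address]!r} and {group!r}")
        by_folded[folded] = address
        mapping[address] = group
    return mapping


def data_set_error(text: str) -> Optional[str]:
    """The validation message for a data set, or None if it is acceptable."""
    try:
        load_mac_data_set(text)
    except ValueError as exc:
        return str(exc)
    return None


def scan_mac_address(adapter_macs: Iterable[str], data_set: Dict[str, str],
                     required_group: str) -> Dict[str, object]:
    """Outputs for one client: the group of the first adapter present in the
    data set (lookup is case-sensitive, like the package) and whether any
    adapter belongs to the required group."""
    groups = [data_set[mac] for mac in adapter_macs if mac in data_set]
    return {
        "Group name": groups[0] if groups else None,
        "Matched-MAC-Address": required_group in groups,
    }


# Constructed data sets (CSV text, not real files or real adapters).
VALID_DATA_SET = "00:11:11:06:B3:E9,Finance\n00:50:8B:E8:F9:28,Sales\n"
CONFLICTING_DATA_SET = "00:50:8b:e8:f9:28,Finance\n00:50:8B:E8:F9:28,Sales\n"
HYPHENATED_DATA_SET = "00-11-11-06-B3-E9,Finance\n"
```

Note that the lookup deliberately does not fold case: an address reported in lower case by the client will not match an upper-case data-set entry, which is the behaviour the Important note describes, so the data set must use the same case the scan reports.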

Miscellaneous Scan Packages


Citrix Bandwidth Scan
Determines the connection bandwidth between the client and the Access Gateway
appliance. You can use the results of this scan in policies to determine, for
example, whether published applications can be launched.
This scan determines the bandwidth of a client’s connection by reading an image
file and calculating the time it takes to read the file during the time the scan runs.
The image file, citrix_bw.gif, is located in the themes/default/images folder of the
logon point’s virtual directory. To change the size of this image file, overwrite this
file with another of the same name.
Note that the accuracy of scan results is affected by the time allotted for the scan
to run as well as the size of the image file. For example, users on slow
connections may experience prolonged logon times if the image file is 72 MB and
the scan runs for 120 seconds. If the scan runs for 5 seconds, however, the correct
bandwidth may not be calculated. Test to ensure there is a balance between the
size of the image file and the time allotted for the scan to run so that users with
high bandwidth and low bandwidth connections have similar logon experiences.

Properties You Can Specify

• Desired Bandwidth: The level at which a connection is considered “high
  bandwidth.”
• Time: The maximum length of time the scan is allowed to run.

Scan Outputs

• Bandwidth: This Boolean output indicates if the client connection meets
  the specified bandwidth.
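The tuning advice above (a large image with a long time limit delays slow users; a short time limit may not measure a fast connection correctly) can be tested before touching citrix_bw.gif. The Python below is an added example (not Citrix code) that models the scan as bytes received within the time limit divided by the time taken, and adds a fixed connection latency before the first byte, which is what makes a short window under-report fast links. Both the model and the use of kilobits per second for Desired Bandwidth are assumptions of this example; the product’s unit is not stated above.

```python
"""Bandwidth-scan sizing, an added example (not Citrix code) for the tuning
advice above. It models the scan as 'bytes received within the time limit,
divided by the time taken' (an assumption about the product), expresses the
Desired Bandwidth in kilobits per second (also an assumption), and applies a
fixed latency before the first byte arrives, which is what makes a short
time limit under-report fast connections.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass
class BandwidthScanResult:
    measured_kbps: float   # what the scan computes from what it received
    elapsed_s: float       # seconds the scan added to the user's logon
    completed: bool        # whether the whole image arrived before the limit
    meets_desired: bool    # the scan's Boolean 'Bandwidth' output


def simulate_bandwidth_scan(image_bytes: int, client_kbps: float, latency_s: float,
                            time_limit_s: float, desired_kbps: float) -> BandwidthScanResult:
    """Run the scan against a client of known throughput and latency."""
    if min(image_bytes, client_kbps, time_limit_s, desired_kbps) <= 0 or latency_s < 0:
        raise ValueError("image size, rates and time limit must be positive")
    bytes_per_s = client_kbps * 1000 / 8
    transfer_s = image_bytes / bytes_per_s
    if latency_s + transfer_s <= time_limit_s:
        elapsed, received, completed = latency_s + transfer_s, float(image_bytes), True
    else:                                   # cut off at the limit: partial image
        elapsed, completed = time_limit_s, False
        received = max(0.0, time_limit_s - latency_s) * bytes_per_s
    measured_kbps = received * 8 / 1000 / elapsed
    return BandwidthScanResult(measured_kbps, elapsed, completed,
                               measured_kbps >= desired_kbps)


def logon_delay_table(image_bytes: int, latency_s: float, time_limit_s: float,
                      desired_kbps: float, client_rates_kbps: Iterable[float]
                      ) -> Dict[float, Tuple[float, bool]]:
    """Seconds added to logon and the verdict for each client rate: the
    balance the text asks you to test before choosing an image size."""
    table = {}
    for rate in client_rates_kbps:
        result = simulate_bandwidth_scan(image_bytes, rate, latency_s,
                                         time_limit_s, desired_kbps)
        table[rate] = (round(result.elapsed_s, 1), result.meets_desired)
    return table
```

Two cases from the text fall out directly: with a 72 MB image and a 120 second limit a 256 kbps user waits the full 120 seconds before being classified, and with a 5 second limit a 10 Mbps user is measured at roughly 9000 kbps once half a second of latency is taken off the window. A tiny image goes wrong the other way, because the measurement is then dominated by latency rather than throughput.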

Operating System Scan Packages


Citrix Scans for Macintosh
Detects whether or not the client device is running the Mac OS system software.
Scans from this package do not require client-side software to run on the client
device. Scan outputs are determined by examining the communication sent by the
user’s browser.
There are no properties for you to specify in this scan beyond specifying the
conditions under which the scan is applied.

Supported Versions
• Mac OS X

Scan Outputs

• Client Is Macintosh: Reports whether or not the client device is running
  Mac OS system software.

Citrix Scans for Microsoft Windows Service Pack


Detects if the operating system software on the client device is running at a
required minimum service pack level.

Properties You Can Specify

• Minimum required service pack: Select a Windows service pack version from
  the drop-down menu. Select None to detect a base, unpatched operating
  system version.

Scan Outputs

• Service Pack: Returns the service pack version running on the client
  device.
• Verified-Windows-Service-Pack: This Boolean output indicates if the
  required minimum service pack level is met.

Citrix Scans for Microsoft Windows Update


Detects whether a set of specified operating system updates are installed on the
client device.

Note: This scan package requires you to create a single-column data set listing
the update names you wish to detect.

Properties You Can Specify

• Data set name: Name of a data set file that contains a single column list
  of updates appropriate for the detected operating system.

Scan Outputs

• Verified-Windows-Updates: This Boolean output indicates if the updates
  specified in the data set file exist on the client device.
