Contents
Chapter 1 Welcome
Access Gateway Advanced Edition  11
SmartAccess  11
SmoothRoaming  12
Secure by Design  12
New Features  13
New Name  14
Appendix A Glossary
Welcome
Citrix Access Gateway is a universal SSL VPN appliance that provides a secure,
always-on, single point-of-access to all applications and protocols. It has all of
the advantages of IPSec and SSL VPNs, without their costly and cumbersome
implementation and management. With the Advanced Edition, Access Gateway
finely controls both the resources users can access and what actions they can
perform, facilitating regulatory compliance. Access Gateway delivers the best
access experience for everyone: secure access to corporate data for the business,
easy access for users, and easy administration and management for IT.
SmartAccess
SmartAccess analyzes the access scenario and then delivers the appropriate level
of access without compromising security. Depending on who and where users are
and what device and network they are using, users are granted different levels of
access, such as the ability to preview, but not edit, documents.
Advanced Access Control provides SmartAccess through two key phases—sense
and respond. In the sensing phase, the system analyzes the user’s access
scenario; in the responding phase, it grants the level of access appropriate to
that scenario. “Granted” or “denied” are no longer the only answers to an access
attempt, because organizations control not only which resources users get
access to based on their access scenario, but also how they can use those
resources once they gain access.
For example, a user at an airport kiosk could be allowed to only preview or read
email attachments and files but would not be allowed to download, edit, or print
these files. However, that same user working from home may be granted full
download, editing, and printing capabilities. In addition, Advanced Access
Control integrates seamlessly with Citrix Presentation Server to give
organizations this same level of granular control over published applications.
12 Access Gateway Advanced Edition Administrator’s Guide
SmoothRoaming
Advanced Access Control supports SmoothRoaming technology by ensuring that
as users move between devices, networks, and locations, the appropriate level of
access is configured automatically for each new access scenario.
Secure by Design
Advanced Access Control provides users with access that is inherently secure by
design, protecting both the confidentiality of company information and the
integrity of the network.
SmartAccess, SmoothRoaming, and Secure by Design technologies work
together by combining the following features:
• Integrated endpoint security. Provides continuous real-time monitoring to
ensure that the device is safe to connect and remain connected to the
network. Endpoint analysis further evaluates the integrity of connecting
devices and allows you to tailor the level of access you grant in policies
according to analysis results.
• VPN connectivity. Network resources enable direct SSL virtual private
network (VPN) connectivity to servers, services, and networks within the
corporate LAN.
• Action controls. Allow administrators to set policies that allow or deny
viewing, editing, and saving documents depending on the user’s identity,
device, location, and connection.
• Mobile device awareness. Re-factors email and file interfaces for personal
digital assistants (PDAs) and small form factor devices.
• Browser-only access. Provides access with any Web browser on any
device to Web sites, files, and email. You can automatically render
Microsoft Office documents for HTML Preview.
• Secure access to Web-based email and files. Provides access to corporate
email securely over the Internet through a Web-based user interface.
Allows users to securely access Microsoft Outlook and Lotus Notes in real
time and synchronize information for offline use. Enables access to
corporate network file shares securely over the Internet through a
Web-based user interface.
• Advanced Presentation Server integration. You can use endpoint
analysis and client location to control which published applications are
available to the user. This feature extends SmartAccess to Presentation
Server, including the use of Advanced Access Control filters to control
local client drive mapping, clipboard operations, and local printer mapping.
• Multilingual support. Provides full server and client support for Japanese,
German, French, and Spanish.
• Standards-based encryption. Uses industry-standard SSL encryption to
provide secure access to corporate resources.
• Common management platform. Provides a unified framework
containing client and server configuration, licensing, monitoring, and
reporting tools for administrative simplicity, business visibility, and
corporate security.
New Features
This release provides the following new features and enhancements.
• Support for UPN and Alternate UPN credentials. Users who log on to
internal networks with credentials specified in User Principal Name (UPN)
or Alternate UPN format can log on to the Access Gateway and seamlessly
access corporate resources such as published Web sites, file shares, and
Web email.
• Enhanced access to Citrix Presentation Server published applications.
Citrix Presentation Server published applications are accessible as Access
Platform sites from within the Access Interface, allowing users to quickly
access and launch published applications. You can enable up to three
Access Platform sites to display applications from multiple Presentation
Server farms.
• Support for third-party load balancers. In addition to its internal load
balancing capabilities, Access Gateway Advanced Edition supports
configurations that include third-party load balancers such as Citrix
NetScaler. In the event an Advanced Access Control server in a farm
becomes unavailable, users are routed automatically to another Advanced
Access Control server.
• Enhanced access to documents hosted on SharePoint sites. Microsoft
SharePoint sites that are accessed through the Web proxy retain many of the
menu-driven features users need to work with files, such as Delete, Edit
Properties, and Alert Me.
• Support for double-hop DMZ deployments. Organizations can provide
an extra layer of security for their internal resources by deploying Access
Gateway appliances in a two-stage DMZ configuration.
• Policies dynamically determine best resource delivery method. You can
configure policies to determine the best method for accessing resources
based on users’ connection bandwidth. Using the Citrix Bandwidth
endpoint analysis scan, the connection bandwidth is calculated and the
New Name
Access Gateway Advanced Edition is the new name for the products formerly
known as Access Gateway with Advanced Access Control, Access Gateway
Enterprise, and MetaFrame Secure Access Manager.
Chapter 2 Getting Information and Help
The topics in this section describe how to get more information about the product
and how to contact Citrix.
• “Accessing Product Documentation” on page 15
• “Getting Service and Support” on page 18
• “Education and Training” on page 19
• “Customizing the Software” on page 19
Document Conventions
This documentation uses the following typographic conventions for menus,
commands, keyboard keys, and items in the program interface:

Convention        Meaning
Boldface          Commands, names of interface items such as text boxes,
                  option buttons, and user input.
Italics           Placeholders for information or parameters that you
                  provide. For example, filename in a procedure means you
                  type the actual name of a file. Italics also are used for
                  new terms and the titles of books.
%SystemRoot%      The Windows system directory, which can be WTSRV,
                  WINNT, WINDOWS, or other name you specify when you
                  install Windows.
Monospace         Text displayed in a text file.
{ braces }        A series of items, one of which is required in command
                  statements. For example, { yes | no } means you must type
                  yes or no. Do not type the braces themselves.
[ brackets ]      Optional items in command statements. For example,
                  [/ping] means that you can type /ping with the command.
                  Do not type the brackets themselves.
| (vertical bar)  A separator between items in braces or brackets in
                  command statements. For example, { /hold | /release |
                  /delete } means you type /hold or /release or /delete.
… (ellipsis)      You can repeat the previous item or items in command
                  statements. For example, /route:devicename[,…] means
                  you can type additional device names separated by
                  commas.
Command-Line Conventions
Some components run from a DOS command line interface. If you are not
familiar with DOS command lines, note that:
• Slashes and hyphens in a command line are important and must be entered
exactly as described in the instruction
• The spacing on the command line is important and must be followed
exactly as described in the instructions
• Help is available for DOS-based programs by entering the command name
followed by a forward slash and a question mark, for example:
C:\>sessmon /?
Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage
program. The Citrix Subscription Advantage program gives you an easy way to
stay current with the latest software versions and information for your Citrix
products. Not only do you get automatic access to download the latest feature
releases and software upgrades and enhancements that become available during
the term of your membership, you also get priority access to important Citrix
technology information.
You can find more information on the Citrix Web site at
http://www.citrix.com/services/ (select Subscription Advantage). You can also
contact your Citrix sales representative, Citrix Customer Care, or a member of
the Citrix Solutions Advisors program for more information.
http://support.citrix.com. After you are logged on, in the upper right corner, click
My Watches and follow the instructions.
Before you install Advanced Access Control, you should evaluate your
infrastructure and collect the information necessary to develop an access strategy
that meets the specific needs of your corporation. When planning an access
strategy, follow the general steps below.
“Step 1: Evaluating Corporate Infrastructure” on page 21
“Step 2: Performing a Risk Analysis” on page 25
“Step 3: Developing Your Access Strategy” on page 25
Each of these steps is discussed in detail in the following sections. Consider
documenting your findings throughout this process to assist you in designing and
scoping the overall effort of the project, determining a realistic timeline for
implementation, and setting benchmarks against which to measure your overall
progress.
After you identify the elements within your corporate infrastructure, you can
perform a risk analysis and then develop a strategy for providing the appropriate
level of access to these resources.
Traversing Firewalls
Access Gateway eases firewall traversal and provides a secure Internet gateway
between Advanced Access Control servers and client devices. Scenarios in which
firewalls are commonly used include:
• Demilitarized zones (DMZs). In this scenario, firewalls are used to create
one-stage or two-stage DMZs to protect the corporate network from
Internet traffic. This deployment requires users external to the network to
traverse firewalls protecting the corporate network before gaining access to
corporate resources.
• Enclaves. In this scenario, firewalls limit traffic between specific segments
of the network. For example, hospital administrators may segment their
LAN so that access to sensitive information such as patient records is
accessible only from specific enclaves within the network.
• Perimeter of access server farm. In this scenario, firewalls secure
Advanced Access Control servers from threats within the corporate LAN
by forming a secure perimeter around the access server farm. This
deployment ensures that the access server farm is not directly accessible to
users.
Corporations often implement a combination of the above deployments to protect
against different types of threats. See the Access Gateway Standard Edition
Administrator’s Guide for more information about supported Access Gateway
deployment scenarios.
One-Factor Authentication
One-factor authentication is based on something users know such as a PIN,
password, or pass phrase. When implementing one-factor authentication, users
authenticate to Advanced Access Control by entering their user name and
password when they log on. Users are assumed to be valid because they enter the
correct credentials.
The advantages of using one-factor authentication include:
• Advanced Access Control supports standard Windows- and LDAP-based
one-factor authentication. Therefore, no additional effort or implementation
costs are associated with this authentication method.
• Passwords are easily revocable and replaceable in the event that they are
compromised.
• All users are familiar with user names and passwords.
The disadvantages of using one-factor authentication include:
• Passwords are highly susceptible to “social engineering” attacks where
users unknowingly provide their passwords to unauthorized users.
• Users can share passwords and as a result, it is not possible to rely on a
password to ensure that the authentication is genuine. In addition, after
sharing passwords for a particular purpose, users often forget to change
their passwords. This allows multiple users to authenticate using the same
set of credentials.
Advanced Authentication
Advanced authentication combines something a user knows with a second piece
of information. The second piece of information can be something the user has,
such as a hardware token, or something a user knows, such as an additional
password. Note that a second password is a second credential but not a second
factor: both pieces are knowledge, so it can be shared or phished in the same
way as the primary password, whereas a hardware token cannot. Advanced Access
Control integrates with RSA Security SecurID, Secure Computing SafeWord, and
RADIUS to support advanced authentication.
The advantages of advanced authentication include:
• It increases your overall confidence in the authentication process. Whether
it is an additional password or a one-time passcode generated from a
hardware token, requiring users to provide an additional piece of
information greatly mitigates authentication-related risks. For example, if a
user’s main password is compromised, an attacker must obtain the user’s
RADIUS password or hardware token to access the network.
• Token-based solutions provide an additional benefit in that users cannot
record their authentication information for later use. This ensures that users
servers for each Advanced Access Control server with this role enabled.
For more information about assigning the HTML Preview server role, see
“Modifying Server Roles” on page 219.
• Database redundancy. A SQL database server stores all of Advanced
Access Control’s data. Therefore, to ensure that this data is always
available to users, consider one or more of the following high availability
strategies:
• Clustering
• Log shipping
• Network load balancing to switch SQL servers
• Stretch clustering
For more information about the above high availability solutions, refer to
your SQL documentation.
Note: Not all Web applications support browser-only access. For more
information, see “Limitations of Browser-Only Access” on page 145.
Chapter 4
Citrix Licensing limits the number of concurrent user sessions to the number of
licenses purchased. If you purchase 100 licenses, you can have 100 concurrent
user sessions at any time. When a user ends a session, the license is released for
the next user. A user who connects from more than one computer at the same time
uses a license for each session.
The licensing process includes the following steps:
• “Installing Citrix Licensing” on page 33 (optional if you already have
Citrix Licensing)
• “Obtaining Licenses” on page 34
• “Specifying the License Server” on page 36
• “Adding Shortcuts to the License Management Console” on page 37
(optional)
Note: The Access Gateway Standard Edition uses a license server on the
gateway appliance and does not require a dedicated Citrix license server. You
must use a dedicated license server for the Advanced Edition. If you upgrade
from the Standard Edition and do not already have a Citrix license server, you
need to install one.
You can install and configure Citrix Licensing before, during, or after you install
Access Gateway Advanced Edition.
To install Citrix Licensing, follow the procedures in the Getting Started with
Citrix Licensing Guide, available from:
• The Citrix Knowledge Center (http://support.citrix.com/)
• The Documentation folder on the product CD
• Start > All Programs or Programs > Citrix > Access Gateway >
Documentation on a server running Access Gateway Advanced Edition
Because licensing is a crucial part of your product installation, Citrix strongly
recommends that you read the licensing guide before installing Citrix Licensing.
Obtaining Licenses
If you have not already done so, you must obtain license files to download and
copy to your license server. License files contain the licenses that you allocated
for a specified license server. You obtain these files from the Licensing area of the
MyCitrix Web site (http://www.mycitrix.com/).
Before downloading a license file, be prepared with the case-sensitive name of
the license server that will store the license file and the number of licenses you
want to allocate to that server.
Further details about the information to have ready and the steps for downloading
license files are provided in the Getting Started with Citrix Licensing Guide,
available on the product CD, from the Start menu of a server running the Access
Gateway Advanced Edition, or the Support area of the Citrix Web site
(http://support.citrix.com).
Note that each server occupies one of the Access Gateway Advanced Edition
concurrent user licenses. When tallying the number of licenses you need, include
one for each server.
Mixed Environments
For environments with a mixture of deployments (in other words, Access
Gateway Standard Edition deployments and Advanced Edition deployments),
you can allocate the desired number of licenses among the different deployments
when you generate your license files.
By default, the Citrix Activation System saves files to the last location used by
the Save As control. License files have the extension .lic. In the event you cannot
locate the downloaded license file, search your computer for files with a .lic
extension.
Note: If you have trouble downloading license files, contact Citrix Customer
Care.
Important: Do not edit license files without understanding their format. You
can unintentionally corrupt them and render the licensing system unusable.
1. From the console tree, select the server farm node and choose Define
license server under Other Tasks.
2. Configure the following settings:
A. Host name. Type the name of the license server.
B. License server port number. This is the port number the product
uses to communicate with the license server. Unless you must
perform configurations to accommodate a firewall or the default port
is already in use, Citrix recommends you leave the port at its default
setting.
Pre-Installation Tasks
Many of the features of Access Gateway Advanced Edition require that certain
components are installed or settings are configured before you install the
Advanced Access Control software.
The following table provides an overview of these prerequisites to help you plan
your installation. References to additional information about each component or
feature are included.
Post-Installation Tasks
The following table provides an overview of tasks you perform immediately after
installing the Advanced Access Control software. References to additional
information about each component or feature are included.
Server Requirements
Before proceeding with software installation, verify that the servers you are using
meet the hardware and software requirements for Advanced Access Control.
System Requirements
• PC with a 550 MHz processor
• 768 MB of physical memory
• 9 GB of available hard disk space
• Microsoft Windows 2000 Server Family with Service Pack 4, or Windows
Server 2003, Standard Edition, Web Edition, or Enterprise Edition with all
service packs and updates installed
• Internet Information Services (IIS) 5.0 or 6.0
• Microsoft Windows Installer 3.0 or 3.1
• Microsoft .NET Framework 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh or 2.8
Before installing Advanced Access Control, you must ensure the following Web
services extensions are set appropriately in the Internet Information Services (IIS)
Manager:
1. Click Start > Programs or All Programs > Administrative Tools >
Internet Information Services (IIS) Manager.
2. Expand the local computer node and then select Web Services Extensions.
3. Make the following selections as required:
• Select ASP.NET and click Allow.
• Select Active Server Pages and click Allow.
• Select FrontPage Server Extensions and click Prohibit.
• Select WebDAV and click Prohibit.
You may need to register ASP.NET if you installed the .NET Framework before
installing IIS. To register ASP.NET, open a command prompt, change to the .NET
Framework 2.0 directory (by default
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727), and type aspnet_regiis.exe -i.
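The following Python script is an added example, not part of the Citrix guide, that audits the IIS 6.0 Web service extension states required above. It assumes the W3SVC/WebSvcExtRestrictionList metabase property has been dumped with adsutil.vbs (cscript %SystemRoot%\system32\inetsrv\adsutil.vbs GET W3SVC/WebSvcExtRestrictionList), that each entry has the form Access,Path,UIDeletable,GroupID,Description with Access 1 = Allowed and 0 = Prohibited, and that the group IDs ASP, WEBDAV, FPSE and ASP.NET v2.0.50727 are the defaults IIS registers. The sample list embedded in the script is constructed, not captured from a server.

```python
"""Audit IIS 6.0 Web Service Extensions against the Advanced Access Control
pre-installation requirements (added example, not Citrix code).

Input is the W3SVC/WebSvcExtRestrictionList metabase property as printed by
adsutil.vbs: one quoted entry per line, each of the (assumed) form
    Access,Path[,UIDeletable,GroupID,Description]
where Access is 1 (Allowed) or 0 (Prohibited).
"""

# Required state from the pre-installation step. The group IDs are assumed
# to be the defaults IIS 6.0 registers for each extension.
REQUIRED = {
    "ASP.NET v2.0.50727": True,   # Allow
    "ASP": True,                  # Allow  (Active Server Pages)
    "FPSE": False,                # Prohibit (FrontPage Server Extensions)
    "WEBDAV": False,              # Prohibit
}

# Constructed sample imitating adsutil.vbs output for a misconfigured server:
# ASP.NET is prohibited and WebDAV is allowed.
SAMPLE = [
    '"0,*.dll"',
    '"0,*.exe"',
    '"1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages"',
    '"1,C:\\WINDOWS\\system32\\inetsrv\\httpext.dll,0,WEBDAV,WebDAV"',
    '"0,C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_isapi.dll,'
    '0,ASP.NET v2.0.50727,ASP.NET v2.0.50727"',
    '"0,C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions'
    '\\50\\isapi\\_vti_aut\\author.dll,0,FPSE,FrontPage Server Extensions 2002"',
]


def parse_restriction_list(lines):
    """Return {key: allowed} where key is the GroupID, or the path for the
    two-field wildcard entries ("0,*.dll") that carry no GroupID."""
    state = {}
    for raw in lines:
        entry = raw.strip().strip('"')
        fields = entry.split(",", 4)          # description is the last field
        if len(fields) < 2 or fields[0] not in ("0", "1"):
            continue                           # header or blank line, not an entry
        key = fields[3] if len(fields) >= 4 and fields[3] else fields[1]
        state[key] = fields[0] == "1"
    return state


def audit(lines, required=REQUIRED):
    """Return a list of findings; an empty list means the server is compliant."""
    state = parse_restriction_list(lines)
    findings = []
    for group, want in required.items():
        if group not in state:
            findings.append(f"{group}: not registered with IIS "
                            "(for ASP.NET, run aspnet_regiis.exe -i)")
        elif state[group] != want:
            findings.append(f"{group}: {'Allowed' if state[group] else 'Prohibited'}, "
                            f"must be {'Allowed' if want else 'Prohibited'}")
    # The wildcards are IIS's default deny for every unlisted ISAPI/CGI binary.
    for wildcard in ("*.dll", "*.exe"):
        if state.get(wildcard):
            findings.append(f"{wildcard}: wildcard Allowed; any unlisted binary would execute")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["compliant"]:
        print(finding)
```

The two wildcard entries matter as much as the named ones: they are the default deny for any ISAPI or CGI binary that is not listed by name, so the audit also flags a server on which either wildcard has been set to Allowed.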
Network Requirements
Before installing Advanced Access Control, ensure that your network
configuration meets the following requirements:
• The computers or resources that users will access are connected to the
Advanced Access Control servers you will deploy
• The Advanced Access Control server is:
• A member of the domain to which users who authenticate to the
server belong
—Or—
• A member of a domain that trusts and is trusted by the domain(s) of
the authenticating users
• In a multi-domain environment, trust relationships have been established so
that users in all domains can authenticate and access resources
• To provide access from the Internet, a Domain Name System (DNS) host
record must resolve to the public IP address of the Access Gateway appliance
Account Requirements
This section describes the server accounts required to install Advanced Access
Control.
Note: The database creation and access requirements in this section apply to
both SQL Server authentication and Windows authentication for database user
accounts.
• The service account must not be disabled and must not be subject to
password expiration or other credential changes. If the service account is
removed, the access server farm will not operate.
• The service account can be a local user account only if you are creating a
single-server access server farm and do not intend to scale the farm. You
cannot install Advanced Access Control on multiple servers with a local
user account selected for the service account. Citrix strongly recommends
using a domain account instead of a local user account when installing
Advanced Access Control.
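The following Python script is an added example, not from the Citrix guide, that checks the candidate service account before installation. It assumes the account has been exported from Active Directory in LDIF form (for instance with ldifde.exe) and decodes the standard userAccountControl bit values; the LDIF embedded in the script is constructed, not a real export, and the account names and domain are hypothetical. It flags the conditions the guide names (disabled, password expiry) and, going beyond the text, PASSWD_NOTREQD, which would let the farm's identity run with an empty password.

```python
"""Pre-installation check of the Advanced Access Control service account
(added example, not Citrix code).

Reads an LDIF export of the candidate account(s), as produced by
ldifde.exe, and decodes userAccountControl with the standard Active
Directory bit values below.
"""
import base64

ACCOUNTDISABLE     = 0x0002
PASSWD_NOTREQD     = 0x0020
NORMAL_ACCOUNT     = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
PASSWORD_EXPIRED   = 0x800000

# Constructed LDIF; the DNs and account names are hypothetical.
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD (acceptable)
# 546   = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE (rejected)
SAMPLE_LDIF = """\
dn: CN=svc_aac,OU=Service Accounts,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: svc_aac
userAccountControl: 66048

dn: CN=svc_bad,OU=Service Accounts,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: svc_bad
description:: QSBkaXNhYmxlZCBhY2NvdW50
userAccountControl: 546
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} per record.
    Handles folded continuation lines (leading space) and base64 values
    (written as 'attr:: value'), which is all an ldifde export needs."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return records


def check_service_account(record):
    """Return the problems found with one account record; [] means it is
    usable as the farm's service account."""
    uac = int(record.get("userAccountControl", ["0"])[0])
    name = record.get("sAMAccountName", ["?"])[0]
    problems = []
    if uac & ACCOUNTDISABLE:
        problems.append(f"{name}: account is disabled; the farm will not operate")
    if not uac & DONT_EXPIRE_PASSWD:
        problems.append(f"{name}: password can expire; the farm breaks at the next forced change")
    if uac & PASSWORD_EXPIRED:
        problems.append(f"{name}: password has already expired")
    if uac & PASSWD_NOTREQD:
        problems.append(f"{name}: PASSWD_NOTREQD set; an empty password is permitted")
    if not uac & NORMAL_ACCOUNT:
        problems.append(f"{name}: not a normal user account")
    return problems


def check_ldif(text):
    """Check every record in an LDIF export; returns {sAMAccountName: problems}."""
    return {r.get("sAMAccountName", ["?"])[0]: check_service_account(r)
            for r in parse_ldif(text)}


if __name__ == "__main__":
    for account, problems in check_ldif(SAMPLE_LDIF).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

Because the export comes from Active Directory, any record it contains is by construction a domain account, which is the type the guide recommends; a local account would not appear in the export at all.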
Database Requirements
Access Gateway Advanced Edition supports the following database packages:
• Microsoft SQL Server 2005
• Microsoft SQL Server 2000 with Service Pack 4
• Microsoft SQL Server Express 2005
Note: If you install Microsoft SQL Server and you create a database before you
install Advanced Access Control, be sure to specify case-insensitive collation
when you create the database. This ensures the names you assign to resources
remain unique and prevents resources with duplicate names from being created.
Feature Requirements
You can use Advanced Access Control to allow users to view, upload, or
download Web-based resources using any client device that has a Web browser.
However, some features such as Live Edit use additional client software. Other
features require additional server software. This section provides information to
help you plan access to features depending on a feature’s client or server
requirements.
D. Add the User account you created and allow the Local Access
permission.
8. On the Identity tab, select This user and enter the credentials of the User
account you created.
9. Restart the server.
Repeat these steps for each Office application you want to configure. After you
restart the server, start the Task Manager and then start each application to verify
it is running under the new User account.
Note: After installing any Microsoft Office applications, run the application for
the first time before using Live Edit. This ensures that any post-installation tasks
are completed and allows the Live Edit Client to display documents for editing
without delay.
For information about requirements for running the Live Edit Client, see “Client
Requirements” on page 58. For more information about using Live Edit to
provide access to documents, see “Allowing Live Edit” on page 140.
• Ensure the WebDAV Web service extension is set to “Prohibit” if you use
Outlook Web Access for your Web-based email interface. If this extension
is set to “Allowed,” users’ inboxes may not display correctly.
For information about configuring Web email, see “Providing Users with Secure
Web-Based Email” on page 184.
1. On the server running Microsoft Exchange 2003, copy the following files:
• mapi32.dll
• mapisvc.inf
2. On the Advanced Access Control server, paste the files into the
%SystemRoot%\system32 directory.
For information about requirements for running the Endpoint Analysis Client, see
“Client Requirements” on page 58. For more information about configuring
endpoint analysis scans, see “Creating Endpoint Analysis Scans” on page 166.
LDAP Requirements
To use LDAP with Access Gateway Advanced Edition, you must have an LDAP-
compliant directory service in your environment such as Microsoft Active
Directory, Novell eDirectory, or IBM Directory Server.
RADIUS Requirements
To use RADIUS with Access Gateway Advanced Edition, you must install the
Microsoft Visual J# .NET Version 2.0 executable file (vjredist.exe) on the server
running Advanced Access Control before you install the Advanced Access
Control software. This executable file is located in the JSharp20 folder on the
Advanced Access Control Server CD-ROM.
For more information about using RADIUS with logon points, see “Creating
RADIUS Authentication Profiles” on page 102.
SecurID Requirements
To use SecurID authentication with Access Gateway Advanced Edition, install
the RSA ACE/Agent for Windows software before installing the Advanced
Access Control software. If you install Advanced Access Control before you
install the ACE/Agent, SecurID authentication does not function correctly.
For information about requirements for installing RSA SecurID, refer to the RSA
product documentation.
SafeWord Requirements
To use SafeWord authentication with Access Gateway Advanced Edition:
• Obtain the latest version of the SafeWord Agent from Secure Computing
• Install the SafeWord Agent software on the server before installing the
Advanced Access Control software
For information about requirements for installing SafeWord PremierAccess and
SafeWord for Citrix, refer to the Secure Computing documentation for these
products.
Note: Advanced Access Control supports application policies that are applied
using Citrix Presentation Server Version 4.0 and above. While Advanced Access
Control can communicate with older versions of Citrix Presentation Server, it
does not allow application-specific policies to be applied.
You can configure the logon point to use either the Web Client or the Client for
Java on demand when users access published resources.
Advanced Access Control supports using the following Citrix Presentation Server
Clients:
For more information about requirements for running the Client for Java, see the
Client for Java Administrator’s Guide. For more information about configuring
Advanced Access Control to access published resources, see “Allowing File Type
Association” on page 138.
SmartAccess Requirements
The SmartAccess feature enables organizations to better control how published
applications are accessed and used.
You can use SmartAccess with Advanced Access Control to control which
resources users can access, based on their access scenario, and what they can do
within those resources after they get access. SmartAccess integrates with Web
Interface for Citrix Presentation Server to give organizations granular control
over published applications. To use SmartAccess, you must have the following
components in your environment:
• Citrix Access Gateway Advanced Edition
• Citrix Presentation Server 4.0
Note: SmartAccess is not supported with Citrix Presentation Server for UNIX.
If you are using Web Interface to access published applications, you must also
have the following software:
• Access Suite Console 4.0 for Citrix Presentation Server with the Web
Interface Extension 4.2 patch applied
• Web Interface for Citrix Presentation Server 4.0 or 4.5
You must also ensure that address translation and firewall settings are identical
for the Web Interface and Advanced Access Control. For more information about
configuring SmartAccess, see the Web Interface Administrator’s Guide.
SmoothRoaming Requirements
The SmoothRoaming features of Citrix Presentation Server provide users with
uninterrupted access to information. These features include Workspace Control,
Session Reliability, and Dynamic Session Reconfiguration.
Chapter 5 Installing Advanced Access Control 57
Note: Workspace Control is not supported with Citrix Presentation Server for
UNIX.
You can use SmoothRoaming features with Advanced Access Control to enable
users to move between client devices and gain access to all of their applications
when they log on. To use SmoothRoaming, you must have the Advanced or
Enterprise edition of Citrix Presentation Server 3.0 or 4.0 installed on a server in
your environment. SmoothRoaming is not available in the Citrix Presentation
Server Standard Edition.
Additionally, custom menu items that require ActiveX to function are not
available to users when SharePoint is accessed through the Web proxy.
Client Requirements
This section describes the client requirements for the platforms that Advanced
Access Control supports.
Note: If you are using Apple Macintosh OS X, apply all updates, service packs,
and patches to ensure Web-based features function properly.
The following table describes localization support based on the platform and Web
browser:
To use the Live Edit Client, the following software is required on users’
workstations:
• Microsoft Windows 2000 or XP with all service packs and critical updates
• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission
to load signed ActiveX controls
Console Requirements
The Access Management Console is the configuration and administration tool for
Advanced Access Control. You can install the console on an Advanced Access
Control server or on a standalone workstation.
The Console requires at least:
• Windows Server 2003, Standard Edition, Enterprise Edition, or Datacenter
Edition with Service Pack 1; Microsoft Windows Server 2003, 64-bit
Edition; Windows XP Professional with Service Pack 2; or Windows 2000
Professional with Service Pack 4
• 25 MB of hard drive space
• .NET Framework Version 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh
Important: If you install the console on the Advanced Access Control server,
you must install the .NET Framework and MDAC 2.7 Refresh (mdac_typ.exe)
before you install Advanced Access Control. The .NET Framework and MDAC
2.7 Refresh executable files are located on the Advanced Access Control Server
CD-ROM.
Installation Overview
This overview includes the basic steps for installing Advanced Access Control.
Citrix supports deploying Advanced Access Control on a single server or on
multiple servers.
For important information to consider before installing Citrix products, review
the readme files and administrator guides for components you plan to install. The
readme files and administrator guides are available in the Documentation folder
of the Advanced Access Control Server CD-ROM.
To get started with Advanced Access Control, complete the following steps:
1. Before you begin installation, use Windows Update to ensure all Advanced
Access Control servers are patched with critical updates.
2. Ensure your servers meet all requirements for components and features you
plan to use.
3. Install and configure Citrix Licensing. See the Readme for Citrix Licensing
and the Getting Started with Citrix Licensing Guide, available in the
Documentation folder of the Advanced Access Control Server CD-ROM.
1. Insert the Advanced Access Control Server CD-ROM in the CD drive. The
startup screen appears if autorun is enabled. If autorun is not enabled,
navigate to the CD root directory and double-click AutoRun.exe.
2. On the startup screen, click Access Gateway Advanced Edition.
3. Read and accept the Citrix license agreement.
Note: If you remove the Citrix Access Gateway Console component before
removing the Citrix Access Gateway Server component, the Server component
cannot be removed successfully.
The Citrix License Server Administration and Citrix Access Management
Console - Diagnostics components can be removed at any time in the
uninstallation. However, the Citrix Access Management Console - Framework
component must be removed last.
After you install Advanced Access Control, you configure each of your servers in
the access server farm. The following topics discuss server configuration:
• “Supported Configurations” on page 68
• “Configuring Your Server” on page 76
• “Steps to Configuring A Server” on page 77
• “Enabling Advanced Access Control” on page 80
• “Using the Access Management Console” on page 82
• “Configuring Your Farm with the Getting Started Panel” on page 84
• “Linking to Citrix Presentation Server” on page 85
• “Configuring Logon Points” on page 89
• “Logging on through the Logon Point” on page 92
• “Updating Logon Page Information” on page 93
• “Changing Expired Passwords” on page 93
• “Setting the Default Logon Point” on page 93
• “Removing Logon Points” on page 94
• “Configuring the Access Gateway” on page 95
• “Configuring Split Tunneling” on page 95
• “Forwarding System Messages” on page 96
• “Configuring Client Properties” on page 97
• “Configuring Server Properties” on page 98
• “Configuring ICA Access Control” on page 99
Supported Configurations
You can deploy Access Gateway Advanced Edition in a variety of ways to meet
the needs of your organization. Supported configurations include:
• One or more Access Gateway appliances deployed in the DMZ and the
Advanced Access Control server deployed in the internal network
• One or more Access Gateway appliances deployed behind a load balancer
in the DMZ and the Advanced Access Control server deployed in the
internal network
• A double-hop DMZ scenario where one or more Access Gateway
appliances are deployed in the first DMZ, one or more Access Gateway
appliances are deployed in the second DMZ, and the Advanced Access
Control server is deployed in the internal network
Note: The term Access Gateway Proxy refers to the Access Gateway appliance
deployed in the second DMZ.
In this example, each Access Gateway in the first DMZ communicates with a
subset of the Access Gateway Proxy appliances in the second DMZ. This ensures
the Proxy appliances are able to respond to the appropriate Access Gateway in the
first DMZ. Otherwise, notifications from the Advanced Access Control server
would be lost and users could not log on and use corporate resources.
1. From the Administration Tool, click the Access Gateway Cluster tab and
then expand the window for the Access Gateway in the first DMZ.
Chapter 6 Configuring Advanced Access Control 73
To add entries to the Hosts file on the Advanced Access Control server
Note: You can configure the Access Gateway Proxy to communicate with only
one Access Gateway in the first DMZ. For more information about
communication between the Access Gateway and Access Gateway Proxy, see
“Understanding the Relationship between the Access Gateway and the Access
Gateway Proxy” on page 70.
If you have multiple appliances installed in the second DMZ, perform this
procedure on each appliance.
1. From the Administration Tool, select the Access Gateway Cluster tab and
then expand the window for the appliance in the second DMZ.
2. On the General Networking tab, in DMZ Configuration, select Second
hop in double DMZ.
3. In Protocol, select either SOCKS over SSL or SOCKS.
4. In Port, the default port is either 443 (for secure connections) or 1080 (for
unsecured connections).
5. Select the Advanced Access Control check box.
6. In FQDN of the first appliance in the DMZ, type the FQDN or IP address
of the Access Gateway in the first DMZ. If you are using the SOCKS over
SSL protocol, you must type the FQDN address. If you are using the
SOCKS protocol, you can type either the FQDN or IP address.
7. Click Submit and restart the Access Gateway Proxy.
After you configure the Access Gateway Proxy, you can configure the Access
Gateway in the first DMZ.
Note: If you have multiple Access Gateway appliances installed in the first
DMZ, you will need to configure each of these appliances to communicate with a
subset of Access Gateway Proxy appliances. For more information, see
“Understanding the Relationship between the Access Gateway and the Access
Gateway Proxy” on page 70.
1. From the Administration Tool, click the Access Gateway Cluster tab and
then expand the window for the Access Gateway in the first DMZ.
2. On the General Networking tab, in DMZ Configuration, select First hop
in double DMZ.
3. Select the Configure for Advanced Access Control check box. Click
Add.
4. In the Add appliance from second hop window, complete the following:
• FQDN or IP address. Enter the FQDN or IP address of the Access
Gateway Proxy installed in the second DMZ. If you are using the
SOCKS over SSL protocol, you must enter the FQDN address. If you
are using the SOCKS protocol, you can enter either the FQDN or IP
address.
• Port. The default port for a SOCKS over SSL connection is 443. The
default port for a SOCKS connection is 1080. You can change the
default ports as necessary.
• Protocol. Select SOCKS over SSL if you want to secure the SOCKS
connection to the Access Gateway Proxy in the second DMZ with
SSL. Select SOCKS if you want this connection to be unsecured.
• Second hop appliance MAC address. Enter the MAC address of the
network card associated with Interface 0 on the Access Gateway
Proxy installed in the second DMZ.
5. Click Validate to verify that the Access Gateway in the first DMZ can
connect to the Access Gateway Proxy in the second DMZ using the
specified address, protocol, and port.
6. Repeat Steps 3 through 5 to add more appliances to the Appliances in
second hop list.
Note: The Access Gateway in the first DMZ uses the Appliances in
second hop list to load balance connections to the appliances installed in the
second DMZ.
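The entries added in step 4 follow a few rules that are easy to get wrong by hand: SOCKS over SSL must be given the proxy's FQDN rather than an IP address, each protocol has its own default port, and the second-hop MAC address must be well formed. The following Python script is an added example, not part of this guide or of the Citrix product; it checks an entry against those rules and, optionally, performs a reachability probe in the spirit of the Validate button. The probe's behaviour (a TCP connect, plus a TLS handshake with hostname verification for SOCKS over SSL) is an assumption about what Validate does, and the host names and MAC addresses are constructed sample values.

```python
import re
import socket
import ssl

# Default ports the guide gives for each protocol option.
DEFAULT_PORTS = {"SOCKS over SSL": 443, "SOCKS": 1080}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_ipv4(address):
    """True if the string is a dotted-quad IPv4 literal with in-range octets."""
    return bool(_IPV4_RE.match(address)) and all(
        0 <= int(o) <= 255 for o in address.split("."))


def validate_second_hop_entry(entry):
    """Return a list of problems with one 'Add appliance from second hop' entry.

    entry is a dict with keys: address, protocol, port (optional), mac.
    An empty list means the entry is consistent with the guide's rules.
    """
    problems = []
    protocol = entry.get("protocol")
    if protocol not in DEFAULT_PORTS:
        problems.append("protocol must be 'SOCKS over SSL' or 'SOCKS'")
    address = entry.get("address", "")
    if not address:
        problems.append("FQDN or IP address is required")
    elif protocol == "SOCKS over SSL" and is_ipv4(address):
        # SOCKS over SSL must be configured with the FQDN, not an IP literal.
        problems.append("SOCKS over SSL requires the FQDN of the proxy, not an IP address")
    port = entry.get("port", DEFAULT_PORTS.get(protocol))
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    if not _MAC_RE.match(entry.get("mac", "")):
        problems.append("second hop appliance MAC address must look like aa:bb:cc:dd:ee:ff")
    return problems


def effective_port(entry):
    """Port that will be used: the explicit value, else the protocol's default."""
    return entry.get("port") or DEFAULT_PORTS[entry["protocol"]]


def probe_second_hop(entry, timeout=5.0):
    """Network check in the spirit of the console's Validate button.

    Assumption (not from the guide): a TCP connect, plus a TLS handshake with
    hostname verification when the protocol is SOCKS over SSL. Returns
    (ok, detail). Requires network access, so it is not exercised offline.
    """
    host, port = entry["address"], effective_port(entry)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if entry["protocol"] == "SOCKS over SSL":
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return True, "TLS handshake ok: %s" % tls.version()
            return True, "TCP connect ok"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


# Constructed sample entries (hostnames and MAC addresses are placeholders).
SAMPLE_OK = {"address": "agproxy1.example.com", "protocol": "SOCKS over SSL",
             "mac": "00:11:22:33:44:55"}
SAMPLE_BAD = {"address": "10.0.1.5", "protocol": "SOCKS over SSL",
              "mac": "0011.2233.4455"}
```

Running `validate_second_hop_entry(SAMPLE_BAD)` reports two problems (an IP literal with SOCKS over SSL and a malformed MAC address), while `SAMPLE_OK` passes and resolves to port 443 through `effective_port`.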
• Log on as a service
Important: The Server Configuration utility cannot create a SQL user account
for access to the farm database. You must create an account in SQL Enterprise
Manager before you change the user account for database access. The database
user account must have System Administrator privileges.
The Server Configuration utility does not add the service account to network
shares.
The Server Configuration utility does not remove previous service accounts from
the local security policy or network shares. If this is a security concern, remove
the old accounts after updating the account information with the utility.
The Server Configuration utility performs the following operations:
• Verifies all account information
• Updates services
• Stops Advanced Access Control services
• Starts Advanced Access Control services
• Updates internal service account information
• Updates internal database account information
• Synchronizes the access server farm
Click Start > Programs > Citrix > Access Gateway > Server Configuration.
Selecting a Database
When you create an access server farm, the Server Configuration utility prompts
you to specify whether to use an existing SQL Server database or to install a local
database engine. The database server stores the configuration data for the access
server farm.
• Microsoft SQL Server
Choose this option to use a supported version of Microsoft SQL Server as
the database server for the access server farm. SQL Server can run on the
same server running Advanced Access Control or on a separate database
server.
Important: If you want to select a SQL Server database, be sure the SQL
Service is running on the server you want to specify. If the SQL Service is
not running, the Server Configuration utility cannot detect the server.
Note: Use the Microsoft SQL Server Express option for a pilot
deployment of Advanced Access Control. Citrix recommends the use of
Microsoft SQL Server for large-scale deployments.
• Access server farm name. Type the name of the access server farm you
want to create or join.
• Use the Service Account to access the configuration database. Choose
this option to use the Advanced Access Control service account credentials
to access the SQL database.
• Use SQL Authentication to access the configuration database. Choose
this option to use the SQL database account credentials to access the SQL
database. If you choose this option, you must also enter the database user
name and password.
Important: You must have the required digital certificates installed on the
server before configuring Advanced Access Control. This check box is not
enabled unless SSL is enabled on the server.
After you perform these tasks and reboot the appliance, you use the
Administration Tool to manage appliance-specific settings only. For more
information about using the Administration Tool, see the Access Gateway
Standard Edition Administrator’s Guide.
• The details pane on the right displays information about your deployment
items and associated tasks.
The following nodes are available under the top-level node in the console tree:
• Alerts. Lists the alerts created by all the items in your deployment. Double-click an alert to drill down to the affected item.
• Search Results. Displays the results of any search that you performed.
Click Search in the task pane to perform a standard or advanced search.
• My Views. Allows you to customize the information that you display in the
details pane.
In addition, nodes are created by some Access Management Console snap-ins
when they are installed. Depending on your Access Management Console
installation, the following snap-ins are available:
• Licensing. Launches the License Management Console that allows you to
manage licenses for your Citrix products. For more information about the
License Management Console, see the Getting Started with Citrix
Licensing Guide.
• Diagnostic Facility. Creates and packages trace logs and other system
information to assist Citrix Technical Support in diagnosing problems.
Click Start > Programs > Citrix > Management Consoles > Access
Management Console.
By default, the Getting Started panel appears when you click the Advanced
Access Control node. To prevent the Getting Started panel from appearing
automatically, clear the Always show this page check box located near the
bottom of the panel.
1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select the Presentation Server Farm page and click New.
3. In the Citrix Presentation Server farm name box, type the name or IP
address of the farm to which you want to link your access server farm.
4. If you want to secure the link between Advanced Access Control and Citrix
Presentation Server, select the Secure communication with the farm by
applying a secure protocol check box.
Note: To apply a secure protocol, you must have the appropriate client
and server certificates installed on the Advanced Access Control servers
and Access Gateway appliances.
Important: Do not prioritize the data collector or master ICA browser server as
the first server on the list.
You can use the list to sequence failover in case connectivity to a server becomes
unavailable. Use failover support to ensure continued access to published
resources.
The server list can sequence load balancing or failover support, but not both. By
default, the server list is used for failover.
1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
The Presentation Server Farm Properties appear.
3. On the Servers page, use Up and Down to change the sequence of servers.
4. Select Load balance requests to servers or Set failover sequence of
unavailable servers.
5. To change the bypass interval, change the value displayed in minutes. The
default is five minutes.
1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
3. On the Address Mode page, click New.
4. In the Client IP Address box, type the incoming client IP address or range
of IP addresses for client requests in dot address format (for example,
255.255.255.255). For Access Gateway, the incoming address is the
address of the Access Gateway appliance.
5. Select the Server Address Mode from the list:
• Normal. The IP address sent to the client is the actual address of the
server. This is the default setting.
• Alternate Address. The IP address sent to the client is the alternate
address of the server. Alternate addresses are configured on the server
running Citrix Presentation Server. To use this option, you must have
a firewall with NAT enabled and alternate IP addresses assigned to
the servers. For more information about setting alternate addresses,
see the Citrix Presentation Server Administrator’s Guide.
• Translated Address. The IP address sent to the client is based on the
configured address translation mappings. For more information, see
“Configuring Address Translation” on page 88.
• Access Gateway. The IP address sent to the client is the actual
address of the Access Gateway appliance. To use this option, you
must also define the Access Gateway settings. For more information,
see “Configuring the Access Gateway Address Mode” on page 88.
You can assign addressing modes for specific IP addresses or a range of IP
addresses. You can use asterisks as wildcards (such as 10.12.128.*) to indicate a
range of IP addresses.
Note: To use this option, you must have a firewall with Network Address
Translation (NAT) enabled.
1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
The Presentation Server Farm Properties appear.
3. On the Address Mode page, click Address Translation.
4. Click New.
5. Enter the internal IP address and port of the server running Citrix
Presentation Server.
6. In the Translated address box, enter the external IP address and port that
clients must use to connect to the server.
7. On the Address Mode page, click New to open the New Client Address
Mode dialog box. Add the client IP address or range of addresses for the
clients that use the translated address you just configured. Select
Translated Address from the Server Address Mode list.
The Address Translation settings apply only to the specified client IP addresses
on the Address Mode page.
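To make the interaction between the Address Mode entries and the Address Translation mappings concrete, here is an added Python example (not code from this guide or from the Citrix product). It resolves the address a client is told to connect to: the first Client IP Address entry matching the client wins, and only clients assigned the Translated Address mode consult the translation table. Exact addresses and wildcard patterns such as 10.12.128.* are the forms the guide describes; CIDR patterns are an extension of the example. All addresses, ports and farm settings below are constructed sample data.

```python
import ipaddress

# Address modes named on the Address Mode page.
NORMAL, ALTERNATE, TRANSLATED, ACCESS_GATEWAY = (
    "Normal", "Alternate Address", "Translated Address", "Access Gateway")


def client_matches(pattern, client_ip):
    """Match a client IP against one Client IP Address entry.

    Supports an exact address, a wildcard pattern such as 10.12.128.*, and
    (an extension, not in the guide) CIDR notation such as 10.12.0.0/16.
    """
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    parts, octets = pattern.split("."), client_ip.split(".")
    if len(parts) != 4 or len(octets) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(parts, octets))


def resolve_server_address(client_ip, server, farm):
    """Return the (ip, port) the client is told to connect to.

    farm is a dict with:
      address_modes: ordered list of (client_pattern, mode); first match wins,
                     no match means Normal
      translations:  {(internal_ip, port): (external_ip, port)}
      gateway:       (ip, port) of the Access Gateway appliance
    server is a dict with 'actual' and optionally 'alternate' (ip, port) tuples.
    """
    mode = NORMAL
    for pattern, configured_mode in farm["address_modes"]:
        if client_matches(pattern, client_ip):
            mode = configured_mode
            break
    if mode == NORMAL:
        return server["actual"]
    if mode == ALTERNATE:
        if "alternate" not in server:
            raise ValueError("no alternate address configured on the server")
        return server["alternate"]
    if mode == TRANSLATED:
        # Translation settings apply only to client addresses that were given
        # the Translated Address mode, so the lookup happens here.
        try:
            return farm["translations"][server["actual"]]
        except KeyError:
            raise ValueError("no translation mapping for %s:%d" % server["actual"]) from None
    if mode == ACCESS_GATEWAY:
        return farm["gateway"]
    raise ValueError("unknown address mode %r" % mode)


# Constructed sample farm: documentation address ranges, not a real deployment.
SAMPLE_FARM = {
    "address_modes": [
        ("203.0.113.10", ACCESS_GATEWAY),   # requests arriving via the appliance
        ("10.12.128.*", NORMAL),            # internal clients on the server subnet
        ("198.51.100.*", TRANSLATED),       # clients outside the NAT boundary
        ("192.0.2.0/24", ALTERNATE),        # CIDR form (extension of the example)
    ],
    "translations": {("10.12.128.20", 1494): ("198.51.100.5", 2598)},
    "gateway": ("203.0.113.10", 443),
}
SAMPLE_SERVER = {"actual": ("10.12.128.20", 1494), "alternate": ("192.0.2.20", 1494)}
```

With this configuration a request from 198.51.100.77 is answered with 198.51.100.5:2598, a request from the appliance address with the gateway address, and a request from an address matched by no entry with the server's actual address.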
1. Select the access server farm and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
8. On the Clients page, select the clients you want to deploy to users during
logon.
9. On the Sessions Settings page, set the options for the method of prompting
users for their domain and the number of days to warn users about
password expiration.
10. On the Session Timeouts page, set the interval, in minutes, for the
following time-out settings:
• Maximum time for VPN client sessions. The length of time a
session using the Secure Access Client is allowed to remain active.
The default value of zero means the session remains active
indefinitely.
• Maximum time for traffic inactivity before session ends. The
length of time a browser-only session or a session using the Secure
Access Client is allowed to remain active without any traffic activity
detected. The default value is 20 minutes. You may want to increase
this value if users experience excessive time-outs with features such
as Live Edit that do not communicate with the Advanced Access
Control server to keep sessions active. If you enter zero for this
setting, the session will remain active regardless of inactivity.
• Maximum time for mouse and keyboard inactivity before VPN
session ends. The length of time a session using the Secure Access
Client is allowed to remain active without any mouse or keyboard
input detected. If you enter zero for this setting, the session will
remain active regardless of inactivity.
11. On the Visibility page, select whether to show the logon page to users
logging on through the Access Gateway or to set conditions for showing the
logon page to users logging on to Advanced Access Control directly. The
default logon point is always visible to users logging on through the Access
Gateway. For more information about using conditions for showing the
logon page, see “Setting Conditions for Showing the Logon Page” on page
141.
1. Click Start > Programs or All Programs > Citrix > Access Gateway >
Server Configuration.
2. From the Configured Logon Points page, select the logon point you want
to deploy.
3. Click Deploy.
Important: The sample logon point is designed for testing purposes only.
Default policies created for the sample logon point allow all authenticated users
to see the logon page and to log on. After testing your system, replace the sample
logon point or edit these policies to comply with your network security
guidelines. For more information, see “Controlling Access Through Policies” on
page 131.
Users can also access the default logon point by typing the following URL:
https://appliancename/
where appliancename is the FQDN or IP address of the Access Gateway
appliance. For more information about default logon points, see “Setting the
Default Logon Point” on page 93.
For more information about distributing logon points to users, see “Rolling Out
Advanced Access Control to Users” on page 195.
1. From the console tree, expand Logon Points and select the logon point you
want to update.
2. In Common Tasks, click Refresh logon page information.
If the Access Gateway is unavailable when you perform this task, the console
displays an error message indicating the gateway appliance is out of date. If the
Access Gateway becomes available when you rerun the task, the console displays
a message indicating the update was successful.
When you set a logon point as the default, the logon point becomes visible
automatically to users logging on through the Access Gateway. If, at a later time,
you set a different logon point as the default, the logon point remains visible to
these users. If you want the logon point to be visible only to users logging on to
Advanced Access Control within the corporate network, you must change the
visibility settings in the logon point properties. For more information about
configuring logon points, see “Configuring Logon Points” on page 89.
1. In the console tree, expand Logon Points and select the logon point you
want to designate as the default.
2. Under Common Tasks, click Set as default logon point.
1. In the console tree, expand Logon Points and then select the logon point
you want to delete.
2. Under Common Tasks in the task pane, click Delete logon point.
1. Click Start > Programs or All Programs > Citrix > Access Gateway >
Server Configuration.
2. On the Configured Logon Points page, select the logon point you want to
remove.
3. Click Remove.
4. If you enable split tunneling, click New to configure the list of accessible
networks.
5. In the New Accessible Network box, select the addressing method you
want to use.
6. Enter the destination IP address and, depending on the selected addressing
method, the corresponding subnet mask or network prefix length.
3. On the Syslog and SNMP page under Syslog Settings, type the IP address
or the FQDN of the syslog server you want to capture system messages sent
by the Access Gateway.
4. In Syslog facility, select the facility you want to use for captured messages.
Select User Level for generic user processes. Select Local Use 0 - 7 if you
defined one of these facilities for Access Gateway processes. For example,
a syslog server may have Local Use 0 defined for anonymous FTP
processes while Local Use 1 is reserved for Access Gateway processes.
5. In Statistics broadcast interval, type the frequency in minutes at which
you want the Access Gateway to send system messages. If the broadcast
interval is set to zero, broadcasting is continuous.
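The facility chosen in step 4 is what lets the syslog server tell Access Gateway messages apart from everything else sharing the collector. The following Python parser is an added example, not part of this guide or of any Citrix tool: it decodes the `<PRI>` prefix of RFC 3164 messages into facility and severity, using the standard numeric codes (User Level is facility 1, Local Use 0 through 7 are 16 through 23), and picks out messages on the facility reserved for the gateway at or above a chosen severity. The sample log lines are constructed for the example, following the guide's scenario of Local Use 0 for anonymous FTP and Local Use 1 for the Access Gateway.

```python
import re
from collections import Counter

# Numeric syslog facility codes (RFC 3164 section 4.1.1) for the options
# offered on the Syslog and SNMP page.
FACILITIES = {"User Level": 1}
FACILITIES.update({"Local Use %d" % i: 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
# Severity codes 0..7, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_LINE_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_code): PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def parse_syslog_line(line):
    """Parse '<PRI>message' into a dict; returns None if no PRI prefix is present."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "other"),
        "severity": SEVERITIES[severity],
        "message": m.group(2).strip(),
    }


def count_by_facility(lines):
    """How many parsable messages arrived on each facility name."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec:
            counts[rec["facility_name"]] += 1
    return dict(counts)


def select_gateway_messages(lines, facility_option="Local Use 1", min_severity="warning"):
    """Keep messages on the facility reserved for the Access Gateway whose
    severity is at least min_severity (a lower code is more severe)."""
    want = FACILITIES[facility_option]
    threshold = SEVERITIES.index(min_severity)
    picked = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and rec["facility"] == want and SEVERITIES.index(rec["severity"]) <= threshold:
            picked.append(rec)
    return picked


# Constructed sample lines: local0 (16) carries FTP, local1 (17) the gateway.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 ftp01 vsftpd: anonymous login from 198.51.100.7",      # local0.info
    "<142>Jan 10 12:00:02 ag01 AccessGateway: statistics broadcast",             # local1.info
    "<140>Jan 10 12:00:05 ag01 AccessGateway: session for user demo timed out",  # local1.warning
    "<139>Jan 10 12:00:09 ag01 AccessGateway: authentication failed for demo",   # local1.err
    "<14>Jan 10 12:00:10 host1 cron: job finished",                              # user.info
]
```

Over the sample, `select_gateway_messages(SAMPLE_LINES)` returns only the warning and the error from the gateway; the informational statistics broadcast and the FTP and cron lines are left out even though some of them arrive at similar severities.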
3. On the Client Properties page, select any of the following check boxes:
• Require SSL client certificate for users connecting via the
gateway appliances. If you want additional authentication, select
this option to require certificates for Windows client computers. If a
client certificate is required, it must be provided by the network
administrator. The certificate is installed separately into the certificate
store using the Microsoft Management Console. When this
requirement is enforced, every computer that logs on through the
Access Gateway must have an SSL client certificate that is in P12
format.
• Enable internal failover. Select this option to enable the Secure
Access Client to connect to the Access Gateway from inside the
firewall if the Access Gateway IP address cannot be reached. When
internal failover is configured, the client will failover to the internal
IP address of the Access Gateway if the external IP address cannot be
reached. The Secure Access Client must connect at least once to
retrieve the failover list. This list is then cached in the registry.
Important: ACLs you specify are not applied when published applications are
configured as network resources.
1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select Authentication Profiles and then click New under RADIUS
profiles. Type a name and description to define the profile.
3. Click New to enter the RADIUS server and corresponding ports.
4. If you have multiple RADIUS servers, select to use the server list for one of
the following:
• Load balancing of requests to the servers. Requests follow the
sequence of the server list so that the initial request goes to the first
server in the list, the next request goes to the second server, and so on.
• Failover sequence of communication if servers become
unavailable. In the event connectivity to a server becomes
unavailable, connectivity with another server in the list ensures
RADIUS authentication services remain available to users.
5. Use the arrows to change a server’s position in the list.
6. Change the value in the Bypass failed servers for this time interval field
if you want to specify the amount of time an unavailable server should be
bypassed. The default value is 300 seconds.
7. If you want to audit RADIUS events, select Enable RADIUS auditing.
8. If you want to change the period in which the user authentication process
times out for lack of a server response, change the value in the Cancel
authentication after this time field. By default, authentication times out
after 30 seconds elapse.
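Both the Presentation Server farm server list (load balancing or failover, with a bypass interval that defaults to five minutes) and the RADIUS server list above (the same two modes, with a default bypass of 300 seconds) follow one selection rule. The Python class below is an added example of that rule, not code from this guide or from the Citrix product: in failover mode every request goes to the first server that is not bypassed; in load-balancing mode requests walk the list in sequence, skipping servers that are bypassed; a server reported as failed is bypassed for the configured interval and then tried again. The clock is injected so the behaviour can be checked deterministically; that, and the server names, are constructed for the example.

```python
import itertools
import time

LOAD_BALANCE = "load balance"
FAILOVER = "failover"


class ServerList:
    """Ordered server list with either round-robin load balancing or failover.

    Servers reported as failed are bypassed for bypass_seconds, then tried
    again. now() returns seconds from a monotonic clock (assumption made so
    the example is deterministic; defaults to time.monotonic).
    """

    def __init__(self, servers, mode=FAILOVER, bypass_seconds=300, now=None):
        if not servers:
            raise ValueError("server list is empty")
        if mode not in (LOAD_BALANCE, FAILOVER):
            raise ValueError("mode must be load balance or failover, not both")
        self.servers = list(servers)
        self.mode = mode
        self.bypass_seconds = bypass_seconds
        self.now = now or time.monotonic
        self._bypass_until = {}   # server -> time at which it is eligible again
        self._rr = itertools.cycle(range(len(self.servers)))

    def mark_failed(self, server):
        """Record that server did not respond; bypass it for the interval."""
        self._bypass_until[server] = self.now() + self.bypass_seconds

    def available(self):
        """Servers not currently bypassed, in configured order."""
        t = self.now()
        return [s for s in self.servers if self._bypass_until.get(s, 0) <= t]

    def next_server(self):
        """Server to send the next request to, or None if all are bypassed."""
        avail = self.available()
        if not avail:
            return None
        if self.mode == FAILOVER:
            # Always the first server in the list that is not bypassed.
            return avail[0]
        # Load balancing: walk the full list in sequence, skipping bypassed
        # servers so that each request goes to the next usable one.
        for _ in range(len(self.servers)):
            candidate = self.servers[next(self._rr)]
            if candidate in avail:
                return candidate
        return None
```

In practice `mark_failed` is called when a request times out (for RADIUS, after the Cancel authentication interval) and `next_server` before each request; when every server is bypassed the caller sees None and should fail the request rather than wait.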
3. Type the Separator you want to use if multiple user groups are included in
the RADIUS configuration. A separator can be a period, a semicolon, or a
colon.
4. In the Vendor identifier field, type the vendor-specific code number that
was entered on your RADIUS server.
5. In the Vendor specified type field, type the vendor-assigned attribute
number.
1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. Select Authentication Profiles and then click New under LDAP profiles.
3. Type a name and description to define the profile.
4. Type the name or IP address of the LDAP server you want to use.
5. In Port, type the server port number that your LDAP server uses for LDAP
requests.
6. In Administrator DN, type the distinguished name of the administrative
user that has access to your LDAP server and the rights to look up user
entries in the LDAP repository. The following are examples of syntax for
this field:
“domain/user name”
“ou=administrators,dc=ace,dc=com”
“user@domain.name” (for Active Directory)
“cn=Administrator,cn=Users,dc=ace,dc=com”
For Active Directory, the group name, specified as cn=groupname, is
required. The group name that is defined in the Access Gateway must be
identical to the group name that is defined on the LDAP server.
For other LDAP directories, the group name either is not required or, if
required, is specified as ou=groupname.
The Access Gateway binds to the LDAP server using the administrator
credentials and then searches for the user. After locating the user, the
Access Gateway unbinds the administrator credentials and rebinds with the
user credentials.
Chapter 7 Securing User Connections 105
7. In Base DN, type the distinguished name under which user lookups should
begin. Base DN is usually derived from the Bind DN by removing the user
name and specifying the group where users are located. Examples of syntax
for Base DN include:
“ou=users,dc=ace,dc=com”
“cn=Users,dc=ace,dc=com”
8. In LDAP attribute for user logon names, type the attribute under which
the Access Gateway should look for user logon names for the LDAP server
that you are configuring. Depending on the directory service you are using,
type one of the following attributes:
• For Active Directory, use the default sAMAccountName.
• For Novell eDirectory or Lotus Domino, use cn.
• For IBM Directory Server, use uid.
• For Sun ONE Directory, use uid or cn.
9. In LDAP group attribute, type the name of the group attribute the Access
Gateway should use to obtain the groups associated with a user during
authorization. Depending on the directory service you are using, type one
of the following attributes:
• For Active Directory, use the default memberOf.
• For Novell eDirectory, use groupMembership.
• For IBM Directory Server, use ibm-allGroups.
• For Sun ONE Directory, use nsRole.
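Steps 6 through 9 boil down to three pieces of data the gateway needs for its bind-search-rebind sequence: the Base DN (derived from the administrator DN by dropping its leading RDN), the logon-name attribute, and the group attribute for the directory type. The Python helpers below are an added example, not code from this guide or from the Citrix product. They derive the Base DN, look up the per-directory attribute defaults the guide lists, and build the user search filter with the metacharacter escaping of RFC 4515, so that whatever a user types at the logon page can only ever match a logon name and never change the filter's structure. The DNs used are the guide's own ace.com examples; the user names are constructed.

```python
# Attribute defaults the guide lists per directory service (Lotus Domino is
# named only for the logon attribute, so its group attribute is left unset).
DIRECTORY_ATTRIBUTES = {
    "Active Directory": {"logon": "sAMAccountName", "group": "memberOf"},
    "Novell eDirectory": {"logon": "cn", "group": "groupMembership"},
    "Lotus Domino": {"logon": "cn", "group": None},
    "IBM Directory Server": {"logon": "uid", "group": "ibm-allGroups"},
    "Sun ONE Directory": {"logon": "uid", "group": "nsRole"},
}


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def derive_base_dn(bind_dn):
    """Base DN as the guide describes it: the bind DN minus its leading RDN.

    cn=Administrator,cn=Users,dc=ace,dc=com -> cn=Users,dc=ace,dc=com
    """
    parts = split_dn(bind_dn)
    if len(parts) < 2:
        raise ValueError("bind DN has no container to derive a base DN from: %r" % bind_dn)
    return ",".join(parts[1:])


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(directory, logon_name, logon_attribute=None):
    """Filter the gateway would search with after binding as the administrator.

    The attribute defaults to the directory's value from step 8; the logon
    name is escaped so filter metacharacters in it are matched literally.
    """
    attr = logon_attribute or DIRECTORY_ATTRIBUTES[directory]["logon"]
    return "(%s=%s)" % (attr, escape_filter_value(logon_name))


def group_attribute(directory):
    """Attribute from step 9 used to collect a user's groups during authorization."""
    attr = DIRECTORY_ATTRIBUTES[directory]["group"]
    if attr is None:
        raise ValueError("no group attribute listed for %s" % directory)
    return attr
```

Note that the escaping is what keeps a logon name such as `a*b(c)` from being interpreted as filter syntax; with `build_user_filter("Active Directory", "a*b(c)")` the result is `(sAMAccountName=a\2ab\28c\29)`, which matches only a literal logon name of that form.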
If you assign an LDAP profile to authenticate users, you can use Active Directory
or an LDAP profile to authorize users. If you assign a RADIUS profile for
authentication, you can choose the LDAP or RADIUS profile for authorization.
When using a RADIUS profile for authentication, you must use the same profile
for authorization.
When you use RADIUS or LDAP profiles, you can specify how users access
resources that require Active Directory credentials. In an advanced authentication
scenario where Active Directory is the group authority, you can specify whether
the Active Directory and RADIUS servers share the same password. In scenarios
where RADIUS or LDAP authenticate and authorize users, you can enable pass-through authentication to Active Directory. This allows users to access resources
smoothly, without entering their Active Directory credentials. To do this, you
supply the default Active Directory domain. User accounts in the default Active
Directory domain match those on your RADIUS or LDAP servers.
1. In the console tree, select the logon point you want to configure. For more
information about creating a new logon point, see “Configuring Logon
Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select the RADIUS or LDAP profile you
want to use to identify users in your organization.
4. On the Authorization page, select the RADIUS or LDAP profile you want
to use to determine the level of access users receive when they authenticate
successfully.
After you assign the authentication profile to the logon point, use the Server
Configuration utility to set the authentication credentials for the profile.
1. On the Advanced Access Control server, click Start > Programs or All
Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you
have configured to use RADIUS authentication.
3. Click Authentication Credentials.
4. Under RADIUS Servers, select Global secret for all servers or Server
specific secrets.
5. Type the global secret in the Authentication secret and Confirm
authentication secret boxes.
6. For server-specific secrets, double-click the IP address of the RADIUS
server and enter the secret in the Server Credential box.
1. On the Advanced Access Control server, click Start > Programs or All
Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you
have configured to use LDAP authentication.
3. Click Authentication Credentials.
4. Under LDAP Servers, select Global password for all servers or Server
specific passwords.
5. Type the global password in the Authentication secret and Confirm
authentication secret boxes.
1. On the Advanced Access Control server, install and launch the RSA ACE/Agent Certificate Utility.
2. In Current Directory, enter the path of the directory in which you want to
store the certificate file.
3. Click the New Root Certificate and Keys button.
4. Enter your organization name, country, and key passwords.
5. Install the RSA ACE/Agent for Windows software and select the following
installation options:
• In Setup Type, select Custom
• In Custom Setup, select Local Authentication Client only. All
other client options should not be installed.
6. When prompted, locate the Sdroot certificate file you created.
7. Follow the remaining onscreen instructions to install the RSA ACE/Agent
software.
8. Restart the server after installation finishes.
1. On the Advanced Access Control server, click Start > Control Panel >
RSA ACE/Agent.
2. From the Main tab, click the Test Direct Authentication with RSA ACE/Server button.
3. From the RSA ACE/Server Configuration Information window, click the
RSA ACE/Server Test Directly button and enter the user ID and token
passcode for the user you are testing.
If you are using RSA SecurID as the only authentication method, ensure you
create an LDAP authentication profile, assign the profile to the logon point, and
set the authentication credentials prior to configuring the logon point. For more
information, see “Creating LDAP Authentication Profiles” on page 104 and
“Setting Authentication Credentials for Logon Points” on page 106.
1. In the console tree, select the logon point you want to configure. For more
information about creating a new logon point, see “Configuring Logon
Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select one of the following options:
• Under Advanced Authentication, select RSA to use SecurID with
Active Directory to authenticate users.
• Under Authentication, select RSA to use SecurID as the only
authentication method.
4. If you are using RSA SecurID as the only authentication method, on the
Authorization page, select the LDAP profile you want to use.
1. On the Advanced Access Control server, install the SafeWord for Citrix
Secure Access Manager agent software located on the SafeWord product
CD. When prompted, accept the option to use the latest agent software from
Secure Computing and then select the Secure Access Manager Agent
option.
2. Restart the Advanced Access Control services. You can use the Server
Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the
Component Services console.
4. From the console tree, select the logon point you want to configure and
click Edit logon point in Common Tasks. For more information about
creating a new logon point, see “Configuring Logon Points” on page 89.
5. On the Authentication page, under Advanced Authentication, select
SafeWord.
1. On the Advanced Access Control server, install the SafeWord for Citrix
Secure Access Manager agent software located on the SafeWord product
CD. When prompted, accept the option to use the latest agent software from
Secure Computing and then select the Secure Access Manager Agent
option.
2. Restart the Advanced Access Control services. You can use the Server
Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the
Component Services console.
4. Create an LDAP authentication profile. For more information, see
“Creating LDAP Authentication Profiles” on page 104.
5. From the console tree, select the logon point you want to configure and
click Edit logon point in Common Tasks. For more information about
creating a new logon point, see “Configuring Logon Points” on page 89.
6. On the Authentication page, select SafeWord.
7. On the Authorization page, select the LDAP authentication profile you
want to use.
To complete the configuration, you need to set the authentication credentials for
the logon point to which you assigned the LDAP profile. See “Setting
Authentication Credentials for Logon Points” on page 106 for more information.
If you want to use RADIUS with either SafeWord product, perform the following
tasks:
• Configure Microsoft Internet Authentication Service (IAS) on a separate
server and configure the Advanced Access Control server as a RADIUS
client.
• Create a RADIUS authentication profile for the IAS server. If you want to
use LDAP as the group authority instead of RADIUS, you must also create
an LDAP authentication profile. For more information, see “Configuring
RADIUS and LDAP Authentication” on page 102.
• Assign the RADIUS authentication profile to the logon point. If you use
LDAP as the group authority, you must also assign the LDAP
authentication profile to the logon point. For more information, see
“Assigning Authentication Profiles to Logon Points” on page 105.
• Set the RADIUS authentication credentials for the logon point. If you use
LDAP as the group authority, you must also set the LDAP authentication
credentials. For more information, see “Setting Authentication Credentials
for Logon Points” on page 106.
• On the SafeWord server, install and configure the SafeWord IAS Agent
software.
1. Launch the IAS Agent by clicking Start > Programs or All Programs >
Secure Computing > SafeWord > IAS Agent > Configure IAS Agent.
2. Click Authentication Engine and enter the host name or IP address of the
authentication engine.
3. Click Groups and enter the user group and domain of the users using
SafeWord tokens.
Chapter 7 Securing User Connections 115
1. Open the Access Gateway Administration Tool and select the Access
Gateway from the Access Gateway Cluster tab.
2. Click the Advanced Options tab.
3. To enable SSL communication, select the Secure server communication
check box.
Before you install the root certificate, check to be sure it conforms to the Base64
file format. Access Gateway does not recognize other formats as valid.
1. From the Administration Tool, select the Access Gateway and then click
the Administration tab.
2. In Manage trusted root certificates, click Manage.
3. From Trusted Root Certificate Management, click the Manage tab.
4. Click Upload Trusted Root Certificate.
5. Select the root certificate you want to install.
1. Open the Administration Tool and select the Access Gateway from the
Access Gateway Cluster tab.
2. Click the Administration tab and then click Browse to upload a .pem
private key and client certificate.
3. Locate the client certificate and enter the passphrase when prompted.
4. Reboot the Access Gateway.
After you install the client certificate, you can configure the Advanced Access
Control server to require the certificate from the Access Gateway.
1. Click Start > All Programs > Administrative Tools > Internet
Information Services (IIS) Manager.
2. Expand the local computer node and the Web Sites node.
3. Right-click the Default Web Site node and select Properties.
4. Click the Directory Security tab and then click the Server Certificate
button under Secure communications.
5. Follow the onscreen instructions in the IIS Certificate Wizard to create a
new server certificate or assign an existing certificate.
After the server certificate is assigned, you can add the root certificate to the
server’s Certificate Trust List and configure the server to require client
certificates.
1. Open Internet Information Services (IIS) Manager and locate the Default
Web Site node.
2. Right-click the Default Web Site node and select Properties.
3. Click the Directory Security tab and then click the Edit button under
Secure communications.
4. Select the Enable certificate trust list check box.
5. Click the New button and follow the onscreen instructions to complete the
Certificate Trust List wizard. This wizard allows you to add the root
certificate that matches the Access Gateway’s client certificate to the
Certificate Trust List.
Adding Resources
To control your corporate resources with Advanced Access Control, you add
them to the console and then create policies for them.
Resources include corporate applications, Web sites, portals, file shares, services,
servers, email, and email synchronization—essentially any resource that you
want to provide for user access.
This section describes how and why you configure the following types of
resources:
• Network resources
• Web resources
• File shares
For information about configuring email resources, see “Providing Secure Access
to Corporate Email” on page 181.
1. In the console tree, select Network Resources and click Create network
resource in Common Tasks.
2. In the New Network Resource wizard, enter a name and description for the
resource.
3. On the Specify Servers and Ports page, click New to add network
identification, port, and protocol information for the resource.
• To define entire subnets, specify network addresses with subnet
masks. For example, to define all servers on the 10.x.x.x network,
Note: Entire Network includes all resources on the secure network, including
servers or subnets you add later. For example, if you create an access policy that
includes Entire Network and later add a server to the network, the new server is
controlled by the settings of the existing policy.
For more information about creating policies that include Entire Network, see
“Granting Access to the Entire Network” on page 154.
Chapter 8 Adding Resources 121
1. In the console tree, select Resources > Web resources and click Create
Web resource in Common Tasks.
2. Enter a name and description for the resource.
3. On the Configure Addresses page, click New for each URL address you
want to add and enter the address.
Addresses can include:
• virtual directories but not individual documents. For example, you
can add http://PeopleManagementSystem/Recruiting/
but not
http://PeopleManagementSystem/How-to-Interview.html
• dynamic system tokens, such as
http://www.MyCompany.com/users/#<FullName>
Addresses cannot include:
• general regular expressions such as
http://www.server[1-0]+.com/[A-Za-z]+(A-Za-z0-9)*/
• wildcards such as
*.MyURL.com or http://www.*/Dept/MyCompany.com
4. From the Application type list, select the type of application the URL
opens. The application type determines if specialized information is needed
in the URL configuration.
• Citrix Web Interface 4.2 or later points to a Web Interface site
displaying users’ published applications from Citrix Presentation
Server. For more information see “Integrating Web Interface” on
page 158.
• SharePoint points to a SharePoint site.
• SharePoint with Web Interface Web Part points to a Web Part
designed to provide Citrix Web Interface as an area on a SharePoint
site. Supports SmartAccess features through the Web Interface.
• Web Application points to a Web site URL that needs no specialized
configuration information. This is the default setting.
• Web Application (requires session cookies) points to Web sites
allowed to receive cookies. By default the Web proxy does not
forward cookies to redirected URL addresses. The Web proxy does
not pass cookies to the default Web application type.
5. From the Authentication types supported area of the New URL dialog
box, you can enable pass-through authentication to the site by selecting the
site’s authentication method. For more information, see “Enabling Pass-
Through Authentication for Web Resources” on page 124.
6. Select the option to publish in users’ lists of resources if you want this
resource to appear on the Access Interface.
• The home page must be a page within the exact URL you specify in
Step 3. For example, if you enter http://MyCompany.net for the
resource address, you can specify a page within that site, such as
http://MyCompany.net/Finance.aspx.
• If your directory service uses the homepage token, you can enter
#<HomePage> for the URL home page. For more information about
using tokens, see “Using Dynamic System Tokens” on page 128.
7. Select the option to use an interface that is common for all browser types if
users are not allowed to use ActiveX controls or use a variety of browser
versions. Selecting this option presents users with a generic interface that
does not require advanced browser technologies such as ActiveX.
8. Specify whether or not to create a default policy. If you create a default
policy, you can edit its properties later.
This requirement does not apply if the Web proxy is bypassed for access to the
server hosting the URL address. For more information about bypassing URL
rewriting, see “Bypassing URL Rewriting” on page 144.
• Digest authentication. Hashed credentials are passed to the Web site using
Digest Authentication.
• Integrated Windows authentication. Hashed credentials are passed to the
Web site using Integrated Authentication. NTLM or Kerberos
authentication is used, depending on your Web server configuration.
Caution: When using any of the three pass-through authentication methods, the
target Web application is first presented with the credentials with which the user
logged on to the Access Gateway. Accessing Web sites that require a second,
differing set of credentials through Access Gateway can result in the caching of
the second set of credentials.
1. In the console tree, select the Web resource and click Edit Web resource in
Common Tasks.
2. On the URL Addresses page, select the Web site’s URL and click Edit.
3. In the Authentication types supported area, select the authentication
method being used by the Web site.
1. In the console tree, select Resources > File Shares and click Create file
share in Common Tasks.
2. Enter a name and description for the resource.
3. On the Configure Addresses page, click New to add each shared item, for
example, \\MyServer\Shared-Files-Folder.
• You can include addresses for specific document files as well as
directories.
• You can use dynamic system tokens, such as #<username>. To use
system tokens, the service account in the Server Configuration for
Advanced Access Control must be a domain account and not a local
machine account.
4. In the File Share dialog box, select Publish for users in their list of
resources if you want this resource to be listed on the Access Interface.
5. Specify whether or not to create a default policy. If you create a default
policy, you can edit its properties later.
If you do not select the option to publish a file share, users can still navigate to the
share in their browsers as long as a policy allows access to the file share. A file
share that a user has access to but which is not published can also be accessed if it
appears embedded in a Web page or email.
Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that
problems resulting from incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Make sure you back up the registry before you
edit it.
Examples:
\\Public-shares\Departments\#<Department>\Reports
http://inotes.my-server.com/mail/#<username>.nsf
3. Create a resource group that includes all the resources you listed in Step 1.
4. Create a filter that includes your requirements for the access scenario. For
example, you can create a filter that requires users to authenticate with RSA
authentication, log on to your Sales logon point URL, and pass specified
endpoint analysis scans of the client device.
5. Create a policy for the resource group. Associate the policy with the filter
you created in Step 4 and select the action controls you want for each
resource.
Resource group names or descriptions do not appear to users in published lists of
resources. The name and description you define for a resource group are for
administrative use only. If you choose to publish a Web resource or file share,
users see the resource’s description (not the description of the resource group) in
their lists of resources.
Each resource type has a wizard to guide you through adding the resource. These
wizards are available from Common Tasks when the Resources node is selected.
By default, users are denied access to any resource you define until you create
policies that grant access permissions. This includes all resources and resource
groups.
Policies provide granular control of access at the resource level. Use policies to
control which resources users can get to and what actions they can perform on
those resources. You can leverage the power of filters to apply policies based on
information detected about the client device, who users are, the strength of their
authentication, and where they are logging on. Filters provide the flexibility to
match policies with your access scenarios. This section discusses how to
implement policies and formulate strategies to control resources according to the
user scenario.
Policies extend the security of your network environment by enabling you to
control:
• Access. You can prevent users from connecting to your resources unless
they meet security requirements such as identity, authentication, antivirus,
firewall, and client software.
• Actions. You can control specific actions that users perform on resources
accessed through the browser, based on the user scenario.
• Connections. You can control Secure Access Client connections and apply
settings to those connections.
For example, you might create a resource group that contains several file shares,
Web resources, and email that require very restricted access when users are
connecting remotely. In another resource group you might add Web resources and
file shares that you want users to have access to at all times, as long as they
have a trusted client device.
User Device: Corporate desktop running required antivirus software
Resources Users Can Access:
• All corporate networks and file systems
• Full email services
• Corporate portals and Web applications
• Published applications through Citrix Presentation Server
• Other applications
Actions Users Can Take:
• Download files
• Upload files
• Edit files on the local client device
• Edit files on servers running Citrix Presentation Server
• Send documents as email attachments

User Device: Remote corporate device running required antivirus and firewall software
Resources Users Can Access:
• Web applications
• Synchronized email applications
• Published applications through Citrix Presentation Server
• Limited access to file systems
• Servers or services defined as network resources
Actions Users Can Take:
• Edit and save documents with Live Edit ActiveX control without needing to download and upload
• Limited client mapping or printing documents on servers running Citrix Presentation Server
• Send documents as email attachments
• Connect directly to network resources through VPN using Secure Access Client

User Device: Public kiosk running a required browser
Resources Users Can Access:
• Web applications
• Web-based email only
• Limited access to published applications
Actions Users Can Take:
• Preview documents as HTML
• No client mapping or printing documents on servers running Citrix Presentation Server

User Device: Personal digital assistant (PDA)
Resources Users Can Access:
• Web-based email only
Actions Users Can Take:
• View Web-based email, which supports refactoring for small devices
• Preview documents as HTML, which supports refactoring for small devices
• Send documents as email attachments
• No application access

User Device: Remote corporate laptops for system administrators who cover emergencies from home
Resources Users Can Access:
• Full access to individual mission critical applications defined as network resources or the Entire Network resource
Actions Users Can Take:
• Connect directly to network resources through VPN using Secure Access Client
After you develop an access strategy, you configure resources, policies, and
filters in combinations that comply with and extend your corporate security
guidelines. Resources and policies define the access control you allow. Filters
define when and under what conditions the access is granted.
You must create a Web resource or network resource for any application that you
want users to have remote access to, and you must create policies for these items
granting explicit “Access” permission for users. Configuring file share access is
slightly different from Web resources, because you do not choose the “Access”
permission in policies for file shares. Users can view a file share resource through
their browser if you publish the resource and if the operating system access
control list (ACL) allows access permission to the users. Policies for file shares
define the users who can view the file share, the actions those users are allowed to
take on the documents in those file shares, and the conditions under which they
can take the actions.
1. In the console tree select Policies and choose Create access policy from
Common Tasks.
2. In the New Access Policy wizard, name and describe the policy.
3. On the Select Resources page, select the resource groups and resources for
the policy to control.
• Select Network Resources > Entire Network if you want this policy
to control access to all visible servers and services on the network.
• Select the Allow Logon resource if you want this policy to include
the conditions under which the users are allowed to log on to the
network.
Take care to review selections in the available resources tree. When you
select or clear a category of resource, such as File Shares, all items grouped
under that category are selected or cleared. Expand nodes to display the
selections under each category.
4. On the Configure Settings page, enable each desired setting individually
and select Allow or Deny. Take care to review your selections in the
settings tree.
It is possible to select policy settings on the Configure Settings page for
types of resources that you did not select for the policy to control. The
policy applies settings only for the resources that are selected for the policy.
5. On the Select Filter page, select a filter that defines the conditions to be
met for the policy to be enforced.
If you have not yet configured filters, you can edit the policy and assign a
filter to it later.
6. On the Select Users page, select the users to whom the policy applies.
Naming Policies
All policy names must be unique. Developing a consistent naming convention or
practice eases administration of policies. Because policies are defined per
resource to provide granular control, you can potentially create many policies.
The naming convention you develop should help you quickly identify the
resource and, if possible, the level of access you are applying.
You can develop a convention that meets your organization’s needs. In general,
the policy name should include the resource. One typical naming convention
names policies by resource name and an access level phrase that coincides with
your access strategy or the permissions allowed. For example:
• Web resource X_full access_all users
• Web resource X_limited access_field users
• Web resource X_full access_administrators
• File share Z_all actions_all users
• File share Z_restricted actions_unknown devices
You can change the name of default policies.
For example, you might choose to grant file type association for a file share
where employees post reports of ongoing project meetings, without providing the
ability to download or upload.
Providing file type association requires that:
• Users run Citrix Presentation Server Client software on the client device.
• Users connect through a logon point configured for Citrix Presentation
Server.
• Users are assigned to the desired applications in Citrix Presentation Server.
• Citrix Presentation Server is configured to work with Advanced Access
Control.
Allowing Logon
The privilege of logging on is treated as a resource so you can secure the privilege
through policies, just as you do for other resources. This feature enables you to
configure additional requirements, beyond the authentication of credentials, that
users must meet to log on to your network.
The resource is named Allow Logon. You can select the Allow Logon resource
along with other resources when you create an access policy.
Users cannot log on until you create an access policy to allow them to do so.
Chapter 9 Controlling Access Through Policies 141
1. In the console tree, select the logon point and click Edit logon point in
Common Tasks.
2. In the logon point properties, select the Visibility page.
3. Select Show logon page.
4. If you want to show the logon page conditionally, use the logical expression
builder to define the conditions to be met by the connecting client device.
A. Insert the logical operators AND, OR, and NOT and click Endpoint
Analysis Output to choose from a list of your configured scans.
B. Review the resulting logical statement in the Expression preview.
Note: The expression builder appears unavailable until you have created
endpoint analysis scans.
The Root object displayed in the expression builder does not affect
expression logic. The root signals the beginning of your expression tree.
where scan_name is the name you assigned to the scan when you created it.
Assume that the conditions you want to set are reflected by the following
statement: Show the logon page to users with client devices that are running a
required level of McAfee VirusScan or McAfee VirusScan Enterprise. Before you
build this conditional expression, you must create an endpoint analysis scan for
your required versions of McAfee VirusScan and McAfee VirusScan Enterprise.
Note: This example requires you to have configured two endpoint analysis
scans to verify whether or not the client device is running McAfee VirusScan or
McAfee VirusScan Enterprise. For information about creating scans, see
“Creating Endpoint Analysis Scans” on page 166.
The following example shows a conditional expression using the NOT operator.
To pass this complex condition, the client device must have your required version
of McAfee VirusScan or McAfee VirusScan Enterprise, but the device cannot be
connecting with the Mozilla Firefox browser.
Note: This example requires you to have configured three endpoint analysis
scans to verify whether or not the client device is running McAfee VirusScan or
McAfee VirusScan Enterprise, and to also verify if the client device is connecting
with the Mozilla Firefox browser. For information about creating scans, see
“Creating Endpoint Analysis Scans” on page 166.
Select Bypass URL rewriting in the policy settings of the policy that controls
access to the Web resource.
Important: When defining resources that bypass URL rewriting, you must
specify entire servers, such as //server/. All URL addresses hosted on the
specified server are bypassed by the Web proxy, even if those URL addresses
appear in the properties of other Web resources that are supposed to be routed
through the Web proxy.
Note: You cannot incorporate the failover feature for Access Gateway
appliances for users accessing Web resources only with a browser.
determines whether or not a group of users can access a certain file share
and whether they can preview files in HTML or use Live Edit to modify the
file.
One of the filters you can apply to a connection policy is a continuous scan filter.
A continuous scan filter comprises a set of scans that continue to monitor the
connection during the entire user session. As soon as the client device ceases to
meet the requirements defined in the continuous scan filter, the connection is
disconnected.
1. In the console tree, select Policies > Connection Policies and choose
Create connection policy from Common Tasks.
2. Name and describe the policy.
3. Configure the connection settings you want to apply by selecting each
setting and choosing Yes or No to allow or deny it. You must allow the
setting Launch Secure Access Client if access allowed to make additional
settings available. Select from among the following settings:
• Authenticate after system resume forces authentication after the
client device goes into standby or hibernate mode.
• Authenticate after network interruption forces authentication if
the network connection is interrupted.
• Enable split DNS allows failover to a user’s local DNS if the remote
DNS is not available. By default, Access Gateway checks a user’s
remote DNS only.
• Execute logon scripts runs Windows logon scripts when the
connection is established.
• Desktop sharing allows users to share their desktop with other users
who are logged on to the Access Gateway from a Secure Access
Client. Users can then share their desktop by right-clicking the Secure
Access Client icon in the Windows notification area and selecting
Share Desktop.
4. If you want to give client devices a unique IP address, add and define the
address pools from which address aliases are assigned. On the Define IP
Pool Configuration page, click New to add each available IP pool.
• For Access Gateway, enter the IP address of the Access Gateway
appliance.
• For Gateway, enter the IP address of the default gateway if you use
one. If you do not use a default gateway, you can leave this box blank.
• Each IP range should be valid but unused on the network.
• To avoid conflicting assignments, ensure that you configure a unique
IP range or ranges for each gateway appliance. You should not assign
the same IP range or ranges to multiple gateway appliances.
Note: If you add address pools, you must restart each Access
Gateway appliance in the farm before the IP pool becomes available.
You might want to schedule IP pool configuration for a convenient
time.
5. Select filters that define the conditions for policy enforcement. You can
select two types of filters:
• A filter defines requirements for logon points, endpoint analysis,
authentication, and client certificates. This type of filter checks for
your requirements once during logon.
• A continuous scan filter defines requirements of registry entries,
files, or processes that must be verified on the client device. This
filter checks its requirements throughout the user session.
6. Select users and user groups to whom the policy applies.
If no IP pools are defined, the client device is identified by the IP address of the
Access Gateway appliance and connects directly to the server running
Presentation Server without being controlled by policies assigned to the network
resources defined for the servers running Presentation Server.
1. In the console tree, select Connection Policies and choose Set connection
policy priority from Common Tasks.
2. Select a policy and use the arrow buttons to move its position in the ordered
list. The highest priority policy appears at the top of the list.
You can create a filter before, at the same time, or after you create the policies
you want to associate with it.
1. Open the New Filter wizard from one of the following locations:
• In the console tree, select Policies > Filters and click Create filter in
Common Tasks.
• On the Select Filters page of a policy wizard, click New.
2. Enter a name and description for the filter.
3. Select the option Create a typical filter.
4. If you want the policy to apply when users enter through specific logon
points, select those logon points.
5. If you want the policy to apply based on the authentication used, select the
authentication.
6. If you want the policy to apply based on endpoint analysis scans of the
client device, select the appropriate scan outputs.
7. If you want the policy to apply based on required information in an SSL
client certificate, select Specify SSL client certificate matching criteria.
You can require that the certificate contain specified values for common
name, organization, or organizational unit.
• You cannot specify SSL client certificate values for filtering unless
the option to require client certificates is selected in Access Gateway
Global Properties (Gateway Appliances > Edit gateway appliances
properties > Client Properties).
• Do not add quotation marks around the values you enter for common
name, organization, or organizational unit.
Each type of filter condition is optional. For example, you can configure a filter
based on logon point only. Logically, the conditions defined in a filter are
combined with the AND logical operator, and within a condition type, the settings
are combined with an OR operator. For example, if your filter settings specify
Logon Point A, Logon Point B, and Scan Output C, the policy is applied with the
following logic: (Logon Point A OR Logon Point B) AND Scan Output C.
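The filter combination rule just described, together with the AND/OR/NOT expression trees used for logon page visibility, as an added Python example that is not part of the Citrix guide. The Output/And/Or/Not classes and the scan output names (for example "McAfee VirusScan.Verified") are assumptions made for illustration, not names the product uses.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple, Union


@dataclass(frozen=True)
class Output:
    """Leaf element: an endpoint analysis scan output, logon point,
    authentication type, or client certificate match, identified by name."""
    name: str


@dataclass(frozen=True)
class And:
    terms: Tuple["Expr", ...]


@dataclass(frozen=True)
class Or:
    terms: Tuple["Expr", ...]


@dataclass(frozen=True)
class Not:
    term: "Expr"


Expr = Union[Output, And, Or, Not]


def evaluate(expr: Expr, facts: FrozenSet[str]) -> bool:
    """Evaluate an expression tree against the facts detected for one
    session (verified scan outputs, the logon point used, and so on)."""
    if isinstance(expr, Output):
        return expr.name in facts
    if isinstance(expr, And):
        return all(evaluate(t, facts) for t in expr.terms)
    if isinstance(expr, Or):
        return any(evaluate(t, facts) for t in expr.terms)
    if isinstance(expr, Not):
        return not evaluate(expr.term, facts)
    raise TypeError(f"unknown expression node: {expr!r}")


def typical_filter(**conditions: Iterable[str]) -> Expr:
    """Build a 'typical' filter as the guide describes it: condition types
    are ANDed together, and the settings within one type are ORed.
    A condition type with no settings is omitted (each type is optional)."""
    groups = [Or(tuple(Output(v) for v in values))
              for values in conditions.values() if values]
    return And(tuple(groups))


def render(expr: Expr, depth: int = 0) -> str:
    """Render a tree the way the expression builder lists it:
    operator on one line, its operands indented beneath it."""
    pad = "  " * depth
    if isinstance(expr, Output):
        return pad + expr.name
    if isinstance(expr, Not):
        return pad + "NOT\n" + render(expr.term, depth + 1)
    label = "AND" if isinstance(expr, And) else "OR"
    return "\n".join([pad + label] + [render(t, depth + 1) for t in expr.terms])


# The guide's typical-filter example: Logon Point A, Logon Point B, Scan Output C
# becomes (Logon Point A OR Logon Point B) AND Scan Output C.
TYPICAL = typical_filter(
    logon_points=["LogonPoint.A", "LogonPoint.B"],
    endpoint_analysis=["ScanOutput.C"],
)

# The logon page visibility example built with the NOT operator: the device
# must pass the VirusScan or VirusScan Enterprise scan and must not be
# connecting with Firefox. Scan output names here are assumed, not the guide's.
VISIBILITY = And((
    Or((Output("McAfee VirusScan.Verified"),
        Output("McAfee VirusScan Enterprise.Verified"))),
    Not(Output("Mozilla Firefox.Detected")),
))


def policy_applies(facts: Iterable[str]) -> bool:
    """Does the typical filter above match this session?"""
    return evaluate(TYPICAL, frozenset(facts))


def show_logon_page(facts: Iterable[str]) -> bool:
    """Should the logon page be shown to this client device?"""
    return evaluate(VISIBILITY, frozenset(facts))


if __name__ == "__main__":
    print(render(VISIBILITY))
    print(policy_applies({"LogonPoint.A", "ScanOutput.C"}))   # True
    print(policy_applies({"LogonPoint.A", "LogonPoint.B"}))   # False: scan C missing
    print(show_logon_page({"McAfee VirusScan.Verified", "Mozilla Firefox.Detected"}))  # False
```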
1. In the console tree, select Policies > Filters and click Create filter in
Common Tasks. The New Filter wizard opens.
2. Enter a name and description for the filter.
3. Select the option Create a custom filter.
4. On the Build Custom Filter page, use the logical expression builder to
create an expression that reflects the conditions you want met before the
policy is enforced.
• Insert the logical operators AND, OR, and NOT along with elements
for logon point, authentication, endpoint analysis output, client
certificate, or another filter to create the logical expression.
• Note that the Root object displayed in the expression builder does not
affect expression logic. The root signals the beginning of your
expression tree.
Assume for this example that your network security strategy is to deny logon
privileges to client devices running Windows 2000 unless those devices have
Windows 2000 Service Pack 4 installed OR are running Internet Explorer 6.0.
You want to build a filter for this scenario that you can assign to a policy that
includes the Allow Logon privilege.
Before creating the custom filter, create two scans as follows:
152 Access Gateway Advanced Edition Administrator’s Guide
1. Use “Citrix Scans for Windows Service Pack” to create a scan with these
settings:
• Rule conditions: operating system = Windows 2000; client device
regional locale = all
• Property value to verify: Service Pack 4
2. Use “Citrix Scans for Internet Explorer” to create a scan with these settings:
• Rule conditions: operating system = Windows 2000; client device
regional locale = all
• Property value to verify is the minimum required version: 6.0
On the Build Custom Filter page of the New Filter wizard, follow these steps to
create the logical expression:
1. Click OR from the Insert group box.
2. Click Endpoint Analysis Output and choose the scan output for Service
Pack 4.
3. Select OR in the expression builder and click Endpoint Analysis Output
again to choose the scan output for Internet Explorer Version 6.0.
The result in the expression builder appears as:
OR
  Citrix Scans for Windows Service Pack.scan_name.Verified-Windows-Service-Pack
  Citrix Scans for Internet Explorer.scan_name.Verified-Internet-Explorer
1. In the console tree, select Policies > Continuous Scan Filters and click
Create filter in Common Tasks.
2. Enter a name and description for the filter.
3. On the Configure Requirements page, use the logical expression builder
to create an expression that reflects the conditions you want the client
device to meet.
• Insert the logical operators AND, OR, and NOT and click File Scan,
Process Scan, or Registry Scan to choose from your configured
scans.
• Note that the Root object displayed in the expression builder does not
affect expression logic. The root signals the beginning of your
expression tree.
Assume that you want to create an expression that requires an antivirus program's
executable file to be installed on the client device and that you configured a file
scan to verify this file. From the Configure Requirements page of the
continuous scan filter wizard, click File Scan and choose the file scan. The result
of this example procedure looks like this in the expression tree:
ROOT
  scan_name
where scan_name is the name you assigned to the scan when you created it.
Assume that the conditions you want to set are reflected by the following
statement: Client devices must be running the process for a personal firewall from
either Company A or Company B. Before you build this conditional expression,
you must create a process scan for Company A's personal firewall process and
another process scan for Company B's personal firewall process.
1. Click OR.
2. Click Process Scan and choose the scan for Company A’s personal firewall
process.
3. Click Process Scan and choose the scan for Company B’s personal firewall
process.
The result of this example procedure looks like this in the expression tree:
ROOT
  OR
    scan_name_CompanyA_process
    scan_name_CompanyB_process
Note: Policy Manager does not present information about the filtered results of
policy control with live connecting clients, such as the resulting set of access
permissions after endpoint analysis scans or continuous scans are taken into
consideration.
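Because Policy Manager does not show the resulting permissions for a connecting client, it helps to be able to work out by hand what a filter will decide. The following Python model is an added illustration, not part of the Citrix guide or its software: it reproduces the combination rule of a typical filter (condition types ANDed together, selected values within one type ORed), and the AND/OR/NOT expression tree of a custom filter or continuous scan filter, and evaluates either against a description of the connecting client. The node shapes, the context dictionary, and the "Logon Point A/B, Scan Output C" and "Company A/B" scenarios are assumptions of the example; the two scan output names are taken from the custom filter example above.

```python
"""Added example, not Citrix code: a model of Advanced Access Control filter logic.

Expression nodes:
  ("HAS", cond_type, value)   leaf: the client context holds `value` for `cond_type`
  ("NOT", child)
  ("AND", [children]) / ("OR", [children])
The context maps a condition type (logon_point, authentication, scan_output,
filter) to the set of values observed for the connecting client."""
from __future__ import annotations


def evaluate(node: tuple, context: dict[str, set]) -> bool:
    """Evaluate an expression tree. A scan output that was never produced
    (the scan's rule conditions did not match the device) is absent from the
    context and evaluates as False, like the scan package's default output."""
    op = node[0]
    if op == "HAS":
        _, cond_type, value = node
        return value in context.get(cond_type, set())
    if op == "NOT":
        return not evaluate(node[1], context)
    children = node[1]
    if op == "AND":
        return all(evaluate(child, context) for child in children)
    if op == "OR":
        return any(evaluate(child, context) for child in children)
    raise ValueError(f"unknown operator {op!r}")


def typical_filter(**conditions: list[str]) -> tuple:
    """Build the tree a typical filter expresses: condition types are ANDed and
    the values selected within one type are ORed. A type with no values is
    omitted because every condition type is optional, so a filter with no
    conditions at all always applies (AND of nothing is True)."""
    clauses = [
        ("OR", [("HAS", cond_type, value) for value in values])
        for cond_type, values in conditions.items()
        if values
    ]
    return ("AND", clauses)


def render(node: tuple, depth: int = 0) -> str:
    """Render a tree the way the expression builder shows it beneath ROOT."""
    pad = "  " * (depth + 1)
    if node[0] == "HAS":
        return f"{pad}{node[2]}"
    if node[0] == "NOT":
        return f"{pad}NOT\n" + render(node[1], depth + 1)
    body = "\n".join(render(child, depth + 1) for child in node[1])
    return f"{pad}{node[0]}\n{body}"


def policy_applies(filter_tree: tuple, context: dict[str, set]) -> bool:
    """A policy carrying this filter is enforced for the client when the tree is True."""
    return evaluate(filter_tree, context)


# Scan output names from the page's custom filter example.
SP4_OUTPUT = "Citrix Scans for Windows Service Pack.scan_name.Verified-Windows-Service-Pack"
IE6_OUTPUT = "Citrix Scans for Internet Explorer.scan_name.Verified-Internet-Explorer"

# Typical filter: (Logon Point A OR Logon Point B) AND Scan Output C
TYPICAL = typical_filter(logon_point=["Logon Point A", "Logon Point B"],
                         scan_output=["Scan Output C"])

# Custom filter: Windows 2000 devices qualify with Service Pack 4 OR Internet Explorer 6.0
CUSTOM = ("OR", [("HAS", "scan_output", SP4_OUTPUT),
                 ("HAS", "scan_output", IE6_OUTPUT)])

# Continuous scan filter: the personal firewall process of Company A OR Company B
CONTINUOUS = ("OR", [("HAS", "scan_output", "scan_name_CompanyA_process"),
                     ("HAS", "scan_output", "scan_name_CompanyB_process")])

if __name__ == "__main__":
    client = {"logon_point": {"Logon Point B"}, "scan_output": {"Scan Output C"}}
    print("ROOT\n" + render(TYPICAL))
    print("typical filter applies:", policy_applies(TYPICAL, client))
    print("custom filter applies:", policy_applies(CUSTOM, {"scan_output": {IE6_OUTPUT}}))
```

Build the context from what the client actually presents at logon (its logon point, authentication method and the scan outputs produced for it); outputs of scans that did not run should simply be left out, which the evaluator treats as False.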
CHAPTER 10
You can integrate Advanced Access Control and Citrix Presentation Server so
that users can easily access all of their resources, including published
applications, from a common interface. For example, you can embed a Citrix
Access Platform site within the Access Interface. The Access Interface is a
navigation page shipped with Advanced Access Control that can list available
published applications alongside other available resources such as Web resources,
file shares, and so on.
In addition, you can share information collected by Advanced Access Control to
extend the policy-based access control capabilities of Citrix Presentation Server.
By integrating Advanced Access Control filters within Citrix Presentation Server
policies, you can control which published applications users can access and what
they can do within those applications once they get access. This allows you to
create Citrix Presentation Server policies to accommodate different access
scenarios based on a variety of factors such as authentication strength, logon
point, and client device information such as endpoint analysis.
For example, you can include endpoint analysis information collected by
Advanced Access Control within a Citrix Presentation Server policy to determine
access to a published application. In addition, you can selectively enable
client-side drive mapping, cut and paste functionality, and local printing based
on the logon point used to access the published application.
The next section discusses the supported deployments as well as the procedures
required to integrate Citrix Presentation Server and Advanced Access Control. If
you are passing Advanced Access Control information into Citrix Presentation
Server for policy evaluation, you must complete the following steps as well:
• Create one or more filters within Advanced Access Control. See “Creating
Policy Filters” on page 149 for more information about creating filters.
• Create policies within Citrix Presentation Server that reference Advanced
Access Control filters. See the Citrix Presentation Server Administrator’s
Guide for more information about creating policies.
Note: Continuous scan filters, unlike regular policy filters, cannot be used by
Citrix Presentation Server policies.
Platform site is displayed alongside file shares and Web applications. You
can also configure the Access Interface to display up to three Presentation
Server sites in a separate tab.
• Citrix Access Platform site configured as the default home page for a logon
point. Once logged on, users are presented the Citrix Access Platform site.
This procedure requires that you use Version 4.2 of the Access Management
Console to create and manage Citrix Access Platform sites integrated with
Advanced Access Control. Version 4.0 of the console or command-line tool
cannot be used to manage sites created with later versions of the console. In
addition, once a Citrix Access Platform site is configured with the Advanced
Access Control access method, users can access this site only through Advanced
Access Control. Attempts to directly access the site are denied.
Complete the following steps in Advanced Access Control.
1. Configure Citrix Presentation Server to communicate with Advanced
Access Control. See “Integrating Citrix Presentation Server” on page 157
for more information.
2. Create a Web resource for the Citrix Access Platform site with the
following settings:
• Select Citrix Web Interface 4.2 or later as the application type
• Select the Publish for users in their list of resources check box
3. Specify the appropriate policy settings for the Web resource referencing the
Citrix Access Platform site.
4. Provide access to the Citrix Access Platform site in one of the following
ways:
• Display the Citrix Access Platform site as the default home page.
Configure a logon point to display the application with the highest
display priority as the home page. Then, configure the Citrix Access
Platform site as the application with the highest priority.
• Embed a Citrix Access Platform site within the Access Interface.
Configure a logon point to display the Access Interface as the home
page. The Citrix Access Platform site is embedded as a frame within
the Access Interface.
Note: If users choose to store credentials for an Access Platform site and their
credentials for logging on to Advanced Access Control are later changed,
Advanced Access Control automatically deletes the stored credentials the next
time the users log on. The users are then prompted to re-enter their credentials for
the Access Platform site.
When you enable credential caching, Advanced Access Control stores the Access
Platform site credentials in the UserData table in the configuration database.
When a user logs on, the Web proxy reads the encrypted credentials from the
configuration database and forwards them to the Citrix Access Platform site. If
credential caching is disabled or the cached credentials for the site are incorrect,
users are prompted to enter the correct credentials to log on to the Access
Platform site.
To enable the display of multiple Citrix Access Platform sites and enable
credential caching
1. On the Advanced Access Control server, create a .vbs file that contains the
following script:
Dim obj
Dim farmsetting
' Connect to the farm settings manager on the Advanced Access Control server
Set obj = WScript.CreateObject("Citrix.Msam.Amc.BusinessObjects.FarmSettingManager")
Set farmsetting = obj.GetFarmSetting()
' Enable credential caching and the display of multiple Access Platform sites
farmsetting.CredentialCachingEnabled = 1
farmsetting.MultipleWebInterfaceEnabled = 1
' Write the modified settings back to the configuration database
obj.UpdateFarmSetting farmsetting
Before you can associate an Access Platform site with a Presentation Server farm,
you must configure the site as a Web resource and publish it for users to access
from the Access Interface. If you do not select Publish for users in their list of
resources when you configure the Access Platform site as a Web resource, the
site is not available to associate with a Presentation Server farm.
1. In the console tree, select the access server farm node and click Edit farm
properties in Common Tasks.
2. From the Presentation Server Farms page, select the farm and click Edit.
3. On the Web Interface page, select the site you want to associate with the
farm.
To ensure Workspace Control functions for all users, you must define a STA in
the gateway properties. For more information, see “Configuring Authentication
with Citrix Presentation Server” on page 100.
• Session time-out. Ensure all logon points use the same settings as the
Citrix Access Platform site.
To configure file type association for file shares, Web resources, and Web-based email
Before you configure file type association, verify that published application
settings in Citrix Presentation Server specify the associations you want. For
example, if you want a published application to be launched for users when they
open a bitmap image (.bmp) file, make sure that the application’s settings
associate it with .bmp files.
1. Configure Citrix Presentation Server to communicate with Advanced
Access Control. See “Integrating Citrix Presentation Server” on page 157
for more information.
2. Specify the farm(s) you want to link to your access server farm. See
“Specifying Server Farms” on page 85 for more information.
3. Specify the Citrix Presentation Server farms available to the logon point.
See “Configuring Logon Points” on page 89 for more information.
4. Create an access policy for the file share, Web resource, or Web-based
email application and enable and allow the File Type Association action
control. See “Configuring Policy Settings to Control User Actions” on page
137 for more information.
Important: Web Interface for Microsoft SharePoint is a Web Part that allows
the integration of a Web Interface within SharePoint. For more information about
Web Interface for Microsoft SharePoint, see the Citrix Web site. Generic
third-party portals must support the display of IFRAME-based Web content to
properly integrate a Citrix Access Platform site.
Endpoint analysis is a process that scans a client device and detects information
such as the presence and version level of operating system, antivirus, firewall, or
browser software. Use endpoint analysis to verify that the client device meets
your requirements before allowing it to connect to your network. You can monitor
files, processes, and registry entries on the client device throughout the user
session to ensure that the device continues to meet requirements.
You can use two types of scans:
• Endpoint analysis scans detect information about the client device, such
as the presence and version level of operating system, antivirus, firewall, or
browser software. This information can be included as a filter within an
access policy or a connection policy. Endpoint analysis scans are run once,
during logon.
• Continuous scans are scans of the client device that occur repeatedly
throughout the session to ensure that the client device continues to meet
requirements. The feature prevents, for example, users from changing the
status of a client device requirement after establishing the connection.
Types of continuous scans include file scans, process scans, and registry
scans. For more information, see “Creating Continuous Scans” on page
178.
You can incorporate detected information into policies, enabling you to grant
different levels of access based upon the client device. For example, you can
provide full access with download permission to users who connect from the field
using corporate laptops that are up-to-date with antivirus and firewall software
requirements. For users connecting from kiosks or untrusted home computers,
you can provide a more restricted level of access that allows previewing
documents only or editing the documents on remote servers without downloading
them.
Endpoint analysis performs these basic steps:
• Examines an initial set of information about the client device to determine
which scans to apply
Note: The Citrix Scans for Macintosh and Citrix Scans for Browser Type do not
require that the Endpoint Analysis Client software run on the client device. These
scans can gather their results from information provided to the server from the
client device directly, without using Endpoint Analysis Client software.
Note that scans with conditions not matching the client device do not run on the
client device; however, even these scans receive a default output defined by the
scan package, such as False.
Endpoint analysis completes before the user session consumes a license.
Scans have rules that define when the scan is applied to a client device. Each rule
includes a set of conditions, which are required attributes of the client device that
must all be met for the scan to be applied.
Creating a scan includes defining the prerequisite conditions under which the
scan runs and configuring the properties to verify.
To create a scan
1. In the console tree, select the scan package for the properties you want to
scan.
2. From the Common Tasks area, click Create scan.
3. Name the scan.
4. Select the conditions that will define when the scan runs.
5. Provide a rule name for the set of conditions and properties you are
configuring.
6. Select all acceptable values for each condition.
• The condition is met if the client device matches any of the values
you select
• The wizard presents a separate page for each condition
7. Configure the property values to verify.
• For example, to verify that a minimum version of an antivirus
program is running on the client device, enter the minimum version
number.
• The wizard presents a separate page for each property value the scan
verifies. If the scan verifies multiple property values, the client device
must meet the requirements for all specified values.
• Version numbers follow the typical syntax for the specific product
and require at least one decimal point; for example, 2.1 or 2.1.1.
For information about individual scan packages and the properties you can set for
them, see “Scan Properties Reference” on page 239.
After creating a scan, you can add more rules to make the scan apply to multiple
user scenarios.
The following steps describe the general process for using scan outputs in
policies.
1. Create a scan that verifies the properties you require.
2. Create a policy filter that uses the scan output from Step 1.
3. Create a policy and assign to it the filter you created in Step 2.
Steps 2 and 3 above can be combined in the policy wizard.
Scan Packages
Scan packages enable you to create scans to verify the properties of a client
device, such as the installed version of an antivirus software product. Each
package is designed to verify specific properties or software products.
Scan packages are listed in the console under the Endpoint Analysis node.
You can view individual properties of a scan package in the console, including a
description of its scan outputs. Look at the scan output descriptions when you
want to know which information about the client device is retrieved or verified.
A scan output can take two forms:
• Information about the client device. For example, the scan package Citrix
Scans for Trend OfficeScan detects and retrieves a value that is the product
version of Trend OfficeScan running on the client device, if any.
• A true/false Boolean verification indicating if the scan’s required property
values were detected.
2. From the details pane on the right, select Properties from the display
menu. The scan output table describes each output produced by the
package.
To add a rule
1. Select the scan in the console tree and click Create rule in Common Tasks.
2. Follow the wizard prompts to define the rule’s name, condition settings,
and property value settings.
Assume that your network security policy is to prevent access to client devices
unless they have Service Pack 4 installed for Windows 2000 and Service Pack 2
installed for any machines running Windows XP. You have an exception for
employees in the Tokyo office, because the Tokyo IT department decided not to
upgrade Windows XP to Service Pack 2 until further testing takes place. You can
use the same scan with different rules to verify the correct service pack for all
three of these scenarios.
Your environment includes a logon point named “Tokyo” that is used by your
Tokyo office users. Logon points apply settings to the connections that initiate
through their URLs.
The following steps create a scan that verifies these three service pack
requirements.
1. Create a scan with the Citrix Scans for Windows Service Pack, selecting the
Logon Point condition to configure.
2. Create the first rule during scan creation with these settings:
• Conditions: set the Operating system to Windows 2000 and set the
Logon point to all
• Property value to verify: set the minimum required service pack to
Service Pack 4
3. Add a second rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the
Logon point to all except Tokyo
• Property value to verify: set the minimum required service pack to
Service Pack 2
4. Add a third rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the
Logon point to Tokyo
• Required property value: set the minimum required service pack to
Service Pack 1
You can create conditions from scan outputs in the following three ways:
• Select Endpoint Analysis or select a specific scan in the console tree and
click Edit available conditions list in Common Tasks
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition
• Select a scan output in the Properties view for a specific scan and click
Create condition
Assume that you have two divisions, Sales and Finance, that are assigned their
own domain. The Sales group requires all of its client devices connecting
remotely to run Antivirus Program A, but the Finance group requires its client
devices to run Antivirus Program B.
Chapter 11 Verifying Requirements on Client Devices 171
Follow the steps below to verify that these client devices are running the required
antivirus program version.
1. Create two scans using Citrix Scans for Domain Membership:
• A Sales domain scan to verify that client devices belong to the Sales
domain
• A Finance domain scan to verify that client devices belong to the
Finance domain
2. Create a scan to check only Sales domain client devices for Antivirus
Program A:
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition and follow the prompts to
identify the scan output for the Sales domain scan you created in Step
1
• Use the scan output “Verified-domain” from the Sales domain scan as
your new condition and require it to have a value of “True”
3. Create a scan to check only Finance domain client devices for Antivirus
Program B:
• On the Select Conditions page of the Create Scan wizard, select Use
Another Scan’s Output as a Condition and follow the prompts to
identify the scan output for the Finance domain scan you created in
Step 1
• Use the scan output “Verified-domain” from the Finance domain scan
as your new condition and require it to have a value of “True”
You can use scan outputs in custom filters to achieve similar results for complex
scenarios.
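The rule mechanics described in this chapter, together with the service pack scenario and the Sales/Finance scenario above, are modelled in the following Python example. It is an added illustration, not Citrix code: a scan holds rules, the first rule whose conditions the device all satisfies is applied (a condition is satisfied by any of its accepted values, "all" accepts anything), the rule's property minimums are then verified, a scan with no matching rule is not run and reports the package default output, and each scan's Verified output is written back into the device context so a later scan can use it as a condition. The device attribute names, the domain names SALES and FINANCE, the antivirus version minimums and the `Except` form used for "all except Tokyo" are assumptions of the example; the version comparison follows the "at least one decimal point" convention stated above and compares components numerically, so that 4.10 is newer than 4.4.

```python
"""Added example, not Citrix code: a model of endpoint analysis scan rules.
Each rule lists conditions the client device must all match (a condition is
met if the device's value is any accepted value) and the property minimums
the device must then meet. A scan with no matching rule is not run and
yields the package's default output. Outputs are written back into the
device context so a later scan can use them as a condition."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any

ALL = object()  # the wizard's "all": the condition accepts any value


@dataclass(frozen=True)
class Except:
    """Accept every value except the listed ones (all logon points except Tokyo)."""
    excluded: frozenset


def accepts(accepted: Any, value: Any) -> bool:
    if accepted is ALL:
        return True
    if isinstance(accepted, Except):
        return value not in accepted.excluded
    return value in accepted


def parse_version(text: str) -> tuple[int, ...]:
    """'2.1.1' -> (2, 1, 1); the console requires at least one decimal point."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(found: str, minimum: str) -> bool:
    """Component-wise numeric comparison: 4.10 is newer than 4.4, 2.1 equals 2.1.0."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def meets(found: Any, minimum: Any) -> bool:
    if found is None:  # property absent: the software is not installed
        return False
    if isinstance(minimum, str):
        return version_at_least(found, minimum)
    return found >= minimum  # e.g. a service pack number


@dataclass
class Rule:
    name: str
    conditions: dict[str, Any]  # device attribute -> accepted set, ALL or Except(...)
    required: dict[str, Any] = field(default_factory=dict)  # property -> minimum


@dataclass
class Scan:
    name: str
    rules: list[Rule]
    default_output: bool = False  # reported when no rule applies


def run_scan(scan: Scan, device: dict[str, Any]) -> tuple[bool, str | None]:
    """Return (verified, name of the first rule whose conditions all matched, or None)."""
    for rule in scan.rules:
        if all(accepts(acc, device.get(attr)) for attr, acc in rule.conditions.items()):
            ok = all(meets(device.get(prop), minimum) for prop, minimum in rule.required.items())
            return ok, rule.name
    return scan.default_output, None


def run_scans(scans: list[Scan], device: dict[str, Any]) -> dict[str, bool]:
    """Run scans in order; each scan's Verified output becomes a device attribute."""
    context = dict(device)
    outputs: dict[str, bool] = {}
    for scan in scans:
        verified, _ = run_scan(scan, context)
        outputs[scan.name] = verified
        context[f"{scan.name}.Verified"] = verified
    return outputs


# The service pack scenario from the page: one scan, three rules.
SERVICE_PACK_SCAN = Scan("Windows Service Pack", [
    Rule("Windows 2000 everywhere", {"os": {"Windows 2000"}, "logon_point": ALL},
         {"service_pack": 4}),
    Rule("Windows XP outside Tokyo", {"os": {"Windows XP"}, "logon_point": Except(frozenset({"Tokyo"}))},
         {"service_pack": 2}),
    Rule("Windows XP in Tokyo", {"os": {"Windows XP"}, "logon_point": {"Tokyo"}},
         {"service_pack": 1}),
])

# The Sales/Finance scenario: domain scans feed antivirus scans as conditions.
# Domain names, attribute keys and version minimums are constructed for the example.
DOMAIN_AND_AV_SCANS = [
    Scan("Sales domain", [Rule("sales", {"domain": {"SALES"}})]),
    Scan("Finance domain", [Rule("finance", {"domain": {"FINANCE"}})]),
    Scan("Antivirus Program A", [Rule("sales only", {"Sales domain.Verified": {True}},
                                      {"antivirus_a_version": "7.0"})]),
    Scan("Antivirus Program B", [Rule("finance only", {"Finance domain.Verified": {True}},
                                      {"antivirus_b_version": "3.2"})]),
]
```

Note the order dependency in `run_scans`: a scan that uses another scan's output as a condition must run after it, which mirrors the wizard's requirement that the domain scans exist before the antivirus scans reference them.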
make sure you do not change the conditions of existing rules in unexpected
ways, check the properties for the scan’s rules after you add to the list of
available conditions.
• To remove a condition from a scan’s available conditions list, you must first
remove all rules that use the condition or select all possible values for the
condition in every rule that uses it.
Editing Rules
You can view all condition settings for a rule in the Properties display for the rule.
For example, if you add to the conditions that are available for a scan, all existing
rules of that scan receive the condition you added with all the settings selected.
You might need to adjust the settings that are automatically copied to existing
rules.
To edit the condition settings for a rule, select the rule in the console tree and
click Properties from the display menu in the details pane on the right.
Lists
Lists are single-column data sets that indicate multiple required values for a
single property. Scan packages that use lists include:
• Citrix Scans for Windows Update verifies that client devices are running all
of the updates you list in a data set
• Citrix Scans for Internet Explorer Update verifies that client devices are
running all of the updates you list in a data set
Maps
Maps, or double-column data sets, detect a value on the client device and map it
to another value used in the scan.
For example, Citrix Scans for MAC Address detects the MAC address for each
network interface card (NIC) or network adapter on the client device. The scans
reference a double-column data set to map the address (the first column value) to
a group name (the second column value). Scans use this mapping to verify the
logical group to which the client device belongs.
1. Select Endpoint Analysis in the console tree and click Manage data sets
in Common Tasks.
2. Select New.
3. Enter a name for the new data set.
4. Enter data in one of the following two ways:
• Enter a path to a .csv file containing initial data to import. You must
use this method to create a double-column set.
• Leave the file path blank to create an empty single-column data set.
Add values by editing the data set after you create it.
You can edit an existing data set from the Data Sets dialog box. To open Data
Sets, select Endpoint Analysis in the console tree and click Manage data sets in
Common Tasks.
This example describes the steps for creating a scan to verify that client devices
are running required updates for Version 6.0 of Internet Explorer.
1. Use the Citrix Scans for Internet Explorer scan package to create a scan that
verifies whether or not the client device is running Version 6.0 of Internet
Explorer.
2. Create a single-column data set listing the Internet Explorer updates you
require if the client device is running Version 6.0. Example values for such
a data set might be KB834707, KB867232, and KB889293.
3. Use the Citrix Scans for Internet Explorer Update scan package to create a
scan to check for your required updates on client devices running Internet
Explorer Version 6.0.
A. On the Select Conditions page of the Create Scan wizard, click Use
Another Scan’s Output as a Condition and identify the scan output
that identifies product version from the scan you created in Step 1. In
the Define Values dialog box, name this new condition and add the
allowed value of 6.0.
B. When prompted for the property values of the required updates, select
the data set you created in Step 2.
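The two data set shapes described in "Lists" and "Maps", and the Internet Explorer update example just given, are modelled in the following Python example. It is an added illustration, not Citrix code: a .csv with one column is imported as a list of required values (every listed update must be found on the device), a .csv with two columns is imported as a map from a detected value to the value the scan verifies (a MAC address to a group name), and a mixed file is rejected. The KB numbers are the ones named above; the MAC addresses, group names and the `verify_ie_updates` gating on Version 6.0 are constructed for the example.

```python
"""Added example, not Citrix code: the two data set shapes scans use.
A list (single column) names several required values for one property, such
as the updates Citrix Scans for Internet Explorer Update must find; a map
(double column) translates a value found on the device, such as a MAC
address, into the value the scan verifies, such as a group name.
Both CSV samples are constructed for the example."""
from __future__ import annotations
import csv
import io

IE6_UPDATES_CSV = """\
KB834707
KB867232
KB889293
"""

MAC_GROUPS_CSV = """\
00-11-22-33-44-55,Corporate Laptops
00-11-22-33-44-66,Corporate Laptops
AA-BB-CC-DD-EE-FF,Kiosks
"""


def load_data_set(text: str) -> list[str] | dict[str, str]:
    """Import a .csv data set: one column yields a list, two columns a map.
    Mixed widths are rejected because a set must be one or the other."""
    rows = [[cell.strip() for cell in row]
            for row in csv.reader(io.StringIO(text)) if any(cell.strip() for cell in row)]
    widths = {len(row) for row in rows}
    if widths == {1}:
        return [row[0] for row in rows]
    if widths == {2}:
        return {row[0]: row[1] for row in rows}
    raise ValueError(f"data set must have exactly one or two columns, found widths {sorted(widths)}")


def missing_updates(required: list[str], installed: set[str]) -> list[str]:
    """List semantics: every listed update must be present on the device."""
    return [kb for kb in required if kb not in installed]


def verify_ie_updates(ie_version: str | None, installed: set[str]) -> bool | None:
    """The update scan is conditioned on the product-version output of the
    Internet Explorer scan: it applies only to Version 6.0 and returns None
    (scan not run) for any other version."""
    if ie_version != "6.0":
        return None
    return not missing_updates(load_data_set(IE6_UPDATES_CSV), installed)


def normalize_mac(mac: str) -> str:
    """Adapters report addresses in several notations; the map keys use dashes."""
    return mac.strip().upper().replace(":", "-")


def device_groups(mac_map: dict[str, str], adapter_macs: list[str]) -> set[str]:
    """Map semantics: every NIC is looked up; the device belongs to the groups
    of all of its known adapters, and an unknown address maps to nothing."""
    return {mac_map[m] for m in map(normalize_mac, adapter_macs) if m in mac_map}


if __name__ == "__main__":
    print("missing:", missing_updates(load_data_set(IE6_UPDATES_CSV), {"KB834707"}))
    print("groups:", device_groups(load_data_set(MAC_GROUPS_CSV), ["00:11:22:33:44:55"]))
```

A device with several adapters (wired, wireless, virtual) can map to more than one group, so a scan that verifies group membership should be read as "any adapter belongs to the group" unless you deliberately exclude virtual adapters from the map.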
1. In the console tree, select a scan group or Endpoint Analysis and click
Import scan package in Common Tasks.
• If you want the package to appear in a scan group, you must select
that scan group.
• If you select Endpoint Analysis during the importing, the scan
package does not appear under a scan group and appears directly
under the Endpoint Analysis node.
2. Browse to the scan package file and click OK.
Grouping Scans
Default scan groups for such categories as antivirus, firewall, and operating
system software are provided in the console tree to help organize scan packages
and their scans. Scan groups can help you find scan packages or scans more
quickly. You can create and name your own groups.
Scan groups exist to organize items within the console tree only and have no
effect on how scans run.
To create a scan group, select Endpoint Analysis in the console tree and click
Create scan group in Common Tasks.
Select Endpoint Analysis in the console tree and click Import language pack in
Common Tasks.
Note: You must run discovery after using these utilities for the console to find
and display the new values.
Parameter        Description
package_uri      URI of the scan package to which the scan belongs. You can find the URI information for a scan package in the management console Properties view for the scan package.
package_version  Version of the scan package to which the scan belongs. You can find the version information for a scan package in the management console Properties view for the scan package.
scan_name        Name of the scan in which the property is set.
rule_name        Name of the rule in which the required property value is set.
param_name       Parameter name for the required value. You can find the parameter name and its current setting in the management console in the Properties view for the scan rule.
new_value        The new value. If the required property has a restricted value range, this new value must be within that range.
Let us assume you want to update an existing scan from the scan package Citrix
Scans for McAfee VirusScan Enterprise. To update the required pattern version to
4641, type the following on one line (both paths contain spaces, so each one is
quoted):
"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" "C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab" 1.0 "scan_name" "rule_name" "PatternVersion" "4641"
where scan_name and rule_name are the existing scan name and rule name. The
required engine version (4.4 in this example) is updated with a second invocation
of the same form, using the parameter name shown for that property in the rule's
Properties view.
Parameter       Description
file_name.csv   The name of the .csv file that contains the data set.
dataset_name    The name for the data set.
key             If the data set is a list (single-column data set), this is a value in the list. If the data set is a map (double-column data set), this is the first column value.
value           If the data set is a map (double-column data set), this is the second column value. If the data set is a list (single-column data set), this parameter does not exist.
For more information about data sets, see “Using Data Sets in Scans” on page
172.
You can find parameter names from the scan properties in the console.
1. In the console tree select a rule associated with the scan and choose the
Properties view in the right details pane.
2. Select the row that displays the property and look in the Parameter Name
column.
1. In the console tree, select Policies > Continuous Scans > File Scans and
click Create file scan from Common Tasks.
2. Name the scan.
3. Enter the file path.
4. Enter the following optional information you can require the scan to find:
• For Date on or after, enter a date to be verified against the file’s
creation date.
• The MD5 digital signature is added automatically from the entered
file path. You can modify this value if a different signature is required
on the client device. Because the MD5 signature for an executable
file can differ among different machine platforms, verify that the
signature you enter is used by your client devices.
1. In the console tree, select Policies > Continuous Scans > Process Scans
and click Create process scan from Common Tasks.
2. Name the scan.
3. Type the name or browse to the process.
4. The MD5 digital signature is added automatically from the entered file
path. You can modify this value if a different signature is required on the
client device. The MD5 digital signature is not required and can be left
blank. Because the MD5 signature for an executable file can differ among
different machine platforms, verify that the signature you enter is used by
your client devices.
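The file scan requirement described above (a path, the MD5 value the console fills in from that path, and an optional earliest creation date) and its continuous re-evaluation during the session are modelled in the following Python example. It is an added illustration, not Citrix code: the file name, its contents and the scan name are constructed, the digest is computed from those contents rather than taken from a real product, and the session check is an AND over all configured file scans. Because the digest of the same product's executable differs between platforms, the value you configure must be the one your client devices actually carry; and since MD5 is no longer collision resistant, treat the digest as a check that the expected build is in place rather than as a tamper-proof integrity control.

```python
"""Added example, not Citrix code: a model of a continuous file scan. The
requirement is a path, an optional MD5 digest of the file as shipped, and an
optional earliest creation date; the session re-evaluates it periodically
rather than only at logon. The file contents below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import datetime
import hashlib
import os
import tempfile


@dataclass
class FileScan:
    name: str
    path: str
    md5: str | None = None                        # blank: only presence (and date) is checked
    date_on_or_after: datetime.date | None = None


def md5_of_file(path: str) -> str:
    """Digest the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_creation_date(path: str) -> datetime.date:
    """Creation time where the platform exposes it (st_birthtime on macOS and on
    Windows with recent Python; older Windows reports creation in st_ctime).
    On Linux st_ctime is the inode change time, the closest available value."""
    stat = os.stat(path)
    created = getattr(stat, "st_birthtime", stat.st_ctime)
    return datetime.date.fromtimestamp(created)


def check_file_scan(scan: FileScan) -> tuple[bool, str]:
    """Evaluate one requirement; the reason explains a failure for the session log."""
    if not os.path.isfile(scan.path):
        return False, f"{scan.name}: file not found"
    if scan.md5 and md5_of_file(scan.path).lower() != scan.md5.lower():
        return False, f"{scan.name}: MD5 mismatch"
    if scan.date_on_or_after and file_creation_date(scan.path) < scan.date_on_or_after:
        return False, f"{scan.name}: file older than {scan.date_on_or_after}"
    return True, f"{scan.name}: ok"


def session_still_compliant(scans: list[FileScan]) -> tuple[bool, list[str]]:
    """One pass of the continuous check: the session stays compliant only while
    every file scan in the filter passes (an AND of requirements)."""
    results = [check_file_scan(scan) for scan in scans]
    return all(ok for ok, _ in results), [reason for ok, reason in results if not ok]


def demo() -> list[bool]:
    """Logon passes; the monitored file is then altered and the next pass fails."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fwservice.exe")  # constructed stand-in for a firewall binary
        with open(path, "wb") as handle:
            handle.write(b"constructed firewall service image v1")
        scan = FileScan("firewall present", path, md5=md5_of_file(path),
                        date_on_or_after=datetime.date(2000, 1, 1))
        first, _ = session_still_compliant([scan])
        with open(path, "ab") as handle:              # the file changes mid-session
            handle.write(b"\x00tampered")
        second, _ = session_still_compliant([scan])
        return [first, second]


if __name__ == "__main__":
    print("compliant at logon, after change:", demo())
```

A process scan behaves the same way for the running image of a process, with the MD5 value optional; leaving it blank accepts any build at that path, which is the right choice when client devices run the product on several platforms.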
1. In the console tree, select Policies > Continuous Scans > Registry Scans
and click Create registry scan from Common Tasks.
2. Name the scan.
3. Type the Registry path, Registry type, Entry name, and Entry value.
CHAPTER 12 Providing Secure Access to Corporate Email
Note: If recipients access their email through Advanced Access Control and it
contains an embedded link to a file share or Web resource, a policy allowing the
recipients access to that resource is also required. However, if the email is sent to
recipients not using Advanced Access Control to access their email, no additional
permissions are required. These users can view the attachment without policy
restrictions.
Note: You can combine email access methods if you want to provide more than
one method of remote access. For example, in addition to providing access to
published email applications, you can also configure a Web-based email solution.
If you are using a portal solution, you can integrate the Web-based email interface
included with Advanced Access Control with these portal products. See
“Integrating Web-Based Email Access with a Third-Party Portal” on page 187 for
more information.
When you configure Web-based email access, users access their email from the
Email tab on the Access Interface. If you prefer, you can configure Advanced
Access Control so that the Web-based email interface is the default interface users
see when they log on to Advanced Access Control. See “Configuring Logon
Points” on page 89 for more information about how to achieve this configuration.
Use the following procedure to allow users to send and receive Web-based email
with Microsoft Exchange.
1. In the console tree, select Web Email and click Configure Web email in
Common Tasks.
2. Select Microsoft Exchange.
3. Select the Enable Web-based access check box.
4. Select one of the following Web-based interfaces:
• Email interface included with Advanced Access Control. Allows
access to email without the need for users to download or install
client software; they need to run only a supported browser.
• Specify the IP address, FQDN, or NetBIOS name of your
Microsoft Exchange server.
• Display email as HTML to support advanced text formatting
features including numbering, bullets, alignment, and linking to
file shares and Web pages. Only enable this option when email
messages originate from trusted sources within your corporate
network.
Note: Citrix recommends that you first test your Web-based email
application with this option disabled. If your testing reveals that the
application displays improperly, enable this option and verify that the
issue no longer exists.
Use the following procedure to allow users to send and receive Web-based email
with Lotus Notes/Domino.
1. In the console tree, select Web Email and click Configure Web email in
Common Tasks.
2. Select Lotus Notes/Domino or other email applications.
3. Select Enable Web-based access.
4. Specify the application’s start page as well as URLs for which the
application requires access. If you use a load balancer to manage iNotes
servers, enter the URL of the load balancer as the start page and add the
iNotes servers as URLs accessible by the application.
You can use dynamic token replacement to accommodate explicit links to
individual user database files. For example, enter
http://servername/mail/#<username>.nsf, where servername is the
NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server
and the username token is replaced with the user’s user name obtained from
Active Directory or Windows NT Directory Services. For a complete list of
tokens supported by Advanced Access Control, see “Using Dynamic
System Tokens” on page 128.
5. Enable the interface common for all browser types option to suppress the
presentation of browser-specific ActiveX controls and other advanced
display types. Citrix recommends this option if you have users who cannot
download ActiveX controls or who use a variety of browser versions.
Note: Citrix recommends that you first test your Web-based email
application with this option disabled. If your testing reveals that the
application displays improperly, enable this option and verify that the issue
no longer exists.
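Step 4 above shows a start page of the form http://servername/mail/#<username>.nsf, where the token is replaced with the user's Active Directory name. The following added example (not part of the guide and not Advanced Access Control's own implementation) shows the substitution with the safeguard a practitioner would want: the directory value is percent-encoded before it is placed in the URL, and a token with no value is rejected rather than passed through. The token syntax is taken from the guide's example; only the username token appears in the guide, and the mapping of token names to values is this example's assumption.

```python
import re
from urllib.parse import quote

# Token syntax follows the guide's example URL, http://servername/mail/#<username>.nsf.
# Only the "username" token appears in the guide; the mapping of token names to
# directory attribute values passed in here is an assumption of this example.
TOKEN_RE = re.compile(r"#<([A-Za-z0-9_]+)>")


def expand_tokens(template, values):
    """Replace every #<token> in template with its value from `values`.

    Each value is percent-encoded with no characters exempt, so a user name
    containing "/", "?", "#" or spaces stays inside the path segment the
    administrator wrote rather than altering the URL's structure. A token
    with no value raises KeyError instead of being passed through, so a
    half-expanded link is never published."""
    def substitute(match):
        name = match.group(1).lower()
        if name not in values:
            raise KeyError(f"no value for token #<{match.group(1)}>")
        return quote(str(values[name]), safe="")
    return TOKEN_RE.sub(substitute, template)


def has_unexpanded_tokens(url):
    """True if any #<token> remains; a final check before a link is handed
    to the browser."""
    return TOKEN_RE.search(url) is not None


if __name__ == "__main__":
    # Constructed sample user name; "servername" is the guide's placeholder.
    print(expand_tokens("http://servername/mail/#<username>.nsf",
                        {"username": "jsmith"}))
```

The encoding matters because the value comes from a directory attribute that the gateway administrator does not control at the moment the link is built; encoding keeps it confined to the path segment of the database file name.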
When you configure this feature, roaming workers—whether connected over the
Web or within the enterprise—can securely connect to their email accounts on the
Exchange or Lotus Notes/Domino server and synchronize their locally installed
email application with the data stored on the corporate email server. This allows
users to work with their calendars, tasks, and contacts in real time when working
online, and then to synchronize their folders in preparation for working offline.
Use this feature if you want remote users with laptops to be able to securely
access and synchronize email as they move between office workstations, laptops,
and home workstations.
The basic steps involved in allowing users to work with and synchronize their
email accounts to their client devices are:
• Configure the email synchronization feature
• Create a policy to allow users to use the email synchronization feature
• Open the appropriate ports on the firewall between the Access Gateway and
internal mail servers
When you are done configuring email synchronization, you must create a policy
that allows users to access this resource.
Create a policy to allow users to synchronize their email data to their client
devices following the steps in “Creating Access Policies” on page 135.
When you are done creating a policy to allow users to synchronize their email
data to their client devices, you must configure your firewall ports to allow users
to connect.
1. In the console tree, select Email and choose Configure Web email from
Common Tasks.
2. On the Enable Web-based Email page, select the Enable Send as
Attachments for file shares check box.
3. Additional configuration depends on the email application server selected.
• Microsoft Exchange. Specify the NetBIOS name, IP address, or
FQDN of your Microsoft Exchange server. Advanced Access Control
uses the Microsoft Exchange server configuration information to
determine the MAPI server.
• Lotus Notes/Domino. Specify the name or IP address of the SMTP
(Simple Mail Transfer Protocol) and LDAP (Lightweight Directory
Access Protocol) servers.
Note: If you are using Notes/Domino servers, ensure SMTP port relay
outbound restrictions do not prevent users outside of the corporate network
from sending emails. For example, you can configure Notes/Domino
servers to allow all authenticated users to send outgoing email. Refer to
your Notes/Domino product documentation for additional information
about configuring SMTP port relay outbound restrictions.
Security level and file types:
• Level 1 (Blocked File Types): .ade .adp .app .asx .bas .bat .chm .cmd .com
.cpl .crt .csh .exe .fxp .hlp .hta .inf .ins .isp .js .jse .ksh .lnk .mda .mdb
.mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .reg .scf
.scr .sct .shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh
• Level 2 (Download Only File Types): .ade .adp .asx .bas .bat .chm .cmd .com
.cpl .crt .dcr .dir .exe .hlp .hta .htm .html .htc .inf .ins .isp .js .jse .lnk
.mda .mdb .mde .mdz .mht .mhtml .msc .msi .msp .mst .pcd .pif .plg .prf .reg
.scf .scr .sct .shb .shs .shtm .shtml .spl .stm .swf .url .vb .vbe .vbs .wsc
.wsf .wsh .xml
You can add and remove file types from either security level by using Registry
Editor. If a file type is added to both levels, it is treated as a Level 1 file type.
Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that
problems resulting from incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Make sure you back up the registry before you
edit it.
Note: Each new file type must be on its own line, with no additional spaces,
and must include the leading dot.
Note: This feature is not available to Lotus iNotes/Domino Web Access users.
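The two levels above, the rule that a type listed in both is treated as Level 1, and the one-per-line format required for registry entries can be checked with a small classifier. The following is an added example written for this guide, not Citrix code: it embeds the two lists from the table in the newline-separated form the registry entries use, validates that form, and classifies an attachment name. The file names it is run against are constructed.

```python
import os

# Attachment file-type lists copied from the guide's table, written here in
# the one-extension-per-line form the registry entries use (leading dot, no
# extra spaces). Constructed for this example, not read from a live registry.
LEVEL1_BLOCKED_TEXT = "\n".join(
    ".ade .adp .app .asx .bas .bat .chm .cmd .com .cpl .crt .csh .exe .fxp "
    ".hlp .hta .inf .ins .isp .js .jse .ksh .lnk .mda .mdb .mde .mdt .mdw "
    ".mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .reg .scf .scr .sct "
    ".shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh".split())

LEVEL2_DOWNLOAD_ONLY_TEXT = "\n".join(
    ".ade .adp .asx .bas .bat .chm .cmd .com .cpl .crt .dcr .dir .exe .hlp "
    ".hta .htm .html .htc .inf .ins .isp .js .jse .lnk .mda .mdb .mde .mdz "
    ".mht .mhtml .msc .msi .msp .mst .pcd .pif .plg .prf .reg .scf .scr .sct "
    ".shb .shs .shtm .shtml .spl .stm .swf .url .vb .vbe .vbs .wsc .wsf .wsh "
    ".xml".split())


def file_type_list_errors(text):
    """Return the problems found in a newline-separated file-type list,
    applying the guide's rule: one entry per line, a leading dot, and no
    additional spaces. An empty list means the text is well formed."""
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":
            continue
        if line != line.strip() or " " in line:
            errors.append(f"line {lineno}: {line!r} contains spaces")
        elif not line.startswith(".") or len(line) < 2:
            errors.append(f"line {lineno}: {line!r} lacks the leading dot")
    return errors


def parse_file_type_list(text):
    """Parse a well-formed list into a lower-cased set of extensions."""
    errors = file_type_list_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    return {line.lower() for line in text.splitlines() if line}


LEVEL1_BLOCKED = parse_file_type_list(LEVEL1_BLOCKED_TEXT)
LEVEL2_DOWNLOAD_ONLY = parse_file_type_list(LEVEL2_DOWNLOAD_ONLY_TEXT)


def classify_attachment(filename, level1=LEVEL1_BLOCKED,
                        level2=LEVEL2_DOWNLOAD_ONLY):
    """Return "blocked", "download-only" or "open" for an attachment name.

    Only the final extension counts, so "report.pdf.exe" is judged by
    ".exe"; the comparison is case-insensitive so "SETUP.EXE" is not missed;
    and Level 1 is checked first because the guide states that a type in
    both lists is treated as Level 1."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in level1:
        return "blocked"
    if ext in level2:
        return "download-only"
    return "open"


if __name__ == "__main__":
    for name in ("setup.exe", "page.html", "report.pdf", "report.pdf.exe"):
        print(name, classify_attachment(name))
```

Two points the classifier makes visible: the overlap between the lists is large, so the Level 1 precedence rule decides most of the executable types, and a double extension such as report.pdf.exe is still caught because only the last extension is consulted.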
To configure the Web-based email interface for use with small form factor
devices
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_FLAGS=STATUS_NO_DEFAULT_STORE
66090003=06000000
660A0003=03000000
34140102=78b2fa70aff711cd9bc800aa002fc45a
PR_DISPLAY_NAME=Public Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_MDB_private]
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITY|STATUS_DEFAULT_STORE
|STATUS_PRIMARY_STORE
66090003=0C000000
660A0003=01000000
34140102=5494A1C0297F101BA58708002B2A2517
PR_DISPLAY_NAME=Private Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_DSA]
PR_DISPLAY_NAME=Microsoft Exchange Directory Service
PR_PROVIDER_DISPLAY=Microsoft Exchange Directory Service
PR_PROVIDER_DLL_NAME=EMSABP.DLL
PR_RESOURCE_TYPE=MAPI_AB_PROVIDER
[MSEMS_MSMail_Section]
UID=13DBB0C8AA05101A9BB000AA002FC45A
66000003=01050000
66010003=04000000
66050003=03000000
66040003=02000000
The last step in deployment is providing users with the information and tools
necessary to access corporate resources. This process includes determining if
your implementation requires the distribution of client software and if so,
developing a strategy for deploying this software. In addition, training and other
forms of communication detailing how your deployment impacts the workplace
assist users as they transition to their new environment.
The topics in this section discuss the issues to consider when developing an
overall plan for rolling out Access Gateway Advanced Edition to users.
• “Developing a Client Software Deployment Strategy” on page 195
• “Managing Client Software Using the Access Client Package” on page 200
• “Downloading Client Software on Demand” on page 203
• “Ensuring a Smooth Logon Experience with the Secure Access Client” on
page 205
• “Ensuring a Smooth Rollout” on page 208
• “Browser Security Considerations” on page 209
• “Customizing the Logon Error Message” on page 211
However, for smaller companies, the costs associated with planning and
preparing an automated deployment could outweigh the benefits. These
companies should consider alternative deployment methods such as posting
client software to a network share or an on-demand deployment solution.
Both of these methods are described in detail in later sections.
• Corporate security requirements. If your corporation configures client
devices so that users do not have installation rights on their machines, you
must develop a strategy that allows someone with administrative rights to
perform the installation. In this scenario, larger companies should consider
a corporate deployment tool such as Systems Management Server. Smaller
companies should consider posting client installation packages to a file
share and having someone with administrative rights manually install the
software on each client device.
• Corporate management practices. If your organization maintains strong
centralized control over client software deployment—for example, if you
use Microsoft Systems Management Server to help control software
distribution—you can more reliably update client devices. Therefore, if
your goal is to ensure that all users have the most up-to-date software,
allowing them to install their own client software is not a recommended
option. Rather, a team dedicated to maintaining client software should be
responsible for ensuring client software is installed and updated properly.
• Cost factors. Consider the overall cost associated with each deployment
option including planning, preparation, and training costs. In addition,
determine if some of these costs are justifiable because of the return on
investment over a period of time. For example, the return on investment of
a centrally managed solution is usually much better than that of a manual
solution over time.
• Access to client devices. If your corporation supports remote access
scenarios such as using an Internet kiosk to check email, you will not have
the ability to install client software on these devices before users access the
corporate network. In these cases, consider an on-demand deployment
strategy where you configure Advanced Access Control so that client
software is automatically downloaded to the client device only when
required. However, if access to client devices is readily available, consider
deploying the client software prior to the user accessing Advanced Access
Control.
Weigh all of these factors when determining who should be responsible for
installing the client software on the client device. Then, select the deployment
solution that makes the most sense for your corporation.
Note: The Endpoint Analysis Client is available as a stand-alone MSI and EXE
on the Server CD in the \Setup\EndpointAnalysisClient\lang directory. In
addition, individual installation packages can be created for all client software
components supported by Access Client package. For more information, see
“Managing Client Software Using the Access Client Package” on page 200.
Note: Small form factor devices are not compatible with the Advanced Access
Control client software. Therefore, features requiring client software are not
available on small form factor devices.
Note: Each client installation that includes a Citrix Presentation Server Client
includes the Program Neighborhood Connection Center, allowing users to see
information about their current ICA connections.
The Access Client package installs and upgrades all available clients, as specified
when you build your software package. Every item included in your original
client software package should be included in any subsequent upgrade packages
you create.
For example, if you create a software package that includes the Endpoint
Analysis Client and the Web Client, subsequent upgrade packages must include
both client software packages. If you create an upgrade package that includes
only the Endpoint Analysis Client, the Access Client package uninstalls the Web
Client.
Important: The Gateway Client and Advanced Gateway Client are no longer
supported by Advanced Access Control and therefore, are removed from the
Access Client package. However, the Access Client package now includes the
Secure Access Client, the client software component that replaces the Gateway
Client and Advanced Gateway Client. As a result, the Access Client package
uninstalls the Gateway Client and Advanced Gateway Client from all client
devices. If users require the functionality previously available with these clients,
include the Secure Access Client in your package.
Conversely, if you later want to add the Secure Access Client to your
environment, rebuild your package to include the Endpoint Analysis, Web, and
Secure Access Clients. When this installation package is run on client devices
that have your original package installed, the Secure Access Client is installed,
while the Endpoint Analysis and Web clients will simply be verified as installed
and not changed in any way.
To uninstall a client that was installed or upgraded using a Windows Installer
package, users must run the Add/Remove Programs utility from the Control
Panel or run the installer package again and select the Remove option.
Important: To install the client software using the Windows Installer package,
the Windows Installer Service must be installed on the client device. This service
is present by default on Windows 2000 systems. To install clients on client
devices running earlier versions of the Windows operating system, you must use
the self-extracting executable or install the Windows Installer 2.0 Redistributable
for Windows, available at http://www.microsoft.com/.
For more information about the Access Client package, including a full list of
included clients, see the Download section of the Citrix Web site at
www.citrix.com.
The requirements for installing on-demand clients include configuring the client
browser to accept client software such as ActiveX controls, plug-ins, and Java
applets. In addition, users running Windows XP or Windows 2000 must be
members of the Power Users or Administrators group to install the software on
their devices. For additional information about client software minimum
requirements, see “Client Requirements” on page 58.
You cannot configure the on-demand deployment of the Endpoint Analysis
Client. Rather, Advanced Access Control determines if, based on policies
associated with that logon point, an endpoint analysis scan is required. If a scan is
required, Advanced Access Control detects if the Endpoint Analysis Client is
present on the client device. If the client software is detected on the client device,
the Endpoint Analysis Client performs the appropriate scans. However, if the
software is not detected, users are prompted to download and install the Endpoint
Analysis Client as an ActiveX control when running Internet Explorer or a
plug-in when running Netscape Navigator or Firefox.
If users refuse to allow the Endpoint Analysis Client to install and scan the client
device, they receive the same level of access they would if the policies associated
with the scans were denied. This level can be limited or no access. Consider
deploying the Endpoint Analysis Client in advance if you want to avoid the
on-demand downloading of this client.
Note: Some endpoint analysis information is cached on the client device. Users
can empty this cache through the Manage Endpoint Analysis tool (Start >
Programs > Citrix > Endpoint Analysis Client).
1. In the console tree, select the appropriate logon point and choose Edit
Logon Point from Common Tasks.
2. On the Clients page, select the clients you want to deploy to users
on-demand from the options below.
• Web Client (ActiveX or Netscape plug-in). Select this option if
your users do not already have a Presentation Server Client installed
on their client device.
Select Use the Client for Java if the Web Client cannot be used or the user
chooses not to allow its download. In addition, you can configure the
automated update of the Web Client at logon (available for ActiveX
only). This option provides an automated method of updating client
3. Repeat steps 1-2 for all logon points you want to modify.
3. Change the key value to the length of time, in seconds, you want to allow
the Secure Access Client to establish a connection with the Access
Gateway.
4. Repeat steps 1-3 for all remaining servers running Advanced Access
Control.
3. Change the first numeric value in both keys to the length of time, in
seconds, in which you want tickets to remain valid from the time of issue.
4. Repeat steps 1-3 for all remaining servers running Advanced Access
Control.
the security level for the Local Intranet zone is set to High, customize the
browser security settings as described in the next section.
• If you want to keep the default security settings but also customize
individual security settings of your Advanced Access Control servers, you
can configure each server in the access server farm as a “trusted site.”
Configuring servers as trusted sites lets you customize their security
settings without affecting the Internet and Local Intranet settings.
Important: If your access server farm requires SSL, make sure that SSL is
required for all sites in the Trusted Site zone.
Caution: Do not modify the logic contained in the page because doing so
can yield undesirable results.
After configuring the servers in your access server farm, you perform a variety of
tasks to manage your deployment. These tasks help you ensure your deployment
runs smoothly and efficiently.
This section describes how to:
• Administer your access server farm using multiple Consoles
• Secure the Access Management Console with COM+
• Add and remove farms and servers
• Change the service account or database credentials
• Change the server roles
• Minimize downtime of your access server farm
• Monitor user sessions
1. In a Web browser, type the URL of the Access Gateway and enter your
administrator credentials.
2. In the Access Gateway Administration Portal, click Downloads.
3. Under Administration, click Download Access Gateway Administration
Tool Installer.
4. Select a location to save the installation application and click Save. The
installation tool is downloaded to your computer.
5. After downloading the file, navigate to the location it was saved and then
double-click the file.
6. To install the Administration Tool, follow the instructions in the wizard.
7. To start the Administration Tool, click Start > Programs > Citrix Access
Gateway Administration Tool > Citrix Access Gateway Administration
Tool.
8. In Username and Password, type the Access Gateway administrator
credentials. The default user name and password are root and rootadmin.
Important: The accounts appearing in the System role are required for
Advanced Access Control to function. You must also close the Access
Management Console before adding users to the Administrators or Non
Appliance Users role. If these System accounts are modified or if the console is
open when COM+ security is applied, your access server farm may stop
functioning and you may lose data.
2. Click Start > Programs or All Programs > Administrative Tools >
Component Services.
3. In the console tree, expand Component Services > Computers > My
Computer > COM+ Applications.
4. Expand Access Gateway Library > Roles and select the role that is
appropriate for the user(s) you want to add:
• To allow administrators to access appliance and farm settings with
the console, expand Administrators.
• To allow administrators to access farm settings only, expand Non
Appliance Administrators.
5. Right-click Users and select New.
6. Enter the user account(s) you want to add and click OK.
7. Restart the Access Gateway Library COM+ application.
8. Repeat steps 4-7 for the Access Gateway Server COM+ application.
1. Click Start > Programs or All Programs > Administrative Tools >
Component Services.
2. From the Component Services window, expand Computers > My
Computer > COM+ Applications.
3. Right-click Access Gateway Server and select Shut down.
4. Right-click Access Gateway Server and select Start.
Note: To manage multiple access server farms from Console instances running
on other machines, you must add the farms to each Console.
1. In the console tree, expand the Access Gateway node and select the farm
you want to remove.
2. Under Common Tasks, click Remove farm.
1. Launch the Access Gateway Administration Tool and select the gateway
appliance you want to remove.
2. Click the Advanced Options tab and then clear the Advanced Access
Control - includes an access server farm check box.
3. In Server running Advanced Access Control, remove the name of the
server running Advanced Access Control.
4. Click Submit to save your changes.
5. Restart the Access Gateway.
1. In the console tree, expand Gateway Appliances and select the gateway
appliance you want to remove.
2. Click Remove appliance and then click Yes to remove the gateway
appliance from the farm.
1. On the server running Advanced Access Control, choose Start > Programs
or All Programs > Citrix > Advanced Access Control > Server
Configuration.
2. Click Service Account to change the user name, password, or domain of
the service account. For information about requirements for valid service
accounts, see “Service Account Requirements” on page 44.
3. Click Server Farm Information to change the farm database server, farm
name, or database authentication method.
1. Run discovery to ensure Advanced Access Control detects all servers in the
farm.
2. In the console tree, expand the Servers node.
3. Select the server you want to remove.
4. Under Common Tasks, click Remove server.
1. From the console tree, select the farm node and then click Export Farm in
Other Tasks.
2. Enter the location where you want to create the .cab file.
When you click Next, the XML files are compressed into a .cab file and saved to
the location you specified.
1. From the console tree, select the farm node and then click Import Farm in
Other Tasks.
2. Enter the location of the .cab file you want to import.
When you click Next, the .cab file is decompressed and the existing configuration
data is replaced with the imported data.
Monitoring Sessions
The Access Gateway Advanced Edition Session Viewer is a session monitoring
tool that allows administrators to review user access to the access server farm and
terminate user sessions.
Note: You must have administrative privileges to run the Session Viewer. An
Advanced Access Control session is not required to run the Session Viewer.
Session Viewer displays data from the server on which you are logged on or from
other Advanced Access Control servers. This data includes:
• Client IP address
• User name used to log on
• Installed clients
• Logon point accessed and default home page
• Name of the Advanced Access Control server the user is accessing
When you select a session from the Sessions pane, the data for that session
displays in the Session Values pane. You can sort sessions by clicking the column
headings in the Sessions pane.
Click Start > All Programs > Citrix > Access Gateway > Session Viewer.
To terminate sessions
1. From the Sessions pane, select the user session(s) you want to terminate.
2. Click Delete.
If the user attempts to access resources after you terminate the session, an error
page appears and the user must log on again.
Chapter 15
The event logging capabilities in Advanced Access Control ensure you collect the
information needed to monitor access to corporate resources. Event logs allow
you to:
• Prove compliance with regulatory requirements
• Prove compliance with internal, corporate-specific requirements
• Take proactive measures against existing vulnerabilities, such as
evaluating incidents in which users circumvented the intended access and
modifying your access strategy to resolve these issues
• Assist support personnel in troubleshooting issues related to accessing
corporate resources
Events and their descriptions:
• Endpoint analysis scan results. Logs all endpoint analysis scan results.
Three events are generated for each scan. The first event contains the raw
endpoint analysis data from the client device. The second event contains the
scan results (true/false) based on analysis within Advanced Access Control.
The third event contains the scan results (true/false) specific to the
requirements for displaying the logon page.
• Logon page denied. Logs an event when a logon page is not displayed to the
user due to your configured requirements.
• Logon allowed. Logs an event when a successful Windows NT authentication is
passed to the domain controller. Events are not logged when a user sends
valid credentials but is denied access due to policy restrictions.
• Logon denied. Logs an event when an unsuccessful Windows NT authentication
is passed to the domain controller or when the Allow Logon policy denies a
user access to the logon page.
• User logged off. Logs an event when a user terminates a session.
• Session timed out. Logs an event when a session times out. The session
time-out value is configured as a logon point setting.
• Web resources - HTML MIME type. Logs an event for successful access to HTML
content within a Web resource such as HTML and ASP pages.
• Web resources - other MIME type. Logs an event for successful access to
non-HTML content within a Web resource such as JavaScript, Flash, XML, and
so on.
• Web resources - image MIME type. Logs an event for successful access to
images referenced within a Web resource such as a GIF or JPEG file.
• File shares. Logs an event for successful access to file shares or documents
within a file share.
• Web email. Logs an event for successful access to Web-based email including
Outlook Web Access, iNotes, and Advanced Access Control’s Web email
interface. Outlook Web Access and iNotes use the same event ID (304) while
Advanced Access Control’s Web email interface uses event ID (306).
• Resource access denied. Logs an event for unsuccessful access to any
resource within an access server farm. For Web resources, only unsuccessful
access to the HTML MIME type is logged. Unsuccessful access to other or image
MIME types is not logged.
Important: Audit log configuration is set at the access server farm level and
applies to all resources within the farm. Therefore, if your access server farm is
distributed across multiple servers, audit logs are written to each server within the
farm.
• Specify the events to log for the access server farm. Use the Access
Management Console to specify the type of events logged by servers within
an access server farm.
• Configure log settings for each server within the farm. Use the Windows
Event Viewer to configure log settings for each server including specifying
the maximum log size, determining when to overwrite events, and so on.
By default, the maximum size of the CitrixAGE Audit log is 5120KB and events
are retained for seven days before they can be overwritten. If the log reaches
its maximum size and contains no events older than seven days, new events are
not written, so audit records can be lost silently. If this configuration does
not meet your auditing needs, consider increasing the size of the log file as
well as modifying the event overwrite settings.
• Consolidate event logs into a single view. Each server within an access
server farm maintains its own event log. Use the Event Log Consolidator in
Advanced Access Control to collect event log data from all servers within
the farm and display this data in a single, consolidated view. After the data
is collected by the Event Log Consolidator, you can perform additional
analysis by running a variety of reports based on user access, resource
access, and so on.
1. In the console tree, select the access server farm you want to audit and click
Edit farm properties in Common Tasks.
2. On the Event Logging page, select from among the auditing options
described below. For detailed descriptions of these events, see the table in
“Configuring Audit Logging” on page 225.
• Endpoint analysis scan results
• Allowed and denied access to resources (Web resources, file shares,
and Web email)
• Logon point data including logon page denial, logon denial, logon
allowed, user log off, and session time-out
After auditing is enabled and configured within Advanced Access Control, you
can use the Windows Event Viewer to configure audit log settings including:
• Specifying the maximum log size
• Determining when to overwrite events
1. In the console tree, select Access Gateway and click View Events in
Common Tasks.
2. In the Event Log Consolidator, click File > Configure.
3. In the Polling Interval box, specify the time interval (in seconds) at which
the Event Log Consolidator collects audit log data from Advanced Access
Control servers.
4. Under Available Farms, select the access server farm for which you want
to view auditing data.
5. Click File > Collect to begin polling Advanced Access Control servers.
Fields and their descriptions:
• DateTime. Date and time of the request.
• UserName. Name of the authenticated user accessing the resource.
• ServiceName. Name of the Advanced Access Control component logging the
request.
• Status. Status of the request (accepted, denied, or completed).
• Machine Name. Name of the server logging the event.
• Session ID. Reference number assigned to a session upon successful user
authentication and license validation. This number is used to track session
events such as logon allowed, user logged off, and session timed out.
• PolicyReference. Reference number for denied attempts. This number is also
displayed to users when access is denied.
• EPAReference. Reference number for endpoint analysis scans. This number is
referenced by endpoint analysis before a user is authenticated to associate a
session ID with scan results.
• Resource. Name or URI (Uniform Resource Identifier) of the resource
requested.
• Data. Additional data specific to a message.
Although logging is enabled at the access server farm level, each server maintains
its own log file. To gather logging information from all servers within the farm
into a single view, use the Event Log Consolidator.
1. In the console tree, select Access Gateway and click View Events in
Common Tasks.
2. Sort events or generate reports to assist in the evaluation of this data.
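Because each server keeps its own log while a single session can touch several servers, some questions can only be answered on the consolidated view. The following added example (written for this guide, not the Event Log Consolidator's code) merges two constructed per-server logs that carry the fields from the table above, orders them by DateTime, and derives two of the reports the text mentions: denied access by user with the PolicyReference the user was shown, and sessions granted a logon that never logged off or timed out. The record values, the server names and the extra Event key naming the event type are assumptions of the example.

```python
from datetime import datetime

# Audit log field names from the guide's field table. "Event" is an added
# key (an assumption of this example) holding the event description.
FIELDS = ("DateTime", "UserName", "ServiceName", "Status", "Machine Name",
          "Session ID", "PolicyReference", "EPAReference", "Resource", "Data")


def make_event(*values, event):
    """Build one audit record from positional field values plus the event name."""
    record = dict(zip(FIELDS, values))
    record["Event"] = event
    return record


# Constructed sample records, one list per server. These are not real
# Advanced Access Control output; the users, hosts, session IDs and policy
# references are made up for the example.
AAC01_LOG = [
    make_event("2006-03-01 08:00:05", "CORP\\jsmith", "Logon", "accepted",
               "aac01", "1001", "", "", "/CitrixLogonPoint/default", "",
               event="Logon allowed"),
    make_event("2006-03-01 08:02:10", "CORP\\jsmith", "FileShare", "completed",
               "aac01", "1001", "", "", "\\\\fs01\\projects", "",
               event="File shares"),
    make_event("2006-03-01 08:03:40", "CORP\\mlee", "FileShare", "denied",
               "aac01", "1002", "P-4410", "", "\\\\fs01\\finance", "",
               event="Resource access denied"),
]
AAC02_LOG = [
    make_event("2006-03-01 08:01:20", "CORP\\jsmith", "WebEmail", "completed",
               "aac02", "1001", "", "", "/owa/", "", event="Web email"),
    make_event("2006-03-01 08:02:30", "CORP\\mlee", "Logon", "accepted",
               "aac02", "1002", "", "", "/CitrixLogonPoint/default", "",
               event="Logon allowed"),
    make_event("2006-03-01 08:10:00", "CORP\\jsmith", "Logon", "completed",
               "aac02", "1001", "", "", "", "", event="User logged off"),
]


def consolidate(*server_logs):
    """Merge per-server logs into one view ordered by DateTime, then server."""
    merged = [rec for log in server_logs for rec in log]
    merged.sort(key=lambda r: (
        datetime.strptime(r["DateTime"], "%Y-%m-%d %H:%M:%S"),
        r["Machine Name"]))
    return merged


def denied_access_report(events):
    """Map each user to the (Resource, PolicyReference) pairs denied to them.
    The PolicyReference is what the user sees on the denial page, so support
    staff can tie a user's report back to the exact event."""
    report = {}
    for rec in events:
        if rec["Event"] == "Resource access denied":
            report.setdefault(rec["UserName"], []).append(
                (rec["Resource"], rec["PolicyReference"]))
    return report


def sessions_still_open(events):
    """Session IDs granted a logon but with no log off or time-out event
    anywhere in the farm. A session can roam across servers, so this is
    only reliable on the consolidated view, never on one server's log."""
    opened, closed = set(), set()
    for rec in events:
        if rec["Event"] == "Logon allowed":
            opened.add(rec["Session ID"])
        elif rec["Event"] in ("User logged off", "Session timed out"):
            closed.add(rec["Session ID"])
    return opened - closed


if __name__ == "__main__":
    view = consolidate(AAC01_LOG, AAC02_LOG)
    for rec in view:
        print(rec["DateTime"], rec["Machine Name"], rec["UserName"], rec["Event"])
    print("denied:", denied_access_report(view))
    print("open sessions:", sessions_still_open(view))
```

In the sample, jsmith logs on through aac01 and logs off through aac02; only the merged view shows that session 1001 closed, and that session 1002 did not.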
Glossary
Access Client package. The tool administrators use to manage the distribution and
upgrade of Access Suite clients. Allows administrators to quickly and easily
deploy client-side software to end-users with one convenient Windows
Installer package.
Access Gateway Administration Desktop. A window where administrators can monitor
Access Gateway network activity. Tools included in the Administration
Desktop include the Citrix Real-Time Monitor, Ethereal Network Analyzer,
xNetTools, My traceroute, fnetload, Gnome System Monitor, and the
Workplace Switcher.
Access Gateway Administration Portal. A Web-based interface for performing
administration tasks for Access Gateway appliances. From the Administration
Portal you can download other administration tools for remote use, such as the
Administration Desktop and the Access Gateway Administration Tool.
Access Gateway Administration Tool. A 32-bit management console downloaded from
the Administration Portal and installed on a Windows computer in the secure
network. The Administration Tool can administer individual settings for all
gateway appliances in a cluster.
Access Gateway Real-Time Monitor. A console window listing current users and their
related information. You can close the VPN connection for any user from the
Real-Time Monitor. The Real-Time Monitor is accessed using the
Administration Desktop.
Access Interface. The user-facing Web page that displays the available corporate
resources, including URLs, email, and files.
access policy. A policy that enforces configuration settings for user access under
specified conditions. See also connection policy.
access scenario. The access scenario includes all the information about the user and
the user’s client device used to apply policies. Depending on the type of policy
being evaluated, the access scenario can include the user identity, the client
device, client device details discovered through endpoint analysis scans, the
authentication method employed, the logon point used to enter the network,
and so on.
access server farm. A logical grouping of servers on which Advanced Access Control
Services run. An access server farm consists of one or more networked
computers that run Advanced Access Control components such as the Web
Server, database server, and so on. These components work together to provide
access to corporate resources such as Web sites, file shares, and email. See also
server farm.
accessible networks. The IP addresses of the computers in the secure network to
which the Access Gateway is allowed to connect.
action controls. The permissions that users are granted for working with files through
Access Gateway Advanced Edition such as Download, Send as Email, and file
type association.
activation server. A server that performs file activation services such as HTML
Preview, Download, and Live Edit. It houses the Activation Host Service and
Activation Engine Service; the Activation Host Service acts as a “sandbox” for
the Activation Engine Service to activate a file.
activation services. A service that provides stateless load balanced file activation
including HTML Preview, Download, and Live Edit.
Advanced Access Control. Software components and features in Access Gateway
Advanced Edition that enable granular policy-based access control.
Advanced Access Control allows you to control user access based on such
factors as user location and authentication, endpoint analysis, and verification
of the client device.
Allow Logon. A permission (the ability to log on) that is controlled by policy. The
Allow Logon permission is treated as a resource to enable administrators to
add criteria for users to meet in addition to the usual authentication process.
application policy. A policy that can be configured for any software program,
including Web applications, when you are using the Access Gateway
appliance. Application policies allow you to restrict applications to a specified
network path and to make access to the application dependent upon endpoint
policies.
authentication profile. An authentication profile contains configuration settings that
define the authentication to be used with a logon point.
authentication type. The type of authentication being used, such as RADIUS, LDAP,
SafeWord, and so on.
authorization rejection page. The user-facing Web page that displays when a client
environment does not possess the baseline requirements for accessing
corporate network resources.
browser-only access. The ability to access corporate network resources without
requiring any client-side software other than a Web browser.
Citrix Activation System (CAS). The Citrix license management system available from
a secure area of the Citrix Web site that allows customers to generate license
files for Access Suite products. CAS stores a downloadable copy of all license
files generated and can display a list of licenses registered to an organization.
Appendix A Glossary 233
logon point. The URL from which users access corporate resources. The logon point
settings determine access to server farms, Access Interface configuration, and
other session-specific settings. In addition, a logon point can be used as a filter
within policies.
Microsoft SQL Server Desktop Engine (MSDE). A fully SQL Server-compatible data
engine. SQL Server Express 2005, the newest version of MSDE, can be used
in Access Gateway Advanced Edition for data storage in place of Microsoft
SQL Server. See also SQL Server Express.
network resource. A network resource defines subnets or servers on the corporate
network that users can connect to through the Access Gateway using the
Secure Access Client over specified ports. After defining network resources,
you can create policies that control their user access and connection settings.
pass-through authentication. The ability for Access Gateway to pass the user’s
authentication information to another corporate resource requiring this
information. Pass-through authentication is used for single sign-on to the Web
Interface in an Access Gateway deployment.
policy-based access control. The ability to grant granular access to users based on
their access scenario.
policy priority. A ranking system that allows you to prioritize policies to resolve
conflicts when multiple policies apply to the same situation. The settings of a
higher priority policy take precedence over conflicting settings in a lower
priority policy.
pre-authentication policy. A policy that allows users to log on if a set of scans validate
the client device. Pre-authentication policies can be created only using the
Access Gateway Administration Tool. If you are using Access Gateway
Advanced Edition, you can create a logon policy for similar functionality.
Presentation Server Client. Citrix software that enables users from a variety of client
devices to connect to computers running Presentation Server.
process scan. A type of continuous scan that verifies that a specified process is
running on the client device.
published application. An application installed on a server or server farm that is
configured for multiuser access from clients through Citrix Presentation
Server.
realm. A realm is used in Access Gateway Standard Edition to specify the logical area
of access granted through a specified type of authentication. Realms are
replaced in the Advanced Edition by authentication profile settings. The
Default realm authenticates against the local user list on the Access Gateway.
Additional realms for LDAP, SafeWord, RADIUS, and RSA SecurID can be
created or can be used as the Default realm.
registry scan. A type of continuous scan that validates a registry setting on the client
device.
resource group. A resource group combines multiple resources of differing types into
one named resource so that policies can be applied to the aggregate.
resources. The file shares, Web resources, email, and applications available through
the Access Gateway.
rule. In endpoint analysis, a rule is a set of conditions that define when to apply a
scan and which property values to check. Multiple rules can apply to a single
scan. The first rule of a scan is defined when you create the scan. After
creating the scan, you can add more rules to make the scan apply to multiple
scenarios.
scan. A process that verifies specific properties of client devices connecting to your
network, such as the installed version of an antivirus software product or
verification that the device belongs to a required domain.
scan output. A result of an endpoint analysis scan run on a connecting client device to
detect or verify information about the client device. There are two types of
scan outputs. One type is a property value that is detected and reported about
the client device, such as the version number of an antivirus program running
on the device. Another type is a simple Boolean (True or False) result
indicating whether or not the client device passed the requirements of the scan.
scan package. A package of code that allows administrators to configure endpoint
analysis scans. Each scan package is designed to examine a set of properties
for a specific software product. You can expand the default set of scan
packages by importing new ones. Citrix, partners, or developers in your
organization can develop additional scan packages using the Endpoint
Analysis Software Development Kit (SDK).
Secure Access Client. Citrix software used to connect users to network resources. In
the Standard Edition, users access a secure URL to download the software and
authenticate to the Access Gateway appliance. In the Advanced Edition,
administrators create a connection policy to require use of the software when
users access specific logon points. Users may download the software after they
authenticate.
Secure Sockets Layer (SSL). A standards-based security protocol for encryption,
authentication, and message integrity. It is used to secure the communications
between two computers across a public network, authenticate the two
computers to each other based on a separate trusted authority, and ensure that
the communications are not tampered with. SSL supports a wide range of
ciphersuites. The most recent version of SSL is Transport Layer Security
(TLS).
server farm. A group of computers running Citrix Presentation Server and managed as
a single entity, with some form of physical connection between servers and a
database used for the farm’s data store. See also access server farm.
session reliability. Part of the collection of features that comprise SmoothRoaming,
Session Reliability enables ICA sessions to remain active and on the user’s
screen when network connectivity is interrupted. Session Reliability
incorporates Common Gateway Protocol (CGP) which restores the user’s
session quickly and transparently.
small form factor device. A client device, such as a PDA, with limited display
capabilities.
SmartAccess. A feature that allows organizations to control which resources users get
access to, based on their access scenario, and what they can do with those
resources when they get access. In addition, this functionality integrates with
Citrix Presentation Server to give organizations this same level of granular
control over published applications.
SmoothRoaming. The ability to access information continuously across devices,
locations, and networks. This feature includes Workspace Control, session
reliability, and dynamic display reconfiguration.
split DNS. A feature that enables failover to a user’s local DNS if the default remote
DNS is unavailable.
split tunneling. A feature enabling the client device to send only the traffic destined for
the secured network through the VPN tunnel. With split tunneling, group-
based policies apply to the internal network interface only. For connections
from inside of the firewall, group-based policies do not apply to traffic to
external resources or resources local to the network; that traffic is not
encrypted.
SQL Server Express. The newest version of MSDE. See Microsoft SQL Server
Desktop Engine (MSDE) for more information.
Transport Layer Security (TLS). See Secure Sockets Layer (SSL).
trusted. Refers to a user, service, or resource that is specifically allowed to access the
corporate network.
untrusted. Refers to a user, service, or resource that is specifically disallowed from
accessing the corporate network.
user groups. In Access Gateway Standard Edition, a user group consists of a
collection of users, policies, and resources. User groups can be configured to
correspond with user groups configured on authentication servers. All local
users are automatically added to the Default user group. Users can also be
added to other user groups you have configured.
Web-based email. A method of receiving, composing, and sending email using a Web
browser instead of a local email application.
Web client. An ActiveX control that supports the launching and embedding of
published applications.
Web proxy. The URL rewriting component of Access Gateway Advanced Edition.
Web resource. A set of URLs or Web applications that consists of virtual directory
paths such as http://mycompany/mydocument. A Web resource is one of the
corporate resources available to users through the Access Gateway.
Web server. A computer that delivers Web pages to browsers and other files to
applications using HyperText Transfer Protocol (HTTP).
Appendix B Scan Properties Reference
Scan packages contain the software you need to create scans to detect information
about client devices. When creating scans, you typically specify one or more
property values that you’re looking for, such as an operating system version or
service pack level. This reference topic lists the properties you can configure for
Citrix scan packages.
For information about creating scans, see “Creating Endpoint Analysis Scans” on
page 166.
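The glossary entries for rule, scan and scan output, together with the property values this appendix lists, describe a small evaluation model: a scan carries one or more rules, each rule names the property values to check, and the scan yields both a detected property value and a Boolean result. The following is an added example of that model and is not Citrix code or the Endpoint Analysis SDK; the Rule and Scan classes, the client property dictionaries and the version thresholds are constructed for illustration (the thresholds are not the supported-version figures listed below). It also shows the check a practitioner wants when comparing versions: compare numerically, not as strings.

```python
"""Evaluate an endpoint analysis scan against properties reported by a client.
Added example, not Citrix code; classes, sample clients and thresholds are
constructed for illustration."""
import re
from dataclasses import dataclass, field


def version_key(text):
    """Reduce a version or pattern string such as '11.0.209', 'v.8.0i' or
    '2006 0809.018' to a tuple of integers so comparisons are numeric.
    Comparing the raw strings would rank '9.1' above '10.0'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


@dataclass
class Rule:
    """Conditions for one scenario: the product the rule applies to and the
    minimum version (optionally also a minimum pattern) it must report."""
    product: str
    min_version: str
    min_pattern: str = ""

    def applies_to(self, client):
        return client.get("product") == self.product

    def passes(self, client):
        ok = version_key(client.get("version", "0")) >= version_key(self.min_version)
        if self.min_pattern:
            ok = ok and version_key(client.get("pattern", "0")) >= version_key(self.min_pattern)
        return ok


@dataclass
class Scan:
    """A scan with one or more rules; the first rule that applies decides."""
    name: str
    rules: list = field(default_factory=list)

    def run(self, client):
        """Return (property outputs, Boolean output).

        The property outputs are what was detected on the device; the Boolean
        says whether the device met the scan's requirements.  A client that
        matches no rule fails closed (False)."""
        detected = {k: client.get(k) for k in ("product", "version", "pattern")}
        for rule in self.rules:
            if rule.applies_to(client):
                return detected, rule.passes(client)
        return detected, False


# Constructed scan: two rules so one scan covers two product lines.
ANTIVIRUS_SCAN = Scan("AntivirusCurrent", [
    Rule("VirusScan", min_version="10.0"),
    Rule("VirusScan Enterprise", min_version="8.0", min_pattern="4800"),
])

if __name__ == "__main__":
    # Constructed client reports, as an endpoint analysis client might send.
    for client in (
        {"product": "VirusScan", "version": "v.11.0.209"},
        {"product": "VirusScan", "version": "9.1"},
        {"product": "VirusScan Enterprise", "version": "8.0i", "pattern": "4825"},
        {"product": "Other AV", "version": "3.0"},
    ):
        print(client, "->", ANTIVIRUS_SCAN.run(client))
```

The fail-closed default for unmatched products is the design choice worth keeping: a scan that returns True for software it cannot evaluate grants access on no evidence.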
Note: This topic is available from the online help system of any server running
the Advanced Access Control software. If you need information about specific
properties while creating scans, use your online help to locate this reference topic.
Scan packages are organized alphabetically within the following groups by the
type of product or properties being scanned:
• “Antivirus Scan Packages” on page 240
• “Browser Scan Packages” on page 245
• “Firewall Scan Packages” on page 248
• “Machine Identification Scan Packages” on page 253
• “Miscellaneous Scan Packages” on page 255
• “Operating System Scan Packages” on page 256
Supported Versions
• At least up to VirusScan 2006 v.11.0.209
Scan Outputs
Supported Versions
• At least up to VirusScan Enterprise v.8.0i Pattern 4825
Appendix B Scan Properties Reference 241
Scan Outputs
Supported Versions
• At least up to Norton AntiVirus 2006 v.12.2.0.13 Pattern 2006 0809.018
Scan Outputs
Supported Versions
• At least up to Symantec AntiVirus Enterprise v10.0.0.359 Pattern 2006 0809.018
Scan Outputs
Supported Versions
• At least up to Version 7.3 Pattern 3.645.00
Scan Outputs
Supported Versions
• Windows XP SP2 - Security Center
Scan Outputs
Supported Versions
• At least up to Microsoft Internet Explorer 6.0
• At least up to Mozilla Firefox 1.5.06
• At least up to Netscape Navigator 8.1
• At least up to Safari 2.0
Scan Outputs
Supported Versions
• At least up to Internet Explorer Version 6.0 Service Pack 2
Scan Outputs
Supported Versions
• At least up to Internet Explorer Version 6.0 SP2
Scan Outputs
Supported Versions
• At least up to Firefox Version 1.5.06
Scan Outputs
Supported Versions
• At least up to Netscape Navigator Version 8.1
Scan Outputs
Supported Versions
• At least up to McAfee Desktop Firewall 8.5 Build 260
Scan Outputs
Supported Versions
• At least up to McAfee Personal Firewall Plus 2006 Version 7.1.113
Scan Outputs
Supported Versions
The scan can detect the following firewalls on these operating systems:
• Microsoft Windows XP Home and Professional: ICF
• Microsoft Windows XP Home and Professional Service Pack 1: ICF
• Microsoft Windows XP Home and Professional Service Pack 1: Windows Firewall
• Microsoft Windows 2003: ICF
Scan Outputs
Supported Versions
• At least up to Norton Personal Firewall 2006 Version 9.1.0.33
Scan Outputs
Supported Versions
• Windows XP SP2 - Security Center
Scan Outputs
Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00
Scan Outputs
Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00
Scan Outputs
Scan Outputs
Important: This scan package treats data as case sensitive. Avoid creating
conflicting entries that differ in case. For example, it is possible to create an entry
for the same address and map it to two different groups. One entry might map the
address 00:50:8b:e8:f9:28 to the Finance group. Another entry can map the same
address with different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such
entries make scan results unreliable.
For more information about using data sets, see “Using Data Sets in Scans” on
page 172.
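Because the scan package compares data set values case sensitively, the two entries in the note above are distinct keys to the scan and one machine can end up mapped to two groups. A check run before the data set is imported catches this. The following is an added example and not Citrix code: it assumes a two-column (address, group) data set, uses constructed sample rows, and the lower-case canonical spelling it produces is an assumption (use whichever case the scan package reports for the address).

```python
"""Pre-import check for a case-sensitive address-to-group data set.
Added example, not Citrix code; the two-column layout, the sample rows and
the lower-case canonical form are assumptions made for the example."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def canonical(mac):
    """Comparison key: lower-case spelling.  Raises on malformed input so a
    typo does not hide among the conflicts."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower()


def find_case_conflicts(rows):
    """Group rows by canonical address; return the groups that hold more than
    one spelling or more than one target group.  Two spellings with the same
    group are still reported: only one of them will ever match a device."""
    by_key = defaultdict(list)
    for address, group in rows:
        by_key[canonical(address)].append((address, group))
    return {key: entries for key, entries in by_key.items()
            if len({a for a, _ in entries}) > 1 or len({g for _, g in entries}) > 1}


def conflict_messages(rows):
    """Human-readable findings, one per conflicting address (empty if clean)."""
    msgs = []
    for key, entries in sorted(find_case_conflicts(rows).items()):
        spellings = ", ".join(f"{a} -> {g}" for a, g in entries)
        msgs.append(f"{key}: {len(entries)} entries differ only in case: {spellings}")
    return msgs


def is_importable(rows):
    """True when no address maps to more than one group after case folding."""
    groups = defaultdict(set)
    for address, group in rows:
        groups[canonical(address)].add(group)
    return all(len(g) == 1 for g in groups.values())


def canonical_rows(rows):
    """Rows rewritten to one spelling per address, ready to import.  Refuses
    to guess when an address maps to several groups."""
    if not is_importable(rows):
        raise ValueError("some addresses map to more than one group; fix the data set first")
    return sorted({(canonical(a), g) for a, g in rows})


# Constructed sample data set.
SAMPLE_ROWS = [
    ("00:50:8b:e8:f9:28", "Finance"),
    ("00:50:8B:E8:F9:28", "Sales"),        # same address, other case, other group
    ("00:0c:29:11:22:33", "Engineering"),
    ("00:0C:29:11:22:33", "Engineering"),  # same group, but only one spelling can match
    ("00:1a:2b:3c:4d:5e", "Sales"),
]

if __name__ == "__main__":
    for msg in conflict_messages(SAMPLE_ROWS):
        print(msg)
    print("importable:", is_importable(SAMPLE_ROWS))
```

Run this against the exported data set before importing it; the Finance/Sales pair is the case the note warns about, and the Engineering pair is the quieter failure where a device simply never matches.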
Scan Outputs
Scan Outputs
Supported Versions
• Mac OS X
Scan Outputs
Scan Outputs
Note: This scan package requires you to create a single-column data set listing
the update names you wish to detect.
Scan Outputs