Access Gateway Advanced Edition Administrator’s Guide

Citrix® Access Gateway™ 4.5 Citrix Access Suite™

Copyright and Trademark Notice

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. Copies of the End User License Agreement are included in the Documentation folder of the product CD-ROM. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2003-2006 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Presentation Server, Citrix Access Gateway, ICA (Independent Computing Architecture), Access Suite, Citrix Program Neighborhood, and SmoothRoaming are registered trademarks or trademarks of Citrix Systems, Inc. in the United States and other countries. RSA Encryption © 1996-1997 RSA Security Inc., All rights reserved.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple, Mac, Mac OS, and Macintosh are registered trademarks or trademarks of Apple Computer Inc. Flash and Shockwave are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Java is a registered trademark of Sun Microsystems, Inc. in the U.S. and other countries. Microsoft, MS-DOS, Windows, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory and Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Lotus, Domino, Notes, and iNotes are trademarks of International Business Machines Corporation in the United States, other countries, or both. Mozilla and Firefox are trademarks or registered trademarks of the Mozilla Foundation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Secure Computing and SafeWord are registered trademarks of Secure Computing Corporation. McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Norton AntiVirus, Norton Personal Firewall, Symantec, Symantec AntiVirus Solution, and Symantec Desktop Firewall are registered trademarks or trademarks of Symantec Corporation in the US and/or other countries. OfficeScan, Trend Micro, and Trend Micro Incorporated are trademarks of Trend Micro in the US and/or other countries. ZoneAlarm and Zone Labs are trademarks or registered trademarks of Zone Labs LLC in the United States and other countries. All other trademarks and registered trademarks are the property of their owners.

Document code: September 19, 2006 (JB)

Contents

Chapter 1

Welcome
Access Gateway Advanced Edition ... 11
Smart Access ... 11
SmoothRoaming ... 12
Secure by Design ... 12
New Features ... 13
New Name ... 14

Chapter 2

Getting Information and Help
Accessing Product Documentation ... 15
Document Conventions ... 16
Command-Line Conventions ... 17
Getting Service and Support ... 18
Subscription Advantage ... 18
Knowledge Center Watches ... 18
Education and Training ... 19
Customizing the Software ... 19

Chapter 3

Planning Your Access Strategy
Step 1: Evaluating Corporate Infrastructure ... 21
Step 2: Performing a Risk Analysis ... 25
Step 3: Developing Your Access Strategy ... 25
Securing Access and Resources with Policies ... 26
Planning for Client Requirements ... 26
Traversing Firewalls ... 27
Protecting Sensitive Corporate Data ... 27
Evaluating Authentication Types ... 28
One-Factor Authentication ... 29
Advanced Authentication ... 29
Planning for High Availability ... 30


Considering Users’ Needs ... 31

Chapter 4

Licensing the Advanced Edition
Installing Citrix Licensing ... 33
Getting More Information ... 34
Obtaining Licenses ... 34
Determining the Licenses Required ... 34
Licensing Grace Period ... 35
Mixed Environments ... 35
Specifying the License Server ... 36
Adding Shortcuts to the License Management Console ... 37

Chapter 5

Installing Advanced Access Control
Planning Your Installation ... 39
Pre-Installation Tasks ... 39
Post-Installation Tasks ... 41
Server Requirements ... 41
System Requirements ... 42
Network Requirements ... 43
Account Requirements ... 44
Microsoft SQL Server User Account Requirements ... 44
Service Account Requirements ... 44
Using Security Templates with the Service Account ... 45
Database Requirements ... 46
Access Gateway Requirements ... 46
Feature Requirements ... 46
HTML Preview Requirements ... 46
Live Edit Requirements ... 49
Email Synchronization Requirements ... 50
Web Email Requirements ... 50
Using Microsoft Windows 2003 Server Web Edition for Web Email ... 52
Endpoint Analysis Requirements ... 52
Authentication Software Requirements ... 53
Citrix Presentation Server Integration Requirements ... 54
Requirements for Bypassing the Web Proxy ... 57
Third Party Portal Integration Requirements ... 57
Client Requirements ... 58
Web Browser Requirements ... 58
Live Edit Client Requirements ... 60


Endpoint Analysis Client Requirements ... 61
Secure Access Client Requirements ... 61
Console Requirements ... 62
Installation Overview ... 62
Installing Advanced Access Control ... 63
Uninstalling Advanced Access Control ... 65

Chapter 6

Configuring Advanced Access Control
Supported Configurations ... 68
Access Gateway Configurations ... 68
Advanced Access Control Configurations ... 68
Double-Hop DMZ Configurations ... 69
Changing the Server Configuration ... 76
Configuring Your Server ... 76
Server Configuration Overview ... 76
Steps to Configuring A Server ... 77
Creating or Joining an Access Server Farm ... 77
Selecting a Database ... 78
Specifying an Existing Database Server ... 78
Specifying a License Server ... 79
Selecting a Web Site Path ... 79
Securing Web Site Traffic with SSL ... 80
Finishing Server Configuration ... 80
Enabling Advanced Access Control ... 80
Using the Access Management Console ... 82
Installing the Access Management Console ... 82
Users and Accounts ... 82
Deploying the Console to Administrators ... 82
The Access Management Console User Interface ... 82
Starting the Access Management Console ... 83
Finding Items in Your Deployment Using Discovery ... 83
Customizing Your Displays Using My Views ... 84
Configuring Your Farm with the Getting Started Panel ... 84
Linking to Citrix Presentation Server ... 85
Specifying Server Farms ... 85
Configuring Load Balance or Failover ... 86
Configuring Address Modes ... 87
Configuring Address Translation ... 88
Configuring the Access Gateway Address Mode ... 88
Associating Access Platform Sites ... 89


Configuring Logon Points ... 89
Renaming Logon Points ... 92
Logging on through the Logon Point ... 92
Updating Logon Page Information ... 93
Changing Expired Passwords ... 93
Setting the Default Logon Point ... 93
Removing Logon Points ... 94
Configuring the Access Gateway ... 95
Configuring Split Tunneling ... 95
Configuring Accessible Networks ... 96
Forwarding System Messages ... 96
Configuring Client Properties ... 97
Configuring Server Properties ... 98
Configuring ICA Access Control ... 99
Configuring Authentication with Citrix Presentation Server ... 100

Chapter 7

Securing User Connections
Configuring Advanced Authentication ... 101
Configuring RADIUS and LDAP Authentication ... 102
Creating RADIUS Authentication Profiles ... 102
Creating LDAP Authentication Profiles ... 104
Assigning Authentication Profiles to Logon Points ... 105
Setting Authentication Credentials for Logon Points ... 106
Configuring RSA SecurID Authentication ... 108
Configuring SafeWord Authentication ... 110
Configuring Advanced Authentication with SafeWord ... 111
Configuring Authentication with SafeWord Only ... 111
Configuring RADIUS with SafeWord ... 112
Configuring Trusted Authentication ... 115
Configuring the Access Gateway for Trusted Authentication ... 115
Configuring Advanced Access Control for Trusted Authentication ... 116

Chapter 8

Adding Resources
Creating Network Resources for VPN Access ... 119
Using the Entire Network Resource ... 120
Defining Resources to Avoid Conflicts ... 121
Creating Web Resources ... 121
Including Related Files ... 123
Configuring Sites Secured with SSL ... 123


Web Resources that Keep Sessions Alive ... 124
Enabling Pass-Through Authentication for Web Resources ... 124
Configuring Sites with Form-Based Authentication ... 125
Creating File Shares ... 125
Using Dynamic System Tokens ... 128
Active Directory Attributes ... 129
Creating Resource Groups to Ease Policy Administration ... 129
Integrating Resource Lists in Third-Party Portals ... 130

Chapter 9

Controlling Access Through Policies
Controlling User Access ... 131
Integrating Your Access Strategy ... 132
Pooling Resources By Access Needs ... 132
Designing Policies From User Scenarios ... 133
Differentiating Access Control and Publishing ... 134
Creating Access Policies ... 135
Naming Policies ... 136
Configuring Policy Settings to Control User Actions ... 137
Allowing Access to Standard Web Content ... 138
Allowing File Type Association ... 138
Allowing HTML Preview ... 139
Allowing Email Attachments ... 139
Allowing Live Edit ... 140
Allowing Logon ... 140
Setting Conditions for Showing the Logon Page ... 141
Bypassing URL Rewriting ... 144
Considerations about URL Rewriting ... 144
Limitations of Browser-Only Access ... 145
Creating Connection Policies ... 146
Creating Policies for Presentation Server Connections ... 148
Prioritizing Connection Policies ... 149
Creating Policy Filters ... 149
Creating Custom Filters ... 151
Creating Continuous Scan Filters ... 152
Granting Access to the Entire Network ... 154
Reviewing Policy Information with Policy Manager ... 155

Chapter 10

Integrating Citrix Presentation Server
Linking from Advanced Access Control to Citrix Presentation Server ... 158


Integrating Web Interface ... 158
Displaying Multiple Sites and Caching Credentials ... 160
Coordinating Advanced Access Control and Web Interface Settings ... 162
Configuring File Type Association ... 163
Integrating Third-Party Portals ... 163

Chapter 11

Verifying Requirements on Client Devices
Creating Endpoint Analysis Scans ... 166
Using Scan Outputs to Filter Policies ... 168
Using Scan Outputs to Filter Logon Page Visibility ... 168
Scan Packages ... 168
Adding Rules to Scans ... 169
Using Scan Outputs in Other Scans ... 170
Editing Conditions and Rules ... 171
Editing the Available Conditions ... 171
Editing Rules ... 172
Using Data Sets in Scans ... 172
Lists ... 172
Maps ... 172
Creating Data Sets ... 173
Adding Scan Packages ... 174
Grouping Scans ... 175
Adding Language Packs ... 175
Scripting and Scheduling Scan Updates ... 175
Updating Property Values in Scans ... 176
Updating Data Sets ... 177
Creating Continuous Scans ... 178

Chapter 12

Providing Secure Access to Corporate Email
Choosing an Email Solution ... 182
Providing Access to Published Email Applications ... 183
Providing Users with Secure Web-Based Email ... 184
Enabling Access to Web-Based Email ... 184
Integrating Web-Based Email Access with a Third-Party Portal ... 187
Providing Users with Secure Access to Email Accounts ... 188
Enabling Users to Attach Files to Web-Based Email ... 190
Restricting File Attachment Types ... 191
Enabling Access to Email on Small Form Factor Devices ... 192
Updating the Mapisvc.inf File ... 193


Chapter 13

Rolling Out Advanced Access Control to Users
Developing a Client Software Deployment Strategy ... 195
Determining Responsibility for Installing Client Software ... 196
Supported Deployment Options ... 198
Determining Which Clients to Deploy ... 199
Managing Client Software Using the Access Client Package ... 200
Client Software Available for the Access Client Package ... 201
Creating a Client Distribution Package ... 201
Distributing and Installing Your Client Software Package ... 201
Posting Client Software to a Share Point ... 203
Downloading Client Software on Demand ... 203
Ensuring a Smooth Logon Experience with the Secure Access Client ... 205
Modifying the Logon Point Redirect URL ... 206
Modifying Browser Delay Settings ... 206
Modifying Ticket Lifetime Settings ... 207
Ensuring a Smooth Rollout ... 208
Providing Logon Information to Users ... 208
Browser Security Considerations ... 209
Customizing Browser Security Settings ... 210
Customizing the Logon Error Message ... 211

Chapter 14

Managing Your Access Gateway Environment
Managing Access Server Farms Remotely ... 213
Controlling Access by Multiple Consoles ... 214
Using Groups in Policy Assignments ... 215
Securing the Access Management Console Using COM+ ... 215
Restarting COM+ Applications ... 216
Adding and Removing Farms ... 217
Adding and Removing Gateway Appliances ... 217
Changing Service Account and Database Credentials ... 218
Modifying Server Roles ... 219
Removing Servers from the Farm ... 219
Maintaining Availability of the Access Server Farm ... 220
Exporting and Importing Configuration Data ... 220
Monitoring Sessions ... 222

Chapter 15

Auditing Access to Corporate Resources
Configuring Audit Logging ... 225
Interpreting Audit Events ... 229


Troubleshooting User Access to Resources ... 230
Performing Audit Log Maintenance ... 230

Appendix A

Glossary

Appendix B

Scan Properties Reference
Antivirus Scan Packages ... 240
Citrix Scans for McAfee VirusScan ... 240
Citrix Scans for McAfee VirusScan Enterprise ... 240
Citrix Scans for Norton AntiVirus Personal ... 241
Citrix Scans for Symantec AntiVirus Enterprise ... 242
Citrix Scans for Trend OfficeScan ... 243
Citrix Scans for Windows Security Center Antivirus ... 244
Browser Scan Packages ... 245
Citrix Scans for Browser Type ... 245
Citrix Scans for Internet Explorer ... 245
Citrix Scans for Internet Explorer Update ... 246
Citrix Scans for Mozilla Firefox ... 247
Citrix Scans for Netscape Navigator ... 247
Firewall Scan Packages ... 248
Citrix Scans for McAfee Desktop Firewall ... 248
Citrix Scans for McAfee Personal Firewall Plus ... 249
Citrix Scans for Microsoft Windows Firewall ... 250
Citrix Scans for Norton Personal Firewall ... 251
Citrix Scans for Windows Security Center Firewall ... 251
Citrix Scans for ZoneAlarm ... 252
Citrix Scans for ZoneAlarm Pro ... 252
Machine Identification Scan Packages ... 253
Citrix Scans for Domain Membership ... 253
Citrix Scans for MAC Address ... 254
Miscellaneous Scan Packages ... 255
Citrix Bandwidth Scan ... 255
Operating System Scan Packages ... 256
Citrix Scans for Macintosh ... 256
Citrix Scans for Microsoft Windows Service Pack ... 256
Citrix Scans for Microsoft Windows Update ... 257

CHAPTER 1

Welcome

Citrix Access Gateway is a universal SSL VPN appliance that provides a secure, always-on, single point-of-access to all applications and protocols. It has all of the advantages of IPSec and SSL VPNs, without their costly and cumbersome implementation and management. With the Advanced Edition, Access Gateway finely controls both the resources users can access and what actions they can perform, facilitating regulatory compliance. Access Gateway delivers the best access experience for everyone: secure access to corporate data for the business, easy access for users, and easy administration and management for IT.

Access Gateway Advanced Edition
The Advanced Edition expands your Access Gateway environment with Advanced Access Control software, which provides your users with the following standard features.

SmartAccess
SmartAccess analyzes the access scenario and then delivers the appropriate level of access without compromising security. Depending on who and where users are and what device and network they are using, users are granted different levels of access, such as the ability to preview, but not edit, documents. Advanced Access Control provides SmartAccess through two key phases—sense and respond. In the sensing phase of SmartAccess, the system analyzes the users’ access scenario and then responds with an appropriate level of access. “Granted” or “denied” are no longer the only answers to an access attempt because organizations not only control which resources users get access to based on their access scenario, but how they can use these resources when they gain access. For example, a user at an airport kiosk could be allowed to only preview or read email attachments and files but would not be allowed to download, edit, or print these files. However, that same user working from home may be granted full download, editing, and printing capabilities. In addition, Advanced Access Control integrates seamlessly with Citrix Presentation Server to give organizations this same level of granular control over published applications.

12

Access Gateway Advanced Edition Administrator’s Guide

SmoothRoaming
Advanced Access Control supports SmoothRoaming technology by ensuring that as users move between devices, networks, and locations, the appropriate level of access is configured automatically for each new access scenario.

Secure by Design
Advanced Access Control provides users with access that is inherently secure by design, protecting both the security of company information and the integrity of the network. SmartAccess, SmoothRoaming, and Secure by Design technologies work together by combining the following features:
• Integrated endpoint security. Provides continuous real-time monitoring to ensure that the device is safe to connect and remain connected to the network. Endpoint analysis further evaluates the integrity of connecting devices and allows you to tailor the level of access you grant in policies according to analysis results.
• VPN connectivity. Network resources enable direct SSL virtual private network (VPN) connectivity to servers, services, and networks within the corporate LAN.
• Action controls. Allow administrators to set policies that allow or deny viewing, editing, and saving documents depending on the user’s identity, device, location, and connection.
• Mobile device awareness. Re-factors email and file interfaces for personal digital assistants (PDAs) and small form factor devices.
• Browser-only access. Provides access with any Web browser on any device to Web sites, files, and email. You can automatically render Microsoft Office documents for HTML Preview.
• Secure access to Web-based email and files. Provides access to corporate email securely over the Internet through a Web-based user interface. Allows users to securely access Microsoft Outlook and Lotus Notes in real time and synchronize information for offline use. Enables access to corporate network file shares securely over the Internet through a Web-based user interface.
• Advanced Presentation Server integration. You can use endpoint analysis and client location to control which published applications are available to the user. This feature extends SmartAccess to Presentation Server, including the use of Advanced Access Control filters to control local client drive mapping, clipboard operations, and local printer mapping.
• Multilingual support. Provides full server and client support for Japanese, German, French, and Spanish.
• Standards-based encryption. Uses industry-standard SSL encryption to provide secure access to corporate resources.
• Common management platform. Provides a unified framework containing client and server configuration, licensing, monitoring, and reporting tools for administrative simplicity, business visibility, and corporate security.

New Features
This release provides the following new features and enhancements.
• Support for UPN and Alternate UPN credentials. Users who log on to internal networks with credentials specified in User Principal Name (UPN) or Alternate UPN format can log on to the Access Gateway and seamlessly access corporate resources such as published Web sites, file shares, and Web email.
• Enhanced access to Citrix Presentation Server published applications. Citrix Presentation Server published applications are accessible as Access Platform sites from within the Access Interface, allowing users to quickly access and launch published applications. You can enable up to three Access Platform sites to display applications from multiple Presentation Server farms.
• Support for third-party load balancers. In addition to its internal load balancing capabilities, Access Gateway Advanced Edition supports configurations that include third-party load balancers such as Citrix Netscaler. In the event an Advanced Access Control server in a farm becomes unavailable, users are routed automatically to another Advanced Access Control server.
• Enhanced access to documents hosted on Sharepoint sites. Microsoft Sharepoint sites that are accessed through the Web proxy retain many of the menu-driven features users need to work with files, such as Delete, Edit Properties, and Alert Me.
• Support for double-hop DMZ deployments. Organizations can provide an extra layer of security for their internal resources by deploying Access Gateway appliances in a two-stage DMZ configuration.
• Policies dynamically determine best resource delivery method. You can configure policies to determine the best method for accessing resources based on users’ connection bandwidth. Using the Citrix Bandwidth endpoint analysis scan, the connection bandwidth is calculated and the result is used to determine whether resources such as published applications are streamed or delivered to the user through an ICA session.

New Name
Access Gateway Advanced Edition is the new name for the products formerly known as Access Gateway with Advanced Access Control, Access Gateway Enterprise, and MetaFrame Secure Access Manager.

CHAPTER 2

Getting Information and Help

The topics in this section describe how to get more information about the product and how to contact Citrix.
• “Accessing Product Documentation” on page 15
• “Getting Service and Support” on page 18
• “Education and Training” on page 19
• “Customizing the Software” on page 19

Accessing Product Documentation
Your product documentation includes PDF guides, online documentation, known issue information, integrated on-screen assistance, and application help.
• User documentation is provided through the online help system and Adobe Portable Document Format (PDF) files. Guides correspond to different features. For example, information for administrators is contained in the Access Gateway Standard Edition Administrator’s Guide. Guides are stored in the \Documentation folder on the Server CD. Installation places documentation files in the C:\Program Files\Citrix\Access Gateway\Documentation\lang directory. In these examples, lang refers to the language, such as en for English, de for German, and so on.
Note: Online guides are provided as Adobe Portable Document Format (PDF) files. To view, search, and print the PDF documentation, you need to have Adobe Acrobat Reader 5.0.5 with Search or Adobe Reader 6.0 through 7.0. You can download these products for free from the Adobe Systems Web site at http://www.adobe.com/.
• In many places in the user interface, integrated on-screen assistance is available to help you complete tasks. For example, in the Access Management Console, you can position your mouse over a setting to display help text that explains how to use that control.
• Online help is available in many components such as the console. You can access the online help from the Help menu or Help button.

The following documentation is included with your software:
• The Readme files on the Server CD provide the latest information about functionality, known issues, and documentation changes. Be sure to read these documents for important information before you install the product or its components.
• This manual, the Access Gateway Advanced Edition Administrator’s Guide, provides conceptual information and procedures for system administrators who plan, design, pilot, or deploy the software. It provides information about features, installation and setup, and access server farm maintenance.
• Access Gateway Advanced Edition Upgrade Guide provides procedures for system administrators upgrading from an earlier release. It provides information about how to back up your access server farm’s data, upgrade server components, and migrate data and license information.
• Getting Started with Citrix Licensing Guide and the licensing Readme file provide conceptual and procedural information about deploying, maintaining, and using licensing for Citrix products.

Additional gateway appliance documentation available from the Access Gateway’s Administration Portal includes Getting Started with Citrix Access Gateway Standard Edition, Access Gateway Standard Edition Pre-Installation Checklist, Access Gateway Standard Edition Administrator's Guide, and a Readme file. To provide feedback about the documentation, go to www.citrix.com and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.

Document Conventions
This documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.
%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or another name you specify when you install Windows.
Monospace: Text displayed in a text file.
{ braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional device names separated by commas.

Command-Line Conventions
Some components run from a DOS command line interface. If you are not familiar with DOS command lines, note that:
• Slashes and hyphens in a command line are significant and must be entered exactly as described in the instructions.
• The spacing on the command line is significant and must be followed exactly as described in the instructions.
• Help is available for DOS-based programs by entering the command name followed by a forward slash and a question mark, for example: C:\>sessmon /?


Getting Service and Support
Citrix provides technical support primarily through the Citrix Solution Advisors (CSA) Program. Our CSA partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSA partner at http://www.citrix.com/support/. In addition to the CSA program, Citrix offers a variety of self-service, Web-based technical support tools that include the following:
• The Citrix Knowledge Center, an interactive tool containing thousands of technical solutions to support your Citrix environment
• Support forums, where you can participate in technical discussions and search for previous responses from other forum members
• Software downloads, for access to the latest service packs, hotfixes, and utilities
• Downloadable clients, available at http://www.citrix.com/download/

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.

Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software versions and information for your Citrix products. Not only do you get automatic access to download the latest feature releases and software upgrades and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your Citrix sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Knowledge Center Watches
The Citrix Knowledge Center allows you to configure watches. A watch notifies you if the topic you are interested in was updated. Watches allow you to stay notified of updates to Knowledge Base or Forum content. You can set watches on product categories, document types, individual documents, and on Forum product categories and individual topics. To set up a watch, log on to the Citrix Support Web site at http://support.citrix.com. After you are logged on, in the upper right corner, click My Watches and follow the instructions.

Education and Training
Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available from http://www.citrix.com/edu/.

Customizing the Software
The Citrix Developer Network (CDN) is an open-enrollment membership program that provides access to developer toolkits, technical information, and test programs. Software and hardware vendors, system integrators, ICA licensees, and corporate IT developers who incorporate Citrix computing solutions into their products can access CDN at http://apps.citrix.com/cdn/. Some operations can be scripted with a Citrix Software Development Kit (SDK). The Endpoint Analysis SDK that is included with your software supports customization of endpoint analysis and is located on the Server CD in the \Setup\EndpointAnalysisSDK folder.


CHAPTER 3

Planning Your Access Strategy

Before you install Advanced Access Control, you should evaluate your infrastructure and collect the information necessary to develop an access strategy that meets the specific needs of your corporation. When planning an access strategy, follow the general steps below.
• “Step 1: Evaluating Corporate Infrastructure” on page 21
• “Step 2: Performing a Risk Analysis” on page 25
• “Step 3: Developing Your Access Strategy” on page 25
Each of these steps is discussed in detail in the following sections. Consider documenting your findings throughout this process to assist you in designing and scoping the overall effort of the project, determining a realistic timeline for implementation, and setting benchmarks against which to measure your overall progress.

Step 1: Evaluating Corporate Infrastructure
Corporate infrastructure includes all of the hardware components comprising your company’s network such as client devices, servers, load balancers, firewalls, and so on. In addition, include the resources for which you want to provide access such as applications, services, and data in your assessment. The most common types of corporate infrastructure include:
• Web applications such as a corporate intranet, Web-based email application, and so on
• Corporate data such as databases, documents, presentations, spreadsheets, and so on
• Servers such as Exchange or Notes/Domino servers, Web servers, database servers, and so on

You can use Advanced Access Control to secure and control users’ access to all their resources on the corporate network. The following diagrams show three traffic routes (VPN, browser, or Presentation Server ICA) you can provide and combine to satisfy a wide variety of remote access needs.

Virtual private network traffic: [diagram]

Web browser traffic: [diagram]

Presentation Server traffic: [diagram]

After you identify the elements within your corporate infrastructure, you can perform a risk analysis and then develop a strategy for providing the appropriate level of access to these resources. Note: Advanced Access Control includes built-in load balancing support. Therefore, you do not need to deploy a load balancer to manage requests made to Advanced Access Control servers.

Step 2: Performing a Risk Analysis
In the context of access control, vulnerabilities represent the possibility of unauthorized users gaining access to corporate resources. There are various methods of deriving risk, usually based on a combination of likelihood and consequence information. For example, when providing users with access to a specific corporate resource, how likely is a particular threat and what damage could be done if that threat is realized? The key elements to consider when determining the risks associated with providing access to a corporate resource include the type of resource accessed, the sensitivity of the data included in that resource, and the environment from which the resource is accessed. Because both the likelihood of a threat and the damage it causes are subjective estimates, risk is difficult to quantify precisely. However, the goal of risk analysis is to ensure that your Advanced Access Control policies enable users to access corporate resources at an acceptable risk level. For example, weigh the benefits of enabling users to access confidential data against the possibility that this data is accidentally revealed to unauthorized users. If your analysis reveals the risk is too great, you can create policies that further restrict access to this data and, as a result, reduce the risk associated with providing access to it.

Step 3: Developing Your Access Strategy
After you collect information about your corporate infrastructure, identify the corporate resources for which you want to provide access, and perform a risk analysis, you are ready to develop your access strategy. This process includes determining how to integrate Advanced Access Control into your existing network.


Securing Access and Resources with Policies
Policies extend the security of your network by controlling which resources users can access and what actions users can perform on those resources. Before creating policies, consider:
• Resources. Identify the resources for which you want to provide access. Use the results of your risk analysis to assist you in this process.
• Users. Associate policies with the appropriate users.
• Access scenarios. Develop policies to support the scenarios in which users access corporate resources. A scenario is defined by the logon point used to access the network, endpoint analysis scan results, authentication type, or a combination thereof. For example, determine if users can access their email over the Internet using a corporate laptop.
In addition, determine the actions users can perform when they gain access. For example, you can specify whether users can modify documents using a published application, preview a document as an HTML file, and so on. For a detailed explanation about how to incorporate policies into your access strategy, see “Controlling Access Through Policies” on page 131.

Planning for Client Requirements
Advanced Access Control includes two methods of verifying information on the client device. Continuous scans verify required files, processes, or registry entries on client devices connecting to your network. These scans run repeatedly during the user session to ensure that the client device continues to meet your requirements. You can incorporate continuous scans into connection policies so that if a required file, process, or registry scan ceases to be verified, the connection is disconnected. Endpoint analysis scans detect information about a client device, such as the operating system version and service pack level. The scans run when a user tries to connect through a logon point. However, unlike continuous scans, endpoint analysis scans run only once per session. You can incorporate scan results into access policies, allowing you to base access to your networks and resources on the information you gather about the client device. For example, you can prohibit access to your corporate network by employees working from a home workstation unless the workstation is running a required version of antivirus software. For more information about incorporating continuous and endpoint analysis scans into your access strategy, see “Verifying Requirements on Client Devices” on page 165.
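The following Python is an added illustration, not code from the product or the Endpoint Analysis SDK, of the two ideas in “Securing Access and Resources with Policies” and “Planning for Client Requirements”: an access scenario (logon point, endpoint analysis results, authentication type) is sensed once at logon and policies respond with a set of permitted actions per resource, while a continuous scan re-checks a requirement at every interval and drops the connection the first time it fails. The scan keys, logon point names, process name, and policy rules are constructed for the example; a real scan package reports its own fields.

```python
"""Model of "sense and respond" policy evaluation and of continuous scans.
Added example; not Citrix code. All names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Scenario:
    """An access scenario as the guide defines it."""
    logon_point: str                 # hypothetical: "internet" or "lan"
    auth_type: str                   # hypothetical: "password" or "advanced"
    scan_results: Dict[str, object]  # endpoint analysis output, gathered once per session


@dataclass(frozen=True)
class AccessPolicy:
    """Grants a set of actions on one resource when the condition holds."""
    resource: str
    actions: FrozenSet[str]
    condition: Callable[[Scenario], bool]


def av_ok(s: Scenario) -> bool:
    """Hypothetical antivirus check: scanner running with recent signatures."""
    return bool(s.scan_results.get("av_running")) and \
        int(s.scan_results.get("av_signature_age_days", 999)) <= 7


def domain_member(s: Scenario) -> bool:
    """Hypothetical domain membership scan result."""
    return bool(s.scan_results.get("domain_member"))


POLICIES: List[AccessPolicy] = [
    # Anyone who authenticates may preview email attachments (HTML Preview).
    AccessPolicy("email", frozenset({"preview"}), lambda s: True),
    # Download, edit and print only from a domain-joined, AV-protected device.
    AccessPolicy("email", frozenset({"download", "edit", "print"}),
                 lambda s: domain_member(s) and av_ok(s)),
    # File shares need advanced authentication; editing also needs a LAN logon point.
    AccessPolicy("fileshare", frozenset({"preview"}),
                 lambda s: s.auth_type == "advanced"),
    AccessPolicy("fileshare", frozenset({"download", "edit"}),
                 lambda s: s.auth_type == "advanced" and s.logon_point == "lan"),
]


def allowed_actions(scenario: Scenario, resource: str,
                    policies: Iterable[AccessPolicy] = POLICIES) -> FrozenSet[str]:
    """Respond phase: the union of actions granted by every matching policy.
    An empty result means the resource is not offered to the user at all."""
    granted: Set[str] = set()
    for policy in policies:
        if policy.resource == resource and policy.condition(scenario):
            granted |= policy.actions
    return frozenset(granted)


def continuous_scan(required_processes: Set[str], snapshots: List[Set[str]]) -> int:
    """Connection-policy model: each snapshot is the client's process list at one
    scan interval. Returns the interval at which the connection is dropped, or -1
    if the requirement held for the whole session."""
    for interval, running in enumerate(snapshots):
        if not required_processes <= running:
            return interval
    return -1


if __name__ == "__main__":
    kiosk = Scenario("internet", "password", {"av_running": False, "domain_member": False})
    home = Scenario("internet", "password",
                    {"av_running": True, "av_signature_age_days": 2, "domain_member": True})
    print("kiosk email:", sorted(allowed_actions(kiosk, "email")))
    print("home email: ", sorted(allowed_actions(home, "email")))
    # Constructed process snapshots: the required firewall agent stops at interval 2.
    print("dropped at:", continuous_scan({"fw_agent.exe"},
                                         [{"fw_agent.exe", "explorer.exe"},
                                          {"fw_agent.exe"}, {"explorer.exe"}]))
```

The airport-kiosk scenario from “SmartAccess” gets preview only, the home scenario with a domain-joined, protected device gets full actions on the same resource, and the session model shows why a connection policy (not an access policy) is the right place for a requirement that must hold for the life of the session.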


Traversing Firewalls
Access Gateway eases firewall traversal and provides a secure Internet gateway between Advanced Access Control servers and client devices. Scenarios in which firewalls are commonly used include:
• Demilitarized zones (DMZs). In this scenario, firewalls are used to create one-stage or two-stage DMZs to protect the corporate network from Internet traffic. This deployment requires users external to the network to traverse firewalls protecting the corporate network before gaining access to corporate resources.
• Enclaves. In this scenario, firewalls limit traffic between specific segments of the network. For example, hospital administrators may segment their LAN so that access to sensitive information such as patient records is accessible only from specific enclaves within the network.
• Perimeter of access server farm. In this scenario, firewalls secure Advanced Access Control servers from threats within the corporate LAN by forming a secure perimeter around the access server farm. This deployment ensures that the access server farm is not directly accessible to users.

Corporations often implement a combination of the above deployments to protect against different types of threats. See the Access Gateway Standard Edition Administrator’s Guide for more information about supported Access Gateway deployment scenarios.

Protecting Sensitive Corporate Data
Sensitive data, often referred to as intellectual property, is any information, application, or service considered proprietary to the corporation. Examples of intellectual property include financial documents, customer data, employee records, and so on. The sensitivity of data is based on the assessment of impact if there is a loss of data confidentiality or integrity. When assessing the sensitivity of data consider:
• Regulatory requirements. More stringent privacy laws impose new levels of confidentiality on several business sectors including health care, insurance, and finance. In addition, the global environment necessitates an awareness of regulations in any state or country in which your corporation performs business.
• Legal ramifications. Determine if there are any legal implications related to the exposure of proprietary data; specifically, whether or not another party takes legal action against your corporation due to the exposure of confidential information to unauthorized users.
• Competitive impact. Determine if the loss of information results in your corporation’s inability to remain competitive. For example, consider a scenario in which your company’s “secret recipe” is made available to your competitors.
• Corporate reputation. Determine the impact to your corporation’s reputation if certain proprietary information is made available to unauthorized users. For example, consider a scenario in which your customers’ credit card information is accessed by unauthorized users. In addition to possible legal action, customers may lose faith in your company’s ability to maintain their privacy and, as a result, choose to stop using your services.

The goal of intellectual property control is to prevent the exposure of sensitive corporate data. Using Advanced Access Control, you can protect intellectual property through the use of the following policy-based access control features:
• HTML Preview. You can configure Microsoft Office files such as Word and Excel so that they display as HTML files instead of their native file format. This allows users to view but not modify the document. In addition, the risks associated with temporary files are mitigated as the HTML files are removed from the client device’s cache when the user terminates the session. Therefore, no sensitive data is accidentally left on the client device after users log off.
• Citrix Presentation Server integration. You can configure files to open within a published application instead of a local application on a client device. This increases the protection of intellectual property because proprietary data remains within the protected corporate network at all times. In addition, you can share Advanced Access Control policy information with Citrix Presentation Server to selectively enable functionality for a specific published application session such as client drive mapping and local printing. For more information about filters, see “Controlling Access Through Policies” on page 131.

Evaluating Authentication Types
Authentication is the process of determining whether users are, in fact, who they declare to be. Advanced Access Control supports one-factor and advanced authentication. Each authentication option is described in the following sections.


One-Factor Authentication
One-factor authentication is based on something users know such as a PIN, password, or pass phrase. When implementing one-factor authentication, users authenticate to Advanced Access Control by entering their user name and password when they log on. Users are assumed to be valid because they enter the correct credentials. The advantages of using one-factor authentication include:
• Advanced Access Control supports standard Windows- and LDAP-based one-factor authentication. Therefore, no additional effort or implementation costs are associated with this authentication method.
• Passwords are easily revocable and replaceable in the event that they are compromised.
• All users are familiar with user names and passwords.

The disadvantages of using one-factor authentication include:
• Passwords are highly susceptible to “social engineering” attacks where users unknowingly provide their passwords to unauthorized users.
• Users can share passwords and as a result, it is not possible to rely on a password to ensure that the authentication is genuine. In addition, after sharing passwords for a particular purpose, users often forget to change their passwords. This allows multiple users to authenticate using the same set of credentials.

Advanced Authentication
Advanced authentication combines something a user knows with a second piece of information. The second piece of information can be something the user has, such as a hardware token, or something a user knows, such as an additional password. Advanced Access Control integrates with RSA Security SecurID, Secure Computing SafeWord, and RADIUS to support advanced authentication. The advantages of advanced authentication include:
• It increases your overall confidence in the authentication process. Whether it is an additional password or a one-time passcode generated from a hardware token, requiring users to provide an additional piece of information greatly mitigates authentication-related risks. For example, if a user’s main password is compromised, an attacker must obtain the user’s RADIUS password or hardware token to access the network.
• Token-based solutions provide an additional benefit in that users cannot record their authentication information for later use. This ensures that users adhere to the basic password protection best practice of not saving proprietary authentication information in electronic or paper format.

The disadvantages of advanced authentication include:
• Implementation costs are significant. In addition to the software required to validate advanced authentication information, token-based solutions also require the purchase of hardware tokens.
• Tokens can be lost, stolen, or forgotten.

Consider the advantages and disadvantages of one-factor and advanced authentication. For some corporations, one-factor authentication provides a sufficient level of security. However, if your corporation requires additional security, an advanced authentication solution may be more appropriate.
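As an added illustration of what “the user’s RADIUS password” means on the wire (this is generic RFC 2865 code, not the product’s RADIUS client, which the guide does not show), the following Python builds and parses a RADIUS Access-Request: the user name travels in clear, and the second-factor passcode is hidden only by MD5 keyed with the shared secret and the per-request authenticator. The shared secret, user name, passcode, and authenticator values are constructed for the example.

```python
"""RADIUS Access-Request construction and parsing per RFC 2865 (sections 3, 5.1, 5.2).
Added example; not Citrix code. Sample values are constructed."""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request
ATTR_USER_NAME = 1       # User-Name attribute type
ATTR_USER_PASSWORD = 2   # User-Password attribute type
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Nothing but the shared secret protects the passcode."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    blocks = -(-len(password) // 16)                   # ceiling division
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server.
    Trailing NUL padding is stripped (a passcode cannot itself end in NUL)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, user: bytes, passcode: bytes, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Client side: user name in clear, passcode hidden under the shared secret."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user) +
             attribute(ATTR_USER_PASSWORD, hide_password(passcode, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, bytes]:
    """Server side: validate the length field, walk the attributes, unhide the passcode."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:HEADER_LEN]
    out: Dict[str, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out["user"] = value
        elif atype == ATTR_USER_PASSWORD:
            out["passcode"] = reveal_password(value, secret, authenticator)
        pos += alen
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(7, b"jdoe", b"1234567890123456789", secret)
    print(len(pkt), "octets:", pkt.hex())
    print(parse_access_request(pkt, secret))
```

The point for planning: a one-time passcode defeats replay of the user’s main password, but the hop from the Advanced Access Control server to the RADIUS server is protected only by this MD5-based hiding, so the shared secret must be long and random and the RADIUS traffic should stay on a protected network segment.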

Planning for High Availability
Advanced Access Control includes built-in load balancing support. In addition, Advanced Access Control servers support industry-standard server clustering applications and techniques to ensure high availability and maximum business continuity. When planning your Advanced Access Control deployment, consider implementing one or more of the following solutions:
• Database backups. Back up your Advanced Access Control SQL database to recover from a variety of problems including database storage failures, application errors, and user errors. In addition, backups are often critical when recovering from catastrophic disasters such as hurricanes, fires, floods, and so on.
• Hardware redundancy. Prevent downtime due to hardware failures by detecting a failing component before it actually fails and bypassing a failure when it does occur. To achieve hardware redundancy, ensure your hardware meets the minimum requirements as specified in “Server Requirements” on page 41. In addition, determine if redundancy is needed in the following areas:
  • Switches and routers transporting Advanced Access Control traffic
  • Network cards on Advanced Access Control servers
  • Database servers
• Server redundancy. Each Advanced Access Control server within an access server farm is configured for the HTML Preview server role by default. Therefore, each server you add to your farm acts as a redundant server to minimize downtime in the event of a server failure. If you do not want all servers in your farm assigned to this role, deploy one or more servers for each Advanced Access Control server with this role enabled. For more information about assigning the HTML Preview server role, see “Modifying Server Roles” on page 219.
• Database redundancy. A SQL database server stores all of Advanced Access Control’s data. Therefore, to ensure that this data is always available to users, consider one or more of the following high availability strategies:
  • Clustering
  • Log shipping
  • Network load balancing to switch SQL servers
  • Stretch clustering

For more information about the above high availability solutions, refer to your SQL documentation.

Considering Users’ Needs
When planning your access strategy, consider the needs of your users. This analysis helps you determine the type of access users need to perform effectively. Consider the following issues:
• Productivity. Create policies that provide the appropriate level of access for users to remain efficient and productive.
• Access to resources. Evaluate which resources users need to access such as email, Web applications, published applications, file shares, and so on.
• User interface. Determine the default user interface you want users to see when they log on. Advanced Access Control includes the Access Interface, a Web page that displays a user’s available corporate resources and email. In addition, you can configure any Web application such as a Citrix Access Platform site or a third-party portal as the default user interface.
• Working offline. Consider whether users periodically access the network to synchronize data and work offline. For example, users who travel often could benefit from securely accessing their email in real-time and synchronizing data to their client device. This allows these employees to remain productive because they can continue to work even while disconnected from the network.
• Client devices. Advanced Access Control supports a range of client devices. Therefore, evaluate the hardware and software profile of your client devices including form factor, operating system, browser, and so on to ensure the client devices in your environment meet the minimum requirements of Advanced Access Control. For additional information about client device requirements, see “Client Requirements” on page 58.
• Browser-only access. Determine if users need to access network file shares, Web email, and internal Web sites from “locked down” client devices that do not permit the downloading of any client software. In this scenario, a Web browser is the only client software needed to access the corporate network.

Note: Not all Web applications support browser-only access. For more information, see “Limitations of Browser-Only Access” on page 145.

CHAPTER 4

Licensing the Advanced Edition

Citrix Licensing limits the number of concurrent user sessions to the number of licenses purchased. If you purchase 100 licenses, you can have 100 concurrent user sessions at any time. When a user ends a session, the license is released for the next user. A user who connects from more than one computer at the same time uses a license for each session. The licensing process includes the following steps:
• “Installing Citrix Licensing” on page 33 (optional if you already have Citrix Licensing)
• “Obtaining Licenses” on page 34
• “Specifying the License Server” on page 36
• “Adding Shortcuts to the License Management Console” on page 37 (optional)

Installing Citrix Licensing
Access Gateway Advanced Edition requires access to at least one shared or dedicated license server running Citrix Licensing. If your product portfolio already includes other Citrix products, you may already have a license server available to store and manage your user licenses. If so, you can skip this step and proceed to obtain your license files. Note: The Access Gateway Standard Edition uses a license server on the gateway appliance and does not require a dedicated Citrix license server. You must use a dedicated license server for the Advanced Edition. If you upgrade from the Standard Edition and do not already have a Citrix license server, you need to install one. You can install and configure Citrix Licensing before, during, or after you install Access Gateway Advanced Edition.


To install Citrix Licensing, follow the procedures in the Getting Started with Citrix Licensing Guide, available from:
• The Citrix Knowledge Center (http://support.citrix.com/)
• The Documentation folder on the product CD
• Start > All Programs or Programs > Citrix > Access Gateway > Documentation on a server running Access Gateway Advanced Edition

Because licensing is a crucial part of your product installation, Citrix strongly recommends that you read the licensing guide before installing Citrix Licensing.

Getting More Information
In addition to the Getting Started with Citrix Licensing Guide, you can find a series of articles designed to provide you with more detailed information for tasks that extend beyond the scope of installing your licensing components. These articles are listed in Chapter 3 of the guide and are found in the Citrix Knowledge Center (http://support.citrix.com/).

Obtaining Licenses
If you have not already done so, you must obtain license files to download and copy to your license server. License files contain the licenses that you allocated for a specified license server. You obtain these files from the Licensing area of the MyCitrix Web site (http://www.mycitrix.com/). Before downloading a license file, be prepared with the case-sensitive name of the license server that will store the license file and the number of licenses you want to allocate to that server. Further details about the information to have ready and the steps for downloading license files are provided in the Getting Started with Citrix Licensing Guide, available on the product CD, from the Start menu of a server running the Access Gateway Advanced Edition, or the Support area of the Citrix Web site (http://support.citrix.com).

Determining the Licenses Required
Users connecting through the Access Gateway Advanced Edition occupy two licenses—one for the gateway appliance and one for the Advanced Access Control server. Therefore, ensure that you have an adequate number of both Access Gateway and Access Gateway Advanced Edition user licenses to support your deployment. Both types of licenses can be bundled together into a single license file for copying to the license server.


Note that each server occupies one of the Access Gateway Advanced Edition concurrent user licenses. When tallying the number of licenses you need, include one for each server.

Licensing Grace Period
A 96-hour grace period goes into effect at installation if you point your Access Gateway Advanced Edition server to a license server with no product licenses installed. A grace period of 30 days goes into effect if communication with a license server is lost after having contacted the license server successfully at least once. During the grace period, user sessions are not disconnected. However, new user sessions cannot be connected. If the grace period runs out before communication is established with a license server with the appropriate licenses, all active user sessions are disconnected.

Mixed Environments
For environments with a mixture of deployments (in other words, Access Gateway Standard Edition deployments and Advanced Edition deployments), you can allocate the desired number of licenses among the different deployments when you generate your license files.
To allocate new or migrated licenses

1. Log on to MyCitrix (http://www.mycitrix.com).
2. Choose Licensing > Fulfillment > Fulfill Eligible Products, choose the licensing program type of your license, and follow the on-screen instructions to select licenses. A Product Fulfillment Certificate verifies license conversion and presents the resulting license codes.

After you generate new license codes, you must allocate licenses into license files that you copy to the license server. Allocating licenses lets you choose the number of licenses to include in a license file; you can allocate all or some of your available licenses at a time. The license file is a digitally signed, text-only file that contains product licenses and information needed by the license server.
To download license files

1. From MyCitrix (http://www.mycitrix.com), choose Licensing > Citrix Activation System > Activate or Allocate Licenses.
2. Follow the on-screen allocation instructions. Note that the License Server Name is case-sensitive.
3. Download the license file.


By default, the Citrix Activation System saves files to the last location used by the Save As control. License files have the extension .lic. In the event you cannot locate the downloaded license file, search your computer for files with an .lic extension. Note: If you have trouble downloading license files, contact Citrix Customer Care.
To copy licenses to the license server

1. In the License Management Console, navigate to the License Files page of the Configuration tab.
2. On the License Files page, click Copy license file to License Server, browse to your license file, and copy it to the license server.
3. Ensure that the license server recognizes the new file by performing one of the following actions:
   • In the License Management Console, from the Welcome page, click Configure License Server, followed by Update license data.
   • If you are not using the License Management Console, you must initiate a reread of the file. At a command prompt, navigate to C:\Program Files\Citrix\Licensing\LS\ and type the following command:

     lmreread -c @localhost

After the license server recognizes the file, your Citrix products can be launched.

Important: Do not edit license files without understanding their format. You can unintentionally corrupt them and render the licensing system unusable.

Specifying the License Server
All computers in an access server farm must communicate with the same license server. You can specify the license server during initial installation through the Server Configuration Utility, or specify it later through the farm node of the Access Management Console.

To specify a license server

1. From the console tree, select the server farm node and choose Define license server under Other Tasks.
2. Configure the following settings:
   A. Host name. Type the name of the license server.
   B. License server port number. This is the port number the product uses to communicate with the license server. Unless you must perform configurations to accommodate a firewall or the default port is already in use, Citrix recommends you leave the port at its default setting.

Adding Shortcuts to the License Management Console
The License Management Console snap-in allows you to create a shortcut to one or more license servers. You have the option of installing the snap-in when you install the product or can add it later from the product CD. Use the shortcut to run the License Management Console remotely and administer licensing for your farm.
To create a shortcut to the license servers in your environment

1. From the console tree, click the Licensing node.
2. Under Common Tasks, click Add shortcut to license server.
3. For Server name, type the DNS name or IP address of the license server for your farm.


CHAPTER 5

Installing Advanced Access Control

The installation of Advanced Access Control varies depending on your deployment scenario. You can install the logical server components on a single physical server or distribute components across multiple servers. The topics in this section provide the following information:
• “Planning Your Installation” on page 39
• “Server Requirements” on page 41
• “Network Requirements” on page 43
• “Feature Requirements” on page 46
• “Authentication Software Requirements” on page 53
• “Citrix Presentation Server Integration Requirements” on page 54
• “Client Requirements” on page 58
• “Console Requirements” on page 62
• “Installation Overview” on page 62
• “Installing Advanced Access Control” on page 63

Planning Your Installation
As part of your access strategy, you must also plan for the installation of the Access Gateway Advanced Edition components and the requirements for the features you want to implement. This section provides an overview of the tasks you must perform before and after you install the Advanced Access Control software.

Pre-Installation Tasks
Many of the features of Access Gateway Advanced Edition require that certain components are installed or settings are configured before you install the Advanced Access Control software.


The following table provides an overview of these prerequisites to help you plan your installation. References to additional information about each component or feature are included.

Component or Feature: Access Gateway appliance
  Required Task: Install appliance(s)
  Additional Information: Access Gateway Standard Edition Pre-Installation Checklist; Access Gateway Standard Edition Administrator’s Guide

Component or Feature: Advanced Access Control server
  Required Task: Ensure the server meets all hardware and software requirements
    • Supported version of Microsoft Windows
    • Windows Installer 3.0 or 3.1
    • .NET Framework 2.0
    • MDAC 2.7 or 2.8
  Additional Information: “System Requirements” on page 42
  Required Task: Set Web extensions
    • ASP.NET (Allowed)
    • Active Server Pages (Allowed)
    • FrontPage Server Extensions (Prohibited)
    • WebDAV (Prohibited)
  Additional Information: “System Requirements” on page 42
  Required Task: Ensure network configuration meets requirements
  Additional Information: “Network Requirements” on page 43
  Required Task: Ensure service account meets requirements
  Additional Information: “Service Account Requirements” on page 44

Component or Feature: Database server
  Required Task: Install database server and create user account; restart the server if installing on the Advanced Access Control server
  Additional Information: “Microsoft SQL Server User Account Requirements” on page 44; “Database Requirements” on page 46; “Installing Advanced Access Control” on page 63

Component or Feature: License server
  Required Task: Install Citrix License Server on the Advanced Access Control server or a separate server
  Additional Information: Getting Started with Citrix Licensing Guide

Component or Feature: HTML Preview
  Required Task: Install Microsoft Office (without Outlook) on the Advanced Access Control server
  Additional Information: “HTML Preview Requirements” on page 46

Component or Feature: Web email
  Required Task: Install Microsoft Exchange System Management Tools and Microsoft Exchange Administrator 5.5 on the Advanced Access Control server; update the mapisvc.inf file on the Advanced Access Control server
  Additional Information: “Installing the Microsoft Exchange System Management Tools and Administrator Software” on page 51; “Default Email Interface Requirements” on page 51

Component or Feature: RADIUS Authentication
  Required Task: Install Visual J# .NET 2.0
  Additional Information: “RADIUS Requirements” on page 53

Component or Feature: RSA SecurID Authentication
  Required Task: Install RSA ACE/Agent for Windows
  Additional Information: “SecurID Requirements” on page 54

Component or Feature: Secure Computing SafeWord
  Required Task: Install SafeWord Agent
  Additional Information: “SafeWord Requirements” on page 54

Component or Feature: Access Management Console
  Required Task: If installing on a standalone workstation, ensure required software is installed
  Additional Information: “Console Requirements” on page 62

Post-Installation Tasks
The following table provides an overview of tasks you perform immediately after installing the Advanced Access Control software. References to additional information about each component or feature are included.

Component or Feature: Access Gateway appliance
  Required Task: Configure communication with Advanced Access Control server(s)
  Additional Information: “Enabling Advanced Access Control” on page 80

Component or Feature: HTML Preview
  Required Task: To display PDF files, install and configure conversion software
  Additional Information: “HTML Preview Requirements” on page 46

Server Requirements
Before proceeding with software installation, verify that the servers you are using meet the hardware and software requirements for Advanced Access Control. Important: To ensure that installation of Advanced Access Control progresses smoothly, use servers that are not configured as domain controllers. During installation, Advanced Access Control adds a service account to the local Administrators group that is not present on a domain controller. If you attempt to install Advanced Access Control on a domain controller, the service account cannot be added and the installation will fail.


System Requirements
• PC with a 550 MHz processor
• 768 MB of physical memory
• 9 GB of available hard disk space
• Microsoft Windows 2000 Server Family with Service Pack 4, or Windows Server 2003, Standard Edition, Web Edition, or Enterprise Edition with all service packs and updates installed
• Internet Information Services (IIS) 5.0 or 6.0
• Microsoft Windows Installer 3.0 or 3.1
• Microsoft .NET Framework 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh or 2.8

Important: You must install the Windows Installer (WindowsInstallerKB884016-v2-x86.exe), the .NET Framework, and MDAC 2.7 Refresh (mdac_typ.exe) before you install Advanced Access Control. The Windows Installer, .NET Framework, and MDAC 2.7 Refresh executable files are located on the Advanced Access Control Server CD-ROM.
To set Web services extensions

Before installing Advanced Access Control, you must ensure the following Web services extensions are set appropriately in the Internet Information Services (IIS) Manager. Prohibiting the two extensions the product does not use also removes request-handling code from the server’s attack surface.

• ASP.NET. Required for Advanced Access Control installations. Status in IIS Manager: Allowed.
• Active Server Pages. Required for Advanced Access Control installations. Status in IIS Manager: Allowed.
• FrontPage Server Extensions. Not required. Must be prohibited for the Web proxy to function properly. Status in IIS Manager: Prohibited.
• WebDAV. Not required. Must be prohibited for Outlook Web Access (OWA) to display the contents of users’ inboxes. Status in IIS Manager: Prohibited.

1. Click Start > Programs or All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand the local computer node and then select Web Services Extensions.
3. Make the following selections as required:
   • Select ASP.NET and click Allow.
   • Select Active Server Pages and click Allow.
   • Select FrontPage Server Extensions and click Prohibit.
   • Select WebDAV and click Prohibit.

You may need to register ASP.NET if you installed the .NET Framework before installing IIS. To register ASP.NET, locate aspnet_regiis.exe and then type aspnet_regiis.exe -i from a command prompt.

Network Requirements
Before installing Advanced Access Control, ensure that your network configuration meets the following requirements:
• The computers or resources that users will access are connected to the Advanced Access Control servers you will deploy
• The Advanced Access Control server is:
  • A member of the domain to which users who authenticate to the server belong
  —Or—
  • A member of a domain that trusts and is trusted by the domain(s) of the authenticating users
• In a multi-domain environment, trust relationships have been established so that users in all domains can authenticate and access resources
• To provide access to the Internet, a Domain Name System (DNS) host record resolves to a public IP address for the Access Gateway appliance

Note: To configure Advanced Access Control successfully, the server must belong to a domain. If the Advanced Access Control server is a member of a workgroup and not a domain, the Server Configuration wizard does not run.


Account Requirements
This section describes the server accounts required to install Advanced Access Control.

Microsoft SQL Server User Account Requirements
When creating an access server farm, Advanced Access Control requests an account for access to SQL Server. The specified account must permit Advanced Access Control to create a database for the access server farm and then connect to the database. To create the database during Setup, at a minimum, the account must be a member of the dbcreator (Database Creators) fixed server role on SQL Server; membership in sysadmin is not required and should not be granted. After Advanced Access Control creates the database, the database user must be a member of the db_datareader and db_datawriter database roles. SQL Server supports Windows Authentication mode, which requires Windows user accounts for access, and Mixed Mode, which accepts Windows user accounts and SQL Server accounts. When you first install Advanced Access Control and create an access server farm, Setup creates a database with the same name as the access server farm. Setup does not create additional databases when you add servers to an access server farm, so dbcreator membership is needed only while Setup creates the database.

Note: The database creation and access requirements in this section apply to both SQL Server authentication and Windows authentication for database user accounts.

Service Account Requirements
When you install Advanced Access Control and create a new access server farm, the Server Configuration wizard prompts you for an account to use for communicating with services and servers in the farm. This account is referred to as the service account. You must specify an existing account to be the service account. If you do not have a service account, create one prior to installing Advanced Access Control. Valid service accounts meet the following requirements:
• The service account must be a member of the local Administrators group on every server in the farm.
• The service account must not be disabled and not subject to password expiration or other credential changes. If the service account is removed, the access server farm will not operate.
• The service account can be a local user account only if you are creating a single-server access server farm and do not intend to scale the farm. You cannot install Advanced Access Control on multiple servers with a local user account selected for the service account. Citrix strongly recommends using a domain account instead of a local user account when installing Advanced Access Control.

Because the service account is an administrator on every farm server and its password does not expire, treat it as a highly privileged credential: give it a long, unique password, do not reuse it for any other service, and do not use it for interactive logon.

Important: If you specify a local user account as the service account, ensure the local user account also has database owner permissions for the database Advanced Access Control creates during Setup. If the local user account does not have database owner permissions, some features might not be available to users.

In an Active Directory environment, when specifying the service account user name in User Principal Name (UPN) or Alternate UPN format, you must enter the full domain name.

If necessary, you can change the service account after installing Advanced Access Control. For more information about changing service account details, see “Changing Service Account and Database Credentials” on page 218. Note: If you are deploying Advanced Access Control in an environment where the Restricted Group policy is used to control the membership to the local Administrators group, ensure the user associated with the service account is in one of the groups added by the Restricted Group policy. For additional information, refer to the Resource Kit for Windows 2000 or Windows 2003.

Using Security Templates with the Service Account
Your corporate IT policy may require that security templates be applied to reduce the attack surface area of your Windows servers. The Highly Secure security template (HiSECWS.INF) removes the service account from the local Administrators group when applied after installing Advanced Access Control. After applying this security template, add the service account back to the local Administrators group. Otherwise, Advanced Access Control will not function correctly.


Database Requirements
Access Gateway Advanced Edition supports the following database packages:
• Microsoft SQL Server 2005
• Microsoft SQL Server 2000 with Service Pack 4
• Microsoft SQL Server 2005 Express Edition

Note: If you install Microsoft SQL Server and you create a database before you install Advanced Access Control, be sure to specify case-insensitive collation when you create the database. This ensures the names you assign to resources remain unique and prevents resources with duplicate names from being created.
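The following T-SQL script is an added example, not part of the Citrix guide, that puts the requirements from “Microsoft SQL Server User Account Requirements” and the collation note above into one runnable sequence: a least-privilege login that can create the farm database but is not sysadmin, a pre-created database with case-insensitive collation, and read/write-only database roles once the database exists. It uses the system stored procedures that exist in both SQL Server 2000 SP4 and SQL Server 2005. The farm name AccessFarm, the domain account CORP\svc-aac, and the database user name svc_aac are assumptions for illustration; substitute your own. Run it as a sysadmin before starting Advanced Access Control Setup.

```sql
-- Added example (not from the Citrix guide). Assumed names: farm and
-- database "AccessFarm", Windows login "CORP\svc-aac", database user
-- "svc_aac". Run as sysadmin, on SQL Server 2000 SP4 or 2005.
USE master;
GO

-- 1. Create the login. A domain account under Windows Authentication is
--    the recommended form. The commented line is the Mixed Mode (SQL
--    Server account) equivalent; never leave it with a weak password.
EXEC sp_grantlogin N'CORP\svc-aac';
-- EXEC sp_addlogin @loginame = N'aac_sql', @passwd = N'<long-random-password>';
GO

-- 2. Setup must be able to create the farm database. The minimum server
--    role is dbcreator ("Database Creators"). Do not grant sysadmin.
EXEC sp_addsrvrolemember @loginame = N'CORP\svc-aac', @rolename = N'dbcreator';
GO

-- Check before continuing: expect is_dbcreator = 1 and is_sysadmin = 0.
SELECT IS_SRVROLEMEMBER('dbcreator', 'CORP\svc-aac') AS is_dbcreator,
       IS_SRVROLEMEMBER('sysadmin',  'CORP\svc-aac') AS is_sysadmin;
GO

-- 3. If you create the database yourself before Setup, use a
--    case-insensitive (CI) collation so two resource names that differ
--    only in case cannot coexist. If you skip this, Setup creates a
--    database named after the farm.
IF DB_ID(N'AccessFarm') IS NULL
    CREATE DATABASE AccessFarm COLLATE SQL_Latin1_General_CP1_CI_AS;
GO

-- 4. Once the database exists, the account needs only db_datareader and
--    db_datawriter on it. (Per the guide, the one exception is a local
--    service account on a single-server farm, which also needs db_owner.)
USE AccessFarm;
GO
EXEC sp_grantdbaccess @loginame = N'CORP\svc-aac', @name_in_db = N'svc_aac';
EXEC sp_addrolemember @rolename = N'db_datareader', @membername = N'svc_aac';
EXEC sp_addrolemember @rolename = N'db_datawriter', @membername = N'svc_aac';
GO

-- Verify the database roles the user holds (expect db_datareader and
-- db_datawriter only).
EXEC sp_helpuser @name_in_db = N'svc_aac';
GO

-- 5. Show why the collation matters: under the CI collation a lookup for
--    'EMAIL' matches a resource stored as 'Email', so the product's
--    uniqueness check treats them as the same name.
CREATE TABLE dbo.CollationCheck (ResourceName nvarchar(64) NOT NULL UNIQUE);
INSERT INTO dbo.CollationCheck (ResourceName) VALUES (N'Email');
IF EXISTS (SELECT 1 FROM dbo.CollationCheck WHERE ResourceName = N'EMAIL')
    PRINT 'Case-insensitive collation in effect: EMAIL matches Email';
ELSE
    PRINT 'WARNING: collation is case-sensitive; duplicate names possible';
DROP TABLE dbo.CollationCheck;
GO

-- 6. After Setup has created or adopted the database, dbcreator is no
--    longer needed for day-to-day operation and can be revoked.
-- EXEC sp_dropsrvrolemember @loginame = N'CORP\svc-aac', @rolename = N'dbcreator';
```

Step 6 is left commented out because the guide says Setup must be able to create the database; run it only after Setup has completed and the farm has been verified, and re-grant the role before any operation that needs to create a database again.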

Access Gateway Requirements
The Access Gateway appliance is a universal SSL VPN appliance that provides users with controlled access to application and information resources. For information about requirements for installing and using the Access Gateway appliance, see the Getting Started with Citrix Access Gateway Standard Edition guide.

Feature Requirements
You can use Advanced Access Control to allow users to view, upload, or download Web-based resources using any client device that has a Web browser. However, some features such as Live Edit use additional client software. Other features require additional server software. This section provides information to help you plan access to features depending on a feature’s client or server requirements.

HTML Preview Requirements
HTML Preview enables users to view files such as Microsoft Office documents or Adobe Acrobat PDF files in HTML.

Installing Microsoft Office for HTML Preview
To use HTML Preview to view Microsoft Office documents, the following software must be installed on a Web server in your access server farm:
• Microsoft Word 2000, XP, or 2003
• Microsoft Excel 2000, XP, or 2003
• Microsoft PowerPoint 2000, XP, or 2003
• Microsoft Visio 2002 or 2003

If you install these programs after installing Advanced Access Control, you will need to restart the Citrix Activation Engine Service. If you use HTML Preview with Microsoft Office documents, be aware of the following considerations:
• Microsoft Outlook must be excluded from the Office installation because it interferes with Advanced Access Control’s Web email functions.
• All devices deploying HTML Preview content to users should have adequate Microsoft Office licenses. For more information about licensing requirements, refer to your Microsoft Office Licensing Agreement.
• If multiple servers are configured for HTML Preview, these servers must have the same version of Microsoft Office installed. Otherwise, a document viewed with HTML Preview may appear different to some users, depending on the version of Office rendering the document.

For more information about using HTML Preview to provide access to documents, see “Allowing HTML Preview” on page 139.

Using Macros with HTML Preview
When using HTML Preview to access Microsoft Office documents, it is possible to run macros embedded within these documents. Viewing a document containing macros could represent a security risk to your deployment because the macros may run on the Advanced Access Control server within the context of the service account. Because the service account is a member of the local Administrators group on every server in the farm (see “Service Account Requirements” on page 44), a macro that runs in its context runs with administrative privileges on the server. Before implementing HTML Preview, evaluate each of the following strategies for mitigating this potential risk:
• Set macro security in each Microsoft Office application according to your organization’s network security policies
• Configure each Microsoft Office application to run in the context of a User account with limited privileges

Important: These strategies do not provide protection against possible security risks related to functional issues in Microsoft Office applications (for example, Microsoft Word crashes when opening a document). As you evaluate these strategies, consider Microsoft’s recommendations for server and application security as well as your organization’s information security requirements.

To disable embedded macros in Microsoft Office

1. Launch the Microsoft Office application installed on the Advanced Access Control server.
2. Set the macro security level to the highest level available for the version of the Microsoft Office application you are running.
3. Disable trust for all installed add-ins and templates.

For more information about setting macro security for Microsoft Office applications, refer to the Microsoft Office documentation or the Microsoft Office Web site.
To configure Microsoft Office applications to run under a User account

This procedure involves automating Office applications using an unattended user account. For more information about this approach and its accompanying considerations, refer to Microsoft knowledgebase article 288367, How to configure Office applications to run under a specific user account.

1. Log on to the Advanced Access Control server as Administrator and create a new User account.
2. Start the Office application you want to configure and press ALT+F11 to load the Visual Basic for Applications (VBA) editor.
3. Close the application and the VBA editor.
4. Click Start > Run and type DCOMCNFG to open the Component Services console.
5. From the DCOM Config node, locate the Office application you want to configure. They are listed as follows:
   • Microsoft Excel Application
   • Microsoft PowerPoint Presentation
   • Microsoft Word Document
6. Right-click the application and select Properties.
7. Click the Security tab and perform the following tasks:
   A. Under Launch and Activation Permissions, select Customize and then click Edit.
   B. Add the User account you created and allow Local Launch and Local Activation permissions. Ensure the SYSTEM, INTERACTIVE and Everyone accounts are present.
   C. Under Access Permissions, select Customize and then click Edit.
   D. Add the User account you created and allow the Local Access permission.
8. On the Identity tab, select This user and enter the credentials of the User account you created.
9. Restart the server.

Repeat these steps for each Office application you want to configure. After you restart the server, start the Task Manager and then start each application to verify it is running under the new User account.

Using HTML Preview with PDF Documents
If you want to use HTML Preview with PDF documents, you must install on the Advanced Access Control server software that converts the PDF file to HTML. For more information about configuring Advanced Access Control to view PDF files, see the Citrix Knowledge Center article CTX107543: Customizing HTML Preview in Advanced Access Control located on the Citrix Web site.

Live Edit Requirements
Live Edit is a convenient way for users to work remotely with files such as Word documents and Excel spreadsheets using a Web browser. To use Live Edit, users must have the following software installed on their computers:
• Microsoft Internet Explorer 6.0 SP1
• Live Edit Client ActiveX control
• An appropriate Microsoft Office editing application such as:
  • Microsoft Word 2000, XP, or 2003
  • Microsoft Excel 2000, XP, or 2003
  • Microsoft PowerPoint 2000, XP, or 2003
  • Microsoft Visio 2002 or 2003

Note: After installing any Microsoft Office applications, run the application for the first time before using Live Edit. This ensures that any post-installation tasks are completed and allows the Live Edit Client to display documents for editing without delay.


For information about requirements for running the Live Edit Client, see “Client Requirements” on page 58. For more information about using Live Edit to provide access to documents, see “Allowing Live Edit” on page 140.

Email Synchronization Requirements
Email synchronization allows users to synchronize their email folders on their client devices with their folders on Microsoft Exchange or Lotus Notes/Domino servers to prepare for working offline. Email synchronization requires the following components:
• Microsoft Outlook 2000, XP, or 2003; or Lotus Notes R5, R6, or R7 installed on the client device
• Secure Access Client installed on the client device
• An email server running Microsoft Exchange or Lotus Notes/Domino

For more information about requirements for the Secure Access Client, see “Client Requirements” on page 58. For more information about email synchronization, see “Providing Users with Secure Access to Email Accounts” on page 188.

Web Email Requirements
You can provide users with access to corporate email resources using Web email. Using the included default email interface, users can access their email accounts from a workstation or a handheld device with only a Web browser. This interface functions only with email servers using Microsoft Exchange. Advanced Access Control also supports using Outlook Web Access, Lotus iNotes/Domino Web Access, or other Web email interfaces. Outlook Web Access and iNotes do not operate on handheld devices such as PDAs. The following table lists the components required for each supported Web email platform.

                                     | Advanced Access Control Web Email                                                                    | Outlook Web Access                                                                                   | iNotes/Domino Web Access
Required Email Server                | Microsoft Exchange Server, Versions 2000 or 2003 with all service packs and critical updates installed | Microsoft Exchange Server, Versions 2000 or 2003 with all service packs and critical updates installed | IBM Lotus Domino Server, Versions R6 or R7
Required Server Administration Tools | Microsoft Exchange System Management Tools; Microsoft Exchange 5.5 Administrator                      | Microsoft Exchange System Management Tools; Microsoft Exchange 5.5 Administrator                      | N/A
Supported Web Browsers               | Internet Explorer 6.0 SP1; Safari 1.1 and 1.3; Netscape Navigator 8.0; Mozilla Firefox 1.0            | Internet Explorer 6.0 SP1                                                                            | Internet Explorer 6.0 SP1

Default Email Interface Requirements
If you are using Microsoft Exchange 2000 and you want to use the default Email Interface, you must install Microsoft Exchange System Management Tools and then update the mapisvc.inf file on the Advanced Access Control server. For more information, see “Updating the Mapisvc.inf File” on page 193.

Installing the Microsoft Exchange System Management Tools and Administrator Software
Microsoft Exchange System Management Tools and Microsoft Exchange 5.5 Administrator supply the MAPI components that are required for Web email functionality. These tools are supported on the following operating systems:
• Microsoft Windows 2000 Server Family with Service Pack 3 or 4
• Windows Server 2003, Standard Edition or Enterprise Edition

When using these tools, it is important that you:
• Install Microsoft Exchange System Management Tools and Microsoft Exchange 5.5 Administrator on the server before installing Advanced Access Control or other software such as Microsoft Office. This ensures the required Messaging Application Programming Interface (MAPI) components are installed correctly.
• Install the versions of Microsoft Exchange System Management Tools and Microsoft Exchange 5.5 Administrator that are included with the version of Microsoft Exchange you are using. If they do not match, Web email may not function correctly.

• Ensure the WebDAV Web service extension is set to “Prohibit” if you use Outlook Web Access for your Web-based email interface. If this extension is set to “Allowed,” users’ inboxes may not display correctly.

For information about configuring Web email, see “Providing Users with Secure Web-Based Email” on page 184.

Using Microsoft Windows 2003 Server Web Edition for Web Email
If you are using Microsoft Windows Server 2003 Web Edition and you have Microsoft Exchange 2003 in your environment, you cannot install Microsoft Exchange System Management Tools or Microsoft Exchange 5.5 Administrator. Instead, copy the MAPI components to the %SystemRoot%/system32 directory of the Advanced Access Control server.
To install the MAPI components on a server running Microsoft Windows 2003 Server Web Edition
1. On the server running Microsoft Exchange 2003, copy the following files:
   • mapi32.dll
   • mapisvc.inf
2. On the Advanced Access Control server, paste the files to the %SystemRoot%/system32 directory.

User Profile Access Requirements
Advanced Access Control stores MAPI user profiles in the Temp folder located in the Advanced Access Control installation directory. Users configured for Web email must have read/write access to this folder. Before installing Advanced Access Control, you must add the users to the Users group on all Advanced Access Control servers. The installation process grants the Users group read/write access to the Temp folder.

Endpoint Analysis Requirements
You can configure endpoint analysis scans to be run on client devices to check them for protective measures, such as operating system patches and antivirus software, before users access resources. Endpoint analysis scans require the Endpoint Analysis Client that can be installed as an ActiveX control, a plug-in for Netscape Navigator or Firefox, or as a Windows 32-bit application. To download and install the ActiveX control, users must be members of the Administrators or Power Users group of the client device.

Important: If the Endpoint Analysis Client is not installed on a client system, the user can access only those resources for which a scan is not required.

For information about requirements for running the Endpoint Analysis Client, see “Client Requirements” on page 58. For more information about configuring endpoint analysis scans, see “Creating Endpoint Analysis Scans” on page 166.

Authentication Software Requirements
Advanced Access Control supports using the following authentication methods to strengthen the security of your deployment:
• Microsoft Active Directory
• Lightweight Directory Access Protocol (LDAP)
• Remote Authentication Dial-In User Service (RADIUS)
• RSA SecurID 5.2 or 6.0
• Secure Computing SafeWord PremierAccess and SafeWord for Citrix

LDAP Requirements
To use LDAP with Access Gateway Advanced Edition, you must have an LDAP-compliant directory service in your environment such as Microsoft Active Directory, Novell eDirectory, or IBM Directory Server.

Important: User credentials specified in User Principal Name (UPN) or Alternate UPN formats are not supported when using LDAP as an authentication method.

RADIUS Requirements
To use RADIUS with Access Gateway Advanced Edition, you must install the Microsoft Visual J# .NET Version 2.0 executable file (vjredist.exe) on the server running Advanced Access Control before you install the Advanced Access Control software. This executable file is located in the JSharp20 folder on the Advanced Access Control Server CD-ROM.

Important: User credentials specified in User Principal Name (UPN) or Alternate UPN formats are not supported when using RADIUS as an authentication method.

For more information about using RADIUS with logon points, see “Creating RADIUS Authentication Profiles” on page 102.

Supported RADIUS Authentication Protocols
Access Gateway Advanced Edition supports implementations of RADIUS that are configured to use the Password Authentication Protocol (PAP) for user authentication. Other authentication protocols such as the Challenge-Handshake Authentication Protocol (CHAP) are not supported. For more information about configuring RADIUS authentication, see “Creating LDAP Authentication Profiles” on page 104.

SecurID Requirements
To use SecurID authentication with Access Gateway Advanced Edition, install the RSA ACE/Agent for Windows software before installing the Advanced Access Control software. If you install Advanced Access Control before you install the ACE/Agent, SecurID authentication does not function correctly. For information about requirements for installing RSA SecurID, refer to the RSA product documentation.

SafeWord Requirements
To use SafeWord authentication with Access Gateway Advanced Edition:
• Obtain the latest version of the SafeWord Agent from Secure Computing
• Install the SafeWord Agent software on the server before installing the Advanced Access Control software

For information about requirements for installing SafeWord PremierAccess and SafeWord for Citrix, refer to the Secure Computing documentation for these products.

Citrix Presentation Server Integration Requirements
To access resources published with Citrix Presentation Server using file type association or Web Interface, users must have a Citrix Presentation Server Client on their client device. Advanced Access Control supports integration with the following versions of Citrix Presentation Server:
• Citrix Presentation Server 4.0
• MetaFrame Presentation Server 3.0
• MetaFrame XP 1.0 Feature Release 3 with Service Pack 4
• MetaFrame for UNIX 4.0

Note: Advanced Access Control supports application policies that are applied using Citrix Presentation Server Version 4.0 and above. While Advanced Access Control can communicate with older versions of Citrix Presentation Server, it does not allow application-specific policies to be applied.

You can configure the logon point to use either the Web Client or the Client for Java on demand when users access published resources. Advanced Access Control supports using the following Citrix Presentation Server Clients:

Client                                        | English | Japanese | German | Spanish | French
Citrix Presentation Server Client Version 9.2 | Yes     | Yes      | Yes    | Yes     | Yes
Client for Java Version 9.4                   | Yes     | Yes      | Yes    | Yes     | Yes
Web Client Version 9.2                        | Yes     | Yes      | Yes    | Yes     | Yes

For more information about requirements for running the Client for Java, see the Client for Java Administrator’s Guide. For more information about configuring Advanced Access Control to access published resources, see “Allowing File Type Association” on page 138.

Citrix Presentation Server for UNIX Requirements
If you want to integrate Advanced Access Control with Citrix Presentation Server for UNIX, be aware of the following:
• Workspace Control is not supported
• SmartAccess is not supported
• Because Web Interface requires users to enter a domain when logging on, users must enter the word “unix” as the domain to authenticate to Web Interface through Advanced Access Control

SmartAccess Requirements
The SmartAccess feature enables organizations to better control how published applications are accessed and used. You can use SmartAccess with Advanced Access Control to control which resources users can access, based on their access scenario, and what they can do within those resources after they get access. SmartAccess integrates with Web Interface for Citrix Presentation Server to give organizations granular control over published applications. To use SmartAccess, you must have the following components in your environment:
• Citrix Access Gateway Advanced Edition
• Citrix Presentation Server 4.0

Note: SmartAccess is not supported with Citrix Presentation Server for UNIX.

If you are using Web Interface to access published applications, you must also have the following software:
• Access Suite Console 4.0 for Citrix Presentation Server with the Web Interface Extension 4.2 patch applied
• Web Interface for Citrix Presentation Server 4.0 or 4.5

You must also ensure that address translation and firewall settings are identical for the Web Interface and Advanced Access Control. For more information about configuring SmartAccess, see the Web Interface Administrator’s Guide.

Multiple Access Platform Site and Credential Caching Requirements
Advanced Access Control supports displaying up to three Citrix Access Platform sites within the Access Interface. If the credentials used to log on to the Access Platform sites are different from those used for Advanced Access Control, you can cache these credentials so users are not required to reenter them. These features require:
• Web Interface for Citrix Presentation Server 4.0 or 4.5.
• Advanced Access Control to authenticate users with Active Directory credentials only. Credential caching is not supported for use with RADIUS, LDAP, RSA SecurID, or Secure Computing SafeWord.

SmoothRoaming Requirements
The SmoothRoaming features of Citrix Presentation Server provide users with uninterrupted access to information. These features include Workspace Control, Session Reliability, and Dynamic Session Reconfiguration.

Note: Workspace Control is not supported with Citrix Presentation Server for UNIX.

You can use SmoothRoaming features with Advanced Access Control to enable users to move between client devices and gain access to all of their applications when they log on. To use SmoothRoaming, you must have the Advanced or Enterprise edition of Citrix Presentation Server 3.0 or 4.0 installed on a server in your environment. SmoothRoaming is not available in the Citrix Presentation Server Standard Edition.

Requirements for Bypassing the Web Proxy
If you want users to bypass the Web proxy when accessing a Web resource, you can allow them to access the resource using the Secure Access Client. For information about requirements for running the Secure Access Client, see “Client Requirements” on page 58.

Third Party Portal Integration Requirements
Access Gateway Advanced Edition supports integration with third party portals such as Microsoft SharePoint to provide convenient access to Web resources, file shares, Web email, and published applications. To integrate Microsoft SharePoint you must have one of the following versions installed in your environment:
• Microsoft SharePoint 2001
• Microsoft SharePoint 2003

Typically, users can work with documents managed by SharePoint using menu-driven commands. When users access the SharePoint site through the Web proxy, menu items that require ActiveX to function are not available. The following table describes these menu items:

Menu Item                 | Requires ActiveX? | Available to Users by Default?
View Properties           | No                | Yes
Edit Properties           | No                | Yes
Edit in Microsoft Office  | Yes               | No
Delete                    | No                | Yes
Check In                  | No                | Yes
Check Out                 | No                | Yes
Version History           | No                | Yes
Alert Me                  | No                | Yes
Discuss                   | Yes               | No
Create Document Workspace | No                | Yes

Additionally, custom menu items that require ActiveX to function are not available to users when SharePoint is accessed through the Web proxy.

Client Requirements
This section describes the client requirements for the platforms that Advanced Access Control supports.

Web Browser Requirements
Advanced Access Control supports the use of Web browsers on the following platforms:

Devices              | Operating System                                                                   | Web Browser
Desktop Workstations | Microsoft Windows: Windows XP Home/Professional SP2, Windows 2000 Professional SP4 | Internet Explorer 6.0 SP1; Netscape Navigator 8.0; Mozilla Firefox 1.5
                     | Apple Macintosh OS X 10.3.9 or greater                                             | Safari 2.0 (English only); Netscape Navigator 8.0; Mozilla Firefox 1.5
                     | Red Hat Linux                                                                      | Netscape Navigator 8.0; Mozilla Firefox 1.0.4
PDAs and Smartphones | PalmOS 5.4 (Palm Treo 650)                                                         | PalmSource Web Browser 2.0
                     | Microsoft Windows Mobile 5.0 (UT Starcom/Verizon Wireless XV6700)                  | Internet Explorer
                     | Microsoft Windows Mobile 2003 (HP iPAQ hw6515 Mobile Messenger)                    | Internet Explorer
                     | RIM BlackBerry (BlackBerry 7130e)                                                  | Default Web Browser
                     | Symbian (Japanese only) (Motorola FOMA M1000)                                      | Default Web Browser

Note: If you are using Apple Macintosh OS X, apply all updates, service packs, and patches to ensure Web-based features function properly.

The following table describes localization support based on the platform and Web browser:

Web Browser                                 | English | Japanese | German | Spanish | French
Internet Explorer 6.0 SP1 (Windows 2000/XP) | Yes     | Yes      | Yes    | Yes     | Yes
Netscape Navigator 8.0 (Windows 2000/XP)    | Yes     | No       | No     | No      | No
Netscape Navigator 7.1 (Windows 2000/XP)    | Yes     | Yes      | Yes    | No      | Yes
Netscape Navigator 7.0 (Windows 2000/XP)    | Yes     | Yes      | Yes    | Yes     | Yes
Mozilla Firefox 1.5 (Windows 2000/XP)       | Yes     | Yes      | Yes    | Yes     | Yes
Safari 2.0 (Mac OS X)                       | Yes     | No       | No     | No      | No
Netscape Navigator 7.1 (Mac OS X)           | Yes     | No       | No     | No      | No
Netscape Navigator 7.0 (Mac OS X)           | Yes     | No       | No     | No      | No
Mozilla Firefox 1.5 (Mac OS X)              | Yes     | No       | No     | No      | No

Advanced Access Control delivers content to client Web browsers by transmitting Web pages encoded with HTML and JavaScript. In most cases, standard client configurations can support Advanced Access Control. You must ensure the following settings are configured for each Web browser:
• Enable execution of client-side JavaScript
• Allow downloading of signed ActiveX controls
• Allow downloading of Java applets if you provide access to published applications and restrict users to the Client for Java

For more information about configuring Web browsers for use with Advanced Access Control, see “Browser Security Considerations” on page 209.

Live Edit Client Requirements
The Live Edit Client is an ActiveX control that downloads automatically to a client Web browser to provide remote editing capabilities for Microsoft Office documents.

To use the Live Edit Client, the following software is required on users’ workstations:
• Microsoft Windows 2000 or XP with all service packs and critical updates
• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission to load signed ActiveX controls

Note: Windows 2000 or XP users must be members of the Administrators or Power Users group to download and install ActiveX controls.

Endpoint Analysis Client Requirements
The Endpoint Analysis Client collects device information such as operating system, antivirus, or Web browser versions prior to logging on to Advanced Access Control. The Endpoint Analysis Client can be distributed as an ActiveX control, a browser plug-in, or a Windows 32-bit application. To use the Endpoint Analysis Client, the following software is required on users’ workstations:
• Microsoft Windows 2000 or XP with all service packs and critical updates
• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission to load signed ActiveX controls if distributing the ActiveX control
• Netscape Navigator 8.0 if distributing the browser plug-in
• Mozilla Firefox 1.5 if distributing the browser plug-in

Note: Windows 2000 or XP users must be members of the Administrators or Power Users group to download and install ActiveX controls.

Secure Access Client Requirements
The Secure Access Client acts as a proxy between the client computer and the Access Gateway appliance. The Secure Access Client can be distributed as a desktop application for Microsoft Windows or Linux operating systems. The Secure Access Client is downloaded and installed automatically when users enter the secure Web address of the Access Gateway appliance and a logon point in a Web browser.

Note: Windows 2000 and XP users must be members of the Administrators or Power Users group to install applications. Linux users must have the tcl and tk packages installed to use the Secure Access Client.

The Secure Access Client is not supported in double-hop DMZ deployments. If you deploy Access Gateway Advanced Edition in a double-hop DMZ, users access resources only through a browser-only connection.

Console Requirements
The Access Management Console is the configuration and administration tool for Advanced Access Control. You can install the console on an Advanced Access Control server or on a standalone workstation. The Console requires at least:
• Windows Server 2003, Standard Edition, Enterprise Edition, or Datacenter Edition with Service Pack 1; Microsoft Windows Server 2003, 64-bit Edition; Windows XP Professional with Service Pack 2; or Windows 2000 Professional with Service Pack 4
• 25 MB of hard drive space
• .NET Framework Version 2.0
• Microsoft Data Access Components (MDAC) Version 2.7 Refresh

Important: If you install the console on the Advanced Access Control server, you must install the .NET Framework and MDAC 2.7 Refresh (mdac_typ.exe) before you install Advanced Access Control. The .NET Framework and MDAC 2.7 Refresh executable files are located on the Advanced Access Control Server CD-ROM.

Installation Overview
This overview includes the basic steps for installing Advanced Access Control. Citrix supports deploying Advanced Access Control on a single server or on multiple servers. For important information to consider before installing Citrix products, review the readme files and administrator guides for components you plan to install. The readme files and administrator guides are available in the Documentation folder of the Advanced Access Control Server CD-ROM.

To get started with Advanced Access Control, complete the following steps:
1. Before you begin installation, use Windows Update to ensure all Advanced Access Control servers are patched with critical updates.
2. Ensure your servers meet all requirements for components and features you plan to use.
3. Install and configure Citrix Licensing. See the Readme for Citrix Licensing and the Getting Started with Citrix Licensing Guide, available in the Documentation folder of the Advanced Access Control Server CD-ROM.
   Note: Citrix recommends performing this step before installing Advanced Access Control to save time during server configuration and prevent user access delays due to licensing issues. However, you can install the licensing server during or after server configuration.
4. Install Advanced Access Control and the Access Management Console.
5. Install additional components, if applicable.
6. After you install components, visit the Citrix Hotfixes and Service Packs Web site to download and install critical updates.

Installing Advanced Access Control
The Advanced Access Control Setup wizard guides you through the process of installing Advanced Access Control and its components.
To install Advanced Access Control
1. Insert the Advanced Access Control Server CD-ROM in the CD drive. The startup screen appears if autorun is enabled. If autorun is not enabled, navigate to the CD root directory and double-click AutoRun.exe.
2. On the startup screen, click Access Gateway Advanced Edition.
3. Read and accept the Citrix license agreement.
4. Select any of the following components to install:
   • Server. Installs the Advanced Access Control server software, including the Logon Agent and server configuration tools.
   • Management console. Installs the configuration and management tool for Advanced Access Control and the other products in the Citrix Access Suite.
   • Access Management Console - Licensing. Installs the Licensing Console snap-in. For more information about this snap-in, see “The Access Management Console User Interface” on page 82.
   • Access Management Console - Diagnostics. Installs the Diagnostic Facility Console snap-in. You do not need to install this component unless requested to do so by a Citrix Technical Support representative. For more information about this snap-in, see “The Access Management Console User Interface” on page 82.
5. Follow the on-screen instructions to complete the Setup wizard.

As Advanced Access Control is installed, a message box displays the progress. When the installation is complete, you can configure the server with the Server Configuration utility or you can install Advanced Access Control on other servers. To begin configuring your server, click Finish. For more information about configuring your server, see “Configuring Your Server” on page 76.

Troubleshooting the Installation
During installation, Advanced Access Control creates the log file CTXMSAM40_Install.log that you can use to troubleshoot the server installation. This log file is written to a temporary folder by default. To define the location of this folder, Advanced Access Control checks the following environment variables:
• TMP
• TEMP
• USERPROFILE
• windir

The first valid path that Windows finds among these variables becomes the location of the installation log files. You can override this default path by typing /logfilepath folder_path at a command prompt, where folder_path is the location where you want to store the installation log files.
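The lookup order above is easy to get wrong when TMP points at a folder that no longer exists and Setup silently falls through to the next variable. The following added example (not Citrix code) reproduces that resolution order so an administrator can predict where CTXMSAM40_Install.log landed; the environment mapping, the directory check, and the sample values are injected and constructed so it runs on any host.

```python
"""Predict where Advanced Access Control Setup writes CTXMSAM40_Install.log.

Added example, not part of the Citrix guide. Implements the rule the guide
states: consult TMP, TEMP, USERPROFILE and windir in that order, take the
first one that is set and names an existing directory, and let a
/logfilepath folder_path override everything.
"""
import ntpath
import os
from typing import Callable, List, Mapping, Optional, Tuple

LOG_FILE_NAME = "CTXMSAM40_Install.log"

# Variables Setup consults, in the order the guide gives them.
LOG_PATH_VARIABLES = ("TMP", "TEMP", "USERPROFILE", "windir")


def _lookup(env: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because Windows environment variable names are
    case-insensitive (the guide writes 'windir'; a shell may show WINDIR)."""
    for key, value in env.items():
        if key.lower() == name.lower():
            return value
    return None


def explain_log_folder_lookup(
    env: Mapping[str, str],
    is_dir: Callable[[str], bool] = os.path.isdir,
) -> List[Tuple[str, Optional[str], str]]:
    """Return (variable, value, verdict) for each variable, in lookup order.

    Verdicts are 'not set', 'not a directory', 'selected' or 'skipped'
    (skipped = valid, but an earlier variable already won)."""
    report: List[Tuple[str, Optional[str], str]] = []
    chosen = False
    for name in LOG_PATH_VARIABLES:
        value = _lookup(env, name)
        if not value:
            report.append((name, value, "not set"))
        elif not is_dir(value):
            report.append((name, value, "not a directory"))
        elif not chosen:
            report.append((name, value, "selected"))
            chosen = True
        else:
            report.append((name, value, "skipped"))
    return report


def resolve_install_log_folder(
    env: Mapping[str, str],
    is_dir: Callable[[str], bool] = os.path.isdir,
    logfilepath: Optional[str] = None,
) -> Optional[str]:
    """Folder Setup would write the log into, or None if no candidate is valid.

    logfilepath corresponds to the folder_path given with /logfilepath and,
    when supplied, is returned unchanged (the guide says it overrides the
    environment-based default)."""
    if logfilepath:
        return logfilepath
    for name, value, verdict in explain_log_folder_lookup(env, is_dir):
        if verdict == "selected":
            return value
    return None


def install_log_path(
    env: Mapping[str, str],
    is_dir: Callable[[str], bool] = os.path.isdir,
    logfilepath: Optional[str] = None,
) -> Optional[str]:
    """Full Windows path of the log file (ntpath so this works off-Windows too)."""
    folder = resolve_install_log_folder(env, is_dir, logfilepath)
    return None if folder is None else ntpath.join(folder, LOG_FILE_NAME)


# Constructed sample environment: TMP points at a folder that was deleted, so
# Setup should fall through to TEMP. Paths are illustrative Windows 2003 values.
SAMPLE_ENV = {
    "TMP": "C:\\Temp\\deleted",
    "TEMP": "C:\\Documents and Settings\\admin\\Local Settings\\Temp",
    "USERPROFILE": "C:\\Documents and Settings\\admin",
    "WINDIR": "C:\\WINDOWS",
}
SAMPLE_EXISTING_DIRS = {
    "C:\\Documents and Settings\\admin\\Local Settings\\Temp",
    "C:\\Documents and Settings\\admin",
    "C:\\WINDOWS",
}


def sample_is_dir(path: str) -> bool:
    """Stand-in for os.path.isdir against the constructed directory set."""
    return path in SAMPLE_EXISTING_DIRS


if __name__ == "__main__":
    for name, value, verdict in explain_log_folder_lookup(SAMPLE_ENV, sample_is_dir):
        print(f"{name:12} {verdict:16} {value}")
    print("log file:", install_log_path(SAMPLE_ENV, sample_is_dir))
```

Run the module on the server itself with `os.environ` and the default `is_dir` to see the real resolution; pass `logfilepath` when Setup was started with /logfilepath.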

Uninstalling Advanced Access Control
If you want to remove an Advanced Access Control component from a server, use Add/Remove Programs on the Control Panel. Depending on the options you selected during installation, remove these components in the following order:
• Citrix Access Gateway 4.5 Server
• Citrix Access Gateway 4.5 Console
• Citrix License Server Administration
• Citrix Access Management Console - Diagnostics
• Citrix Access Management Console - Framework

Note: If you remove the Citrix Access Gateway Console component before removing the Citrix Access Gateway Server component, the Server component cannot be removed successfully. The Citrix License Server Administration and Citrix Access Management Console - Diagnostics components can be removed at any time in the uninstallation. However, the Citrix Access Management Console - Framework component must be removed last.
To remove Advanced Access Control components
1. Choose Start > Control Panel > Add or Remove Programs.
2. In Add or Remove Programs, select an Advanced Access Control component.
3. Click Change or Remove. The wizard prompts for verification that you want to remove the software.
4. Click Yes or Next to remove the component.

CHAPTER 6

Configuring Advanced Access Control

After you install Advanced Access Control, you configure each of your servers in the access server farm. The following topics discuss server configuration:
• “Supported Configurations” on page 68
• “Configuring Your Server” on page 76
• “Steps to Configuring A Server” on page 77
• “Enabling Advanced Access Control” on page 80
• “Using the Access Management Console” on page 82
• “Configuring Your Farm with the Getting Started Panel” on page 84
• “Linking to Citrix Presentation Server” on page 85
• “Configuring Logon Points” on page 89
• “Logging on through the Logon Point” on page 92
• “Updating Logon Page Information” on page 93
• “Changing Expired Passwords” on page 93
• “Setting the Default Logon Point” on page 93
• “Removing Logon Points” on page 94
• “Configuring the Access Gateway” on page 95
• “Configuring Split Tunneling” on page 95
• “Forwarding System Messages” on page 96
• “Configuring Client Properties” on page 97
• “Configuring Server Properties” on page 98
• “Configuring ICA Access Control” on page 99
• “Configuring Authentication with Citrix Presentation Server” on page 100

Supported Configurations
You can deploy Access Gateway Advanced Edition in a variety of ways to meet the needs of your organization. Supported configurations include:
• One or more Access Gateway appliances deployed in the DMZ and the Advanced Access Control server deployed in the internal network
• One or more Access Gateway appliances deployed behind a load balancer in the DMZ and the Advanced Access Control server deployed in the internal network
• A double-hop DMZ scenario where one or more Access Gateway appliances are deployed in the first DMZ, one or more Access Gateway appliances are deployed in the second DMZ, and the Advanced Access Control server is deployed in the internal network

Access Gateway Configurations
Depending on your organization’s needs, you can deploy one or multiple Access Gateway appliances. If your deployment includes a load balancer with multiple appliances, you configure each appliance with the same FQDN as the load balancer but you do not specify Access Gateway failover servers. The load balancer handles failover as well as load balancing. If your deployment includes multiple appliances without a load balancer, you configure each appliance with a unique FQDN and specify the other appliances as failover servers. For more information about deploying the Access Gateway appliance, see Getting Started with Citrix Access Gateway Standard Edition.

Advanced Access Control Configurations
Advanced Access Control supports the following access server farm configurations:
• Advanced Access Control on a single server. Install Advanced Access Control on a single server. The server contains all required access server farm components, including the database server.
• Advanced Access Control on a single server and Microsoft SQL Server on a separate server. Install Microsoft SQL Server on a separate server. Install Advanced Access Control and specify the SQL database server for the server farm database.
• Advanced Access Control on multiple servers. Install Microsoft SQL Server on a separate database server. Install Advanced Access Control on multiple servers.

Double-Hop DMZ Configurations
You can deploy two Access Gateway appliances in a double-hop DMZ to control access to corporate resources through Advanced Access Control. In a double-hop DMZ configuration, three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. One Access Gateway resides in the first DMZ while one or more Access Gateway appliances reside in the second DMZ. The Advanced Access Control server resides in the internal network.

The Access Gateway in the first DMZ handles the client connections and performs the security functions of an SSL VPN. This Access Gateway encrypts the client connections, determines how clients are authenticated, and controls access to the servers in the internal network. The Access Gateway in the second DMZ serves as a proxy device. This Access Gateway enables the ICA traffic to traverse the second DMZ to complete Presentation Server Client connections to the access server farm. Communications between the Access Gateway in the first DMZ and the Secure Ticket Authority (STA) in the internal network are also proxied through the Access Gateway Proxy in the second DMZ.

Note: The term Access Gateway Proxy refers to the Access Gateway appliance deployed in the second DMZ.

When Access Gateway Advanced Edition is deployed in a double-hop DMZ configuration, the Access Gateway appliance in the first DMZ can communicate with any number of appliances in the second DMZ. However, the Access Gateway Proxy in the second DMZ can communicate with only one appliance in the first DMZ. Notification messages from the Advanced Access Control server are proxied through the Access Gateway in the second DMZ to the appliance in the first DMZ. For more information about communication between the Access Gateway and Access Gateway Proxy, see “Understanding the Relationship between the Access Gateway and the Access Gateway Proxy” on page 70.
In a double-hop DMZ deployment, users connect to the Access Gateway in the first DMZ with a Web browser and a Citrix Presentation Server Client. Users access the logon point on the Advanced Access Control server with a Web browser to access corporate resources. Users connect with a Citrix Presentation Server Client to use the resources to which they have access such as published applications.

Important: The Secure Access Client is not supported in a double-hop DMZ deployment. You cannot use the Secure Access Client to access network resources when Access Gateway appliances are deployed in a double-hop DMZ configuration.

Understanding the Relationship between the Access Gateway and the Access Gateway Proxy
Although the Access Gateway in the first DMZ can communicate with any number of Access Gateway Proxy appliances in the second DMZ, the Access Gateway Proxy in the second DMZ can communicate with only one Access Gateway in the first DMZ. If you deploy multiple Access Gateway appliances in the first DMZ, you should configure each appliance to communicate only with the Access Gateway Proxy that is configured to communicate with that specific Access Gateway. For example, an administrator has two Access Gateway appliances in the first DMZ (named Appliance 1 and Appliance 2) and four Access Gateway Proxy appliances in the second DMZ (named Appliance 4, Appliance 5, Appliance 6, and Appliance 7). The administrator configures Appliances 4 and 5 to communicate with Appliance 1; and Appliances 6 and 7 communicate with Appliance 2, as illustrated below.

Chapter 6

Configuring Advanced Access Control

When configuring Appliance 1 in the first DMZ, the administrator enables communication only with the Access Gateway Proxy that is configured to communicate with Appliance 1. Therefore, the administrator configures Appliance 1 to communicate with Appliances 4 and 5 only. Likewise, the administrator configures Appliance 2 to communicate with Appliances 6 and 7 only. The illustration below shows this configuration.

In this example, each Access Gateway in the first DMZ communicates with a subset of the Access Gateway Proxy appliances in the second DMZ. This ensures the Proxy appliances are able to respond to the appropriate Access Gateway in the first DMZ. Otherwise, notifications from the Advanced Access Control server would be lost and users could not log on and use corporate resources.

Deploying Double-Hop DMZ Configurations
Deploying Access Gateway Advanced Edition in a double-hop DMZ configuration involves the following tasks:
• Installing the Access Gateway appliances in the first and second DMZs.
• Adding the IP addresses and FQDNs of the Advanced Access Control server, the Access Gateway in the first DMZ, and the Access Gateway Proxy in the second DMZ to the Hosts file on the Access Gateway appliances in both DMZs and on the Advanced Access Control server. This task is required only if you are not using DNS in your environment.
• Configuring the Access Gateway Proxy in the second DMZ to communicate with the Access Gateway in the first DMZ and the Advanced Access Control server.
• Configuring the Access Gateway in the first DMZ to communicate with the Access Gateway Proxy in the second DMZ.
• Configuring the Access Gateway in the first DMZ to communicate with the Advanced Access Control server.

Important: To deploy this configuration correctly, you must perform these tasks in the specified order. For example, if you configure the Access Gateway in the first DMZ before you configure the Access Gateway Proxy in the second DMZ, you will receive errors and communication between the appliances will not occur even if all the settings are correctly configured.

Step 1: Installing Access Gateway Appliances
The Access Gateway Standard Edition Administrator’s Guide describes in detail the process for installing the Access Gateway in the first DMZ and the Access Gateway Proxy in the second DMZ. After you install these appliances, proceed to Step 2.

Step 2: Adding Entries to the Hosts Files on the Access Gateway and Advanced Access Control Server
The Hosts files on the Access Gateway appliances and the Advanced Access Control server consist of entries that are used to resolve FQDNs to IP addresses. If you are not using DNS in your double-hop DMZ configuration, you must add these entries. Use the Administration Tool to add the following entries to the Hosts file:
• On the Access Gateway in the first DMZ, add the FQDNs and IP addresses of the Access Gateway Proxy appliances in the second DMZ and of the Advanced Access Control server.
• On the Access Gateway Proxy, add the FQDN and IP address of the Access Gateway in the first DMZ and of the Advanced Access Control server.

On the Advanced Access Control server, use a text editor to add the FQDNs and IP addresses of the Access Gateway appliances in both DMZs to the Hosts file.
To add entries to the Hosts file on the Access Gateway

1. From the Administration Tool, click the Access Gateway Cluster tab and then expand the window for the Access Gateway in the first DMZ.
2. Click the Name Service Providers tab.
3. Under Edit the HOSTS file, in IP address, enter the IP address of the Access Gateway Proxy installed in the second DMZ.
4. In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step, and then click Add.
5. Repeat Steps 3 and 4 to add entries for any remaining Access Gateway Proxy appliances installed in the second DMZ and for the Advanced Access Control server.

To add entries to the Hosts file on the Advanced Access Control server

1. In Windows Explorer, locate the Hosts file in the %SystemRoot%\system32\drivers\etc directory.
2. Open the file using a text editor running with administrative rights (the file is writable only by administrators).
3. On a separate line, type the IP address and associated FQDN of each appliance.
4. Save the Hosts file.
5. Repeat Steps 1 through 4 for each Advanced Access Control server in your farm.

Step 3: Configuring Communication with the Access Gateway Proxy and Advanced Access Control
For a double-hop DMZ configuration, you must first configure the Access Gateway Proxy in the second DMZ to communicate with the Access Gateway in the first DMZ and with the Advanced Access Control server in the internal network. After you complete this step, the Access Gateway Proxy is ready to establish communication with the Access Gateway in the first DMZ.

Note: You can configure the Access Gateway Proxy to communicate with only one Access Gateway in the first DMZ. For more information about communication between the Access Gateway and Access Gateway Proxy, see “Understanding the Relationship between the Access Gateway and the Access Gateway Proxy” on page 70.
To configure communication between the Access Gateway Proxy and the Access Gateway

If you have multiple appliances installed in the second DMZ, perform this procedure on each appliance.

1. From the Administration Tool, select the Access Gateway Cluster tab and then expand the window for the appliance in the second DMZ.
2. On the General Networking tab, in DMZ Configuration, select Second hop in double DMZ.
3. In Protocol, select either SOCKS over SSL or SOCKS.
4. In Port, accept the default port (443 for SOCKS over SSL, 1080 for unsecured SOCKS) or enter the port you want to use.
5. Select the Advanced Access Control check box.
6. In FQDN of the first appliance in the DMZ, type the FQDN or IP address of the Access Gateway in the first DMZ. If you are using the SOCKS over SSL protocol, you must type the FQDN, because the SSL certificate is validated against that name. If you are using the SOCKS protocol, you can type either the FQDN or the IP address.
7. Click Submit and restart the Access Gateway Proxy.

After you configure the Access Gateway Proxy, you can configure the Access Gateway in the first DMZ.

Step 4: Configuring Communication between the Access Gateway and Access Gateway Proxy
In a double-hop DMZ configuration, the Access Gateway in the first DMZ communicates with the Access Gateway Proxy in the second DMZ to deliver requests to the Advanced Access Control server in the internal network.

Note: If you have multiple Access Gateway appliances installed in the first DMZ, you need to configure each of these appliances to communicate with its own subset of Access Gateway Proxy appliances. For more information, see “Understanding the Relationship between the Access Gateway and the Access Gateway Proxy” on page 70.
To configure communication between the Access Gateway and Access Gateway Proxy

1. From the Administration Tool, click the Access Gateway Cluster tab and then expand the window for the Access Gateway in the first DMZ.
2. On the General Networking tab, in DMZ Configuration, select First hop in double DMZ.
3. Select the Configure for Advanced Access Control check box and then click Add.
4. In the Add appliance from second hop window, complete the following:
• FQDN or IP address. Enter the FQDN or IP address of the Access Gateway Proxy installed in the second DMZ. If you are using the SOCKS over SSL protocol, you must enter the FQDN. If you are using the SOCKS protocol, you can enter either the FQDN or the IP address.
Note: This FQDN or IP address is also used by the Advanced Access Control server to communicate with the Access Gateway Proxy. When the Advanced Access Control server registers the Access Gateway in the first DMZ, the Gateway Appliances node in the Access Management Console displays the Access Gateway Proxy’s information.
• Port. The default port for a SOCKS over SSL connection is 443. The default port for a SOCKS connection is 1080. You can change the default ports as necessary.
• Protocol. Select SOCKS over SSL if you want to secure the SOCKS connection to the Access Gateway Proxy in the second DMZ with SSL. Select SOCKS if you want this connection to be unsecured; with plain SOCKS, the traffic between the two DMZs is not encrypted.
• Second hop appliance MAC address. Enter the MAC address of the network card associated with Interface 0 on the Access Gateway Proxy installed in the second DMZ.
5. Click Validate to verify that the Access Gateway in the first DMZ can connect to the Access Gateway Proxy in the second DMZ using the specified address, protocol, and port.
6. Repeat Steps 3 through 5 to add more appliances to the Appliances in second hop list.
Note: The Access Gateway in the first DMZ uses the Appliances in second hop list to load balance connections to the appliances installed in the second DMZ.
7. Click Submit and restart the Access Gateway.
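The following Python script is an added example, not Citrix code, that models the layout described in “Understanding the Relationship between the Access Gateway and the Access Gateway Proxy” and checks the rules this chapter states before you enter them in the Administration Tool: a second-hop appliance may be listed under only one first-hop appliance, SOCKS over SSL must be addressed by FQDN, and the address entered must be the proxy’s own FQDN or IP address. It also produces the Hosts-file lines that Step 2 requires on each host when DNS is unavailable. All appliance names, FQDNs, and IP addresses in it are constructed for the example.

```python
"""Double-hop DMZ layout check and Hosts-file generator.

Added example, not Citrix code. Appliance names, FQDNs and IP addresses are
constructed for illustration and are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str   # label used only in this example, e.g. "Appliance 1"
    fqdn: str   # name the other hosts resolve (assumed)
    ip: str


@dataclass(frozen=True)
class ProxyLink:
    """One row of a first-hop appliance's 'Appliances in second hop' list."""
    proxy: Node
    protocol: str  # "SOCKS over SSL" or "SOCKS", as offered by the Administration Tool
    address: str   # the FQDN or IP address entered for the proxy
    port: int


DEFAULT_PORT = {"SOCKS over SSL": 443, "SOCKS": 1080}


def is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def validate_topology(links: dict[Node, list[ProxyLink]]) -> list[str]:
    """Return the rules the layout breaks; an empty list means it is consistent."""
    problems: list[str] = []
    owner: dict[Node, Node] = {}  # proxy -> the first-hop appliance that lists it
    for first_hop, rows in links.items():
        for row in rows:
            prev = owner.setdefault(row.proxy, first_hop)
            if prev != first_hop:
                problems.append(
                    f"{row.proxy.name} is listed under both {prev.name} and "
                    f"{first_hop.name}; a proxy can communicate with only one "
                    f"first-hop appliance")
            if row.protocol not in DEFAULT_PORT:
                problems.append(
                    f"{first_hop.name} -> {row.proxy.name}: unknown protocol {row.protocol!r}")
                continue
            if row.protocol == "SOCKS over SSL" and is_ip_literal(row.address):
                problems.append(
                    f"{first_hop.name} -> {row.proxy.name}: SOCKS over SSL needs the "
                    f"FQDN, not the IP address {row.address}")
            if row.address not in (row.proxy.fqdn, row.proxy.ip):
                problems.append(
                    f"{first_hop.name} -> {row.proxy.name}: {row.address} is neither "
                    f"the proxy's FQDN nor its IP address")
    return problems


def hosts_line(node: Node) -> str:
    return f"{node.ip}\t{node.fqdn}"


def hosts_entries(links: dict[Node, list[ProxyLink]], aac: Node) -> dict[str, list[str]]:
    """Hosts-file lines each host needs when DNS is not available (Step 2).

    First hop: its proxies and the AAC server.  Proxy: its first hop and the
    AAC server.  AAC server: every appliance in both DMZs.
    """
    entries: dict[str, list[str]] = {aac.name: []}
    for first_hop, rows in links.items():
        entries[first_hop.name] = [hosts_line(r.proxy) for r in rows] + [hosts_line(aac)]
        entries[aac.name].append(hosts_line(first_hop))
        for r in rows:
            entries[r.proxy.name] = [hosts_line(first_hop), hosts_line(aac)]
            entries[aac.name].append(hosts_line(r.proxy))
    return entries


# Constructed layout matching the chapter's example: Appliances 1 and 2 in the
# first DMZ, Appliances 4 to 7 in the second DMZ (addresses are made up).
AAC = Node("AAC server", "aac.corp.example", "10.0.0.10")
A1 = Node("Appliance 1", "ag1.dmz1.example", "192.0.2.1")
A2 = Node("Appliance 2", "ag2.dmz1.example", "192.0.2.2")
A4, A5, A6, A7 = (Node(f"Appliance {i}", f"agp{i}.dmz2.example", f"198.51.100.{i}")
                  for i in (4, 5, 6, 7))


def ssl_row(proxy: Node) -> ProxyLink:
    """SOCKS over SSL on the default port, addressed by FQDN as the guide requires."""
    return ProxyLink(proxy, "SOCKS over SSL", proxy.fqdn, 443)


GOOD_LAYOUT = {A1: [ssl_row(A4), ssl_row(A5)], A2: [ssl_row(A6), ssl_row(A7)]}

# Appliance 4 listed under both first-hop appliances, and Appliance 7 addressed
# by IP over SSL: both break the rules stated in this chapter.
BAD_LAYOUT = {A1: [ssl_row(A4), ssl_row(A5)],
              A2: [ssl_row(A4), ProxyLink(A7, "SOCKS over SSL", A7.ip, 443)]}

if __name__ == "__main__":
    print("good layout problems:", validate_topology(GOOD_LAYOUT))
    print("bad layout problems:", *validate_topology(BAD_LAYOUT), sep="\n  ")
    for host, lines in hosts_entries(GOOD_LAYOUT, AAC).items():
        print(f"{host}:", *lines, sep="\n  ")
```

Run the script to print the check results and the Hosts entries. An empty problem list means the layout is safe to enter; the generated lines are what you type into the Name Service Providers tab on each appliance and into the Hosts file on the Advanced Access Control server.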


Step 5: Configuring Communication between the Access Gateway and Advanced Access Control
In a double-hop DMZ configuration, the Access Gateway in the first DMZ communicates with the Advanced Access Control server through the Access Gateway Proxy in the second DMZ. To configure the Access Gateway in the first DMZ to communicate with the Advanced Access Control server, see “Enabling Advanced Access Control” on page 80 for instructions.

Changing the Server Configuration
You can make changes to the access server farm configuration at any time from the console. When you install more than one Advanced Access Control server in an access server farm, you can configure additional servers to provide recovery, enhance performance, and increase the server farm’s capacity to support additional users. For more information about managing Advanced Access Control servers, see “Managing Your Access Gateway Environment” on page 213.

Configuring Your Server
After you install Advanced Access Control, you configure your servers using the Server Configuration utility. This section describes the following configuration tasks:
• Creating an access server farm
• Selecting a farm database and specifying a database server
• Specifying the Citrix Licensing Server
• Selecting a Web site path and securing Logon Agent traffic
• Enabling Advanced Access Control

Server Configuration Overview
The Server Configuration utility allows you to perform preliminary configuration tasks such as creating an access server farm and specifying a license server. This utility sets up the account you specify as the service account. It adds the account to the local Administrators group and grants the following local security policy rights:
• Act as part of the operating system
• Log on as a batch job
• Log on as a service

Important: The Server Configuration utility cannot create a SQL user account for access to the farm database. You must create an account in SQL Enterprise Manager before you change the user account for database access. The database user account must have System Administrator privileges.

The Server Configuration utility does not add the service account to network shares. It also does not remove previous service accounts from the local security policy or from network shares, so a replaced service account keeps the rights listed above until you remove it. If this is a security concern, remove the old accounts after updating the account information with the utility.

The Server Configuration utility performs the following operations:
• Verifies all account information
• Updates services
• Stops Advanced Access Control services
• Starts Advanced Access Control services
• Updates internal service account information
• Updates internal database account information
• Synchronizes the access server farm

Steps to Configuring A Server
After installing Advanced Access Control, you can configure a server with the Server Configuration Utility.
To run the Server Configuration utility

Click Start > Programs > Citrix > Access Gateway > Server Configuration.

Creating or Joining an Access Server Farm
When you install Advanced Access Control on a server, you can create a new access server farm or add the server to an existing access server farm.
• Create a new access server farm. Choose this option if you are creating an access server farm. The access server farm name becomes the SQL Server database name. Choosing this option requires you to enter licensing, service account, and database information.
• Join an existing access server farm. Choose this option if you are adding a server to an existing access server farm. Choosing this option requires you to enter service account and database information.

Selecting a Database
When you create an access server farm, the Server Configuration utility prompts you to specify whether to use an existing SQL Server database or to install a local database engine. The database server stores the configuration data for the access server farm.
• Microsoft SQL Server. Choose this option to use a supported version of Microsoft SQL Server as the database server for the access server farm. SQL Server can run on the same server running Advanced Access Control or on a separate database server.
Important: If you want to select a SQL Server database, be sure the SQL Service is running on the server you want to specify. If the SQL Service is not running, the Server Configuration utility cannot detect the server.
• Microsoft SQL Server Express. Choose this option if you want Advanced Access Control to install the necessary components for a local database server and create a database for the access server farm. The Server Configuration utility searches for an instance of SQL Server Express labeled CitrixAAC. If this instance is not found, the Server Configuration utility installs this instance for you.
Note: Use the Microsoft SQL Server Express option for a pilot deployment of Advanced Access Control. Citrix recommends the use of Microsoft SQL Server for large-scale deployments.

Specifying an Existing Database Server
If you select Microsoft SQL Server as your database, the Server Configuration utility prompts you to specify the server on which SQL Server is installed.
• Farm database server. Type the name of the database server.
• Access server farm name. Type the name of the access server farm you want to create or join.
• Use the Service Account to access the configuration database. Choose this option to use the Advanced Access Control service account credentials to access the SQL database.
• Use SQL Authentication to access the configuration database. Choose this option to use the SQL database account credentials to access the SQL database. If you choose this option, you must also enter the database user name and password.

Specifying a License Server
If you are creating a new access server farm, the Server Configuration utility prompts you to identify the license server you want to use to validate your installation of Advanced Access Control. You must select one of the following options to continue server configuration.
• I would like to use an existing license server. Choose this option if you want to specify a license server that you installed directly. In the Host name box, type the name of the license server you want to use. If the license server uses a port other than 27000, clear the Use default port check box and then type the correct port in the License server port box.
• I would like to install a new license server on this computer. Choose this option if you want to install a license server on the same machine as the server running Advanced Access Control. When you complete the server configuration, Advanced Access Control installs the license server.
• I do not wish to configure licensing at this time. Choose this option if you want to specify a license server later. Until you specify a license server, users receive an “Access Denied” message when they attempt to log on to Advanced Access Control.

Selecting a Web Site Path
The Web site path is the location where all Web content for Advanced Access Control is installed. Review the Web site path that Advanced Access Control detects to ensure it is valid for your deployment.
To change the physical path

1. Select the Web site you want to change.
2. Select the Use custom path for web content check box.
3. In the Path box, type the physical path you want to use for the Web site. You can also click Browse to navigate to the directory you want to specify.


Securing Web Site Traffic with SSL
When you select a Web site path, you can also enable the Secure Sockets Layer (SSL) protocol to secure communication with the Logon Agent. To secure Web site traffic, select the Secure traffic between the Logon Agent and the Authentication Service check box.

Important: You must have the required digital certificates installed on the server before configuring Advanced Access Control. This check box is not enabled unless SSL is enabled on the server.

Finishing Server Configuration
The Server Configuration utility displays a summary of your selected options and configuration settings. After you review the summary, click Next to initiate server configuration. When configuration is complete, click Finish and proceed to enabling Advanced Access Control to manage the Access Gateway appliance.

Enabling Advanced Access Control
To use the granular access control features of Advanced Access Control, you must enable the Access Gateway appliance to communicate with the Advanced Access Control server.

Note: If you are deploying Access Gateway Advanced Edition in a double-hop DMZ deployment, you enable communication with Advanced Access Control only after the other double-hop tasks are completed. For more information about these tasks, see “Double-Hop DMZ Configurations” on page 69.

To enable communication with Advanced Access Control, you perform the following tasks using the Access Gateway Administration Tool:
• In the Name Service Providers tab, enter the DNS and WINS information for your Advanced Access Control server.
• In the Routes tab, configure the IP routes as needed.
• In the Advanced Options tab, select Advanced Access Control and enter the server information.


After you perform these tasks and reboot the appliance, you use the Administration Tool to manage appliance-specific settings only. For more information about using the Administration Tool, see the Access Gateway Standard Edition Administrator’s Guide.

Important: When you enable Advanced Access Control to manage global gateway appliance settings, the corresponding settings in the Administration Tool are deactivated and any existing configuration values are removed. If you configured these settings with the Administration Tool before enabling Advanced Access Control, you must configure them again in the Access Management Console. For more information about configuring these settings in the console, see “Configuring the Access Gateway” on page 95. Likewise, if you disable appliance administration with Advanced Access Control, the global gateway appliance settings you configured in the console are deactivated and existing configuration values are removed.
To enable Advanced Access Control

1. Launch the Access Gateway Administration Tool and select an Access Gateway appliance.
2. On the Access Gateway Cluster tab, click Advanced Options.
3. To manage the Access Gateway cluster using the Access Management Console, select Advanced Access Control.
4. In Server running Advanced Access Control, type the IP address or FQDN of the server that is running Advanced Access Control.
Important: If you specify the FQDN of the server running Advanced Access Control and you cannot connect to the server, ensure you have entered the DNS servers you want to use in the Name Service Providers tab of the Administration Tool. If you specify the IP address of the server running Advanced Access Control, you do not need to specify the DNS servers.
5. To encrypt communication between the Access Gateway appliance and the Advanced Access Control server, select Secure server communication.
6. Click Submit to save your changes.
7. Restart the Access Gateway.


Using the Access Management Console
The Access Management Console extends your ability to manage your deployment by integrating many of the administrative features of your Citrix products into the Microsoft Management Console (MMC). The Access Management Console is a standalone snap-in to the MMC. Management functionality is provided through a number of management tools (extension snap-ins) that you can select when you install the Access Management Console or at any time later.

Installing the Access Management Console
Before installing any snap-ins to the Access Management Console, ensure that you installed the Access Management Console - Framework Version 4.5. If you try to install any snap-ins before installing the Framework on your server, the installation fails. You cannot install any snap-in if a newer version of the snap-in is present on your server. If you try to do so, the installation fails. Before you install an older version of a snap-in, first uninstall your existing snap-in.

Users and Accounts
You must be a Citrix administrator to use the Access Management Console. You should therefore ensure that the correct administrator privileges are in place before allowing others to use the console. Do not run the console in two sessions simultaneously on one computer using the same user account. Changes made on the console in one session can overwrite changes made in the other.

Deploying the Console to Administrators
To use the console to make changes to an Advanced Access Control deployment, administrators must have permission to run the Access Gateway Server COM+ application. For more information about granting COM+ permissions, see “Securing the Access Management Console Using COM+” on page 215.

The Access Management Console User Interface
The main user interface of the Access Management Console consists of three panes:
• The left pane contains the console tree.
• The task pane in the middle displays administrative tasks and tools. This pane is not present in the MMC.
• The details pane on the right displays information about your deployment items and associated tasks.

The following nodes are available under the top-level node in the console tree:
• Alerts. Lists the alerts created by all the items in your deployment. Double-click an alert to drill down to the affected item.
• Search Results. Displays the results of any search that you performed. Click Search in the task pane to perform a standard or advanced search.
• My Views. Allows you to customize the information that you display in the details pane.

In addition, nodes are created by some Access Management Console snap-ins when they are installed. Depending on your Access Management Console installation, the following snap-ins are available:
• Licensing. Launches the License Management Console that allows you to manage licenses for your Citrix products. For more information about the License Management Console, see the Getting Started with Citrix Licensing Guide.
• Diagnostic Facility. Creates and packages trace logs and other system information to assist Citrix Technical Support in diagnosing problems.

Starting the Access Management Console
To start the Access Management Console

Click Start > Programs > Citrix > Management Consoles > Access Management Console.

Finding Items in Your Deployment Using Discovery
Before you can use the Access Management Console to manage the items in your deployment, you must run discovery. Discovery is not equivalent to locating items that already exist in the console tree, which you perform using Search in the task pane. In contrast, discovery adds items to the console tree. You discover items using the Run discovery task. The first time you open the console, discovery runs automatically. At any stage afterwards, run discovery to locate newly installed products or components and to update the console if items were added to or removed from your deployment. For example, if another instance of the console was used to configure settings, you need to run discovery to add those updates.

To run discovery for all components

1. Select Suite Components in the console tree.
2. Click Run discovery in the task pane.

To run discovery for one component in the console tree, select the component and then click Run discovery.

Run discovery on a regular basis to ensure that you have the most up-to-date view of your deployment, and in particular when:
• You installed or removed an Access Gateway or Advanced Access Control item or component. The console does not recognize recently installed items or components until you run discovery.
• Items are added to or removed from an existing deployment. The console tree, the details pane, and the available tasks are refreshed only after discovery is completed.
• Your administrative privileges change or you change a custom administrator’s privileges. Modifications to privileges do not take effect in the console until you rerun discovery.

Customizing Your Displays Using My Views
You can create custom displays of the details pane called My Views. These are configurable displays that give you quick access to items you need to examine regularly or items in different parts of the console tree that you want to group in the same display. Instead of repeatedly browsing the console tree, you can place the items in a single, easily retrieved display. For example, you can create a My View to display policies for servers in different access server farms.

Configuring Your Farm with the Getting Started Panel
To help you configure your deployment, the Getting Started panel presents links to several wizards that guide you through tasks such as configuring email and access policies.
To access the Getting Started Panel

1. Select the Access Gateway node in the navigation pane.
2. Under Other Tasks in the task pane, click Getting started.

You can also right-click the Advanced Access Control node or the farm node in the console tree and then click All Tasks > Getting started.


By default, the Getting Started panel appears when you click the Advanced Access Control node. To prevent the Getting Started panel from appearing automatically, clear the Always show this page check box located near the bottom of the panel.

Linking to Citrix Presentation Server
You can link the access server farm to farms running Citrix Presentation Server. This allows you to offer published resources from Citrix Presentation Server through file type association or the Web Interface. When file type association is allowed by policies, opening a document launches it in an associated application running on a server. To link your access server farm to farms running Citrix Presentation Server, you:
• Specify the farm(s) you want to link to your access server farm
• Configure load balancing or failover if the server farm includes multiple servers
• Configure address modes if the server farm is behind a firewall configured for Network Address Translation (NAT)

Before you link your access server farm, ensure the following requirements are met in Citrix Presentation Server:
• Published resources are assigned to the same user groups assigned to resources in the access server farm.
• The option Allow connections made through Access Gateway is enabled for each published resource. This option appears in the access control settings of the published resource properties.
• In each server’s properties, the option Trust requests sent to the XML Service is selected. Because this setting makes the XML Service accept the user identity asserted by the calling server, restrict access to the XML Service port to the Advanced Access Control servers, for example with firewall rules.

Specifying Server Farms
Create a list of the server farms that are available to users of Access Gateway. This list is used in logon point properties to specify which farms are available to users of the logon point. Each server farm you configure contains a list of servers you can use to specify load balancing or failover among servers within the farm.
To specify server farms

1. In the console tree, select the access server farm node and click Edit farm properties in Common Tasks.
2. Select the Presentation Server Farm page and click New.
3. In the Citrix Presentation Server farm name box, type the name or IP address of the farm to which you want to link your access server farm.
Note: Advanced Access Control accepts server farm names up to 50 characters long. If the server farm name is longer than 50 characters, type the IP address instead.
4. If you want to secure the link between Advanced Access Control and Citrix Presentation Server, select the Secure communication with the farm by applying a secure protocol check box.
Note: To apply a secure protocol, you must have the appropriate client and server certificates installed on the Advanced Access Control servers and Access Gateway appliances.
5. Click Next and then click Add.
6. In the Server name box, type the machine name of the server running Citrix Presentation Server.

Configuring Load Balance or Failover
You can balance the load of requests sent to servers running Citrix Presentation Server. Requests follow the sequence of the server list in Presentation Server Farm Properties. The initial request goes to the first server on the list, the next request goes to the second server, and so on. After the last server, the process starts again at the top of the list.

Important: Do not prioritize the data collector or master ICA browser server as the first server on the list.

You can use the list to sequence failover in case connectivity to a server becomes unavailable. Use failover support to ensure continued access to published resources. The server list can sequence load balancing or failover support, but not both. By default, the server list is used for failover.
To implement load balancing or failover support

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit. The Presentation Server Farm Properties appear.
3. On the Servers page, use Up and Down to change the sequence of servers.
4. Select Load balance requests to servers or Set failover sequence of unavailable servers.
5. To change the bypass interval, change the value displayed in minutes. The default is five minutes.
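The following Python model is an added example, not Citrix code, of the server list behaviour this section describes: in load balance mode requests rotate through the list and wrap to the top; in failover mode every request goes to the first server that is not bypassed; and a server marked unavailable is skipped for the bypass interval (five minutes by default). How Advanced Access Control itself detects an unavailable server is not described on the page, so the model takes that as an explicit call. Server names are constructed.

```python
"""Model of the server list behaviour described for linked Presentation Server
farms: round-robin load balancing or a failover sequence, with unavailable
servers bypassed for the configured interval.

Added example, not Citrix code; the product's own implementation is not shown
in the guide. Server names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerList:
    servers: list[str]                # in the order shown on the Servers page
    mode: str = "failover"            # "failover" (the default) or "loadbalance"
    bypass_minutes: float = 5.0       # default bypass interval from the guide
    _cursor: int = 0                  # next round-robin position
    _bypass_until: dict[str, float] = field(default_factory=dict)  # server -> seconds

    def mark_unavailable(self, server: str, now: float) -> None:
        """Skip `server` until the bypass interval has elapsed; times are seconds."""
        if server not in self.servers:
            raise ValueError(f"{server} is not in the server list")
        self._bypass_until[server] = now + self.bypass_minutes * 60

    def _usable(self, server: str, now: float) -> bool:
        return now >= self._bypass_until.get(server, float("-inf"))

    def next_server(self, now: float) -> Optional[str]:
        """Server for the next request, or None while every server is bypassed."""
        n = len(self.servers)
        if self.mode == "loadbalance":
            # Walk the list from the cursor so requests rotate through the servers,
            # wrapping to the top after the last one, and skip bypassed servers.
            for step in range(n):
                idx = (self._cursor + step) % n
                if self._usable(self.servers[idx], now):
                    self._cursor = (idx + 1) % n
                    return self.servers[idx]
            return None
        if self.mode == "failover":
            # Always the first server that is not being bypassed.
            for server in self.servers:
                if self._usable(server, now):
                    return server
            return None
        raise ValueError(f"unknown mode {self.mode!r}")


if __name__ == "__main__":
    farm = ServerList(["ps-app1", "ps-app2", "ps-app3"], mode="loadbalance")
    print([farm.next_server(now=0) for _ in range(4)])   # rotates, wraps to ps-app1
    farm.mark_unavailable("ps-app2", now=0)
    print([farm.next_server(now=10) for _ in range(2)])  # ps-app2 bypassed
    print(farm.next_server(now=301))                     # ps-app2 back after 5 minutes
```

The model makes one consequence of the page's advice visible: in failover mode the first server takes every request until it is bypassed, which is why the data collector should not be first on the list.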

Configuring Address Modes
If your server farm is behind a firewall and the firewall is configured for Network Address Translation (NAT), you can define settings to determine the IP address of the server included in ICA files.
To configure address modes for client IP addresses

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.
3. On the Address Mode page, click New.
4. In the Client IP Address box, type the incoming client IP address or range of IP addresses for client requests in dotted decimal format (for example, 255.255.255.255). For Access Gateway, the incoming address is the address of the Access Gateway appliance.
5. Select the Server Address Mode from the list:
• Normal. The IP address sent to the client is the actual address of the server. This is the default setting.
• Alternate Address. The IP address sent to the client is the alternate address of the server. Alternate addresses are configured on the server running Citrix Presentation Server. To use this option, you must have a firewall with NAT enabled and alternate IP addresses assigned to the servers. For more information about setting alternate addresses, see the Citrix Presentation Server Administrator’s Guide.
• Translated Address. The IP address sent to the client is based on the configured address translation mappings. For more information, see “Configuring Address Translation” on page 88.
• Access Gateway. The IP address sent to the client is the actual address of the Access Gateway appliance. To use this option, you must also define the Access Gateway settings. For more information, see “Configuring the Access Gateway Address Mode” on page 88.

You can assign addressing modes for specific IP addresses or a range of IP addresses. You can use asterisks as wildcards (such as 10.12.128.*) to indicate a range of IP addresses.


Configuring Address Translation
If your server farm is behind a firewall, you can hide internal server addresses by performing the following tasks:
• Map the internal IP address of each server to an external IP address
• Specify the client addresses that use the translated address

Note: To use this option, you must have a firewall with Network Address Translation (NAT) enabled.
To map the internal IP address of a server

1. Select the access server farm node and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit. The Presentation Server Farm Properties appear.
3. On the Address Mode page, click Address Translation.
4. Click New.
5. Enter the internal IP address and port of the server running Citrix Presentation Server. In the Translated address box, enter the external IP address and port that clients must use to connect to the server.
6. On the Address Mode page, click New to open the New Client Address Mode dialog box.
7. Add the client IP address or range of addresses for the clients that use the translated address you just configured. Select Translated Address from the Server Address Mode list.

The Address Translation settings apply only to the specified client IP addresses on the Address Mode page.
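As an added example (not part of this guide and not Citrix code), the following Python resolves which server address would be written into an ICA file for a given client, applying the Address Mode and Address Translation rules above. It assumes the configuration tables are plain lists and dicts constructed here, that the most specific matching Client IP Address entry wins, and that a client matching no entry gets Normal, the documented default; the sample addresses and ports are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Server Address Modes as listed on the Address Mode page.
NORMAL = "Normal"
ALTERNATE = "Alternate Address"
TRANSLATED = "Translated Address"
ACCESS_GATEWAY = "Access Gateway"


def client_pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Convert a Client IP Address entry into a network.

    Accepts a single dotted address (10.12.128.7) or a wildcard range such
    as 10.12.128.* where the trailing octets are '*', as the console allows.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad client address pattern: {pattern!r}")
    prefixlen = 32
    fixed: List[str] = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
            prefixlen -= 8
            fixed.append("0")
        elif seen_star:
            # 10.*.128.5 is not a contiguous range; reject it.
            raise ValueError(f"wildcards must be trailing octets: {pattern!r}")
        elif octet.isdigit() and 0 <= int(octet) <= 255:
            fixed.append(octet)
        else:
            raise ValueError(f"bad octet in pattern: {pattern!r}")
    return ipaddress.IPv4Network(f"{'.'.join(fixed)}/{prefixlen}", strict=False)


def select_address_mode(client_ip: str, mode_table: List[Tuple[str, str]]) -> str:
    """Return the Server Address Mode for client_ip.

    mode_table holds (client pattern, mode) rows. Assumption for this example:
    the most specific matching pattern wins, and a client that matches no row
    gets Normal, the documented default.
    """
    client = ipaddress.IPv4Address(client_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for pattern, mode in mode_table:
        net = client_pattern_to_network(pattern)
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, mode)
    return best[1] if best else NORMAL


def address_for_ica_file(
    client_ip: str,
    server: str,
    mode_table: List[Tuple[str, str]],
    alternate_addresses: Dict[str, str],
    translation_map: Dict[str, str],
    gateway_address: str,
) -> str:
    """Pick the 'host:port' string the client is told to connect to.

    server, the values of alternate_addresses, the keys and values of
    translation_map and gateway_address are all 'host:port' strings.
    """
    mode = select_address_mode(client_ip, mode_table)
    if mode == NORMAL:
        return server
    if mode == ALTERNATE:
        # Needs NAT on the firewall and an alternate address set on the
        # Presentation Server itself; a missing entry is a configuration error.
        if server not in alternate_addresses:
            raise LookupError(f"no alternate address configured for {server}")
        return alternate_addresses[server]
    if mode == TRANSLATED:
        # Address Translation mapping: internal host:port -> external host:port.
        if server not in translation_map:
            raise LookupError(f"no translated address configured for {server}")
        return translation_map[server]
    if mode == ACCESS_GATEWAY:
        # The client connects to the appliance, which proxies ICA to the server.
        return gateway_address
    raise ValueError(f"unknown server address mode {mode!r}")


# Constructed sample configuration (not taken from the guide).
SAMPLE_MODE_TABLE = [
    ("10.12.128.*", TRANSLATED),       # one NAT'd client subnet
    ("10.12.*.*", ALTERNATE),          # wider range, less specific
    ("203.0.113.10", ACCESS_GATEWAY),  # the Access Gateway appliance itself
]
SAMPLE_ALTERNATES = {"10.1.1.5:1494": "198.51.100.50:1494"}
SAMPLE_TRANSLATION = {"10.1.1.5:1494": "198.51.100.5:1494"}
SAMPLE_GATEWAY = "gateway.example.com:443"


if __name__ == "__main__":
    for client in ("10.12.128.7", "10.12.9.7", "203.0.113.10", "192.0.2.1"):
        addr = address_for_ica_file(client, "10.1.1.5:1494", SAMPLE_MODE_TABLE,
                                    SAMPLE_ALTERNATES, SAMPLE_TRANSLATION, SAMPLE_GATEWAY)
        print(f"{client} -> {addr}")
```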

Configuring the Access Gateway Address Mode
If you are providing applications through Citrix Presentation Server, you must configure the server address mode. The server address mode determines which server IP address is sent to users when they open applications from the farm running Citrix Presentation Server.
To configure the Access Gateway address mode

1. Select the access server farm and click Edit farm properties.
2. On the Presentation Server Farms page, select the farm and click Edit.


3. On the Address Mode page, click Access Gateway.
4. Select the option to configure Access Gateway.
5. Enter the Access Gateway server name (exactly as it appears on the server certificate) and port.
6. If the servers in your server farm are behind a firewall and configured to use NAT alternate addresses, select the option to use alternate addresses.

Associating Access Platform Sites
If you display multiple sites within the Access Interface and want to preserve Workspace Control functions, you must select an Access Platform site to associate with a Presentation Server farm. After you configure and publish an Access Platform site as a Web resource, you can select the site from the Web Interface page of the farm properties. For more information, see “Displaying Multiple Sites and Caching Credentials” on page 160.

Configuring Logon Points
The logon point defines the logon page for users and specifies settings that are applied to user sessions. These initial settings include the required authentication strength, the clients to use, the home page, and the accessible server farms. User sessions inherit the properties of the logon point through which they connect. To determine the logon points you will need, consider:
• The users who will be accessing your deployment. For example, users in a particular department may require their own logon point. Likewise, users with a specific relationship to your organization, such as partners, may require their own logon point.
• The devices with which users access the logon point. For example, users who access resources with small form factor devices such as a PDA may require a logon point separate from the logon point accessed with workstations.
• The policies you want to create that restrict access to resources based on the logon point used. For example, users who authenticate from a specific logon point can access specific resources that are unavailable when using a different logon point.

For more information about using logon points in policies to control access to resources, see “Controlling Access Through Policies” on page 131. To configure a logon point in your deployment, you perform the following tasks:
• Create the logon point using the console


• Deploy the logon point using the Server Configuration utility

To create a logon point

1. In the console tree, select Logon Points.
2. Under Common Tasks in the task pane, click Create logon point.
3. Type a unique name and description for the new logon point.
4. Select a home page from the following options:
   • Display the default navigation page. Displays the Access Interface, a built-in default home page for users, with tabs for email, file shares, and Web applications.
   • Display the home page application with the highest display priority. Displays the Web application listed at the top of the display order list. To change the display priority, click Set Display Order.
5. On the Authentication and Authorization pages, select the authentication method and group authority you want to use when users log on. For more information about configuring authentication, see “Securing User Connections” on page 101.
6. On the Presentation Server Farms page, add the farms that you want to make available to users through file type association. If you are using the Web Interface to deliver published applications, you do not need to add farms to the logon point. For more information about using the Web Interface with Advanced Access Control, see “Integrating Citrix Presentation Server” on page 157.
7. Configure options for sound, windows, and Workspace Control.
   Note: Workspace Control allows users to reconnect to their open applications. If users have pop-up blockers enabled, they are prompted to allow each application to open in a separate window.
8. On the Clients page, select the clients you want to deploy to users during logon.
9. On the Sessions Settings page, set the options for the method of prompting users for their domain and the number of days to warn users about password expiration.


   Note: Users who allow their passwords to expire cannot log on to Advanced Access Control. For more information about restoring access to these users, see “Changing Expired Passwords” on page 93.
10. On the Session Timeouts page, set the interval, in minutes, for the following time-out settings:
   • Maximum time for VPN client sessions. The length of time a session using the Secure Access Client is allowed to remain active. The default value of zero means the session remains active indefinitely.
   • Maximum time for traffic inactivity before session ends. The length of time a browser-only session or a session using the Secure Access Client is allowed to remain active without any traffic activity detected. The default value is 20 minutes. You may want to increase this value if users experience excessive time-outs with features such as Live Edit that do not communicate with the Advanced Access Control server to keep sessions active. If you enter zero for this setting, the session will remain active regardless of inactivity.
   • Maximum time for mouse and keyboard inactivity before VPN session ends. The length of time a session using the Secure Access Client is allowed to remain active without any mouse or keyboard input detected. If you enter zero for this setting, the session will remain active regardless of inactivity.
11. On the Visibility page, select whether to show the logon page to users logging on through the Access Gateway or to set conditions for showing the logon page to users logging on to Advanced Access Control directly. The default logon point is always visible to users logging on through the Access Gateway. For more information about using conditions for showing the logon page, see “Setting Conditions for Showing the Logon Page” on page 141.

To deploy a logon point

1. Click Start > Programs or All Programs > Citrix > Access Gateway > Server Configuration.
2. From the Configured Logon Points page, select the logon point you want to deploy.
3. Click Deploy.


Renaming Logon Points
If you rename an existing logon point, you must redeploy it to make it available to users. To redeploy a renamed logon point, open the Server Configuration utility and select the renamed logon point. Click Update to redeploy the logon point.

Logging on through the Logon Point
When you deploy a logon point, a logon point folder is created in a virtual directory named CitrixLogonPoint. A URL pointing to the logon point folder can be used to access the network. For example:
https://appliancename/CitrixLogonPoint/logonpointname
where appliancename is the FQDN or IP address of the Access Gateway appliance and logonpointname is the name of the logon point folder.
During installation, Advanced Access Control creates a logon point, called SampleLogonPoint, that you can use for testing. To access this logon point, you type the following URL:
https://appliancename/CitrixLogonPoint/SampleLogonPoint
where appliancename is the FQDN or IP address of the Access Gateway appliance.
Important: The sample logon point is designed for testing purposes only. Default policies created for the sample logon point allow all authenticated users to see the logon page and to log on. After testing your system, replace the sample logon point or edit these policies to comply with your network security guidelines. For more information, see “Controlling Access Through Policies” on page 131.
Users can also access the default logon point by typing the following URL:
https://appliancename/
where appliancename is the FQDN or IP address of the Access Gateway appliance. For more information about default logon points, see “Setting the Default Logon Point” on page 93. For more information about distributing logon points to users, see “Rolling Out Advanced Access Control to Users” on page 195.


Updating Logon Page Information
The Access Gateway stores copies of the Web pages and graphic files that comprise the logon pages users see when they access resources. You must update these files when you:
• Deploy a new logon point
• Customize an existing logon page
• Redeploy a renamed logon point

To update logon page files on the Access Gateway

1. From the console tree, expand Logon Points and select the logon point you want to update.
2. In Common Tasks, click Refresh logon page information.

If the Access Gateway is unavailable when you perform this task, the console displays an error message indicating the gateway appliance is out of date. If the Access Gateway becomes available when you rerun the task, the console displays a message indicating the update was successful.

Changing Expired Passwords
The Session Settings page in the logon point properties allows you to specify the number of days to warn users about password expiration. Users can change their password at any time during this period and continue accessing resources through the logon point. Users who allow their passwords to expire are denied access and are not prompted to change their expired passwords. To restore access to users with expired passwords, select the User must change password at next logon check box in the user’s Windows account properties. The next time the user attempts to log on to Advanced Access Control, the user is prompted to change the expired password.

Setting the Default Logon Point
Default logon points enable users to log on to the access server farm through the Access Gateway without specifying a logon point. You can designate a logon point as the default using the console. When you install Advanced Access Control the SampleLogonPoint is designated as the default logon point. Only one logon point can be designated as the default at any time.


When you set a logon point as the default, the logon point becomes visible automatically to users logging on through the Access Gateway. If, at a later time, you set a different logon point as the default, the logon point remains visible to these users. If you want the logon point to be visible only to users logging on to Advanced Access Control within the corporate network, you must change the visibility settings in the logon point properties. For more information about configuring logon points, see “Configuring Logon Points” on page 89.
To set a default logon point

1. In the console tree, expand Logon Points and select the logon point you want to designate as the default.
2. Under Common Tasks, click Set as default logon point.

Removing Logon Points
To remove a logon point from your deployment, you perform the following tasks:
• Remove any policies associated with the logon point
• Delete the logon point from the console
• Remove the logon point’s virtual directory from the Advanced Access Control server using the Server Configuration utility

To delete a logon point from the console

1. In the console tree, expand Logon Points and then select the logon point you want to delete.
2. Under Common Tasks in the task pane, click Delete logon point.

To remove a logon point’s virtual directory from the server

1. Click Start > Programs or All Programs > Citrix > Access Gateway > Server Configuration.
2. On the Configured Logon Points page, select the logon point you want to remove.
3. Click Remove.


Configuring the Access Gateway
To enable the full range of access control features in Advanced Access Control, you configure the settings on the Advanced Options tab in the Access Gateway Administration Tool. Additionally, you use the Access Management Console to configure the settings that govern all the gateway appliances in your access server farm. These settings include:
• Enable split tunneling and specify the networks that can be accessed through the Access Gateway
• Capture system log messages
• Enable Simple Network Management Protocol (SNMP) logs
• Enable features that are controlled by the communication between the Secure Access Client and the Access Gateway
• Create client access control lists (ACLs)

Configuring Split Tunneling
Split tunneling enables client devices to communicate with public Internet resources and your corporate network concurrently. Enabling split tunneling can improve the efficiency of the client connection and minimizes the occurrence of “Access Denied” messages when users access resources on the Internet or your corporate network. However, split tunneling requires you to configure a list of accessible networks so that users can access corporate resources. If this list is not defined, users cannot access any corporate resources regardless of any policies granting access. Disabling split tunneling maximizes the security of client connections and requires no additional configuration for users to begin accessing corporate resources. When split tunneling is disabled, all network traffic sent by the Secure Access Client is routed through the Access Gateway, including traffic to public Internet Web sites. Therefore, when users log on through the Access Gateway, they can access only the resources you define. If a user tries to access a resource that you have not defined, such as a public Web site, access is denied by default.
To configure split tunneling

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Accessible Networks page, select or clear the option to enable split tunneling.


4. If you enable split tunneling, click New to configure the list of accessible networks.
5. In the New Accessible Network box, select the addressing method you want to use.
6. Enter the destination IP address and, depending on the selected addressing method, the corresponding subnet mask or network prefix length.

Configuring Accessible Networks
Accessible networks are the networks and subnets that can be accessed through the Access Gateway when split tunneling is enabled for the Secure Access Client. Users can access a server or subnode address provided that address is defined in one of the accessible networks. When a user logs on using the Secure Access Client, the access control list (ACL) received during authorization governs the accessible networks available to that user. When using accessible networks, be aware of the following limitations:
• The Secure Access Client can recognize only 24 accessible networks. If your organization has a large number of subnets and you want to enable split tunneling, you may need to define supersets of networks so that you can define all required networks within the 24 recognized accessible networks.
• When you enable split tunneling, all network resources you create in the Access Management Console must fall within the accessible networks you define. If you create a network resource that falls outside of these accessible networks, users cannot access the resource regardless of any policies granting access.

When you define an accessible network in the Access Management Console, you specify the destination using either an IP address and subnet mask or the Classless Inter-Domain Routing (CIDR) addressing scheme.
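As an added example (not part of this guide and not Citrix code), the following Python checks an accessible-networks list against the two limitations above: it parses entries in either the subnet-mask or the CIDR form, flags lists longer than the 24 entries the Secure Access Client recognizes, reports entries already covered by a wider entry, collapses entries into supersets, and lists network resources that fall outside every accessible network. The sample networks and resources are constructed for this example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Limit quoted in the guide for the Secure Access Client.
MAX_ACCESSIBLE_NETWORKS = 24


def parse_accessible_network(entry: str) -> ipaddress.IPv4Network:
    """Parse a destination given as 'ip/subnet-mask' (10.20.0.0/255.255.0.0)
    or as CIDR 'ip/prefix-length' (10.20.0.0/16); ipaddress accepts both.

    strict=True rejects an address with host bits set (10.20.5.0/16), which
    would otherwise be silently widened to 10.20.0.0/16.
    """
    try:
        return ipaddress.IPv4Network(entry, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid accessible network {entry!r}: {exc}") from exc


def is_valid_accessible_network(entry: str) -> bool:
    try:
        parse_accessible_network(entry)
        return True
    except ValueError:
        return False


def check_accessible_networks(
    entries: Iterable[str],
) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse the list and report the problems an administrator cares about:
    more entries than the client can hold, and entries that waste one of the
    24 slots because a wider entry already covers them."""
    nets = [parse_accessible_network(e) for e in entries]
    problems: List[str] = []
    if len(nets) > MAX_ACCESSIBLE_NETWORKS:
        problems.append(
            f"{len(nets)} networks defined but the Secure Access Client "
            f"recognizes only {MAX_ACCESSIBLE_NETWORKS}; define supersets"
        )
    for a in nets:
        for b in nets:
            if a != b and a.subnet_of(b):
                problems.append(f"{a} is already covered by {b}")
    return nets, problems


def unreachable_resources(
    resources: Iterable[str], nets: List[ipaddress.IPv4Network]
) -> List[str]:
    """Network resources (a host 'ip' or a range 'ip/prefix') that lie outside
    every accessible network. Policies granting access to these have no
    effect while split tunneling is enabled."""
    missing: List[str] = []
    for r in resources:
        res = ipaddress.IPv4Network(r, strict=False)
        if not any(res.subnet_of(n) for n in nets):
            missing.append(r)
    return missing


def collapse_to_supersets(entries: Iterable[str]) -> List[str]:
    """Merge contained and adjacent networks into the 'supersets' the guide
    suggests when a farm has more subnets than the client can hold.
    ipaddress.collapse_addresses only merges exact aggregates; a wider manual
    supernet may still be needed to get under the limit."""
    nets = [parse_accessible_network(e) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed sample list: a /16 in mask form, a /24, and a redundant /24.
    sample = ["10.20.0.0/255.255.0.0", "192.168.10.0/24", "10.20.5.0/24"]
    nets, problems = check_accessible_networks(sample)
    print(problems)
    print(unreachable_resources(["10.20.7.15", "172.16.0.0/12"], nets))
    print(collapse_to_supersets(["10.0.0.0/24", "10.0.1.0/24", "10.0.0.0/26"]))
```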

Forwarding System Messages
System message logs contain information that can help support personnel assist with troubleshooting. You can forward system messages to a syslog server or enable SNMP logs.
To forward Access Gateway messages to a syslog server

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.


3. On the Syslog and SNMP page under Syslog Settings, type the IP address or the FQDN of the syslog server you want to capture system messages sent by the Access Gateway.
4. In Syslog facility, select the facility you want to use for captured messages. Select User Level for generic user processes. Select Local Use 0 - 7 if you defined one of these facilities for Access Gateway processes. For example, a syslog server may have Local Use 0 defined for anonymous FTP processes while Local Use 1 is reserved for Access Gateway processes.
5. In Statistics broadcast interval, type the frequency in minutes at which you want the Access Gateway to send system messages. If the broadcast interval is set to zero, broadcasting is continuous.

To enable logging of SNMP messages

When Simple Network Management Protocol (SNMP) is enabled, the Access Gateway reports the MIB-II system group (1.3.6.1.2.1). The Access Gateway does not support Access Gateway-specific SNMP data.

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Syslog and SNMP page under SNMP Settings, select Enable logging of SNMP messages.
4. In SNMP server name or address, type the location of the SNMP server. This required field is informational only.
5. In Name of SNMP contact or associate, type the contact. This field is informational only.
6. In SNMP Community, type the name of the community. This required field is informational only.
7. In Port, type the port.

Configuring Client Properties
The Client Properties page of the gateway appliances properties controls a variety of settings that affect the interaction between the Access Gateway and the Secure Access Client.
To configure client properties

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.


3. On the Client Properties page, select any of the following check boxes:
   • Require SSL client certificate for users connecting via the gateway appliances. If you want additional authentication, select this option to require certificates for Windows client computers. If a client certificate is required, it must be provided by the network administrator. The certificate is installed separately into the certificate store using the Microsoft Management Console. When this requirement is enforced, every computer that logs on through the Access Gateway must have an SSL client certificate that is in P12 format.
   • Enable internal failover. Select this option to enable the Secure Access Client to connect to the Access Gateway from inside the firewall if the Access Gateway IP address cannot be reached. When internal failover is configured, the client will failover to the internal IP address of the Access Gateway if the external IP address cannot be reached. The Secure Access Client must connect at least once to retrieve the failover list. This list is then cached in the registry.
   Note: Internal failover is not available for browser-only access.
   • Enable failover among gateway appliances. You can configure an Access Gateway to failover to multiple Access Gateways. Because the Access Gateway failover is active/active, you can use each Access Gateway as a primary gateway for a different set of users.

Configuring Server Properties
The Server Properties page of the gateway appliances properties controls settings related to securing communications between the Access Gateway and Secure Access Client and improving Voice over IP connections.
To configure server properties

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Server Properties page, select any of the following check boxes:
   • Validate SSL certificates on backend. Select this option to require the Access Gateway to validate SSL server certificates. This increases security for internal connections originating from the Access Gateway. Validating SSL server certificates is an important security measure because it can help prevent security breaches, such as man-in-the-middle attacks. The Access Gateway requires installing the proper root certificates that are used to sign the server certificates.
   • Improve latency for Voice over IP traffic. Select this option to improve the latency and audio quality of Voice over IP (VoIP) traffic over an SSL connection. If you select this option, the Access Gateway appliance uses a 56-bit key to encrypt this traffic. Citrix recommends the use of strong ciphers to reduce the possibility of a malicious attack to the corporate network. For more information about improving VoIP connections made through the Access Gateway appliance, see the Access Gateway Standard Edition Administrator’s Guide.

4. Select the bulk encryption cipher you want to use for symmetric encryption of data over SSL connections.

Configuring ICA Access Control
Citrix Presentation Server uses the Independent Computing Architecture (ICA) protocol for communication between its clients and servers. When using the Access Gateway as a proxy to tunnel ICA traffic without the Secure Access Client, you can control which servers running Citrix Presentation Server users can access. To do this, you provide an access control list (ACL) in the Access Management Console. When users request published applications through the Access Gateway, they are granted or denied access based on the ACL you provide. If you are using the Web Interface to deliver published applications through the Access Gateway, you must configure the Web Interface’s Secure Gateway settings with the FQDN of the Access Gateway.
Important: ACLs you specify are not applied when published applications are configured as network resources.
To configure ICA access control

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the ICA Access Control page, select the option to provide unrestricted access or use an ACL to restrict access to servers running Citrix Presentation Server.


4. To provide an ACL, click New.
5. In Start IP address and End IP address, type the range of IP addresses of the servers running Citrix Presentation Server you want to include.
6. In Port, type the port number or enable the default port.
7. In Protocol, select the protocol you want to use.
   • Select ICA to allow ICA/SOCKS connections to the selected servers. Typically, you would use ICA for servers running Citrix Presentation Server that accept ICA/SOCKS connections.
   • Select CGP to allow CGP connections to the selected servers. Typically, you would use CGP for servers running Citrix Presentation Server that accept CGP connections. CGP can provide session reliability if you enable session reliability on the selected servers.
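As an added example (not part of this guide and not Citrix code), the following Python models the ICA Access Control page: each ACL entry is a start/end IP range, a port (or the protocol's default) and a protocol, ICA or CGP, and a proxied request is granted only when some entry matches all three. The default port numbers 1494 (ICA) and 2598 (CGP) are the usual listener ports and are not stated on this page; the sample ACL and requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports used when an entry keeps the default port. These values are not
# stated in the guide; they are the usual ICA and CGP listener ports.
DEFAULT_PORTS = {"ICA": 1494, "CGP": 2598}


@dataclass(frozen=True)
class IcaAclEntry:
    start_ip: str
    end_ip: str
    protocol: str               # "ICA" or "CGP"
    port: Optional[int] = None  # None keeps the protocol's default port

    def __post_init__(self) -> None:
        if self.protocol not in DEFAULT_PORTS:
            raise ValueError(f"protocol must be ICA or CGP, got {self.protocol!r}")
        if self.low() > self.high():
            raise ValueError(f"start IP {self.start_ip} is after end IP {self.end_ip}")

    def low(self) -> int:
        return int(ipaddress.IPv4Address(self.start_ip))

    def high(self) -> int:
        return int(ipaddress.IPv4Address(self.end_ip))

    def effective_port(self) -> int:
        return self.port if self.port is not None else DEFAULT_PORTS[self.protocol]

    def matches(self, server_ip: str, port: int, protocol: str) -> bool:
        """True when the server lies in the range and port and protocol agree."""
        ip = int(ipaddress.IPv4Address(server_ip))
        return (self.low() <= ip <= self.high()
                and port == self.effective_port()
                and protocol == self.protocol)


def ica_access_allowed(acl: List[IcaAclEntry], server_ip: str, port: int,
                       protocol: str, unrestricted: bool = False) -> bool:
    """Decide whether a proxied connection to server_ip:port over protocol is
    granted. unrestricted mirrors the 'provide unrestricted access' option;
    in restricted mode an empty ACL denies every server."""
    if unrestricted:
        return True
    return any(entry.matches(server_ip, port, protocol) for entry in acl)


def explain_denial(acl: List[IcaAclEntry], server_ip: str, port: int,
                   protocol: str) -> str:
    """Reason a request was denied, for troubleshooting: the most common
    surprise is a server listed for ICA only while the client tries CGP."""
    ip = int(ipaddress.IPv4Address(server_ip))
    in_range = [e for e in acl if e.low() <= ip <= e.high()]
    if not in_range:
        return f"{server_ip} is outside every ACL range"
    if not any(e.protocol == protocol for e in in_range):
        return f"{server_ip} is listed but not for {protocol}"
    return f"{server_ip} is listed for {protocol} but not on port {port}"


# Constructed sample ACL: .1-.20 accept ICA, only .1-.10 also accept CGP.
SAMPLE_ACL = [
    IcaAclEntry("10.1.1.1", "10.1.1.20", "ICA"),
    IcaAclEntry("10.1.1.1", "10.1.1.10", "CGP"),
]


if __name__ == "__main__":
    for server, port, proto in (("10.1.1.5", 1494, "ICA"), ("10.1.1.15", 2598, "CGP"),
                                ("10.1.1.21", 1494, "ICA")):
        if ica_access_allowed(SAMPLE_ACL, server, port, proto):
            print(f"{proto} to {server}:{port} allowed")
        else:
            print(f"{proto} to {server}:{port} denied: "
                  f"{explain_denial(SAMPLE_ACL, server, port, proto)}")
```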

Configuring Authentication with Citrix Presentation Server
Citrix Presentation Server works with the Web Interface and the Secure Ticket Authority (STA) to provide authentication and authorization for clients. To provide access to published applications using the Web Interface through the Access Gateway, you must configure the STA settings in the gateway appliances properties. You also configure these settings to preserve Workspace Control when you enable the display of multiple Access Platform sites within the Access Interface.
To configure the Access Gateway to use the Secure Ticket Authority

1. From the console tree, select Gateway Appliances.
2. Under Common Tasks, click Edit gateway appliances properties.
3. On the Secure Ticketing Authority page, click New.
4. Type the IP address or FQDN of the server where the STA is installed.
5. Select Use secure communication to secure the connection to the STA.
6. In STA Path, type the path of the STA.
7. In STA ID, type the ID of the STA or click Retrieve STA ID to automatically enter the ID based on the server and path.

Chapter 7

Securing User Connections

Access Gateway Advanced Edition supports authentication and authorization for users connecting from remote locations. Advanced Access Control supports several authentication types including Active Directory, LDAP, RADIUS, RSA SecurID, and Secure Computing Safeword products. You can enable these authentication types by configuring the Logon Point Properties in the Access Management Console. When you configure a logon point, you select the authentication and authorization methods you want to use. For example, you can select LDAP to authenticate users and Active Directory to authorize users to access certain corporate resources. The following topics discuss how to configure these authentication types:
• “Configuring Advanced Authentication” on page 101
• “Configuring RADIUS and LDAP Authentication” on page 102
• “Configuring RSA SecurID Authentication” on page 108
• “Configuring SafeWord Authentication” on page 110
• “Configuring Trusted Authentication” on page 115

Configuring Advanced Authentication
Access Gateway Advanced Edition supports using Active Directory as the only authenticator and group authority as well as with another authentication method such as RADIUS, RSA SecurID, or Secure Computing SafeWord. When you configure advanced authentication, only Active Directory is allowed as the group authority for the logon point you want to use. To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0 must be installed on the Advanced Access Control server. See “RADIUS Requirements” on page 53 for more information.


To configure a logon point with advanced authentication

If you are configuring advanced authentication with RADIUS, ensure you configure a RADIUS authentication profile before you configure the logon point. See “Creating RADIUS Authentication Profiles” on page 102 for more information.

1. In the console tree, select the logon point you want to configure. For more information about creating a new logon point, see “Configuring Logon Points” on page 89.
2. On the Authentication page, under Advanced Authentication, select the authentication method you want to use with Active Directory.
3. On the Authorization page, only Active Directory is selected. If you are using a RADIUS profile with Active Directory, select whether or not the RADIUS and Active Directory servers use the same password.

If you are configuring advanced authentication with RADIUS, you need to set the RADIUS authentication credentials for the logon point. For more information, see “Setting Authentication Credentials for Logon Points” on page 106. For more information about configuring advanced authentication for SecurID and SafeWord products, see “Configuring RSA SecurID Authentication” on page 108 and “Configuring Advanced Authentication with SafeWord” on page 111.

Configuring RADIUS and LDAP Authentication
To use RADIUS or LDAP authentication when users log on through a logon point, perform the following tasks:
• Install and configure a RADIUS or LDAP server
• Create RADIUS or LDAP authentication profiles
• Assign the authentication profile to a logon point
• Set the authentication credentials for the logon point

To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0 must be installed on the Advanced Access Control server. See “RADIUS Requirements” on page 53 for more information.

Creating RADIUS Authentication Profiles
Authentication profiles allow you to configure RADIUS settings at the farm level and apply them to one or more logon points. Creating a RADIUS authentication profile involves the following tasks:


• Define RADIUS server authentication to specify the RADIUS servers you want to use, the time-out period, and to configure server load balancing or failover
• Define RADIUS authorization using the attributes and values configured on your RADIUS server

To define RADIUS authentication

1. In the console tree, select the access server farm node and click Edit farm properties in Common Tasks.
2. Select Authentication Profiles and then click New under RADIUS profiles.
3. Type a name and description to define the profile.
4. Click New to enter the RADIUS server and corresponding ports. If you have multiple RADIUS servers, select to use the server list for one of the following:
   • Load balancing of requests to the servers. Requests follow the sequence of the server list so that the initial request goes to the first server in the list, the next request goes to the second server, and so on.
   • Failover sequence of communication if servers become unavailable. In the event connectivity to a server becomes unavailable, connectivity with another server in the list ensures RADIUS authentication services remain available to users.
5. Use the arrows to change a server’s position in the list.
6. Change the value in the Bypass failed servers for this time interval field if you want to specify the amount of time an unavailable server should be bypassed. The default value is 300 seconds.
7. If you want to audit RADIUS events, select Enable RADIUS auditing.
8. If you want to change the period in which the user authentication process times out for lack of a server response, change the value in the Cancel authentication after this time field. By default, authentication times out after 30 seconds elapse.
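As an added example (not part of this guide and not Citrix code), the following Python models the server-list behaviour described for RADIUS profiles above and, earlier, for the Presentation Server farm's Servers page: requests either rotate through the list (load balancing) or always prefer the first listed server (failover), and a server that does not respond is bypassed for the configured interval, 300 seconds by default. The simulated RADIUS replies and the timeline are constructed for this example.

```python
from typing import Callable, Dict, List, Optional, Tuple

LOAD_BALANCE = "load_balance"
FAILOVER = "failover"


class ServerList:
    """A server list in one of the two modes the console offers.

    LOAD_BALANCE: requests rotate through the list in order.
    FAILOVER: the first listed server is always preferred.
    A server that did not answer is bypassed for bypass_seconds
    (300 seconds, i.e. the five-minute default, unless changed).
    """

    def __init__(self, servers: List[str], mode: str = FAILOVER,
                 bypass_seconds: int = 300) -> None:
        if mode not in (LOAD_BALANCE, FAILOVER):
            raise ValueError(f"unknown mode {mode!r}")
        if not servers:
            raise ValueError("server list is empty")
        self.servers = list(servers)
        self.mode = mode
        self.bypass_seconds = bypass_seconds
        self._bypass_until: Dict[str, float] = {}
        self._next_index = 0

    def mark_failed(self, server: str, now: float) -> None:
        """Record that server did not respond; skip it until the interval ends."""
        self._bypass_until[server] = now + self.bypass_seconds

    def is_available(self, server: str, now: float) -> bool:
        return now >= self._bypass_until.get(server, float("-inf"))

    def next_server(self, now: float) -> Optional[str]:
        """Server to try next, or None when every server is being bypassed."""
        if self.mode == FAILOVER:
            for server in self.servers:
                if self.is_available(server, now):
                    return server
            return None
        # Load balancing: continue the rotation from where the last request
        # left off, skipping bypassed servers instead of restarting the cycle.
        for _ in range(len(self.servers)):
            server = self.servers[self._next_index]
            self._next_index = (self._next_index + 1) % len(self.servers)
            if self.is_available(server, now):
                return server
        return None


def authenticate(server_list: ServerList,
                 send_request: Callable[[str], Optional[bool]],
                 now: float) -> Tuple[Optional[bool], List[str]]:
    """Try servers until one answers.

    send_request(server) returns True (accept), False (reject) or None
    (no response before the per-request timeout). Returns the outcome and
    the servers tried; an outcome of None means no server answered, which is
    when the user sees the authentication time out.
    """
    tried: List[str] = []
    while True:
        server = server_list.next_server(now)
        if server is None or server in tried:
            return None, tried
        tried.append(server)
        answer = send_request(server)
        if answer is None:
            server_list.mark_failed(server, now)
            continue
        return answer, tried


if __name__ == "__main__":
    # Constructed scenario: radius1 is down, the others accept the user.
    replies = {"radius1": None, "radius2": True, "radius3": True}
    sl = ServerList(["radius1", "radius2", "radius3"], FAILOVER)
    print(authenticate(sl, replies.get, now=0))   # (True, ['radius1', 'radius2'])
    print(sl.next_server(now=100))                # radius2: radius1 still bypassed
    print(sl.next_server(now=300))                # radius1: bypass interval elapsed
```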

To define RADIUS authorization

1. From the RADIUS Profile Configuration dialog box, click Configure Authorization.
2. In Group attribute name, type the group name that is defined on your RADIUS server.


3. Type the Separator you want to use if multiple user groups are included in the RADIUS configuration. A separator can be a period, a semicolon, or a colon.
4. In the Vendor identifier field, type the vendor-specific code number that was entered on your RADIUS server.
5. In the Vendor specified type field, type the vendor-assigned attribute number.

Creating LDAP Authentication Profiles
Authentication profiles allow you to configure LDAP settings at the farm level and apply them to one or more logon points. When using LDAP authentication and Active Directory authorization, group names must match exactly, character for character and including case.
To create an LDAP authentication profile

1. In the console tree, select the access server farm node and click Edit farm properties in Common Tasks.
2. Select Authentication Profiles and then click New under LDAP profiles.
3. Type a name and description to define the profile.
4. Type the name or IP address of the LDAP server you want to use.
5. In Port, type the server port number that your LDAP server uses for LDAP requests.
6. In Administrator DN, type the distinguished name of the administrative user that has access to your LDAP server and the rights to look up user entries in the LDAP repository. Because this account only needs to search for user entries, a dedicated read-only account is sufficient. The following are examples of syntax for this field:
   “domain/user name”
   “ou=administrators,dc=ace,dc=com”
   “user@domain.name” (for Active Directory)
   “cn=Administrator,cn=Users,dc=ace,dc=com”
   For Active Directory, the group name, specified as cn=groupname, is required. The group name that is defined in the Access Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname.
   The Access Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Access Gateway unbinds the administrator credentials and rebinds with the user credentials.
7. In Base DN, type the distinguished name under which user lookups should begin. Base DN is usually derived from the Bind DN by removing the user name and specifying the container where users are located. Examples of syntax for Base DN include:
   “ou=users,dc=ace,dc=com”
   “cn=Users,dc=ace,dc=com”
8. In LDAP attribute for user logon names, type the attribute under which the Access Gateway should look for user logon names on the LDAP server that you are configuring. Depending on the directory service you are using, type one of the following attributes:
   • For Active Directory, use the default sAMAccountName.
   • For Novell eDirectory or Lotus Domino, use cn.
   • For IBM Directory Server, use uid.
   • For Sun ONE Directory, use uid or cn.
9. In LDAP group attribute, type the name of the group attribute the Access Gateway should use to obtain the groups associated with a user during authorization. Depending on the directory service you are using, type one of the following attributes:
   • For Active Directory, use the default memberOf.
   • For Novell eDirectory, use groupMembership.
   • For IBM Directory Server, use ibm-allGroups.
   • For Sun ONE Directory, use nsRole.
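As an added example (not code from this guide or from the Access Gateway product), the following Python sketches the parts of an LDAP profile that are easy to get wrong: deriving the Base DN from a DN-form Administrator DN, choosing the logon and group attributes per directory type from the lists above, building the user-lookup filter with RFC 4515 escaping so that a logon name such as jdoe)(objectClass=* cannot alter the search the gateway runs with the administrator's rights, and extracting group names from memberOf values with case preserved, because the Access Gateway compares group names case-sensitively. The helper names, the directory keys and the sample entry are assumptions for illustration; the gateway's own lookup code is not published on this page.

```python
"""Helpers for an LDAP authentication profile: Base DN derivation, per-directory
attribute selection, injection-safe user filters, and group-name extraction.
Added example; not part of the Access Gateway product or this guide."""

# Logon-name and group attributes per directory service (from the profile steps
# above). Domino has no group attribute listed on this page, hence None.
DIRECTORY_ATTRS = {
    "active_directory": ("sAMAccountName", "memberOf"),
    "edirectory": ("cn", "groupMembership"),
    "domino": ("cn", None),
    "ibm_directory": ("uid", "ibm-allGroups"),
    "sun_one": ("uid", "nsRole"),
}


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (backslash escapes kept)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def derive_base_dn(bind_dn):
    """Base DN = DN-form Administrator DN with its leading user RDN removed,
    e.g. cn=Administrator,cn=Users,dc=ace,dc=com -> cn=Users,dc=ace,dc=com.
    The domain/user and user@domain forms are not DNs and are rejected."""
    rdns = split_dn(bind_dn)
    if len(rdns) < 2:
        raise ValueError("not a DN with a container to search under: %r" % bind_dn)
    return ",".join(rdns[1:])


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(directory, logon_name):
    """Filter the gateway would search with after binding as the administrator."""
    logon_attr, _ = DIRECTORY_ATTRS[directory]
    return "(%s=%s)" % (logon_attr, escape_filter_value(logon_name))


def group_names(directory, entry):
    """Pull group names (the cn of each group DN) from the user's group attribute.
    Case is preserved: Access Gateway group names must match the directory exactly."""
    _, group_attr = DIRECTORY_ATTRS[directory]
    if group_attr is None:
        return []
    names = []
    for dn in entry.get(group_attr, []):
        attr, _, val = split_dn(dn)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.append(val)
    return names


def logon_plan(directory, bind_dn, logon_name):
    """Ordered LDAP operations the profile implies: admin bind, search, unbind,
    then rebind as the located user (that DN comes from the search result)."""
    base_dn = derive_base_dn(bind_dn)
    return [
        ("bind", bind_dn),
        ("search", base_dn, build_user_filter(directory, logon_name)),
        ("unbind",),
        ("bind", "<DN returned by the search>"),
    ]


if __name__ == "__main__":
    # Constructed sample entry standing in for an Active Directory search result.
    sample = {"memberOf": ["CN=Sales,OU=Groups,DC=ace,DC=com",
                           "CN=Finance\\, EMEA,OU=Groups,DC=ace,DC=com"]}
    for step in logon_plan("active_directory",
                           "cn=Administrator,cn=Users,dc=ace,dc=com", "jdoe"):
        print(step)
    print(group_names("active_directory", sample))
```

The escaping matters because the search runs under the administrator bind: without it, a logon name containing filter syntax could widen the search and cause the gateway to attempt the user bind against an entry the user did not name.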

Assigning Authentication Profiles to Logon Points
After you configure RADIUS or LDAP authentication profiles, you must assign these profiles to a logon point. You can assign authentication profiles in the logon point properties, on the Authentication and Authorization pages. You can use RADIUS profiles as the sole authentication method or as part of advanced authentication with Active Directory. You can use LDAP profiles as the sole authentication method only.

If you assign an LDAP profile to authenticate users, you can use Active Directory or an LDAP profile to authorize users. If you assign a RADIUS profile for authentication, you can use either an LDAP profile or a RADIUS profile for authorization; if you choose RADIUS, it must be the same RADIUS profile you assigned for authentication. When you use RADIUS or LDAP profiles, you can specify how users access resources that require Active Directory credentials. In an advanced authentication scenario where Active Directory is the group authority, you can specify whether the Active Directory and RADIUS servers share the same password. In scenarios where RADIUS or LDAP authenticate and authorize users, you can enable passthrough authentication to Active Directory. This allows users to access resources without entering their Active Directory credentials a second time. To do this, you supply the default Active Directory domain. User accounts in the default Active Directory domain must match those on your RADIUS or LDAP servers.
To assign authentication profiles to a logon point

1. In the console tree, select the logon point you want to configure. For more information about creating a new logon point, see “Configuring Logon Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select the RADIUS or LDAP profile you want to use to identify users in your organization.
4. On the Authorization page, select the RADIUS or LDAP profile you want to use to determine the level of access users receive when they authenticate successfully.

After you assign the authentication profile to the logon point, use the Server Configuration utility to set the authentication credentials for the profile.

Setting Authentication Credentials for Logon Points
Logon point authentication credentials consist of the global or server-specific RADIUS secrets or LDAP passwords that you specify. Before you set the authentication credentials, ensure a RADIUS or LDAP authentication profile has been assigned to the logon point.

Chapter 7

Securing User Connections


If your deployment is configured to use RADIUS authentication and your RADIUS server is configured to use PAP, the user’s password travels to the RADIUS server protected only by the shared secret: RFC 2865 hides the User-Password attribute by XORing it with MD5 digests of the shared secret and the request authenticator, so anyone who captures the traffic and can guess the secret recovers the password. You can therefore strengthen user authentication at the logon point by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of upper- and lowercase letters, numbers, and punctuation and are at least 22 characters long. If possible, use a random character generation program to create RADIUS shared secrets. To further protect RADIUS traffic, assign a different shared secret to each Access Gateway appliance or each Advanced Access Control server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure each Access Gateway realm that uses RADIUS authentication separately. If you synchronize configurations among several Access Gateway appliances in a cluster, all the appliances are configured with the same secret.
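To make the PAP point concrete, here is an added Python example (not from this guide and not Access Gateway code) that generates a 22-character secret of the recommended shape, applies the RFC 2865 User-Password hiding that a RADIUS client performs with PAP, and then runs a dictionary attack against a constructed capture: with a weak secret the user’s password falls out, with a random 22-character secret the same capture yields nothing. The request authenticator, password and candidate list are constructed sample data.

```python
"""RADIUS shared-secret strength and RFC 2865 PAP password hiding.
Added example: not Access Gateway code and not from this guide."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_shared_secret(length=22):
    """Random secret of upper/lower letters, digits and punctuation; the guide's
    minimum is 22 characters. secrets.choice draws from the OS CSPRNG."""
    if length < 22:
        raise ValueError("RADIUS shared secrets should be at least 22 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a 16-byte multiple,
    then XOR each block with MD5(secret + previous ciphertext block); the first
    'previous block' is the 16-byte Request Authenticator of the packet."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode("utf-8")
    plain += b"\x00" * (-len(plain) % 16)
    key = secret.encode("utf-8")
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(key + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += block
        prev = block
    return out


def _unhide_raw(hidden, secret, authenticator):
    key = secret.encode("utf-8")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(key + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out


def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does when it holds the right secret."""
    return _unhide_raw(hidden, secret, authenticator).rstrip(b"\x00").decode("utf-8")


def _looks_like_password(raw):
    body = raw.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= b < 0x7f for b in body)


def guess_secret(hidden, authenticator, candidates):
    """Offline attack on one captured Access-Request: try each candidate secret
    and return the first that yields printable, NUL-padded text. A random
    22-character secret is in no wordlist, so the capture reveals nothing."""
    for cand in candidates:
        if _looks_like_password(_unhide_raw(hidden, cand, authenticator)):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: a fixed Request Authenticator and a weak secret.
    ra = bytes(range(16))
    captured = hide_password("Passw0rd!", "citrix", ra)
    wordlist = ["radius", "password", "citrix", "testing123"]
    print("weak secret recovered:", guess_secret(captured, ra, wordlist))
    captured = hide_password("Passw0rd!", generate_shared_secret(), ra)
    print("strong secret recovered:", guess_secret(captured, ra, wordlist))
```

The attack needs only one captured Access-Request, so per-client secrets limit the blast radius of a single guessed secret, which is why the guide recommends a different secret for each appliance or server.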
To assign RADIUS shared secrets

1. On the Advanced Access Control server, click Start > Programs or All Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you have configured to use RADIUS authentication.
3. Click Authentication Credentials.
4. Under RADIUS Servers, select Global secret for all servers or Server specific secrets.
5. Type the global secret in the Authentication secret and Confirm authentication secret boxes.
6. For server-specific secrets, double-click the IP address of the RADIUS server and enter the secret in the Server Credential box.

To assign LDAP server passwords

1. On the Advanced Access Control server, click Start > Programs or All Programs > Citrix > Access Gateway > Server Configuration.
2. Click Configured Logon Points and then select the logon point that you have configured to use LDAP authentication.
3. Click Authentication Credentials.
4. Under LDAP Servers, select Global password for all servers or Server specific passwords.
5. Type the global password in the Authentication secret and Confirm authentication secret boxes.
6. For server-specific passwords, double-click the IP address of the LDAP server and enter the password in the Server Credential box.

Configuring RSA SecurID Authentication
If you use RSA SecurID for authentication, you can configure Access Gateway Advanced Edition to authenticate user access with the RSA ACE/Server. The Advanced Access Control server acts as an RSA Agent Host to authenticate users who attempt to log on. You can configure the Advanced Access Control server to authenticate with RSA SecurID in the following ways:
• With Active Directory, as an advanced authentication method
• As the only authentication method, where LDAP is used as the group authority

Configuring RSA SecurID authentication consists of the following tasks:
• Configure the Advanced Access Control server(s) as an RSA ACE/Agent and generate an Sdconf.rec file
• Generate an Sdroot certificate file for the Advanced Access Control server(s) and install the RSA ACE/Agent software
• Test authentication with the RSA SecurID server
• Configure a logon point for RSA SecurID authentication

If you are using RSA SecurID as the only authentication method, ensure you have performed the following tasks prior to configuring the logon point:
• Create an LDAP authentication profile
• Assign the authentication profile to the logon point
• Set the authentication credentials for the logon point

For more information, see “Creating LDAP Authentication Profiles” on page 104, “Assigning Authentication Profiles to Logon Points” on page 105, and “Setting Authentication Credentials for Logon Points” on page 106.
To configure the Advanced Access Control server as an RSA ACE/Agent

1. On the RSA ACE/Server computer, open the RSA ACE/Server Database Administration window and click Agent Host > Add Agent Host.
2. In Name, type the fully qualified domain name (FQDN) of the Advanced Access Control server.
3. In Network Address, type the IP address of the Advanced Access Control server.
4. In Agent Type, select NetSP Agent.
5. From the Database Administration window, click Agent Host > Generate Configuration Files and then click One Agent Host.
6. Double-click the name of the Advanced Access Control server and save the Sdconf.rec file in a folder on the computer.
7. Copy the Sdconf.rec file to the %SystemRoot%\System32 folder on the Advanced Access Control server.

To generate an Sdroot certificate file and install RSA ACE/Agent

1. On the Advanced Access Control server, install and launch the RSA ACE/Agent Certificate Utility.
2. In Current Directory, enter the path of the directory in which you want to store the certificate file.
3. Click the New Root Certificate and Keys button.
4. Enter your organization name, country, and key passwords.
5. Install the RSA ACE/Agent for Windows software and select the following installation options:
   • In Setup Type, select Custom
   • In Custom Setup, select Local Authentication Client only. All other client options should not be installed.
6. When prompted, locate the Sdroot certificate file you created.
7. Follow the remaining onscreen instructions to install the RSA ACE/Agent software.
8. Restart the server after installation finishes.

To test authentication with RSA SecurID

1. On the Advanced Access Control server, click Start > Control Panel > RSA ACE/Agent.
2. From the Main tab, click the Test Direct Authentication with RSA ACE/Server button.
3. From the RSA ACE/Server Configuration Information window, click the RSA ACE/Server Test Directly button and enter the user ID and token passcode for the user you are testing.

If the test is successful, the “Successful Authentication” message appears. You can then configure logon points to use RSA SecurID authentication.
To configure a logon point with RSA SecurID authentication

If you are using RSA SecurID as the only authentication method, ensure you create an LDAP authentication profile, assign the profile to the logon point, and set the authentication credentials prior to configuring the logon point. For more information, see “Creating LDAP Authentication Profiles” on page 104 and “Setting Authentication Credentials for Logon Points” on page 106.
1. In the console tree, select the logon point you want to configure. For more information about creating a new logon point, see “Configuring Logon Points” on page 89.
2. Under Common Tasks, click Edit logon point.
3. On the Authentication page, select one of the following options:
   • Under Advanced Authentication, select RSA to use SecurID with Active Directory to authenticate users.
   • Under Authentication, select RSA to use SecurID as the only authentication method.
4. If you are using RSA SecurID as the only authentication method, on the Authorization page, select the LDAP profile you want to use.

Configuring SafeWord Authentication
The SafeWord product line provides secure authentication using a token-based passcode. Once the passcode is used, it is immediately invalidated by SafeWord and cannot be used again. Access Gateway Advanced Edition supports authentication with SafeWord for Citrix and SafeWord PremierAccess. You can configure the Advanced Access Control server to authenticate with SafeWord in the following ways:
• With Active Directory, as an advanced authentication method
• As the only authentication method, where LDAP is used as the group authority
• With RADIUS, where the Advanced Access Control server acts as a RADIUS client to a server configured with Microsoft Internet Authentication Service (IAS)


Configuring Advanced Authentication with SafeWord
When you configure advanced authentication, Active Directory works with SafeWord to authenticate users and determines the level of access users have once they log on. To configure advanced authentication with SafeWord, perform the following tasks:
• Install and configure the SafeWord for Citrix Secure Access Manager Agent on the Advanced Access Control server. Citrix strongly recommends obtaining the latest version of the agent software from Secure Computing to ensure SafeWord authentication is successful. Refer to the Secure Computing product documentation for information about configuring the agent.
• Create a logon point and configure authentication and authorization using the Access Management Console.

To configure advanced authentication with SafeWord

1. On the Advanced Access Control server, install the SafeWord for Citrix Secure Access Manager agent software located on the SafeWord product CD. When prompted, accept the option to use the latest agent software from Secure Computing and then select the Secure Access Manager Agent option.
2. Restart the Advanced Access Control services. You can use the Server Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the Component Services console.
4. From the console tree, select the logon point you want to configure and click Edit logon point in Common Tasks. For more information about creating a new logon point, see “Configuring Logon Points” on page 89.
5. On the Authentication page, under Advanced Authentication, select SafeWord.

Configuring Authentication with SafeWord Only
When you configure SafeWord as the only authentication method for users, you must use LDAP as the group authority. If you want to use SafeWord as the sole authentication method, perform the following tasks:
• Install and configure the SafeWord for Citrix Secure Access Manager Agent on the Advanced Access Control server. Citrix strongly recommends obtaining the latest version of the agent software from Secure Computing to ensure SafeWord authentication is successful. Refer to the Secure Computing product documentation for information about configuring the agent.
• Create an LDAP authentication profile that you can assign to the logon point as the group authority.
• Create a logon point and configure authentication and authorization using the Access Management Console.
• Set the authentication credentials for the logon point.

To configure authentication with SafeWord only

1. On the Advanced Access Control server, install the SafeWord for Citrix Secure Access Manager agent software located on the SafeWord product CD. When prompted, accept the option to use the latest agent software from Secure Computing and then select the Secure Access Manager Agent option.
2. Restart the Advanced Access Control services. You can use the Server Configuration utility to restart all the services simultaneously.
3. Restart the Citrix Access Gateway Server COM+ application from the Component Services console.
4. Create an LDAP authentication profile. For more information, see “Creating LDAP Authentication Profiles” on page 104.
5. From the console tree, select the logon point you want to configure and click Edit logon point in Common Tasks. For more information about creating a new logon point, see “Configuring Logon Points” on page 89.
6. On the Authentication page, select SafeWord.
7. On the Authorization page, select the LDAP authentication profile you want to use.

To complete the configuration, you need to set the authentication credentials for the logon point to which you assigned the LDAP profile. See “Setting Authentication Credentials for Logon Points” on page 106 for more information.

Configuring RADIUS with SafeWord
To authenticate users, SafeWord uses the RADIUS protocol, Microsoft Internet Authentication Service (IAS), and a user database stored on an Active Directory server. To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0 must be installed on the Advanced Access Control server. See “RADIUS Requirements” on page 53 for more information.


If you want to use RADIUS with either SafeWord product, perform the following tasks:
• Configure Microsoft Internet Authentication Service (IAS) on a separate server and configure the Advanced Access Control server as a RADIUS client.
• Create a RADIUS authentication profile for the IAS server. If you want to use LDAP as the group authority instead of RADIUS, you must also create an LDAP authentication profile. For more information, see “Configuring RADIUS and LDAP Authentication” on page 102.
• Assign the RADIUS authentication profile to the logon point. If you use LDAP as the group authority, you must also assign the LDAP authentication profile to the logon point. For more information, see “Assigning Authentication Profiles to Logon Points” on page 105.
• Set the RADIUS authentication credentials for the logon point. If you use LDAP as the group authority, you must also set the LDAP authentication credentials. For more information, see “Setting Authentication Credentials for Logon Points” on page 106.
• On the SafeWord server, install and configure the SafeWord IAS Agent software.

To configure IAS and configure a RADIUS client

Before proceeding, ensure IAS is installed on a server in your environment. You can install IAS using Add/Remove Programs in Control Panel. For more information, see the Windows online help.
1. Open the Microsoft Management Console (MMC) and add the snap-in for IAS.
2. In the left pane, right-click Remote Access Policies and select New Remote Access Policy. The New Remote Access Policy Wizard appears.
3. Complete the wizard, using the following settings:
   • Set up a custom policy and then type a unique policy name.
   • Select Windows Groups for the policy and select the group(s) containing the users to be authenticated with SafeWord.
   • Select Grant remote access permission and click Edit Profile.
   • On the Authentication tab, clear the check boxes selected by default and then select only Unencrypted authentication (PAP, SPAP). Because PAP is the only method left enabled, the RADIUS shared secret is all that protects the passcode in transit; use a strong secret as described in “Setting Authentication Credentials for Logon Points” on page 106.
   • Click the Advanced tab and remove the attributes that appear by default. Then add the Vendor-Specific attribute with the RADIUS Standard vendor.
   • In the Vendor-specific Attribute Information box, select Yes to specify that the attribute conforms to the RADIUS RFC specification.
   • Click Configure Attribute and enter the following settings:
     • In Vendor-assigned attribute number, type 0.
     • In Attribute Format, select String.
     • In Attribute value, enter the group name(s) you specified for the policy. For example, if you specified the Sales and Finance groups, you enter CTXSUserGroups=sales;finance.
4. From the left pane of the MMC, right-click RADIUS Clients and select New RADIUS Client.
5. Type a name for the client and enter the IP address or the FQDN of the Advanced Access Control server.
6. Ensure RADIUS Standard is selected and then provide a shared secret that the Advanced Access Control server can use to authenticate with the RADIUS server.
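The CTXSUserGroups value above travels in a RADIUS Vendor-Specific attribute (type 26), and the Group attribute name, Separator, Vendor identifier and Vendor specified type fields from “To define RADIUS authorization” earlier in this chapter tell the Access Gateway how to find and split it. The following Python is an added example, not product code: it encodes such an attribute in the RFC 2865 sub-format IAS emits when you answer Yes to the RFC-conformance question, walks an Access-Accept attribute list with length checks, and extracts the group list. The vendor identifier 0 stands in for the RADIUS Standard vendor selected in IAS and is an assumption; vendor type 0 is the value the procedure above enters. All packet contents are constructed.

```python
"""RFC 2865 Vendor-Specific attribute encode/decode and group extraction for the
Access Gateway RADIUS authorization settings. Added example, not product code."""
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
USER_NAME = 1
REPLY_MESSAGE = 18


def encode_attr(atype, value):
    """Generic RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, text):
    """Vendor-Specific attribute in the RFC-recommended sub-format:
    Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) value."""
    payload = text.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(raw):
    """Walk a RADIUS attribute list into (type, value) pairs; reject truncation."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def extract_groups(raw, vendor_id, vendor_type, group_attr, separator=";"):
    """Mirror of the profile fields: Vendor identifier, Vendor specified type,
    Group attribute name and Separator. Returns the group names in order."""
    groups = []
    for atype, val in decode_attrs(raw):
        if atype != VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != vendor_id:
            continue
        sub, j = val[4:], 0
        while j < len(sub):
            if j + 2 > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[j], sub[j + 1]
            if vlen < 2 or j + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == vendor_type:
                text = sub[j + 2:j + vlen].decode("utf-8", "replace")
                name, eq, rest = text.partition("=")
                if eq and name.strip() == group_attr:
                    groups.extend(g.strip() for g in rest.split(separator) if g.strip())
            j += vlen
    return groups


def sample_access_accept():
    """Constructed attribute list as IAS might return for the policy above, plus
    an unrelated VSA from another vendor (311 is Microsoft's enterprise number)
    that must be ignored."""
    return (encode_attr(USER_NAME, b"jdoe")
            + encode_vsa(0, 0, "CTXSUserGroups=sales;finance")
            + encode_vsa(311, 1, "ignored")
            + encode_attr(REPLY_MESSAGE, b"Welcome"))


if __name__ == "__main__":
    print(extract_groups(sample_access_accept(), 0, 0, "CTXSUserGroups"))
```

The vendor check is what keeps a group list from being read out of some other vendor's attribute, and the separator argument corresponds directly to the Separator field: choose one that cannot appear inside a group name.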

To configure the SafeWord IAS Agent

1. Launch the IAS Agent by clicking Start > Programs or All Programs > Secure Computing > SafeWord > IAS Agent > Configure IAS Agent.
2. Click Authentication Engine and enter the host name or IP address of the authentication engine.
3. Click Groups and enter the user group and domain of the users using SafeWord tokens.


Configuring Trusted Authentication
To further strengthen your Access Gateway environment, you can ensure that each Access Gateway that connects to an Advanced Access Control server is a trusted device. To do this, you configure each Access Gateway to present a client certificate when prompted. Then, you configure each Advanced Access Control server to request the client certificate from each Access Gateway in your environment.

Configuring the Access Gateway for Trusted Authentication
Before you configure the Access Gateway, ensure that:
• The Access Gateway uses SSL to communicate with the Advanced Access Control server. This is required because the virtual directories the Access Gateway must access on the Advanced Access Control server are secured.
• The Access Gateway trusts the root certificate for the certificate authority that issued the client certificate. If not, you need to install it as a trusted root certificate.
• You have obtained a client certificate from a recognized certificate authority so you can install it on the Access Gateway.

To verify the Access Gateway is using SSL

1. Open the Access Gateway Administration Tool and select the Access Gateway from the Access Gateway Cluster tab.
2. Click the Advanced Options tab.
3. To enable SSL communication, select the Secure server communication check box.

To install the root certificate as a trusted certificate

Before you install the root certificate, check that it is in Base64-encoded (PEM) format. The Access Gateway does not recognize other formats, such as binary DER, as valid.
1. From the Administration Tool, select the Access Gateway and then click the Administration tab.
2. In Manage trusted root certificates, click Manage.
3. From Trusted Root Certificate Management, click the Manage tab.
4. Click Upload Trusted Root Certificate.
5. Select the root certificate you want to install.
6. Reboot the Access Gateway.

After the Access Gateway reboots, verify the root certificate appears in the Trusted Issuers tab of the Trusted Root Certificate Management window. You can then install the client certificate.
To install the client certificate on the Access Gateway

1. Open the Administration Tool and select the Access Gateway from the Access Gateway Cluster tab.
2. Click the Administration tab and then click Browse to upload a .pem private key and client certificate.
3. Locate the client certificate and enter the passphrase when prompted.
4. Reboot the Access Gateway.

After you install the client certificate, you can configure the Advanced Access Control server to require the certificate from the Access Gateway.
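Both uploads above depend on file format: the root certificate must be Base64 (PEM) encoded, and the client upload is a .pem file holding the private key and certificate, with a passphrase if the key is encrypted. The following Python is an added example (not an Access Gateway tool) that tells PEM from DER, converts a DER certificate to PEM with the standard library's ssl helpers, lists the armoured blocks in a .pem bundle, and reports whether a passphrase will be needed by looking for the legacy Proc-Type: 4,ENCRYPTED header or an ENCRYPTED PRIVATE KEY block. The sample bytes are constructed and are not a real certificate or key.

```python
"""PEM/DER checks for the certificates uploaded to the Access Gateway.
Added example; not part of the product or this guide."""
import re
import ssl

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
                    re.DOTALL)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def detect_format(data):
    """'PEM' if the file is Base64 armoured, 'DER' if it starts with an ASN.1
    SEQUENCE tag (0x30), else 'UNKNOWN'. Access Gateway accepts only PEM."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "PEM"
    if head[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def to_pem_certificate(data):
    """Return PEM text for a certificate supplied as DER or PEM bytes."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return ssl.DER_cert_to_PEM_cert(data)   # stdlib Base64 armouring
    raise ValueError("not a DER or PEM certificate")


def to_der_certificate(pem_text):
    """Inverse conversion, used to confirm a PEM file round-trips to its DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def pem_blocks(text):
    """List (label, body) for each armoured block, e.g. ('CERTIFICATE', ...)."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def check_client_bundle(text):
    """Validate the .pem uploaded to the Access Gateway: exactly one certificate
    and one private key; report whether a passphrase will be prompted for."""
    blocks = pem_blocks(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    keys = [(label, body) for label, body in blocks if label in _KEY_LABELS]
    problems = []
    if len(certs) != 1:
        problems.append("expected 1 CERTIFICATE block, found %d" % len(certs))
    if len(keys) != 1:
        problems.append("expected 1 private key block, found %d" % len(keys))
    encrypted = any(label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
                    for label, body in keys)
    return {"ok": not problems, "problems": problems, "passphrase_required": encrypted}


# Constructed sample data: a tiny DER SEQUENCE standing in for a certificate and
# a hand-written bundle. Neither is a real certificate or key.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_BUNDLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))
    print(to_pem_certificate(SAMPLE_DER))
    print(check_client_bundle(SAMPLE_BUNDLE))
```

Run the bundle check before uploading: a file with the key but no certificate, or an unencrypted key where a passphrase was expected, fails at the appliance with less helpful feedback than the list of problems returned here.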

Configuring Advanced Access Control for Trusted Authentication
To configure the Advanced Access Control server to request the client certificate from each Access Gateway in your environment, you perform the following tasks:
1. Create or assign a server certificate
2. Add the root certificate from the certificate authority that issued the Access Gateway client certificate to the Certificate Trust List on the server
3. Configure the virtual directories that the Access Gateway will access to require client certificates

To create or assign a server certificate

1. Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand the local computer node and the Web Sites node.
3. Right-click the Default Web Site node and select Properties.
4. Click the Directory Security tab and then click the Server Certificate button under Secure communications.
5. Follow the onscreen instructions in the IIS Certificate Wizard to create a new server certificate or assign an existing certificate.


After the server certificate is assigned, you can add the root certificate to the server’s Certificate Trust List and configure the server to require client certificates.
To add the root certificate to the Advanced Access Control server’s Certificate Trust List

1. Open Internet Information Services (IIS) Manager and locate the Default Web Site node.
2. Right-click the Default Web Site node and select Properties.
3. Click the Directory Security tab and then click the Edit button under Secure communications.
4. Select the Enable certificate trust list check box.
5. Click the New button and follow the onscreen instructions to complete the Certificate Trust List wizard. This wizard allows you to add the root certificate that matches the Access Gateway’s client certificate to the Certificate Trust List.

To configure the server to require client certificates

1. In Internet Information Services (IIS) Manager, expand the Default Web Site node and locate the CitrixGatewayConfigService node.
2. Right-click the CitrixGatewayConfigService node and select Properties.
3. Click the Directory Security tab and then click the Edit button under Secure communications.
4. Select the Require secure channel check box.
5. Under Client certificates, select Require client certificates.
6. In Internet Information Services (IIS) Manager, right-click the CitrixLogonAgentService node and select Properties.
7. Click the Directory Security tab and then click the Edit button under Secure communications.
8. Select the Require secure channel check box.
9. Under Client certificates, select Require client certificates.


CHAPTER 8

Adding Resources

To control your corporate resources with Advanced Access Control, you add them to the console and then create policies for them. Resources include corporate applications, Web sites, portals, file shares, services, servers, email, and email synchronization, essentially any resource that you want to provide for user access. This section describes how and why you configure the following types of resources:
• Network resources
• Web resources
• File shares

For information about configuring email resources, see “Providing Secure Access to Corporate Email” on page 181.

Creating Network Resources for VPN Access
Use network resources to define subnets or servers on the corporate network that users can connect to directly through a VPN tunnel using the Secure Access Client. By default, users are denied access to network resources until you create policies that grant them access permission.
To create a network resource

1. 2. 3.

1. In the console tree, select Network Resources and click Create network resource in Common Tasks.
2. In the New Network Resource wizard, enter a name and description for the resource.
3. On the Specify Servers and Ports page, click New to add network identification, port, and protocol information for the resource.
   • To define entire subnets, specify network addresses with subnet masks. For example, to define all servers on the 10.x.x.x network, specify the network address 10.0.0.0 with a subnet mask of 255.0.0.0. To define a single server, specify its IP address, such as 10.2.3.4, with subnet mask 255.255.255.255.
   • For Port, you can specify multiple ports or port ranges by separating each port with a comma and hyphenating ranges. For example, the entry “22,80,110-120” means that the resource uses port 22, port 80, and all ports from 110 through 120 inclusive. The Secure Access Client software listens on the specified port.
4. Specify whether or not to create a default policy. If you create a default policy, you can edit its properties later.

After defining a network resource, you can create policies that control its user access and connection settings. The only access control permission you can grant for a network resource is to allow or deny access. Because users connect directly to the services defined by the specified port or network subnet, the Web proxy is not used. Connecting to resources through the Web proxy is required if you want to tailor the level of access with action controls such as HTML Preview and Live Edit. When users connect with the Secure Access Client, they can view a list of their network resources in the client properties.

Using the Entire Network Resource
The Entire Network resource is a built-in resource you can use to grant or deny Secure Access Client access to all servers and services on the secure network. The definition of the “entire network” might be limited in scope if you have enabled split tunneling in the global properties for gateway appliances. If split tunneling is enabled, the Entire Network resource does not override the definition of accessible networks. In other words, when split tunneling is enabled, the Entire Network resource equals the definition you have configured for accessible networks. For more information about split tunneling and accessible networks, see “Configuring Split Tunneling” on page 95. Note: Entire Network includes all resources on the secure network, including servers or subnets you add later. For example, if you create an access policy that includes Entire Network and later add a server to the network, the new server is controlled by the settings of the existing policy. For more information about creating policies that include Entire Network, see “Granting Access to the Entire Network” on page 154.


Defining Resources to Avoid Conflicts
Because you have multiple choices for configuring your corporate resources, you can create resources that overlap. For example, you can create a file share resource for File Share B on Server A and also create a network resource for Server A. Both of these resources overlap by including File Share B. If you assign overlapping resources to different policies, it is possible to create conflicts between the action controls provided for the same corporate resource. Overlapping definitions arise if you use network resources to provide access to entire servers, networks, or subnets and simultaneously use file shares and Web resources to define parts of the same servers, networks, and subnets. The following bullets describe a scenario in which such an overlap exists:
• Server A is a file share server for which you define a network resource. A policy assigned to the network resource allows all company employees remote VPN access to the server when they use a trusted client device and the advanced authentication combination of Active Directory with RSA SecurID.
• File Share B is a shared folder on Server A. You define File Share B as a file share resource for browser access. You assign this file share to a policy that allows access if users are using a logon point visible only from the internal company network.

Although your intention with the second policy is to restrict access to File Share B, the actual result is that the first policy allows users full access to File Share B through a VPN tunnel to the entire server. To avoid conflicts:
• Define network resources so that they do not overlap with browser-based resources (file shares and Web resources).
• Assign overlapping resources to the same policy.
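The following Python is an added example (not Access Gateway code) that applies the address, mask and port syntax from “To create a network resource” and then checks a proposed set of resources for the Server A / File Share B overlap described above: a file share or Web resource whose host falls inside a network resource’s address range, on a port that resource exposes, is flagged so that it can be moved into the same policy. The resource names and addresses are constructed, and the port sets assumed for file shares and Web resources are assumptions, not values from the guide.

```python
"""Network resource parsing and overlap detection. Added example, not product code."""
import ipaddress

SMB_PORTS = {139, 445}   # assumption: ports a file share is reached on
WEB_PORTS = {80, 443}    # assumption: ports a Web resource is reached on


def parse_ports(spec):
    """'22,80,110-120' -> {22, 80, 110, ..., 120}; rejects bad ranges and values."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if sep else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError("bad port entry: %r" % item)
        ports.update(range(lo_i, hi_i + 1))
    return ports


def parse_network(address, mask):
    """Address plus dotted mask, e.g. ('10.0.0.0', '255.0.0.0') -> 10.0.0.0/8 and
    ('10.2.3.4', '255.255.255.255') -> the single host 10.2.3.4/32."""
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=False)


def network_resource(name, address, mask, ports):
    """A VPN network resource as defined in the wizard above."""
    return {"kind": "network", "name": name,
            "net": parse_network(address, mask), "ports": parse_ports(ports)}


def browser_resource(kind, name, host_ip, ports):
    """A file share or Web resource reached through the Web proxy on host_ip."""
    return {"kind": kind, "name": name,
            "net": ipaddress.ip_network(host_ip + "/32"), "ports": set(ports)}


def find_overlaps(resources):
    """Pairs (network resource, browser resource) covering the same host and a
    common port, i.e. the conflict from 'Defining Resources to Avoid Conflicts'."""
    nets = [r for r in resources if r["kind"] == "network"]
    others = [r for r in resources if r["kind"] != "network"]
    hits = []
    for n in nets:
        for o in others:
            if o["net"].subnet_of(n["net"]) and (n["ports"] & o["ports"]):
                hits.append((n["name"], o["name"]))
    return hits


if __name__ == "__main__":
    # Constructed: Server A (10.2.3.4) as a network resource, File Share B on it.
    resources = [
        network_resource("Server A", "10.2.3.4", "255.255.255.255", "22,80,110-120,445"),
        browser_resource("file_share", "File Share B", "10.2.3.4", SMB_PORTS),
        browser_resource("web", "Intranet", "10.9.9.9", WEB_PORTS),
    ]
    print(find_overlaps(resources))
```

A network resource defined with a broad mask such as 255.0.0.0 overlaps every browser-based resource in that range, which is the usual way the conflict appears in practice.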

Creating Web Resources
Web resources define the Web pages, sites, or applications that you want to secure with policies. You can group multiple URLs and define them as a single Web resource. By default, users are denied access to a Web resource until you create policies that grant access permissions.


To create a Web resource

1. In the console tree, select Resources > Web resources and click Create Web resource in Common Tasks.
2. Enter a name and description for the resource.
3. On the Configure Addresses page, click New for each URL address you want to add and enter the address.
   Addresses can include:
   • virtual directories but not individual documents. For example, you can add http://PeopleManagementSystem/Recruiting/ but not http://PeopleManagementSystem/How-to-Interview.html
   • dynamic system tokens, such as http://www.MyCompany.com/users/#<FullName>
   Addresses cannot include:
   • general regular expressions such as http://www.server[1-0]+.com/[A-Za-z]+(A-Za-z0-9)*/
   • wildcards such as *.MyURL.com or http://www.*/Dept/MyCompany.com
4. From the Application type list, select the type of application the URL opens. The application type determines if specialized information is needed in the URL configuration.
   • Citrix Web Interface 4.2 or later points to a Web Interface site displaying users’ published applications from Citrix Presentation Server. For more information see “Integrating Web Interface” on page 158.
   • SharePoint points to a SharePoint site.
   • SharePoint with Web Interface Web Part points to a Web Part designed to provide Citrix Web Interface as an area on a SharePoint site. Supports SmartAccess features through the Web Interface.
   • Web Application points to a Web site URL that needs no specialized configuration information. This is the default setting.
   • Web Application (requires session cookies) points to Web sites allowed to receive cookies. By default the Web proxy does not forward cookies to redirected URL addresses. The Web proxy does not pass cookies to the default Web application type.


5. From the Authentication types supported area of the New URL dialog box, you can enable pass-through authentication to the site by selecting the site’s authentication method. For more information, see “Enabling Pass-Through Authentication for Web Resources” on page 124.
6. Select the option to publish in users’ lists of resources if you want this resource to appear on the Access Interface.
   • The home page must be a page within the exact URL you specify in Step 3. For example, if you enter http://MyCompany.net for the resource address, you can specify a page within that site, such as http://MyCompany.net/Finance.aspx.
   • If your directory service uses the homepage token, you can enter #<HomePage> for the URL home page. For more information about using tokens, see “Using Dynamic System Tokens” on page 128.
   Note: If you are enabling Advanced Access Control to display multiple Citrix Access Platform sites within the Access Interface, you must publish the site so you can associate it with a Presentation Server farm. For more information, see “Displaying Multiple Sites and Caching Credentials” on page 160.
7. Select the option to use an interface that is common for all browser types if users are not allowed to use ActiveX controls or use a variety of browser versions. Selecting this option presents users with a generic interface that does not require advanced browser technologies such as ActiveX.
8. Specify whether or not to create a default policy. If you create a default policy, you can edit its properties later.

Including Related Files
For Web sites, make sure when you create the resource that you include all the necessary files required by the pages of the Web site, such as image files that might be stored in a separate location or separate server. For example, if a site such as www.citrix.com uses images stored on www.webimages.site.com, add the URL www.webimages.site.com to the Web resource.

Configuring Sites Secured with SSL
When creating Web resources that contain URL addresses secured with Secure Sockets Layer (SSL), you must ensure that all servers in the access server farm with the role of Web server have the root certificate for the secured URL addresses.


This requirement does not apply if the Web proxy is bypassed for access to the server hosting the URL address. For more information about bypassing URL rewriting, see “Bypassing URL Rewriting” on page 144.

Web Resources that Keep Sessions Alive
User sessions for Web resources and applications normally time out according to the time-out settings of the logon point through which users connect. Note that when users view a Web resource that uses a keep-alive mechanism, the session remains open until the user closes the window displaying the Web resource. An example of such a resource is Microsoft Outlook Web Access, which performs regular polling to discover new email messages. This polling keeps the user’s session open until the Outlook Web Access window is closed.

Enabling Pass-Through Authentication for Web Resources
You can pass user credentials to Web servers on the secured network configured for Basic, Digest, or Integrated Windows Authentication. This feature avoids requiring users to enter their credentials multiple times to access Web resources. For example, if a team Web site in your organization is configured for Digest Authentication, you can pass the credentials with which users log on to the Access Gateway to that site. If you do not enable the URL address to support Digest Authentication, users might be required to log on to the Web site. Note that the authentication required for a Web site is determined by the settings of the site’s host Web server. When configuring a Web resource, you can enable its URL addresses to use one of the following methods of pass-through authentication:

• Basic authentication. Credentials are passed to the Web site in plain text.
  Important: Because credentials are passed in plain text, consider using SSL for Web sites that use Basic pass-through authentication.
• Digest authentication. Hashed credentials are passed to the Web site using Digest Authentication.
• Integrated Windows authentication. Hashed credentials are passed to the Web site using Integrated Authentication. NTLM or Kerberos authentication is used, depending on your Web server configuration.


Caution: When using any of the three pass-through authentication methods, the target Web application is first presented with the credentials with which the user logged on to the Access Gateway. Accessing Web sites that require a second, differing set of credentials through Access Gateway can result in the caching of the second set of credentials.
To specify pass-through authentication for a Web site

1. In the console tree, select the Web resource and click Edit Web resource in Common Tasks.
2. On the URL Addresses page, select the Web site’s URL and click Edit.
3. In the Authentication types supported area, select the authentication method being used by the Web site.

Configuring Sites with Form-Based Authentication
Web sites that require form-based authentication must be configured with the application type of Web application. Each URL defined in a Web resource is assigned an application type. For URLs that are assigned the application type Web Application, credentials are not passed and users might need to log on to the Web site. This is the default setting. You must use this option for sites that require form-based authentication.

Creating File Shares
File shares are shared directories, folders, and files on your network that you want to secure with policies. You can group multiple shares and define them as a single resource. Grouping file shares requires you to create fewer policies, because each policy you create for the resource applies to all shares in the group. By default, users are denied access to file shares until you create policies that grant them access permission.
To create a file share

1. In the console tree, select Resources > File Shares and click Create file share in Common Tasks.
2. Enter a name and description for the resource.


3. On the Configure Addresses page, click New to add each shared item, for example, \\MyServer\Shared-Files-Folder.
   • You can include addresses for specific document files as well as directories.
   • You can use dynamic system tokens, such as #<username>. To use system tokens, the service account in the Server Configuration for Advanced Access Control must be a domain account and not a local machine account.
4. In the File Share dialog box, select Publish for users in their list of resources if you want this resource to be listed on the Access Interface.
5. Specify whether or not to create a default policy. If you create a default policy, you can edit its properties later.

If you do not select the option to publish a file share, users can still navigate to the share in their browsers as long as a policy allows access to the file share. A file share that a user has access to but which is not published can also be accessed if it appears embedded in a Web page or email.

Uploading Large Documents to File Shares
When users access a published file share through the Access Interface and policies allow them to upload documents, users can upload documents up to 100 MB in size by default. To enable users to upload larger documents, you must edit the Windows Registry.

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To enable users to upload documents larger than 100 MB

1. From Registry Editor, find the following key: HKEY_LOCAL_MACHINE\SOFTWARE\CITRIX\MSAM\FEI
2. Click Edit > New > DWORD Value and type MaxUploadSize in the right pane.
3. Right-click on the new value and select Modify.
4. In Value Data, type the maximum document size in kilobytes (KB). For example, to specify a maximum size of 120 MB, you type 120000.


5. Under Base, select Decimal.


Using Dynamic System Tokens
You can use dynamic token replacement in UNC or URL addresses when defining resources that can retrieve dynamic information from the directory service. Dynamic token replacement provides replacement of strings with user attributes obtained from Active Directory.

Note: There is one attribute from Lightweight Directory Access Protocol (LDAP) or NT Directory Services that you can use without Active Directory. This is the #<username> attribute. All other attributes require Active Directory.

For example, if an enterprise with thousands of employees provides each user with a unique file share named for the user, it is more efficient to use a token in place of the user name rather than listing each explicit file share to define the resource group. To use system tokens the service account in the Server Configuration for Advanced Access Control must be a domain account and not a local machine account. Use the following syntax for token replacement:
#<Attribute>

Examples:
\\Public-shares\Departments\#<Department>\Reports
http://inotes.my-server.com/mail/#<username>.nsf


Active Directory Attributes
The following attributes can be used with Active Directory.
#<Department>
#<displayname>
#<Division>
#<domain>
#<EmployeeId>
#<FirstName>
#<FirstNameInitial>
#<FullName>
#<HomeDirectory>
#<HomePage>
#<Initials>
#<LastName>
#<LastNameInitial>
#<MiddleName>
#<OtherName>
#<UPN>
#<username>
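The token syntax and attribute list above, worked through as an added example that is not part of this guide or of the product: it expands #<Attribute> tokens in a UNC or URL address from a user's directory attributes, allows only #<username> when Active Directory is not in use, and rejects values that could break out of the intended path. The validation rules and the user-attribute dictionary are assumptions for illustration, not documented product behaviour.

```python
# Added example, not Citrix code. Expand #<Attribute> tokens in a UNC or URL
# address from a user's directory attributes. The attribute names are the
# ones listed above; the validation rules are assumptions for illustration.
import re

AD_ATTRIBUTES = (
    "Department", "displayname", "Division", "domain", "EmployeeId",
    "FirstName", "FirstNameInitial", "FullName", "HomeDirectory", "HomePage",
    "Initials", "LastName", "LastNameInitial", "MiddleName", "OtherName",
    "UPN", "username",
)
# Only #<username> is available from plain LDAP or NT Directory Services.
NON_AD_ATTRIBUTES = ("username",)
# Attributes whose values are themselves paths or URLs (assumed).
PATH_VALUED = {"homedirectory", "homepage"}

TOKEN = re.compile(r"#<([A-Za-z]+)>")
SEPARATORS = re.compile(r"[\\/:?#]")


def expand_tokens(address, user_attrs, active_directory=True):
    """Replace every #<Attribute> in address with the user's attribute value.

    user_attrs maps attribute names (any case) to values. Raises ValueError
    for unknown tokens, tokens that need Active Directory when it is absent,
    empty values, and values that would alter the path the administrator
    intended (parent-directory segments, separators, control characters)."""
    attrs = {k.lower(): v for k, v in user_attrs.items()}
    allowed = AD_ATTRIBUTES if active_directory else NON_AD_ATTRIBUTES
    allowed_lower = {a.lower() for a in allowed}

    def replace(match):
        name = match.group(1).lower()
        if name not in allowed_lower:
            raise ValueError(f"token #<{match.group(1)}> is not available here")
        value = attrs.get(name)
        if not value:
            raise ValueError(f"user has no value for #<{match.group(1)}>")
        if ".." in value or any(c < " " for c in value):
            raise ValueError(f"unsafe value for #<{match.group(1)}>")
        if name not in PATH_VALUED and SEPARATORS.search(value):
            raise ValueError(f"separator in value for #<{match.group(1)}>")
        return value

    return TOKEN.sub(replace, address)


def demo():
    """Constructed sample user; returns the two example addresses expanded."""
    user = {"username": "jdoe", "Department": "Finance", "FullName": "Jane Doe"}
    share = expand_tokens(r"\\Public-shares\Departments\#<Department>\Reports", user)
    mail = expand_tokens("http://inotes.my-server.com/mail/#<username>.nsf", user)
    return share, mail


if __name__ == "__main__":
    for expanded in demo():
        print(expanded)
```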

Creating Resource Groups to Ease Policy Administration
Resource groups enable you to group different types of resources into a single entity and apply policies to the group. Using resource groups requires fewer total policies and eases policy administration. The basic steps for bundling resources are:

1. Decide which resources you want to provide to users under a specific access scenario. For example, make a list of all the resources (including email, Web sites, and file shares) that your sales force needs to access from corporate laptops they use on the road.
2. Ensure that each of the resources from Step 1 is configured in the console. For example, if you want to include five corporate Web sites and Web-based email, make sure you configure one or more Web resources that include these sites and configure Web Email before you create the resource group.


3. Create a resource group that includes all the resources you listed in Step 1.
4. Create a filter that includes your requirements for the access scenario. For example, you can create a filter that requires users to authenticate with RSA authentication, log on to your Sales logon point URL, and pass specified endpoint analysis scans of the client device.
5. Create a policy for the resource group. Associate the policy with the filter you created in Step 4 and select the action controls you want for each resource.

Resource group names or descriptions do not appear to users in published lists of resources. The name and description you define for a resource group is for administrative use only. If you choose to publish a Web resource or file share, users see the resource’s description (not the description of the resource group) in their lists of resources. Each resource type has a wizard to guide you through adding the resource. These wizards are available from Common Tasks when the Resources node is selected. By default, users are denied access to any resource you define until you create policies that grant access permissions. This includes all resources and resource groups.

Integrating Resource Lists in Third-Party Portals
If you provide users with the lists of Web resources or file shares included with Advanced Access Control, you can integrate these lists into any portal solution. For example, if you are using Microsoft SharePoint as a portal or information aggregation point, you can display for users their list of Web resources or file shares in the SharePoint portal.
To integrate user resource lists with a third-party portal

1. Configure Web resources and file shares for users.
2. Configure your portal product’s Web site viewer to display one or both of the following:
   • The Web resources list at http://servername/CitrixSessionInit/URLList.aspx
   • The file share list at http://servername/citrixfei/myfiles.asp
   where servername is the name of a Web server running Access Gateway Advanced Edition.

Chapter 9

Controlling Access Through Policies

Policies provide granular control of access at the resource level. Use policies to control which resources users can get to and what actions they can perform on those resources. You can leverage the power of filters to apply policies based on information detected about the client device, who users are, the strength of their authentication, and where they are logging on. Filters provide the flexibility to match policies with your access scenarios. This section discusses how to implement policies and formulate strategies to control resources according to the user scenario. Policies extend the security of your network environment by enabling you to control:

• Access. You can control users’ ability to connect to your resources unless they meet security requirements such as identity, authentication, antivirus, firewall, and client software.
• Actions. You can control specific actions that users perform on resources accessed through the browser, based on the user scenario.
• Connections. You can control Secure Access Client connections and apply settings to those connections.

Controlling User Access
Policies help you secure the corporate network even before users log on and allow you to extend that security down to the individual resource level. Policies enable you to:

• Provide connection privileges to trusted devices only. When you create policies for the “Allow Logon” resource, you can deny connection privileges unless the client device meets your minimum security requirements verified through endpoint analysis scans. You can use connection policies with continuous scans to monitor Secure Access Client connections throughout the user session, disconnecting as soon as the client device fails to meet your requirements.
• Allow logon permission only to trusted users and devices. When you configure logon point properties, you can hide the logon page from users with unknown client devices or client devices that do not meet your security requirements. This feature prevents viruses on the client device from stealing the users’ credentials as they type them on the logon page.
• Allow or deny individual actions on resources. After users pass your security requirements for connecting, they must be granted explicit permission to a resource before the resource is available to them. You control this access through policies defined for each resource or group of resources. For more information about creating policies, see “Creating Access Policies” on page 135.

By default, users are not provided permission to access or take action on any resources on your networks. You must define your resources for the farm and then create policies that grant access to them and control actions users can perform on them. Advanced Access Control policies extend the operating system security settings and cannot override them. For example, if a user is denied access to a file share in the share’s Windows NT File System (NTFS) security settings, granting access to that file share through Access Gateway policies will not allow access to the file share.

Note: Access to applications and resources published by Citrix Presentation Server is not controlled by Advanced Access Control policies. Access to these resources depends on the properties of the logon point through which users log on and the permissions that users are assigned in Citrix Presentation Server.

Integrating Your Access Strategy
The way you define resources and create policies is influenced by your overall strategy for controlling access. The goal is to make sure users get the level of access that you can securely provide given the user situation. Your strategy determines how you pool resources and design policies.

Pooling Resources By Access Needs
Before defining resources and creating policies, pool resources into resource groups that reflect their relative security requirements. When you define resources, group similar resources together.


For example, you might create a resource group that contains several file shares, Web resources, and email that require very restricted access when users are connecting remotely. In another resource group you might add Web resources and file shares that you want users to have access to at all times, as long as they have a trusted client device.

Designing Policies From User Scenarios
Plan policies according to a basic set of user scenarios, such as the ones presented in the next table. Start with just a few scenarios. Define a few types of resources, pool them into resource groups, and practice creating policies until you have enough policies to cover all the user scenarios needed in your organization. The following table provides a few example scenarios of user situations with different access and actions that might be permitted:

User Device: Corporate desktop running required antivirus software
Resources Users Can Access:
• All corporate networks and file systems
• Full email services
• Corporate portals and Web applications
• Published applications through Citrix Presentation Server
• Other applications
Actions Users Can Take:
• Download files
• Upload files
• Edit files on the local client device
• Edit files on servers running Citrix Presentation Server
• Send documents as email attachments

User Device: Remote corporate device running required antivirus and firewall software
Resources Users Can Access:
• Web applications
• Synchronized email applications
• Published applications through Citrix Presentation Server
• Limited access to file systems
• Servers or services defined as network resources
Actions Users Can Take:
• Edit and save documents with Live Edit ActiveX control without needing to download and upload
• Limited client mapping or printing documents on servers running Citrix Presentation Server
• Send documents as email attachments
• Connect directly to network resources through VPN using Secure Access Client

User Device: Public kiosk running a required browser
Resources Users Can Access:
• Web applications
• Web-based email only
• Limited access to published applications
Actions Users Can Take:
• Preview documents as HTML
• No client mapping or printing documents on servers running Citrix Presentation Server

User Device: Personal digital assistant (PDA)
Resources Users Can Access:
• Web-based email only
Actions Users Can Take:
• View Web-based email, which supports refactoring for small devices
• Preview documents as HTML, which supports refactoring for small devices
• Send documents as email attachments
• No application access

User Device: Remote corporate laptops for system administrators who cover emergencies from home
Resources Users Can Access:
• Full access to individual mission critical applications defined as network resources or the Entire Network resource
Actions Users Can Take:
• Connect directly to network resources through VPN using Secure Access Client

After you develop an access strategy, you configure resources, policies, and filters in combinations that comply with and extend your corporate security guidelines. Resources and policies define the access control you allow. Filters define when and under what conditions the access is granted.

Differentiating Access Control and Publishing
Allowing access to a resource through policy control is not the same as publishing the resource. When you define file shares and Web resources you can choose to publish the resource, which means it is listed for users on the Access Interface or third-party portals. The built-in file share and Web resource lists can also appear as plug-ins to third-party corporate portals. For information about integrating resource lists in third-party portals, see “Integrating Resource Lists in Third-Party Portals” on page 130. Enabling the Access permission to a Web resource permits the user to view it with a browser. What the user can do with the item or which application is used to open it depends on the group of policy settings you have defined for the resource. Simply enabling the Access permission for a resource does not provide navigation to that resource. For example, if you enable the Access permission to a URL address but do not publish it, users can get to the URL only through a link embedded on a Web page or, if the resource is configured to bypass the Web proxy, by typing the URL directly in their browser.


You must create a Web resource or network resource for any application that you want users to have remote access to and you must create policies for these items granting explicit “Access” permission for users. Configuring file share access is slightly different than for Web resources, because you do not choose the “Access” permission in policies for file shares. Users can view a file share resource through their browser if you publish the resource and if the operating system access control list (ACL) allows access permission to the users. Policies for file shares define the users who can view the file share, the actions those users are allowed to take on the documents in those file shares, and the conditions under which they can take the actions.

Creating Access Policies
You must create policies to provide users with access to resources. By default, users have no access privileges to any resource. When you create an access policy, you define who has access, the conditions under which access is granted, and the granular access controls that are allowed or denied.
To create an access policy

1. In the console tree select Policies and choose Create access policy from Common Tasks.
2. In the New Access Policy wizard, name and describe the policy.
3. On the Select Resources page, select the resource groups and resources for the policy to control.
   • Select Network Resources > Entire Network if you want this policy to control access to all visible servers and services on the network.
   • Select the Allow Logon resource if you want this policy to include the conditions under which the users are allowed to log on to the network.
   Take care to review selections in the available resources tree. When you select or clear a category of resource, such as File Shares, all items grouped under that category are selected or cleared. Expand nodes to display the selections under each category.
4. On the Configure Settings page, enable each desired setting individually and select Allow or Deny. Take care to review your selections in the settings tree. It is possible to select policy settings on the Configure Settings page for types of resources that you did not select for the policy to control. The policy applies settings only for the resources that are selected for the policy.


5. On the Select Filter page, select a filter that defines the conditions to be met for the policy to be enforced. If you have not yet configured filters, you can edit the policy and assign a filter to it later.
6. On the Select Users page, select the users to whom the policy applies.

Note: If multiple policies apply to a resource, a policy that denies an access permission takes precedence over other policies that allow the access permission.
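The precedence rules stated in this procedure (no permission until a policy grants it, settings applying only to the resources a policy selects, a policy enforced only when its filter is met, and Deny overriding Allow), combined into one evaluator as an added example that is not part of this guide or of the product. The Policy structure, the filter-as-session-facts representation and the sample policies are assumptions for illustration.

```python
# Added example, not Citrix code. Compute the effective policy setting for a
# user on a resource when several policies apply, following the rules in
# this chapter. The Policy class and filter representation are assumptions.
from dataclasses import dataclass

ALLOW, DENY, NOT_GRANTED = "Allow", "Deny", "NotGranted"


@dataclass
class Policy:
    name: str
    resources: frozenset        # resources chosen on the Select Resources page
    settings: dict              # setting name -> ALLOW or DENY
    users: frozenset            # users chosen on the Select Users page
    conditions: frozenset = frozenset()   # filter: facts the session must show

    def applies(self, resource, user, session):
        """A policy is enforced only for its own resources and users and only
        when every condition of its filter holds for this session."""
        return (resource in self.resources and user in self.users
                and self.conditions <= session)


def effective_setting(policies, resource, setting, user, session):
    """Return ALLOW, DENY or NOT_GRANTED for one setting on one resource."""
    decisions = [p.settings[setting] for p in policies
                 if setting in p.settings and p.applies(resource, user, session)]
    if DENY in decisions:
        return DENY           # a single Deny overrides every Allow
    if ALLOW in decisions:
        return ALLOW
    return NOT_GRANTED        # default: nothing until a policy grants it


def demo_policies():
    """Constructed policies named after the convention used in this guide."""
    return [
        Policy("Web resource X_full access_all users",
               frozenset({"Web resource X"}),
               {"Access": ALLOW, "Download": ALLOW},
               frozenset({"jdoe", "asmith"}),
               frozenset({"device:trusted"})),
        Policy("Web resource X_limited access_field users",
               frozenset({"Web resource X"}),
               {"Access": ALLOW, "HTML Preview": ALLOW},
               frozenset({"jdoe"})),
        Policy("Web resource X_no download_unknown devices",
               frozenset({"Web resource X"}),
               {"Download": DENY},
               frozenset({"jdoe", "asmith"}),
               frozenset({"device:unknown"})),
        # Download is enabled here, but this policy does not select
        # Web resource X, so it has no effect on that resource.
        Policy("File share Z_all actions_all users",
               frozenset({"File share Z"}),
               {"Upload": ALLOW, "Download": ALLOW},
               frozenset({"jdoe"})),
    ]


if __name__ == "__main__":
    pols = demo_policies()
    for session in (frozenset({"device:trusted"}), frozenset({"device:unknown"})):
        result = effective_setting(pols, "Web resource X", "Download", "jdoe", session)
        print(sorted(session), "Download ->", result)
```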

Naming Policies
All policy names must be unique. Developing a consistent naming convention or practice eases administration of policies. Because policies are defined per resource to provide granular control, you can potentially create many policies. The naming convention you develop should help you quickly identify the resource and, if possible, the level of access you are applying. You can develop a convention that meets your organization’s needs. In general, the policy name should include the resource. One typical naming convention names policies by resource name and an access level phrase that coincides with your access strategy or the permissions allowed. For example:

• Web resource X_full access_all users
• Web resource X_limited access_field users
• Web resource X_full access_administrators
• File share Z_all actions_all users
• File share Z_restricted actions_unknown devices

You can change the name of default policies.
To change a policy name

1. Select the policy in the right details pane of the console.
2. At the bottom of the details pane click Edit policy properties.
3. In the policy Properties, change the name and save the policy.


Configuring Policy Settings to Control User Actions
Policies for resources opened through the browser (Web resources, file shares, and email) enable you to control not only access, but also what actions users can perform with the resource. Policy settings enable you to allow or deny specific action controls. Configure policy settings in the policy wizard or policy properties. The policy settings that are available when you create a policy depend on the type of resource you are securing and your environment. For example, if the access server farm is not configured to link to a farm running Citrix Presentation Server, the File Type Association permission setting is not available. Depending on the type of resource and your farm configuration, you can allow or deny the following policy settings:

Policy Setting: Access
Description: Allows users access to the resource through a Web browser or Secure Access Client connection. For Web-based email, this setting allows all functionality provided by the Web-based email application, such as viewing and sending emails, managing the Calendar, and viewing an address book, but does not allow the ability to access email attachments. Accessing email attachments is allowed through the Email as Attachment setting. For network resources, Access allows a direct VPN connection to the resource using the Secure Access Client. Access is the only permission you can set for network resources.

Policy Setting: Bypass URL Rewriting
Description: Allows the browser to retrieve a Web resource without the URL address of the resource being rewritten by the Web proxy component of Advanced Access Control. By default, URL addresses are rewritten by the Web proxy. For more information, see “Bypassing URL Rewriting” on page 144.

Policy Setting: Download
Description: Allows documents or email attachments to be sent to the user’s browser as HTTP content and saved on the local client device. The browser performs its default action depending on the MIME type of the content.

Policy Setting: Email as Attachment
Description: Allows users to attach documents to email. You can use this control to allow users to email documents without having other action controls (such as Download) that require sending the document to the client device.

Policy Setting: File Type Association
Description: Allows users to open documents in applications published through Citrix Presentation Server. You can use this permission to allow users to open and edit documents on servers in the trusted environment and avoid sending the document to the user’s client device. You can use file type association only for document types that are associated with a published application and only if the logon point properties are correctly configured.

Policy Setting: HTML Preview
Description: Allows users to view non-HTML content as HTML in a browser without needing to run additional client software. Supports a wide range of client devices, including small form factors. Users need this access control or Download to view an HTML document in a file share. This feature is available only for document types for which there is conversion software installed on a farm Web server. At least one Web server must have the conversion software installed and must be assigned to perform the HTML Preview server role.

Policy Setting: Live Edit
Description: Allows users to edit remote documents using the Live Edit Client, an ActiveX control. Users can conveniently edit and save documents without needing to download and upload them.

Policy Setting: Upload
Description: Allows users to save new documents and overwrite existing files in a file share.

Allowing Access to Standard Web Content
The only policy setting that applies for standard Web content is the Allow or Deny Access setting. Standard Web content includes those document types that you typically view with a browser. These documents are simply downloaded to the client device as usual for browsing, and do not come under the varying levels of access control (HTML Preview or Live Edit, for example) that you can apply to other document types. The following document types are treated as standard Web content:

Text: HTML; CSS; XML; X-component
Applications: X-Java Script; S-Component
Images: GIF; JPEG; PNG

Allowing File Type Association
Allowing file type association for a resource enables users to open the resource with an application running in Citrix Presentation Server. Providing file type association as the only means for editing resource documents can heighten security because it requires that editing occur on the server and not on the client device.


For example, you might choose to grant file type association for a file share where employees post reports of ongoing project meetings, without providing the ability to download or upload. Providing file type association requires that:
• Users run Citrix Presentation Server Client software on the client device.
• Users connect through a logon point configured for Citrix Presentation Server.
• Users are assigned to the desired applications in Citrix Presentation Server.
• Citrix Presentation Server is configured to work with Advanced Access Control.

Allowing HTML Preview
HTML Preview enables users to view non-HTML content in a browser without requiring any additional client software. HTML Preview displays documents:
• For read-only permission
• On a wide range of devices when the associated application is not available
• On small form factor devices such as PDAs

HTML Preview is designed primarily for situations in which you want users to be able to view documents even if they don’t have an application installed on the client device that can display the document. For example, you might decide to allow HTML Preview for employees who need to view documents on the road from public kiosks, PDAs, or non-corporate devices. For more information about the requirements of providing HTML Preview in the farm, see “HTML Preview Requirements” on page 46.

Allowing Email Attachments
The Email as Attachment access control is designed to allow users to email documents from a location on a remote server to a recipient, without having to download the document to the client device. You might choose to allow Email as Attachment together with HTML Preview, or in similar situations. For example, you might provide email attachment capability for employees on the road when they are using unrecognized or untrusted client devices. These employees can view documents, write their comments in a Web-based version of their email program, and attach the document to the email message. Users can take these actions without downloading the document to the client device.


Allowing Live Edit
Live Edit is a convenience feature that allows users to edit remote documents with an ActiveX control. Users can edit and save documents without needing to download and upload them. The following notes explain how Live Edit works in combination with other action controls you can allow for the same resource:
• Live Edit allowed without other action controls. Users can save the document on the source repository.
• Live Edit and Email As Attachment allowed. Users can save the document on the local client device and email it from within the Live Edit session.
• Live Edit and Download allowed. Users can save the document on the local client device.
• Live Edit and Upload allowed. Users can save the document on the local client device. Users can upload (save) the document to published file shares. Published file shares have the option Publish for users in their list of resources selected in their properties.

For more information about the requirements for using Live Edit in your environment, see “Live Edit Requirements” on page 49.

Allowing Logon
The privilege of logging on is treated as a resource so you can secure the privilege through policies, just as you do for other resources. This feature enables you to configure additional requirements, beyond the authentication of credentials, that users must meet to log on to your network. The resource is named Allow Logon. You can select the Allow Logon resource along with other resources when you create an access policy. Users cannot log on until you create an access policy to allow them to do so.

To allow users to log on

1. Open the properties of an existing access policy or create a new access policy.
   • To open an existing policy’s properties, select Policies and click Manage policies in Common Tasks. Search for the policy you want, select it, right-click, and choose Edit policy.
   • To create a new access policy, select Policies in the console tree and click Create access policy in Common Tasks.
2. On the Resources page, select Allow Logon.
3. On the Settings page, locate the heading Allow Logon and select Access under it.
4. Select Enable this policy to control this setting and select Allow, unless denied by another policy.

Setting Conditions for Showing the Logon Page
The logon point sends the logon page to the client device browser, allowing users to enter their credentials. You can make display of the logon page conditional by requiring that users’ client devices pass endpoint analysis scans before the page is displayed. This keeps the logon page, and the credentials typed into it, away from devices that fail your checks. For example, you can create an endpoint analysis scan that verifies that the client device is running your required level of antivirus protection. A client device that is not running the required level of antivirus protection might host a virus or a keystroke-sniffing program, and such programs can record and steal credentials as users log on. You can set conditions for showing the logon page in logon point properties. If users do not meet the specified conditions, they receive an Access Denied error when they attempt to open the logon page URL. If you do not set any conditions in the Visibility section of logon point properties, the logon page is visible to any user who is allowed to browse to the URL.
To set conditions for showing the logon page

1. In the console tree, select the logon point and click Edit logon point in Common Tasks.
2. In the logon point properties, select the Visibility page.
3. Select Show logon page.
4. If you want to show the logon page conditionally, use the logical expression builder to define the conditions to be met by the connecting client device.
   A. Insert the logical operators AND, OR, and NOT and click Endpoint Analysis Output to choose from a list of your configured scans.
   B. Review the resulting logical statement in the Expression preview.

Note: The expression builder appears unavailable until you have created endpoint analysis scans. The Root object displayed in the expression builder does not affect expression logic. The root signals the beginning of your expression tree.
Example 1: An Expression Requiring One Scan

To create an expression that requires the client device to be running a required level of McAfee VirusScan, click Endpoint Analysis Output and choose the scan output for the antivirus application. The expression builder contains:
Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfeeVirusScan

where scan_name is the name you assigned to the scan when you created it.
Example 2: Creating a Conditional Expression with OR

Assume that the conditions you want to set are reflected by the following statement: Show the logon page to users with client devices that are running a required level of McAfee VirusScan or McAfee VirusScan Enterprise. Before you build this conditional expression, you must create an endpoint analysis scan for your required versions of McAfee VirusScan and McAfee VirusScan Enterprise.

Note: This example requires you to have configured two endpoint analysis scans to verify whether or not the client device is running McAfee VirusScan or McAfee VirusScan Enterprise. For information about creating scans, see “Creating Endpoint Analysis Scans” on page 166.

1. Select the Root object in the tree and click OR.
2. Click Endpoint Analysis Output and choose the scan output for McAfee VirusScan.
3. Click Endpoint Analysis Output and choose the scan output for McAfee VirusScan Enterprise.

The result of this example procedure looks like this in the expression tree:

ROOT
  OR
    Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
    Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise

where scan_name is the name you assigned to the scans.
Example 3: Creating a Complex Conditional Expression with NOT

The following example shows a conditional expression using the NOT operator. To pass this complex condition, the client device must have your required version of McAfee VirusScan or McAfee VirusScan Enterprise, but the device cannot be connecting with the Mozilla Firefox browser.

Note: This example requires you to have configured three endpoint analysis scans to verify whether or not the client device is running McAfee VirusScan or McAfee VirusScan Enterprise, and to also verify if the client device is connecting with the Mozilla Firefox browser. For information about creating scans, see “Creating Endpoint Analysis Scans” on page 166.

1. Select the Root object in the tree and click AND.
2. Click OR.
3. Click Endpoint Analysis Output and choose your scan output for McAfee VirusScan.
4. Click Endpoint Analysis Output and choose your scan output for McAfee VirusScan Enterprise.
5. Select the AND object that you created in Step 1 and click NOT.
6. Click Endpoint Analysis Output and choose your scan output for Mozilla Firefox.

The result of the example looks like this in the expression tree:

ROOT
  AND
    OR
      Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan
      Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise
    NOT
      Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting

where scan_name is the name you assigned to the scans. The Expression preview shows the following logical statement:

((Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee-VirusScan OR Citrix Scans for McAfee VirusScan Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise) AND (NOT Citrix Scans for Mozilla Firefox.scan_name.Verified-Mozilla-Firefox-Connecting))

where scan_name is the name you assigned to the scans. Note the following about this example:
• Inserting the NOT operator results in OR NOT logic by default. If you want AND NOT logic, insert the AND operator before the NOT operator in your tree, as you did in the above example.
• The Mozilla Firefox scan package verifies a minimum version number. In this example, we want to verify any known version. To detect all known versions, we can create the scan to verify that the client device is connecting with a minimum of version 0.1.

Bypassing URL Rewriting
By default, Access Gateway rewrites the URL addresses of Web resources using a built-in Web proxy component. Web servers in the farm proxy the URL addresses of these internal resources. If you select the policy setting to bypass URL rewriting, you decrease your ability to set differing levels of access. This occurs because some action controls (policy settings) are not available for the resource unless Web proxy URL rewriting is used. In some documentation, this feature is referred to as bypassing the Web proxy. You might decide to bypass URL rewriting to:
• Increase performance among the farm’s Web servers
• Provide end-to-end SSL connections between the client device browser and the destination Web server hosting the resource
• Provide access to internal Web sites that do not allow or work well when their URLs are rewritten
• Provide access to Web resources that are stored on a Web server hosting Advanced Access Control

Considerations about URL Rewriting
Note the following considerations when deciding to use or bypass the URL rewriting feature:
• If you select Bypass URL rewriting for a Web resource, all URL addresses for the host name are subject to the option and bypass the Web proxy. For example, if you select the option for the address “http://www.server1.company.com/folder1/folder2/”, all URL addresses hosted on www.server1.company.com bypass the Web proxy, even if those addresses are not specified within the Web resource.
• Users cannot access Web resources stored on a Web server hosting Advanced Access Control unless URL rewriting is bypassed. If you want to provide such access, you must create a policy for the Web resources and select Bypass URL Rewriting in the policy settings.
• Ensure that the Web sites you make accessible are secure from vulnerabilities such as cross-site scripting and SQL injection. When the Web proxy is used to rewrite Web resource URLs (the default case), all resources appear to reside on the Web proxy server. In such cases you cannot rely upon protection by the JavaScript “same origin” policy to prevent malicious scripts from one server accessing properties of resources on another server, because resources from all servers appear to share the same origin. In practice, a cross-site scripting flaw in any one proxied site can be used against every other site reached through the proxy.

To bypass URL Rewriting

Select Bypass URL rewriting in the policy settings of the policy that controls access to the Web resource.

Important: When defining resources that bypass URL rewriting, you must specify entire servers, such as //server/. All URL addresses hosted on the specified server bypass the Web proxy, even if those URL addresses appear in the properties of other Web resources that are supposed to be routed through the Web proxy.
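The two consequences described above, that a bypass selected for one folder takes the whole host out of the Web proxy and that everything left behind the proxy shares a single browser origin, are easy to get wrong when a resource list grows. The following Python is an added illustration, not Citrix code and not an Access Gateway API: it models the host-level bypass rule and the origin the browser sees, and lists the pairs of distinct servers that end up sharing one origin. The gateway address gateway.example.com, the company.com host names, and the resource list are constructed for the example.

```python
"""Model of the URL rewriting caveats: bypass is per host, proxied resources share one origin.
Added illustration, not Citrix code; all host names and URLs below are constructed."""
from itertools import combinations
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

WEB_PROXY = "https://gateway.example.com"  # constructed Access Gateway address


def host_of(resource: str) -> str:
    """Host name of a resource; accepts the //server/ form the Important note asks for."""
    if "//" not in resource:
        resource = "//" + resource
    host = urlsplit(resource).hostname
    if not host:
        raise ValueError(f"no host in {resource!r}")
    return host.lower()


def is_bypassed(url: str, bypass_resources: Iterable[str]) -> bool:
    """Bypass URL rewriting is decided per host: selecting it for one folder on a
    server takes every URL on that server out of the Web proxy."""
    return host_of(url) in {host_of(r) for r in bypass_resources}


def browser_origin(url: str, bypass_resources: Iterable[str]) -> Tuple[str, str, int]:
    """(scheme, host, port) that the browser's same-origin policy sees for a resource:
    the real server if bypassed, otherwise the Web proxy that rewrote the URL."""
    target = url if is_bypassed(url, bypass_resources) else WEB_PROXY
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def shared_origin_pairs(urls: List[str], bypass_resources: Iterable[str]) -> List[Tuple[str, str]]:
    """Resources on different real servers that the browser treats as one origin.
    A cross-site scripting flaw on either side of such a pair reaches the other side."""
    pairs = []
    for a, b in combinations(urls, 2):
        if host_of(a) != host_of(b) and browser_origin(a, bypass_resources) == browser_origin(b, bypass_resources):
            pairs.append((a, b))
    return pairs


BYPASS = ["http://www.server1.company.com/folder1/folder2/"]  # the page's own example address
RESOURCES = [                                                 # constructed resource list
    "http://www.server1.company.com/folder1/folder2/",
    "http://www.server1.company.com/other/app/",
    "http://intranet.company.com/",
    "http://reports.company.com/q3/",
]

if __name__ == "__main__":
    for url in RESOURCES:
        state = "bypassed" if is_bypassed(url, BYPASS) else "proxied"
        print(f"{url:50} {state:9} {browser_origin(url, BYPASS)}")
    print("same-origin pairs across servers:", shared_origin_pairs(RESOURCES, BYPASS))
```

Run against your own resource list, the output shows which servers an attacker could pivot between from one script injection, and which folders you silently exposed to end-to-end access by bypassing a sibling folder on the same host.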

Limitations of Browser-Only Access
If your Advanced Access Control deployment does not require any client software on client devices, your deployment is considered to provide browser-only access. In this scenario, users need only a Web browser to access corporate resources. Browser-only access to Web resources depends on the URL rewriting function of the Web proxy. Some Web applications do not handle URL rewriting well or do not allow the cookie management needed for browser-only access. Such applications are better suited for the simplified functionality of a common browser interface or client access through the Access Gateway. For example, the more a Web application uses the following advanced technologies, the less likely it is to work smoothly with proxied URL rewriting:
• Flash animations
• Shockwave multimedia objects
• ActiveX controls
• Advanced Java scripting languages

Test the behavior of those Web applications that you plan to provide only through a browser. If the applications do not behave as expected, consider the following alternatives:
• Bypass the Web proxy. You can choose for users to bypass the Web proxy. For remote users (and possibly internal users in deployments of secure enclaves), this means using the Access Gateway with the Secure Access Client. For more information about bypassing the proxy, see “Bypassing URL Rewriting” on page 144.
• Network resources. You can create a network resource to provide users direct access to the application using the Secure Access Client. Network resources do not appear in published lists of users’ resources such as the Access Interface.
• Common browser interface. You can choose to use a basic browser-independent interface that suppresses use of enhanced display or functionality. To implement the common interface, open the Properties for the Web resource, choose the URL Addresses page, and select Use the interface that is common for all browser types.

Note: You cannot incorporate the failover feature for Access Gateway appliances for users accessing Web resources only with a browser.

Creating Connection Policies
Connection policies control connections that use the Secure Access Client. You can assign filters to connection policies to define when the policy applies. Take care not to confuse connection policies with access policies:
• Connection policies allow Secure Access Client connections and apply settings to those connections. You must allow use of the Secure Access Client to establish connections to any network resource and for email synchronization, because these types of resources do not allow browser-only access.
• Access policies define access permissions that specified users have to resources under specified conditions. For example, an access policy determines whether or not a group of users can access a certain file share and whether they can preview files in HTML or use Live Edit to modify the file.

One of the filters you can apply to a connection policy is a continuous scan filter. A continuous scan filter comprises a set of scans that continue to monitor the connection during the entire user session. As soon as the client device ceases to meet the requirements defined in the continuous scan filter, the connection is disconnected.
To create a connection policy

1. In the console tree, select Policies > Connection Policies and choose Create connection policy from Common Tasks.
2. Name and describe the policy.
3. Configure the connection settings you want to apply by selecting each setting and choosing Yes or No to allow or deny it. You must allow the setting Launch Secure Access Client if access allowed to make additional settings available. Select from among the following settings:
   • Authenticate after system resume forces authentication after the client device goes into standby or hibernate mode.
   • Authenticate after network interruption forces authentication if the network connection is interrupted.
   • Enable split DNS allows failover to a user’s local DNS if the remote DNS is not available. By default, Access Gateway checks a user’s remote DNS only.
   • Execute logon scripts runs Windows logon scripts when the connection is established.
   • Desktop sharing allows users to share their desktop with other users who are logged on to the Access Gateway from a Secure Access Client. Users can then share their desktop by right-clicking the Secure Access Client icon in the Windows notification area and selecting Share Desktop.


4. If you want to give client devices a unique IP address, add and define the address pools from which address aliases are assigned. On the Define IP Pool Configuration page, click New to add each available IP pool.
   • For Access Gateway, enter the IP address of the Access Gateway appliance.
   • For Gateway, enter the IP address of the default gateway if you use one. If you do not use a default gateway, you can leave this box blank.
   • Each IP range should be valid but unused on the network.
   • To avoid conflicting assignments, ensure that you configure a unique IP range or ranges for each gateway appliance. You should not assign the same IP range or ranges to multiple gateway appliances.

   Note: If you add address pools, you must restart each Access Gateway appliance in the farm before the IP pool becomes available. You might want to schedule IP pool configuration for a convenient time.
5. Select filters that define the conditions for policy enforcement. You can select two types of filters:
   • A filter defines requirements for logon points, endpoint analysis, authentication, and client certificates. This type of filter checks for your requirements once during logon.
   • A continuous scan filter defines requirements of registry entries, files, or processes that must be verified on the client device. This filter checks its requirements throughout the user session.
6. Select users and user groups to whom the policy applies.

Creating Policies for Presentation Server Connections
If you create policies for Secure Access Client connections to Citrix Presentation Server, you must:
• Define at least one IP pool in the connection policy properties
• Create a network resource that includes the server or servers running Presentation Server


If no IP pools are defined, the client device is identified by the IP address of the Access Gateway appliance and connects directly to the server running Presentation Server without being controlled by policies assigned to the network resources defined for the servers running Presentation Server.

Prioritizing Connection Policies
Because multiple connection policies can apply to the same user, you can prioritize connection policies. The settings in policies with a higher ranking priority take precedence over those in lower ranking policies.
To prioritize connection policies

1. In the console tree, select Connection Policies and choose Set connection policy priority from Common Tasks.
2. Select a policy and use the arrow buttons to move its position in the ordered list. The highest priority policy appears at the top of the list.

Creating Policy Filters
Filters define the conditions under which the policy applies. Consider the following example of a policy statement: Allow access and HTML Preview permission only to the Quarterly Sales Reports file share for Sales department users when they log on from outside the secure network using an SSL client certificate. The filter part of the above policy statement is “when they log on from outside the secure network using an SSL client certificate.” If you authenticate remote workers through a specific logon point, you can filter by the logon point and you can require the use of a client certificate. You can configure four types of conditions for a filter:
• Logon point. Applies the policy based on the URL with which the user connects to the network.
• Authentication strength. Applies the policy based on the authentication being used. The options available in the filter depend on the authentication configurations you have set up. For more information see “Securing User Connections” on page 101.
• Endpoint analysis scan outputs. Applies the policy based on information gathered by endpoint analysis scans of the client device. You must configure scans before any scan outputs are available to integrate into a filter.
• Client certificate requirements. Applies the policy based on the presence of specified criteria in the SSL client certificate.

Filters are designed so you can name them and use the same filter for multiple policies. Each policy uses one filter only. To achieve the effect of using multiple filters, you can use the custom filter feature to create complex filters that contain other filters.
To create a policy filter

You can create a filter before, at the same time, or after you create the policies you want to associate with it.
1. Open the New Filter wizard from one of the following locations:
   • In the console tree, select Policies > Filters and click Create filter in Common Tasks.
   • On the Select Filters page of a policy wizard, click New.
2. Enter a name and description for the filter.
3. Select the option Create a typical filter.
4. If you want the policy to apply when users enter through specific logon points, select those logon points.
5. If you want the policy to apply based on the authentication used, select the authentication.
6. If you want the policy to apply based on endpoint analysis scans of the client device, select the appropriate scan outputs.
7. If you want the policy to apply based on required information in an SSL client certificate, select Specify SSL client certificate matching criteria. You can require that the certificate contain specified values for common name, organization, or organizational unit.
   • You cannot specify SSL client certificate values for filtering unless the option to require client certificates is selected in Access Gateway Global Properties (Gateway Appliances > Edit gateway appliances properties > Client Properties).
   • Do not add quotation marks around the values you enter for common name, organization, or organizational unit.

Each type of filter condition is optional. For example, you can configure a filter based on logon point only. Logically, the conditions defined in a filter are combined with the AND logical operator, and within a condition type, the settings are combined with an OR operator. For example, if your filter settings specify Logon Point A, Logon Point B, and Scan Output C, the policy is applied with the following logic:

(Logon Point A or Logon Point B) and Scan Output C

Creating Custom Filters
You can create custom filters that use logical expressions with the operators AND, OR, and NOT, allowing you to create filters of greater complexity than you can with typical filters. With typical filters you are limited to selecting conditions that the wizard combines with AND logic only. Because they are made from logical expressions, custom filters provide more complexity and flexibility, but they are harder to create. Using custom filters is optional and not required for common configurations. For ease of administration, use typical policy filters.
To build a custom filter with logical expressions

1. In the console tree, select Policies > Filters and click Create filter in Common Tasks. The New Filter wizard opens.
2. Enter a name and description for the filter.
3. Select the option Create a custom filter.
4. On the Build Custom Filter page, use the logical expression builder to create an expression that reflects the conditions you want met before the policy is enforced.
   • Insert the logical operators AND, OR, and NOT along with elements for logon point, authentication, endpoint analysis output, client certificate, or another filter to create the logical expression. Note that the Root object displayed in the expression builder does not affect expression logic. The root signals the beginning of your expression tree.

Example: Creating a Custom Filter

Assume for this example that your network security strategy is to deny logon privileges to client devices running Windows 2000 unless those devices have Windows 2000 Service Pack 4 installed OR are running Internet Explorer 6.0. You want to build a filter for this scenario that you can assign to a policy that includes the Allow Logon privilege. Before creating the custom filter, create two scans as follows:


1. Use “Citrix Scans for Windows Service Pack” to create a scan with these settings:
   • Rule conditions: operating system = Windows 2000; client device regional locale = all
   • Property value to verify: Service Pack 4
2. Use “Citrix Scans for Internet Explorer” to create a scan with these settings:
   • Rule conditions: operating system = Windows 2000; client device regional locale = all
   • Property value to verify is the minimum required version: 6.0

On the Build Custom Filter page of the New Filter wizard, follow these steps to create the logical expression:
1. Click OR from the Insert group box.
2. Click Endpoint Analysis Output and choose the scan output for Service Pack 4.
3. Select OR in the expression builder and click Endpoint Analysis Output again to choose the scan output for Internet Explorer Version 6.0.

The result in the expression builder appears as:
OR
  Citrix Scans for Windows Service Pack.scan_name.Verified-Windows-Service-Pack
  Citrix Scans for Internet Explorer.scan_name.Verified-Internet-Explorer

where scan_name is the name you assigned to the scans. For more examples of using an expression builder, see “Setting Conditions for Showing the Logon Page” on page 141.

Creating Continuous Scan Filters
Continuous scan filters define the continuous scan requirements for a connection policy. A continuous scan verifies one item (a file, registry entry, or process) on the client device. The filter can include one or more continuous scans for verification. When associated with a connection policy, the filter defines all the requirements to be verified by continuous scans for the connection policy to take effect. Note that continuous scan filters, unlike regular policy filters, cannot be used by Citrix Presentation Server policies. For more information, see “Integrating Citrix Presentation Server” on page 157.


For information about continuous scans, see “Creating Continuous Scans” on page 178.
To create a continuous scan filter

1. In the console tree, select Policies > Continuous Scan Filters and click Create filter in Common Tasks.
2. Enter a name and description for the filter.
3. On the Configure Requirements page, use the logical expression builder to create an expression that reflects the conditions you want the client device to meet.
   • Insert the logical operators AND, OR, and NOT and click File Scan, Process Scan, or Registry Scan to choose from your configured scans. Note that the Root object displayed in the expression builder does not affect expression logic. The root signals the beginning of your expression tree.

Example 1: Conditional Expression Requiring One Scan

Assume that you want to create an expression that requires an antivirus program's executable file to be installed on the client device and that you configured a file scan to verify this file. From the Configure Requirements page of the continuous scan filter wizard, click File Scan and choose the file scan. The result of this example procedure looks like this in the expression tree:
ROOT
  scan_name

where scan_name is the name you assigned to the scan when you created it.
Example 2: Conditional Expression Requiring One of Two Scans

Assume that the conditions you want to set are reflected by the following statement: Client devices must be running the process for a personal firewall from either Company A or Company B. Before you build this conditional expression, you must create a process scan for Company A's personal firewall process and another process scan for Company B's personal firewall process.
1. Click OR.
2. Click Process Scan and choose the scan for Company A’s personal firewall process.
3. Click Process Scan and choose the scan for Company B’s personal firewall process.

The result of this example procedure looks like this in the expression tree:

ROOT
  OR
    scan_name_CompanyA_process
    scan_name_CompanyB_process

where scan_name_CompanyA_process and scan_name_CompanyB_process are the names you assigned to the scans. For more examples of using an expression builder, see “Setting Conditions for Showing the Logon Page” on page 141.
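The expression trees in Examples 1 to 3 under “Setting Conditions for Showing the Logon Page”, the (A or B) and C logic of typical filters, the custom filter example, and the two continuous scan filter examples above all reduce to the same AND/OR/NOT evaluation over what was verified on the device. The following Python is an added illustration, not Citrix code and not an Access Gateway API: it models that evaluation so you can check what an expression admits before you hang logon or a session on it, including the OR NOT default the Example 3 note warns about. The scan output labels (with av, av_ent and ff standing in for scan_name) and the fw_CompanyA_process and fw_CompanyB_process names are constructed.

```python
"""Model of the logical expression builder used for logon page visibility,
custom filters and continuous scan filters.  Added illustration, not Citrix
code.  Scan output names below are constructed in the console's format."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

MCAFEE = "Citrix Scans for McAfee VirusScan.av.Verified-McAfee-VirusScan"
MCAFEE_ENT = ("Citrix Scans for McAfee VirusScan Enterprise.av_ent."
              "Verified-McAfee-VirusScan-Enterprise")
FIREFOX = "Citrix Scans for Mozilla Firefox.ff.Verified-Mozilla-Firefox-Connecting"


@dataclass
class Node:
    op: str                                   # "AND", "OR", "NOT" or "LEAF"
    name: str = ""                            # element name when op == "LEAF"
    children: List["Node"] = field(default_factory=list)


def leaf(name: str) -> Node:
    """A filter element: scan output, logon point, authentication or certificate criterion."""
    return Node("LEAF", name=name)


def AND(*kids: Node) -> Node:
    return Node("AND", children=list(kids))


def OR(*kids: Node) -> Node:
    return Node("OR", children=list(kids))


def NOT(kid: Node) -> Node:
    return Node("NOT", children=[kid])


def evaluate(node: Node, facts: Dict[str, bool]) -> bool:
    """Evaluate a tree against what was verified on the device.  An element absent
    from `facts` counts as not verified, so a scan that never ran can fail a
    requirement but never satisfy one."""
    if node.op == "LEAF":
        return facts.get(node.name, False)
    if node.op == "NOT":
        return not evaluate(node.children[0], facts)
    results = [evaluate(child, facts) for child in node.children]
    if node.op == "AND":
        return all(results)  # empty AND is true: a filter with no conditions always applies
    if node.op == "OR":
        return any(results)
    raise ValueError(f"unknown operator {node.op!r}")


def preview(node: Node) -> str:
    """Render the tree the way the Expression preview box does."""
    if node.op == "LEAF":
        return node.name
    if node.op == "NOT":
        return f"(NOT {preview(node.children[0])})"
    return "(" + f" {node.op} ".join(preview(c) for c in node.children) + ")"


def typical_filter(**conditions: Iterable[str]) -> Node:
    """Typical filter logic: condition types are ANDed, settings within a type are ORed.
    Empty condition types are optional and dropped, so
    typical_filter(logon_point=["A", "B"], scan_output=["C"]) is (A OR B) AND C."""
    groups = [OR(*(leaf(s) for s in settings)) for settings in conditions.values() if settings]
    return AND(*groups)


def first_disconnect(expr: Node, snapshots: List[Dict[str, bool]]) -> int:
    """Continuous scan filter: index of the first snapshot in which the device stops
    meeting the requirements (where the session would be dropped), or -1 if never."""
    for i, snap in enumerate(snapshots):
        if not evaluate(expr, snap):
            return i
    return -1


# Example 3 above: (McAfee OR McAfee Enterprise) AND NOT Firefox.
EXAMPLE3 = AND(OR(leaf(MCAFEE), leaf(MCAFEE_ENT)), NOT(leaf(FIREFOX)))
# What you get by clicking NOT directly under the OR: the "OR NOT logic by default"
# from the note.  A device with nothing verified passes because it is not Firefox.
EXAMPLE3_OR_NOT = OR(leaf(MCAFEE), leaf(MCAFEE_ENT), NOT(leaf(FIREFOX)))
# Continuous scan Example 2: a personal firewall process from either vendor (constructed names).
FIREWALL_EITHER = OR(leaf("fw_CompanyA_process"), leaf("fw_CompanyB_process"))

if __name__ == "__main__":
    print(preview(EXAMPLE3))
    print("McAfee, not Firefox:", evaluate(EXAMPLE3, {MCAFEE: True, FIREFOX: False}))
    print("McAfee, Firefox:    ", evaluate(EXAMPLE3, {MCAFEE: True, FIREFOX: True}))
    print("nothing verified, OR NOT tree:", evaluate(EXAMPLE3_OR_NOT, {}))
```

The deny-by-default treatment of missing facts is a design choice for the model, not a statement about the product; it is the conservative reading when you are unsure whether a scan ran. Comparing EXAMPLE3 with EXAMPLE3_OR_NOT on a device with no scan results is the quickest way to see why the note insists on inserting AND before NOT.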

Granting Access to the Entire Network
The Entire Network resource represents all visible servers and services on your secure network. If policies allow connections and access to this resource, Secure Access Client users can access these servers or services through an SSL virtual private network tunnel created between the client device and the network. The Entire Network resource is a built-in network resource, the properties of which cannot be edited or deleted. To control the conditions under which the Entire Network resource is accessed, you must create access policies just as you do for all other types of resources. You can use the Entire Network resource to:
• Quickly set up your deployment and test access
• Provide unlimited access to a special class of user, such as administrators who need wide access for disaster recovery or emergency operations
• Provide open access by default and later develop policies that deny access to specified resources according to your security plan

The general steps involved in granting access to the Entire Network include:
1. Create an access policy for the Entire Network resource allowing access to selected users.
2. Create a connection policy allowing user connections.
3. Filter the policies according to the conditions or requirements you want to impose.

Because the Entire Network resource includes all visible servers on the network, take care to allow access to this resource only under the conditions you intend. Access to this resource is a powerful level of access.


Reviewing Policy Information with Policy Manager
Policy Manager enables you to search your policies by resource, users, and filters. You can use keywords for your searches. The search results can assist with quick policy planning, management, or troubleshooting. The following are only a sample of the types of information you can find quickly with Policy Manager:
• Find all the policies that affect a specified user or user group
• View all the policy settings that pertain to a specified resource
• List all policies that use a specified filter
• Find all policies that control the permission to log on

To search for policies and settings

1. Open Policy Manager by selecting Policies in the console and choosing Manage policies from Common Tasks.
2. Use a mixture of keywords in the Resource, User, and Filter text boxes and click Search. For example, to find every policy assigned to “All authenticated users,” type all in the User text box.
• By default all policies are shown when you open the Policy Manager. Clicking Clear at any time empties the search criteria boxes and returns to a view of all policies.
• Double-click a filter to open the filter’s properties. Double-click in any other column to open the policy’s properties.
• Click a column heading to sort results alphabetically by that column’s entries. Click the same column again to reverse the sort order.

Note: Policy Manager does not present information about the filtered results of policy control with live connecting clients, such as the resulting set of access permissions after endpoint analysis scans or continuous scans are taken into consideration.

156

Access Gateway Advanced Edition Administrator’s Guide

CHAPTER 10

Integrating Citrix Presentation Server

You can integrate Advanced Access Control and Citrix Presentation Server so that users can easily access all of their resources, including published applications, from a common interface. For example, you can embed a Citrix Access Platform site within the Access Interface. The Access Interface is a navigation page shipped with Advanced Access Control that can list available published applications alongside other available resources such as Web resources, file shares, and so on.

In addition, you can share information collected by Advanced Access Control to extend the policy-based access control capabilities of Citrix Presentation Server. By integrating Advanced Access Control filters within Citrix Presentation Server policies, you can control which published applications users can access and what they can do within those applications once they get access. This allows you to create Citrix Presentation Server policies to accommodate different access scenarios based on a variety of factors such as authentication strength, logon point, and client device information such as endpoint analysis. For example, you can include endpoint analysis information collected by Advanced Access Control within a Citrix Presentation Server policy to determine access to a published application. In addition, you can selectively enable client-side drive mapping, cut and paste functionality, and local printing based on the logon point used to access the published application.

The next section discusses the supported deployments as well as the procedures required to integrate Citrix Presentation Server and Advanced Access Control. If you are passing Advanced Access Control information into Citrix Presentation Server for policy evaluation, you must complete the following steps as well:
• Create one or more filters within Advanced Access Control. See “Creating Policy Filters” on page 149 for more information about creating filters.
• Create policies within Citrix Presentation Server that reference Advanced Access Control filters. See the Citrix Presentation Server Administrator’s Guide for more information about creating policies.


Note: Continuous scan filters, unlike regular policy filters, cannot be used by Citrix Presentation Server policies.

Linking from Advanced Access Control to Citrix Presentation Server
Complete the steps below to enable Citrix Presentation Server to allow connections from Advanced Access Control.
1. Ensure that published resources are assigned to the same user groups assigned to resources in the access server farm.
2. In Citrix Presentation Server:
• Enable Allow connections made through MetaFrame Secure Access Manager for each published resource. This option appears in the access control settings of the published resource properties.
• In each server's properties, select the option Trust requests sent to the XML Service.
3. Complete the steps required to integrate published applications within your deployment. Integration options include:
• Citrix Access Platform site created by Web Interface. Display published applications within a Citrix Access Platform site. For more information, see “Integrating Web Interface” on page 158.
• File type association. Documents are launched in an associated application running on a server in a Citrix Presentation Server farm. For more information, see “Configuring File Type Association” on page 163.
• Third-party portals. Embed a Citrix Access Platform site within a third-party portal such as Microsoft SharePoint. For more information, see “Integrating Third-Party Portals” on page 163.

Integrating Web Interface
Advanced Access Control provides several methods for integrating Citrix Access Platform sites created with Web Interface, including:
• Citrix Access Platform site embedded within the Access Interface. When the Access Interface is selected as the default home page, a Citrix Access Platform site is displayed alongside file shares and Web applications. You can also configure the Access Interface to display up to three Presentation Server sites in a separate tab.
• Citrix Access Platform site configured as the default home page for a logon point. Once logged on, users are presented the Citrix Access Platform site.

Note: Web Interface and its accompanying documentation are available for download from the Citrix Web site at www.citrix.com/.
To integrate a Citrix Access Platform site

This procedure requires that you use Version 4.2 of the Access Management Console to create and manage Citrix Access Platform sites integrated with Advanced Access Control. Version 4.0 of the console or command-line tool cannot be used to manage sites created with later versions of the console. In addition, once a Citrix Access Platform site is configured with the Advanced Access Control access method, users can access this site only through Advanced Access Control. Attempts to directly access the site are denied.

Complete the following steps in Advanced Access Control.
1. Configure Citrix Presentation Server to communicate with Advanced Access Control. See “Integrating Citrix Presentation Server” on page 157 for more information.
2. Create a Web resource for the Citrix Access Platform site with the following settings:
• Select Citrix Web Interface 4.2 or later as the application type
• Select the Publish for users in their list of resources check box
3. Specify the appropriate policy settings for the Web resource referencing the Citrix Access Platform site.
4. Provide access to the Citrix Access Platform site in one of the following ways:
• Display the Citrix Access Platform site as the default home page. Configure a logon point to display the application with the highest display priority as the home page. Then, configure the Citrix Access Platform site as the application with the highest priority.
• Embed a Citrix Access Platform site within the Access Interface. Configure a logon point to display the Access Interface as the home page. The Citrix Access Platform site is embedded as a frame within the Access Interface.


See “Configuring Logon Points” on page 89 for more information.

In Web Interface, complete the following steps. For additional information about configuring Web Interface, see the Web Interface Administrator’s Guide.
1. Select Using Advanced Access Control when specifying an access method for the site.
2. Enter the URL of the Advanced Access Control authentication service.

In both Web Interface and Advanced Access Control, ensure the Workspace Control, Java Client fallback, and session time-out settings are configured properly. For more information, see “Coordinating Advanced Access Control and Web Interface Settings” on page 162.

Displaying Multiple Sites and Caching Credentials
You can embed multiple Citrix Access Platform sites within the Access Interface and cache the credentials used to log on to those sites. You can display up to three Access Platform sites as well as enable each site to “remember” and “forget” users’ logon credentials.

Using Multiple Access Platform Sites from the Access Interface
By enabling multiple Access Platform sites to display within the Access Interface, you can provide access to published applications from multiple Presentation Server farms. To enable Advanced Access Control to display these sites, you create and run a Visual Basic script that modifies the values of the CredentialCachingEnabled and MultipleWebInterfaceEnabled fields in the FarmSettings table of the configuration database. When you do this, the layout of the Access Interface changes to accommodate up to three sites. Access Platform sites appear in the Applications tab while Web email appears on the Email tab. File shares and published Web sites appear on the Home tab.

Using Credential Caching
When users log on to Advanced Access Control, their credentials are passed through to the Access Platform sites. If the credentials for Advanced Access Control match the credentials for the Access Platform site, users are automatically logged on to the site. Additionally, if Workspace Control is enabled at the logon point, published applications that were disconnected in the previous session are automatically reconnected. If these credentials differ, users are prompted to provide the correct credentials. After logging on, users can select the Remember my logon check box to avoid re-entering their Access Platform site credentials. Users can also delete their cached credentials by clicking the Forget My Logon icon.


Note: If users choose to store credentials for an Access Platform site and their credentials for logging on to Advanced Access Control are later changed, Advanced Access Control automatically deletes the stored credentials the next time the users log on. The users are then prompted to re-enter their credentials for the Access Platform site.

When you enable credential caching, Advanced Access Control stores the Access Platform site credentials in the UserData table in the configuration database. When a user logs on, the Web proxy reads the encrypted credentials from the configuration database and forwards them to the Citrix Access Platform site. If credential caching is disabled or the cached credentials for the site are incorrect, users are prompted to enter the correct credentials to log on to the Access Platform site.

Preserving Workspace Control
When users log on to Advanced Access Control, the credentials they enter are used to provide Workspace Control with the Presentation Server farms specified in the access server farm properties. If users enter one set of credentials to log on to Advanced Access Control and a different set of credentials to log on to the Access Platform site, they may not be able to disconnect or reconnect their applications when you enable multiple sites to be displayed. To preserve Workspace Control for users with differing sets of credentials, you perform the following tasks:
• Associate each Citrix Access Platform site with its corresponding farm configured in Advanced Access Control.
• Define a Secure Ticket Authority (STA) so the Access Gateway can authenticate users to the farm. For more information about defining the STA, see “Configuring Authentication with Citrix Presentation Server” on page 100.

To enable the display of multiple Citrix Access Platform sites and enable credential caching

1. On the Advanced Access Control server, create a .vbs file that contains the following script:

' Obtain the farm settings manager, read the current farm settings,
' turn on both features, and write the settings back.
Dim object
Dim farmsetting
Set object = WScript.CreateObject("Citrix.Msam.Amc.BusinessObjects.FarmSettingManager")
Set farmsetting = object.GetFarmSetting()
farmsetting.CredentialCachingEnabled = 1
farmsetting.MultipleWebInterfaceEnabled = 1
object.UpdateFarmSetting farmsetting

2. Save and close the file.
3. Double-click the file to run the script.

To associate a Citrix Access Platform site with the corresponding farm

Before you can associate an Access Platform site with a Presentation Server farm, you must configure the site as a Web resource and publish it for users to access from the Access Interface. If you do not select Publish for users in their list of resources when you configure the Access Platform site as a Web resource, the site is not available to associate with a Presentation Server farm.
1. In the console tree, select the access server farm node and click Edit farm properties in Common Tasks.
2. From the Presentation Server Farms page, select the farm and click Edit.
3. On the Web Interface page, select the site you want to associate with the farm.

To ensure Workspace Control functions for all users, you must define a STA in the gateway properties. For more information, see “Configuring Authentication with Citrix Presentation Server” on page 100.

Coordinating Advanced Access Control and Web Interface Settings
Certain Citrix Presentation Server settings are available for configuration within Advanced Access Control and Web Interface. However, because a Citrix Access Platform site integrated with Advanced Access Control can be referenced by more than one logon point, it is possible for one logon point to embed a Citrix Access Platform site within its Access Interface page while another logon point displays the site as its default home page. This can cause conflicts with certain published application settings. To ensure your settings work as intended, follow the instructions below.
• Workspace Control. Disable all Advanced Access Control Workspace Control settings for all logon points that have a Citrix Access Platform site as their home page. This ensures that the settings configured within Web Interface are used. All other logon points can have Workspace Control configured as desired.
• Java Client Fallback. Ensure that logon points using the Access Interface as their home page have the same Java Client fallback settings as the Citrix Access Platform site.
• Session time-out. Ensure all logon points use the same settings as the Citrix Access Platform site.

Configuring File Type Association
When file type association is allowed, users opening a document launch it in an associated application running on servers in Citrix Presentation Server farms. For example, if a user opens a document within a file share configured with file type association, the document opens within a published application. File type association is available to Web resources, file shares, and Web-based email.
To configure file type association for file shares, Web resources, and Web-based email

Before you configure file type association, verify that published application settings in Citrix Presentation Server specify the associations you want. For example, if you want a published application to be launched for users when they open a bitmap image (.bmp) file, make sure that the application’s settings associate it with .bmp files.
1. Configure Citrix Presentation Server to communicate with Advanced Access Control. See “Integrating Citrix Presentation Server” on page 157 for more information.
2. Specify the farm(s) you want to link to your access server farm. See “Specifying Server Farms” on page 85 for more information.
3. Specify the Citrix Presentation Server farms available to the logon point. See “Configuring Logon Points” on page 89 for more information.
4. Create an access policy for the file share, Web resource, or Web-based email application and enable and allow the File Type Association action control. See “Configuring Policy Settings to Control User Actions” on page 137 for more information.

Integrating Third-Party Portals
You can incorporate a Citrix Access Platform site into a third-party portal such as SharePoint to provide convenient access to published applications next to other Web applications and content. You can integrate Advanced Access Control within this deployment to provide granular policy-based control over files, Web content and applications, and published applications.


Important: Web Interface for Microsoft SharePoint is a Web Part that allows the integration of a Web Interface within SharePoint. For more information about Web Interface for Microsoft SharePoint, see the Citrix Web site. Generic third-party portals must support the display of IFRAME-based Web content to properly integrate a Citrix Access Platform site.
To display a Citrix Access Platform site in a portal

1. Configure Citrix Presentation Server to communicate with Advanced Access Control. See “Integrating Citrix Presentation Server” on page 157 for more information.
2. Create a Web resource for the Citrix Access Platform site with the following settings:
• When integrating with SharePoint, select the SharePoint with Web Interface Web Part application type
• When integrating with a generic third-party portal, select the Citrix Web Interface 4.2 or later application type
3. Enable the Publish for users in their list of resources check box.
4. Specify the appropriate policy settings for the Web resource referencing the Citrix Access Platform site.
5. Create a Web resource for the SharePoint site or third-party portal containing the Citrix Access Platform site and specify the appropriate policy settings.
6. In Web Interface, configure a Citrix Access Platform site to use Advanced Access Control as its access method by:
A. Selecting Using Advanced Access Control when specifying an access method for the site
B. Entering the URL of the Advanced Access Control authentication service
7. In both Web Interface and Advanced Access Control, ensure the Workspace Control, Java Client fallback, and session time-out settings are configured properly. For more information, see “Coordinating Advanced Access Control and Web Interface Settings” on page 162.

CHAPTER 11

Verifying Requirements on Client Devices

Endpoint analysis is a process that scans a client device and detects information such as the presence and version level of operating system, antivirus, firewall, or browser software. Use endpoint analysis to verify that the client device meets your requirements before allowing it to connect to your network. You can monitor files, processes, and registry entries on the client device throughout the user session to ensure that the device continues to meet requirements. You can use two types of scans:
• Endpoint analysis scans detect information about the client device, such as the presence and version level of operating system, antivirus, firewall, or browser software. This information can be included as a filter within an access policy or a connection policy. Endpoint analysis scans are run once, during logon.
• Continuous scans are scans of the client device that occur repeatedly throughout the session to ensure that the client device continues to meet requirements. The feature prevents, for example, users from changing the status of a client device requirement after establishing the connection. Types of continuous scans include file scans, process scans, and registry scans. For more information, see “Creating Continuous Scans” on page 178.

You can incorporate detected information into policies, enabling you to grant different levels of access based upon the client device. For example, you can provide full access with download permission to users who connect from the field using corporate laptops that are up-to-date with antivirus and firewall software requirements. For users connecting from kiosks or untrusted home computers, you can provide a more restricted level of access that allows previewing documents only or editing the documents on remote servers without downloading them.

Endpoint analysis performs these basic steps:
• Examines an initial set of information about the client device to determine which scans to apply
• Runs all applicable scans
• Compares property values detected on the client device against desired property values listed in your configured scans
• Produces an output verifying if desired property values are found

When a user tries to connect through a logon point, endpoint analysis checks the scans that are filtered for the logon point. All scans with conditions met by the client device are run on the client device using the Endpoint Analysis Client software. These scans return results (called scan outputs) of detected information or True or False results of required property values.

Note: The Citrix Scans for Macintosh and Citrix Scans for Browser Type do not require that the Endpoint Analysis Client software run on the client device. These scans can gather their results from information provided to the server from the client device directly, without using Endpoint Analysis Client software.

Note that scans with conditions not matching the client device do not run on the client device; however, even these scans receive a default output defined by the scan package, such as False. Endpoint analysis completes before the user session consumes a license.
To configure endpoint analysis

Follow these general steps to configure endpoint analysis:
1. Identify the scan packages that check the properties you want to verify.
2. Create scans, configuring the conditions under which they run and the properties they verify.
3. Add additional rules if you want a scan to apply to multiple scenarios.
4. Use scan outputs in policies when you configure policy filters.
5. Deploy client software to users.

You can log endpoint analysis events through the system Event Viewer. For more information about auditing such events, see “Auditing Access to Corporate Resources” on page 225.

Creating Endpoint Analysis Scans
Scans verify specific properties of client devices connecting to your network, such as the installed version of an antivirus software product or verification that the machine belongs to a required domain.


Scans have rules that define when the scan is applied to a client device. Each rule includes a set of conditions, which are required attributes of the client device that must all be met for the scan to be applied. Creating a scan includes defining the prerequisite conditions under which the scan runs and configuring the properties to verify.

Note: For detailed information about the configurable properties of a specific scan, see the “Scan Properties Reference” on page 239.
To create a scan

1. In the console tree, select the scan package for the properties you want to scan.
2. From the Common Tasks area, click Create scan.
3. Name the scan.
4. Select the conditions that will define when the scan runs.
5. Provide a rule name for the set of conditions and properties you are configuring.
6. Select all acceptable values for each condition.
• The condition is met if the client device matches any of the values you select
• The wizard presents a separate page for each condition
7. Configure the property values to verify.
• For example, to verify that a minimum version of an antivirus program is running on the client device, enter the minimum version number.
• The wizard presents a separate page for each property value the scan verifies. If the scan verifies multiple property values, the client device must meet the requirements for all specified values.
• Version numbers follow the typical syntax for the specific product and require at least one decimal point; for example, 2.1 or 2.1.1.

For information about individual scan packages and the properties you can set for them, see “Scan Properties Reference” on page 239. After creating a scan, you can add more rules to make the scan apply to multiple user scenarios.


Using Scan Outputs to Filter Policies
You can use endpoint analysis scan outputs to filter policy enforcement. Filtering with scan outputs allows you to secure access to your network and resources based on properties of the client device, such as whether or not it is running required minimum levels of antivirus or firewall software.
To use a scan output in a policy

The following steps describe the general process for using scan outputs in policies.
1. Create a scan that verifies the properties you require.
2. Create a policy filter that uses the scan output from Step 1.
3. Create a policy and assign to it the filter you created in Step 2.

Steps 2 and 3 above can be combined in the policy wizard.

Using Scan Outputs to Filter Logon Page Visibility
You can use the scanned information you discover about the client device to filter users’ ability to see the logon page. For more information, see “Setting Conditions for Showing the Logon Page” on page 141.

Scan Packages
Scan packages enable you to create scans to verify the properties of a client device, such as the installed version of an antivirus software product. Each package is designed to verify specific properties or software products. Scan packages are listed in the console under the Endpoint Analysis node. You can view individual properties of a scan package in the console, including a description of its scan outputs. Look at the scan output descriptions when you want to know which information about the client device is retrieved or verified. A scan output can take two forms:
• Information about the client device. For example, the scan package Citrix Scans for Trend OfficeScan detects and retrieves a value that is the product version of Trend OfficeScan running on the client device, if any.
• A true/false Boolean verification indicating if the scan’s required property values were detected.

To view the scan outputs produced by a scan package

1. In the console tree, select the scan package.
2. From the details pane on the right, select Properties from the display menu. The scan output table describes each output produced by the package.

Adding Rules to Scans
Rules are sets of conditions that define when to apply a scan and which property values to check. Multiple rules can apply to a single scan. The first rule of a scan is defined when you create the scan. After creating the scan, you can add more rules to make the scan apply to multiple scenarios. For example, the same scan can check for version X of an antivirus program on devices running Windows NT-based operating systems. You can create a different rule to check for version Y of the same antivirus program on devices running earlier Windows operating systems.
To add a rule

1. Select the scan in the console tree and click Create rule in Common Tasks.
2. Follow the wizard prompts to define the rule’s name, condition settings, and property value settings.

Example: Adding Multiple Rules to a Scan

Assume that your network security policy is to prevent access to client devices unless they have Service Pack 4 installed for Windows 2000 and Service Pack 2 installed for any machines running Windows XP. You have an exception for employees in the Tokyo office, because the Tokyo IT department decided not to upgrade Windows XP to Service Pack 2 until further testing takes place. You can use the same scan with different rules to verify the correct service pack for all three of these scenarios. Your environment includes a logon point named “Tokyo” that is used by your Tokyo office users. Logon points apply settings to the connections that initiate through their URLs. The following steps create a scan that verifies these three service pack requirements.
1. Create a scan with the Citrix Scans for Windows Service Pack, selecting the Logon Point condition to configure.
2. Create the first rule during scan creation with these settings:
• Conditions: set the Operating system to Windows 2000 and set the Logon point to all
• Property value to verify: set the minimum required service pack to Service Pack 4
3. Add a second rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the Logon point to all except Tokyo
• Property value to verify: set the minimum required service pack to Service Pack 2
4. Add a third rule to the same scan with these settings:
• Conditions: set the Operating system to Windows XP and set the Logon point to Tokyo
• Required property value: set the minimum required service pack to Service Pack 1

Using Scan Outputs in Other Scans
You can use scan outputs as conditions in other scans. This feature allows you to make the result of one scan a condition for another scan to run.
To create conditions from scan outputs

You can create conditions from scan outputs in the following three ways:
• Select Endpoint Analysis or select a specific scan in the console tree and click Edit available conditions list in Common Tasks
• On the Select Conditions page of the Create Scan wizard, select Use Another Scan’s Output as a Condition
• Select a scan output in the Properties view for a specific scan and click Create condition

Example: Using a Scan Output as a Condition

Assume that you have two divisions, Sales and Finance, that are assigned their own domain. The Sales group requires all of its client devices connecting remotely to run Antivirus Program A, but the Finance group requires its client devices to run Antivirus Program B.


Follow the steps below to verify that these client devices are running the required antivirus program version.
1. Create two scans using Citrix Scans for Domain Membership:
• A Sales domain scan to verify that client devices belong to the Sales domain
• A Finance domain scan to verify that client devices belong to the Finance domain
2. Create a scan to check only Sales domain client devices for Antivirus Program A:
• On the Select Conditions page of the Create Scan wizard, select Use Another Scan’s Output as a Condition and follow the prompts to identify the scan output for the Sales domain scan you created in Step 1
• Use the scan output “Verified-domain” from the Sales domain scan as your new condition and require it to have a value of “True”
3. Create a scan to check only Finance domain client devices for Antivirus Program B:
• On the Select Conditions page of the Create Scan wizard, select Use Another Scan’s Output as a Condition and follow the prompts to identify the scan output for the Finance domain scan you created in Step 1
• Use the scan output “Verified-domain” from the Finance domain scan as your new condition and require it to have a value of “True”

You can use scan outputs in custom filters to achieve similar results for complex scenarios.
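As an added illustration, not Citrix code, the following Python model applies scan rules the way this chapter describes them: every condition of a rule must hold, a condition is met when the device matches any selected value, a scan none of whose rules match returns its default output, and one scan's output can serve as a condition of another. It encodes the Tokyo service pack rules and the Sales/Finance domain and antivirus scans above; the device attribute names, domain names, the "output:" condition prefix and first-matching-rule order are assumptions.

```python
from dataclasses import dataclass

ANY = object()  # sentinel: every possible value of the condition is selected


@dataclass
class Rule:
    name: str
    conditions: dict  # condition name -> set of acceptable values, or ANY
    required: dict    # property name -> ("min", value) or ("eq", value)


@dataclass
class Scan:
    name: str
    rules: list
    default_output: bool = False  # output when no rule applies (the page's example: False)


def condition_met(device, outputs, cond, allowed):
    """A condition is met if the device attribute, or the named output of an
    earlier scan, matches any of the selected values."""
    if allowed is ANY:
        return True
    if cond.startswith("output:"):  # assumption: 'output:<scan name>' names another scan's output
        value = outputs.get(cond[len("output:"):])
    else:
        value = device.get(cond)
    return value in allowed


def rule_applies(rule, device, outputs):
    """All conditions of a rule must be met for the rule to apply."""
    return all(condition_met(device, outputs, c, v) for c, v in rule.conditions.items())


def verify(rule, device):
    """The device must meet every required property value of the rule."""
    for prop, (op, want) in rule.required.items():
        have = device.get(prop)
        if have is None:
            return False
        if op == "min" and have < want:
            return False
        if op == "eq" and have != want:
            return False
    return True


def run_scan(scan, device, outputs):
    """Assumption: the first rule whose conditions match is applied; a scan
    none of whose rules match is not run and returns its default output."""
    for rule in scan.rules:
        if rule_applies(rule, device, outputs):
            return verify(rule, device)
    return scan.default_output


def run_all(scans, device):
    """Run scans in order so a later scan can use an earlier output as a condition."""
    outputs = {}
    for scan in scans:
        outputs[scan.name] = run_scan(scan, device, outputs)
    return outputs


LOGON_POINTS = {"Default", "Tokyo"}  # constructed: the farm's logon points

SERVICE_PACK = Scan("Windows Service Pack", [
    Rule("Windows 2000, all logon points",
         {"os": {"Windows 2000"}, "logon_point": ANY}, {"service_pack": ("min", 4)}),
    Rule("Windows XP, all except Tokyo",
         {"os": {"Windows XP"}, "logon_point": LOGON_POINTS - {"Tokyo"}}, {"service_pack": ("min", 2)}),
    Rule("Windows XP, Tokyo",
         {"os": {"Windows XP"}, "logon_point": {"Tokyo"}}, {"service_pack": ("min", 1)}),
])
SALES_DOMAIN = Scan("Sales domain", [Rule("all", {}, {"domain": ("eq", "sales.example")})])
FINANCE_DOMAIN = Scan("Finance domain", [Rule("all", {}, {"domain": ("eq", "finance.example")})])
ANTIVIRUS_A = Scan("Antivirus A", [
    Rule("Sales devices only", {"output:Sales domain": {True}}, {"antivirus": ("eq", "A")})])
ANTIVIRUS_B = Scan("Antivirus B", [
    Rule("Finance devices only", {"output:Finance domain": {True}}, {"antivirus": ("eq", "B")})])

ALL_SCANS = [SERVICE_PACK, SALES_DOMAIN, FINANCE_DOMAIN, ANTIVIRUS_A, ANTIVIRUS_B]


def evaluate(device):
    """Scan outputs for one constructed client device, keyed by scan name."""
    return run_all(ALL_SCANS, device)


if __name__ == "__main__":
    tokyo_xp = {"os": "Windows XP", "logon_point": "Tokyo", "service_pack": 1,
                "domain": "sales.example", "antivirus": "A"}
    print(evaluate(tokyo_xp))
```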

Editing Conditions and Rules
Editing the Available Conditions
All rules for a scan share the scan’s list of available conditions. The available conditions are the conditions that you can configure for the scan’s rules. Interdependencies exist between the various rules and conditions of a scan. If you edit the list of available conditions, be aware of the following considerations:
• If you add to a scan’s list of available conditions, all existing rules for the scan receive the new condition with all possible values selected for use. To make sure you do not change the conditions of existing rules in unexpected ways, check the properties for the scan’s rules after you add to the list of available conditions.
• To remove a condition from a scan’s available conditions list, you must first remove all rules that use the condition or select all possible values for the condition in every rule that uses it.

Editing Rules
You can view all condition settings for a rule in the Properties display for the rule. For example, if you add to the conditions that are available for a scan, all existing rules of that scan receive the condition you added with all the settings selected. You might need to adjust the settings that are automatically copied to existing rules. To edit the condition settings for a rule, select the rule in the console tree and click Properties from the display menu in the details pane on the right.

Using Data Sets in Scans
Some scans reference a data set of values to compare against values detected on the client device. For example, you might require multiple operating system updates on the client device and need to verify that the entire set of updates is present. Such a list of required updates is an example of a data set. Data sets are stored in the farm database. You can create a data set by importing a comma-separated values (.csv) file or by entering individual values.

Lists
Lists are single-column data sets that indicate multiple required values for a single property. Scan packages that use lists include:
• Citrix Scans for Windows Update verifies that client devices are running all of the updates you list in a data set
• Citrix Scans for Internet Explorer Update verifies that client devices are running all of the updates you list in a data set

Maps
Maps, or double-column data sets, detect a value on the client device and map it to another value used in the scan.

Chapter 11

Verifying Requirements on Client Devices


For example, Citrix Scans for MAC Address detects the MAC address for each network interface card (NIC) or network adapter on the client device. The scans reference a double-column data set to map the address (the first column value) to a group name (the second column value). Scans use this mapping to verify the logical group to which the client device belongs.

Creating Data Sets
Follow the procedure below to create a named data set and then enter data into it. For a list (single-column data set), you can enter data manually or import it from a .csv file. For a map (double-column data set), you must import initial data from a .csv file.

Important: Data set values can be treated as case-sensitive, depending on the scan package using the data set. If you are using such a package, avoid creating conflicting entries that differ in case. For example, with the Citrix Scans for MAC Address package, it is possible to create an entry for the same address and map it to two different groups. One entry might map the address 00:50:8b:e8:f9:28 to the Finance group. Another entry can map the same address with different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results unreliable.
To create a data set

1. Select Endpoint Analysis in the console tree and click Manage data sets in Common Tasks.
2. Select New.
3. Enter a name for the new data set.
4. Enter data in one of the following two ways:
• Enter a path to a .csv file containing initial data to import. You must use this method to create a double-column set.
• Leave the file path blank to create an empty single-column data set. Add values by editing the data set after you create it.

You can edit an existing data set from the Data Sets dialog box. To open Data Sets, select Endpoint Analysis in the console tree and click Manage data sets in Common Tasks.
Example: Verifying a Set of Required Updates

This example describes the steps for creating a scan to verify that client devices are running required updates for Version 6.0 of Internet Explorer.

1. Use the Citrix Scans for Internet Explorer scan package to create a scan that verifies whether or not the client device is running Version 6.0 of Internet Explorer.

2. Create a single-column data set listing the Internet Explorer updates you require if the client device is running Version 6.0. Example values for such a data set might be KB834707, KB867232, and KB889293.

3. Use the Citrix Scans for Internet Explorer Update scan package to create a scan to check for your required updates on client devices running Internet Explorer Version 6.0.
A. On the Select Conditions page of the Create Scan wizard, click Use Another Scan’s Output as a Condition and identify the scan output that identifies product version from the scan you created in Step 1. In the Define Values dialog box, name this new condition and add the allowed value of 6.0.
B. When prompted for the property values of the required updates, select the data set you created in Step 2.

Adding Scan Packages
Each scan package is designed to examine a set of properties for a specific software product. You can expand the default set of scan packages by importing new ones. Citrix, partners, or developers in your organization can develop additional scan packages using the Endpoint Analysis Software Development Kit (SDK) available on your product CD or the Citrix Web site at www.citrix.com.
To import a scan package

1. In the console tree, select a scan group or Endpoint Analysis and click Import scan package in Common Tasks.
• If you want the package to appear in a scan group, you must select that scan group.
• If you select Endpoint Analysis during the import, the scan package does not appear under a scan group and appears directly under the Endpoint Analysis node.

2. Browse to the scan package file and click OK.


Grouping Scans
Default scan groups for such categories as antivirus, firewall, and operating system software are provided in the console tree to help organize scan packages and their scans. Scan groups can help you find scan packages or scans more quickly. You can create and name your own groups. Scan groups exist to organize items within the console tree only and have no effect on how scans run. To create a scan group, select Endpoint Analysis in the console tree and click Create scan group in Common Tasks.

Adding Language Packs
A scan package developer can create language packs to expand the languages in which the package creates scans. For example, a developer can first develop a scan package for English and decide later to add language packs for French, German, or Spanish as development proceeds. Language packs are typically distributed as .cab files.
To import a language pack for a scan package

Select Endpoint Analysis in the console tree and click Import language pack in Common Tasks.

Scripting and Scheduling Scan Updates
Two command utilities are available to assist you in writing scripts or scheduling scan updates. You can run these utilities from a command prompt in the following default location on the server:
\\Program Files\Citrix\Access Gateway\MSAMExtensions\

Note: You must run discovery after using these utilities for the console to find and display the new values. The next two sections describe each utility.


Updating Property Values in Scans
You can use the CtxEpaParamUpdate utility to update the required property values for a scan. For example, if you require client devices to have a specified pattern version level of antivirus software, you can create a script to update the scan when you need to change which pattern file is being detected. This command is designed for use as a scheduled task on a server with the Access Management Console installed. Use the following syntax, including quotation marks:
"ctxepaparamupdate" package_uri package_version "scan_name" "rule_name" "param_name" "new_value"

where the parameters are:

package_uri: URI of the scan package to which the scan belongs. You can find the URI information for a scan package in the management console Properties view for the scan package.
package_version: Version of the scan package to which the scan belongs. You can find the version information for a scan package in the management console Properties view for the scan package.
scan_name: Name of the scan in which the property is set.
rule_name: Name of the rule in which the required property value is set.
param_name: Parameter name for the required value. You can find the parameter name and its current setting in the management console in the Properties view for the scan rule.
new_value: The new value. If the required property has a restricted value range, this new value must be within that range.

Example: To update a scan with the CtxEpaParamUpdate utility

Let us assume you want to update an existing scan from the scan package Citrix Scans for McAfee VirusScan Enterprise. To update the required engine version to 4.4 and the pattern version to 4641, type:

"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" "C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab" 1.0 "scan_name" "rule_name" "PatternVersion" "4641"

and also type:

"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" "C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab" 1.0 "scan_name" "rule_name" "EngineVersion" "4.4"

where scan_name and rule_name are the existing scan name and rule name. Because the package path contains spaces, it must be quoted as well.

Updating Data Sets
You can use CtxEpaDataSetUpdate to script or schedule updates to data sets. For example, you might prefer to create your own script to automate a task such as updating the pattern file number required for an antivirus program. Use the following command options (switches) with this utility:

/import: Creates a new data set by importing a .csv file
  Syntax: ctxepadatasetupdate /import file_name.csv dataset_name

/reimport: Replaces all contents of an existing data set by importing a new .csv file
  Syntax: ctxepadatasetupdate /reimport file_name.csv dataset_name

/export: Exports the data set in a .csv file
  Syntax: ctxepadatasetupdate /export file_name.csv dataset_name

/destroy: Deletes the data set
  Syntax: ctxepadatasetupdate /destroy dataset_name

/add: Adds an additional value to the specified data set
  Syntax: ctxepadatasetupdate /add dataset_name key [value]

/overwrite: Replaces an entry in a mapping (double-column) data set
  Syntax: ctxepadatasetupdate /overwrite dataset_name key value

/remove: Deletes an entry in a data set
  Syntax: ctxepadatasetupdate /remove dataset_name key

Use the following parameters in the command options above:

file_name.csv: The name of the .csv file that contains the data set
dataset_name: The name for the data set
key: If the data set is a list (single-column data set), this is a value in the list. If the data set is a map (double-column data set), this is the first column value.
value: If the data set is a map (double-column data set), this is the second column value. If the data set is a list (single-column data set), this parameter does not exist.


For more information about data sets, see “Using Data Sets in Scans” on page 172.
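As an added example (not part of this guide or of the product), the following Python script checks a MAC-address map .csv for the case-conflicting entries warned about under “Creating Data Sets”, writes a cleaned copy, and builds the ctxepadatasetupdate /reimport command line from the switch table above. The sample .csv, the data set name MacGroups and the output file name are constructed for the example; the utility path is the default location given in this guide.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Default install location of the utility on the server, as given in this guide.
CTXEPA_DATASET_UPDATE = r"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\ctxepadatasetupdate.exe"

# MAC address in the colon-separated form used by the guide's example (00:50:8b:e8:f9:28).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed sample map (address,group): lines 1-2 differ only in letter case and map
# the same address to two groups; line 4 repeats line 3 with the same group (harmless);
# line 5 uses a delimiter the scan package's example form does not.
SAMPLE_CSV = (
    "00:50:8b:e8:f9:28,Finance\n"
    "00:50:8B:E8:F9:28,Sales\n"
    "00:0c:29:12:34:56,Finance\n"
    "00:0C:29:12:34:56,Finance\n"
    "00-11-22-33-44-55,Sales\n"
)


def parse_mac_map(csv_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a two-column address,group map and report problems.

    Addresses are normalised to lower case so entries that differ only in letter
    case collapse to one key. An address mapped to two different groups is a
    conflict: it is reported and dropped from the returned map, because a scan
    package that compares case-sensitively could return either group.
    """
    seen: Dict[str, str] = {}
    conflicts = set()
    problems: List[str] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        addr, group = row[0].strip(), row[1].strip()
        if not MAC_RE.match(addr):
            problems.append(f"line {lineno}: malformed MAC address {addr!r}")
            continue
        key = addr.lower()
        previous = seen.get(key)
        if previous is None:
            seen[key] = group
        elif previous != group:
            conflicts.add(key)
            problems.append(
                f"line {lineno}: {addr} already mapped to {previous!r}, now {group!r}"
            )
    clean = {k: v for k, v in seen.items() if k not in conflicts}
    return clean, problems


def to_csv(mapping: Dict[str, str]) -> str:
    """Serialise the cleaned map in the two-column form the utility imports."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for addr in sorted(mapping):
        writer.writerow([addr, mapping[addr]])
    return buf.getvalue()


def reimport_command(csv_path: str, dataset_name: str) -> List[str]:
    """argv that replaces a data set's contents with the cleaned file (the
    /reimport switch from the table above); pass it to subprocess.run on the server."""
    return [CTXEPA_DATASET_UPDATE, "/reimport", csv_path, dataset_name]


if __name__ == "__main__":
    clean_map, found = parse_mac_map(SAMPLE_CSV)
    for problem in found:
        print("problem:", problem)
    with open("mac_groups_clean.csv", "w", newline="") as out:
        out.write(to_csv(clean_map))
    print(" ".join(reimport_command("mac_groups_clean.csv", "MacGroups")))
```

Remember to run discovery afterwards, as the note above states, so the console shows the reimported values.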
To locate official parameter names in scans

You can find parameter names from the scan properties in the console.
1. In the console tree select a rule associated with the scan and choose the Properties view in the right details pane.
2. Select the row that displays the property and look in the Parameter Name column.

Creating Continuous Scans
Continuous scans verify required files, processes, or registry entries on client devices connecting to your network. These scans run repeatedly during the user session to ensure that the client device continues to meet your requirements. You use continuous scans to define requirements for connection policies. If a file, process, or registry scan required by a connection policy ceases to be verified, the connection is disconnected. Each continuous scan checks a single file, process, or registry entry on the client device. You can bundle multiple scans together when you create a continuous scan filter. When assigned to a connection policy, the filter represents the requirements that are checked continuously during a connection. Unlike continuous scan filters, other filters attached to policies verify their requirements only at logon.
To create a file scan

1. In the console tree, select Policies > Continuous Scans > File Scans and click Create file scan from Common Tasks.
2. Name the scan.
3. Enter the file path.
4. Enter the following optional information you can require the scan to find:
• For Date on or after, enter a date to be verified against the file’s creation date.
• The MD5 digital signature is added automatically from the entered file path. You can modify this value if a different signature is required on the client device. Because the MD5 signature for an executable file can differ among different machine platforms, verify that the signature you enter is used by your client devices.
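A file scan combines a path, an optional Date on or after, and an MD5 signature. The following Python code is an added example, not part of this guide or the product: it reproduces that evaluation so you can compute the MD5 of each client platform’s build of a file and check it against the set of signatures you intend to enter. The function names, the ISO date format and the temporary sample file are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from typing import Optional, Set


def md5_of_file(path: str) -> str:
    """MD5 of the file contents as lower-case hex, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_scan_passes(path: str, allowed_md5: Set[str],
                     date_on_or_after: Optional[str] = None) -> bool:
    """Evaluate one file scan the way the three settings above combine.

    allowed_md5 may hold several signatures, one per client platform build of
    the same executable (the guide notes these differ); an empty set skips the
    signature check, as a blank signature does. date_on_or_after is an ISO date
    (YYYY-MM-DD) compared against the file's creation time; note that
    os.path.getctime is creation time on Windows but metadata-change time on
    Unix-like systems.
    """
    if not os.path.isfile(path):
        return False
    if date_on_or_after is not None:
        created = datetime.fromtimestamp(os.path.getctime(path))
        if created < datetime.fromisoformat(date_on_or_after):
            return False
    if allowed_md5:
        wanted = {sig.lower() for sig in allowed_md5}
        if md5_of_file(path) not in wanted:
            return False
    return True


def make_sample_file(content: bytes) -> str:
    """Write constructed content to a temporary file and return its path (demo only)."""
    handle, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(handle, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"hello")
    print(md5_of_file(sample))  # 5d41402abc4b2a76b9719d911017c592
    # Signature entered in upper case still matches: the comparison is case-insensitive.
    print(file_scan_passes(sample, {"5D41402ABC4B2A76B9719D911017C592"}, "2000-01-01"))
```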

To create a process scan

1. In the console tree, select Policies > Continuous Scans > Process Scans and click Create process scan from Common Tasks.
2. Name the scan.
3. Type the name or browse to the process.
4. The MD5 digital signature is added automatically from the entered file path. You can modify this value if a different signature is required on the client device. The MD5 digital signature is not required and can be left blank. Because the MD5 signature for an executable file can differ among different machine platforms, verify that the signature you enter is used by your client devices.

To create a registry scan

1. In the console tree, select Policies > Continuous Scans > Registry Scans and click Create registry scan from Common Tasks.
2. Name the scan.
3. Type the Registry path, Registry type, Entry name, and Entry value.


Chapter 12

Providing Secure Access to Corporate Email

Use Advanced Access Control to provide policy-based access to data on internal servers, including email servers. When you configure your content aggregation point—your intranet or corporate portal—you can provide your users with secure access to their email accounts. Using access policies, you can determine what level of access to give users and then what actions users can take after they are granted access. With Advanced Access Control, you can:
• Integrate the email solution you are already using with the secure remote access Advanced Access Control provides. For example, if you are already using Microsoft Outlook Web Access or Lotus iNotes/Domino Web Access to allow users to access their email over the Web, you can integrate either of those front ends with a content aggregation point such as your intranet or corporate portal. Users then get remote access to their email from this aggregation point, whether you decide to use the Access Interface provided with Advanced Access Control or another portal solution you have in place. If you do not already use Outlook Web Access or iNotes/Domino Web Access to allow your users to access their email over the Web, you can use the Web-based email interface provided with Advanced Access Control.
• Provide access to any email applications you publish with Citrix Presentation Server. You can include the links to published applications in a Presentation Server Web site.
• Provide users with the ability to securely connect to their email accounts on Microsoft Exchange or Lotus Notes/Domino servers. Users can access all email functions as well as synchronize their email data to their client devices for offline use.
• Provide users of small form factor devices, such as Personal Digital Assistants (PDAs), with secure remote access to email.
• Allow users to attach files stored on network shares to email messages without having to download the file to their local client device.


Similar to other resources accessible through Advanced Access Control, you control access to email through policies. For example, you can create a policy to grant specific user groups access to Web-based email and create another policy to prevent specific user groups from synchronizing the data in their email accounts to their client devices. Additionally, you can create a policy that allows a specific user group to download attachments they receive using Web-based email and another policy that prevents a different user group from performing this action.

Note: If recipients access their email through Advanced Access Control and it contains an embedded link to a file share or Web resource, a policy allowing the recipients access to that resource is also required. However, if the email is sent to recipients not using Advanced Access Control to access their email, no additional permissions are required. These users can view the attachment without policy restrictions.

Choosing an Email Solution
To decide which email solution to provide, look at what type of access your users need, what resources you already have in use in your network, and how much control you want to have over user actions after they are granted access. For example, if you want to allow users to securely access their email accounts over the Internet and you are already using Outlook Web Access, you can integrate the Outlook Web Access interface into the Email tab of the Access Interface included with Advanced Access Control. Conversely, if you want to allow remote access to email and are not already using a Web front-end to your email servers, you can use the Web-based email interface included with Advanced Access Control. The following table lists the types of access to email and what you should consider when deciding whether or not to choose each option. For information about the minimum requirements for each email solution presented in this chapter, see “Feature Requirements” on page 46.


Web-based email with Outlook Web Access or iNotes/Domino Web Access
  Client device requirements: Compatible browser; see product documentation for additional requirements
  Server requirements: Email server (Microsoft Exchange or Lotus Notes/Domino)
  Small form factor support: No
  Policy enforcement when accessing file attachments: Yes

Web-based email with the Access Interface
  Client device requirements: Compatible browser only (no other client software required)
  Server requirements: Microsoft Exchange (Notes/Domino not supported in this configuration)
  Small form factor support: Yes
  Policy enforcement when accessing file attachments: Yes

Synchronization of email data to client devices
  Client device requirements: Email software (Microsoft Outlook or Lotus Notes) and Secure Access Client
  Server requirements: Email server (Microsoft Exchange or Lotus Notes/Domino)
  Small form factor support: No
  Policy enforcement when accessing file attachments: No

Email application published with Citrix Presentation Server
  Client device requirements: Presentation Server Client
  Server requirements: Citrix Presentation Server
  Small form factor support: No
  Policy enforcement when accessing file attachments: No

Providing Access to Published Email Applications
If you are using Citrix Presentation Server to provide access to email applications published on internal servers, you can easily integrate access to these applications with your Advanced Access Control deployment. Providing access to email through published applications extends the SmartAccess capabilities of Advanced Access Control to Presentation Server by incorporating Advanced Access Control policy information such as endpoint analysis within Presentation Server policies. In addition, requiring users to access email by launching applications published with Presentation Server is the most secure method of providing email access because data never leaves the corporate network.

Note: You can combine email access methods if you want to provide more than one method of remote access. For example, in addition to providing access to published email applications, you can also configure a Web-based email solution.
To provide access to published email applications

1. Publish and configure your email application for SmartAccess in Presentation Server.
2. Configure a Presentation Server Web site.

Providing Users with Secure Web-Based Email
With Advanced Access Control, you can provide access to email accounts using the following Web-based interfaces.
• The Web-based email interface included with Advanced Access Control allows users to access email accounts on Microsoft Exchange servers. Users do not need to download or install client software to access their email using this interface; they need to run only a supported browser. Additionally, the Web-based email user interface included with Advanced Access Control is the only way to provide Web-based email access to PDAs and other small form factor devices.
• Microsoft Outlook Web Access allows users to access email accounts on Microsoft Exchange servers.
• Lotus iNotes/Domino Web Access allows users to access email accounts on Lotus Notes/Domino servers.

Important: Advanced Access Control supports one back-end cluster—Notes/Domino or Exchange—per access server farm. However, you can configure multiple Outlook Web Access servers when using Exchange or multiple iNotes/Domino Web Access servers when using Lotus Notes/Domino.

If you are using a portal solution, you can integrate the Web-based email interface included with Advanced Access Control with these portal products. See “Integrating Web-Based Email Access with a Third-Party Portal” on page 187 for more information.

When you configure Web-based email access, users access their email from the Email tab on the Access Interface. If you prefer, you can configure Advanced Access Control so that the Web-based email interface is the default interface users see when they log on to Advanced Access Control. See “Configuring Logon Points” on page 89 for more information about how to achieve this configuration.

Enabling Access to Web-Based Email
The basic steps to follow to enable access to Web-based email are:
• Configure Web-based email in Advanced Access Control
• Create policies to allow access to the email resource


Each of these steps is discussed in more detail below.
To configure Web-based email for Microsoft Exchange

Use the following procedure to allow users to send and receive Web-based email with Microsoft Exchange.
1. In the console tree, select Web Email and click Configure Web email in Common Tasks.
2. Select Microsoft Exchange.
3. Select the Enable Web-based access check box.
4. Select one of the following Web-based interfaces:
• Email interface included with Advanced Access Control. Allows access to email without the need for users to download or install client software; they need to run only a supported browser.
  • Specify the IP address, FQDN, or NetBIOS name of your Microsoft Exchange server.
  • Display email as HTML to support advanced text formatting features including numbering, bullets, alignment, and linking to file shares and Web pages. Only enable this option when email messages originate from trusted sources within your corporate network.

Caution: If email messages originate from outside your corporate network, configure Web email to display messages in plain text. Failure to do so may expose your Advanced Access Control servers and client devices to attacks using embedded malicious code within HTML-formatted messages. Displaying messages as plain text mitigates these types of attacks. Therefore, Citrix recommends configuring Web email to display messages in plain text when any email messages originate from outside your corporate network.

• Use Microsoft Outlook Web Access. Allows access to email using Outlook Web Access.
  • Specify the application’s start page as well as the URLs for which the application requires access. The start page should resemble http://servername/exchange, where servername is the IP address, FQDN, or NetBIOS name of your Exchange server. If you use a load balancer to manage Outlook Web Access servers, enter the URL of the load balancer as the start page and add the Outlook Web Access servers as URLs accessible by the application.

Note: To allow access to an entire server, add http://servername to the URL list, where servername is the IP address, FQDN, or NetBIOS name of your Exchange server. This configuration is useful when providing access to dedicated Microsoft Exchange servers.

  • Enable the interface common for all browser types option to suppress the presentation of browser-specific ActiveX controls and other advanced display types. Citrix recommends this option if you have users who cannot download ActiveX controls or who use a variety of browser versions.

Note: Citrix recommends that you first test your Web-based email application with this option disabled. If your testing reveals that the application displays improperly, enable this option and verify that the issue no longer exists.
To configure Web-based Email for Lotus Notes/Domino

Use the following procedure to allow users to send and receive Web-based email with Lotus Notes/Domino.
1. In the console tree, select Web Email and click Configure Web email in Common Tasks.
2. Select Lotus Notes/Domino or other email applications.
3. Select Enable Web-based access.
4. Specify the application’s start page as well as URLs for which the application requires access. If you use a load balancer to manage iNotes servers, enter the URL of the load balancer as the start page and add the iNotes servers as URLs accessible by the application. You can use dynamic token replacement to accommodate explicit links to individual user database files. For example, enter http://servername/mail/#<username>.nsf, where servername is the NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server and the username token is replaced with the user’s user name obtained from Active Directory or Windows NT Directory Services. For a complete list of tokens supported by Advanced Access Control, see “Using Dynamic System Tokens” on page 128.


Note: To allow access to an entire server, add http://servername to the URL list, where servername is the IP address, FQDN, or NetBIOS name of your Lotus Notes/Domino server. This configuration is useful when providing access to dedicated Lotus Notes/Domino servers.

5. Enable the interface common for all browser types option to suppress the presentation of browser-specific ActiveX controls and other advanced display types. Citrix recommends this option if you have users who cannot download ActiveX controls or who use a variety of browser versions.

Note: Citrix recommends that you first test your Web-based email application with this option disabled. If your testing reveals that the application displays improperly, enable this option and verify that the issue no longer exists.

6. Select the appropriate version of Lotus iNotes/Domino Web Access from the available email application types.

When you are done configuring Web-based email, you must create a policy that allows users to access email. To allow user access to email, create a policy following the steps in “Creating Access Policies” on page 135.

Note: For a recipient to access an email attachment through Advanced Access Control, an email policy that enables at least one of the following for the recipient is required: download, HTML Preview, or Live Edit. Web-based email attachments cannot be accessed through file type association.

Integrating Web-Based Email Access with a Third-Party Portal
If you are using the Web-based email interface included with Advanced Access Control to provide users with access to their email, you can integrate this interface into any portal solution. For example, if you are using Microsoft SharePoint as your corporate portal or information aggregation point, you can display the Web-based email interface included with Advanced Access Control in the SharePoint portal.

To integrate the Web-based email interface with a third-party portal

1. Configure the Web-based email interface included with Advanced Access Control. See “Providing Users with Secure Web-Based Email” on page 184 for instructions about how to do this.
2. Configure your portal product’s Web site viewer to display the Web-based email interface at http://servername/citrixfei/classic.asp, where servername is the name of a Web server running Advanced Access Control.

Providing Users with Secure Access to Email Accounts
Use Advanced Access Control to allow users to securely access their email accounts on Microsoft Exchange servers or Lotus Notes/Domino servers.

Important: To securely connect to email accounts and synchronize email to client devices, users must have the Secure Access Client installed on their client device.

When you configure this feature, roaming workers—whether connected over the Web or within the enterprise—can securely connect to their email accounts on the Exchange or Lotus Notes/Domino server and synchronize their locally installed email application with the data stored on the corporate email server. This allows users to work with their calendars, tasks, and contacts in real time when working online, and then to synchronize their folders in preparation for working offline. Use this feature if you want remote users with laptops to be able to securely access and synchronize email as they move between office workstations, laptops, and home workstations.

Important: Advanced Access Control does not control access to any attachments users receive when they connect to their email accounts through the Secure Access Client. If you enable and configure the email synchronization feature, users can access any attachments they receive without policy-based restrictions.

The basic steps involved in allowing users to work with and synchronize their email accounts to their client devices are:
• Configure the email synchronization feature
• Create a policy to allow users to use the email synchronization feature
• Open the appropriate ports on the firewall between the Access Gateway and internal mail servers


Each of these steps is discussed in more detail below.
To configure email synchronization

1. In the console tree, select Email Synchronization and choose Configure email synchronization from Common Tasks.
2. Select Enable Email Synchronization.
3. Select the appropriate email server for your environment.
• If you select Microsoft Exchange, click New to enter the NetBIOS name, IP address, or FQDN of your Exchange server. Add additional Exchange servers if users will be connecting to more than one server. When you add an Exchange server, Advanced Access Control connects to the specified host and determines the secondary port required for Messaging Application Programming Interface (MAPI). Because this information is stored and not dynamically updated, consider configuring your Exchange servers so that all MAPI ports remain static. If you do not configure your Exchange servers this way, you will need to reconfigure email synchronization in Advanced Access Control each time the Exchange server restarts.
• If you select Lotus Notes/Domino, enter the NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server. Port 1352 is used by default. Modify the port if necessary.

Note: If you are using a TCP/IP-based email application other than Exchange or Notes/Domino, you can use network resources to provide the same level of functionality available with the email synchronization feature. For more information about configuring network resources, see “Creating Network Resources for VPN Access” on page 119.

When you are done configuring email synchronization, you must create a policy that allows users to access this resource.
To create a policy to allow email synchronization

Create a policy to allow users to synchronize their email data to their client devices following the steps in “Creating Access Policies” on page 135. When you are done creating a policy to allow users to synchronize their email data to their client devices, you must configure your firewall ports to allow users to connect.

To configure your firewall for email synchronization

1. Open your firewall application.
2. Set the port status as required for your environment. If the traffic between your email server and the Access Gateway is secured, the data runs over port 443.

Enabling Users to Attach Files to Web-Based Email
You can configure Advanced Access Control to allow users to attach documents to new email messages directly from Web resources and file shares. When you enable this feature, users can see and use the Send as attachment option from configured Web resources and file shares. In addition, users can send files as email attachments when using the Live Edit feature. When a user selects this option, the file is attached to the Web-based email interface configured for your environment.
To configure Web email to support sending email attachments

1. In the console tree, select Email and choose Configure Web email from Common Tasks.
2. On the Enable Web-based Email page, select the Enable Send as Attachments for file shares check box.
3. Additional configuration depends on the email application server selected.
   • Microsoft Exchange. Specify the NetBIOS name, IP address, or FQDN of your Microsoft Exchange server. Advanced Access Control uses the Microsoft Exchange server configuration information to determine the MAPI server.
   • Lotus Notes/Domino. Specify the name or IP address of the SMTP (Simple Mail Transfer Protocol) and LDAP (Lightweight Directory Access Protocol) servers.

Note: If you are using Notes/Domino servers, ensure SMTP port relay outbound restrictions do not prevent users outside of the corporate network from sending emails. For example, you can configure Notes/Domino servers to allow all authenticated users to send outgoing email. Refer to your Notes/Domino product documentation for additional information about configuring SMTP port relay outbound restrictions.


4. Create a file share policy permitting the emailing of files as attachments. For more information about the email as attachment permission, see “Allowing Email Attachments” on page 139.

Restricting File Attachment Types
The Web-based email interface included with Advanced Access Control provides two levels of security for file attachments. The first level of security includes file types blocked by Advanced Access Control. The second level of security includes file types that can be downloaded only to the user’s client device and cannot be accessed using HTML Preview, Live Edit, or file type association. The default file types included in each level of security are defined in the table below.

Level 1 (Blocked File Types):
.ade .adp .app .asx .bas .bat .chm .cmd .com .cpl .crt .csh .exe .fxp .hlp .hta .inf .ins .isp .js .jse .ksh .lnk .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .reg .scf .scr .sct .shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh

Level 2 (Download Only File Types):
.ade .adp .asx .bas .bat .chm .cmd .com .cpl .crt .dcr .dir .exe .hlp .hta .htm .html .htc .inf .ins .isp .js .jse .lnk .mda .mdb .mde .mdz .mht .mhtml .msc .msi .msp .mst .pcd .pif .plg .prf .reg .scf .scr .sct .shb .shs .shtm .shtml .spl .stm .swf .url .vb .vbe .vbs .wsc .wsf .wsh .xml

You can add and remove file types from either security level by using Registry Editor. If a file type is added to both levels, it is treated as a Level 1 file type.

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To modify file attachment type security lists

1. In Registry Editor, find the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MSAM\FEI\FileExt
2. Edit the NoActivations value to modify Level 1 (blocked) file types and the DownloadOnly value to modify Level 2 (download only) file types.


Note: New file types must be separated by a new line with no additional spaces and contain the preceding dot.
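As an added example (not code from the guide or from Citrix), the following Python script applies the two-level rule above to attachment file names: it parses NoActivations- and DownloadOnly-style lists in the newline-separated, leading-dot format the note requires, rejects malformed entries rather than skipping them, and classifies a name as blocked, download-only or allowed, treating a type present in both lists as Level 1. Case-insensitive matching, matching on the final extension only, and the shortened sample lists are assumptions, not behaviour the guide documents.

```python
"""Classify attachment file names against the two Advanced Access Control
security levels.  Added example, not code from the Citrix guide."""
import os
import re

# Constructed sample lists in the format the registry values use: one entry
# per line, leading dot, no extra spaces.  Shortened from the guide's defaults.
NO_ACTIVATIONS_SAMPLE = ".exe\n.bat\n.js\n.vbs\n.url\n"   # Level 1 (blocked)
DOWNLOAD_ONLY_SAMPLE = ".htm\n.html\n.xml\n.swf\n.js\n"    # Level 2 (download only)

BLOCKED = "blocked"              # Level 1: attachment is refused
DOWNLOAD_ONLY = "download-only"  # Level 2: no HTML Preview, Live Edit or file type association
ALLOWED = "allowed"              # in neither list

# One leading dot, then at least one character that is not a dot, whitespace
# or a character Windows forbids in file names.
_ENTRY_RE = re.compile(r'^\.[^.\s\\/:*?"<>|]+$')


def parse_extension_list(raw):
    """Parse a newline-separated list into a set of lower-cased extensions.

    A malformed entry raises instead of being skipped: an entry the product
    could not match would leave that file type unrestricted.
    """
    entries = set()
    for lineno, line in enumerate(raw.splitlines(), 1):
        if line == "":
            continue  # tolerate blank lines / trailing newline
        if not _ENTRY_RE.match(line):
            raise ValueError(f"line {lineno}: malformed entry {line!r} "
                             "(expected a leading dot and no spaces)")
        entries.add(line.lower())  # assumption: case-insensitive matching
    return entries


def classify_attachment(filename, blocked, download_only):
    """Return BLOCKED, DOWNLOAD_ONLY or ALLOWED for one file name.

    A type present in both lists is treated as Level 1, as the guide states.
    Only the final extension is compared (assumption), so "invoice.pdf.js"
    is judged on ".js".
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext in blocked:
        return BLOCKED
    if ext in download_only:
        return DOWNLOAD_ONLY
    return ALLOWED


def audit(filenames, raw_blocked=NO_ACTIVATIONS_SAMPLE,
          raw_download_only=DOWNLOAD_ONLY_SAMPLE):
    """Classify a batch of names; returns {name: level}."""
    blocked = parse_extension_list(raw_blocked)
    download_only = parse_extension_list(raw_download_only)
    return {name: classify_attachment(name, blocked, download_only)
            for name in filenames}


if __name__ == "__main__":
    sample = ["Q3.docx", "setup.EXE", "page.htm", "invoice.pdf.js", "README"]
    for name, level in audit(sample).items():
        print(f"{name:16} {level}")
```

Feeding the script the real NoActivations and DownloadOnly values exported from the registry key above is a quick way to confirm that every entry is in the format the note requires before the change goes live.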

Enabling Access to Email on Small Form Factor Devices
Using the Web-based email interface included with Advanced Access Control, you can provide email access to users of specific PDAs and other small form factor devices. For a list of supported small form factor devices, see “Client Requirements” on page 58. To allow users of small form factor devices to access their email, choose one of these options:
• Configure the Web-based email interface included with Advanced Access Control as the default Web-based email interface. If you configure the Advanced Access Control Web-based email interface as the default, all users access this interface for their Web-based email, regardless of the type of device from which they connect. See “Providing Users with Secure Web-Based Email” on page 184 for information about how to make the Advanced Access Control Web-based email interface the default interface.
• Configure the Web-based email interface included with Advanced Access Control to be displayed specifically to users connecting from small form factor devices. Use this configuration if you want users to see the Outlook Web Access interface when they connect from other device types. If you configure the Web-based email interface included with Advanced Access Control to be displayed specifically to users connecting from small form factor devices, the logon point detects that the connection is from a small form factor device and automatically presents the Advanced Access Control Web-based email interface. To configure the Web-based email interface included with Advanced Access Control to be displayed specifically to users connecting from small form factor devices, follow the instructions below.

Note: This feature is not available to Lotus iNotes/Domino Web Access users.


To configure the Web-based email interface for use with small form factor devices

When configuring Web-based access to Exchange as described in “Providing Users with Secure Web-Based Email” on page 148, select one of the following options:
• Email interface included with Advanced Access Control. Displays the email interface included with Advanced Access Control for all users, regardless of the connecting device's form factor. Advanced Access Control detects the form factor of the connecting device and presents the appropriate interface for that connection. For example, Advanced Access Control displays a small interface for users connecting with a small form factor device.
• Microsoft Outlook Web Access and enable the Provide support for small form factor devices feature. Advanced Access Control detects the form factor of the connecting device and displays the email interface included with Advanced Access Control for users connecting with small form factor devices. Microsoft Outlook Web Access is provided for standard form factor devices such as workstations and home computers.

Updating the Mapisvc.inf File
If you are using Microsoft Exchange 2000 and you want to use the default Email Interface, install Microsoft Exchange System Management Tools before you install Advanced Access Control. Then, update the mapisvc.inf file. If you are using Microsoft Exchange 2003, you do not need to change the mapisvc.inf file.
To update the mapisvc.inf file

1. Save a copy of the mapisvc.inf file.
2. Insert the following lines:

   [SERVICES]
   MSEMS=Microsoft Exchange Server

   [MSEMS]
   PR_DISPLAY_NAME=Microsoft Exchange Server
   Sections=MSEMS_MSMail_Section
   PR_SERVICE_DLL_NAME=emsui.dll
   PR_SERVICE_ENTRY_NAME=EMSCfg
   PR_RESOURCE_FLAGS=SERVICE_SINGLE_COPY
   WIZARD_ENTRY_NAME=EMSWizardEntry
   Providers=ems_dsa, ems_mdb_public, ems_mdb_private
   PR_SERVICE_SUPPORT_FILES=emsui.dll, emsabp.dll, emsmdb.dll

   [Default Services]
   MSEMS=Microsoft Exchange Server

   [EMS_MDB_public]
   PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
   PR_PROVIDER_DLL_NAME=EMSMDB.DLL
   PR_RESOURCE_FLAGS=STATUS_NO_DEFAULT_STORE
   66090003=06000000
   660A0003=03000000
   34140102=78b2fa70aff711cd9bc800aa002fc45a
   PR_DISPLAY_NAME=Public Folders
   PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store

   [EMS_MDB_private]
   PR_PROVIDER_DLL_NAME=EMSMDB.DLL
   PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
   PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITY|STATUS_DEFAULT_STORE|STATUS_PRIMARY_STORE
   66090003=0C000000
   660A0003=01000000
   34140102=5494A1C0297F101BA58708002B2A2517
   PR_DISPLAY_NAME=Private Folders
   PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store

   [EMS_DSA]
   PR_DISPLAY_NAME=Microsoft Exchange Directory Service
   PR_PROVIDER_DISPLAY=Microsoft Exchange Directory Service
   PR_PROVIDER_DLL_NAME=EMSABP.DLL
   PR_RESOURCE_TYPE=MAPI_AB_PROVIDER

   [MSEMS_MSMail_Section]
   UID=13DBB0C8AA05101A9BB000AA002FC45A
   66000003=01050000
   66010003=04000000
   66050003=03000000
   66040003=02000000

3. Restart the Access Gateway Server COM+ application. For more information, see “Restarting COM+ Applications” on page 216.
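As an added example (not code from the guide or from Citrix), the following Python script carries out steps 1 and 2 above for a mapisvc.inf that already lists other MAPI services: it keeps a copy of the file, then merges the required lines into any [SERVICES] and [Default Services] sections that already exist instead of appending a second copy of those headers, and never overwrites a key that is already present, so running it twice changes nothing. The merge-into-existing-sections behaviour, the .bak naming and the sample existing file in the usage note are assumptions; the key/value content is the block from step 2.

```python
"""Merge the required mapisvc.inf lines into an existing file without
duplicating section headers.  Added example, not code from the Citrix guide."""
import shutil

# The lines from step 2 of the procedure, as one INI-format string.
REQUIRED_MAPISVC = """\
[SERVICES]
MSEMS=Microsoft Exchange Server
[MSEMS]
PR_DISPLAY_NAME=Microsoft Exchange Server
Sections=MSEMS_MSMail_Section
PR_SERVICE_DLL_NAME=emsui.dll
PR_SERVICE_ENTRY_NAME=EMSCfg
PR_RESOURCE_FLAGS=SERVICE_SINGLE_COPY
WIZARD_ENTRY_NAME=EMSWizardEntry
Providers=ems_dsa, ems_mdb_public, ems_mdb_private
PR_SERVICE_SUPPORT_FILES=emsui.dll, emsabp.dll, emsmdb.dll
[Default Services]
MSEMS=Microsoft Exchange Server
[EMS_MDB_public]
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_FLAGS=STATUS_NO_DEFAULT_STORE
66090003=06000000
660A0003=03000000
34140102=78b2fa70aff711cd9bc800aa002fc45a
PR_DISPLAY_NAME=Public Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_MDB_private]
PR_PROVIDER_DLL_NAME=EMSMDB.DLL
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITY|STATUS_DEFAULT_STORE|STATUS_PRIMARY_STORE
66090003=0C000000
660A0003=01000000
34140102=5494A1C0297F101BA58708002B2A2517
PR_DISPLAY_NAME=Private Folders
PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store
[EMS_DSA]
PR_DISPLAY_NAME=Microsoft Exchange Directory Service
PR_PROVIDER_DISPLAY=Microsoft Exchange Directory Service
PR_PROVIDER_DLL_NAME=EMSABP.DLL
PR_RESOURCE_TYPE=MAPI_AB_PROVIDER
[MSEMS_MSMail_Section]
UID=13DBB0C8AA05101A9BB000AA002FC45A
66000003=01050000
66010003=04000000
66050003=03000000
66040003=02000000
"""


def parse_ini(text):
    """Order- and case-preserving parse into {section: {key: value}}.
    A repeated section header merges into the first occurrence and a
    repeated key keeps its first value (configparser would lower-case keys)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), value.strip())
    return sections


def merge_sections(existing, required):
    """Add missing sections and keys to a copy of `existing`; a key that is
    already present is left alone.  Returns (merged, ["section/key", ...])."""
    merged = {s: dict(kv) for s, kv in existing.items()}
    added = []
    for section, keys in required.items():
        target = merged.setdefault(section, {})
        for key, value in keys.items():
            if key not in target:
                target[key] = value
                added.append(f"{section}/{key}")
    return merged, added


def render_ini(sections):
    lines = []
    for section, keys in sections.items():
        lines.append(f"[{section}]")
        lines.extend(f"{k}={v}" for k, v in keys.items())
        lines.append("")
    return "\n".join(lines)


def update_mapisvc(path):
    """Step 1: keep a copy of the file (assumed name: path + '.bak').
    Step 2: merge the required lines.  Returns the keys that were added."""
    shutil.copyfile(path, path + ".bak")
    with open(path) as fh:
        existing = parse_ini(fh.read())
    merged, added = merge_sections(existing, parse_ini(REQUIRED_MAPISVC))
    with open(path, "w") as fh:
        fh.write(render_ini(merged))
    return added
```

Run `update_mapisvc(r"C:\path\to\mapisvc.inf")` on the server (placeholder path) and inspect the returned list: on a first run it names every key written; on a repeat run it is empty, which is the check that the file was not edited twice. Step 3, restarting the COM+ application, is still done by hand.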

Chapter 13

Rolling Out Advanced Access Control to Users

The last step in deployment is providing users with the information and tools necessary to access corporate resources. This process includes determining if your implementation requires the distribution of client software and if so, developing a strategy for deploying this software. In addition, training and other forms of communication detailing how your deployment impacts the workplace assist users as they transition to their new environment. The topics in this section discuss the issues to consider when developing an overall plan for rolling out Access Gateway Advanced Edition to users.
• “Developing a Client Software Deployment Strategy” on page 195
• “Managing Client Software Using the Access Client Package” on page 200
• “Downloading Client Software on Demand” on page 203
• “Ensuring a Smooth Logon Experience with the Secure Access Client” on page 205
• “Ensuring a Smooth Rollout” on page 208
• “Browser Security Considerations” on page 209
• “Customizing the Logon Error Message” on page 211

Developing a Client Software Deployment Strategy
Software deployment is the process of distributing and installing software on client devices. If your corporation already uses a software deployment solution, consider deploying Advanced Access Control clients using the same technique. However, if you need to develop a strategy, you must determine who is responsible for installing client software and then create a solution that supports this decision.


The following sections discuss issues to consider when determining who is responsible for installing client software as well as deployment methods supporting these use cases.

Determining Responsibility for Installing Client Software
There are several methods of deploying client software ranging from automated solutions that download and install the software from a centralized location to posting an installation package to a network share and instructing users to manually install the software on their client device. Before you can determine how to deploy client software, you must determine who is responsible for installing the software on the client device. Depending on your corporate needs, you, support personnel, users, or a combination thereof may be responsible for this task. This decision is a result of several factors including:
• User needs and administrative costs. Consider the needs of your users because their collective experience is critical to the adoption of access control in your corporation. If the needs of your users greatly outweigh the administrative costs associated with managing a deployment strategy, consider a plan that places the responsibility of installing client software on a team specializing in this area. Conversely, if the administrative costs associated with managing a deployment solution are too great for your organization, consider shifting this responsibility to individual users.
• The technical abilities of your users. If your user base is not technically savvy, consider installing the software for them. In this scenario, a support department such as IT or Technical Support is responsible for installing the software. When deciding whether or not users should be responsible for their own installations, consider the possible support issues as well. Depending on the technical abilities of your users, the support costs associated with users installing their own software could justify the implementation of a centrally managed deployment strategy. However, if your users are technically savvy, it may be more efficient for you to post the software to a network share and allow users to install the software from this location.
• Number of client devices in your corporation. Larger companies benefit from centrally managed deployment strategies because they tend to scale well and yield a higher return on investment as compared to manual solutions. For this reason, medium to larger sized corporations should consider using their Microsoft Active Directory infrastructure or a standard third party deployment tool such as Systems Management Server.


  However, for smaller companies, the costs associated with planning and preparing an automated deployment could outweigh the benefits. These companies should consider alternative deployment methods such as posting client software to a network share or an on-demand deployment solution. Both of these methods are described in detail in later sections.
• Corporate security requirements. If your corporation configures client devices so that users do not have installation rights on their machines, you must develop a strategy that allows someone with administrative rights to perform the installation. In this scenario, larger companies should consider a corporate deployment tool such as Systems Management Server. Smaller companies should consider posting client installation packages to a file share and having someone with administrative rights manually install the software on each client device.
• Corporate management practices. If your organization maintains strong centralized control over client software deployment—for example, if you use Microsoft Systems Management Server to help control software distribution—you can more reliably update client devices. Therefore, if your goal is to ensure that all users have the most up-to-date software, allowing them to install their own client software is not a recommended option. Rather, a team dedicated to maintaining client software should be responsible for ensuring client software is installed and updated properly.
• Cost factors. Consider the overall cost associated with each deployment option including planning, preparation, and training costs. In addition, determine if some of these costs are justifiable because of the return on investment over a period of time. For example, the return on investment of a centrally managed solution is usually much better than that of a manual solution over time.
• Access to client devices. If your corporation supports remote access scenarios such as using an Internet kiosk to check email, you will not have the ability to install client software on these devices before users access the corporate network. In these cases, consider an on-demand deployment strategy where you configure Advanced Access Control so that client software is automatically downloaded to the client device only when required. However, if access to client devices is readily available, consider deploying the client software prior to the user accessing Advanced Access Control.

Weigh all of these factors when determining who should be responsible for installing the client software on the client device. Then, select the deployment solution that makes the most sense for your corporation.


Supported Deployment Options
Advanced Access Control supports the following client deployment options:
• Integration with enterprise software deployment tools. Deploy client software using a Microsoft Active Directory infrastructure or a standard third party MSI deployment tool such as Systems Management Server. If you use a tool that supports Windows Installer packages, you can use the Access Client package to create a single installation package containing the Advanced Access Control clients required for your environment. Then, use your client deployment tool to deploy and install the software on the appropriate client devices. Advantages of using a centralized deployment tool include:
   • Ability to adhere to corporate security requirements. For example, you can install client software without enabling software installation privileges for non-administrative users.
   • Control over software versions. You can deploy an updated version of client software to all users simultaneously.
   • Scalability. Easily scales to support additional users.
   • Positive user experience. You can deploy, test, and troubleshoot installation-related issues without involving users in this process.
  Citrix recommends this option when administrative control over the installation of client software is preferred and access to client devices is readily available.
• Network share point. Post installation packages on a network share point. For example, you can use the Access Client package to create an installation package containing the clients required for your environment and post it to a network share. In addition, the Server CD contains installation packages for certain client software. Citrix recommends posting installation packages to a share point when software is manually installed on client devices. For example, you can post client software installation packages to an FTP site for remote users responsible for installing client software on their home computers.
• On demand. Configure the deployment of client software only when required. Users connect to their network and clients are automatically downloaded on an “as needed” basis. This option is preferable when access to client devices is not readily available such as an Internet kiosk.

You can combine deployment options to create your deployment strategy. For example, you can post installation packages on a network share point for users within the corporate network and also enable on-demand deployment of clients for those users connecting from an Internet kiosk. The table below summarizes the deployment options supported for each client.


Client Software | Supported by Access Client package | On-demand | Network Share Point
Secure Access Client | Yes | Yes | Yes
Endpoint Analysis Client | Yes | Yes | Yes
Live Edit Client | Yes | Yes | No
Client for Java | No | Yes | No
Web Client | Yes | Yes | No

Note: The Endpoint Analysis Client is available as a stand-alone MSI and EXE on the Server CD in the \Setup\EndpointAnalysisClient\lang directory. In addition, individual installation packages can be created for all client software components supported by Access Client package. For more information, see “Managing Client Software Using the Access Client Package” on page 200.

Determining Which Clients to Deploy
If your Advanced Access Control deployment does not require any client software on client devices, your deployment is considered to provide browser-only access. In this scenario, users need only a Web browser to access corporate resources. However, there are certain features that require client software on the user’s device. To determine if client software is required for your access strategy, use the matrix below. For additional information about feature-specific requirements, see “Feature Requirements” on page 46. For additional information about client software minimum requirements, see “Client Requirements” on page 58.

Note: Small form factor devices are not compatible with the Advanced Access Control client software. Therefore, features requiring client software are not available on small form factor devices.


Feature | Client Software | For more information, see...
Verifying requirements on client devices | Endpoint Analysis Client | “Verifying Requirements on Client Devices” on page 165
Convenient editing and saving of remote files | Live Edit Client | “Allowing Live Edit” on page 140
Access email accounts and synchronize email to client devices | Secure Access Client | “Providing Users with Secure Access to Email Accounts” on page 188
TCP access to services on corporate servers | Secure Access Client | “Creating Network Resources for VPN Access” on page 119
Accessing published applications through file type association | Citrix Presentation Server Client for Java or Web Client | “Configuring File Type Association” on page 163
Bypassing the Web proxy to access resources | Secure Access Client | “Bypassing URL Rewriting” on page 144

Managing Client Software Using the Access Client Package
If you decide that you will control the deployment of client software, consider using the Access Client package to create a Windows Installer package of specific client software. After creating the package, you can deploy it using your Microsoft Active Directory infrastructure or a standard third party MSI deployment tool such as Systems Management Server. The Access Client package contains a number of the client-side pieces of the Citrix Access Suite, allowing you to quickly and easily deploy and maintain the client-side software to your users using one convenient Windows Installer package. After you deploy your client software, you can update your installations simply by creating and deploying an updated installation package using the latest version of the Access Client package. The Access Client package is available in the Download section of the Citrix Web site, www.citrix.com, and contains up-to-date client software and hotfixes for a number of the client-side pieces of the Citrix Access Suite.


Client Software Available for the Access Client Package
Access Suite Component | Client-Side Software
Citrix Presentation Server | Program Neighborhood, Program Neighborhood Agent, Web Client
Access Gateway | Secure Access Client, Live Edit Client, Endpoint Analysis Client
Citrix Password Manager | Citrix Password Manager Agent

Creating a Client Distribution Package
You can run the Access Client package in administrative mode to select the client-side software pieces you want to package together. Enter the following command at a command prompt to run in administrative mode:

   msiexec.exe /a [path to msi file]

Select your client components and optionally customize the installation process of each client. To create an installation package for a specific client component, select only that client. Additionally, you can choose to reduce the overall size of the final distribution package by selecting the option to remove unused files.

Note: Each client installation that includes a Citrix Presentation Server Client includes the Program Neighborhood Connection Center, allowing users to see information about their current ICA connections.

Distributing and Installing Your Client Software Package
After you create your client software package, you can make it available to your users on a network share point or distribute it using your Active Directory infrastructure. Client devices must meet the requirements of each client software component within your package. For example, if you attempt to install a package that includes the Web Client and the Secure Access Client on a device that does not meet the requirements for the Secure Access Client, only the Web client is installed.


The Access Client package installs and upgrades all available clients, as specified when you build your software package. Every item included in your original client software package should be included in any subsequent upgrade packages you create. For example, if you create a software package that includes the Endpoint Analysis Client and the Web Client, subsequent upgrade packages must include both client software packages. If you create an upgrade package that includes only the Endpoint Analysis Client, the Access Client package uninstalls the Web Client.

Important: The Gateway Client and Advanced Gateway Client are no longer supported by Advanced Access Control and therefore, are removed from the Access Client package. However, the Access Client package now includes the Secure Access Client, the client software component that replaces the Gateway Client and Advanced Gateway Client. As a result, the Access Client package uninstalls the Gateway Client and Advanced Gateway Client from all client devices. If users require the functionality previously available with these clients, include the Secure Access Client in your package.

Conversely, if you later want to add the Secure Access Client to your environment, rebuild your package to include the Endpoint Analysis, Web, and Secure Access Clients. When this installation package is run on client devices that have your original package installed, the Secure Access Client is installed, while the Endpoint Analysis and Web clients will simply be verified as installed and not changed in any way.

To uninstall a client that was installed or upgraded using a Windows Installer package, users must run the Add/Remove Programs utility from the Control Panel or run the installer package again and select the Remove option.

Important: To install the client software using the Windows Installer package, the Windows Installer Service must be installed on the client device. This service is present by default on Windows 2000 systems. To install clients on client devices running earlier versions of the Windows operating system, you must use the self-extracting executable or install the Windows Installer 2.0 Redistributable for Windows, available at http://www.microsoft.com/.

For more information about the Access Client package, including a full list of included clients, see the Download section of the Citrix Web site at www.citrix.com.


Posting Client Software to a Share Point
You can post available client software on a network share point so users or support personnel can install the client software at their convenience. You can use the Access Client package to create installation packages for each client software component or a single installation package containing all of your Advanced Access Control clients following the instructions above. Alternatively, for the Endpoint Analysis Client, you can use the installation package available as an EXE or MSI in the \Setup\EndpointAnalysisClient\lang directory of the Server CD.

Downloading Client Software on Demand
You can configure client software so that it downloads and installs on the client device on an “as needed” basis. Advanced Access Control supports this type of deployment for the Secure Access Client, Endpoint Analysis Client, Web Client and Client for Java. Use this deployment option when non-corporate devices such as Internet kiosks are used to access the corporate network.

On-demand deployment of the Secure Access Client is configured within connection policies. If a connection policy is configured to launch the Secure Access Client, Advanced Access Control detects whether the Secure Access Client is already installed on the client device. If the Secure Access Client is detected, it is launched. If the Secure Access Client is not detected, it is downloaded to the client device and then launched. If the client software cannot be downloaded to the client device, Advanced Access Control attempts to connect to resources using browser-only access.

Important: Access to Web applications configured to bypass the Web proxy, email synchronization, and network resources require the Secure Access Client.

If you integrated Advanced Access Control with a farm running Presentation Server, you can specify which Presentation Server Client to deploy for each logon point. This allows you to configure the deployment of Presentation Server Clients based on specific access scenarios. For example, you could configure on-demand client downloads for the logon point available to users logging on over the Internet. However, you could disable this feature for the logon point available to users from an enclave within the corporate network.


The requirements for installing on-demand clients include configuring the client browser to accept client software such as ActiveX controls, plug-ins, and Java applets. In addition, users running Windows XP or Windows 2000 must be members of the Power Users or Administrators group to install the software on their devices. For additional information about client software minimum requirements, see “Client Requirements” on page 58.

You cannot configure the on-demand deployment of the Endpoint Analysis Client. Rather, Advanced Access Control determines if, based on policies associated with that logon point, an endpoint analysis scan is required. If a scan is required, Advanced Access Control detects if the Endpoint Analysis Client is present on the client device. If the client software is detected on the client device, the Endpoint Analysis Client performs the appropriate scans. However, if the software is not detected, users are prompted to download and install the Endpoint Analysis Client as an ActiveX control when running Internet Explorer or a plug-in when running Netscape Navigator or Firefox. If users refuse to allow the Endpoint Analysis Client to install and scan the client device, they receive the same level of access they would if the policies associated with the scans were denied. This level can be limited or no access. Consider deploying the Endpoint Analysis Client in advance if you want to avoid the on-demand downloading of this client.

Note: Some endpoint analysis information is cached on the client device. Users can empty this cache through the Manage Endpoint Analysis tool (Start > Programs > Citrix > Endpoint Analysis Client).
To configure on-demand client deployment of Presentation Server Clients

1. In the console tree, select the appropriate logon point and choose Edit Logon Point from Common Tasks.
2. On the Clients page, select the clients you want to deploy to users on-demand from the options below.
   • Web Client (ActiveX or Netscape plug-in). Select this option if your users do not already have a Presentation Server Client installed on their client device. Select Use the Client for Java if the Web Client cannot be used to deploy the Client for Java if the Web Client cannot be used or the user chooses not to allow its download. In addition, you can configure the automated update of the Web Client at logon (available for ActiveX only). This option provides an automated method of updating client software. Clear this option if you do not want to upgrade existing installations of the client on each user’s computer.
   • Client for Java. Deployed in applet mode, this client does not require the user to install any software. The user’s browser caches the Java applet for the duration of the browser session. Select the Client for Java as an alternative for users who cannot use the Web Client software.
   • None (use installed client). Select this option if you already deployed the required client software to client devices.

To configure on-demand client deployment of Secure Access Client

1. In the console tree, select Connection Policies.
2. Double-click the connection policy you want to edit.
3. On the Settings page, click Launch Secure Access Client and click Yes to allow this setting for the connection.

See the Access Gateway Standard Edition Administrator’s Guide for additional information on configuring the deployment of the Secure Access Client.

Ensuring a Smooth Logon Experience with the Secure Access Client
If users do not have the Secure Access Client installed when they log on, they must download and install it. However, if the Secure Access Client does not install and connect to the Access Gateway promptly, users will experience difficulty in accessing the home page you designate for the logon point. To avoid this, you can perform the following tasks:
• Enable the Web browser to redirect users to a URL outside of the internal network
• Modify the browser delay setting
• Modify the ticket lifetime setting

206

Access Gateway Advanced Edition Administrator’s Guide

Modifying the Logon Point Redirect URL
When a user logs on to the Access Gateway, the Logon Agent verifies that the user is allowed to log on and, if required by policies, the user’s Web browser attempts to launch the Secure Access Client. Afterward, the Web browser redirects the user to the home page designated for the logon point. By default, the Web browser redirects the user to the SessionInit.aspx page using an internal URL after 10 seconds elapse. If the Secure Access Client does not launch successfully during this time, the user cannot access resources on the internal network. To ensure users can access resources in this case, you can enable the Web browser to redirect users to an external URL. When you do this, users are redirected to the SessionInit.aspx page using the URL for the Access Gateway appliance (for example, https://AccessGatewayFQDN).
To modify the redirect URL

1. In Windows Explorer, navigate to the logon point’s virtual directory. For example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where logonpointname is the name of the logon point.
2. Open the web.config file in a text editor and add the following line to the appSettings section:
<add key="AlwaysUseClientLessURL" value="true"/>
3. Repeat steps 1-2 for all logon points you want to modify.

Modifying Browser Delay Settings
When a user launches the Secure Access Client and logs on to the Access Gateway, the user’s Web browser delays displaying the home page while the Secure Access Client establishes a connection with the Access Gateway. When using Mozilla Firefox or Netscape Navigator, the Secure Access Client connects after the default time period elapses. By default, this delay lasts 10 seconds. If the Secure Access Client does not connect within this time period, the Web browser will not display the home page unless the user refreshes the Web browser. To ensure the Secure Access Client has sufficient time to connect and the home page appears for Mozilla Firefox and Netscape Navigator, you can increase the time period that the Web browser delays displaying the home page. To do this, you modify the AdvancedGatewayClientActivationDelay key of the logon point’s web.config file. If you choose to make this change on one server running Advanced Access Control, you must make the same change on all servers in your access server farm.


To modify browser delay settings

1. In Windows Explorer, navigate to the logon point’s virtual directory. For example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where logonpointname is the name of the logon point.
2. Open the web.config file in a text editor and locate the following line:
<add key="AdvancedGatewayClientActivationDelay" value="18" />
3. Change the key value to the length of time, in seconds, you want to allow the Secure Access Client to establish a connection with the Access Gateway.
4. Repeat steps 1-3 for all remaining servers running Advanced Access Control.

Modifying Ticket Lifetime Settings
When a user launches the Secure Access Client and logs on to the Access Gateway, the user’s Web browser receives a ticket from the Citrix Authentication Service which must be used within a certain period of time. The default time period is 85 seconds. When the ticket is used within this time period, the home page appears in the user’s Web browser. If the Secure Access Client does not connect within this time period, the ticket expires and the home page does not appear. The user must access the logon point again and receive a new ticket. To ensure the Secure Access Client has sufficient time to connect and tickets are presented promptly, you can increase the lifetime of tickets issued to users. To do this, you modify the Ticket Profile keys located in the web.config file of the Citrix Authentication Service. If you choose to make this change on one server running Advanced Access Control, you must make the same change on all servers in your access server farm.
To modify the ticket lifetime settings

1. In Windows Explorer, navigate to the Citrix Authentication Service Web directory (C:\inetpub\wwwroot\CitrixAuthService).
2. Open the web.config file in a text editor and locate the following lines:
<add key="TicketProfile_SGC_CGP" value="MULTIUSE,85,1200,true,true" />
<add key="TicketProfile_ASGC_CGP" value="MULTIUSE,85,1200,true,true" />
3. Change the first numeric value in both keys to the length of time, in seconds, for which you want tickets to remain valid from the time of issue.
4. Repeat steps 1-3 for all remaining servers running Advanced Access Control.
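The three web.config edits above (the redirect URL, the browser delay and the ticket lifetime) have to be repeated by hand on every logon point and every server in the farm, which is where drift creeps in. The following Python script is an added example, not Citrix's code: it applies the same edits from a script and reports servers that disagree, assuming the standard ASP.NET web.config layout with an <appSettings> section and that the TicketProfile_* values keep the comma-separated form shown above, with the lifetime as the first numeric field.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a logon point web.config, reduced to the key discussed
# above (a real file has many more sections; they are preserved unchanged).
LOGON_POINT_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AdvancedGatewayClientActivationDelay" value="18" />
  </appSettings>
</configuration>
"""

# Constructed sample of the Citrix Authentication Service web.config.
AUTH_SERVICE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="TicketProfile_SGC_CGP" value="MULTIUSE,85,1200,true,true" />
    <add key="TicketProfile_ASGC_CGP" value="MULTIUSE,85,1200,true,true" />
  </appSettings>
</configuration>
"""

def _app_settings(root):
    # Fail loudly on the wrong file rather than silently changing nothing.
    settings = root.find("appSettings")
    if settings is None:
        raise ValueError("web.config has no <appSettings> section")
    return settings

def _serialize(root):
    # ElementTree drops the XML declaration (and comments); put it back.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")

def _check_seconds(seconds):
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("expected a positive whole number of seconds")

def get_app_setting(config_xml, key):
    """Value of <add key=... value=.../> under <appSettings>, or None."""
    for add in _app_settings(ET.fromstring(config_xml)).findall("add"):
        if add.get("key") == key:
            return add.get("value")
    return None

def set_app_setting(config_xml, key, value):
    """Set one appSettings key (appending it if absent); return the new XML."""
    root = ET.fromstring(config_xml)
    settings = _app_settings(root)
    for add in settings.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:
        ET.SubElement(settings, "add", {"key": key, "value": value})
    return _serialize(root)

def enable_clientless_redirect(config_xml):
    """Logon point: redirect to SessionInit.aspx through the appliance URL."""
    return set_app_setting(config_xml, "AlwaysUseClientLessURL", "true")

def set_activation_delay(config_xml, seconds):
    """Logon point: seconds the browser waits for the Secure Access Client."""
    _check_seconds(seconds)
    return set_app_setting(config_xml,
                           "AdvancedGatewayClientActivationDelay", str(seconds))

def set_ticket_lifetime(config_xml, seconds):
    """Authentication Service: rewrite only the first numeric field (lifetime
    in seconds from issue) of every TicketProfile_* key. The other fields are
    not documented above, so they are copied through unchanged."""
    _check_seconds(seconds)
    root = ET.fromstring(config_xml)
    changed = 0
    for add in _app_settings(root).findall("add"):
        key = add.get("key", "")
        if not key.startswith("TicketProfile_"):
            continue
        fields = add.get("value", "").split(",")
        if len(fields) < 2 or not fields[1].strip().isdigit():
            raise ValueError(f"unexpected ticket profile format in {key}")
        fields[1] = str(seconds)
        add.set("value", ",".join(fields))
        changed += 1
    if changed == 0:
        raise ValueError("no TicketProfile_* keys found; wrong web.config?")
    return _serialize(root)

def inconsistent_servers(configs_by_server, key):
    """The guide requires the same change on every server in the farm. Given
    {server_name: web.config text}, return {} when all agree on `key`, else
    every server's value so the stragglers can be found."""
    values = {name: get_app_setting(xml, key)
              for name, xml in configs_by_server.items()}
    return {} if len(set(values.values())) <= 1 else values
```

Run it against copies of each server's web.config (for example collected over an administrative share) and write the result back only after inconsistent_servers() returns an empty dictionary.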


Ensuring a Smooth Rollout
After your client software deployment strategy is implemented and tested, you are ready to provide users with the information they need to access corporate resources through Advanced Access Control. To ensure all users are aware of the upcoming deployment of Advanced Access Control, consider a formal method of communication such as posting information on your corporate intranet, training sessions, and email. If there are budgetary restrictions, determine whether some of the costs of your deployment strategy actually improve the company’s bottom line. For example, the costs associated with user training could be justified if there is a significant savings as a result of fewer support calls. Topics on which to consider providing additional information to users include:
• Client software. Depending on your client deployment strategy, users may need to install client software on their own device. In this scenario, provide users with the location of the file share from which they can access the installation packages. If you implemented an on-demand client software strategy, instruct users to accept these clients when prompted. In addition, inform users that failure to accept the installation of on-demand clients results in reduced functionality for that session.
• Logon points. If users can access the corporate network from multiple logon points, you must provide users with the URLs for these logon points. For example, if you created two logon points—one for access from a network enclave and another for external access through the Internet—users will need the URLs for both logon points. Additional information about providing logon information to users is discussed in the next section.
• Policy-based access. Inform users if you developed an access strategy that includes different levels of access to corporate resources based on factors such as endpoint analysis results, authentication type, or logon point. For example, you may create a policy that allows users to download a document when accessing it from within a network enclave and create another policy that denies this level of access when accessing the document from their home computer. Informing users of this type of access control reduces user confusion as well as unnecessary support calls.

Providing Logon Information to Users
Users can access a specific logon point by navigating to the following URL: https://GatewayApplianceFQDN/CitrixLogonPoint/LogonPointName/


where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of the Access Gateway server on which you deployed the logon point and LogonPointName is the name of the logon point. For example, if the FQDN of the Access Gateway server is “companyserver.mydomain.com” and the logon point is “remote,” the URL for logging on is https://companyserver.mydomain.com/CitrixLogonPoint/remote. Alternatively, users can access the default logon point by navigating to the following URL: https://GatewayApplianceFQDN/ where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of the Access Gateway server on which you deployed the logon point.

Browser Security Considerations
Certain custom Web browser security settings can prevent users from accessing Advanced Access Control. Therefore, follow the guidelines below to ensure users can access the appropriate servers within your network.
• For users to properly access corporate resources through Advanced Access Control, the following browser settings must be enabled.
  • Cookies. Advanced Access Control uses per-session cookies that are not stored on disk. Therefore, third parties cannot access the cookies. Disallowing per-session cookies prevents connections to Advanced Access Control. Users cannot log on to Advanced Access Control because logging on requires a session cookie.
  • File download. Disabling “File download” prevents the downloading of files from the corporate network, the launching of any seamless ICA sessions, and access to internal Web servers outside the access server farm.
  • Scripting. Disabling active scripting makes Advanced Access Control inaccessible. Disabling Java applet scripting prevents users from launching published applications with the Client for Java.
• Change the security settings only for zones that contain resources accessed through Advanced Access Control. If you fully trust the sites on your company’s intranet, you can set the Local Intranet zone security level to Low. If you do not fully trust the sites on your intranet, keep the Local Intranet zone set to Medium-Low or Medium. Several browser security settings required to access Advanced Access Control servers are disabled under the High security settings. Therefore, if the security level for the Local Intranet zone is set to High, customize the browser security settings as described in the next section.
• If you want to keep the default security settings but also customize individual security settings of your Advanced Access Control servers, you can configure each server in the access server farm as a “trusted site.” Configuring servers as trusted sites lets you customize their security settings without affecting the Internet and Local Intranet settings.

Important: If your access server farm requires SSL, make sure that SSL is required for all sites in the Trusted Site zone.

Customizing Browser Security Settings
The following table lists additional Internet Explorer browser security settings required for those deployment scenarios requiring client software. Most of these settings are available from the Security tab of the Internet Options dialog box.

Deployment Scenario: Endpoint Analysis Client
Required Settings:
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)

Deployment Scenario: Live Edit Client
Required Settings:
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)

Deployment Scenario: Web Client
Required Settings:
• Run ActiveX controls and plug-ins (Enable)
• Script ActiveX controls marked safe for scripting (Enable)
• File download (Enable)
• Do not save encrypted pages to disk (Disable)

Deployment Scenario: Client for Java
Required Settings:
• Java Permissions (High safety or Custom). If you select Custom, set the following options:
  • Run Unsigned Content (Run in sandbox)
  • Run Signed Content (Prompt or Enable)
  • All Additional Signed Permissions must also be set to Prompt or Enable
• Do not save encrypted pages to disk (Disable)


Customizing the Logon Error Message
Users may see an “Access Denied” page when attempting to access the logon page. This can occur if users do not meet the requirements in a policy controlling the Allow Logon permission or do not meet the requirements configured in logon point properties for displaying the logon page. You can modify the “Access Denied” page to provide users with troubleshooting information or redirect them to a different Web page that contains remedies for a specific problem that is detected. In addition, because each logon point is associated with its own “Access Denied” page, you can customize this message to accommodate the specific access scenarios associated with each logon point. For example, you can customize a logon point’s “Access Denied” page with frequently asked questions and technical support contact information. Another possible “Access Denied” page customization is to redirect users to a Web page containing links to client software installation packages. You can create and deploy a logon point for the sole purpose of testing your modifications to the “Access Denied” page. Then, when you are ready to incorporate the customized page into your production environment, copy the page to the appropriate location on the Logon Agent server. The “Access Denied” message is generated by an ASP.NET user control that can be modified using any text editor that supports ASCX files.
To edit the “Access Denied” message

1. On an Advanced Access Control server, navigate to: %systemdrive%:\Inetpub\wwwroot\Citrixlogonpoint\logon point name where logon point name represents the name of the logon point associated with the page you want to customize.
2. Make a backup copy of the disallowed.ascx file.
3. Edit disallowed.ascx. For example, if you have a troubleshooting site named www.gotoassist.com, add the following syntax to the end of disallowed.ascx:
<a href="http://www.gotoassist.com/ph/button">Click here to launch GoToAssist</a>

Caution: Do not modify the logic contained in the page because doing so can yield undesirable results.


4. Repeat Steps 1-3 to customize the “Access Denied” message for other logon points.
5. Update logon page files on the Access Gateway as described in “Updating Logon Page Information” on page 93.

Chapter 14

Managing Your Access Gateway Environment

After configuring the servers in your access server farm, you perform a variety of tasks to manage your deployment. These tasks help you ensure your deployment runs smoothly and efficiently. This section describes how to:
• Administer your access server farm using multiple Consoles
• Secure the Access Management Console with COM+
• Add and remove farms and servers
• Change the service account or database credentials
• Change the server roles
• Minimize downtime of your access server farm
• Monitor user sessions

Managing Access Server Farms Remotely
You can use the Access Gateway Administration Tool and the Access Management Console on remote workstations to manage your access server farm. You can install the Administration Tool from the Access Gateway Administration Portal. Use the Advanced Access Control Server CD to install the Access Management Console.
To download and install the Administration Tool

1. In a Web browser, type the URL of the Access Gateway and enter your administrator credentials.
2. In the Access Gateway Administration Portal, click Downloads.
3. Under Administration, click Download Access Gateway Administration Tool Installer.
4. Select a location to save the installation application and click Save. The installation tool is downloaded to your computer.
5. After downloading the file, navigate to the location where it was saved and then double-click the file.
6. To install the Administration Tool, follow the instructions in the wizard.
7. To start the Administration Tool, click Start > Programs > Citrix Access Gateway Administration Tool > Citrix Access Gateway Administration Tool.
8. In Username and Password, type the Access Gateway administrator credentials. The default user name and password are root and rootadmin.

To install the Access Management Console

1. Insert the Server CD or start AutoRun.exe from the CD image.
2. Select Product Installations and Advanced Access Control to open Setup.
3. Accept the license agreement and proceed to the Components Selection page.
4. Select Management console and clear the selection of any other components selected by default.
5. Proceed through the remainder of the wizard.

Controlling Access by Multiple Consoles
When a Console connects to an access server farm, other Console instances can actively manage the server farm at the same time. If any changes are made to the same configuration settings, Advanced Access Control writes the first change saved to the database based on the timestamp at which the change occurred. If two changes are saved simultaneously, the change with the earlier timestamp prevails. You are notified if an instance of the console connects to a farm and another instance is detected. If you make any configuration changes, they may be overridden depending on when each Console instance saves each change. Choose Yes to acknowledge and close the message.
Important: Administering Advanced Access Control using multiple Console instances simultaneously can result in data corruption and inconsistent server performance. Citrix recommends you use only one Console instance at a time to administer access server farms.


Using Groups in Policy Assignments
It is generally good practice to assign policies to domain user groups or account authority groups only. If, however, you use the console on a remote workstation and assign the workstation’s local users to a policy, you may receive an error message when editing the policy from another Console. You can remove or edit such a policy using the console on the server running Advanced Access Control.

Securing the Access Management Console Using COM+
Depending on your organization’s needs, you may allow other administrators to manage your access server farm. Using COM+ role-based security, you can specify the users who can make changes to your access server farm using the Access Management Console. During installation, Advanced Access Control creates the following security roles for the Access Gateway Server COM+ application:
• Administrators. Users in this role are allowed to make changes to the Advanced Access Control environment using the console.
• Non Appliance Administrators. Users in this role are allowed to make changes to resources and policies only. Users assigned to this role are not allowed to modify gateway appliance settings. Users assigned to this role must not be assigned to the Administrators role as well. If the user is assigned to both roles, the Non Appliance Administrators role is not enforced.
• System. This role includes the service account and other local accounts that require access to the Access Gateway Server COM+ application.

If you add users to the Administrators or Non Appliance Administrators roles, they may have access to the API published by the application in addition to the console. Consider all risks carefully before adding other users to the Administrators role.
Important: The accounts appearing in the System role are required for Advanced Access Control to function. You must also close the Access Management Console before adding users to the Administrators or Non Appliance Administrators role. If these System accounts are modified or if the console is open when COM+ security is applied, your access server farm may stop functioning and you may lose data.
To allow administrators to use the Access Management Console

1. Close the Access Management Console if it is open.
2. Click Start > Programs or All Programs > Administrative Tools > Component Services.
3. In the console tree, expand Component Services > Computers > My Computer > COM+ Applications.
4. Expand Access Gateway Library > Roles and select the role that is appropriate for the user(s) you want to add:
• To allow administrators to access appliance and farm settings with the console, expand Administrators.
• To allow administrators to access farm settings only, expand Non Appliance Administrators.
5. Right-click Users and select New.
6. Enter the user account(s) you want to add and click OK.
7. Restart the Access Gateway Library COM+ application.
8. Repeat steps 4-7 for the Access Gateway Server COM+ application.

Restarting COM+ Applications
Restart the Access Gateway Server COM+ application when:
• You add users to the Administrators or Non Appliance Administrators role so they can make changes to your deployment using the Access Management Console.
• Components such as logon points or the Web proxy function incorrectly, as a preliminary troubleshooting measure.
• You modify components that access the Access Gateway Server COM+ application, such as Web email. For example, if you modify mapisvc.inf to enable Microsoft Exchange 2000 to work with the default Email Interface, you restart the Access Gateway Server COM+ application to ensure the modifications are recognized at runtime.

To restart the Access Gateway Server COM+ application

1. Click Start > Programs or All Programs > Administrative Tools > Component Services.
2. From the Component Services window, expand Computers > My Computer > COM+ Applications.
3. Right-click Access Gateway Server and select Shut down.
4. Right-click Access Gateway Server and select Start.


Adding and Removing Farms
If your deployment consists of multiple access server farms, you can manage them using a single Console. To do this, you add the other access server farms to the console tree.
To add access server farms

1. In the console tree, select the Access Gateway node.
2. Under Common Tasks, click Add access server farm.
3. In the Server box, type the machine name or the IP address of any server in the farm you want to add.
4. Click OK. The Access Management Console connects to the access server farm and displays the farm node in the console tree.

Note: To manage multiple access server farms from Console instances running on other machines, you must add the farms to each Console.
To remove access server farms

1. In the console tree, expand the Access Gateway node and select the farm you want to remove.
2. Under Common Tasks, click Remove farm.

Adding and Removing Gateway Appliances
To add gateway appliances to your access server farm, perform the following tasks:
1. Install and configure the appliance as described in the Getting Started with Citrix Access Gateway Standard Edition.
2. In the Access Gateway Administration Tool, enable Advanced Access Control to administer the appliances. For more information, see “Enabling Advanced Access Control” on page 80.
3. In the console, run discovery.

To remove gateway appliances from your access server farm, perform the following tasks:
1. In the Access Gateway Administration Tool, disable gateway administration with Advanced Access Control and remove all access server farm information.
2. In the console, remove the gateway appliance.

When you remove a gateway appliance from the console, you remove only the registration information from the access server farm database. If you do not remove all access server farm information from the Access Gateway Administration Tool before removing the appliance from the console, the Advanced Access Control registers the appliance again and displays it in the Gateway Appliances node when you run discovery.
To disable Access Gateway administration with the console

1. Launch the Access Gateway Administration Tool and select the gateway appliance you want to remove.
2. Click the Advanced Options tab and then clear the Advanced Access Control - includes an access server farm check box.
3. In Server running Advanced Access Control, remove the name of the server running Advanced Access Control.
4. Click Submit to save your changes.
5. Restart the Access Gateway.

To remove a gateway appliance from the console

1. In the console tree, expand Gateway Appliances and select the gateway appliance you want to remove.
2. Click Remove appliance and then click Yes to remove the gateway appliance from the farm.

Changing Service Account and Database Credentials
You can change the credentials of the service account or SQL access account if either of these accounts is deleted, is disabled, or changes passwords. If the credentials are not changed, Advanced Access Control does not function. Use the Server Configuration utility to change the credentials of these accounts. You can run the Server Configuration utility at any time without interrupting farm operations. However, the console must be closed on the machine on which it is running. If the console is running remotely and the account credentials are changed, the console displays an error message. Close and reopen the console to correct the problem. The Server Configuration utility and the account information are stored on each server running Advanced Access Control. To use the Server Configuration utility, you must log on to the server as an administrator.

To change account credentials

1. On the server running Advanced Access Control, choose Start > Programs or All Programs > Citrix > Advanced Access Control > Server Configuration.
2. Click Service Account to change the user name, password, or domain of the service account. For information about requirements for valid service accounts, see “Service Account Requirements” on page 44.
3. Click Server Farm Information to change the farm database server, farm name, or database authentication method.

Modifying Server Roles
Each server running Advanced Access Control is assigned the HTML Preview server role by default. If you do not want all servers in your farm to perform this role, you can enable or disable it on a per-server basis.
To modify server roles

1. In the console tree, select Servers.
2. Under Common Tasks, click Manage server roles.
3. Select or clear the check boxes for each server you want to assign to or remove from the HTML Preview role.

Removing Servers from the Farm
When you remove servers from the farm, the services the server provided to your farm are no longer available. If you want to keep these services, ensure they are enabled on other servers in your farm.
To remove servers from an access server farm

1. Run discovery to ensure Advanced Access Control detects all servers in the farm.
2. In the console tree, expand the Servers node.
3. Select the server you want to remove.
4. Under Common Tasks, click Remove server.


Maintaining Availability of the Access Server Farm
Advanced Access Control maintains all configuration, session, and user data for the access server farm in a SQL database on the database server. If the database server becomes unavailable, Advanced Access Control cannot retrieve data in response to user or server requests. If the Advanced Access Control server becomes unavailable, users cannot log on to the server or access resources. This section describes how you can maximize the availability of your access server farm.
• Create a backup of the SQL database. After you create the initial backup, you should ensure the database is backed up regularly at appropriate intervals. Additionally, you should verify the data can be restored from the backups.
• Cluster the database server. This allows another database server to continue farm operations in the event the first database server becomes unavailable. The clustered servers appear to Advanced Access Control as a single database server.
• Cluster the Advanced Access Control server. As with the database server, clustering allows another Advanced Access Control server to continue operations for an unavailable server. Users can continue to log on to the server and access resources.

Exporting and Importing Configuration Data
You can export and import your farm configuration data using the Access Management Console. This can be helpful when, for example, you want to save the configuration data from a farm in a staging environment and copy it to a farm in a production environment. When you export your farm configuration, a .cab file is created which consists of compressed XML files containing the following data:
• Global farm settings such as display order of home page applications, license server, and authentication profiles
• Presentation Server farm settings
• Network and Web resource settings
• Logon point settings
• Policy settings
• Endpoint analysis settings
• Continuous scan settings
• Gateway appliance settings

Data that is not exported includes:
• Access server farm name
• Data that is valid only when the Advanced Access Control server is running, such as user session data
• Server information such as computer names

After you export your farm configuration, you can import the .cab file to restore the configuration on another server running the same version of Advanced Access Control. Before you export your farm configuration, be aware of the following conditions:
• You can import only .cab files that were exported using the same version of Advanced Access Control. For example, if you export the configuration of a farm running Version 4.5 of Advanced Access Control, you can import the configuration data only on another Advanced Access Control server running Version 4.5. If you import the configuration data on a server running a different version of Advanced Access Control, the import fails.
Note: If you want to import configuration data from a previous version of Advanced Access Control, you must first use the Migration Tool to prepare your data for import into a farm running Version 4.5. For more information about migrating to Version 4.5 from a previous version of Advanced Access Control, see the Access Gateway Advanced Edition Upgrade Guide.
• Incremental export or import of farm configuration data is not supported. You can export or import only entire farm configurations.
• When you import farm configuration data, the existing farm configuration is deleted and replaced with the imported data.

Important: Before you import farm configuration data, Citrix recommends creating a backup of the SQL database for the farm.
To export your access server farm configuration

1. From the console tree, select the farm node and then click Export Farm in Other Tasks.
2. Enter the location where you want to create the .cab file.

When you click Next, the XML files are compressed into a .cab file and saved to the location you specified.
To import your access server farm configuration

1. From the console tree, select the farm node and then click Import Farm in Other Tasks.
2. Enter the location of the .cab file you want to import.

When you click Next, the .cab file is decompressed and the existing configuration data is replaced with the imported data.

Monitoring Sessions
The Access Gateway Advanced Edition Session Viewer is a session monitoring tool that allows administrators to review user access to the access server farm and terminate user sessions.
Note: You must have administrative privileges to run the Session Viewer. An Advanced Access Control session is not required to run the Session Viewer.
Session Viewer displays data from the server on which you are logged on or from other Advanced Access Control servers. This data includes:
• Client IP address
• User name used to log on
• Installed clients
• Logon point accessed and default home page
• Name of the Advanced Access Control server the user is accessing

When you select a session from the Sessions pane, the data for that session displays in the Session Values pane. You can sort sessions by clicking the column headings in the Sessions pane.
To access the Session Viewer

Click Start > All Programs > Citrix > Access Gateway > Session Viewer.
To terminate sessions

1. From the Sessions pane, select the user session(s) you want to terminate.
2. Click Delete.

Chapter 14

Managing Your Access Gateway Environment

223

If the user attempts to access resources after you terminate the session, an error page appears and the user must log on again.


Chapter 15

Auditing Access to Corporate Resources

The event logging capabilities in Advanced Access Control ensure you collect the information needed to monitor access to corporate resources. Event logs allow you to:

• Prove compliance with regulatory requirements
• Prove compliance with internal, corporate-specific requirements
• Take proactive measures to address existing vulnerabilities such as evaluating incidents circumventing intended access and modifying your access strategy to resolve these issues
• Assist support personnel in troubleshooting issues related to accessing corporate resources

Configuring Audit Logging
You can configure Advanced Access Control to record specific user activities for auditing purposes. For example, you can monitor endpoint analysis scan results; successful logon attempts; and unsuccessful attempts to access resources such as Web email, file shares, and so on. Before configuring event log settings, determine the information you need to collect and enable logging only for the associated events. This approach ensures logging does not impact system performance or use unnecessary hard disk space. In addition, limiting logging to only the information relevant to the auditing process streamlines the evaluation of this data. The table below describes the events available for logging.


Endpoint analysis scan results
    Logs all endpoint analysis scan results. Three events are generated for each scan. The first event contains the raw endpoint analysis data from the client device. The second event contains the scan results (true/false) based on analysis within Advanced Access Control. The third event contains the scan results (true/false) specific to the requirements for displaying the logon page.

Logon page denied
    Logs an event when a logon page is not displayed to the user due to your configured requirements.

Logon allowed
    Logs an event when a successful Windows NT authentication is passed to the domain controller. Events are not logged when a user sends valid credentials but is denied access due to policy restrictions.

Logon denied
    Logs an event when an unsuccessful Windows NT authentication is passed to the domain controller or when the Allow Logon policy denies a user access to the logon page.

User logged off
    Logs an event when a user terminates a session.

Session timed out
    Logs an event when a session times out. The session time-out value is configured as a logon point setting.

Web resources - HTML MIME type
    Logs an event for successful access to HTML content within a Web resource such as HTML and ASP pages.

Web resources - other MIME type
    Logs an event for successful access to non-HTML content within a Web resource such as JavaScript, Flash, XML, and so on.

Web resources - image MIME type
    Logs an event for successful access to images referenced within a Web resource such as a GIF or JPEG file.

File shares
    Logs an event for successful access to file shares or documents within a file share.

Web email
    Logs an event for successful access to Web-based email including Outlook Web Access, iNotes, and Advanced Access Control’s Web email interface. Outlook Web Access and iNotes use the same event ID (304) while Advanced Access Control’s Web email interface uses event ID (306).

Resource access denied
    Logs an event for unsuccessful access to any resource within an access server farm. For Web resources, only unsuccessful access to the HTML MIME type is logged. Unsuccessful access to other or image MIME types is not logged.

Important: Audit log configuration is set at the access server farm level and applies to all resources within the farm. Therefore, if your access server farm is distributed across multiple servers, audit logs are written to each server within the farm. The general steps involved in configuring event logging are:

Chapter 15

Auditing Access to Corporate Resources

227

1. Specify the events to log for the access server farm. Use the Access Management Console to specify the type of events logged by servers within an access server farm.

2. Configure log settings for each server within the farm. Use the Windows Event Viewer to configure log settings for each server including specifying the maximum log size, determining when to overwrite events, and so on. By default, the maximum size of the CitrixAGE Audit log is 5120KB and is retained for seven days before being overwritten. New events are not added if the maximum log size is reached and there are no events older than this period. If this configuration does not meet your auditing needs, consider increasing the size of the log file as well as modifying the event overwrite settings.

3. Consolidate event logs into a single view. Each server within an access server farm maintains its own event log. Use the Event Log Consolidator in Advanced Access Control to collect event log data from all servers within the farm and display this data in a single, consolidated view. After the data is collected by the Event Log Consolidator, you can perform additional analysis by running a variety of reports based on user access, resource access, and so on.

To select events to be logged for an access server farm

1. In the console tree, select the access server farm you want to audit and click Edit farm properties in Common Tasks.
2. On the Event Logging page, select from among the auditing options described below. For detailed descriptions of these events, see the table in “Configuring Audit Logging” on page 225.
   • Endpoint analysis scan results
   • Allowed and denied access to resources (Web resources, file shares, and Web email)
   • Logon point data including logon page denial, logon denial, logon allowed, user log off, and session time-out

Note: To generate session-based reports in the Event Log Consolidator, you must enable the “Logon allowed” event.
To configure log settings for Advanced Access Control servers

You must be logged on as an administrator or as a member of the Administrators group to configure Advanced Access Control auditing information within the Windows Event Viewer.


After auditing is enabled and configured within Advanced Access Control, you can use the Windows Event Viewer to configure audit log settings including:

• Specifying the maximum log size
• Determining when to overwrite events

Important: By default, the maximum size of the CitrixAGE Audit log is 5120KB and is retained for seven days before being overwritten. New events are not added if the maximum log size is reached and there are no events older than this period. If this configuration does not meet your auditing needs, consider increasing the size of the log file as well as modifying the event overwrite settings.

1. Open the Windows Event Viewer of a server running Advanced Access Control.
2. Select CitrixAGE Audit from the console tree.
3. Configure logging properties as appropriate.
4. Repeat this step for all servers in the farm.

For help using the Windows Event Viewer, refer to the topic “Event Viewer” in the Windows online Help.
To consolidate event logging results

1. In the console tree, select Access Gateway and click View Events in Common Tasks.
2. In the Event Log Consolidator, click File > Configure.
3. In the Polling Interval box, specify the time interval (in seconds) at which the Event Log Consolidator collects audit log data from Advanced Access Control servers.
4. Under Available Farms, select the access server farm for which you want to view auditing data.
5. Click File > Collect to begin polling Advanced Access Control servers.

Important: Excessive logging and polling can impact a system’s performance. Therefore, avoid logging unnecessary events for an access server farm. In addition, avoid unnecessary polling of audit log data by the Event Log Consolidator.


Interpreting Audit Events
Audit information is written to the Windows Event Viewer and contains information specific to the audit event as described in the table below.

DateTime
    Date and time of the request.

UserName
    Name of the authenticated user accessing the resource.

ServiceName
    Name of the Advanced Access Control component logging the request.

Status
    Status of the request (accepted, denied, or completed).

Machine Name
    Name of the server logging the event.

Session ID
    Reference number assigned to a session upon successful user authentication and license validation. This number is used to track session events such as logon allowed, user logged off, and session timed out.

PolicyReference
    Reference number for denied attempts. This number is also displayed to users when access is denied.

EPAReference
    Reference number for endpoint analysis scans. This number is referenced by endpoint analysis before a user is authenticated to associate a session ID with scan results.

Resource
    Name or URI (Uniform Resource Identifier) of the resource requested.

Data
    Additional data specific to a message.

Although logging is enabled at the access server farm level, each server maintains its own log file. To gather logging information from all servers within the farm into a single view, use the Event Log Consolidator.
To view logging results

1. In the console tree, select Access Gateway and click View Events in Common Tasks.
2. Sort events or generate reports to assist in the evaluation of this data.


Troubleshooting User Access to Resources
There are a variety of reasons why a user may not be able to access a corporate resource ranging from failed endpoint analysis scans, incorrect authentication credentials, policy-based restrictions, and so on. Often, it is not possible for users to know why access was denied and therefore, they rely on support personnel for assistance in troubleshooting these issues. For each denial of access to a resource or failed endpoint analysis scan, a unique value is displayed in the user’s browser. This information is also written to the event log as the PolicyReference or EPAReference value, respectively. For this reason, consider instructing users to record reference numbers and provide this information to support personnel because it expedites the troubleshooting process. Support personnel can use this information to quickly search and identify the specific event and begin troubleshooting the problem. In addition, support personnel can use the table from the section “Interpreting Audit Events” on page 195 as a resource when evaluating events.
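The following is an added example, not code from the Citrix guide or the Event Log Consolidator, showing how the per-server audit records described under "Interpreting Audit Events" can be merged into one time-ordered view, how the PolicyReference or EPAReference value a user reads off the denial page can be matched to the event that produced it, and how repeated denials per user can be counted. The sample records are constructed; the pipe-delimited text form, the server names, and the helper names are assumptions made for illustration.

```python
"""Consolidate CitrixAGE Audit events from several farm servers and find the
event behind a reference number a user reports.

Added example, not code from the Citrix guide or the Event Log Consolidator.
The records are constructed sample data; the pipe-delimited text form, the
server names and the helper names are assumptions made for this illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Field order follows the "Interpreting Audit Events" table in the guide.
FIELDS = ["DateTime", "UserName", "ServiceName", "Status", "Machine Name",
          "Session ID", "PolicyReference", "EPAReference", "Resource", "Data"]


@dataclass(frozen=True)
class AuditEvent:
    date_time: datetime
    user_name: str
    service_name: str
    status: str            # accepted, denied, or completed
    machine_name: str
    session_id: str
    policy_reference: str  # set on denied attempts; also shown to the user
    epa_reference: str     # set on endpoint analysis scan events
    resource: str
    data: str


# Constructed sample logs. Each server keeps its own log, so there is one list
# per server; values appear in FIELDS order and are empty where not applicable.
SERVER_LOGS: Dict[str, List[str]] = {
    "AAC-SRV01": [
        "2006-09-19 08:01:12|CORP\\jdoe|Logon|accepted|AAC-SRV01|1001|||"
        "Allow Logon|Logon allowed",
        "2006-09-19 08:02:40|CORP\\jdoe|Web Email|accepted|AAC-SRV01|1001|||"
        "https://mail.example.net/exchange/|Event ID 304",
        "2006-09-19 08:05:03|CORP\\asmith|Resource Access|denied|AAC-SRV01|1002|"
        "PR-7F3A21||\\\\fs01\\finance\\budget.xls|Denied by access policy",
    ],
    "AAC-SRV02": [
        "2006-09-19 08:00:55||Endpoint Analysis|completed|AAC-SRV02|||"
        "EPA-55C0D9|Endpoint analysis|Raw scan data from client device",
        "2006-09-19 08:03:15|CORP\\asmith|Logon|accepted|AAC-SRV02|1002|||"
        "Allow Logon|Logon allowed",
        "2006-09-19 08:06:10|CORP\\asmith|Resource Access|denied|AAC-SRV02|1002|"
        "PR-7F3A22||https://intranet.example.net/hr/|Denied by access policy",
    ],
}


def parse_event(line: str) -> AuditEvent:
    """Parse one pipe-delimited record; reject lines with the wrong field count."""
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return AuditEvent(datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), *parts[1:])


def consolidate(server_logs: Dict[str, Iterable[str]]) -> List[AuditEvent]:
    """Merge the per-server logs into a single view ordered by time, the way
    the consolidator shows events from every server in the farm together."""
    events = [parse_event(line) for lines in server_logs.values() for line in lines]
    return sorted(events, key=lambda e: e.date_time)


def find_by_reference(events: Iterable[AuditEvent], reference: str) -> List[AuditEvent]:
    """Locate the event behind a PolicyReference or EPAReference a user reports.
    Whitespace and case are normalised; an empty reference matches nothing, so a
    blank lookup cannot return every event whose reference field is empty."""
    wanted = reference.strip().upper()
    return [e for e in events
            if wanted and wanted in (e.policy_reference.upper(), e.epa_reference.upper())]


def denied_by_user(events: Iterable[AuditEvent]) -> Counter:
    """Count denied requests per user; repeated denials are a cue to review the
    access policy for that user or resource rather than a single mistyped URL."""
    return Counter(e.user_name for e in events if e.status == "denied")


if __name__ == "__main__":
    merged = consolidate(SERVER_LOGS)
    for hit in find_by_reference(merged, "PR-7F3A21"):
        print(hit.date_time, hit.machine_name, hit.user_name, hit.resource)
    print(denied_by_user(merged).most_common())
```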

Performing Audit Log Maintenance
Several third-party tools provide advanced maintenance of Windows event logs. For example, the Windows Event Viewer and Event Log Consolidator do not support automatic rotation of logs without overwriting existing log data. If your corporation requires archiving of log data on a regular basis, consider a third-party tool that automates this process. However, there may be situations when using the Event Log Consolidator or Windows Event Viewer to perform basic maintenance tasks is appropriate. For example, you may need to reimage a server within your access server farm. To ensure no audit data is lost, you can use the Windows Event Viewer to save the audit log prior to reimaging the server. The decision regarding how to manage and maintain audit logs depends on your corporate needs. Therefore, when determining how to manage audit data, evaluate the auditing needs of your corporation and ensure that your solution satisfies these needs.

Appendix A

Glossary

Access Client package. The tool administrators use to manage the distribution and upgrade of Access Suite clients. Allows administrators to quickly and easily deploy client-side software to end-users with one convenient Windows Installer package.

Access Gateway Administration Desktop. A window where administrators can monitor Access Gateway network activity. Tools included in the Administration Desktop include the Citrix Real-Time Monitor, Ethereal Network Analyzer, xNetTools, My traceroute, fnetload, Gnome System Monitor, and the Workplace Switcher.

Access Gateway Administration Portal. A Web-based interface for performing administration tasks for Access Gateway appliances. From the Administration Portal you can download other administration tools for remote use, such as the Administration Desktop and the Access Gateway Administration Tool.

Access Gateway Administration Tool. A 32-bit management console downloaded from the Administration Portal and installed on a Windows computer in the secure network. The Administration Tool can administer individual settings for all gateway appliances in a cluster.

Access Gateway Real-Time Monitor. A console window listing current users and their related information. You can close the VPN connection for any user from the Real-Time Monitor. The Real-Time Monitor is accessed using the Administration Desktop.

Access Interface. The user-facing Web page that displays the available corporate resources, including URLs, email, and files.

access policy. A policy that enforces configuration settings for user access under specified conditions. See also connection policy.

access scenario. The access scenario includes all the information about the user and the user’s client device used to apply policies. Depending on the type of policy being evaluated, the access scenario can include the user identity, the client device, client device details discovered through endpoint analysis scans, the authentication method employed, the logon point used to enter the network, and so on.


access server farm. A logical grouping of servers on which Advanced Access Control Services run. An access server farm consists of one or more networked computers that run Advanced Access Control components such as the Web Server, database server, and so on. These components work together to provide access to corporate resources such as Web sites, file shares, and email. See also server farm.

accessible networks. The IP addresses of the computers in the secure network to which the Access Gateway is allowed to connect.

action controls. The permissions that users are granted for working with files through Access Gateway Advanced Edition such as Download, Send as Email, and file type association.

activation server. A server that performs file activation services such as HTML Preview, Download, and Live Edit. It houses the Activation Host Service and Activation Engine Service; the Activation Host Service acts as a “sandbox” for the Activation Engine Service to activate a file.

activation services. A service that provides stateless load balanced file activation including HTML Preview, Download, and Live Edit.

Advanced Access Control. Software components and features in Access Gateway Advanced Edition which enable granular policy-based access control. Advanced Access Control allows you to control user access based on such factors as user location and authentication, endpoint analysis, and verification of the client device.

Allow Logon. A permission (the ability to log on) that is controlled by policy. The Allow Logon permission is treated as a resource to enable administrators to add criteria for users to meet in addition to the usual authentication process.

application policy. A policy that can be configured for any software program, including Web applications, when you are using the Access Gateway appliance. Application policies allow you to restrict applications to a specified network path and to make access to the application dependent upon endpoint policies.

authentication profile. An authentication profile contains configuration settings that define the authentication to be used with a logon point.

authentication type. The type of authentication being used, such as RADIUS, LDAP, SafeWord, and so on.

authorization rejection page. The user-facing Web page that displays when a client environment does not possess the baseline requirements for accessing corporate network resources.

browser-only access. The ability to access corporate network resources without requiring any client-side software other than a Web browser.

Citrix Activation System (CAS). The Citrix license management system available from a secure area of the Citrix Web site that allows customers to generate license files for Access Suite products. CAS stores a downloadable copy of all license files generated and can display a list of licenses registered to an organization.

Appendix A

Glossary

233

Citrix administrator. System administrator responsible for installing, configuring, and maintaining computers running any product in the Citrix Access Suite.

Citrix XML Service. A Windows service that provides communication between Citrix Presentation Server and Access Gateway, Web Interface, and some Presentation Server Clients.

client device. Any hardware device used to access corporate resources.

Client for Java. A Java applet that supports the launching and embedding of published applications.

cluster. A group of like hardware components (such as Access Gateway appliances or Advanced Access Control servers) that can be managed as a single entity.

condition. (1) In general terms, a condition is any configurable requisite for the enforcement of a policy. Policies can have multiple types of conditions, such as endpoint analysis or logon point or authentication conditions. (2) In endpoint analysis, a condition is a single required attribute of the client device evaluated during endpoint analysis, such as the operating system or browser being used. A rule is a set of conditions that are evaluated against the client device. If the client device meets all the conditions in a scan’s rule, the scan is applied and run on the client device.

connection policy. A policy that allows Secure Access Client connections and applies settings to those connections. You must allow use of the Secure Access Client to establish connections to any network resource and for email synchronization, because these types of resources do not allow browser-only access.

continuous scan. Scans of the client device that occur repeatedly throughout the session to ensure that the client device continues to meet requirements. The feature prevents, for example, users from changing the status of a client device requirement after establishing the connection. Types of continuous scans include file scans, process scans, and registry scans.

continuous scan filter. A filter that defines the continuous scan requirements for a connection policy. A continuous scan verifies one item (a file, registry entry, or process) on the client device. The filter can include one or more continuous scans for verification. When associated with a connection policy, the filter defines all the requirements to be verified by continuous scans for the connection policy to take effect.

device-specific presentation. The automatic display of content that is appropriate to the device when a user uses a non-PC device, such as a PDA.

disconnected session. A client session in which the client is no longer connected to an application on Citrix Presentation Server, but the user’s applications are still running. A user can reconnect to a disconnected session. If the user does not do so within a specified time-out period, the server automatically terminates the session.


email synchronization. A comparison of separate email account instances resulting in both instances containing the same information. This feature allows remote users to access email in real time when working online and synchronize their folders in preparation for working offline.

email synchronization group. A list of email servers that can be accessed for email synchronization.

enclave deployment. A deployment scenario in which a network is segmented or fragmented in a manner (such as with firewalls) that forces users to log on through a specific logon point.

endpoint analysis. A process that scans a client device and detects information such as the presence and version level of operating system, antivirus, firewall, or browser software. Endpoint analysis can verify that the client device meets your requirements before allowing it to connect. This information can be included as a filter within a policy to determine the appropriate level of access to corporate resources. Endpoint analysis scans are run against the client device once, during logon. See also continuous scan.

Endpoint Analysis Client. An ActiveX control or browser plug-in used to discover information about a device’s configuration (such as the operating system, antivirus pattern, and so on).

Endpoint Analysis SDK. The software development kit that allows customers and partners to modify and create endpoint analysis packages.

endpoint policy. An endpoint policy is a Boolean expression that defines the files, processes, or registry entries that must be on the client computer before users can connect to corporate resources through the Access Gateway appliance. You can create and use endpoint policies on the appliance only. If you are using Access Gateway Advanced Edition, this functionality is configured through the logon point properties, where you can specify the requirements to be met by the client device before the user is shown the logon page.

endpoint requirement. A file, process, or registry entry that must be on the client device. An endpoint requirement is configured with Access Gateway Standard Edition administration and then used to create an endpoint policy that is then added to one or more user groups.

endpoint resource. A file, process, or registry entry that must be on the client device to log on. In the Access Gateway Standard Edition, a group of endpoint resources is used to create an endpoint policy.

file activation. The actions a user can take on a file including HTML Preview, Live Edit, downloading, opening in a published application through file type association, and sending the file as an email attachment.

file scan. A type of continuous scan that validates a specified file on the client device.

file share. A directory (UNC) on a file server that is shared among a group of users. In Access Gateway Standard Edition, file shares are one of the corporate resource types available to users when they are logged on in kiosk mode. In Access Gateway Advanced Edition, file shares are available to users when an administrator publishes them to the Access Interface and configures policies allowing access.


file type association. A method that allows a document to be opened with an application published in Citrix Presentation Server that is registered to open documents of that type.

filter. Configured criteria, including endpoint analysis, logon point, and authentication type, that can be used by policies to determine access to corporate resources. A filter is a single named entity that can be used in multiple policies. A filter may include another filter as part of its criteria. An access policy may have only one filter, but each filter can be associated with multiple access policies. In addition, filters created in Access Gateway Advanced Edition can be used in Citrix Presentation Server, which extends the SmartAccess capabilities to published applications.

home page. The page the user sees after authentication. This page could be the default Access Interface, a third-party portal, or email access interface, such as iNotes or Outlook Web Access.

HTML Preview. The name of the service that allows documents to be previewed in HTML rather than downloaded in their native format. This feature also refers to the role that an administrator can assign to a server for performing this service.

Independent Computing Architecture (ICA). The architecture that Citrix uses to separate an application’s logic from its user interface. With ICA, only keystrokes, mouse clicks, and screen updates pass between the client and server on the network, while all the application’s logic executes on the server.

intellectual property control. The protection of corporate intellectual property or sensitive information using features such as HTML Preview, file type association, and client drive mapping. The goal of intellectual property control is to prevent the exposure of sensitive corporate data.

kiosk mode. Used in Access Gateway Standard Edition to describe a type of limited access to corporate resources from public computers, such as those found in airports or hotels.

Live Edit. The feature that allows users to edit remote documents using the Live Edit Client. Users can conveniently edit and save documents without needing to download or upload them.

Live Edit Client. The ActiveX control that integrates with a user’s local editing application to support the Live Edit feature.

local users. Users who are created in Access Gateway Standard Edition. Local users are configured when they do not require authentication using other authentication types such as RADIUS, SafeWord, RSA SecurID, or LDAP. A realm for local authentication must be configured on the Access Gateway appliance for local users to connect. Authentication credentials are checked against the local user list if the user name does not match the authentication server’s list of users.


logon point. The URL from which users access corporate resources. The logon point settings determine access to server farms, Access Interface configuration, and other session-specific settings. In addition, a logon point can be used as a filter within policies.

Microsoft SQL Server Desktop Engine (MSDE). A fully SQL Server-compatible data engine. SQL Server Express 2005, the newest version of MSDE, can be used in Access Gateway Advanced Edition for data storage in place of Microsoft SQL Server. See also SQL Server Express.

network resource. A network resource defines subnets or servers on the corporate network that users can connect to through the Access Gateway using the Secure Access Client over specified ports. After defining network resources, you can create policies that control their user access and connection settings.

pass-through authentication. The ability for Access Gateway to pass the user’s authentication information to another corporate resource requiring this information. Pass-through authentication is used for single sign-on to the Web Interface in an Access Gateway deployment.

policy-based access control. The ability to grant granular access to users based on their access scenario.

policy priority. A ranking system that allows you to prioritize policies to resolve conflicts when multiple policies apply to the same situation. The settings of a higher priority policy take precedence over conflicting settings in a lower priority policy.

pre-authentication policy. A policy that allows users to log on if a set of scans validate the client device. Pre-authentication policies can be created only using the Access Gateway Administration Tool. If you are using Access Gateway Advanced Edition, you can create a logon policy for similar functionality.

Presentation Server Client. Citrix software that enables users from a variety of client devices to connect to computers running Presentation Server.

process scan. A type of continuous scan that verifies that a specified process is running on the client device.

published application. An application installed on a server or server farm that is configured for multiuser access from clients through Citrix Presentation Server.

realm. A realm is used in Access Gateway Standard Edition to specify the logical area of access granted through a specified type of authentication. Realms are replaced in the Advanced Edition by authentication profile settings. The Default realm authenticates against the local user list on the Access Gateway. Additional realms for LDAP, SafeWord, RADIUS, and RSA SecurID can be created or can be used as the Default realm.

registry scan. A type of continuous scan that validates a registry setting on the client device.

resource group. A resource group combines multiple resources of differing types into one named resource so that policies can be applied to the aggregate.


resources. The file shares, Web resources, email, and applications available through the Access Gateway.

rule. In endpoint analysis, a rule is a set of conditions that define when to apply a scan and which property values to check. Multiple rules can apply to a single scan. The first rule of a scan is defined when you create the scan. After creating the scan, you can add more rules to make the scan apply to multiple scenarios.

scan. A process that verifies specific properties of client devices connecting to your network, such as the installed version of an antivirus software product or verification that the device belongs to a required domain.

scan output. A result of an endpoint analysis scan run on a connecting client device to detect or verify information about the client device. There are two types of scan outputs. One type is a property value that is detected and reported about the client device, such as the version number of an antivirus program running on the device. Another type is a simple Boolean (True or False) result indicating whether or not the client device passed the requirements of the scan.

scan package. A package of code that allows administrators to configure endpoint analysis scans. Each scan package is designed to examine a set of properties for a specific software product. You can expand the default set of scan packages by importing new ones. Citrix, partners, or developers in your organization can develop additional scan packages using the Endpoint Analysis Software Development Kit (SDK).

Secure Access Client. Citrix software used to connect users to network resources. In the Standard Edition, users access a secure URL to download the software and authenticate to the Access Gateway appliance. In the Advanced Edition, administrators create a connection policy to require use of the software when users access specific logon points. Users may download the software after they authenticate.

Secure Sockets Layer (SSL). A standards-based security protocol for encryption, authentication, and message integrity. It is used to secure the communications between two computers across a public network, authenticate the two computers to each other based on a separate trusted authority, and ensure that the communications are not tampered with. SSL supports a wide range of ciphersuites. The most recent version of SSL is Transport Layer Security (TLS).

server farm. A group of computers running Citrix Presentation Server and managed as a single entity, with some form of physical connection between servers and a database used for the farm’s data store. See also access server farm.

session reliability. Part of the collection of features that comprise SmoothRoaming, Session Reliability enables ICA sessions to remain active and on the user’s screen when network connectivity is interrupted. Session Reliability incorporates Common Gateway Protocol (CGP) which restores the user’s session quickly and transparently.

small form factor device. A client device, such as a PDA, with limited display capabilities.

238

Access Gateway Advanced Edition Administrator’s Guide

SmartAccess. A feature that allows organizations to control which resources users get access to, based on their access scenario, and what they can do with those resources when they get access. In addition, this functionality integrates with Citrix Presentation Server to give organizations this same level of granular control over published applications.

SmoothRoaming. The ability to access information continuously across devices, locations, and networks. This feature includes Workspace Control, session reliability, and dynamic display reconfiguration.

split DNS. A feature that enables failover to a user's local DNS if the default remote DNS is unavailable.

split tunneling. A feature enabling the client device to send only the traffic destined for the secured network through the VPN tunnel. With split tunneling, group-based policies apply to the internal network interface only. For connections from inside of the firewall, group-based policies do not apply to traffic to external resources or resources local to the network; that traffic is not encrypted.

SQL Server Express. The newest version of MSDE. See Microsoft SQL Server Desktop Engine (MSDE) for more information.

Transport Layer Security (TLS). See Secure Sockets Layer (SSL).

trusted. Refers to a user, service, or resource that is specifically allowed to access the corporate network.

untrusted. Refers to a user, service, or resource that is specifically disallowed from accessing the corporate network.

user groups. In Access Gateway Standard Edition, a user group consists of a collection of users, policies, and resources. User groups can be configured to correspond with user groups configured on authentication servers. All local users are automatically added to the Default user group. Users can also be added to other user groups you have configured.

Web-based email. A method of receiving, composing, and sending email using a Web browser instead of a local email application.

Web client. An ActiveX control that supports the launching and embedding of published applications.

Web proxy. The URL rewriting component of Access Gateway Advanced Edition.

Web resource. A set of URLs or Web applications that consists of virtual directory paths such as http://mycompany/mydocument. A Web resource is one of the corporate resources available to users through the Access Gateway.

Web server. A computer that delivers Web pages to browsers and other files to applications using HyperText Transfer Protocol (HTTP).

Appendix B
Scan Properties Reference

Scan packages contain the software you need to create scans to detect information about client devices. When creating scans, you typically specify one or more property values that you're looking for, such as an operating system version or service pack level. This reference topic lists the properties you can configure for Citrix scan packages. For information about creating scans, see "Creating Endpoint Analysis Scans" on page 166.

Note: This topic is available from the online help system of any server running the Advanced Access Control software. If you need information about specific properties while creating scans, use your online help to locate this reference topic.

Scan packages are organized alphabetically within the following groups by the type of product or properties being scanned:
• "Antivirus Scan Packages" on page 240
• "Browser Scan Packages" on page 245
• "Firewall Scan Packages" on page 248
• "Machine Identification Scan Packages" on page 253
• "Miscellaneous Scan Packages" on page 255
• "Operating System Scan Packages" on page 256

Antivirus Scan Packages
Citrix Scans for McAfee VirusScan
Detects if the required version of McAfee VirusScan software (personal edition) is running on the client device.

Supported Versions
• At least up to VirusScan 2006 v.11.0.209

Properties You Can Specify
Minimum required build version: Use format N.N, where N is an integer. Note that this property is mislabelled in the console and appears as "Minimum required engine version." You can find the build version number in the "About" information box of the installed application.

Scan Outputs
Program Version: The version of the key program executable file. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-McAfeeVirusScan: This Boolean output indicates if the required minimum version of the application is running on the client device.

Citrix Scans for McAfee VirusScan Enterprise
Detects if McAfee VirusScan software (Enterprise edition) is running on the client device.

Supported Versions
• At least up to VirusScan Enterprise v.8.0i Pattern 4825

Properties You Can Specify
Minimum required engine version: Use format N.N. For example, 4.4. Note that the application user interface and the registry may display the engine version number in different formats: engine version 4.4 may appear in the user interface as 4400 and in the registry as 4.4.00. In both cases, enter the minimum required engine version as 4.4 when you create the scan.

Minimum required pattern file version number: Use format N, where N is an integer.
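The "minimum required version" properties throughout this appendix accept a short form (N.N) that must be compared sensibly against the longer forms the product reports (4.4.00, 6.0.3790.1830, a pattern stamp such as 20060809.018) and against the 0.0.0.0 or 0 that the scan outputs when the product is absent. The following is an added example, not Citrix scan-package code, of a comparison that honours those rules: components are compared numerically, the shorter value is padded with zeros, and the page's single "4400 means 4.4" example is turned into an explicit, labelled assumption.

```python
"""Added example (not part of the Citrix product): normalise vendor version
strings and apply a "minimum required version" check with padding semantics."""
import re
from typing import Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "4.4", "4.4.00", "6.0.3790.1830" or "20060809.018" into a tuple
    of integers.  A bare four-digit string such as "4400" is treated as the
    user-interface rendering of engine version 4.4 that the guide mentions;
    that mapping (first digit major, second digit minor, remainder revision)
    is an assumption drawn from the guide's one example, not a documented
    vendor format."""
    text = text.strip()
    if not text:
        raise ValueError("empty version string")
    if re.fullmatch(r"\d{4}", text):
        return (int(text[0]), int(text[1]), int(text[2:]))
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True when installed >= minimum, compared component by component.
    The shorter tuple is padded with zeros, so a minimum of "4.4" accepts
    "4.4.00" and "4.4.1" but rejects "4.3.99".  The not-installed defaults
    the scans report (0.0.0.0 or 0) therefore never satisfy a positive
    minimum, which is the fail-closed behaviour a policy should rely on."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


if __name__ == "__main__":
    for reported, required in [("4.4.00", "4.4"), ("4400", "4.4"),
                               ("6.0.2900.2180", "6.0.3790.1830"),
                               ("0.0.0.0", "4.4")]:
        print(f"{reported:>14} >= {required:<14} -> {meets_minimum(reported, required)}")
```

Use the same comparator for the pattern file formats later in this appendix: the YYYYMMDD.NNN form parses as two integers and sorts chronologically, and the plain integer forms (McAfee Enterprise, Trend short form) parse as one component.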

Scan Outputs
Verified-McAfee-VirusScan-Enterprise: This Boolean output indicates if this application is running on the client device.
Engine Version: Indicates the On-Access scan engine version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.
Pattern Version: Indicates the pattern file version running on the client device. If this product is not installed or is not executing, the version defaults to 0.

Citrix Scans for Norton AntiVirus Personal
Detects if Norton AntiVirus software (personal edition) is running on the client device.

Supported Versions
• At least up to Norton AntiVirus 2006 v.12.2.0.13 Pattern 20060809.018

Properties You Can Specify
Days between required virus scans: The number of days within which a full-system antivirus scan must have run. Zero (0) means that any scan, or no scan, is acceptable. Use an integer between 0 and 365.
Minimum required product version: Use the format N.N.N, where N is an integer.
Minimum required pattern file version number: Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit month, DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs
Verified-Norton-Antivirus: Indicates if this application is running on the client device.
Product version: Indicates the software version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.
Pattern version: Indicates the pattern file version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.

Citrix Scans for Symantec AntiVirus Enterprise
Detects if Symantec AntiVirus Enterprise software is running on the client device.

Supported Versions
• At least up to Symantec AntiVirus Enterprise v10.0.0.359 Pattern 20060809.018

Properties You Can Specify
Minimum required product version: Use the format N.N.N, where N is an integer.
Minimum required pattern file version number: Use the format YYYYMMDD.NNN, where YYYY is the four-digit year, MM is the two-digit month, DD is the two-digit day, and NNN is a three-digit integer.

Scan Outputs
Verified-Symantec-AVEnterprise: Indicates if this application is running on the client device.
Product version: Indicates the software version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.
Pattern version: Indicates the pattern file version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.

Citrix Scans for Trend OfficeScan
Detects if Trend OfficeScan antivirus software is running on the client device.

Supported Versions
• At least up to Version 7.3 Pattern 3.645.00

Properties You Can Specify
Minimum required product version: Use the format N.N, where N is an integer.
Minimum required pattern file version number: The three-digit short form of the pattern file version running on the client device. Use the format N, where N is an integer. For example, for pattern version 2.763, enter 763.

Scan Outputs
Verified-Trend-OfficeScan: Indicates if this application is running on the client device.
Product Version: Indicates the software version running on the client device. If this product is not installed or is not executing, the version defaults to 0.0.0.0.
Pattern Version: Indicates the pattern file version running on the client device. If this product is not installed or is not executing, the version defaults to -1.

Citrix Scans for Windows Security Center Antivirus
Detects if the Windows Security Center reports that the client device is using antivirus software. There are no properties for you to specify in this scan beyond specifying the conditions under which the scan is applied. Note that accurate scan results require that antivirus software be monitored through the Windows Security Center. If an antivirus software product does not register properly with the Windows Security Center, it is possible for the scan to indicate incorrectly that the client device has no antivirus software enabled. Test to ensure that Windows Security Center correctly registers the antivirus software products you deem acceptable or check the Windows Security Center documentation for details of the products it supports.

Supported Versions
• Windows XP SP2 - Security Center

Scan Outputs
Antivirus Enabled: Indicates (True/False) if the Windows Security Center reports that the client device is using antivirus software.

Browser Scan Packages
Citrix Scans for Browser Type
Detects if specified browser software is being used to connect from the client device. You can scan for Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, Safari, or other software. Scans from this package do not require client-side software to run on the client device. Scan outputs are determined by examining the communication sent by the user's browser. Because the browser itself supplies that information, the result reflects what the client claims to be; treat it as a hint for choosing a policy, not as proof of the browser in use.

Supported Versions
• At least up to Microsoft Internet Explorer 6.0
• At least up to Mozilla Firefox 1.5.06
• At least up to Netscape Navigator 8.1
• At least up to Safari 2.0

Properties You Can Specify
Expected browser type: The browser you want to check for on the client device. Select Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, Safari, or Other.

Scan Outputs
Verified - Browser Type: Indicates (True or False) whether the browser type you specified is being used to connect from the client device.
Browser Type: Returns the type of the client browser. "Other" is returned if a browser other than Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, or Safari is being used.
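A clientless browser scan of this kind has only the HTTP request to work from, and the relevant field is the User-Agent header. The following added example (illustrative code, not the Citrix scan package) shows one way to derive the "Browser Type" and "Verified - Browser Type" outputs from that header, and why a policy must not treat them as proof: the final sample header is what any HTTP client can send to claim to be Internet Explorer. The header strings are constructed for this example to approximate the formats the listed browser versions sent; the token order in `browser_type` is an assumption about how to disambiguate them, not documented scan logic. The same header also carries the platform token that the Macintosh scan in the Operating System section reports.

```python
"""Added example (not part of the Citrix product): classify the connecting
browser from its User-Agent header, mirroring the Browser Type scan outputs."""
from typing import Dict

BROWSER_TYPES = ("Microsoft Internet Explorer", "Mozilla Firefox",
                 "Netscape Navigator", "Safari", "Other")


def browser_type(user_agent: str) -> str:
    """Map a User-Agent header to one of the five scan values.
    Order is deliberate: Netscape 8 is Gecko-based and can carry Firefox
    tokens, and Safari advertises "like Gecko", so the more specific product
    tokens are tested first.  Anything unrecognised is "Other"."""
    ua = user_agent or ""
    if "Netscape" in ua:
        return "Netscape Navigator"
    if "Firefox/" in ua:
        return "Mozilla Firefox"
    if "Safari/" in ua:
        return "Safari"
    if "MSIE " in ua:
        return "Microsoft Internet Explorer"
    return "Other"


def client_is_macintosh(user_agent: str) -> bool:
    """The "Client Is Macintosh" output: Mac OS X browsers name the platform
    in the same header."""
    ua = user_agent or ""
    return "Macintosh" in ua or "Mac OS X" in ua


def verified_browser_type(user_agent: str, expected: str) -> bool:
    """The Boolean "Verified - Browser Type" output: does the detected type
    equal the "Expected browser type" property?"""
    if expected not in BROWSER_TYPES:
        raise ValueError(f"unknown expected browser type: {expected!r}")
    return browser_type(user_agent) == expected


# Constructed sample headers (not captured from real sessions).
SAMPLE_HEADERS: Dict[str, str] = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "firefox15": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) "
                  "Gecko/20060728 Firefox/1.5.0.6"),
    "netscape81": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) "
                   "Gecko/20060127 Netscape/8.1"),
    "safari2": ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) "
                "AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"),
    "curl": "curl/7.15.5",
    # Any client can send this string (for example with curl -A); the scan
    # cannot tell it from a genuine Internet Explorer request.
    "spoofed": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:>10}: {browser_type(header)}, mac={client_is_macintosh(header)}")
```

Use the Browser Type output to select which logon page or client download to offer; use the client-side scans (the Internet Explorer and Mozilla Firefox packages below, which read the installed product's registry data) when the policy decision has security consequences.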

Citrix Scans for Internet Explorer
Detects if the specified version of the browser software exists on the client device.

Supported Versions
• At least up to Internet Explorer Version 6.0 Service Pack 2

Properties You Can Specify
Minimum required version: Use the format N.N.N.N, where N is an integer. You can specify a version as simple as N.N or as detailed as N.N.N.N (for example, 6.0.3790.1830).

Scan Outputs
Product Version: The version of the key program executable file. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-Internet-Explorer-Installed: This Boolean output indicates if the minimum required version or later of the application is running on the client device.
Verified-Internet-Explorer-Connecting: This Boolean output indicates if the minimum required version or later of the application is being used to perform the connection.

Citrix Scans for Internet Explorer Update
Detects if the specified version (including update or hotfix version level) of the browser software exists on the client device.

Supported Versions
• At least up to Internet Explorer Version 6.0 SP2

Properties You Can Specify
Data Set: Provide the name of a data set file containing the update or hotfix version levels required. See "Using Data Sets in Scans" on page 172 for more information.

Scan Outputs
Verified-Internet-Explorer-Patch: Indicates if the updates specified in the data set are present on the client device.

Citrix Scans for Mozilla Firefox
Detects if the specified version of the Mozilla Firefox browser exists on the client device. The scan package uses the published Windows registry settings.

Supported Versions
• At least up to Firefox Version 1.5.06

Properties You Can Specify
Minimum required version: Use the format N.N.N.N, where N is an integer. You can specify a version as simple as N.N or as detailed as N.N.N.N (for example, 1.0.3.3).

Scan Outputs
Product Version: The version of the key program executable file. The major and minor version numbers are the same as those shown in the program user interface. The rest of the version number may be ignored when reported.
Verified-Mozilla-FirefoxInstalled: This Boolean output indicates if the minimum required version or later of the application is running on the client device.
Verified-Mozilla-FirefoxConnecting: This Boolean output indicates if the minimum required version or later of the application is being used to perform the connection.

Citrix Scans for Netscape Navigator
Detects if the specified version of the Netscape Navigator browser exists on the client device. The scan package uses the published Windows registry settings.

Supported Versions
• At least up to Netscape Navigator Version 8.1

Properties You Can Specify
Minimum required version: Use the format N.N.N.N, where N is an integer. You can specify a version as simple as N.N or as detailed as N.N.N.N (for example, 8.0.3.3).

Scan Outputs
Product Version: The version of the key program executable file. The major and minor version numbers are the same as those shown in the program user interface. The rest of the version number may be ignored when reported.
Verified-NetscapeNavigator-Installed: This Boolean output indicates if the minimum required version or later of the application is running on the client device.
Verified-NetscapeNavigator-Connecting: This Boolean output indicates if the minimum required version or later of the application is being used to perform the connection.

Firewall Scan Packages
Citrix Scans for McAfee Desktop Firewall
Detects if the specified version of the firewall software exists on the client device.

Supported Versions
• At least up to McAfee Desktop Firewall 8.5 Build 260

Properties You Can Specify
Minimum required version number, or combined version and build number: To specify the version number only, use the format N.N, where N is an integer. To specify the version and build number, use the format N.N.NNN, where N is an integer.

Scan Outputs
Version: The version of the key program executable file. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-McAfee-Desktop-Firewall: This Boolean output indicates if the required minimum version of the application is running on the client device.

Citrix Scans for McAfee Personal Firewall Plus
Detects if the specified version of the firewall software exists on the client device.

Supported Versions
• At least up to McAfee Personal Firewall Plus 2006 Version 7.1.113

Properties You Can Specify
Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs
Version: The version of the key program executable file. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-McAfee-Personal-Firewall-Plus: This Boolean output indicates if the required minimum version of the application is running on the client device.

Citrix Scans for Microsoft Windows Firewall
Detects if the specified version of the Microsoft Windows Firewall or Internet Connection Firewall (ICF) exists on the client device.

Supported Versions
The scan can detect the following firewalls on these operating systems:
• Microsoft Windows XP Home and Professional: ICF
• Microsoft Windows XP Home and Professional Service Pack 1: ICF
• Microsoft Windows XP Home and Professional Service Pack 2: Windows Firewall (ICF was renamed Windows Firewall in SP2)
• Microsoft Windows 2003: ICF

Properties You Can Specify
Windows Firewall without exceptions is required: Select True if you require Windows Firewall to be active with no exceptions configured. Select False if you require ICF to be active on all connections, or if you require Windows Firewall to be active but allow exceptions. See "Adding Rules to Scans" on page 169 for an example showing how to add multiple rules with exceptions to a scan.

Scan Outputs
Verified-Windows-Firewall: This Boolean output indicates if the required firewall is active on the client device in the state specified by the property above.

Citrix Scans for Norton Personal Firewall
Detects if the specified version of Norton Personal Firewall exists on the client device.

Supported Versions
• At least up to Norton Personal Firewall 2006 Version 9.1.0.33

Properties You Can Specify
Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs
Version: The version of the key program executable file. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Version-Norton-PersonalFirewall: This Boolean output indicates if the required version of the application is running on the client device.

Citrix Scans for Windows Security Center Firewall
Detects if the Windows Security Center reports that the client device is using a firewall. The Windows Security Center allows you to monitor various security items on a client device running the Windows XP SP2 operating system. There are no properties for you to specify in this scan beyond specifying the conditions under which the scan is applied. Note that accurate scan results require that the firewall be monitored through the Windows Security Center on the client device. If a firewall product does not register properly with the Windows Security Center, it is possible for the scan to indicate incorrectly that the client device has no firewall enabled. Test to ensure that Windows Security Center correctly registers the firewall products you deem acceptable or check the Windows Security Center documentation for details of the products it supports.

Supported Versions
• Windows XP SP2 - Security Center

Scan Outputs
Firewall Enabled: Indicates (True/False) if the Windows Security Center reports that the client device is using a firewall.

Citrix Scans for ZoneAlarm
Detects if the specified version of the free ZoneAlarm firewall exists on the client device.

Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00

Properties You Can Specify
Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs
Version: The version of the key program executable. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-ZoneAlarm: This Boolean output indicates if the required minimum version of the application is running on the client device.

Citrix Scans for ZoneAlarm Pro
Detects if the specified version of the ZoneAlarm Pro firewall exists on the client device.

Supported Versions
• At least up to ZoneAlarm 2006 Version 6.5.731.00

Properties You Can Specify
Minimum required version number: Use the format N.N, where N is an integer.

Scan Outputs
Engine Version: The version of the key program executable. The major and minor version numbers are the same as those displayed in the program user interface. The rest of the version number may be ignored when reported.
Verified-ZoneAlarm-Pro: This Boolean output indicates if the required minimum version of the application is running on the client device.

Machine Identification Scan Packages
Citrix Scans for Domain Membership
Detects if the client device belongs to a specified domain.

Properties You Can Specify
A client domain name is required: True means the client device must belong to the named domain. False means the client device is not required to belong to a domain.
Domain name: A valid domain name. Workgroup names are not valid.

Scan Outputs
Domain: The name of the domain that the client device belongs to. If a client domain name is not required, the output is "unknown."
Verified-Domain: Indicates if the client device belongs to the specified domain.

Citrix Scans for MAC Address
Detects the media access control (MAC) address of each network interface card (NIC) or network adapter on the client device and compares the address against a data set containing the list of group names mapped to valid MAC addresses. This scan requires you to create a two-column data set listing valid MAC addresses mapped to group names. The scan detects the network adapter (the first value or column in the data set) and maps that address to a group name (the second value or column in the data set). Scans use this mapping to verify which group the client device belongs to.

The MAC addresses in the data set must be in the format NN:NN:NN:NN:NN:NN, such as 00:11:11:06:B3:E9. Use a colon (:) as the separator in this format rather than a hyphen (-).

Important: This scan package treats data as case sensitive. Avoid creating conflicting entries that differ only in case. For example, it is possible to create two entries for the same address and map them to two different groups: one entry might map the address 00:50:8b:e8:f9:28 to the Finance group, while another maps the same address with different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results unreliable. For more information about using data sets, see "Using Data Sets in Scans" on page 172.

Properties You Can Specify
Data set name: Name of a data set file that maps each MAC address to a group name.
Group name: Name of the group to which the NIC or network adapter must belong.
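The case-sensitivity warning above is easy to check for before a data set is imported. The following added example (illustrative code, not the Citrix scan package) parses a two-column data set, rejects hyphen-separated or malformed addresses, reports addresses that appear with different letter case mapped to different groups, and then resolves a client's adapter addresses to a group the way the scan outputs describe. The data-set text is constructed for this example, and the comma separator is an assumption about the data-set file layout, which this appendix does not specify.

```python
"""Added example (not part of the Citrix product): validate a MAC-address data
set for the MAC Address scan and resolve adapters to a group name."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Exactly six hex pairs separated by colons; hyphens are rejected on purpose.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def is_valid_mac(mac: str) -> bool:
    """True only for the NN:NN:NN:NN:NN:NN form the scan package expects."""
    return bool(MAC_RE.match(mac))


def parse_dataset(text: str) -> List[Tuple[str, str]]:
    """Return (mac, group) rows exactly as written, so that case differences
    survive for the conflict check.  Malformed rows raise instead of
    silently never matching at scan time."""
    rows: List[Tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]   # comma layout is an assumption
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'MAC,group', got {line!r}")
        mac, group = parts
        if not is_valid_mac(mac):
            raise ValueError(f"line {lineno}: not NN:NN:NN:NN:NN:NN with colons: {mac!r}")
        rows.append((mac, group))
    return rows


def case_conflicts(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Addresses that occur in more than one letter case and map to different
    groups.  The scan treats those spellings as distinct keys, so which group
    wins depends on how the client reports its address.  Keyed by the
    upper-cased address."""
    seen: Dict[str, Set[str]] = {}
    for mac, group in rows:
        seen.setdefault(mac.upper(), set()).add(group)
    return {mac: sorted(groups) for mac, groups in seen.items() if len(groups) > 1}


def lookup_group(rows: Iterable[Tuple[str, str]], adapter_macs: Iterable[str],
                 case_sensitive: bool = True) -> Optional[str]:
    """The "Group name" output: group of the first adapter found in the data
    set.  case_sensitive=True mirrors the scan package; False shows what a
    normalised data set would return."""
    table = {(m if case_sensitive else m.upper()): g for m, g in rows}
    for mac in adapter_macs:
        key = mac if case_sensitive else mac.upper()
        if key in table:
            return table[key]
    return None


def matched_mac_address(rows: Iterable[Tuple[str, str]], adapter_macs: Iterable[str],
                        required_group: str) -> bool:
    """The Boolean "Matched-MAC-Address" output."""
    return lookup_group(rows, adapter_macs) == required_group


# Constructed data set reproducing the conflict described in the Important note.
DATASET = """\
# MAC address,group name
00:11:11:06:B3:E9,Finance
00:50:8b:e8:f9:28,Finance
00:50:8B:E8:F9:28,Sales
"""

if __name__ == "__main__":
    rows = parse_dataset(DATASET)
    print("conflicts:", case_conflicts(rows))
    print("group:", lookup_group(rows, ["00:50:8b:e8:f9:28"]))
```

Run the conflict check on every data set before importing it and normalise all addresses to one case. Note also what the scan can and cannot establish: a MAC address is set by the client and is trivially changed, so the group it resolves to is a hint for selecting policy on a managed device, not proof of the device's identity.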

Scan Outputs
Group name: Returns the group name associated with the MAC address of the client device's network interface or adapter.
Matched-MAC-Address: This Boolean output indicates if the network interface or adapter belongs to the specified group of MAC addresses.

Miscellaneous Scan Packages
Citrix Bandwidth Scan
Determines the connection bandwidth between the client and the Access Gateway appliance. You can use the results of this scan in policies to determine, for example, whether published applications can be launched. This scan determines the bandwidth of a client’s connection by reading an image file and calculating the time it takes to read the file during the time the scan runs. The image file, citrix_bw.gif, is located in the themes/default/images folder of the logon point’s virtual directory. To change the size of this image file, overwrite this file with another of the same name. Note that the accuracy of scan results is affected by the time allotted for the scan to run as well as the size of the image file. For example, users on slow connections may experience prolonged logon times if the image file is 72 MB and the scan runs for 120 seconds. If the scan runs for 5 seconds, however, the correct bandwidth may not be calculated. Test to ensure there is a balance between the size of the image file and the time allotted for the scan to run so that users with high bandwidth and low bandwidth connections have similar logon experiences.

Properties You Can Specify
Desired Bandwidth: The level at which a connection is considered "high bandwidth."
Time: The maximum length of time the scan is allowed to run.

Scan Outputs
Bandwidth: This Boolean output indicates if the client connection meets the specified bandwidth.

Operating System Scan Packages
Citrix Scans for Macintosh
Detects whether or not the client device is running the Mac OS system software. Scans from this package do not require client-side software to run on the client device. Scan outputs are determined by examining the communication sent by the user’s browser. There are no properties for you to specify in this scan beyond specifying the conditions under which the scan is applied.

Supported Versions
• Mac OS X

Scan Outputs
Client Is Macintosh: Reports whether or not the client device is running Mac OS system software.

Citrix Scans for Microsoft Windows Service Pack
Detects if the operating system software on the client device is running at a required minimum service pack level.

Properties You Can Specify
Minimum required service pack: Select a Windows service pack version from the drop-down menu. Select None to detect a base, unpatched operating system version.

Scan Outputs
Service Pack: Returns the service pack version running on the client device.
Verified-Windows-Service-Pack: This Boolean output indicates if the required minimum service pack level is met.

Citrix Scans for Microsoft Windows Update
Detects whether a set of specified operating system updates are installed on the client device. Note: This scan package requires you to create a single-column data set listing the update names you wish to detect.

Properties You Can Specify
Data set name: Name of a data set file that contains a single-column list of updates appropriate for the detected operating system.

Scan Outputs
Verified-Windows-Updates: This Boolean output indicates if the updates specified in the data set file exist on the client device.
