Enterprise Services for NFuse
Technical Training
Jay Tomlin
Citrix Technical Support
January 2002
By the end of this session…
You should be able to:
• Explain the role of Enterprise Services for NFuse (aka ESN)
• Identify target customers
• Describe the architecture
• Install and use the product
What is NFuse?
• NFuse is an application access broker providing end users access to published applications over the web.
• Users logging into NFuse must have valid logon credentials on the target MetaFrame servers
[Diagram: End user, NFuse, One MetaFrame]
What is NFuse Enterprise?
• Enterprise Services for NFuse (ESN) is an application access broker providing scalability, manageability, and published application aggregation.
• ESN provides a single point of access to MetaFrame installations with multiple farms in separate administrative domains
• Users logging into ESN receive seamless access to MetaFrame servers in
Example Security Scopes
[Diagram labels: SQL Database, JDBC, XML, ESN, MetaFrame Farm 1, MetaFrame Farm 2, MetaFrame Farm 3, MetaFrame Farm 4. Security scopes shown: Active Directory Domain; NT Domains in a trust relationship; UNIX NIS Domain; Novell NDS Tree. Legend: Security Scopes, Publishers, Primary Account Authority, Secondary Account]
Account Mappings
• In order to provide single sign-on for users in multiple domains, ESN associates accounts in one domain to their corresponding accounts in other domains.
• There are two types of account mapping: Manual and Automatic
• Manual mappings are maintained by the end users
• Automatic mappings are created by the ESN administrator
• For farms in the ESN domain, no mapping is necessary
[Diagram: Account in Domain A, Account in Domain B]
Defining the ID Mapping Policy
For each farm added to ESN, you define an ID Mapping policy:
• Click here if this MetaFrame Farm is in the same domain as the ESN server.
• Click here to use “Manual” mapping, where end-users provide a username and password
• Click here to use
Manual Account Mapping
Manual Mapping
• Manual for the end user
• Users must specify the username and password for the foreign domains
• Until they do so, applications from publishers in those domains are not visible
• ESN stores their password for future use
• Passwords in the database are obfuscated, but this is not considered strong encryption. Admins are
Automatic Account Mapping
Automatic Mapping
• Automatic for the end-user
• ESN administrator must work with the domain administrator(s) to create a set of user accounts
• The accounts should be new user accounts, all with the same password and all members of the same group
• ESN users are mapped to the next available domain user account automatically
• Domain B usernames are irrelevant, but passwords must be the same for all users in that group
• The group name and group password must be provided to the ESN server
[Diagram: Account JohnB in Domain A; Unused accounts in Domain B, all members of the same group]
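A small model of the automatic mapping described above, added here as an illustration and not taken from ESN itself. The class, group and pool account names are hypothetical, and keeping each user's assignment stable across logons is an assumption.

```python
# Added illustration of the automatic mapping described above.
# Class, group and pool account names are hypothetical; this is not ESN code.


class PoolExhausted(Exception):
    """Every pre-created Domain B account is already assigned."""


class AutomaticMapper:
    def __init__(self, group_name, group_password, pool_accounts):
        self.group_name = group_name
        self._group_password = group_password  # one password for the whole group
        self._unused = list(pool_accounts)     # pre-created, not yet assigned
        self._mapping = {}                     # Domain A account -> Domain B account

    def map_user(self, primary_account):
        """Return the user's Domain B account, assigning the next unused one once."""
        if primary_account not in self._mapping:
            if not self._unused:
                raise PoolExhausted(f"no unused accounts left in {self.group_name}")
            self._mapping[primary_account] = self._unused.pop(0)
        return self._mapping[primary_account]

    def credentials_for(self, primary_account):
        """Username and password presented to the Domain B farm for this user."""
        return self.map_user(primary_account), self._group_password

    def owner_of(self, domain_b_account):
        """Reverse lookup: Domain B logs show only pool names, so tracing a
        session back to a person needs this table."""
        for primary, mapped in self._mapping.items():
            if mapped == domain_b_account:
                return primary
        return None

    def unused_count(self):
        return len(self._unused)


def demo():
    # Constructed sample data: a three-account pool with one shared password.
    mapper = AutomaticMapper("ESNPool", "constructed-group-password",
                             ["esnpool01", "esnpool02", "esnpool03"])
    first = mapper.map_user("JohnB")    # gets the next available account
    again = mapper.map_user("JohnB")    # assumed stable on later logons
    second = mapper.map_user("MaryK")
    return first, again, second, mapper.owner_of("esnpool02"), mapper.unused_count()


if __name__ == "__main__":
    print(demo())
```

The pool size caps how many ESN users can reach the Domain B farm, and every mapped user presents the same group password, so the mapping table is the only record tying a Domain B session to a person.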
Sample Deployment Scenario 1
General ESN Deployment
[Diagram: Client, Client, NFuse, Euphrates, Publisher 1, Publisher 2, Publisher 3, Publisher 4]
Sample Deployment Scenario 2
ESN Deployed in its own Security Scope
[Diagram: Client, Client, NFuse, Euphrates, Publisher 1, Publisher 2, Publisher 3, Publisher 4]
Sample Deployment Scenario 3
Multiple Publisher Security Scopes, ESN in its own Security Scope
[Diagram: Client, Client, NFuse, Euphrates, Publisher 1, Publisher 2, Publisher 3, Publisher 4]
Sample Deployment Scenario 4
Multiple Security Scopes, ESN in a Publisher Security Scope
[Diagram: Client, Client, NFuse, Euphrates, Publisher 1, Publisher 2, Publisher 3, Publisher 4, Security Scope A, Security Scope B]
Installing NFuse Enterprise 1.0
The NFuse Enterprise Web Server
• Windows 2000 Server in a Domain
• IIS 5.0 with SSL enabled, NFuse 1.61 or later
• Java Development Kit 1.3.1 (not just the JRE)
• Set a JAVA_HOME system environment variable equal to the JDK location, e.g. c:\jdk1.3.1_01
• Apache Tomcat 3.2.3 gets installed and integrated with IIS for you as part of the setup process. “Tomcat Jakarta” service will be added to the Services control panel
The Database Server
• May be the same machine as above
• Microsoft SQL 7.0 or SQL 2000 (no Oracle support in version 1.0)
• Database will be created automatically and named “NFUSE” by default
• Installer creates a SQL logon account
• ESN uses NetDirect’s JDataConnect JDBC library to connect to the database
Installing NFuse Enterprise
MetaFrame Server Farms
• All MetaFrame servers must be MetaFrame XP FR1 for Windows or MetaFrame 1.1 FR1 for UNIX (or later)
• MetaFrame servers must be in some sort of domain (NT4, ADS, NDS, NIS, NIS+), not just a workgroup
• XP FR1 contains an upgraded version of the XML service required for NFuse Enterprise
Note: ESN ≠ MetaFrame
The ESN server should not also be a
Installation and initial configuration
• After installing Win2K SP2, IIS, NFuse 1.61, JDK 1.3.1, and MS SQL Server, you are ready to install NFuse Enterprise
• The SQL Server can be on a separate machine, but for the 1.0 release NFuse 1.61 and ESN 1.0 must be on the same server
Files copied to Program Files\Citrix
• By default, Tomcat and some ESN configuration files are installed beneath \Program Files\Citrix.
• End-user web pages are also created beneath Inetpub\wwwroot\Citrix\NFuseEnterprise.
IIS-Tomcat integration requires IIS restart
• To continue installation, you must agree that it is OK to restart IIS
• The installer modifies the IIS metabase for Tomcat integration
• This action allows IIS to provide Java servlets through the normal HTTP port (80) instead of the default Tomcat port (8080)
Creating the NFUSE database
• If this is the first ESN server, choose to install the database.
• You may change the database name to something other than NFUSE if desired
• If you are adding an ESN server to an existing deployment, don’t install the database again
SQL Server Authentication
• First, enter the SQL username and password of a SQL system admin (like sa). The password cannot be blank.
• Next, enter a new SQL login and password. The installer will create this account and a new role (EUPH_Role) for accessing the database from now on. Don’t forget the password…
Database admin accounts
Must be an existing SQL system administrator. The password cannot be blank.
First time setup - Configuring database access
• Each ESN server needs to be told where the NFUSE database resides, and what SQL login to use (there may be more than one ESN server per database). Enter the database details here.
• Version 1.0 supports MSSQL only; later versions will add support for Oracle
• The database user entered here should match the “NFuse Enterprise system user” created during installation
Select the Primary Account Authority Type
• The ESN server must belong to an NT4, Active Directory, NDS or NIS domain. Select the authority type from the drop-down menu and provide additional details if necessary.
• Users will log into NFuse Enterprise using credentials from this authority
• Accounts from this authority can be mapped to accounts in other domains
Define ESN Administrators Group
• As with the CMC, a group of administrators is recognized as having authority to alter ESN settings. Select a group from the drop-down menu.
• In order to add MetaFrame farms to the ESN site or make any other behavioral changes, you must log into the admin site as a user who belongs to this group.
Log in to /NFuseEnterprise/admin/login
• After completing the first-time setup screens, you can log in as an NFuse Enterprise administrator.
• You must log in with an account that belongs to the group selected on the previous screen
Log in to configure ESN preferences
ESN Administration - Overview
ESN Administration - Farms
ESN Administration - Appearances
ESN Administration – Global Settings
Configure ESN administrators, single sign-on
• To enable single sign-on, add the following line to NFuse.conf:
NFuseEnterprisePassword=secret
• Enable only “Windows Authentication” in IIS on the /Citrix/NFuseEnterprise folder
• Enable the “Allow web-server based authentication” checkbox, add the IP address of the NFuse web server (127.0.0.1) and its password as a Presentation Tier Identity
More detail: Single Sign-On
[Diagram labels: XML, NFuse 1.61, MetaFrame Farm, ESN, IIS, HTTP]
• NFuse.conf configured with an NFuseEnterprisePassword entry
• IIS, set for Integrated Windows Authentication, triggers NTLM authentication at the web server. IIS now knows the username
• Workstation, already authenticated to the Domain, visits website using Internet Explorer
• Web server identified by ESN as a Presentation Tier Identity. App icons are returned to the user
• ICA clients must be configured to use Desktop Credentials Pass-Through
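One way to check the single sign-on settings above, added as an example and not part of the Citrix material: it flags the slide's sample password left in place and any Presentation Tier Identity other than the local web server. The key=value parsing, the '#' comment handling, the extra sample values and the 16-character minimum are assumptions.

```python
# Added illustration: lint the single sign-on settings listed above.
# Assumptions: NFuse.conf holds key=value lines with '#' comments, and the
# 16-character minimum is a local policy choice, not a Citrix requirement.
import ipaddress

SAMPLE_VALUES = {"secret", "password", "changeme"}  # "secret" is the slide's sample
MIN_LENGTH = 16


def parse_conf(text):
    """Return the key=value settings of an NFuse.conf-style file as a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_sso(conf_text, presentation_tier_ips):
    """Return findings for the shared secret and the Presentation Tier Identity list."""
    findings = []
    secret = parse_conf(conf_text).get("NFuseEnterprisePassword")
    if secret is None:
        findings.append("NFuseEnterprisePassword is not set")
    elif secret.lower() in SAMPLE_VALUES:
        findings.append("NFuseEnterprisePassword is a sample value")
    elif len(secret) < MIN_LENGTH:
        findings.append("NFuseEnterprisePassword is shorter than the local minimum")
    for ip in presentation_tier_ips:
        # In 1.0, NFuse and ESN share one server, so only loopback is expected.
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"Presentation Tier Identity {ip} is not loopback")
    return findings


# Constructed sample inputs; ExampleSetting is a placeholder key.
AS_ON_SLIDE = "# constructed sample\nExampleSetting=1\nNFuseEnterprisePassword=secret\n"
HARDENED = "NFuseEnterprisePassword=Xq7vR2mTz9LpW4sKdB8n\n"

if __name__ == "__main__":
    print(audit_sso(AS_ON_SLIDE, ["127.0.0.1", "10.0.0.25"]))
    print(audit_sso(HARDENED, ["127.0.0.1"]))
```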
ESN Administration – Group Settings
Configure Independent Group Default Settings
• Each domain group can be given its own set of defaults for home farm, appearance, window size, color depth, audio and encryption, including whether to allow users an override option
ESN Administration – Event log
• Events are stored in the ESN database and can be searched/filtered for recent events.
Sample HTML event log
ESN Administration – Online Help
The end-user view
Users sign on to the primary domain
http://<ESN_server>/Citrix/NFuseEnterprise/
• End users connect to the URL shown above
• If single sign-on has not been enabled, users will be prompted to sign on using credentials from the authority to which the ESN server belongs
Viewing applications
• Applications from foreign domains with manual account mapping will not appear until the user provides credentials for those domains
• Users can choose between tree view or folder view
• App list can be searched for keywords
End-user Settings
If permitted by the admin, users can alter settings
Changing passwords, expired or not
Manage primary and secondary IDs
• Click the ‘Edit Table’ button to manage login IDs in foreign domains
• If your primary password has expired, you are prompted by the web server to change it
• After signing on, you can click the User IDs tab to change your