Citrix Access Gateway Standard Edition Administrator’s Guide. Citrix Access Gateway 4.6, Standard Edition Model 2000 Series


Citrix Access Gateway™ 4.6, Standard Edition

Model 2000 Series


the End User License Agreement is included with the installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2003-2009 Citrix Systems, Inc. All rights reserved.

Citrix and ICA (Independent Computing Architecture) are registered trademarks and Citrix Access Gateway is a trademark of Citrix Systems, Inc. in the United States and other countries.

RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.

This product includes software developed by Expat XML Parser © 1999 - 2009

This product includes software developed by Internet Systems Consortium © 2001 - 2009

This product includes software developed by Free Software Foundation, Inc. © 2007

This product includes software developed by the Independent JPEG Group © 1991 - 1998

This product includes software developed by libpng.org © 1995 - 2009

This product includes software developed by the OpenLDAP Foundation © 1998 - 2008

This product includes software developed by the OpenSSL Project © 1998 - 2008

This product includes zlib software developed by Jean-loup Gailly and Mark Adler © 1995 - 2005

This product includes software developed by SilverStripe Limited © 2006 - 2009

Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2003-2006 Macrovision Corporation and/or Macrovision Europe Ltd. All rights reserved.

Apache Software Foundation

Copyright © 2009 Citrix Systems, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.

Portions of this software are based in part on the work of the Independent JPEG Group.

Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.

Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries.

Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.

Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation.

All other trademarks and registered trademarks are the property of their respective owners.


Contents

Chapter 1

Introduction

How to Use This Guide . . . .11

Document Conventions . . . .11

Getting Service and Support. . . .12

Subscription Advantage . . . .13

Knowledge Center Alerts . . . .13

Education and Training . . . .13

Terminology Changes. . . .14

Chapter 2

Introducing Citrix Access Gateway

Access Gateway Technologies . . . .15

Access Gateway Modes of Operation . . . .16

Functions of the Access Gateway. . . .16

New Features in this Release . . . .17

Changes to Access Gateway Functions . . . .18

Chapter 3

Planning Your Deployment

Deploying the Access Gateway . . . .19

Access Gateway in the Network DMZ . . . .20

Installing the Access Gateway in the DMZ . . . .20

Access Gateway Connectivity in the DMZ . . . .21

Access Gateway in a Secure Network . . . .21

Access Gateway Connectivity in a Secure Network . . . .22

Planning for Security with the Access Gateway . . . .22

Configuring Secure Certificate Management . . . .22

Authentication Support . . . .23

Deploying the Access Gateway with Citrix XenApp or Citrix XenDesktop . . . . .24

Deploying the Access Gateway in a Double-Hop DMZ . . . .24

Deploying Additional Appliances for Load Balancing and Failover . . . .25


Deploying Access Gateway Advanced Edition. . . 26

Configuring Multiple Servers in an Access Server Farm . . . 27

Chapter 4

Installing the Access Gateway for the First Time

Getting Ready to Install the Access Gateway . . . 29

Materials and Information Needed for Installation . . . 29

Setting Up the Access Gateway Hardware . . . 31

Configuring TCP/IP Settings for the Access Gateway . . . 31

Configuring TCP/IP Settings Using the Serial Console . . . 32

Configuring TCP/IP Settings Using Network Cables . . . 34

Configuring TCP/IP Settings for a Double-Hop Deployment. . . 36

Restarting the Access Gateway . . . 37

Chapter 5

Configuring the Access Gateway for Your Network Environment

Installing Licenses . . . 39

Access Gateway License Types . . . 40

Finding Licensing Statistics . . . 40

Obtaining Your License Files. . . 42

Configuring Licenses for Multiple Appliances . . . 43

Downloading License Logs . . . 44

Refreshing Licensing Information . . . 44

Updating Existing Licenses . . . 44

Licensing Grace Period. . . 45

Testing Your License Installation . . . 45

Creating and Installing Certificates . . . 46

Overview of the Certificate Signing Request. . . 46

Installing a Certificate and Private Key from a Windows Computer . . . 49

Installing Root Certificates on the Access Gateway . . . 50

Installing Multiple Root Certificates . . . 50

Configuring Additional Network Settings. . . 51

Configuring Name Service Providers . . . 51

Editing the HOSTS File . . . 52

Configuring Dynamic and Static Routes . . . 53

Configuring the Date and Time on the Access Gateway . . . 57

Configuring a Network Time Protocol Server. . . 57

Using the Default Portal Page . . . 58


Chapter 6

Configuring Authentication and Authorization

Choosing When to Configure Authentication on the Access Gateway . . . 62

Configuring Authentication on the Access Gateway . . . 62

Configuring the Default Realm . . . 64

Creating Additional Realms . . . 66

Configuring Local Authentication. . . 67

Configuring Local Users . . . 68

Adding Users to Multiple Groups . . . 68

Changing Password for Users . . . 69

Configuring LDAP Authentication and Authorization . . . 69

Configuring LDAP Authorization . . . 73

LDAP Authorization Group Attribute Fields. . . 74

Using Certificates for Secure LDAP Connections. . . 76

Determining Attributes in your LDAP Directory . . . 76

Configuring RADIUS Authentication and Authorization. . . 77

RADIUS Authorization . . . 79

Choosing RADIUS Authentication Protocols . . . 80

Configuring RSA SecurID Authentication . . . 80

Configuring RSA Settings for a Cluster. . . 83

Resetting the Node Secret. . . 83

Configuring Secure Computing SafeWord Authentication . . . 84

Configuring SafeWord Settings on the Access Gateway . . . 84

Configuring Authorization with SafeWord . . . 85

Configuring Gemalto Protiva Authentication . . . 86

Configuring Gemalto Protiva Settings . . . 86

Configuring NTLM Authentication and Authorization . . . 87

Configuring NTLM Authorization. . . 88

Configuring Advanced Options for Authentication . . . 89

Configuring the User Name Prefix. . . 89

Configuring Authentication to use One-Time Passwords . . . 90

Hiding the Verify Response Prompt . . . 90

Configuring Double-Source Authentication . . . 90

Changing Password Labels . . . 92

Chapter 7

Configuring Network Access and Group Resources

Configuring Network Routing. . . 93

Providing Network Access to Users . . . 94


Configuring User Groups. . . 97

Configuring Access Control Lists . . . 97

Creating Local User Groups. . . 97

Configuring Resource Groups . . . 98

Creating User Groups . . . 99

Default Group Properties . . . 100

Configuring Resources for a User Group . . . 100

Configuring User Membership in Multiple Groups . . . 101

Configuring Network Resources . . . 102

Allowing and Denying Network Resources and Application Policies . . . 104

Setting Application Policies. . . 105

Configuring Endpoint Policies and Resources . . . 107

Building an Endpoint Policy for a Group . . . 109

Setting the Priority of Groups . . . 111

Configuring Pre-Authentication Policies . . . 112

Configuring the Access Gateway to work with Citrix Branch Repeater . . . 113

Chapter 8

Configuring User Connections for Citrix Access Gateway Plug-in

System Requirements. . . 116

Operating Systems . . . 116

Web Browsers. . . 116

How User Connections Work . . . 116

Establishing the Secure Tunnel . . . 117

Tunneling Private Network Traffic over Secure Connections . . . 117

Terminating the Secure Tunnel and Returning Packets to the Client . . . 119

Supporting the Access Gateway Plug-in . . . 120

Configuring Proxy Servers for the Access Gateway Plug-in . . . 121

Installing the Access Gateway Plug-in Using the Microsoft Installer (MSI) Package . . . 122

Installing the MSI Package Using Group Policy . . . 122

Installing the MSI Package Using Advertisement. . . 123

Configuring Single Sign-on with Windows Operating System . . . 124

Connecting with Earlier Versions of the Access Gateway Plug-in . . . 125

Upgrading Earlier Versions of the Access Gateway Plug-in. . . 125

Connecting Using a Web Address. . . 126

Logging on Using the Access Gateway Plug-in . . . 127

Installing the Access Gateway Plug-in for Linux . . . 130


Configuring Other Group Properties . . . 133

Enabling IP Pooling . . . 133

Enabling Split DNS . . . 134

Enabling Internal Failover . . . 134

Enabling Domain Logon Scripts . . . 135

Enabling Access Gateway Plug-in Session Time-Outs . . . 136

Configuring Web Session Time-Outs . . . 137

Requiring Client Certificates for Authentication. . . 137

Defining Client Certificate Criteria . . . 138

Using Client Certificates with Access Gateway Advanced Edition . . . 139

Installing Root Certificates . . . 139

Obtaining a Root Certificate from a Certificate Authority . . . 139

Installing Root Certificates on a Client Device . . . 140

Selecting an Encryption Type for Client Connections . . . 140

Chapter 9

Configuring Logon and Portal Pages for Citrix Access Gateway Plug-in

Configuring Access Gateway Logon Pages . . . 143

Enabling Logon Page Authentication . . . 143

Customizing the Logon Page . . . 144

Access Gateway Portal Page Templates . . . 145

Downloading and Working with Portal Page Templates . . . 146

Installing Custom Portal Page Files . . . 147

Choosing a Portal Page for a Group. . . 147

Configuring a Portal Page with Multiple Logon Options . . . 148

Logging On When Pre-Authentication Policies are Configured . . . 149

Chapter 10

Maintaining the Access Gateway

Access Gateway Administration Tools . . . 151

The Administration Tool . . . 152

The Administration Portal . . . 153

Upgrading the Access Gateway Software . . . 156

Installing the Software Upgrade. . . 157

Reinstalling the Access Gateway Software. . . 158

Reinstalling the Software on the Model 2000 . . . 158

Reinstalling the Software on the Model 2010 . . . 158

Saving and Restoring the Access Gateway Configuration . . . 160

Restarting and Shutting Down the Access Gateway. . . 161

Restarting the Access Gateway . . . 161


Initializing the Access Gateway. . . 162

Allowing ICMP Traffic . . . 163

Configuring Third-Party Personal Firewalls . . . 163

McAfee Personal Firewall Plus . . . 164

Norton Personal Firewall . . . 164

Sygate Personal Firewall (Free and Pro Versions) . . . 165

Tiny Personal Firewall . . . 165

ZoneAlarm Pro . . . 165

Chapter 11

Installing Additional Access Gateway Appliances

Creating a Cluster of Access Gateway Appliances. . . 168

Configuring Multiple Appliances to Use a Load Balancer. . . 171

Configuring Load Balancing . . . 172

Configuring Access Gateway Appliances to Operate behind a Load Balancer . . . 172

Configuring Load Balancing with Advanced Access Control . . . 175

Configuring Access Gateway Failover . . . 175

Appendix A

Monitoring the Access Gateway

Viewing and Downloading System Message Logs. . . 178

Viewing Access Gateway Plug-in Connection Logs. . . 179

Forwarding System Messages to a Syslog Server . . . 179

Enabling and Viewing SNMP Logs . . . 180

Multi Router Traffic Grapher Example . . . 180

Viewing System Statistics . . . 181

Monitoring Access Gateway Operations. . . 182

Appendix B

Securing Connections with Digital Certificates

Introduction to Security Protocols, Cryptography, and Digital Certificates. . . 185

Introduction to Security Protocols . . . 185

Introduction to Cryptography. . . 186

Digital Certificates and Certificate Authorities . . . 188

Getting Certificates . . . 191

If Your Organization Is its Own Certificate Authority . . . 192

If Your Organization Is not its Own Certificate Authority . . . 192

Getting Server Certificates. . . 192


Using Windows Certificates . . . 193

Unencrypting the Private Key . . . 194

Converting to a PEM-Formatted Certificate . . . 194

Combining the Private Key with the Signed Certificate . . . 195

Generating Trusted Certificates for Multiple Levels . . . 196

Requiring Certificates for Internal Connections . . . 197

Using Wildcard Certificates. . . 197

Appendix C

Examples of Configuring Network Access

Configuration Examples . . . 200

Scenario for Configuring LDAP Authentication and Authorization . . . 201

Preparing for the LDAP Authentication and Authorization Configuration . . 201

Configuring the Access Gateway to Support Access to the Internal Network Resources . . . 206

Scenario for Creating Guest Accounts Using the Local Users List . . . 215

Creating a Guest User Authentication Realm . . . 216

Creating Local Users . . . 217

Creating and Assigning a Network Resource to the Default User Group. . . . 217

Scenario for Configuring Local Authorization for Local Users . . . 218

Appendix D

Troubleshooting the Access Gateway

Troubleshooting Web Interface Connections . . . 221

Web Interface Appears without Typing Credentials . . . 221


Other Issues . . . 222

License File Does not Match Access Gateway . . . 222

Defining Accessible Networks Subnet Restriction . . . 223

Virtualization Software . . . 223

ICMP Transmissions . . . 223

Ping Command . . . 223

LDAP Authentication . . . 223

Endpoint Policies . . . 224

Network Resources . . . 224

Internal Failover . . . 224

Certificate Signing . . . 224

Certificate Revocation Lists . . . 225

Network Messages to Non-Existent IPs. . . 225

The Access Gateway Does not Start and the Serial Console Is Blank . . . 225

The Administration Tool Is Inaccessible . . . 225

Devices Cannot Communicate with the Access Gateway. . . 225

Using Ctrl-Alt-Delete to Restart the Access Gateway Fails . . . 226

SSL Version 2 Sessions and Multilevel Certificate Chains. . . 226

H.323 Protocol . . . 226

Certificates Using 512-Bit Keypairs . . . 226

Unable to Restrict Drive Mapping with an Application Policy. . . 226

Citrix Access Gateway Plug-in . . . 227

Access Gateway Plug-in Connections with Windows XP . . . 227

DNS Name Resolution Using Named Service Providers . . . 227

Auto-Update Feature . . . 227

Client Connections from a Windows Server 2003 . . . 227

NTLM Authentication . . . 227

WINS Entries . . . 227


Introduction

How to Use This Guide

This user guide is intended for system administrators responsible for installing and configuring the Access Gateway. This document assumes that the Access Gateway is connected to an existing network and that the administrator has experience configuring that network.

The configuration steps in this document assume that the Access Gateway is deployed as a standalone appliance and that users connect directly to the Access Gateway.

This user guide also has information for configuring the Access Gateway to work with Access Gateway Advanced Edition. For more information, see “Deploying Access Gateway Advanced Edition” on page 26.

Document Conventions

Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention Meaning

Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.

Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.

%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.

Monospace: Text displayed in a text file.

[ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.

| (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.

… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSN partner at http://support.citrix.com/.

In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment

• An online product documentation library

• Interactive support forums for every Citrix product

• Access to the latest hotfixes and service packs

• Security bulletins

• Online problem reporting and tracking (for organizations with valid support contracts)

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.


Subscription Advantage

Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information.

You can find more information on the Citrix Web site at http://www.citrix.com. On the home page, click Support > Subscription Advantage.

You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Knowledge Center Alerts

The Citrix Knowledge Center allows you to configure alerts, which notify you when the topic you are interested in is updated. You can set an alert on product categories. When there are updates to the product, you are notified of the update. To set up an alert, log on to the Citrix Support Web site at

http://support.citrix.com/. After you are logged on, under Products, select a product. Under Alerts, click Add to your Alerts. To remove an alert, go to the Knowledge Center product and click Remove from your Alerts.

Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.


Terminology Changes

There are several name changes you need to be aware of for client software and Citrix product names. The following list contains updated terminology used in this document.

• Access Gateway with Advanced Access Control is now Access Gateway Advanced Edition

• Access Suite Console is now Access Management Console

• Secure Access Client is now Access Gateway Plug-in

• Citrix Presentation Server is now Citrix XenApp

Related Documentation

For additional information about the Access Gateway, refer to the following guides:

• Getting Started with Citrix Access Gateway Standard Edition

• Citrix Access Gateway Standard Edition Pre-Installation Checklist

• Citrix Access Gateway Standard Edition Integration Guide with Citrix XenApp and Citrix XenDesktop

• Citrix Access Gateway Standard Edition Readme


Introducing Citrix Access Gateway

Citrix Access Gateway is a secure application access solution that provides administrators granular application-level policy and action controls to secure access to applications and data while allowing users to work from anywhere. It gives IT administrators a single point of control and tools to help ensure compliance with regulations and the highest levels of information security across and outside the enterprise. At the same time, it empowers users with a single point of access, optimized for roles, devices, and networks, to the enterprise applications and data they need. This unique combination of capabilities helps maximize the productivity of today’s mobile workforce.

In This Chapter

• Access Gateway Technologies

• Access Gateway Modes of Operation

Access Gateway Technologies

The Access Gateway is quick and easy to deploy and simple to administer. The most typical deployment configuration is to locate the Access Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer or in a double-hop DMZ, are also supported. The first time the Access Gateway is started, use the Access Gateway Administration Tool to configure the basic settings that are specific to your internal network, such as the IP address, subnet mask, default gateway IP address, and DNS address. After you complete the basic connection, you then configure the settings specific to Access Gateway operation, such as the options for authentication, authorization, and group-based access control, endpoint resources and policies, portal pages, and IP pools.

For more information about installing the Access Gateway, see Getting Started with Citrix Access Gateway Standard Edition or “Installing the Access Gateway for the First Time” on page 29.

Access Gateway Modes of Operation

The Access Gateway can be used in one of three ways:

• Connections through the appliance only. In this scenario, the Access Gateway is installed as a standalone appliance in the DMZ. Users connect directly to the Access Gateway using Citrix Access Gateway Plug-in and then have access to network resources, such as email and Web servers.

• Connections using the Web Interface, Citrix XenApp or Citrix XenDesktop. In this scenario, users log on to the Web Interface and then are connected to their applications on XenApp or published desktops on XenDesktop. Depending on how the Access Gateway is deployed with XenApp, users can connect with just Citrix XenApp Plug-ins (the new name for Citrix Presentation Server Clients), Access Gateway Plug-in, or have simultaneous connections using both plug-ins. Users connect to published desktops using Citrix Desktop Receiver. For more information, see Citrix Access Gateway Standard Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

Note: Installation of either the Desktop Receiver or the Desktop Receiver Embedded Edition on the same computer as XenApp plug-ins (client-side software for Citrix XenApp) is not supported. If you want your users to be able to access both virtual desktops and virtual applications from the same computer, Citrix recommends installing XenApp plug-ins on the virtual desktops that you create with XenDesktop. This allows your virtual desktops to receive virtual applications.

• Connections using Access Gateway Advanced Edition. In this scenario, the Access Gateway is installed in the DMZ. Initial TCP/IP settings for the appliance are configured during installation of the appliance. Advanced settings to manage the Access Gateway are configured using the Access Management Console included with Access Gateway Advanced Edition. For more information, see “Deploying Access Gateway Advanced Edition” on page 26 or the Citrix Access Gateway Advanced Edition Administrator’s Guide.

Functions of the Access Gateway

The Access Gateway performs the following functions:

• Authentication

• Access control (based on permissions)

• Data traffic relay (only after the preceding functions succeed)

As a standalone appliance in the DMZ, the Access Gateway operates as follows:

• A remote user downloads the Access Gateway Plug-in by connecting to a secure Web address and providing authentication credentials.

• After downloading the Access Gateway Plug-in, the user logs on. When the user successfully authenticates, the Access Gateway establishes a secure tunnel.

• As the remote user attempts to access network resources across the VPN tunnel, the Access Gateway Plug-in encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Access Gateway.

• The Access Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Access Gateway sends traffic back to the remote computer over the same secure tunnel.

New Features in this Release

This release of Access Gateway Standard Edition includes the following new features:

• New Operating System. The operating system on the Access Gateway is updated.

Important: With this update, upgrading from earlier versions of the Access Gateway is not supported. You must perform a clean installation of Version 4.6 on the Access Gateway appliance. For more information, see “Reinstalling the Access Gateway Software” on page 158.

• Improved Management of the Access Gateway. The Administration Desktop is incorporated into the Administration Tool, allowing easier and faster monitoring of client connections.

• Support for Citrix XenDesktop. You can configure the Access Gateway to allow users to connect to published desktops. You configure the Access Gateway the same way as you would for Citrix XenApp, providing the Web Interface information configured on XenDesktop. For more information, see the Citrix Access Gateway Standard Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

• Support for Gemalto Protiva Authentication. You can configure an authentication realm to support Gemalto Protiva authentication using RADIUS-based authentication. Users log on using a code provided by a Gemalto token.

• New Access Gateway Plug-in MSI Package. Allows for centralized management and policy-based distribution of the Access Gateway Plug-in.

• Updated Access Gateway Plug-in for Linux. The Access Gateway Plug-in for Linux allows connections to the Access Gateway from any supported Linux-based client device. The plug-in supports Linux kernel 2.6.x.

• Support for XenDesktop Connection Licenses. You can install license files that only allow connections to Citrix XenDesktop. When users connect, they can only establish the session using the Citrix Desktop Receiver. Connections using the Access Gateway Plug-in are prevented. XenDesktop Connection licenses are included with Citrix XenDesktop Standard, Advanced and Enterprise editions as of June 2009. XenDesktop Platinum Edition includes the Access Gateway Universal license, which enables all Access Gateway features.

• Administration Tool Backward Compatibility. When you install the Administration Tool for Access Gateway Standard Edition Version 4.6 and you have earlier versions of the appliance installed in your network, the Version 4.6 Administration Tool allows you to configure settings on the earlier version of the appliance.

Changes to Access Gateway Functions

The following Access Gateway features are removed from the Access Gateway:

• Kiosk mode

• Desktop sharing

Planning Your Deployment

This chapter discusses deployment scenarios for the Access Gateway. You can deploy the Access Gateway at the perimeter of your organization’s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network.

This section also discusses deploying the Access Gateway with Citrix XenApp or Citrix XenDesktop. If your deployment includes Citrix XenApp, you can deploy the Access Gateway in a single-hop or double-hop DMZ configuration. A double-hop deployment is not supported with Citrix XenDesktop. For more information about deploying the Access Gateway with a server farm, see the Citrix Access Gateway Standard Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

In This Chapter

• Deploying the Access Gateway

• Access Gateway in the Network DMZ

• Access Gateway in a Secure Network

• Planning for Security with the Access Gateway

• Deploying the Access Gateway with Citrix XenApp or Citrix XenDesktop

• Deploying the Access Gateway in a Double-Hop DMZ

• Deploying Additional Appliances for Load Balancing and Failover

• Deploying Access Gateway Advanced Edition

Deploying the Access Gateway

This section discusses the following Access Gateway deployments:

• Deploying the Access Gateway in a secure network that does not have a DMZ

• Deploying additional Access Gateway appliances to support load balancing and failover

Access Gateway in the Network DMZ

Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization’s secure internal network and the Internet (or any external network). When the Access Gateway is deployed in the DMZ, users access it using Citrix Access Gateway Plug-in or Citrix XenApp Plug-ins (the new name for Citrix Presentation Server Clients).

Access Gateway deployed in the DMZ

Installing the Access Gateway in the DMZ


Access Gateway Connectivity in the DMZ

When you deploy the Access Gateway in the DMZ, client connections must traverse the first firewall to connect to the Access Gateway. By default, connections use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.

Note: You can change the port client devices use to connect to the Access

Gateway by altering the port setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using Network Cables” on page 34. The Access Gateway decrypts the SSL connections from the device and

establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a Web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Access Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external client devices.

The Access Gateway administrative tools available on the Access Gateway also listen for connections on these ports:

• Port 9001 - Connections to the Administration Portal occur on this port

• Port 9002 - Connections to the Administration Tool occur on this port
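To make the port model above concrete, here is an added Python example (not Citrix code) that derives the allow rules each of the two firewalls needs from the list of internal resources external users are authorized to reach, and then audits a rule set against that model. The audit checks (administrative ports 9001/9002 opened on the first firewall, second-firewall rules not sourced from the appliance) are this editor's additions rather than rules stated by the guide; the appliance address 192.0.2.10 and the resources are constructed sample values.

```python
"""Firewall rules implied by an Access Gateway DMZ deployment.

Added model of the two-firewall DMZ described in this chapter; not Citrix
code. Addresses, resource names and ports below are constructed examples.
"""
from dataclasses import dataclass
from typing import List

DEFAULT_CLIENT_PORT = 443                      # SSL from client devices (configurable)
ADMIN_PORTS = {9001: "Administration Portal",   # listeners on the appliance itself
               9002: "Administration Tool"}


@dataclass(frozen=True)
class Resource:
    """An internal resource that external users are authorized to access."""
    name: str
    host: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One allow rule. firewall is 'first' (Internet -> DMZ) or 'second' (DMZ -> internal)."""
    firewall: str
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def derive_rules(gateway_ip: str, resources: List[Resource],
                 client_port: int = DEFAULT_CLIENT_PORT,
                 redirect_port_80: bool = False) -> List[Rule]:
    """Return the minimal allow rules for a DMZ deployment.

    First firewall: only the client SSL port toward the appliance (plus port 80
    when the 'redirect requests for port 80 to a secure port' setting is on).
    Second firewall: one rule per authorized resource, sourced from the
    appliance, because it opens those connections on the clients' behalf.
    """
    rules = [Rule("first", "any", gateway_ip, client_port)]
    if redirect_port_80:
        rules.append(Rule("first", "any", gateway_ip, 80))
    for res in resources:
        rules.append(Rule("second", gateway_ip, res.host, res.port, res.proto))
    return rules


def audit_rules(rules: List[Rule], gateway_ip: str) -> List[str]:
    """Flag rules that widen the two-firewall model described in the chapter.

    Two checks (added here, not stated by the guide): administrative listeners
    (9001/9002) opened on the first firewall, and second-firewall rules whose
    source is not the appliance.
    """
    findings = []
    for rule in rules:
        if rule.firewall == "first" and rule.dst == gateway_ip and rule.port in ADMIN_PORTS:
            findings.append(f"{ADMIN_PORTS[rule.port]} (port {rule.port}) "
                            "exposed through the first firewall")
        if rule.firewall == "second" and rule.src != gateway_ip:
            findings.append(f"second-firewall rule to {rule.dst}:{rule.port} "
                            f"allows source {rule.src}, not only the appliance")
    return findings


def render(rules: List[Rule]) -> List[str]:
    """Human-readable rule lines, one per rule, for a firewall change request."""
    return [f"{r.firewall:6} allow {r.proto} {r.src} -> {r.dst}:{r.port}" for r in rules]


if __name__ == "__main__":
    # Constructed example: appliance 192.0.2.10 in the DMZ, two internal resources.
    gw = "192.0.2.10"
    resources = [Resource("intranet web", "10.0.0.5", 80),
                 Resource("mail (IMAPS)", "10.0.0.6", 993)]
    rules = derive_rules(gw, resources, redirect_port_80=True)
    print("\n".join(render(rules)))
    # A convenience rule an administrator might add, and what the audit says about it:
    rules.append(Rule("first", "any", gw, 9002))
    print("\n".join(audit_rules(rules, gw)) or "no findings")
```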

Access Gateway in a Secure Network


Access Gateway deployed in a secure network

Access Gateway Connectivity in a Secure Network

When an Access Gateway is deployed in the secure network, Access Gateway Plug-in connections must traverse the firewall to connect to the Access Gateway. By default, client connections use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.

Note: You can change the port on which client devices connect to the Access Gateway by altering the port setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using Network Cables” on page 34.

Planning for Security with the Access Gateway

When planning any type of Access Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand.

Configuring Secure Certificate Management

By default, the Access Gateway includes a self-signed SSL server certificate that enables it to complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments.


If you deploy the Access Gateway in any environment where the Access Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on the Access Gateway. For more information about root certificates, see “Installing Root Certificates on the Access Gateway” on page 50.

For example, if you deploy the Access Gateway with Citrix XenApp and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway.

For more information, see “Creating and Installing Certificates” on page 46 and “Securing Connections with Digital Certificates” on page 185.

Authentication Support

You can configure the Access Gateway to authenticate users and control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying the Access Gateway, your network environment should have the directories and authentication servers in place to support one of these authentication types:

• LDAP

• RADIUS

• RSA SecurID

• NTLM

• Secure Computing SafeWord products

• Gemalto Protiva

If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory.


Deploying the Access Gateway with Citrix XenApp or Citrix XenDesktop

When deploying the Access Gateway to provide secure remote access to Citrix XenApp or XenDesktop, the Access Gateway works with the Web Interface and the Secure Ticket Authority (STA) to provide access to published applications and desktops hosted in a server farm.

The configuration of your organization’s network determines where you deploy the Access Gateway when it operates with a server farm. There are two options:

• If your organization protects the internal network with a single DMZ, deploy the Access Gateway in the DMZ.

• If your organization protects the internal network using two DMZs, deploy one Access Gateway in each of the two network segments in a double-hop DMZ configuration. This configuration is only supported with Citrix XenApp.

For more information about deploying the Access Gateway with a server farm or in a double-hop DMZ, see the Citrix Access Gateway Standard Edition Integration Guide with Citrix XenApp and Citrix XenDesktop.

Deploying the Access Gateway in a Double-Hop DMZ

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.

You can deploy the Access Gateway in a double-hop DMZ configuration to provide a single point-of-access to a server farm residing in an internal network. With this configuration, you must deploy two Access Gateway appliances: one in the first stage of the DMZ and one in the second stage of the DMZ.

Important: When the Access Gateway is deployed in a double-hop scenario,


Deploying Additional Appliances for Load Balancing and Failover

You can install multiple Access Gateway appliances into your environment for one or both of these reasons:

Scalability. If you have a large remote user population, install additional Access Gateway appliances to accommodate the user load.

High Availability. If an Access Gateway fails, you can install additional Access Gateway appliances to ensure that the internal network remains available to remote users.

Note: To support only high availability, you can configure one Access Gateway as the primary Access Gateway and one (or more) Access Gateway appliance as a failover device. If the primary Access Gateway fails, client connections are directed to the failover Access Gateway. For more information about this configuration, see “Installing Additional Access Gateway Appliances” on page 167.

Deploying Access Gateway Appliances behind a Load Balancer


Multiple Access Gateway appliances deployed behind a load balancer

For detailed information about deploying multiple Access Gateway appliances behind a load balancer, see “Installing Additional Access Gateway Appliances” on page 167.

Deploying Access Gateway Advanced Edition


Caution: When you select Advanced Access Control for managing the Access Gateway, the corresponding settings in the Administration Tool are deactivated. If you configured these settings with the Administration Tool before selecting Advanced Access Control, you must configure these settings again using the Access Management Console. For more information about configuring these settings in the console, see the Citrix Access Gateway Advanced Edition Administrator’s Guide.

If you disable administration with Advanced Access Control, settings in the Access Management Console are deactivated and existing configuration values are removed. Settings that were previously configured on the Access Gateway are restored.

To enable Advanced Access Control

1. On the Access Gateway Cluster tab, select an Access Gateway and click the Advanced Options tab.

2. Click Advanced Access Control.

3. In Server running Advanced Access Control, type the IP address or fully qualified domain name (FQDN) of the server that is running the Access Management Console.

4. To encrypt communication between the Access Gateway and the server running Advanced Access Control, select Secure server communication.

5. Click Submit.

The server or servers that are configured to connect to the Access Gateway appear in Servers Running Advanced Access Control. To remove a server from the list, select the server and then click Remove.

Configuring Multiple Servers in an Access Server Farm


To specify the retry interval for a server running Advanced Access Control

1. Click the Access Gateway Cluster tab and then click the Advanced Options tab.

2. Type the value in Retry invalid server in access server farm every number of seconds seconds, where number of seconds is the text box and


Installing the Access Gateway for the First Time

The Access Gateway can be installed in any network infrastructure without requiring changes to the existing hardware or back-end software. It works with other networking products such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.

Citrix recommends installing the Access Gateway in the demilitarized zone (DMZ). When installed in the DMZ, the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. Typically, the private network is the internal network and the public one is the Internet. You can also use the Access Gateway to partition local area networks internally in the organization for access control and security. You can create partitions between wired or wireless networks and data and voice networks.

In This Chapter

• Getting Ready to Install the Access Gateway

• Setting Up the Access Gateway Hardware

• Configuring TCP/IP Settings for the Access Gateway

Getting Ready to Install the Access Gateway

To install the Access Gateway, verify that the contents of the box match the packing list. If an item on the packing list is missing from the box, contact Citrix Customer Care.

If you are installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition for instructions.

Materials and Information Needed for Installation


For initial configuration, use one of the following setups:

• A cross-over cable and a Windows computer

• Two network cables, a network switch, and a Windows computer

• A serial cable and a computer with terminal emulation software

For a connection to a local area network, use the following items:

• One network cable to connect the Access Gateway inside of a firewall or to a server load balancer

• Two network cables to connect the Access Gateway located in the demilitarized zone (DMZ) to the Internet and private networks

Citrix recommends that you use the Access Gateway Standard Edition Pre-Installation Checklist to collect the following network information for appliances:

• The Access Gateway internal IP address and subnet mask

• The Access Gateway external IP address and subnet mask

• The Access Gateway FQDN for network address translation (NAT)

• The IP address of the default gateway device

• The port to be used for connections

If connecting the Access Gateway to a server load balancer, you need the following information:

• The Access Gateway IP address and subnet mask.

• The settings of the server load balancer as the default gateway device (if required). See the load balancer manufacturer’s documentation for more information.

• The FQDN of the server load balancer to be used as the external public address of the Access Gateway.

• The port to be used for connections.

Note: The Access Gateway does not work with Dynamic Host Configuration


Setting Up the Access Gateway Hardware

This section provides procedures for setting up the Access Gateway for the first time.

To physically connect the Access Gateway

1. Install the Access Gateway in a rack if it is rack-mounted.

For more information about installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition.

2. Connect the power cord to the AC power receptacle.

3. Connect either the serial cable to a Windows computer, a cross-over cable to a Windows computer, or an RJ-45 network cable to a network switch and the Access Gateway.

4. Configure the TCP/IP settings using the instructions in “Configuring TCP/ IP Settings for the Access Gateway” on page 31.

Access Gateway connection options using a cross-over cable, a network switch, or terminal emulation

Configuring TCP/IP Settings for the Access Gateway


Configuring TCP/IP Settings Using the Serial Console

You can use the serial console to set the IP address and subnet of the Access Gateway Interface 0, as well as the IP address of the default gateway device. All other configuration must be done using the Administration Tool. You can also use the serial console to test a connection with the ping command. If you want to reach the Access Gateway through the serial console before making any configuration settings, use a serial cable to connect the Access Gateway to a computer that has terminal emulation software.

The serial console provides the following options for configuring the Access Gateway:

• [0] Express Setup configures the TCP/IP settings for Interface 0 on the Access Gateway Cluster > General Networking tab

• [1] Ping is used to ping other network devices to check for connectivity

• [2] Link Modes is used to set the duplex mode and speed mode for Interface 0 on the Access Gateway Cluster > General Networking tab

• [3] External Administration Port enables or disables connections to the Administration Tool from a remote computer

• [4] Display Log displays the Access Gateway log

• [5] Reset Certificate resets the certificate to the default certificate that comes with the Access Gateway

• [6] Change Administrative Password allows you to change the default administrator password of rootadmin

Important: Citrix recommends changing the administrator password before connecting the Access Gateway to your network. The new password can be six to 127 characters long and cannot begin or end with a space.

• [7] Help displays help information

• [8] Log Out logs off from the Access Gateway

Note: Citrix recommends using both network adapters on the appliance.


To configure TCP/IP settings using a serial cable

1. Connect the serial cable to the 9-pin serial port on the Access Gateway and connect the cable to a computer that is capable of running terminal emulation software.

2. On the computer, start a terminal emulation application such as HyperTerminal.

Note: HyperTerminal is not automatically installed on Windows 2000 Server, Windows Server 2003 or Windows Server 2008. To install HyperTerminal, use Add or Remove Programs in the Control Panel.

3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.

4. Turn on the Access Gateway. The serial console appears on the computer terminal after about three minutes.

5. If using HyperTerminal, press the Enter key.

6. On the serial console, enter the default administrator credentials. The user name is root and the password is rootadmin.

Important: Citrix recommends changing the administrator password. You can do this using the Administration Portal or the serial console.

7. To set the IP address and subnet mask and the default gateway device for Interface 0, type 0 and press Enter to choose Express Setup. After you respond to the prompts, the information you entered appears. To commit your changes, type y; the Access Gateway restarts.

8. To verify that the Access Gateway can ping a connected network device, type 1 and enter the IP address of the device.

9. Remove the serial cable and connect the Access Gateway using either a cross-over cable to a Windows computer or a network cable to a network switch.


Configuring TCP/IP Settings Using Network Cables

The Access Gateway has two network adapters installed. One network adapter communicates with the Internet and client devices that are not inside the secure network. The other network adapter communicates with the internal network. Citrix recommends that both network adapters be configured for maximum security. If only one network adapter is used, it has to be routable for internal resources using Network Address Translation (NAT). Also, if only one network adapter is used, throughput of network traffic is cut in half and can cause a bottleneck of network traffic.

You can install the Access Gateway and configure TCP/IP settings using network cables, such as two RJ-45 Ethernet network cables, or cross-over cables. The Ethernet cables are connected to a network switch and to the Access Gateway. The cross-over cables are connected to a Windows computer and the Access Gateway.

To configure the Access Gateway using cross-over or Ethernet cables, you first install the Administration Tool and then configure your settings.

To install the Administration Tool

1. Power on the Access Gateway.

After about three minutes, the Access Gateway is ready for its initial configuration with your network.

2. Open a Web browser and type https://10.20.30.40:9001 to open the Administration Portal. Use the default user name and password of root and rootadmin.

3. On the Downloads tab, under Access Gateway Administration Tool, click Install the Access Gateway Administration Tool.

Follow the prompts to complete installation.

After the Administration Tool is installed, you can then configure your network settings.

To configure network settings using the Administration Tool

1. Log on to the Administration Tool using the default user name and password.

2. On the Access Gateway Cluster tab, open the window for the Access Gateway.


Citrix recommends selecting Use both interfaces.

4. In Subnet mask, enter the subnet mask that is appropriate for the IP address entered for the interface(s).

5. In External FQDN, type the fully qualified domain name.

Important: The FQDN must match what is on the digital certificate and the license for the Access Gateway.

6. In Duplex mode select the direction of the transmission data.

The default setting is auto. You can also select full duplex or half duplex.

7. In Speed mode select the network speed of the adapter.

The default setting is Auto. You can also select 10 Mbps, 100 Mbps, or 1000 Mbps.

8. In Maximum transmission unit (MTU), select the maximum transmission unit that defines the maximum size of the transmitted packet.

The default setting is 1500.

9. In Port, select the incoming port that is used for connections. The default is 443.

10. To configure a default gateway, under Default Gateway, in IP address, type the IP address of the gateway. In Interface, select the network adapter on the Access Gateway with which the Default Gateway communicates. The IP address is for the default gateway device, such as the main router, firewall, or server load balancers, depending on your network configuration. This address should be the same as the Default Gateway setting used for computers on the same subnet.

For information about the relationship between the Default Gateway and dynamic or static routing, see “Configuring Additional Network Settings” on page 51.

11. Click Submit to save your configuration settings.


Note: You do not need to restart the Access Gateway until you complete all configuration steps. These include configuring network access for the appliance and installing certificates and licenses. For more information about configuring additional network settings, see “Configuring the Access Gateway for Your Network Environment” on page 39.

Redirecting Connections on Port 80 to a Secure Port

By default, the Access Gateway does not accept unsecure connections on port 80. If a user attempts to connect to the Access Gateway using HTTP on port 80, the connection attempt fails.

You can configure the Access Gateway to automatically redirect HTTP connection attempts on port 80 to be secure connections on port 443 (or another secure port).

If a user attempts an unsecure connection on port 80, the Access Gateway automatically converts this connection attempt into a secure (SSL-encrypted) connection on port 443.

To redirect unsecure connections

1. Click the Access Gateway Cluster tab and open the window for the Access Gateway.

2. Click the General Networking tab.

3. Click Advanced.

4. Click Redirect any requests for port 80 to a secure port and click OK.

Note: If you use the default setting of Do not accept connections on port 80, all user connection attempts on port 80 fail and there is no attempt to redirect them to port 443.

Configuring TCP/IP Settings for a Double-Hop Deployment

The Access Gateway can be installed in a double-hop DMZ scenario to provide access to a server farm. For more information about this deployment, see the


Restarting the Access Gateway

After configuring your network settings, restart the Access Gateway.

To restart the Access Gateway

1. In the Administration Tool, click the Access Gateway Cluster tab and open the window for the Access Gateway.

2. On the Administration tab, next to Restart the appliance, click Restart.

-or-

Click the Action menu and click Restart appliance name, where appliance name is the name of the Access Gateway.

You can also restart the Access Gateway from the Administration Portal.

To restart the Access Gateway from the Administration Portal


Configuring the Access Gateway for Your Network Environment

After the initial TCP/IP settings are configured on the Access Gateway, you then need to configure the appliance for your network environment.

In this Chapter

• Installing Licenses

• Creating and Installing Certificates

• Configuring Additional Network Settings

• Configuring the Date and Time on the Access Gateway

• Using the Default Portal Page

Installing Licenses

Access Gateway licensing limits the number of concurrent user sessions to the number of licenses purchased. If you purchase 100 licenses, you can have 100 concurrent users logged on at any time. When a user logs off, that license is released for the next user. A user who logs on to the Access Gateway from more than one computer counts as two users and occupies two licenses.

When all of the licenses are in use, no additional connections can be opened until a user logs off or the administrator uses the Administration Tool to close a connection, thereby releasing a license.


If you have multiple appliances in your network, one Access Gateway is the licensing server, allocating licenses to the other appliances. When a user logs on to an appliance on the network, the license is pulled from the Access Gateway that is the licensing server. If you have a cluster, the installed licenses are not published to the other appliances. For more information about using licenses with multiple appliances, see “Configuring Licenses for Multiple Appliances” on page 43.

Important: The host name in the license file must match exactly the host name on the Access Gateway, including letter case.

If you are using Access Gateway Advanced Edition, licensing functionality is handled by the Citrix License Server. For more information about licensing with Access Gateway Advanced Edition, see Getting Started with Citrix Licensing and the Access Gateway Advanced Edition Administrator’s Guide.

Access Gateway License Types

There are three types of licenses that can be installed on the Access Gateway:

• The standard license is installed on Access Gateway Standard Edition only and determines the number of users that can log on with the Access Gateway Plug-in, Citrix XenApp plugins, or Citrix Desktop Receiver.

• The universal license is installed on Access Gateway Standard Edition, Access Gateway Advanced Edition and Access Gateway Enterprise Edition and determines the number of users that can log on with the Access Gateway Plug-in, Citrix XenApp plugins, or Citrix Desktop Receiver. The Universal license is also used for clientless access connections through Access Gateway Advanced Edition and Access Gateway Enterprise Edition.

• The XenDesktop Connection license is installed on the Access Gateway and determines the number of ICA connections to Citrix XenDesktop that are allowed. These licenses are only included with XenDesktop Standard, Advanced and Enterprise as of June 2009. This license type is not for use with Citrix XenApp.

Finding Licensing Statistics

The Administration Tool shows the number of licenses in use by users. This includes licenses that are in use by the Access Gateway Plug-in and XenDesktop connections. You can find licensing information on the Access Gateway Cluster by opening the Access Gateway window and then clicking the Licensing and


Information on the Licensing Tab

On the Licensing tab, under Information about the licensing server, the information shown is from the Access Gateway that is acting as the license server. When users connect to the Access Gateway and use either an Access Gateway or XenDesktop Connection license, it appears on this tab. If you have multiple Access Gateway appliances in the cluster, the license information from all appliances is aggregated on this tab.

The Licensing tab contains the following information:

Total licenses available. The number in this field represents the total number of Access Gateway (Standard and Universal) and XenDesktop Connection licenses that are installed on the Access Gateway.

Total licenses in use. This number represents all of the licenses currently in use. This includes Access Gateway and XenDesktop Connection licenses.

ICA licenses available. This is the total number of XenDesktop Connection licenses that are installed on the Access Gateway.

ICA licenses in use. This is the total number of XenDesktop Connection licenses currently in use.

Access Gateway licenses available. This is the total number of Standard and Universal licenses installed on the Access Gateway.

Access Gateway licenses in use. This is the total number of Access Gateway licenses that are in use.

The Licensing tab also shows information about the licenses installed on the Access Gateway. This includes the total number of Access Gateway and XenDesktop Connection licenses, the Subscription Advantage expiration date, the issue and expiration dates of the licenses, the license type and the supported feature. If you have two licenses installed that have the same serial number, the files are not counted separately. The appliance that is the license server chooses one of the license files to allocate licenses to users.

Information on the Statistics Tab


Obtaining Your License Files

After you install the Access Gateway, you are ready to obtain your license files from Citrix. This process involves going to http://www.mycitrix.com/ to access your available licenses and generating a license file. When the license file is generated, download it to the computer where the Administration Tool is installed. After the license file is on the computer, you can then upload it to the Access Gateway.

Before going to the Citrix Web site, you need the following information:

The license code. You can find the code on the Access Gateway CD, in an email you receive from Citrix, or from My Citrix. If you are upgrading from an older version of the Access Gateway, you can continue to use the existing license, if the license was obtained from the Subscription Advantage Management-Renewal-Information system (SAMRI) and the Subscription Advantage date is not expired.

Your user ID and password for My Citrix. You can register for this password on My Citrix.

Note: If you cannot locate either of these items, contact Citrix Customer Care.

The FQDN of the Access Gateway. The entry field for this name on MyCitrix is case-sensitive so ensure that you copy the FQDN exactly as it appears on the Access Gateway Cluster > General Networking tab.

How many licenses you want to include in the license file. You do not have to download all of the licenses you are entitled to at once. For example, if your company purchases 100 licenses, you can choose to download 50. At a later date, you can allocate the rest in another license file. Multiple license files can be installed on the Access Gateway.

To obtain your license file

1. From a Web browser, go to http://www.citrix.com/ and click on My Citrix.

2. Enter your user name and password.

If this is your first time logging on to the site, you are asked for additional background information.

3. In My Tools, point to Choose a Toolbox and then click Activation System/Manage Licenses > View Licenses > Click to Allocate.


After you successfully download the license file to your computer, you can then install it on the Access Gateway.

To install a license on the Access Gateway

1. On the Access Gateway Cluster tab, open the window for the Access Gateway.

2. Click the Licensing tab.

3. Select Use this appliance as the license server.

4. Next to Install a license file, click Browse, navigate to the license file, and then click Open.

5. On the General Networking tab, click Submit after the license file is uploaded to the Access Gateway.

Important: Citrix recommends that you retain a local copy of all license files that you receive. When you save a backup copy of the configuration file, all uploaded license files are included in the backup. If you need to reinstall the Access Gateway server software and do not have a backup of the configuration, you will need the original license files.

Configuring Licenses for Multiple Appliances

If you installed multiple appliances in your network, select one Access Gateway to be the license server. Install the licenses on that Access Gateway, which then becomes the license server. The other appliances obtain their licenses from this Access Gateway. The other appliances on your network do not have to be a part of a cluster to connect to the license server and obtain a license. License allocation occurs for appliances regardless of their individual status in the network.

To obtain licenses from the license server

1. On the Access Gateway Cluster tab, open the window for the Access Gateway that is not the license server.

2. Click the Licensing tab.

3. Select Use a different appliance as the license server.

4. In FQDN or IP address, type the FQDN or IP address of the license server.

5. In Manager port and Vendor port change the port numbers or leave the


7. Repeat this procedure for each Access Gateway in your network that is not the license server.

The manager port makes the initial contact from the remote Access Gateway and passes it to the license server. Then, it passes communication from the manager port to the vendor port. The vendor port runs on the license server and grants the license using port number 27001. The port numbers can be changed depending on your firewall configuration. The manager port tracks the licenses that are checked out and which Access Gateway is using them.

You might need to create new firewall rules to allow network access to the license server ports.

Downloading License Logs

You can download license logs that provide you with detailed information about license use. When the logs are downloaded, they are in a compressed file named license_logs.zip.

To download license logs

1. On the Access Gateway Cluster tab, select an Access Gateway and click the Licensing tab.

2. Under Information about this Access Gateway, next to Download licensing logs, click Download All.

3. Select the location to download the .zip file and then click Save.

Once the .zip file is saved to your computer, you can extract the license logs using a compression utility such as WinZip. You can open the license files (with file extension .lic) using Notepad.

Refreshing Licensing Information

When you make changes to licensing on the Access Gateway, you can refresh the information that is displayed on the Licensing tab.

To refresh licensing information

Under Information about the licensing server, click Refresh All Information.

Updating Existing Licenses


Licensing Grace Period

When the Access Gateway is first installed, there is a four day grace period where you are entitled to two licenses. Your license must be installed on the appliance by the end of this grace period. If it is not, users cannot log on.

If the Access Gateway licensing server fails, the other appliances in the cluster have a 30-day grace period. The Access Gateway keeps the date when it last contacted the license server. Users can continue to log on during this grace period. When the license server is detected by the remote appliance, the 30-day grace period is reset. If the license server fails again, users have another 30-day grace period.
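An added Python model (not Citrix code) of the licensing rules in this section: one license per concurrent (user, computer) session, release on logoff or when an administrator closes the connection, two licenses for four days after installation, and the 30-day grace period on an appliance that loses contact with the license server, reset on the next successful contact. The dates, user names and the license count of 100 are constructed sample values.

```python
"""Concurrent-session licensing with the grace periods this chapter describes.

Added model, not Citrix code. It implements only the rules stated on the
page; the dates, users and license counts used below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

INSTALL_GRACE = timedelta(days=4)        # grace period after first installation
INSTALL_GRACE_LICENSES = 2               # licenses granted during that period
SERVER_GRACE = timedelta(days=30)        # grace when the license server is unreachable

Session = Tuple[str, str]                # (user name, client computer)


@dataclass
class Appliance:
    installed_at: datetime
    licenses: int = 0                              # count obtained from the license server
    last_server_contact: Optional[datetime] = None # date the server was last reached
    sessions: Set[Session] = field(default_factory=set)

    def sync_with_license_server(self, now: datetime, licenses: int) -> None:
        """Successful contact: record the license count and restart the 30-day clock."""
        self.licenses = licenses
        self.last_server_contact = now

    def capacity(self, now: datetime, server_reachable: bool = True) -> int:
        """Number of concurrent sessions this appliance may hold at `now`."""
        if self.licenses == 0:
            # No license file yet: two licenses for four days after installation,
            # then nobody can log on.
            return INSTALL_GRACE_LICENSES if now - self.installed_at <= INSTALL_GRACE else 0
        if server_reachable:
            self.last_server_contact = now         # contact resets the grace period
            return self.licenses
        if (self.last_server_contact is not None
                and now - self.last_server_contact <= SERVER_GRACE):
            return self.licenses                   # inside the 30-day grace period
        return 0

    def logon(self, user: str, computer: str, now: datetime,
              server_reachable: bool = True) -> bool:
        """Admit the session if a license is free. The same user on a second
        computer counts as a second user and takes a second license."""
        key = (user, computer)
        if key in self.sessions:
            return True
        if len(self.sessions) >= self.capacity(now, server_reachable):
            return False                           # all licenses in use
        self.sessions.add(key)
        return True

    def logoff(self, user: str, computer: str) -> None:
        """A user logoff, or an administrator closing the connection, frees the license."""
        self.sessions.discard((user, computer))

    def in_use(self) -> int:
        return len(self.sessions)


if __name__ == "__main__":
    t0 = datetime(2009, 6, 1)                      # constructed installation date
    ag = Appliance(installed_at=t0)
    print(ag.logon("alice", "laptop", t0), ag.logon("alice", "desktop", t0))  # True True
    print(ag.logon("bob", "pc", t0))               # False: grace pool of two exhausted
    ag.logoff("alice", "laptop")
    print(ag.logon("bob", "pc", t0))               # True: a license was released
```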

Testing Your License Installation

To test that licensing is configured correctly, create a test user and then log on using Citrix Access Gateway Plug-in and credentials that you set up for the user.

To test your configuration

1. Open the Administration Tool.

2. Click the Access Policy Manager tab.

3. Right-click the Local Users folder in the left pane and click New User.

4. In the New User dialog box, in User Name, type a user name, and in Password and Verify Password, type the same password in each field, and click OK.

5. In a Web browser, type the address of the Access Gateway using either the IP address or fully qualified domain name (FQDN) to connect to either the internal or external interface. The format should be either https://ipaddress or https://FQDN.

6. On the Citrix Access Gateway page, type the user credentials.

7. On the portal page, click Citrix Access Gateway.

If this is the first time a user connects, the Access Gateway Plug-in is downloaded and installed on the client device. After installation is complete, users must log on again using either the Web portal page or from the Start menu.
