Citrix Access Gateway Standard Edition Administrator's Guide



copy of the End User License Agreement is included on your product CD-ROM.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2005 - 2006 Citrix Systems, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture) and Program Neighborhood are registered trademarks, and Citrix Presentation Server, Access Gateway, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.

RSA © 1996-1997 RSA Security Inc., All Rights Reserved.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). AOL Instant Messenger is a registered trademark of America Online, Inc.

McAfee Personal Firewall Plus is a registered trademark of McAfee, Inc.

Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation.

ZoneAlarm is a trademark or registered trademark of Zone Labs LLC in the United States and other countries.

Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved.

Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2005 Macrovision Corporation. All rights reserved.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. SafeWord Remote Access, SafeWord for Citrix, and SafeWord PremierAccess are registered trademarks or trademarks of Secure Computing Corporation.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc. has not tested or approved this product. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Win32, Outlook, ActiveX, Active Directory, MSN Messenger, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Firefox is a trademark of the Mozilla Foundation.

BlackICE PC Protection is a trademark of Network Ice Corporation. ICQ is a trademark or servicemark of ICQ.

UNIX is a registered trademark of The Open Group. Softerra is a trademark of Softerra LLC.

Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.


Contents

Chapter 1

Introduction

How to Use This Guide . . . .13

Document Conventions . . . .13

Getting Service and Support. . . .14

Subscription Advantage . . . .15

Knowledge Center Watches . . . .15

Education and Training . . . .15

Related Documentation. . . .16

Chapter 2

Introducing Citrix Access Gateway

Access Gateway Technologies . . . .17

Access Gateway Modes of Operation . . . .18

Functions of the Access Gateway . . . .19

New Features. . . .19

Chapter 3

Planning Your Deployment

Deploying the Access Gateway . . . .23

Access Gateway in the Network DMZ . . . .24

Installing the Access Gateway in the DMZ . . . .25

Access Gateway Connectivity in the DMZ . . . .25

Access Gateway in a Secure Network . . . .25

Access Gateway Connectivity in a Secure Network . . . .26

Security Considerations . . . .26

Configuring Secure Certificate Management . . . .26

Authentication Support . . . .27

Deploying the Access Gateway with Citrix Presentation Server . . . .28

Deploying the Access Gateway in the DMZ with Citrix Presentation Server . . . .28

Deploying the Access Gateway in a Double-Hop DMZ . . . .32

Deploying Additional Appliances for Load Balancing and Failover . . . .33


Deploying Access Gateway Advanced Edition . . . .34

Multiple Servers in an Access Server Farm . . . .36

Chapter 4

Installing the Access Gateway for the First Time

Getting Ready to Install the Access Gateway . . . .37

Materials and Information Needed for Installation. . . .37

Setting Up the Access Gateway Hardware . . . .38

Configuring TCP/IP Settings for the Access Gateway . . . .39

Configuring TCP/IP Settings Using the Serial Console. . . .39

Configuring TCP/IP Settings Using Network Cables . . . .41

Configuring TCP/IP Settings for a Double-Hop Deployment . . . .44

Restarting the Access Gateway. . . .44

Chapter 5

Configuring the Access Gateway for Your Network Environment

Installing Licenses. . . .45

Obtaining Your License Files . . . .46

Configuring Licenses for Multiple Appliances . . . .48

Information about Your Licenses . . . .49

Updating Existing Licenses. . . .49

Licensing Grace Period . . . .50

Testing Your License Installation . . . .50

Creating and Installing Certificates . . . .51

Overview of the Certificate Signing Request . . . .51

Creating a Certificate Signing Request. . . .52

Installing a Certificate and Private Key from a Windows Computer . . . .55

Installing Root Certificates on the Access Gateway. . . .55

Installing Multiple Root Certificates. . . .56

Configuring Additional Network Settings . . . .57

Configuring Name Service Providers . . . .57

Editing the HOSTS File . . . .58

Configuring Dynamic and Static Routes . . . .58

Configuring the Date and Time on the Access Gateway. . . .63

Configuring a Network Time Protocol Server . . . .63

Using the Default Portal Page. . . .64

Installing Secure Access Client for Linux . . . .66


Chapter 6

Configuring Authentication and Authorization

Choosing When to Configure Authentication on the Access Gateway. . . .70

Configuring Authentication on the Access Gateway. . . .70

Configuring the Default Realm . . . .72

Creating Additional Realms . . . .73

Configuring Local Authentication . . . .74

Configuring Local Users. . . .75

Adding Users to Multiple Groups. . . .76

Changing Password for Users . . . .76

Configuring LDAP Authentication and Authorization . . . .77

Configuring LDAP Authorization . . . .81

LDAP Authorization Group Attribute Fields . . . .82

Using Certificates for Secure LDAP Connections . . . .83

Determining Attributes in your LDAP Directory. . . .83

Configuring RADIUS Authentication and Authorization . . . .85

RADIUS Authorization. . . .87

Choosing RADIUS Authentication Protocols . . . .88

Configuring RSA SecurID Authentication . . . .88

Configuring RSA Settings for a Cluster . . . .92

Resetting the Node Secret . . . .92

Configuring Secure Computing SafeWord Authentication. . . .92

Configuring SafeWord Settings on the Access Gateway. . . .93

Configuring Authorization with SafeWord . . . .94

Configuring NTLM Authentication and Authorization. . . .94

Configuring NTLM Authorization . . . .96

Configuring Double-Source Authentication . . . .97

Changing Password Labels. . . .98

Chapter 7

Configuring Network Access and Group Resources

Configuring Network Routing . . . .99

Providing Network Access to Users. . . .100

Enabling Split Tunneling and Accessible Networks . . . .101

Configuring User Groups . . . .103

Configuring Access Control Lists. . . .103

Creating Local User Groups . . . .104

Configuring Resource Groups . . . .104

Creating User Groups . . . .106


Configuring Resources for a User Group. . . .107

Configuring User Membership in Multiple Groups . . . .108

Configuring Network Resources . . . .108

Allowing and Denying Network Resources and Application Policies . . . .111

Setting Application Policies . . . .112

Configuring End Point Policies and Resources . . . .114

Configuring End Point Resources. . . .114

Building an End Point Policy for a Group . . . .116

Setting the Priority of Groups. . . .117

Configuring Pre-Authentication Policies . . . .119

Chapter 8

Configuring User Connections for Secure Access Client

System Requirements . . . .122

Operating Systems. . . .122

Web Browsers . . . .122

How User Connections Work. . . .123

Establishing the Secure Tunnel. . . .123

Tunneling Private Network Traffic over Secure Connections . . . .124

Terminating the Secure Tunnel and Returning Packets to the Client . . . .126

Supporting the Secure Access Client . . . .127

Configuring Proxy Servers for the Secure Access Client . . . .128

Configuring Secure Access Client to Work with Non-Administrative Users . . . .129

Configuring Single Sign-on with Windows Operating System . . . .129

Connecting with Earlier Versions of the Secure Access Client . . . .130

Connecting Using a Web Address . . . .131

Installing the ActiveX Helper . . . .132

Logging on Using the Secure Access Client . . . .132

Connections Using Kiosk Mode. . . .136

Creating a Kiosk Mode Resource . . . .139

Configuring Client Applications for Kiosk Mode . . . .139

Configuring File Shares for Kiosk Mode . . . .143

Configuring Authentication Requirements after Network Interruption . . . .144

Configuring Other Group Properties . . . .145

Enabling IP Pooling. . . .146

Enabling Split DNS . . . .147

Enabling Internal Failover. . . .147

Enabling Domain Logon Scripts. . . .147

Enabling Secure Access Client Session Time-Outs . . . .148

Configuring Web Session Time-Outs. . . .149


Closing and Disabling User Connections. . . .150

How the Access Gateway Handles Connections . . . .151

Closing a Connection to a Resource . . . .151

Disabling and Enabling a User . . . .152

Requiring Client Certificates for Authentication . . . .152

Defining Client Certificate Criteria. . . .153

Using Client Certificates with Access Gateway Advanced Edition . . . .155

Installing Root Certificates . . . .155

Obtaining a Root Certificate from a Certificate Authority. . . .155

Installing Root Certificates on a Client Device . . . .156

Selecting an Encryption Type for Client Connections. . . .156

Supporting Voice over IP Softphones . . . .157

Improving Voice over IP Connections . . . .158

Chapter 9

Configuring Logon and Portal Pages for Secure Access Client

Configuring Access Gateway Logon Pages. . . .159

Enabling Logon Page Authentication . . . .159

Customizing the Logon Page . . . .160

Access Gateway Portal Page Templates . . . .161

Downloading and Working with Portal Page Templates . . . .161

Including the ActiveX Control . . . .163

Installing Custom Portal Page Files . . . .163

Linking to Clients from Your Web Site . . . .164

Choosing a Portal Page for a Group . . . .165

Configuring a Portal Page with Multiple Logon Options . . . .165

Logging On Using Double-Source Authentication . . . .166

Logging On When Pre-Authentication Policies are Configured . . . .166

Chapter 10

Providing Access to Published Applications

How User Connections to a Server Farm Work. . . .168

Replacing the Secure Gateway. . . .170

Preparing to Migrate to the Access Gateway . . . .173

Migrating from the Secure Gateway to the Access Gateway. . . .174

Monitoring the Access Gateway after Installation . . . .177

Configuring the Web Interface. . . .177

Deploying the Web Interface Parallel to the Access Gateway in the DMZ . . . .177

Deploying the Web Interface behind the Access Gateway in the DMZ . . . .179


Configuring the Web Interface for Authentication . . . .180

Setting Up and Testing the Web Interface . . . .181

Configuring the Web Interface . . . .182

Configuring the Secure Ticket Authority. . . .184

Configuring ICA Access Control . . . .185

Using the Web Interface as a Logon Page . . . .186

Configuring Single Sign-On to the Web Interface. . . .187

Configuring the Access Gateway for Single Sign-On to the Web Interface . . . .188

Configuring the Web Interface for Single Sign-On . . . .189

Enabling Session Reliability. . . .191

Chapter 11

Deploying the Access Gateway in a Double-Hop Demilitarized Zone

Communication Flow in a Double-Hop DMZ Configuration . . . .195

Client Authentication. . . .195

Session Ticket Creation. . . .196

Connection Completion. . . .197

Preparing for a Double-Hop DMZ Deployment . . . .198

Supporting Load Balancing. . . .198

Using Logon Page Authentication in a Double-Hop DMZ . . . .199

Planning the Access Gateway Administration Tool Installation . . . .201

Opening Ports and Managing Certificates . . . .203

Components Required to begin the Deployment . . . .203

Installing the Access Gateway in a Double-Hop DMZ . . . .204

Step 1: Installing an Access Gateway in the First DMZ . . . .204

Step 2: Enabling or Disabling Logon Page Authentication . . . .205

Step 3: Configuring the Access Gateway to Redirect Connections to the Web Interface . . . .205

Step 4: Installing an Access Gateway in the Second DMZ . . . .207

Step 5: Configuring the Access Gateway to Communicate with the Access Gateway Proxy . . . .207

Step 6: Configuring the Access Gateway Proxy to Communicate with the Access Gateway . . . .209

Step 7: Configuring the Access Gateway to Handle Secure Ticket Authority and ICA Traffic . . . .210

Step 8: Opening the Appropriate Ports on the Firewalls . . . .211


Client Connection Process in a Double-Hop DMZ Deployment . . . .217

Client Authentication. . . .217

Session Ticket Creation. . . .218

Client Launch . . . .218

Connection Completion. . . .219

Chapter 12

Maintaining the Access Gateway

Access Gateway Administration Tools . . . .222

The Administration Tool. . . .222

The Administration Portal. . . .223

Monitoring the Access Gateway with the Administration Desktop. . . .225

Upgrading the Access Gateway Software . . . .226

Installing the Software Upgrade . . . .228

Reinstalling the Access Gateway Software . . . .228

Saving and Restoring the Access Gateway Configuration . . . .229

Restarting and Shutting Down the Access Gateway . . . .230

Restarting the Access Gateway. . . .230

Shutting Down the Access Gateway. . . .230

Initializing the Access Gateway . . . .231

Allowing ICMP Traffic . . . .231

Configuring Third-Party Personal Firewalls . . . .232

BlackICE PC Protection . . . .233

McAfee Personal Firewall Plus. . . .233

Norton Personal Firewall. . . .233

Sygate Personal Firewall (Free and Pro Versions) . . . .233

Tiny Personal Firewall . . . .234

ZoneAlarm Pro . . . .234

Chapter 13

Installing Additional Access Gateway Appliances

Creating a Cluster of Access Gateway Appliances . . . .236

Configuring Multiple Appliances to Use a Load Balancer . . . .239

Configuring Load Balancing. . . .240


Appendix A

Monitoring the Access Gateway

Viewing and Downloading System Message Logs . . . .245

Viewing Secure Access Client Connection Logs . . . .246

Forwarding System Messages to a Syslog Server . . . .247

Enabling and Viewing SNMP Logs . . . .247

Multi Router Traffic Grapher Example . . . .248

Viewing System Statistics . . . .249

Monitoring Access Gateway Operations . . . .250

Appendix B

Securing Connections with Digital Certificates

Introduction to Security Protocols, Cryptography, and Digital Certificates . . . . .253

Introduction to Security Protocols . . . .253

Introduction to Cryptography . . . .254

Digital Certificates and Certificate Authorities . . . .257

Getting Certificates . . . .260

If Your Organization Is its Own Certificate Authority. . . .261

If Your Organization Is not its Own Certificate Authority . . . .261

Getting Server Certificates . . . .262

Digital Certificates and Access Gateway Operation . . . .262

Using Windows Certificates. . . .262

Unencrypting the Private Key. . . .263

Converting to a PEM-Formatted Certificate. . . .264

Combining the Private Key with the Signed Certificate . . . .264

Generating Trusted Certificates for Multiple Levels . . . .265

Requiring Certificates for Internal Connections . . . .266

Using Wildcard Certificates . . . .267

Appendix C

Examples of Configuring Network Access

Configuration Examples . . . .270

Scenario for Configuring LDAP Authentication and Authorization. . . .271

Preparing for the LDAP Authentication and Authorization Configuration. . .271

Configuring the Access Gateway to Support Access to the Internal Network Resources . . . .276

Scenario for Creating Guest Accounts Using the Local Users List. . . .285

Creating a Guest User Authentication Realm. . . .286

Creating Local Users . . . .287

Creating and Assigning a Network Resource to the Default User Group . . . .287


Appendix D

Troubleshooting the Access Gateway

Troubleshooting Web Interface Connections. . . .291

Web Interface Appears without Typing Credentials . . . .291

Applications do not Appear after Logging On . . . .291

Users are Sent to a Logon Page that Asks to Start the Secure Access Client . . . .292

Other Issues . . . .292

License File Does not Match Access Gateway. . . .292

Defining Accessible Networks Subnet Restriction. . . .293

VMWare . . . .293

ICMP Transmissions . . . .293

Ping Command . . . .293

LDAP Authentication . . . .293

End Point Policies . . . .294

Network Resources . . . .294

Kiosk Connections. . . .294

Internal Failover . . . .294

Certificate Signing. . . .294

Certificate Revocation Lists . . . .295

Network Messages to Non-Existent IPs . . . .295

The Access Gateway Does not Start and the Serial Console Is Blank. . . .295

The Administration Tool Is Inaccessible . . . .295

Devices Cannot Communicate with the Access Gateway . . . .296

Using Ctrl-Alt-Delete to Restart the Access Gateway Fails . . . .296

SSL Version 2 Sessions and Multilevel Certificate Chains . . . .296

H.323 Protocol. . . .296

Certificates Using 512-Bit Keypairs . . . .296

Unable to Restrict Drive Mapping with an Application Policy . . . .296

Secure Access Client. . . .297

Secure Access Client Connections with Windows XP. . . .297

DNS Name Resolution Using Named Service Providers. . . .297

Auto-Update Feature . . . .297

Client Connections from a Windows Server 2003 . . . .297

NTLM Authentication. . . .297

WINS Entries. . . .298


Introduction

This chapter describes who should read the Citrix Access Gateway Administrator’s Guide, how it is organized, and its document conventions.

How to Use This Guide

This user guide is intended for system administrators responsible for installing and configuring the Access Gateway. This document assumes that the Access Gateway is connected to an existing network and that the administrator has experience configuring that network.

The configuration steps in this document assume that the Access Gateway is deployed as a standalone appliance and that users connect directly to the Access Gateway.

This user guide also has information for configuring the Access Gateway to work with Citrix Presentation Server and Access Gateway Advanced Edition. For more information, see “Providing Access to Published Applications” on page 167 and “Deploying Access Gateway Advanced Edition” on page 34.

Document Conventions

Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention: Meaning

Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.

Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.

%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.

{ braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.

| (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.

… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.

Getting Service and Support

Citrix provides technical support primarily through Citrix Solutions Advisors. Our Citrix Solutions Advisor partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSN partner at http://www.citrix.com/support/.

In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment

• An online product documentation library

• Interactive support forums for every Citrix product

• Access to the latest hotfixes and service packs

• Security bulletins

• Online problem reporting and tracking (for organizations with valid support contracts)

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.


Subscription Advantage

Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information.

You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Knowledge Center Watches

The Citrix Knowledge Center allows you to configure watches. A watch notifies you if the topic you are interested in was updated. Watches allow you to stay notified of updates to Knowledge Base or Forum content. You can set watches on product categories, document types, individual documents, and on Forum product categories and individual topics.

To set up a watch, log on to the Citrix Support Web site at http://support.citrix.com. After you are logged on, in the upper right corner, click My Watches and follow the instructions.

Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.


Related Documentation

For additional information about the Access Gateway, refer to the following guides:


Introducing Citrix Access Gateway

Citrix Access Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the costly and cumbersome implementation and management, the Access Gateway works through any firewall and supports all applications and protocols. It is fast, simple, and cost-effective to deploy and maintain with a Web-deployed and automatically updating client. Users receive a consistent desk-like user experience with “always-on” connectivity, an integrated worm-blocking client, and integrated end-point scanning. With the Citrix Access Gateway, organizations can quickly and easily deploy one product for all of their secure remote access needs.

The Access Gateway gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, email, intranet sites, and applications just as if they are working inside of their organization’s firewall.

The following topics provide an overview of the Access Gateway:

• Access Gateway Technologies

• Access Gateway Modes of Operation

• New Features

Access Gateway Technologies

The Access Gateway is quick and easy to deploy and simple to administer. The most typical deployment configuration is to locate the Access Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer or in a double-hop DMZ, are also supported. The first time the Access Gateway is started, use the Access Gateway


for authentication, authorization, and group-based access control, kiosk mode, end point resources and policies, portal pages, and IP pools.

For more information about installing the Access Gateway, see Getting Started with Citrix Access Gateway Standard Edition or “Installing the Access Gateway for the First Time” on page 37.

Access Gateway Modes of Operation

The Access Gateway can be used in one of four ways:

Connections through the appliance only. In this scenario, the Access Gateway is installed as a standalone appliance in the DMZ. Users connect directly to the Access Gateway using the Secure Access Client and then have access to network resources, such as email and Web servers.

Connections using the Web Interface and Citrix Presentation Server. In this scenario, users log on to the Web Interface and then are connected to their applications on Citrix Presentation Server. Depending on how the Access Gateway is deployed with Presentation Server, users can connect with just Citrix Presentation Server Clients, Secure Access Client, or have simultaneous connections using both clients. For more information, see “Providing Access to Published Applications” on page 167.

Connections using Access Gateway Advanced Edition. In this scenario, the Access Gateway is installed in the DMZ. Initial TCP/IP settings for the appliance are configured during installation of the appliance. Advanced settings to manage the Access Gateway are configured using the Access Management Console included with Access Gateway Advanced Edition. For more information, see “Deploying Access Gateway Advanced Edition” on page 34 or the Citrix Access Gateway Advanced Edition Administrator’s Guide.

Connections using kiosk mode. The Access Gateway also provides kiosk mode, which opens a virtual network computing-like connection to the Access Gateway. Kiosk mode can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), and client applications. For more information about kiosk mode, see “Connections Using Kiosk Mode” on page 136.


Functions of the Access Gateway

The Access Gateway performs the following functions:

• Authentication

• Termination of encrypted sessions

• Access control (based on permissions)

• Data traffic relay (when the first three functions are met)

As a standalone appliance in the DMZ, the Access Gateway operates as follows:

• A remote user downloads the Secure Access Client by connecting to a secure Web address and providing authentication credentials.

• After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Access Gateway establishes a secure tunnel.

• As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Access Gateway.

• The Access Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Access Gateway sends traffic back to the remote computer over a secure tunnel.

New Features


Configurable symmetric encryption ciphers. You can select the specific cipher that the Access Gateway uses for symmetric data encryption on an SSL connection. You can select one of these three encryption ciphers:

• RC4 128 Bit, MD5/SHA

• 3DES, SHA

• AES 128/256 Bit, SHA

Automatic detection of proxy server settings. In this release, the Secure Access Client automatically detects the proxy server settings specified in the operating system.

Secure Access Client connections. The Secure Access Client included in this release can connect to earlier versions of the Access Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Access Gateway if enabled on the Global Cluster Policies tab.

Automatic port redirection. You can configure the Access Gateway so that any unsecure HTTP connection attempt on port 80 is automatically redirected by the Access Gateway to a secure HTTPS connection attempt on port 443 (or other administrator-specified port).
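The redirect described above, as an added example that is not Access Gateway code (the request parsing and the https_port parameter are this example's assumptions): a listener on port 80 answers every request with a 301 to the same host and path over HTTPS, on 443 or on an administrator-chosen port, and returns 400 when the Host header cannot be used to build a safe Location.

```python
"""Plain-HTTP to HTTPS redirect (example code, not from the product)."""
import re

# Host header: a DNS name, an IPv4 address, or a bracketed IPv6 literal,
# optionally followed by the port the client used on the plain-HTTP side.
_HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:[0-9]{1,5})?")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; only the first occurrence of a name is
    kept, so a duplicated Host header cannot override the one checked.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), value.strip())
    return parts[0], parts[1], headers


def redirect_location(headers: dict, target: str, https_port: int = 443):
    """Build the HTTPS URL for the redirect, or None if Host is unusable.

    Any port the client sent (":80") is discarded; the HTTPS port is added
    only when it is not the default, so the Location stays canonical.
    """
    host = headers.get("host")
    if host is None:
        return None
    m = _HOST_RE.fullmatch(host)  # fullmatch: no stray characters allowed
    if m is None:
        return None
    port = "" if https_port == 443 else f":{https_port}"
    # Only origin-form targets ("/path?query") are carried over; anything
    # else falls back to the site root instead of being echoed verbatim.
    path = target if target.startswith("/") else "/"
    return f"https://{m.group(1)}{port}{path}"


def https_redirect(raw: str, https_port: int = 443) -> str:
    """Return the full response text for one plain-HTTP request."""
    bad = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return bad
    location = redirect_location(headers, target, https_port)
    if location is None:
        return bad
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Connection: close\r\n"
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    # Constructed sample request, as a browser would send it to port 80.
    sample = "GET /portal/login?lang=en HTTP/1.1\r\nHost: gateway.example.com\r\n\r\n"
    print(https_redirect(sample))
    print(https_redirect(sample, https_port=8443))
```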

Disable desktop sharing. You can disable the desktop sharing feature of the Secure Access Client for a user group. The Secure Access Client desktop sharing feature allows a user to view a list of all other users who are logged on. If this capability causes privacy concerns for your organization, you can disable the desktop sharing feature to prevent a specific group of users from viewing the list of online users.

Additional control over Secure Access Client connections. You can configure the Secure Access Client to disconnect from the Access Gateway if there is no user activity on the connection for a specific time interval. You can also force a client disconnection if the connection remains active for a specific time interval or if the Access Gateway does not detect keyboard or mouse activity.
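As an added illustration of the three disconnect conditions just listed (example code, not Access Gateway or Secure Access Client code), the following evaluates an idle time-out, a maximum connection lifetime and a keyboard/mouse inactivity limit over a constructed event trace; the policy names, default intervals and event format are this example's assumptions.

```python
"""Secure Access Client style session time-outs (example code, not from the product).

Models three disconnect conditions: an idle time-out when there is no
traffic on the connection, a forced disconnect once the connection has
been up for a maximum interval, and a forced disconnect when no keyboard
or mouse activity is detected. Keepalive traffic resets the idle timer
but not the inactivity timer, which is the distinction between the two.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TimeoutPolicy:
    # All values in seconds; None disables that check. Defaults are assumed.
    idle_timeout: Optional[int] = 1800      # no traffic on the tunnel
    max_session: Optional[int] = 8 * 3600   # absolute connection lifetime
    user_inactivity: Optional[int] = 900    # no keyboard or mouse input


@dataclass
class Session:
    started_at: int       # when the tunnel was established
    last_traffic_at: int  # last packet seen on the tunnel (keepalives count)
    last_input_at: int    # last keyboard/mouse event reported by the client

    def record_traffic(self, t: int) -> None:
        self.last_traffic_at = max(self.last_traffic_at, t)

    def record_input(self, t: int) -> None:
        # An input report is itself traffic on the connection.
        self.last_input_at = max(self.last_input_at, t)
        self.record_traffic(t)


def check_session(policy: TimeoutPolicy, session: Session, now: int) -> Optional[str]:
    """Return the disconnect reason at time `now`, or None to keep the session.

    The absolute lifetime is tested first so that it is reported even when
    an activity-based limit expires at the same instant.
    """
    if policy.max_session is not None and now - session.started_at >= policy.max_session:
        return "max-session"
    if policy.idle_timeout is not None and now - session.last_traffic_at >= policy.idle_timeout:
        return "idle"
    if policy.user_inactivity is not None and now - session.last_input_at >= policy.user_inactivity:
        return "user-inactive"
    return None


def replay(policy, start, events, end, tick=60):
    """Drive one session through (time, kind) events, kind "traffic" or "input".

    The policy is evaluated at every event and every `tick` seconds, before
    the event is applied, so an event arriving exactly when a limit expires
    does not rescue the session. Returns (time, reason) or (None, None).
    """
    session = Session(started_at=start, last_traffic_at=start, last_input_at=start)
    timeline = sorted(list(events) + [(t, "tick") for t in range(start, end + 1, tick)])
    for t, kind in timeline:
        reason = check_session(policy, session, t)
        if reason is not None:
            return t, reason
        if kind == "traffic":
            session.record_traffic(t)
        elif kind == "input":
            session.record_input(t)
    return None, None


if __name__ == "__main__":
    # Constructed trace: keepalive traffic every 100 s, but the user never
    # touches the keyboard or mouse, so the inactivity limit fires first.
    policy = TimeoutPolicy(idle_timeout=600, max_session=3600, user_inactivity=300)
    trace = [(t, "traffic") for t in range(100, 3000, 100)]
    print(replay(policy, 0, trace, 3000, tick=100))  # (300, 'user-inactive')
```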

Disable kiosk mode. In this release, you can disable kiosk mode for client connections. When kiosk mode is disabled, users do not see the kiosk link on the Web portal page. Users are only allowed to log on using the full Secure Access Client or Citrix Presentation Server Clients.


Updated licensing. Licensing for the Access Gateway has changed to allow one Access Gateway to be a license server for all deployed appliances. Licenses are installed on one Access Gateway and the other appliances in the network are configured to obtain their licenses from the primary Access Gateway.

Voice over IP softphone support. The Access Gateway supports voice over IP softphones from Avaya, Nortel, and Cisco.

Editable HOSTS file. You can edit the HOSTS file on the Access Gateway from the user interface of the Administration Tool. The Access Gateway uses the HOSTS file in conjunction with DNS servers to force DNS resolution to translate host names to IP addresses.

Running logon scripts defined in the Microsoft Active Directory Group Policy. The Access Gateway supports the execution of Windows logon scripts defined in a Microsoft Active Directory Group Policy. Users must successfully authenticate with the Secure Access Client before the logon scripts can execute.

NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Access Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Access Gateway can also authorize users to access internal network resources based on a user’s group memberships on the Windows NT 4.0 domain controller.

Added challenge-response to RADIUS user authentication. The Access Gateway now supports challenge-response token authentication, including the new PIN and next token modes, when RSA SecurID authentication is used through RADIUS. SafeWord PremierAccess authentication has changed to use standards-based RADIUS token authentication: the proprietary PremierAccess configuration file has been removed and replaced by RADIUS server support. Legacy SafeWord PremierAccess realms are converted when the Access Gateway is upgraded to Version 4.5, and SafeWord authentication is configured using RADIUS-style parameters.


Planning Your Deployment

This chapter discusses deployment scenarios for the Access Gateway. You can deploy the Access Gateway at the perimeter of your organization’s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network.

This chapter includes these four sections:

• Deploying the Access Gateway.

• Deploying the Access Gateway with Citrix Presentation Server. This section discusses deploying the Access Gateway with a server farm. You can deploy the Access Gateway in a single-hop DMZ configuration or a double-hop DMZ configuration.

• Deploying additional Access Gateway appliances to support load balancing and failover.

• Deploying the Access Gateway with Access Gateway Advanced Edition.

Deploying the Access Gateway

This section discusses the following Access Gateway deployments:

• Deploying the Access Gateway in the network demilitarized zone (DMZ)

• Deploying the Access Gateway in a secure network that does not have a DMZ


Access Gateway in the Network DMZ

Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization’s secure internal network and the Internet (or any external network). When the Access Gateway is deployed in the DMZ, users access it using the Secure Access Client, Citrix Presentation Server Clients or the kiosk client.

Access Gateway deployed in the DMZ


Installing the Access Gateway in the DMZ

In this configuration, you install the Access Gateway in the DMZ and configure it to connect to both the Internet and the internal network. Follow the instructions in “Installing the Access Gateway for the First Time” on page 37 to perform installation and configuration.

Access Gateway Connectivity in the DMZ

When you deploy the Access Gateway in the DMZ, client connections must traverse the first firewall to connect to the Access Gateway. By default, clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.

The Access Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a Web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Access Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external clients.

The Access Gateway administrative tools available on the Access Gateway also listen for connections on these ports:

• Port 9001 - Connections to the Administration Portal occur on this port.

• Port 9002 - Connections to the Administration Tool occur on this port.

Only the port configured for client connections (443 by default) needs to be reachable from the Internet. Allow connections to ports 9001 and 9002 only from the computers that administrators use.
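The following Python script is an added example; it is not part of the Citrix guide or of the Access Gateway software. It audits a two-firewall rule set against the plan described above: from the Internet only the client port on the Access Gateway may be reachable, never the administrative ports, and through the second firewall the Access Gateway may reach only the host/port pairs that correspond to resources users are authorized to use. The zone names, host names and rule tuples are constructed for illustration.

```python
"""Audit a DMZ firewall policy for an Access Gateway deployment.

Added example, not Citrix code. Rules are modelled as (source, destination,
port) tuples; real firewalls need an export step that is not shown here.
"""
from dataclasses import dataclass

CLIENT_PORT = 443            # default port for Secure Access Client / kiosk connections
ADMIN_PORTS = {9001, 9002}   # Administration Portal and Administration Tool


@dataclass(frozen=True)
class Rule:
    src: str          # zone or host name: "internet", "mgmt", "access-gateway", ...
    dst: str          # zone or host name
    port: int
    proto: str = "tcp"


def audit_policy(rules, authorized_resources, gateway="access-gateway"):
    """Return a list of findings; an empty list means the policy matches the plan.

    authorized_resources maps an internal host name to the set of ports that
    external users are authorized to reach on it. The gateway opens those
    connections on the users' behalf, so they are the only gateway -> internal
    rules the second firewall should carry.
    """
    findings = []
    allowed_internal = {(host, port)
                        for host, ports in authorized_resources.items()
                        for port in ports}

    for r in rules:
        if r.src == "internet":
            if r.dst != gateway:
                findings.append(f"internet may reach {r.dst}:{r.port} directly; "
                                "only the gateway should be exposed")
            elif r.port in ADMIN_PORTS:
                findings.append(f"administrative port {r.port} is exposed to the internet")
            elif r.port != CLIENT_PORT:
                findings.append(f"unexpected port {r.port} open from internet to gateway")
        elif r.src == gateway and (r.dst, r.port) not in allowed_internal:
            findings.append(f"second firewall allows {gateway} -> {r.dst}:{r.port}, "
                            "which is not an authorized resource")

    # Every authorized resource must actually be reachable through the second firewall.
    opened = {(r.dst, r.port) for r in rules if r.src == gateway}
    for host, port in sorted(allowed_internal - opened):
        findings.append(f"authorized resource {host}:{port} is blocked by the second firewall")

    # And clients must be able to reach the gateway at all.
    if not any(r.src == "internet" and r.dst == gateway and r.port == CLIENT_PORT
               for r in rules):
        findings.append(f"port {CLIENT_PORT} from internet to gateway is missing")
    return findings


# Constructed sample: two authorized internal resources and a rule set with two mistakes.
RESOURCES = {"intranet-web": {80}, "mail": {443}}
SAMPLE_RULES = [
    Rule("internet", "access-gateway", 443),
    Rule("internet", "access-gateway", 9002),    # mistake: Administration Tool exposed
    Rule("access-gateway", "intranet-web", 80),
    Rule("access-gateway", "mail", 443),
    Rule("access-gateway", "fileserver", 445),   # mistake: not an authorized resource
    Rule("mgmt", "access-gateway", 9001),        # fine: admin access from the management zone
]
CLEAN_RULES = [r for r in SAMPLE_RULES if r.port != 9002 and r.dst != "fileserver"]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_RULES, RESOURCES):
        print("FINDING:", finding)
```

Run the script as-is to see the two findings for the sample rule set; feed it the exported rules of your own firewalls (converted to Rule objects) to check a real deployment.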

Access Gateway in a Secure Network

You can install the Access Gateway in the secure network. In this scenario, there is typically one firewall between the Internet and the secure network. The Access Gateway resides inside the firewall to control access to the network resources.


Access Gateway deployed in a secure network

Access Gateway Connectivity in a Secure Network

When an Access Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Access Gateway. By default, both of these clients use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.

Security Considerations

When planning any type of Access Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand.

Configuring Secure Certificate Management

By default, the Access Gateway includes a self-signed SSL server certificate that enables it to complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments.


Before you deploy the Access Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority and upload it to the Access Gateway.

If you deploy the Access Gateway in any environment where the Access Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on the Access Gateway. For more information about root certificates, see “Installing Root Certificates on the Access Gateway” on page 55.

For example, if you deploy the Access Gateway with Citrix Presentation Server and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway.

For more information, see “Creating and Installing Certificates” on page 51 and “Securing Connections with Digital Certificates” on page 253.

Authentication Support

You can configure the Access Gateway to authenticate users and control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying the Access Gateway, your network environment should have the corporate directories and authentication servers in place to support one of these authentication types:

• LDAP

• RADIUS

• RSA SecurID

• NTLM

• Secure Computing SafeWord products

If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory.


Deploying the Access Gateway with Citrix Presentation Server

When deploying the Access Gateway to provide secure remote access to Citrix Presentation Server, the Access Gateway works with the Web Interface and the Secure Ticket Authority (STA) to provide access to published applications and resources hosted on a server farm.

This section covers the basic aspects of deploying the Access Gateway with a server farm. For a detailed discussion of this deployment, see “Providing Access to Published Applications” on page 167.

The configuration of your organization’s network determines where you deploy the Access Gateway when it operates with a server farm. There are two options:

• If your organization protects the internal network with a single DMZ, deploy the Access Gateway in the DMZ.

• If your organization protects the internal network using two DMZs, deploy one Access Gateway in each of the two network segments in a double-hop DMZ configuration. For more information about deploying the Access Gateway in a double-hop DMZ, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.

Deploying the Access Gateway in the DMZ with Citrix Presentation Server

Deploying the Access Gateway in the DMZ is the most common configuration when the Access Gateway operates with a server farm.


Access Gateway and Web Interface deployed in the DMZ. Computers in the secure network are running Citrix Presentation Server.

When the Access Gateway is deployed in the DMZ to provide remote access to a server farm, these three possibilities exist:

Deploy the Web Interface behind the Access Gateway in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ. The initial client connection goes to the Access Gateway and is then redirected to the Web Interface.

An example of this configuration is discussed in “Establishing a Secure Connection to the Server Farm” on page 30.

Deploy the Access Gateway parallel to the Web Interface in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ, but the initial client connection goes to the Web Interface instead of the Access Gateway.

The Web Interface interacts with the Secure Ticket Authority (STA) and generates an ICA file to ensure the Presentation Server Client traffic is routed through the Access Gateway to a computer running Presentation Server in the server farm.


Deploy the Access Gateway in the DMZ and deploy the Web Interface in the internal network. In this configuration, user requests are authenticated by the Access Gateway before they are relayed to the Web Interface in the secure network. The Web Interface does not perform authentication, but interacts with the STA and generates an ICA file to ensure ICA traffic is routed through the Access Gateway to the server farm.

For detailed information, see “Providing Access to Published Applications” on page 167.

Establishing a Secure Connection to the Server Farm

This section provides one example of how an Access Gateway deployed in the DMZ works with the Web Interface to provide a secure, single point-of-access to published resources available on a secure enterprise network.

In this example, all of the following conditions exist:

• Clients from the Internet connect to the Access Gateway using Presentation Server Clients.

• The Web Interface resides behind the Access Gateway in the DMZ. Clients make the initial connection to the Access Gateway and the connection is passed to the Web Interface.

• The secure network contains a server farm. One server within this server farm runs the STA and one server within the server farm runs the Citrix XML Service.

The process by which clients access resources published by the server farm occurs as follows:

• A remote user types the address of the Access Gateway; for example, https://www.ag.wxyco.com, in the address field of a Web browser. The client attempts this SSL connection on port 443. Port 443 must be open through the firewall for this connection to succeed.

• The Access Gateway receives the connection request, but is configured to redirect the request to the Web Interface.

• The Web Interface sends a logon page to the client browser.

• The user submits authentication credentials. These credentials pass back through the Access Gateway to the Web Interface.

• The Web Interface sends the user credentials to the Citrix XML Service running in the server farm.


• The Web Interface populates a Web page with the list of published resources that the user is authorized to access and sends this Web page to the client.

• The user clicks a published application link. An HTTP request is sent to the Web Interface indicating the published application that was selected.

• The Web Interface interacts with the XML Service and receives a ticket indicating the server on which the published application will run.

• The Web Interface sends a session ticket request to the STA. This request specifies the IP address of the server on which the published application runs. The STA saves this IP address and sends the requested session ticket to the Web Interface.

• The Web Interface generates an ICA file containing the ticket issued by the STA and sends it to the client browser.

The ICA file generated by the Web Interface contains the fully qualified domain name (FQDN) or Domain Name System (DNS) name of the Access Gateway. Note that the IP address of the server running the requested application is never revealed to the client.

• The ICA file contains data instructing the Web browser to launch the Presentation Server Client. The client connects to the Access Gateway using the Access Gateway FQDN or DNS name in the ICA file. Initial SSL/TLS handshaking occurs to establish the identity of the Access Gateway.

• The Presentation Server Client sends the session ticket to the Access Gateway and the Access Gateway contacts the STA for ticket validation.

• The STA returns the IP address of the server on which the requested application resides to the Access Gateway.

• The Access Gateway establishes a TCP connection to a computer running Presentation Server.

• The Access Gateway completes the connection handshake with the Presentation Server Client and indicates to the client that the connection is established with the server.

All further traffic between the client and the server is simply proxied through the Access Gateway.
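The exchange above, reduced to its security-relevant steps, as an added Python model; this is not Citrix code, and the ticket format, the 100-second lifetime, the STA identifier STA01 and the ICA line layout are assumptions made for the example. It shows the three properties the text relies on: the ICA file names the Access Gateway rather than the internal server, the Access Gateway learns the target address only by presenting the ticket to the STA, and a ticket can be redeemed once and only while it is fresh.

```python
"""Model of the Web Interface / STA / Access Gateway ticket exchange.

Added example, not Citrix software. The real STA protocol differs in
wire format; only the control flow and the single-use, time-limited
property of tickets are modelled here.
"""
import secrets
import time

GATEWAY_FQDN = "www.ag.wxyco.com"   # the address users type, from the example above


class SecureTicketAuthority:
    """Issues single-use tickets that stand in for an internal server address."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self.ttl = ttl_seconds          # assumed lifetime
        self.clock = clock              # injectable for testing
        self._tickets = {}              # ticket -> (server_ip, expiry)

    def request_ticket(self, server_ip):
        """Web Interface -> STA: remember the target, hand back an opaque ticket."""
        ticket = secrets.token_hex(16)  # 128 bits of randomness, unguessable
        self._tickets[ticket] = (server_ip, self.clock() + self.ttl)
        return ticket

    def validate(self, ticket):
        """Access Gateway -> STA: exchange a fresh ticket for the server IP, once."""
        entry = self._tickets.pop(ticket, None)   # pop: a replayed ticket finds nothing
        if entry is None:
            return None
        server_ip, expiry = entry
        if self.clock() > expiry:
            return None
        return server_ip


def web_interface_build_ica(sta, server_ip, app_name):
    """Web Interface: trade the server address for a ticket and emit an ICA file.

    The file carries the gateway FQDN and the ticket; the internal IP address
    never appears in anything sent to the client.
    """
    ticket = sta.request_ticket(server_ip)
    return (
        "[WFClient]\n"
        f"SSLProxyHost={GATEWAY_FQDN}:443\n"      # assumed key name
        f"[{app_name}]\n"
        f"Address=;40;STA01;{ticket}\n"          # assumed layout: ticket is the last field
    )


def parse_ticket(ica_text):
    """Presentation Server Client: pull the ticket out of the ICA file."""
    for line in ica_text.splitlines():
        if line.startswith("Address="):
            return line.split(";")[-1]
    raise ValueError("no Address= line in ICA file")


def gateway_accept(sta, ica_text):
    """Access Gateway: validate the client's ticket with the STA.

    Returns the internal server IP to connect to, or None if the connection
    must be refused (unknown, replayed or expired ticket).
    """
    return sta.validate(parse_ticket(ica_text))


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    ica = web_interface_build_ica(sta, "10.10.5.21", "Notepad")
    print(ica)
    print("first use  ->", gateway_accept(sta, ica))   # the server IP
    print("second use ->", gateway_accept(sta, ica))   # None: ticket already consumed
```

The `clock` parameter exists only so that expiry can be exercised without waiting; in a deployment the STA's own clock applies, which is one reason the appliance's date and time (see “Configuring the Date and Time on the Access Gateway”) must be correct.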


Deploying the Access Gateway in a Double-Hop DMZ

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.

You can deploy the Access Gateway in a double-hop DMZ configuration to provide a single point-of-access to a server farm residing in an internal network. With this configuration, you must deploy two Access Gateway appliances: one in the first stage of the DMZ and one in the second stage of the DMZ.

Two Access Gateway appliances deployed in a double-hop DMZ

The figure above shows two Access Gateway appliances deployed in a double-hop DMZ to control access to a server farm.

In this deployment, the clients, the Access Gateway appliances, and the Web Interface perform these operations:

• Users from the Internet use a Web browser and Presentation Server Client to connect to the Access Gateway in the first DMZ.

• The Access Gateway in the first DMZ receives the client connections and redirects these connections to the Web Interface in the second DMZ. This Access Gateway also handles connections from the clients that connect to the server farm on the internal network.

• The Web Interface performs various interactions with the Web browser clients and with components of the server farm, including the XML Service and the Secure Ticket Authority (STA). These interactions provide a user with a list of published applications and enable the user to access a published application by clicking a link in this list.

• The Access Gateway in the second DMZ acts as a proxy that enables ICA traffic to traverse the second DMZ and connect to the server farm in the internal network. The Access Gateway in the second DMZ also enables the Access Gateway in the first DMZ to communicate with the STA in the internal network.

Important The Web Interface must be installed parallel to the Access Gateway in the second DMZ.

For detailed information about these interactions and the configurations required to deploy two Access Gateway appliances in a double-hop DMZ configuration, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.

Deploying Additional Appliances for Load Balancing and Failover

You can install multiple Access Gateway appliances into your environment for one or both of these reasons:

Scalability. If you have a large remote user population, install additional Access Gateway appliances to accommodate the user load.

High Availability. If an Access Gateway fails, an additional Access Gateway that is already installed ensures that the internal network remains available to remote users.

Deploying Access Gateway Appliances behind a Load Balancer

To support both scalability and high availability, you can install a load balancer and then install multiple Access Gateway appliances behind the load balancer. Deploying multiple appliances behind a load balancer enables you to support a large population of remote users and maintain high availability of the internal network to the users.

Multiple Access Gateway appliances deployed behind a load balancer

For detailed information about deploying multiple Access Gateway appliances behind a load balancer, see “Installing Additional Access Gateway Appliances” on page 235.

Deploying Access Gateway Advanced Edition

If you purchased Access Gateway Advanced Edition, you must configure the Access Gateway to communicate with the Advanced Access Control software. Use the Administration Tool to switch the Access Gateway to Advanced Access Control, which then manages the settings for the gateway cluster or clusters. After you configure Advanced Access Control, use the Administration Tool only for appliance-specific settings.

To enable Advanced Access Control

1. On the Access Gateway Cluster tab, select an Access Gateway and click the Advanced Options tab.

2. Select Advanced Access Control.

3. In Server running Advanced Access Control, type the IP address or FQDN of the server that is running the Access Management Console.

4. To encrypt communication between the Access Gateway and the server running Advanced Access Control, select Secure server communication.

5. Click Submit.

The server or servers that are configured to connect to the Access Gateway appear in Servers Running Advanced Access Control. To remove a server from the list, select the server and then click Remove.

Caution When you select Advanced Access Control for managing the Access Gateway, the corresponding settings in the Administration Tool are deactivated. If you configured these settings with the Administration Tool before selecting Advanced Access Control, you must configure these settings again using the Access Management Console. For more information about configuring these settings in the console, see the Citrix Access Gateway Advanced Edition Administrator’s Guide.

If you disable administration with Advanced Access Control, settings in the Access Management Console are deactivated and existing configuration values are removed. Settings that were previously configured on the Access Gateway are restored.


Multiple Servers in an Access Server Farm

If the Access Gateway is configured to establish connections with multiple servers running Access Gateway Advanced Edition, the servers are checked to make sure they are active before the Access Gateway sends a request to them. If the Access Gateway detects that one server is not active, it can check at a specified interval to see if the server is back online. You can specify the interval period, in seconds, when the Access Gateway checks the server. The minimum amount of time that can be set is 60 seconds.

To specify the retry interval for a server running Advanced Access Control

1. Click the Access Gateway Cluster tab and then click the Advanced Options tab.

Installing the Access Gateway for the First Time

The Access Gateway installs in any network infrastructure without requiring changes to the existing hardware or back-end software. It works with other networking products such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.

Citrix recommends installing the Access Gateway in the corporate demilitarized zone (DMZ). When installed in the DMZ, the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. Typically, the private network is the corporate network and the public one is the Internet. You can also use the Access Gateway to partition local area networks internally in the organization for access control and security. You can create partitions between wired or wireless networks and data and voice networks.

Getting Ready to Install the Access Gateway

To install the Access Gateway, verify that the contents of the box match the packing list. If an item on the packing list is missing from the box, contact Citrix Customer Care.

If you are installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition for instructions.

Materials and Information Needed for Installation

Before installing the Access Gateway, collect materials for the initial configuration and for the connection to your network.

For initial configuration, use one of the following setups:

• A cross-over cable and a Windows computer

For a connection to a local area network, use the following items:

• One network cable to connect the Access Gateway inside of a firewall or to a server load balancer

• Two network cables to connect the Access Gateway located in the demilitarized zone (DMZ) to the Internet and private networks

Citrix recommends that you use the Access Gateway Standard Edition Pre-Installation Checklist to collect the following network information for appliances:

• The Access Gateway internal IP address and subnet mask

• The Access Gateway external IP address and subnet mask

• The Access Gateway FQDN for network address translation (NAT)

• The IP address of the default gateway device

• The port to be used for connections

If connecting the Access Gateway to a server load balancer:

• The Access Gateway IP address and subnet mask.

• The settings of the server load balancer as the default gateway device (if required). See the load balancer manufacturer’s documentation for more information.

• The FQDN of the server load balancer to be used as the external public address of the Access Gateway.

• The port to be used for connections.

Setting Up the Access Gateway Hardware

This section provides procedures for setting up the Access Gateway for the first time.

To physically connect the Access Gateway

1. Install the Access Gateway in a rack if it is rack-mounted.

For more information about installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition.


2. Connect the power cord to the AC power receptacle.

3. Connect either the serial cable to a Windows computer, a cross-over cable to a Windows computer, or an RJ-45 network cable to a network switch and the Access Gateway.

4. Configure the TCP/IP settings using the instructions in “Configuring TCP/ IP Settings for the Access Gateway” on page 39.

Access Gateway connection options using a cross-over cable, a network switch, or terminal emulation

Configuring TCP/IP Settings for the Access Gateway

The preconfigured IP address of the Access Gateway is 10.20.30.40. The IP address can be changed using a serial cable and a terminal emulation program, or by connecting the Access Gateway using network cables and the Administration Tool.

Configuring TCP/IP Settings Using the Serial Console

The serial console provides the following options for configuring the Access Gateway:

• [0] Express Setup configures the TCP/IP settings for Interface 0 (the settings shown on the Access Gateway Cluster > General Networking tab)

• [1] Ping is used to ping other network devices to check for connectivity

• [2] Link Modes is used to set the duplex mode and speed mode for Interface 0 (the settings shown on the Access Gateway Cluster > General Networking tab)

• [3] External Administration Port enables or disables connections to the Administration Tool from a remote computer

• [4] Display Log displays the Access Gateway log

• [5] Reset Certificate resets the certificate to the default certificate that comes with the Access Gateway

• [6] Change Administrative Password allows you to change the default administrator password of rootadmin

• [7] Help displays help information

• [8] Log Out logs off from the Access Gateway

To configure TCP/IP settings using a serial cable

Important Citrix recommends changing the administrator password before connecting the Access Gateway to your network. The new password can be six to 127 characters long and cannot begin or end with a space.

1. Connect the serial cable to the 9-pin serial port on the Access Gateway and connect the cable to a computer that is capable of running terminal emulation software.

2. On the computer, start a terminal emulation application such as HyperTerminal.

Note HyperTerminal is not automatically installed on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in the Control Panel.

3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.

4. Turn on the Access Gateway. The serial console appears on the computer terminal after about three minutes.

5. If using HyperTerminal, press the Enter key.

6. On the serial console, enter the default administrator credentials. The user name is root and the password is rootadmin.

7. To set the IP address, subnet mask, and default gateway device for Interface 0, type 0 and press Enter to choose Express Setup. After you respond to the prompts, the information you entered appears. To commit your changes, type y; the Access Gateway restarts.

8. To verify that the Access Gateway can ping a connected network device, type 1 and enter the IP address of the device.

9. Remove the serial cable and connect the Access Gateway using either a cross-over cable to a Windows computer or a network cable to a network switch, and then turn on the Access Gateway.

Additional Access Gateway settings are configured using the Administration Tool.

Configuring TCP/IP Settings Using Network Cables

The Access Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporate network. The other network adapter communicates with the internal network.

Citrix recommends that you configure both network adapters, for maximum security. If only one network adapter is used, it must be routable to internal resources through Network Address Translation (NAT). Using only one network adapter also halves the throughput of network traffic and can create a bottleneck.

You can install the Access Gateway and configure TCP/IP settings using network cables, such as two RJ-45 network cables, or cross-over cables. The RJ-45 cables are connected to a network switch and to the Access Gateway. The cross-over cables are connected to a Windows computer and the Access Gateway.

To configure TCP/IP settings using network cables

1. Power on the Access Gateway.

After about three minutes, the Access Gateway is ready for its initial configuration with your network.

2. Open a Web browser and type https://10.20.30.40:9001 to open the Administration Portal. Use the default user name and password of root and rootadmin.

3. On the Downloads tab, under Access Gateway Administration Tool, click Install the Access Gateway Administration Tool.

Follow the prompts to complete installation.

4. Log on to the Administration Tool using the default user name and password.

5. On the Access Gateway Cluster tab, open the window for the Access Gateway.

6. On the General Networking tab, under Interface 0 and Interface 1, next to IP Address, type the new IP addresses of the appliance.

Citrix recommends selecting Use both interfaces.

7. In Subnet mask, enter the subnet mask that is appropriate for the IP address entered for the interface(s).

8. In External FQDN, type the fully qualified domain name.

9. In Duplex Mode select the direction of the transmission data. The default setting is auto. You can also select full duplex or half duplex.

10. In Speed Mode select the network speed of the adapter. The default setting is auto. You can also select 10Mbps, 100Mbps, or 1000Mbps.

11. In Maximum Transmission Unit (MTU), select the maximum transmission unit that defines the maximum size of the transmitted packet. The default setting is 1500.

12. In Port, select the incoming port that is used for connections. The default is 443.

13. To configure a default gateway, in IP address, type the IP address of the gateway. In Interface, select the network adapter on the Access Gateway with which the Default Gateway communicates.

The IP address is that of the default gateway device, such as the main router, firewall, or server load balancer, depending on your network configuration. It should be the same as the Default Gateway setting on computers on the same subnet.

For information about the relationship between the Default Gateway and dynamic or static routing, see “Configuring Additional Network Settings” on page 57.

After you configure your network settings on the Access Gateway, you need to restart the appliance.
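Before committing the values from steps 6 through 13 and restarting, it is worth checking that they are consistent with each other, because a default gateway on the wrong subnet or two interfaces on overlapping subnets leaves the appliance unreachable after the restart. The Python function below is an added example, not part of the Citrix guide or software; the interface names mirror the Administration Tool, the addresses are constructed, and the MTU bounds and the rule that the client port must not collide with the administrative ports 9001 and 9002 are assumptions.

```python
"""Pre-flight check for Access Gateway TCP/IP settings (added example, not Citrix code)."""
import ipaddress

ADMIN_PORTS = {9001, 9002}   # Administration Portal and Administration Tool


def check_network_settings(interfaces, default_gateway, gateway_interface,
                           client_port=443, mtu=1500):
    """Return a list of problems; an empty list means the settings are consistent.

    interfaces: {"Interface 0": ("203.0.113.10", "255.255.255.0"), ...}
    default_gateway: the gateway IP address from step 13
    gateway_interface: the interface selected for the default gateway in step 13
    """
    problems = []
    nets = {}
    for name, (ip, mask) in interfaces.items():
        try:
            nets[name] = ipaddress.ip_interface(f"{ip}/{mask}")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")

    # Two adapters on overlapping subnets make the routing decision ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                problems.append(f"{a} and {b} overlap ({nets[a].network} / {nets[b].network}); "
                                "routing between them is ambiguous")

    # The default gateway must sit on the subnet of the interface it is bound to.
    try:
        gw = ipaddress.ip_address(default_gateway)
    except ValueError as exc:
        problems.append(f"default gateway: {exc}")
    else:
        if gateway_interface not in nets:
            problems.append(f"default gateway bound to unknown interface {gateway_interface!r}")
        elif gw not in nets[gateway_interface].network:
            problems.append(f"default gateway {gw} is not on the {gateway_interface} subnet "
                            f"{nets[gateway_interface].network}")
        elif gw == nets[gateway_interface].ip:
            problems.append("default gateway equals the interface's own address")

    if not 1 <= client_port <= 65535:
        problems.append(f"client port {client_port} is out of range")
    elif client_port in ADMIN_PORTS:
        problems.append(f"client port {client_port} collides with an administrative port")

    if not 576 <= mtu <= 9000:   # assumption: sane Ethernet bounds; the default is 1500
        problems.append(f"MTU {mtu} is outside 576..9000")
    return problems


# Constructed sample: Interface 0 faces the outer firewall, Interface 1 the internal network.
GOOD = {"Interface 0": ("203.0.113.10", "255.255.255.0"),
        "Interface 1": ("192.168.50.10", "255.255.255.0")}

if __name__ == "__main__":
    print(check_network_settings(GOOD, "203.0.113.1", "Interface 0"))      # []
    print(check_network_settings(GOOD, "192.168.50.1", "Interface 0"))     # gateway on wrong subnet
```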

Redirecting Connections on Port 80 to a Secure Port

By default, the Access Gateway does not accept unsecure connections on port 80. If a user attempts to connect to the Access Gateway using HTTP on port 80, the connection attempt fails.

You can configure the Access Gateway to automatically redirect HTTP connection attempts on port 80 to be secure connections on port 443 (or other secure port).

If a user attempts an unsecure connection on port 80, the Access Gateway automatically converts this connection attempt into a secure (SSL-encrypted) connection on port 443.
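The behaviour of this option, as an added Python listener that is not Citrix code: it answers every plain HTTP request with a 301 whose Location is the HTTPS address of the appliance. The host in the redirect is taken from the configured External FQDN, not from the request's Host header, so a crafted request cannot turn the redirect into a bounce to another site, and request targets that are not ordinary absolute paths are collapsed to "/". EXTERNAL_FQDN and SECURE_PORT are constructed values, and the listener binds to port 8080 so that it runs without privileges.

```python
"""Redirect plain HTTP to the appliance's HTTPS address (added example, not Citrix code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

EXTERNAL_FQDN = "www.ag.wxyco.com"   # the External FQDN configured in step 8 (constructed)
SECURE_PORT = 443                    # the port configured in step 12


def redirect_target(path, fqdn=EXTERNAL_FQDN, secure_port=SECURE_PORT):
    """Build the HTTPS URL that a plain-HTTP request for `path` is redirected to.

    The host comes from configuration, never from the client's Host header,
    which is what keeps this from becoming an open redirect. Only a normal
    absolute path is preserved; absolute-form targets ("http://…") and
    protocol-relative ones ("//host/…") are replaced by "/".
    """
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    host = fqdn if secure_port == 443 else f"{fqdn}:{secure_port}"
    return f"https://{host}{quote(path, safe='/?=&%')}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every request with 301 and no body; nothing is served over HTTP."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", redirect_target(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET
    do_POST = do_GET

    def log_message(self, *args):   # keep the example quiet
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```

Run it and request http://localhost:8080/citrix/logon with a browser or curl -i to see the Location header; credentials typed into a page reached over port 80 would have travelled in the clear, which is why the appliance refuses such connections by default and, with this option, only ever answers with a redirect.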


To redirect unsecure connections

1. Click the Access Gateway Cluster tab and open the window for the Access Gateway.

2. Click the General Networking tab.

3. Click the Advanced button.

4. Click Redirect any requests for port 80 to a secure port.

5. Click OK.

Configuring TCP/IP Settings for a Double-Hop Deployment

The Access Gateway can be installed in a double-hop DMZ scenario to provide access to a server farm. For more information about this deployment, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.

Restarting the Access Gateway

After configuring your network settings, restart the Access Gateway.

To restart the Access Gateway

1. In the Administration Tool, click the Access Gateway Cluster tab and open the window for the Access Gateway.

2. On the Administration tab, next to Restart the appliance, click Restart.

-or-

Click the Action menu and click Restart appliance name, where appliance name is the name of the Access Gateway.

You can also restart the Access Gateway from the Administration Portal.

To restart the Access Gateway from the Administration Portal

In the Administration Portal, click Maintenance. Next to Restart the Server, click Restart.

Configuring the Access Gateway for Your Network Environment

After the initial TCP/IP settings are configured on the Access Gateway, you then need to configure the appliance for your network environment. The steps for additional configuration of the Access Gateway are:

• Installing Licenses

• Creating and Installing Certificates

• Configuring Additional Network Settings

• Configuring the Date and Time on the Access Gateway

• Using the Default Portal Page

Installing Licenses

The Access Gateway licensing limits the number of concurrent user sessions to the number of licenses purchased. If you purchase 100 licenses, you can have 100 concurrent sessions at any time. When a user ends a session, that license is released for the next user. A user who logs on to the Access Gateway from more than one computer occupies a license for each session.

If all licenses are occupied, no additional connections can be opened until a user ends a session or the administrator uses the Real-Time Monitor to close a connection, thereby releasing a license. For information about using the Real-Time Monitor to close connections, see “Configuring User Connections for Secure Access Client” on page 121.


If you have multiple appliances in your network, one Access Gateway is the licensing server, allocating licenses to the other appliances. When a user logs on to another appliance on the network, the license is pulled from the Access Gateway that is the licensing server. If you have a cluster, the installed licenses are not published to the other appliances. For more information about using licenses with multiple appliances, see “Configuring Licenses for Multiple Appliances” on page 48.

If you are using Access Gateway Advanced Edition, licensing functionality is handled by the Citrix License Server. For more information about licensing with Access Gateway Advanced Edition, see the Citrix Access Suite Licensing Guide and the Access Gateway Advanced Edition Administrator’s Guide.

Obtaining Your License Files

After you install the Access Gateway, you are ready to obtain your license files from Citrix. This process involves going to http://www.mycitrix.com/ to access your available licenses and generating a license file. When the license file is generated, download it to the computer where the Administration Tool is installed. After the license file is on the computer, you can then upload it to the Access Gateway.

Before going to the Citrix Web site, you need the following information:

• The license code. You can find the code on the Access Gateway CD, in an email you receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).

• Your user ID and password for MyCitrix. You can register for this password on MyCitrix.

• The FQDN of the Access Gateway. The entry field for this name on MyCitrix is case-sensitive, so ensure that you copy the FQDN exactly as it appears on the Access Gateway Cluster > General Networking tab.

Important: The host name in the license file must match exactly the host name on the Access Gateway, including letter case.

• How many licenses you want to include in the license file. You do not have to download all of the licenses you are entitled to at once. For example, if your company purchases 100 licenses, you can choose to download 50. At a later date, you can allocate the rest in another license file. Multiple license files can be installed on the Access Gateway.

To obtain your license file

1. From a Web browser, go to http://www.mycitrix.com/.

2. Enter your user name and password.

If this is the first time you are logging on to the site, you are asked for additional background information.

3. Select Licensing > Citrix Activation System > Activate or Allocate Licenses.

4. Follow the process to obtain your license file.

After you successfully download the license file to your computer, you can then install it on the Access Gateway.

To install a license on the Access Gateway

1. On the Access Gateway Cluster tab, open the window for the Access Gateway.

2. Click the Licensing tab.

3. Select Use this appliance as the license server.

4. Next to Install a license file, click Browse and navigate to the license file, and then click Open.

5. Click Submit after the license file is uploaded to the Access Gateway.
