Supplementary Guide
the MetaFrame Secure Access Manager CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2004 Citrix Systems, Inc. All rights reserved.
Citrix, Citrix Load Manager, Independent Computing Architecture (ICA), Independent Management Architecture (IMA), Citrix Extranet, MultiWin, SecureICA, Program Neighborhood, and MetaFrame are registered trademarks or trademarks of Citrix Systems, Inc. in the U.S.A. and other countries.
Microsoft, Windows, Windows 2000, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective manufacturer.
Contents
Chapter 1
Welcome
About this Guide . . . 6
New Features Included in this Release . . . 6
Deploying MetaFrame Secure Access Manager. . . 8
Single-hop Deployment . . . 9
Details of the Single-hop Deployment . . . 9
Why You Would Select this Deployment . . . 10
Double Hop Deployment . . . 11
Details of the Double-hop Deployment . . . 11
Why You Would Select this Deployment . . . 12
Protecting Your Secure Network. . . 13
Authorization. . . 13
Access Control . . . 13
Trusted Sites . . . 13
MetaFrame Secure Access Manager Documentation. . . 14
Citrix Information, Support, and Resources Online . . . 15
Chapter 2
Installing MetaFrame Secure Access Manager
Installation Prerequisites . . . 18
For the Advanced Gateway Client . . . 18
For the Secure Ticket Authority (STA) . . . 18
For the Logon Agent . . . 18
Order of Installation. . . 19
On the MetaFrame Secure Access server. . . 19
On the Secure Gateway server . . . 20
On the Index server . . . 20
Installing MetaFrame Secure Access Manager from the CD . . . 21
Installing MetaFrame Secure Access Manager from the Web . . . 21
Upgrading the Secure Ticket Authority (STA) . . . 21
Upgrading the Logon Agent . . . 22
Installing the Advanced Gateway Client. . . 23
Chapter 3
Configuring MetaFrame Secure Access Manager
Configuring the Secure Ticket Authority (STA). . . 26
Enabling Access to Large Numbers of Servers . . . 27
Saving a Copy of the Server List to Another File . . . 28
Using Static Port Mappings for Exchange Servers . . . 28
Specifying the Details of Outlook Web Access Servers . . . 29
Accessing Web Sites that Contain Java Applets and ActiveX Objects. . . 29
Fully Qualified Domain Names (FQDN) and Unqualified Domain Names . . 29
Configuring the Logon Agent . . . 30
Restricting Access on a Windows NT Group Basis. . . 33
Configuring Remote Access to Internal ICA Applications . . . 34
Configuring the Secure Gateway. . . 35
Securing the Computer Running MetaFrame Presentation Server . . . 35
Registering the Upgraded STA. . . 35
Chapter 4
Troubleshooting
User Attempts to Logon but Client Is Not Detected . . . 38
Error Message At Logon . . . 40
User Cannot Launch the Advanced Gateway Client . . . 41
User Cannot Access Email . . . 41
Error Message “Your session has timed out” Appears. . . 42
Unable to Configure an Email Account using Control Panel. . . 42
Welcome
Citrix MetaFrame Secure Access Manager provides secure, single-point access over the Web to a wide range of internal and external information resources, including applications, data sources, documents, Web content, and services. With a set of easy-to-use, wizard-driven configuration tools, IT administrators can enable browser-based access to the entire enterprise—personalized to each user’s needs and with secure connectivity over the Web.
MetaFrame Secure Access Manager includes:
Secure access to any application or information over the Internet. Providing standards-based encryption over the Internet, MetaFrame Secure Access Manager eliminates the cost and configuration requirements of a traditional virtual private network (VPN).
Single-point access to enterprise resources. Efficiency improves when workers can quickly access and search information resources from a single location. MetaFrame Secure Access Manager aggregates resources and makes it easy to find any information resource within the enterprise or across the Web.
Personalized, role-based user experience. Users need the right information organized according to their individual preference. Personalized user access ensures that the right people can easily access the right information and applications.
Easy deployment and management. MetaFrame Secure Access Manager seamlessly integrates into existing MetaFrame Presentation Server environments and provides centralized administration to make management simple. Wizard-driven
About this Guide
This guide provides information about deploying MetaFrame Secure Access Manager 2.2 and configuration details for the new features included in version 2.2. You should use this guide in conjunction with the MetaFrame Secure Access Manager Administrator’s Guide, which provides conceptual information and procedures for the Service Pack 1 (2.1) version of MetaFrame Secure Access Manager.
Topics in this guide include:
• New Features Included in this Release
• Deploying MetaFrame Secure Access Manager
• Installing MetaFrame Secure Access Manager
• Configuring MetaFrame Secure Access Manager
• Uninstalling MetaFrame Secure Access Manager
• Troubleshooting
New Features Included in this Release
MetaFrame Secure Access Manager 2.2 includes the following new features and enhancements:
• Messaging synchronization
• Alternative user interface support
The new features are enabled by upgrades to the following components:
• Secure Ticket Authority
• Logon Agent
Users access messaging synchronization and alternative user interfaces by means of the new Advanced Gateway Client.
Alternative user interface support. This feature allows users to connect directly to other portals or Web-enabled applications such as IBM WebSphere, SharePoint, and SAP upon logon rather than to the access center. This ensures that a third-party user interface can operate securely with Secure Gateway. It also allows users to access Web sites that publish Java applets from within an existing Access Center. For more information, see “Accessing Web Sites that Contain Java Applets and ActiveX Objects” on page 29.
The Advanced Gateway Client supports the following Web browsers:
• Internet Explorer 5.5 and above
• Netscape 6 and above
• Mozilla
Deploying MetaFrame Secure Access Manager
MetaFrame Secure Access Manager provides secure, single-point access over the Internet to a wide range of internal and external information resources, including applications, data sources, documents, Web content, and services. With minimal effort, IT administrators can serve the entire enterprise to a browser, tailored to each user’s needs, with fully secure connectivity, over the Internet.
If your enterprise network contains an access center running on MetaFrame Secure Access Manager, you can deploy Secure Gateway to provide secure Internet access to any published resource available through the access center. Published resources include Web sites, internal Web servers, resources published on a server farm, and so on.
In such deployments, the Secure Gateway works with the Logon Agent to provide authentication, authorization, and redirection to the access center.
The following section provides two recommended topologies for deploying the Secure Gateway with MetaFrame Secure Access Manager:
Single-hop Deployment
This illustration shows a typical single-hop deployment. The unsecure network contains a client device running the Advanced Gateway Client, the demilitarized zone contains the Secure Gateway and Logon Agent components, and the secure network contains servers running MetaFrame Secure Access Manager, internal Web servers, and an Exchange Server. MetaFrame Secure Access Manager runs the Secure Ticket Authority and Authentication Service. A MetaFrame Presentation server within the server farm runs the Citrix XML Service. A firewall separates the unsecure network from the demilitarized zone and a second content-inspecting firewall separates the demilitarized zone from the secure network. Root and server certificates are installed on the appropriate machines to enable secure communications.
Details of the Single-hop Deployment
In this scenario, the Secure Gateway provides secure access to messaging synchronization services and alternative user interface servers. It also provides secure access to an access center running MetaFrame Secure Access Manager. Users connect to the Secure Gateway and upon authentication are allowed to access content, internal Web servers, Exchange servers, and published resources.
In this configuration, the firewall facing the Internet has port 443 open. The firewall between the DMZ and the secure network has ports 443, 80, 1494 (if accessing published resources), and UDP (User Datagram Protocol) port 5500 (for SecurID authentication) open. It has port 135 and three other MAPI service protocol ports open to allow access to the Exchange server. It also has other appropriate ports open to allow access to internal Web resources.
Citrix recommends that you configure Exchange to use explicit port numbers for the MAPI services. For more information about explicitly setting Exchange ports, see Microsoft Knowledge Base Article 148732, “Setting TCP/IP Port Numbers for Internet Firewalls.”
Why You Would Select this Deployment
Double Hop Deployment
This illustration shows a typical double-hop deployment. The unsecure network contains a client device running the Advanced Gateway Client. The first stage of the DMZ contains the Secure Gateway, and the second stage of the DMZ contains the Logon Agent and Secure Gateway Proxy. The secure network contains servers running MetaFrame Secure Access Manager, internal Web servers, and an Exchange Server. MetaFrame Secure Access Manager runs the Secure Ticket Authority and Authentication Service. A MetaFrame Presentation server within the server farm runs the Citrix XML Service. A firewall separates the unsecure network from the first stage of the DMZ, a second firewall separates the first stage of the DMZ from the second stage of the DMZ, and a third firewall separates the second stage of the DMZ from the secure network. Root and server certificates are installed on the appropriate machines to enable secure communications.
Details of the Double-hop Deployment
Users connect to the server running the Secure Gateway in the DMZ. The Logon Agent is responsible for user authentication and authorization. The Secure Gateway Proxy is responsible for relaying all data exchanged between the server running the Secure Gateway and servers in the secure network.
Why You Would Select this Deployment
Citrix recommends deploying the Secure Gateway in this configuration if your secure network is not separated from the DMZ by a content-inspecting firewall, or the resources aggregated through MetaFrame Secure Access Manager are
Protecting Your Secure Network
MetaFrame Secure Access Manager protects access to your secure network using the following mechanisms.
Authorization
Authority to access the secure network is indicated by the presence of a ticket in the requests sent from the Advanced Gateway Client to the Secure Gateway. When users log on after MetaFrame Secure Access Manager 2.2 has been installed, they are issued a ticket-granting ticket by the Secure Ticket Authority. From the ticket-granting ticket, further cryptographically unique tickets are generated and presented to the Secure Gateway. These tickets identify the client and indicate authorization to access the secure network.
For more information, see “Configuring the Secure Ticket Authority (STA)” on page 26.
Access Control
MetaFrame Secure Access Manager allows you to control access to servers within the secure network in a number of ways.
You can define the list of servers the Secure Ticket Authority (STA) permits users to access within the secure network. The STA Access Configuration List (ACL) can be as restrictive as you require.
For more information, see “Configuring the Secure Ticket Authority (STA)” on page 26.
You can limit access to permitted servers on a group basis using the Logon Agent Configuration Tool. Only users who are members of the messaging synchronization or alternative user interface groups can access these servers from the unsecure network. Groups can be configured to contain the following members:
• All authenticated users
• Members of an NT domain group (if you are running the Citrix XML Service)
• No users
For more information, see “Configuring the Logon Agent” on page 30.
Trusted Sites
MetaFrame Secure Access Manager Documentation
The MetaFrame Secure Access Manager documentation includes electronic manuals and online application help. This documentation set is designed to help users, administrators, and information and technology professionals who integrate access centers with other applications and services.
The following documentation is included with MetaFrame Secure Access Manager:
• The Readme files on the MetaFrame Secure Access Manager CD provide the latest information about MetaFrame Secure Access Manager functionality, known issues, and documentation changes. Be sure to read these documents for important information before you install MetaFrame Secure Access Manager or its components.
• The MetaFrame Secure Access Manager Administrator’s Guide provides conceptual information and procedures for the Service Pack 1 (2.1) version of Secure Access Manager.
• The MetaFrame Secure Access Manager Supplementary Guide provides additional information about deploying Secure Access Manager 2.2 and configuration details for the new features.
• The Secure Gateway for MetaFrame Administrator’s Guide provides conceptual and procedural information about installation, configuration, and usage of the Secure Gateway for MetaFrame. This guide also provides reference information about digital certificates, as well as compatibility guidelines for network components that are found in a Secure Gateway deployment.
• The Secure Gateway for MetaFrame Pre-installation Checklist is a worksheet designed to help you collect the information required during installation of Secure Gateway. Citrix recommends that you fill out this checklist before installing the Secure Gateway for MetaFrame.
• Context-sensitive help is available for the Access Management Console and each configuration utility included with Secure Gateway for MetaFrame. You can view the help by clicking the help buttons provided.
• Online help for users is available from the help buttons in the access center header. Users can get information about common tasks, including how to log on, add content to access center pages, navigate the access center, and personalize their views.
The modules that gather, process, and display information in an access center are called Content Delivery Agents (CDAs). Each CDA includes a help button to explain the function and settings for the CDA.
Citrix Information, Support, and Resources Online
The Citrix home page is at http://www.citrix.com. You can find information and services there for administrators and users. You can access technical support services and locate more information to assist you with MetaFrame Secure Access Manager and other Citrix solutions.
The following are some of the resources available from the Citrix Web site:
MetaFrame Secure Access Manager home. The main page for Citrix MetaFrame Secure Access Manager is at http://www.citrix.com/secureaccess. Visit the site for updates to software and documentation, information about upcoming releases, white papers and product briefs, and information about Citrix partners.
Citrix Developer Network. The Citrix Developer Network (CDN) is an open-enrollment membership program that provides access to developer toolkits, technical information, and test programs for software and hardware vendors, system integrators, licensees, and corporate developers who incorporate Citrix computing solutions into their products. For more information, go to http://www.citrix.com/cdn.
MetaFrame Secure Access Manager Software Development Kit (SDK). MetaFrame Secure Access Manager includes CDAs that enhance teamwork and collaboration. However, even the most comprehensive collection of CDAs cannot meet the needs of every enterprise. Therefore, Citrix designed the MetaFrame Secure Access Manager SDK for developers to create CDAs that provide features beyond those that are currently implemented. The SDK is available from the Citrix Developer Network.
Citrix product documentation library. The library contains the latest documentation for all Citrix products. You can download updated editions of the documentation that ships with Citrix products, as well as supplemental documentation that is available only on the Web site.
Citrix ICA Clients. You can download Citrix ICA Clients for all supported platforms from the main page of the Citrix site.
Support options. Program information about Citrix Preferred Support Services options is available from the Support area of the Citrix site.
Software downloads. The Support section of the Citrix Web site provides access to the latest service packs, hotfixes, utilities, and product literature for download.
Support forums. The interactive online Support Forums provide outlets for discussion of technical issues with other Citrix users.
Education. Citrix offers a variety of instructor led training (ILT) and Web-based training (WBT) solutions. ILT courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. These certification programs include Citrix Certified Administrator (CCA), Citrix Certified Enterprise Administrator (CCEA), and the new Citrix Certified Integration Architect (CCIA). Citrix certifications demonstrate the highest level of product knowledge and competency. Citrix WBT courses are available through CALCs, resellers, and at www.citrix.com/edu. For more information about Citrix Education solutions, visit www.citrix.com/edu.
Installing MetaFrame Secure Access Manager
This chapter tells you how to install MetaFrame Secure Access Manager. The procedures contain complete instructions for installing the Advanced Gateway Client and upgrading both the Secure Ticket Authority (STA) and Logon Agent. This chapter contains the following topics:
• Installation Prerequisites
• Installing MetaFrame Secure Access Manager from the CD
• Installing MetaFrame Secure Access Manager from the Web
• Upgrading the Secure Ticket Authority (STA)
• Upgrading the Logon Agent
• Installing the Advanced Gateway Client
Installation Prerequisites
Before proceeding further, ensure that your system meets the prerequisites described below.
For the Advanced Gateway Client
Before installing the Advanced Gateway Client, you must ensure that:
• You are logged on as a local administrator
• The computer you want to install the client on is not running a server operating system
• The computer you want to install the client on is not running Citrix Extranet software
For the Secure Ticket Authority (STA)
Before upgrading the STA, you must ensure that the MetaFrame Secure Access Manager 2.0 Secure Ticket Authority component is installed on the server you want to upgrade.
For information about other system requirements, see the MetaFrame Secure Access Manager Getting Started Guide.
For the Logon Agent
Before upgrading the Logon Agent, you must ensure that the Secure Gateway 2.0 Logon Agent component is installed. You must also ensure that you have applied MetaFrame Secure Access Manager 2.0 Service Pack 1.
Order of Installation
The installation sequence for MetaFrame Secure Access Manager is as follows:
1. Install MetaFrame Secure Access Manager
2. Install Secure Gateway for MetaFrame
3. Install the Index Server for MetaFrame (optional)
Important The Secure Gateway for MetaFrame must be installed after you install MetaFrame Secure Access Manager.
Before you can install MetaFrame Secure Access Manager 2.2, you must install MetaFrame Secure Access Manager 2.0, and apply MetaFrame Secure Access Manager 2.0, Service Pack 1 (2.1).
The tables below list the tasks you must carry out on each server to ensure MetaFrame Secure Access Manager installs correctly.
On the MetaFrame Secure Access server
Complete the following tasks to install MetaFrame Secure Access Manager:
Task | Complete?
Install MetaFrame Secure Access Manager 2.0 and configure the Secure Ticket Authority. For more information, see the MetaFrame Secure Access Manager 2.0 Getting Started Guide. | [ ]
Install MetaFrame Secure Access Manager 2.0, Service Pack 1 (2.1). For more information, see the MetaFrame Secure Access Manager 2.1 Administrator’s Guide. | [ ]
On the Secure Gateway server
Complete the following tasks to install Secure Gateway for MetaFrame:
Task | Complete?
Install Secure Gateway for MetaFrame 2.0. Configure the Logon Agent and Secure Gateway Service. For more information, see the MetaFrame Secure Access Manager 2.0 Getting Started Guide. | [ ]
Install MetaFrame Secure Access Manager 2.0, Service Pack 1 (2.1). For more information, see the MetaFrame Secure Access Manager 2.1 Administrator’s Guide. | [ ]
Install MetaFrame Secure Access Manager 2.2. Reconfigure the Logon Agent to enable messaging synchronization and alternative user interface support. Reconfigure the Secure Gateway Service to register the upgraded Secure Ticket Authority for use with the Secure Gateway. | [ ]
On the Index server (optional)
Complete the following tasks if you want to install an Index Server:
Task | Complete?
Install the Index Server for MetaFrame 2.0 and configure the Secure Ticket Authority. For more information, see the MetaFrame Secure Access Manager 2.0 Getting Started Guide. | [ ]
Installing MetaFrame Secure Access Manager from the CD
You can install MetaFrame Secure Access Manager from the product CD.
To install MetaFrame Secure Access Manager
1. Insert the product CD-ROM in the CD-ROM drive. The startup screen appears if autorun is enabled. If autorun is not enabled, enter d:\autorun.exe at a command prompt (replace d with the CD drive letter).
2. Choose the component to install.
3. Choose the version of the component currently installed on the computer.
4. Follow the instructions on screen.
When you choose an option, a wizard guides you through the installation process.
To install the Advanced Gateway Client
Users requiring access to messaging synchronization or alternative user interfaces must install the Advanced Gateway Client on their computer. For more information, see “Installing the Advanced Gateway Client” on page 23.
Installing MetaFrame Secure Access Manager from the Web
You can download the files needed to upgrade MetaFrame Secure Access Manager to version 2.2 from the Citrix Web site. These files provide upgrades to the STA and Logon Agent components.
Important You can only upgrade to MetaFrame Secure Access Manager 2.2 using the files available for Web download if you currently have MetaFrame Secure Access Manager 2.0, Service Pack 1 installed.
You can also download the file needed to install the Advanced Gateway Client. For more information, see “Installing the Advanced Gateway Client” on page 23.
Upgrading the Secure Ticket Authority (STA)
You must upgrade the STA in order to configure the new functionality provided by MetaFrame Secure Access Manager 2.2.
To upgrade the STA
3. Read and accept the license agreement and click Next.
4. Review the installation information and click Next.
5. On the Destination Folder page, confirm the installation path is correct and click Next.
Important This folder must be the IIS scripts folder, typically C:\Inetpub\scripts. If you customized the location of this folder during a previous installation of MetaFrame Secure Access Manager, you must enter the details of the customized location.
6. Read the security warning and click Next.
7. Click Finish to exit the wizard.
After the installation is complete, the Secure Ticket Authority Configuration wizard starts automatically. For more information, see “Configuring the Secure Ticket Authority (STA)” on page 26.
Upgrading the Logon Agent
You must upgrade the Logon Agent in order to configure access to the new functionality provided by MetaFrame Secure Access Manager 2.2.
To upgrade the Logon Agent
1. Log on to the server as an administrator. Run the CSG_LA_2.2.msi file.
2. On the Welcome page, click Next.
3. Read and accept the license agreement and click Next.
4. Review the installation information and click Next.
5. Read the security warning and click Next.
6. Click Finish to exit the wizard.
Installing the Advanced Gateway Client
Users requiring access to messaging synchronization or alternative user interfaces must install the Advanced Gateway Client on their computer. You can install the Advanced Gateway Client using one of the following packages:
• AdvGWClient.msi – a Windows Installer package for use with Windows 2000 Active Directory Services or Microsoft Systems Management Server
• AdvGWClient.exe – a self-extracting executable for use with Windows 98
Important Be aware that the Advanced Gateway Client changes the network protocol stack on the client computer by installing a Layered Service Provider.
To install the Advanced Gateway Client
1. Log on to the computer as an administrator, and run the Advanced Gateway Client install.
2. On the Welcome page, click Next.
3. Read and accept the license agreement and click Next.
4. Review the Readme information and click Next.
5. On the Destination Folder page, confirm the installation path is correct and click Next.
6. Read the security warning and click Next.
7. On the Ready to Install the Application page, click Next. The Internet Options dialog box appears.
8. On the Security tab, click Trusted sites.
9. Click Sites.
10. In the Add this Web site to the zone box, type the URL for the Secure Gateway server that you want to add to the Trusted Sites zone, and then click Add.
Important Users must add the URL of the Secure Gateway server to their own Trusted sites zone if they want to use the messaging synchronization and alternative user interface functionality provided by MetaFrame Secure Access Manager. Because Internet Explorer applies more permissive security settings to sites in the Trusted sites zone, add only the exact Secure Gateway URL (the https:// address users connect to) rather than a broader domain pattern.
Uninstalling MetaFrame Secure Access Manager
This section describes how to uninstall all MetaFrame Secure Access Manager 2.2 components.
To uninstall the Advanced Gateway Client
1. Log on as a local administrator and exit any applications running on the client device.
2. In Control Panel click Add/Remove Programs.
3. Select Adv. Gateway Client and click Remove.
4. Click Yes to confirm removal.
To remove the upgrade to the STA
1. Log on as an administrator and exit any applications running on the server.
2. In Control Panel click Add/Remove Programs.
3. Select Secure Gateway for MetaFrame - Secure Ticket Authority Upgrade and click Remove.
4. Click Yes to confirm removal.
To remove the upgrade to the Logon Agent
1. Log on as an administrator and exit any applications running on the server.
2. In Control Panel click Add/Remove Programs.
3. Select Secure Gateway for MetaFrame - Logon Agent Upgrade and click Remove.
Configuring MetaFrame Secure Access Manager
This chapter contains instructions for configuring both the STA and Logon Agent to provide access to messaging synchronization and alternative user interfaces. This chapter contains the following topics:
• Configuring the Secure Ticket Authority (STA)
• Configuring the Logon Agent
Configuring the Secure Ticket Authority (STA)
After upgrading the STA, you must configure it in order to use the new functionality provided by MetaFrame Secure Access Manager 2.2.
To configure the STA
1. The STA Configuration tool starts automatically following installation of the STA upgrade. If you want subsequently to change any of the settings, select Start > Programs > Citrix > Secure Gateway > Secure Ticket Authority Configuration.
2. On the Welcome page, under Select configuration level, select Advanced and click Next.
3. On the Configure parameters page, accept the default configuration parameters and click Next.
4. The ID is a unique identification number for the STA that the wizard retrieves automatically.
5. On the Define ticket granting parameters page, enter the following information and click Next:
• Final timeout (sec): Enter the total lifetime (in seconds) for a ticket-granting ticket issued by the STA.
Valid values for this field are 0 - 999999, where 0 indicates that the ticket-granting ticket never expires.
• Idle timeout (sec): Enter the period of inactivity (in seconds) after which ticket-granting tickets issued by the STA time out. Inactivity is defined as the absence of new TCP connections.
Valid values for this field are 0 - 999999, where 0 indicates that there is no idle time-out period.
• Access limit: Enter the total number of TCP connections allowed per ticket-granting ticket.
Valid values for this field are 0 - 999999, where 0 indicates that there is no limit to the number of TCP connections allowed per ticket-granting ticket.
A value of 0 disables the corresponding limit. If all three are left at 0, the STA never invalidates a ticket-granting ticket, so set at least a final timeout that matches the longest session you are prepared to accept.
6. On the Specify servers page, click Add.
7. In the Server details dialog box, enter the following information:
• Name: Enter the name of the server to which you want this STA to permit access.
This may be a fully qualified domain name (FQDN), a NetBIOS name, or an unqualified domain name, but not an IP address.
• TCP port: Enter the port number of the server to which you want this STA to permit access.
8. The next page tells you that configuration of the STA is complete and informs you that the World Wide Web Publishing Service must be restarted for configuration changes to take effect.
Leave Restart the service selected and click Finish.
You can modify the STA configuration file manually to enable access to large numbers of servers, or to save a copy of the server list to another file before uninstalling MetaFrame Secure Access Manager.
Enabling Access to Large Numbers of Servers
If you want to add a large number of servers to the STA Access Configuration List, you can edit the CtxSta.config file manually.
To add details of a server to the file
1. Open the CtxSta.config file, typically located in the \Inetpub\scripts folder.
2. Scroll to the bottom of the file and locate the LongTicketDestinations= entry.
3. On a new line, type the details of the server you want to add to the list, using the following format:
LongTicketDestination<destination number>=<group>/<host>:<port>
Where:
<destination number> is the number of the destination server, from zero upwards, in numerical order.
<group> is 0 for Alternative User Interface or 1 for Messaging Synchronization
<host> is the name of the destination server
This may be a fully qualified domain name (FQDN), a NetBIOS name, or an unqualified domain name, but not an IP address.
<port> is the port number of the destination server
For example:
LongTicketDestination0=1/www.citrix.com:80
4. Update the LongTicketDestinations= entry to include the total number of
Saving a Copy of the Server List to Another File
If you have configured a large number of servers for use with the Advanced Gateway Client, you may want to make a copy of this list before uninstalling MetaFrame Secure Access Manager 2.2. The list of servers can be found in the CtxSta.config file, located in the \Inetpub\scripts folder. After re-installing MetaFrame Secure Access Manager 2.2, copy the list of servers back into the CtxSta.config file.
To save a copy of the server list to another file
1. Open the CtxSta.config file.
2. Scroll to the bottom of the file and copy the entries beginning LongTicketDestinations.
3. Open a text editor, such as Notepad.
4. Paste the list of servers into the new file.
5. Save the file.
To copy the saved list into the STA configuration file
1. Open the text file containing your saved server list.
2. Copy the entries onto the clipboard.
3. Open the CtxSta.config file.
4. Paste the server list into the bottom of the file.
5. Save the CtxSta.config file.
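The two manual procedures above (adding a server entry, and saving the server list and copying it back) in working form, as an added example. This is not Citrix code: it assumes CtxSta.config is a plain key=value text file in which LongTicketDestinations= holds the decimal count of destination entries, and the sample file contents, host names and the STA-EXAMPLE value are constructed for illustration.

```python
"""Manage LongTicketDestination entries in a CtxSta.config-style file (added example)."""
import ipaddress
import re

# One entry per destination server, in the format the document describes:
#   LongTicketDestination<n>=<group>/<host>:<port>
# Group 0 = alternative user interface, 1 = messaging synchronization.
ENTRY_RE = re.compile(r"^LongTicketDestination(\d+)=([01])/([^:/\s]+):(\d{1,5})$")
# Assumption: the count line carries the decimal number of entries.
COUNT_RE = re.compile(r"^LongTicketDestinations=(\d*)$")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_host(host):
    """The STA list accepts FQDN, NetBIOS or unqualified names, never an IP address."""
    if _is_ip_literal(host):
        raise ValueError(f"IP addresses are not allowed in the STA list: {host}")
    if not re.fullmatch(r"[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?", host):
        raise ValueError(f"invalid host name: {host}")
    return host


def host_is_allowed(host):
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def parse_destinations(config_text):
    """Return [(group, host, port), ...] ordered by destination number."""
    found = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            n, group, host, port = m.groups()
            found[int(n)] = (int(group), host, int(port))
    return [found[k] for k in sorted(found)]


def export_destinations(config_text):
    """The lines to save to another file before uninstalling: the count plus every entry."""
    return [ln.strip() for ln in config_text.splitlines()
            if ENTRY_RE.match(ln.strip()) or COUNT_RE.match(ln.strip())]


def render_destinations(config_text, destinations):
    """Rewrite the file: other keys untouched, entries renumbered from 0, count updated."""
    kept = [ln for ln in config_text.splitlines()
            if not (ENTRY_RE.match(ln.strip()) or COUNT_RE.match(ln.strip()))]
    while kept and not kept[-1].strip():
        kept.pop()
    kept.append(f"LongTicketDestinations={len(destinations)}")
    for i, (group, host, port) in enumerate(destinations):
        kept.append(f"LongTicketDestination{i}={group}/{host}:{port}")
    return "\n".join(kept) + "\n"


def add_destination(config_text, group, host, port):
    """Append one server after validating group, host and port; fixes the count line."""
    if group not in (0, 1):
        raise ValueError("group must be 0 (alternative UI) or 1 (messaging synchronization)")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    entries = parse_destinations(config_text)
    entry = (group, validate_host(host), port)
    if entry in entries:
        return config_text  # already listed; leave the file as it is
    return render_destinations(config_text, entries + [entry])


def import_destinations(config_text, saved_lines):
    """Merge a previously saved list back into a fresh file; duplicates are dropped."""
    merged = parse_destinations(config_text)
    for entry in parse_destinations("\n".join(saved_lines)):
        if entry not in merged:
            merged.append(entry)
    return render_destinations(config_text, merged)


# Constructed sample file; not a real CtxSta.config.
SAMPLE_CONFIG = """[GlobalConfig]
UID=STA-EXAMPLE
LongTicketDestinations=1
LongTicketDestination0=1/www.citrix.com:80
"""

if __name__ == "__main__":
    updated = add_destination(SAMPLE_CONFIG, 0, "intranet.example.com", 443)
    print(updated)
    saved = export_destinations(updated)  # what you would paste into Notepad
    fresh = "[GlobalConfig]\nUID=STA-EXAMPLE\nLongTicketDestinations=0\n"
    print(import_destinations(fresh, saved))
```

Because every entry is renumbered on write, the numbering stays contiguous from zero and the count line always matches, which is the part most easily got wrong when the file is edited by hand.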
Using Static Port Mappings for Exchange Servers
When you specify the details of an Exchange server for the messaging synchronization group and accept the default port 135, the server is queried by the STA about the ports currently in use for Exchange services. These ports are added implicitly. However, if you restart your Exchange server these ports may change. This prevents the STA from contacting the Exchange server, and terminates the sessions of any users who are currently logged on. If you do not set these ports explicitly, you must restart the World Wide Web Publishing Service every time the Exchange server is restarted.
Specifying the Details of Outlook Web Access Servers
If you are specifying the details of an Outlook Web Access server, specify the group as messaging synchronization and set the port number manually. This is port 80 for HTTP servers and port 443 for HTTPS servers.
These settings apply whether a user is accessing the Outlook Web Access server directly from a browser or using the MetaFrame Secure Access Manager Outlook Web Access CDA.
Accessing Web Sites that Contain Java Applets and ActiveX Objects
You may want users to be able to access Web sites that publish Java applets or ActiveX objects that need to communicate with a server on your secure network. To enable users to access these sites, add this server to the list that the STA permits the alternative user interface group to access.
Fully Qualified Domain Names (FQDN) and Unqualified Domain Names
You may need to add servers to the Server Access list using both FQDN and unqualified domain names. This depends upon the naming conventions used by your organization. For example, users may be able to access a Web site on a server using either of the following URLs:
http://server01/homepage
http://server01.citrix.eu.com/homepage
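A check for the naming point above, as an added example rather than Citrix code: the STA matches the configured name exactly, so a server reached as both server01 and server01.citrix.eu.com needs both entries, and a URL that uses an IP address cannot be satisfied by the list at all. The configured host names, URLs and DNS suffix below are constructed.

```python
"""Report hosts in user URLs that the STA list does not cover (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: host names already present in the STA alternative user interface entries.
CONFIGURED_HOSTS = {"server01.citrix.eu.com", "www.citrix.com"}

# Constructed: URLs users open (portal links, Java applet or ActiveX call-backs).
USER_URLS = [
    "http://server01/homepage",
    "http://server01.citrix.eu.com/homepage",
    "https://www.citrix.com/",
    "http://192.0.2.10/applet",
]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(url):
    """Host name part of a URL, lower-cased; raises if the URL has none."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url}")
    return host.lower()


def missing_hosts(configured, urls):
    """Map each host the STA would refuse to the reason.

    Matching is exact: 'server01' and 'server01.citrix.eu.com' are different
    entries, so both must be listed when both forms appear in URLs.
    """
    allowed = {h.lower() for h in configured}
    problems = {}
    for url in urls:
        host = host_of(url)
        if is_ip_literal(host):
            problems[host] = "IP address: the STA list takes host names only"
        elif host not in allowed:
            problems[host] = "not in the STA list"
    return problems


def name_forms(host, dns_suffixes):
    """All name forms a server may be reached by: the unqualified name plus one
    FQDN per DNS suffix the organisation uses. Add every form to the STA list."""
    host = host.lower()
    suffixes = [s.lower().lstrip(".") for s in dns_suffixes]
    short = host
    for s in suffixes:
        if host.endswith("." + s):
            short = host[: -len(s) - 1]
            break
    return {short} | {f"{short}.{s}" for s in suffixes}


if __name__ == "__main__":
    for host, why in missing_hosts(CONFIGURED_HOSTS, USER_URLS).items():
        print(f"{host}: {why}")
    print(sorted(name_forms("server01", ["citrix.eu.com"])))
```

The same check applies to the Java applet and ActiveX case above: whatever host name the applet or object connects back to is the name that must be in the list.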
Configuring the Logon Agent
After upgrading the Logon Agent you must configure it in order to use the new functionality provided by MetaFrame Secure Access Manager 2.2.
To configure the Logon Agent
1. The Logon Agent Configuration tool starts automatically following installation of the Logon Agent upgrade. If you subsequently want to change any of the settings, select Start > Programs > Citrix > Secure Gateway > Logon Agent Configuration.
2. On the Welcome page, under Select configuration level, select Advanced and click Next.
3. On the Specify Authentication Service (AS) details page, enter the following information and click Next:
• FQDN: Enter the fully qualified domain name of the Web server running the Authentication Service. This is the server on which you installed MetaFrame Secure Access Manager.
• Path: Specify the path for the Authentication Service. This is typically \<PortalName>\AuthService\AuthService.asmx, where PortalName is replaced with the name of an access center.
• Secured with HTTPS: Select this check box to encrypt all communications between the Logon Agent and the Authentication Service using SSL or TLS.
• TCP Port: Specify the network port on which to contact the Authentication Service.
• Use default: Select this check box to use the default port to contact the Authentication Service.
4. On the Specify Secure Gateway Service (SG) details page, enter the following information, and click Next.
• Enable Advanced Gateway Client for access via Secure Gateway: Leave this check box selected to enable secure external access to the server running the Secure Gateway service.
• FQDN: Enter the fully qualified domain name of the server running the Secure Gateway Service.
• TCP Port: Specify the network port on which to contact the Secure Gateway Service. By default this is port 443.
5. On the Secure Ticket Authority (STA) details page, click Add.
6. In the STA details dialog box, enter the following information:
• FQDN: Enter the fully qualified domain name of the server running the STA.
• Path: Specify the default path and file for the STA, typically Inetpub\Scripts\CtxSTA.dll.
• ID: The configuration wizard populates this field automatically when you click OK. The configuration wizard attempts to resolve the FQDN you specify and read the ID string from the server running the STA.
If the configuration wizard is unable to resolve the address specified, enter the ID for the STA manually.
The ID is a unique identification string for the STA. Run the Secure Gateway Diagnostics wizard (click Start > Programs > Citrix > Secure Gateway Diagnostics) and examine the results reported. The ID for the STA is one of the values reported by the wizard.
In the Communication protocol section, enter the following values:
• Ensure the Secured with HTTPS check box is cleared.
• Select the Use default check box to use the default port assignment for the STA.
Click OK. Click Next to proceed with configuration.
7. On the Citrix XML Service details page, enter the following information and click Next:
• Use Citrix XML Service: Select this check box if you are running the Citrix XML Service on a computer running MetaFrame Presentation Server.
Important If you do not configure the Citrix XML Service, you cannot filter access to messaging synchronization and alternative user interface functionality on a Windows NT domain basis. You can only allow or deny access to all authenticated users.
• FQDN: Enter the fully qualified domain name of the server running the Citrix XML Service.
• Path: Specify the default path and file for the Citrix XML Service, typically Scripts\ctxadmin\ctxadmin.dll.
• TCP Port: Specify the network port on which to contact the Citrix XML Service.
By default the Citrix XML Service is configured to share the default TCP/IP communication port (port 80) with Microsoft Internet Information Services. If you do not want the Citrix XML Service to share the TCP port with IIS, you can use a separate port for the Citrix XML Service.
For more information about configuring the Citrix XML Service port, see “Configuring the Citrix XML Service Port” in the MetaFrame Presentation Server Administrators Guide.
• Use default: Select this check box to use the default port to contact the Citrix XML Service.
8. On the Access Group details page, type the name of the NT domain you want to assign access rights for in the Domain box.
9. Click Modify.
10. In the Select Group dialog box, select the users you want to be able to access the service. You can:
• Permit All Authenticated Users
• Permit Members of Group
If you select this option, enter the name of the Windows NT group you want to be able to access messaging synchronization or alternative user interfaces, for example Domain Users.
• Deny Access to All
11. On the Redirect Web page details, either:
• Accept the default option to Use Access Center
—Or—
• Clear the Use Access Center check box and type the URL you want to direct users to following logon in the URL of Alternative User Interface box.
Important You cannot use IP addresses in the URL of Alternative User Interface URL box.
13. On the Logon Agent Web page redirection page, accept the default option to
Set server’s default Web page to point to the Logon Agent and click Finish. The Set server’s default Web page to point to the Logon Agent option makes the Logon Agent page appear when users browse to the URL for the Secure Gateway server.
If you clear this option, users must type in a URL that includes a direct path to the Login.asp file instead of a shorter URL to the Secure Gateway server. For example:
https://server2.citrix.com/Logon Agent/Login.asp
instead of:
https://server2.citrix.com
Restricting Access on a Windows NT Group Basis
If you want to restrict access to the messaging synchronization and alternative user interface features using Windows NT groups, you must use MetaFrame Presentation Server.
MetaFrame Presentation Server provides limited group membership information to the Logon Agent in the DMZ from the secure network.
Group membership is cached at the Logon Agent. When you run the configuration tool for the first time, the cache is initialized.
Note This can take a long time for large groups.
The cache is updated either when the groups configured are changed in the configuration tool, or the refresh group membership check box is selected.
Configuring Remote Access to Internal ICA Applications
If you use Web Interface to let users inside your corporate network access ICA applications, you can configure MetaFrame Secure Access Manager to extend that access to remote users. To configure remote access to internal ICA applications, you must ensure that:
• Your server farm is configured to enable XML Service DNS address resolution. For more information about enabling XML Service DNS address resolution, see “Using DNS Address Resolution” in the MetaFrame Presentation Server Administrator’s Guide.
• The Web Interface is configured to request DNS addresses from your server farm. You can do this by editing the NFuse.conf file, typically found in \\Program Files\Citrix\NFuse\conf.
Amend the line AddressResolutionType=IPV4-port to read AddressResolutionType=dns-port.
• The STA is configured to permit the Alternative User Interface group to access:
• the Web server running the Web Interface
• any MetaFrame Presentation Server computer running ICA applications
For more information, see “Configuring the Secure Ticket Authority (STA)” on page 26.
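The NFuse.conf change and the STA prerequisite above, as an added example that is not Citrix code. It assumes NFuse.conf is a key=value text file with # comment lines, that the STA's alternative user interface host names have already been read out of CtxSta.config into a set, and the sample file and host names are constructed.

```python
"""Prepare Web Interface for remote ICA access through Secure Gateway (added example)."""
import re

KEY = "AddressResolutionType"
WANTED = "dns-port"    # value the document says to set
OLD = "IPV4-port"      # value the document says to replace


def set_address_resolution(conf_text):
    """Return (new_text, action) with action 'unchanged', 'updated' or 'added'.

    Comments and unrelated keys are preserved. A value other than IPV4-port or
    dns-port raises so an administrator looks at it instead of it being overwritten.
    """
    lines = conf_text.splitlines()
    pattern = re.compile(rf"^\s*{KEY}\s*=\s*(\S+)\s*$")
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if not m:
            continue
        value = m.group(1)
        if value == WANTED:
            return conf_text, "unchanged"
        if value != OLD:
            raise ValueError(f"{KEY} has unexpected value {value!r}")
        lines[i] = f"{KEY}={WANTED}"
        return "\n".join(lines) + "\n", "updated"
    lines.append(f"{KEY}={WANTED}")  # key absent: add it
    return "\n".join(lines) + "\n", "added"


def remote_ica_gaps(conf_text, sta_aui_hosts, web_interface_host, mps_hosts):
    """List what still blocks remote ICA access: the NFuse.conf setting, and any
    host the STA's alternative user interface group has not been allowed to reach."""
    gaps = []
    m = re.search(rf"^\s*{KEY}\s*=\s*(\S+)", conf_text, re.M)
    if not m or m.group(1) != WANTED:
        gaps.append(f"NFuse.conf: {KEY} must be {WANTED}")
    allowed = {h.lower() for h in sta_aui_hosts}
    for host in [web_interface_host, *mps_hosts]:
        if host.lower() not in allowed:
            gaps.append(f"STA: add {host} to the alternative user interface group")
    return gaps


# Constructed excerpt; not a real NFuse.conf.
SAMPLE_NFUSE_CONF = """# constructed excerpt
SomeOtherSetting=value
AddressResolutionType=IPV4-port
"""

if __name__ == "__main__":
    new_conf, action = set_address_resolution(SAMPLE_NFUSE_CONF)
    print(action)
    print(new_conf)
    print(remote_ica_gaps(new_conf, {"wi.example.com"}, "wi.example.com",
                          ["mps1.example.com"]))
```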
Configuring the Secure Gateway
Before installation and configuration of MetaFrame Secure Access Manager is complete you must ensure that:
• The Secure Gateway is configured to secure the computer running MetaFrame Presentation Server.
• The upgraded STA is registered for use with the Secure Gateway.
Securing the Computer Running MetaFrame Presentation Server
To secure the computer running MetaFrame Presentation Server:
1. Choose Start > Citrix > Secure Gateway > Secure Gateway Service Configuration.
2. On the Secure Gateway deployment scenario page, select the MetaFrame XP Server check box.
3. Click OK.
Registering the Upgraded STA
Troubleshooting
This chapter provides information about basic techniques to assist you in troubleshooting potential problems that could occur when using MetaFrame Secure Access Manager. This chapter contains the following topics:
• User Attempts to Logon but Client Is Not Detected
• Error Message At Logon
• User Cannot Launch the Advanced Gateway Client
• User Cannot Access Email
User Attempts to Logon but Client Is Not Detected
Problem
A user attempts to log on but Secure Access Manager cannot detect the presence of the Advanced Gateway Client on the computer.
Background
MetaFrame Secure Access Manager may be unable to detect the presence of the client if the user is running a Netscape or Mozilla browser. When the Advanced Gateway Client is installed, the accepted documents field in Internet Explorer is modified to advertise the presence of the client. This is not acceptable behavior for Netscape or Mozilla browsers. In these circumstances, the Logon Agent is not able to detect the presence of the client.
Solution
If the Logon Agent is unable to detect the presence of the client, the user is directed to the No Client Detected page. The following three options are available:
• I have already installed the Advanced Gateway Client. If the client is already installed on the computer, select this option. A cookie is added to the cookies list indicating that the client is already installed and the user can log on successfully.
• I want to download the Advanced Gateway Client now. If the client is not already installed on the computer, select this option. The user is redirected to the client download site and should run the Advanced Gateway Client installer.
• I want to exit now. If the user cannot install the client immediately, select this option. The client can be installed at a more appropriate time.
Before selecting any of these options, check whether the client is already installed on the computer.
To check if the client is already installed on the computer
1. On the Start menu, select Settings > Control Panel.
2. Double-click Add/Remove Programs.
If the client is installed, you will see an entry for the Advanced Gateway Client.
What if a User Clicks “I have already installed the Advanced Gateway Client” by Mistake?
If a user selects this option by mistake, the cookie indicating the client is already installed must be removed from the user’s cookie list.
To remove the cookie from the user’s cookie list
1. Double-click My Computer.
Error Message At Logon
Problem
The following error message appears when a user attempts to logon: “Access was attempted via an untrusted gateway server”
Background
To prevent users from inadvertently accessing untrusted third party sites, the Advanced Gateway Client allows connections only through a Secure Gateway that is added to the Trusted sites zone.
Solution
Ensure the Secure Gateway server is added to the user’s Trusted sites zone.
To add the Secure Gateway Server to the Trusted sites zone
1. From the Start menu, select Settings > Control Panel.
2. Double-click Internet Options.
3. Click the Security tab and then click Trusted sites.
4. Click Sites.
5. In the Add this Web site to the zone text box, type the Internet address for the Secure Gateway server that you want to add to the Trusted Sites zone and then click Add.
User Cannot Launch the Advanced Gateway Client
Problem
When a user attempts to launch the Advanced Gateway Client using Netscape or Mozilla, the browser asks the user what they want to do with the downloaded launch file.
Background
Netscape and Mozilla browsers require users to configure what they are allowed to do without explicit confirmation. This means newly installed applications cannot rely on inbuilt platform launch mechanisms.
Solution
Users must configure a MIME type helper application for the MIME type used to describe the launch file.
For information about configuring MIME type helper applications, refer to the Netscape or Mozilla documentation.
User Cannot Access Email
Problem
A user can log on but is unable to access email.
Background
When you configure an Exchange server for the messaging synchronization group and accept the default port 135, the server is queried by the STA about the ports currently in use for Exchange services. These ports are added implicitly. However, if you restart your Exchange server these ports may change. This prevents the STA from contacting the Exchange server, and terminates the sessions of any users currently logged on. If you do not set these ports explicitly, you must restart the STA service every time the Exchange server is restarted.
Solution
For more information about explicitly setting Exchange ports, see Microsoft Knowledge Base Article 148732, “Setting TCP/IP Port Numbers for Internet Firewalls.”
Error Message “Your session has timed out” Appears
Problem
A user’s Advanced Gateway Client session times out.
Background
The idle timeout period configured for ticket granting tickets restarts each time a new connection is made from the client. Microsoft Outlook uses persistent connections and can hold a single connection open beyond the idle timeout limit configured for ticket granting tickets. If the user is connected to Outlook and then attempts to open a new connection, that connection attempt is denied because no other new connections have been made within the specified idle timeout period.
Solution
The user must log off and log back in to MetaFrame Secure Access Manager.
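A small model of the timeout behaviour described above, added here as an example and not taken from the product: the idle window restarts only when a new connection is opened, so a single persistent Outlook connection can outlive it and the next new connection is refused. The timeout values, class and function names are assumptions for illustration.

```python
"""Model of ticket granting ticket idle timeout versus persistent connections (added example)."""
from dataclasses import dataclass, field


@dataclass
class TicketGrantingTicket:
    idle_timeout: int            # seconds; the idle window restarts on each new connection
    last_new_connection: int     # time of the most recent accepted new connection
    open_connections: int = 0
    log: list = field(default_factory=list)

    def new_connection(self, now):
        """Accept a new connection only if one was accepted within the idle window.

        Traffic on an already open connection does not count: only opening a new
        connection restarts the window, which is the behaviour described above.
        """
        if now - self.last_new_connection > self.idle_timeout:
            self.log.append((now, "denied: idle timeout exceeded"))
            return False
        self.last_new_connection = now   # idle window restarts here
        self.open_connections += 1
        self.log.append((now, "allowed"))
        return True


def outlook_scenario(idle_timeout=600):
    """Outlook keeps one persistent connection open and opens nothing new.
    Returns (first connection allowed, later connection allowed)."""
    tgt = TicketGrantingTicket(idle_timeout=idle_timeout, last_new_connection=0)
    first = tgt.new_connection(now=0)                      # persistent Outlook connection
    # ... mail keeps flowing on that connection, but no new connection is opened ...
    second = tgt.new_connection(now=idle_timeout + 1)      # user opens another resource
    return first, second


def keepalive_scenario(idle_timeout=600, interval=300):
    """Contrast: a client that opens a new connection every `interval` seconds
    keeps its ticket alive as long as interval <= idle_timeout."""
    tgt = TicketGrantingTicket(idle_timeout=idle_timeout, last_new_connection=0)
    results = [tgt.new_connection(now=t) for t in range(0, idle_timeout * 3, interval)]
    return all(results)


if __name__ == "__main__":
    print(outlook_scenario())             # (True, False): the second attempt is denied
    print(keepalive_scenario())           # True
    print(keepalive_scenario(600, 601))   # False: one interval longer than the window
```

Once the second attempt is denied there is no new connection to restart the window, which is why the only recovery is the one given above: log off and log on again to obtain a fresh ticket.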
Unable to Configure an Email Account using Control Panel
Problem
You are unable to configure new email accounts using the Mail option available in Control Panel.
Background
Control Panel applets are run using the rundll32.exe helper application. This application can execute arbitrary code, and for security reasons is not permitted for use with the Advanced Gateway Client.
Solution
Index
A
access: restricting 33; Windows NT groups 33
access centers: user help 14
access control 13
access groups: specifying details of 32
access limit: configuring 26; definition 26
Access Management Console online help 14
accessing: Web sites containing ActiveX objects 29; Web sites containing Java applets 29
ActiveX objects: accessing Web sites containing 29
adding: Secure Gateway server to Trusted sites 23, 40
Advanced Gateway Client: installation prerequisites 18; installing 23; uninstalling 24
alternative user interfaces 7: definition 7; supported applications 7
Authentication Service: specifying details of 30
authorization 13
C
CDAs: online help for 14
Citrix Developer Network (CDN) 15
Citrix Documentation Library 16
Citrix Preferred Support Services 15
Citrix Solution Knowledgebase 15
Citrix XML Service: specifying details of 31
configuring: Logon Agent 30; remote access to internal ICA applications 34; STA 26; STA Access Configuration List (ACL) manually 27; ticket granting ticket parameters 26
D
deploying: MetaFrame Secure Access Manager 8
deployment: double-hop DMZ 11; single-hop DMZ 9; topologies 8
documentation: documentation library online 15; MetaFrame Secure Access Manager 14; submitting comments 15
double-hop DMZ 11: deployment details 11
F
final timeout: configuring 26; definition 26
FQDN 26, 29
Fully Qualified Domain Names: see FQDN 29
I
ICA applications: configuring remote access to 34
idle timeout: configuring 26; definition 26
installation
installing: Advanced Gateway Client 23; from the CD 21; from the Web 21; Logon Agent upgrade 22; STA upgrade 21
J
Java applets: accessing Web sites containing 29
L
Logon Agent: configuring 30; installation prerequisites 18; uninstalling the upgrade 24; upgrading 22
M
messaging synchronization 6: definition 6; supported applications 6
MetaFrame Secure Access Manager: deploying 8; deployment scenarios 8; security mechanisms 13
MetaFrame Secure Access Manager Software Development Kit (SDK) 15
Microsoft Exchange servers: using static port mappings 28
O
online documentation 14
online help for users 14
online resources 15
Outlook Web Access (OWA) servers: specifying details of 29
P
prerequisites: Advanced Gateway Client 18; Logon Agent 18; STA 18
protecting: secure network 13
R
remote access: configuring for ICA applications 34
resources online 15
restricting: access on a Windows NT group basis 33
S
Secure Gateway for MetaFrame 8
Secure Gateway Service: specifying details of 30
secure network: protecting 13
Secure Ticket Authority: see STA 13
security mechanisms: access control 13; authorization 13; MetaFrame Secure Access Manager 13; Trusted sites 13
single-hop DMZ 9: deployment details 9
specifying: access group details 32; Authentication Service details 30; Citrix XML Service details 31; details of Outlook Web Access (OWA) servers 29; Secure Gateway Service details 30; STA details 31
STA: Access Configuration List (ACL) 27; configuring 26; installation prerequisites 18; specifying details of 31; uninstalling the upgrade 24; upgrading 21
STA Access Configuration List (ACL) 13: adding large numbers of servers to 27; configuring manually 27; saving a copy to another file 28
static port mappings
T
ticket granting tickets: configuring access limit 26; configuring final timeout 26; configuring idle timeout 26; configuring parameters for 26; definition 13
troubleshooting 37: Advanced Gateway Client not detected 38; cannot add email account using Control Panel 42; unable to launch client 41; user cannot access email 41; user session times out 42
Trusted sites 13: adding the Secure Gateway server to 23, 40
U
uninstalling: Advanced Gateway Client 24; Logon Agent upgrade 24; STA upgrade 24
unqualified domain names 26, 29
upgrading: Logon Agent 22; STA 21
W
Windows NT groups