
Administrator’s Guide

Secure Gateway for MetaFrame

®

Version 2.0


of the CD containing Secure Gateway for MetaFrame software.

Copyright and Trademark Notice

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Copyright © 2001−2003 Citrix Systems, Inc. All rights reserved.

Citrix, ICA, NFuse, MetaFrame, and Program Neighborhood are registered trademarks and Citrix Solutions Network, MetaFrame XP, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.

RSA Encryption © 1996−1997 RSA Security Inc., All Rights Reserved.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

Microsoft, MS-DOS, Windows, Windows NT, and Win32 are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group in the U.S.A. and other countries. All other trademarks and registered trademarks are the property of their respective owners.


Contents

Chapter 1 Before You Begin . . . 9

About this Guide . . . 9

Secure Gateway for MetaFrame Documentation . . . 11

Using PDF Documentation . . . 11

Document Conventions . . . 12

Citrix on the World Wide Web . . . 13

Providing Feedback About this Guide. . . 14

Chapter 2 Introducing Secure Gateway for MetaFrame . . . 15

Overview . . . 15

Why You Need Secure Gateway . . . 16

Why Use Secure Gateway . . . 16

What You Need . . . 16

For Access to MetaFrame XP Servers. . . 17

For Access to MetaFrame Secure Access Manager and MetaFrame XP Servers . . . 19

New in this Release . . . 21

Features Available When You Use MetaFrame Secure Access Manager, Version 2.0 . . . 22

Secure Gateway Features . . . 23

What To Do Next . . . 24

Chapter 3 Deploying Secure Gateway for MetaFrame. . . 25

Overview . . . 25

How Secure Gateway Secures Your Environment . . . 26

Deployment Scenarios . . . 29

Deploying Secure Gateway With MetaFrame Secure Access Manager. . . 29

Deploying Secure Gateway With MetaFrame XP Servers . . . 31

Deploying Secure Gateway for Access to All Citrix MetaFrame Servers . . . . 33

Deploying Secure Gateway in a Double Hop DMZ . . . 36


Chapter 4 Installing Secure Gateway for MetaFrame . . . 39

Installation Prerequisites . . . 40

For the Secure Gateway Service . . . 40

For the Secure Gateway Proxy. . . 40

For the Logon Agent . . . 41

For the Secure Ticket Authority. . . 41

For Client Devices . . . 42

Secure Access Manager Compatibility . . . 43

MetaFrame XP Server Compatibility . . . 43

Web Interface for MetaFrame XP Compatibility . . . 43

Certificate Requirements . . . 44

In a Single Hop DMZ Deployment . . . 44

In a Double Hop DMZ Deployment . . . 46

Before You Install . . . 47

Installation Sequence . . . 47

Which Components You Need to Install . . . 47

In a Single Hop DMZ Deployment . . . 47

In a Double Hop DMZ Deployment . . . 48

Installing Secure Gateway for MetaFrame . . . 48

Configuring Secure Gateway Components . . . 50

Upgrading Secure Gateway Components . . . 50

Uninstalling a Secure Gateway Component . . . 50

Chapter 5 Using Secure Gateway for MetaFrame . . . 51

Tools Available When You Install the Secure Gateway Service . . . 52

Using the Configuration Tools. . . 52

Using the Secure Gateway Management Console. . . 53

Monitoring Secure Gateway Service Performance . . . 54

Viewing Secure Gateway Performance Statistics . . . 54

Interpreting A Secure Gateway Diagnostics Report . . . 59

Global Settings . . . 60

Interfaces. . . 60

Secure Gateway Proxy . . . 60

Logon Agent. . . 61

Authority Servers . . . 61

Certificate Check . . . 62

Using the Gateway Client for MetaFrame. . . 62

Downloading Gateway Client . . . 62

How To Use the Gateway Client . . . 63


Chapter 6 Using Secure Gateway With MetaFrame Secure Access Manager . . . 65

Scenario A: Single Hop Deployment for Access to MetaFrame Secure Access Manager and MetaFrame XP Servers . . . 66

Deployment Steps. . . 67

Print and Complete the Pre-Installation Checklist. . . 67

Set Up and Test an Access Center . . . 67

Install Secure Gateway Components . . . 68

Configure the Logon Agent . . . 69

Configure the Secure Gateway Service . . . 70

Check Client Devices . . . 71

Testing Your Deployment . . . 72

Scenario B: Single Hop Deployment for Access to MetaFrame Secure Access Manager with SecurID Integration . . . 74

Steps to Deploy. . . 75

Print and Complete the Pre-Installation Checklist. . . 75

Set Up and Test an Access Center . . . 75

Test RSA SecurID Authentication on the LAN . . . 76

Install Secure Gateway Components . . . 76

Configure the Logon Agent . . . 77

Configure the Secure Gateway Service . . . 78

Check Client Devices . . . 79

Test Your Deployment . . . 79

Scenario C: Double Hop Deployment for Access to MetaFrame Secure Access Manager and MetaFrame XP Servers . . . 81

Deployment Steps. . . 82

Print and Complete the Pre-Installation Checklist. . . 82

Set Up and Test an Access Center . . . 82

Install and Configure the Logon Agent . . . 83

Install and Configure the Secure Gateway Proxy . . . 85

Install and Configure the Secure Gateway Service . . . 86

Check Client Devices . . . 89


Chapter 7 Using Secure Gateway With MetaFrame XP Servers. . . 91

Scenario A: Single Hop Deployment With Secure Gateway Service and Web Interface for MetaFrame XP on a Single Server . . . 92

Deployment Steps. . . 93

Print and Complete the Pre-Installation Checklist. . . 93

Set Up and Test A MetaFrame XP Server Farm . . . 93

Install and Configure the STA . . . 93

Set Up and Test Web Interface for MetaFrame XP . . . 95

Install and Configure the Secure Gateway Service . . . 95

Configure Web Interface for MetaFrame XP to Support Secure Gateway . . . 97

Check Client Devices . . . 97

Test Your Deployment . . . 98

Scenario B: Upgrading a Citrix Secure Gateway, Version 1.x Deployment . . . 99

Deployment Steps. . . 100

Print and Complete the Pre-Installation Checklist. . . 100

Check the NFuse Classic Server and the MetaFrame Server Farm . . . 100

Upgrade and Configure the STA . . . 100

Upgrade and Configure the Secure Gateway Service . . . 101

Configure the NFuse Classic Server to Support Secure Gateway . . . 103

Lockdown IIS on the NFuse Classic Web Server . . . 104

Publish the URL to Log On to Secure Gateway for MetaFrame . . . 104

Check Client Devices . . . 105

Test Your Deployment . . . 105

Scenario C: Double Hop Deployment for Access to a MetaFrame XP Server Farm . . . 106

Deployment Steps. . . 107

Print and Complete the Pre-Installation Checklist. . . 107

Setup and Test A MetaFrame Server Farm . . . 107

Set Up and Test Web Interface for MetaFrame XP . . . 108

Install and Configure the Secure Gateway Proxy . . . 108

Install and Configure the Secure Gateway Service . . . 110

Configure Web Interface for MetaFrame XP to Support Secure Gateway . . 112

Check Client Devices . . . 113


Chapter 8 Optimization and Security Guidelines . . . 115

Configuring Firewalls to Handle ICA Traffic . . . 116

Planning for High Availability. . . 117

Load Balancing a Secure Gateway Server Array . . . 118

Load Balancing a Secure Gateway Proxy Array . . . 118

Certificate Requirements . . . 119

Load Balancers and SSL Accelerator Cards . . . 119

Using Multiple STAs . . . 119

Keep–Alive Values on MetaFrame Servers . . . 120

Connection Keep–Alive Values on a Secure Gateway Server . . . 120

Recommendations for Improving Security . . . 121

Deploy Secure Gateway for MetaFrame in the DMZ . . . 121

Restrict Ciphersuites. . . 121

Use Secure Protocols . . . 122

Remove Unnecessary User Accounts . . . 123

Remove Sample Code Installed with IIS. . . 123

Secure Components that Run on IIS . . . 123

Stop and Disable Unused Services. . . 124

Install Service Packs and Hotfixes. . . 124

Follow Microsoft Security Guidelines. . . 124

Chapter 9 Troubleshooting . . . 125

General Troubleshooting Procedures. . . 126

Assumptions . . . 126

Examine the Secure Gateway Application Log. . . 126

Check Results Reported by Secure Gateway Diagnostics . . . 126

Common Problems. . . 127

Installation and Upgrade Problems . . . 127

Certificate Problems . . . 127

Connection Problems . . . 128

Other Problems. . . 130


Appendix A Understanding Security Basics . . . 133

Understanding SSL/TLS, Cryptography, and Digital Certificates . . . 134

SSL and TLS . . . 134

Cryptography . . . 134

Digital Certificates and Certificate Authorities . . . 136

How Do I Get Certificates? . . . 140

If Your Organization Is its own Certificate Authority . . . 140

If Your Organization Is not its own Certificate Authority . . . 141

Server Certificates . . . 142

Obtaining and Installing Server Certificates . . . 142

Root Certificates . . . 148

Obtaining a Root Certificate from a CA . . . 148

Installing Root Certificates on a Client Device . . . 148

Appendix B Error Messages . . . 149

Checking for Error Messages. . . 150

Secure Gateway Service Messages . . . 151

Status Messages . . . 151

Fatal Error Messages . . . 152

Service Error Messages . . . 154

Warning Messages . . . 155

Informational Messages . . . 158

Logon Agent Messages . . . 159

End User Specific Messages . . . 159

Messages Logged to the Internet Information Services (IIS) Log . . . 159

STA Messages . . . 161

Fatal Error Messages . . . 161

Application Error Messages. . . 162

Warning Messages . . . 162

Informational Messages . . . 163

Appendix C Glossary . . . 165


Before You Begin

About this Guide

This document provides detailed information to help you plan a deployment of, install, configure, and troubleshoot Secure Gateway for MetaFrame. The intended audience for this guide comprises experienced Citrix MetaFrame administrators responsible for installing, configuring, and maintaining Citrix MetaFrame server products. This guide is not intended for users of the network. This guide assumes knowledge of:

• System administration

• Networking and security technologies

• Microsoft Windows 2000 Server

• Microsoft IIS 5.0

• Internet protocols (IP, TCP, and so on)

• Citrix MetaFrame Secure Access Manager (previously known as Citrix NFuse Elite), Version 2.0

• Citrix MetaFrame XP Application Server for Windows with Feature Release 2, or later

• Citrix MetaFrame Server for UNIX Operating Systems, Version 1.1 or later

• Web Interface for MetaFrame XP (previously known as Citrix NFuse Classic) 1.61, or later


Use this guide in conjunction with:

Citrix MetaFrame Secure Access Manager Administrator’s Guide

Citrix MetaFrame XP Application Server for Windows Administrator’s Guide

Citrix MetaFrame for UNIX Operating Systems Administrator’s Guide

Web Interface for MetaFrame XP Administrator’s Guide

Citrix ICA Client Administrator’s Guides

For further information about topics discussed in this document, visit http://www.citrix.com/.

The following table highlights references to typical user tasks and conceptual information in this guide:

Task / For more information, see

...

Task: Learn more about Citrix MetaFrame products and ICA Clients
See: The Citrix Knowledgebase at http://knowledgebase.citrix.com/

Task: Learn about digital certificates and certificate installation
See: “Understanding Security Basics” on page 133.

Task: Install and configure Secure Gateway components
See: “Installing Secure Gateway for MetaFrame” on page 39.

Task: Use Secure Gateway with MetaFrame Secure Access Manager
See: “Using Secure Gateway With MetaFrame Secure Access Manager” on page 65.

Task: Use Secure Gateway with MetaFrame XP Servers
See: “Using Secure Gateway With MetaFrame XP Servers” on page 91.

Task: Learn more about Secure Gateway performance counters and error logs
See: “Using Secure Gateway for MetaFrame” on page 51.

Task: Get general recommendations about using network components such as load balancers, SSL accelerator cards, firewalls, and so on
See: “Optimization and Security Guidelines” on page 115.

Task: Troubleshoot a Secure Gateway deployment and learn about known problems at the time of release
See: “Troubleshooting” on page 125.


Secure Gateway for MetaFrame Documentation

Secure Gateway for MetaFrame, Version 2.0, includes the following electronic documentation:

• This manual, the Administrator’s Guide, provides conceptual and procedural information about installation, configuration, and usage of Secure Gateway. This guide also provides reference information about digital certificates, as well as compatibility guidelines for network components that are found in a Secure Gateway deployment.

• The Pre-installation Checklist is a worksheet designed to help system administrators collect the information required during installation of Secure Gateway. Citrix recommends that you fill out this checklist before installing the software.

• Context-sensitive Help, available from the Secure Gateway configuration, management, and diagnostic tools, provides information about configuration values required to run the software.

• The Readme file contains last-minute updates, corrections to the documentation, and a list of known problems.

Using PDF Documentation

To use the Secure Gateway documentation provided in a PDF file, you need to have the Adobe Acrobat Reader (Version 4 or later) program. The Reader program lets you view, search, and print the documentation files.


Document Conventions

Citrix documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention / Meaning

Boldface: Commands, names of interface items such as text boxes and option buttons, and user input.

Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.

UPPERCASE: Keyboard keys, such as CTRL for the Control key and F2 for the function key that is labeled F2.

Monospace: Text displayed at a command prompt or in a text file.

%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name specified when Windows is installed.

{ braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.

| (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.

… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.


Citrix on the World Wide Web

The Citrix Web site is at http://www.citrix.com/. The site offers a variety of information and services for Citrix customers and users. From the Citrix home page, you can access Citrix technical support services and other information designed to assist Secure Gateway administrators.

The following are some of the resources available on the Citrix Web site:

Citrix Product Documentation Library. The library, which contains the latest documentation for all Citrix products, is at http://www.citrix.com/support (select Product Documentation). You can download updated editions of the documentation that ships with Citrix products, as well as supplemental documentation that is available only on the Web site.

Citrix ICA Clients. Downloadable Citrix ICA Clients for all supported platforms are available from http://www.citrix.com/download.

Support options. Program information about Citrix Preferred Support Services options is available from the Support area of the Citrix Web site at http://www.citrix.com/support.

Other downloads. An FTP server provides access to the latest service packs, hotfixes, utilities, and product literature for download.

Online knowledgebase. The online Solution Knowledge Base contains an extensive collection of application notes, technical articles, troubleshooting tips, and white papers.

Discussion forums. The interactive online Solution Forums provide outlets for discussion of technical issues with other Citrix users.

FAQs. Frequently Asked Questions (FAQ) pages provide answers to common technical and troubleshooting questions.

Education. Information about programs and courseware for Citrix training and certifications is available from http://www.citrix.com/training/.

Contact information. The Web site provides contact information for Citrix offices, including the worldwide headquarters and headquarters for European, Asia Pacific, and Japan operations.

Developer network. The Citrix Developer Network (CDN) is at


Providing Feedback About this Guide

We strive to provide accurate, clear, complete, and usable documentation for Citrix products. If you have any comments, corrections, or suggestions for improving Secure Gateway for MetaFrame documentation, we want to hear from you.


Introducing Secure Gateway for MetaFrame

Overview

Secure Gateway for MetaFrame (Secure Gateway) is a Citrix MetaFrame infrastructure component you can use to secure access to resources and applications hosted on servers running one or more Citrix MetaFrame products. Secure Gateway for MetaFrame transparently encrypts and authenticates all user connections to protect against data tampering and theft.

This chapter is an overview of the capabilities and components of Secure Gateway for MetaFrame. It includes the following topics:

• Why You Need Secure Gateway

• Why Use Secure Gateway

• What You Need

• New in this Release

• Secure Gateway Features


Why You Need Secure Gateway

Today enterprises increasingly rely on global networks that link branch offices, telecommuters, road warriors, and partners. However, the high cost of implementing and maintaining private leased lines is often prohibitive. Using cost-effective public networks, such as the Internet, is a compelling solution to this issue.

Any enterprise that relies on the Internet for connectivity must contend with security issues. Despite the enthusiasm for access at any time, anywhere, from any device, corporations must still be assured that they can protect confidential data from prying eyes as it travels through a public network.

Secure Gateway for MetaFrame functions as a secure Internet gateway between Citrix MetaFrame servers and client workstations. It is simple to deploy, simple to use, reduces costs, provides ease in firewall traversal, and is designed to integrate seamlessly with Citrix products.

All data traversing the Internet between a remote workstation and Secure Gateway is encrypted using IETF standard SSL and TLS security protocols. Secure Gateway transparently encrypts and authenticates all user connections to protect against eavesdropping and data tampering.

Why Use Secure Gateway

Secure Gateway for MetaFrame is an optimized security solution for securing access to Citrix MetaFrame servers.

Secure Gateway is available to customers using Citrix MetaFrame server products. If your organization has purchased licenses for one or more Citrix MetaFrame server products, such as MetaFrame XP Server or MetaFrame Secure Access Manager, you are entitled to use Secure Gateway for MetaFrame.

Secure Gateway components are installed in the DMZ to form a secure perimeter around Citrix MetaFrame servers in your enterprise network. Remote users connect over the Internet to a Secure Gateway server which authenticates the user, and establishes a secure channel for ICA and HTTP/S traffic data between the client device and Citrix MetaFrame servers in the enterprise network.

What You Need


For Access to MetaFrame XP Servers

To securely access published resources available on a MetaFrame XP server farm, deploy Secure Gateway in the DMZ. In this configuration, Secure Gateway for MetaFrame manages authentication and authorization functions and is responsible for creating a secure channel for ICA data exchanged between the client device and MetaFrame servers in the secure network.

To deploy Secure Gateway to access published resources on a MetaFrame XP server farm, you need to deploy Secure Gateway components described below.

Secure Gateway Service


Secure Ticket Authority

The STA is responsible for issuing “session tickets” in response to connection requests for published applications. These session tickets form the basis of authentication and authorization for access to published applications on a MetaFrame server farm.

If you deploy Secure Gateway for secure access to published applications on a MetaFrame server farm, install the STA on a stand-alone server in the secure network.
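The ticket mechanism described above follows a general pattern: a trusted authority in the secure network issues an opaque, short-lived, single-use session ticket for a connection request, and the gateway redeems the ticket before it relays anything to the server farm. The following added example (not Citrix's STA code; the ticket format, the 60-second default lifetime and the address string are assumptions made here) shows the two properties that make such tickets safe to hand to a client: a replayed ticket and a forged ticket both fail, and an expired ticket fails even if it was genuine.

```python
import secrets
import time


class TicketAuthority:
    """Toy ticket authority modelled on the pattern the guide describes.

    A ticket is a random token bound to one target and one short lifetime.
    The client only ever sees the token; the target (where the gateway
    should open the ICA connection) stays inside the authority.
    Added example, not the Citrix STA implementation.
    """

    def __init__(self, lifetime_seconds=60, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._tickets = {}            # ticket -> (target, expiry timestamp)

    def issue(self, target):
        """Issue a ticket for 'target', e.g. a MetaFrame server address (assumed format)."""
        ticket = secrets.token_urlsafe(32)      # 256 bits of randomness: unguessable
        self._tickets[ticket] = (target, self.clock() + self.lifetime)
        return ticket

    def redeem(self, ticket):
        """Validate and consume a ticket.

        Returns the bound target on success, None otherwise. The ticket is
        removed on the first redemption attempt whatever the outcome, so a
        second presentation (a replay) can never succeed.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:             # unknown, already used, or forged
            return None
        target, expiry = entry
        if self.clock() > expiry:     # genuine but stale
            return None
        return target


def demo():
    """Issue one ticket and try to redeem it three times: first use, replay, forgery."""
    sta = TicketAuthority(lifetime_seconds=30)
    ticket = sta.issue("metaframe01.example.internal:1494")   # constructed address
    first = sta.redeem(ticket)
    replay = sta.redeem(ticket)
    forged = sta.redeem("not-a-ticket-the-authority-issued")
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

The gateway side of this exchange only needs the `redeem()` result: if it is `None` the connection attempt is logged and dropped, otherwise the gateway opens its channel to the returned target. Because tickets expire within seconds and are consumed on first use, an attacker who captures one from a client gains nothing once the legitimate session has started.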

You Also Need

In addition to the Secure Gateway components described above, you need to have installed and configured the following to work with Secure Gateway:

Web Interface for MetaFrame XP When you deploy Secure Gateway for secure Internet access to a MetaFrame server farm, you need to install Web Interface for MetaFrame XP in the DMZ.

Web Interface for MetaFrame XP provides Web access to published applications on a MetaFrame server farm. Web Interface for MetaFrame XP works with Secure Gateway to provide a logon interface, and facilitates authentication and authorization of connection requests to a MetaFrame XP Server farm.

Citrix XML Service When Secure Gateway provides secure access to published applications available on a MetaFrame server farm, the Citrix XML Service is contacted for published application availability and location.

The Citrix XML Service is the point of contact for a MetaFrame server farm and provides an HTTP interface to the ICA Browser. It uses TCP instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80. You need to ensure that this component is configured, functioning correctly, and is accessible through the firewall in front of the secure network.

A Server Farm It is assumed that your enterprise network contains a Citrix MetaFrame server farm with published resources that network users can access over the LAN. For information about MetaFrame XP servers, see the Citrix


For Access to MetaFrame Secure Access Manager and MetaFrame XP Servers

To securely access Web content and published application resources aggregated through an access center available on a server running MetaFrame Secure Access Manager, you need to deploy Secure Gateway in the DMZ. In this configuration, Secure Gateway manages authentication and authorization functions and is responsible for creating a secure channel for HTTPS and ICA traffic exchanged between the client device and servers in the secure network.

If you plan to deploy Secure Gateway to securely access MetaFrame Secure Access Manager server(s) and a MetaFrame server farm, you need to deploy the following Secure Gateway components.

Secure Gateway Service


Logon Agent

The Logon Agent provides the Web interface that users interact with when they log on to Secure Gateway. The Logon Agent is also responsible for facilitating the authentication of user credentials and obtaining information about the resources the user is authorized to access.

You Also Need

The following components are accessed by Secure Gateway for MetaFrame to provide authentication and authorization support.

Authentication Service A service, available on a server running MetaFrame Secure Access Manager, which is responsible for issuing access tokens in response to HTTP connection requests for resources available from an access center. These access tokens form the basis of authentication and authorization for HTTP/S connections to an access center. See the MetaFrame Secure Access Manager Administrator’s Guide for information about the Authentication Service.

Secure Ticket Authority (STA) The STA is responsible for issuing “session tickets” in response to connection requests for published applications. These session tickets form the basis of authentication and authorization for access to published applications available on a MetaFrame server farm. If you allow access to published resources through an access center available on a MetaFrame Secure Access Manager server, configure the STA on this server. An instance of the STA is installed when you install MetaFrame Secure Access Manager.

Gateway Client for MetaFrame (Gateway Client) An ActiveX plug-in, available on the server running MetaFrame Secure Access Manager, that downloads automatically to an authenticated, remote client browser. The Gateway Client is a browser plug-in that provides the mechanism required to access internal Web servers, on the enterprise network, available through the access center. An internal Web server is a Web server on the enterprise network available to authenticated users. An example of an internal Web site is a Finance or Human Resources departmental Web site on the Intranet for the use of employees.

The Gateway Client is automatically downloaded and installed into the client browser. Once installed, the Gateway Client acts as a proxy between the client browser and the Secure Gateway.


You must install and configure the Program Neighborhood CDA if you want to provide secure Internet access to published applications through an access center. Users connecting through Secure Gateway are able to launch published applications available on the access center page. For information about the Program Neighborhood CDA, see the MetaFrame Secure Access Manager Administrator’s Guide.

Citrix XML Service When Secure Gateway provides secure access to published applications available on a MetaFrame server farm, the Citrix XML Service is contacted for published application availability and location.

The Citrix XML Service is the point of contact for a MetaFrame server farm and provides an HTTP interface to the ICA Browser. It uses TCP instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80. You need to ensure that this component is configured, functioning correctly, and is accessible through the firewall in front of the secure network.

An Access Center It is assumed that your enterprise network contains a server(s) running MetaFrame Secure Access Manager, and that you created an access center that allows access to Web content, internal Web servers, and published resources. For information about MetaFrame Secure Access Manager, refer to the Citrix MetaFrame Secure Access Manager Administrator’s Guide.

A Server Farm It is assumed that your enterprise network contains one or more MetaFrame server farms hosting published resources that network users can access over the LAN. For information about Citrix MetaFrame servers, see the Citrix MetaFrame Server Administrator’s Guides.

New in this Release

Secure Gateway introduces the following new features and performance enhancements available when you use any Citrix MetaFrame Server product, including Citrix MetaFrame Secure Access Manager.

Compatible with Microsoft Windows Server 2003

Secure Gateway for MetaFrame is compatible with 32-bit Windows Server 2003 operating systems, currently at Release Candidate 2.

Supports Single Stage or Two Stage DMZ Deployment


Supports Secure Communication Between Secure Gateway Components

With Secure Gateway for MetaFrame, Version 2.0 you can secure communication links between Secure Gateway components. Secure Gateway components support the use of digital certificates, and the task of securing links between components is easily accomplished through user-friendly configuration wizards.

Improved Configuration, Management, and Diagnostic Tools

Secure Gateway for MetaFrame, Version 2.0 features improved configuration tools to enable you to configure Secure Gateway components. All configuration tasks are wizard driven and provide context-sensitive Help about the tasks and the information you need to enter.

The Secure Gateway Management Console, available with Secure Gateway, is an MMC snap-in you can use to manage, analyze, and troubleshoot a Secure Gateway deployment. A diagnostic tool, Secure Gateway Diagnostics, which reports configuration, certificate details, and the state of each configured component is also available from the Secure Gateway Management Console.

Features Available When You Use MetaFrame Secure Access Manager, Version 2.0

The following Secure Gateway features are available when you purchase a license for MetaFrame Secure Access Manager, Version 2.0:

Secure Access to MetaFrame Secure Access Manager

Secure Gateway integrates seamlessly with MetaFrame Secure Access Manager to provide a secure channel for HTTP/S data exchanged between client workstations and the access center. You can configure access to MetaFrame server farms through MetaFrame Secure Access Manager, in which case Secure Gateway securely transits ICA as well as HTTPS traffic.

Secure Internet Access to Enterprise Web Servers


Supports RSA SecurID Integration

Secure Gateway for MetaFrame is designed for seamless integration with RSA SecurID Authentication. If your organization has invested in SecurID Authentication, you can integrate SecurID functionality into Secure Gateway with a few easy configuration steps. Users logging on through Secure Gateway are prompted to enter their SecurID passcode in addition to their domain credentials.

Secure Gateway Features

Secure Gateway for MetaFrame also has the following features that were available with previous versions:

Strong encryption. Secure Gateway delivers improved security by encrypting the user’s ICA sessions using 128–bit encryption.

Certificate–based security. Standard PKI (Public Key Infrastructure) technology provides the framework and trust infrastructure for authentication and authorization.

Standard encryption protocols. Secure Gateway uses SSL Version 3.0 or TLS Version 1.0 to secure ICA traffic transmitted over public networks, such as the Internet. TLS 1.0 is the next generation IETF standard, security protocol, a successor to SSL (Secure Sockets Layer) 3.0.

Connections between client workstations and Secure Gateway are encrypted using SSL or TLS protocols. You can further enhance security by forcing the Secure Gateway to restrict use of ciphersuites to commercial or government ciphersuites certified for Federal Information Processing Standard (FIPS) 140 requirements.
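Restricting the protocol versions and ciphersuites a gateway will negotiate is something an administrator should both configure and verify. The following added example (not part of the guide and not a Citrix configuration tool; the cipher string, the TLS 1.2 floor and the list of weak name fragments are assumptions chosen here) builds a server-side TLS context with Python's `ssl` module and then audits the suites the context actually enables, which is the check you want to run after any change to the cipher list. The guide's own advice dates from the SSL 3.0/TLS 1.0 era; this example applies the same principle with a current protocol floor and forward-secret AEAD suites.

```python
import ssl

# OpenSSL cipher string (assumption of this example, not a Citrix setting):
# keep only ECDHE suites with AEAD encryption, and explicitly refuse the
# legacy algorithms an auditor looks for first.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Name fragments that mark a negotiated suite as weak or obsolete.
WEAK_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def restricted_context():
    """Server-side TLS context with the protocol floor and cipher list pinned.

    load_cert_chain() is deliberately left to the caller so that the context
    can be built and audited offline, without a certificate on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3, TLS 1.0 and 1.1 refused outright
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_cipher_names(ctx):
    """Names of every suite the context will negotiate (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Audit helper: enabled suites whose name contains a weak fragment.

    A correctly restricted context returns an empty list.
    """
    return [name for name in enabled_cipher_names(ctx)
            if any(fragment in name for fragment in WEAK_FRAGMENTS)]


def minimum_version_name(ctx):
    """Lowest protocol version the context accepts, as a name such as 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = restricted_context()
    print("minimum protocol:", minimum_version_name(ctx))
    for name in enabled_cipher_names(ctx):
        print("  enabled:", name)
    print("weak suites enabled:", weak_ciphers(ctx))
```

`weak_ciphers()` is the part worth keeping in an operational check: the cipher string expresses intent, but only the enabled-suite list from the library tells you what the gateway will actually accept on the wire, and that list changes with the underlying OpenSSL build.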

Authentication. Secure Gateway facilitates authentication of users attempting to establish connections to Citrix MetaFrame servers. Secure Gateway also supports integration of two-factor authentication using third-party security solutions, such as RSA SecurID or smart cards.

Authorization. Authorization takes place when the Secure Gateway confirms that the user has been authenticated by the enterprise network. The authorization process is entirely transparent to the user.

Single point of entry. The need to publish the address of every Citrix MetaFrame XP server is eliminated and certificate management on the server is simplified. This allows a single point of encryption and access into Citrix MetaFrame XP servers.

Secure Gateway overcomes problems with firewall traversal by using a widely accepted port, typically 443, for HTTP or ICA traffic through firewalls.


Scalable and extensible solution. A single Secure Gateway deployment can easily support a small corporate site consisting of hundreds of users. You can support medium to large sites catering to thousands of users using multiple load-balanced Secure Gateway servers. Secure Gateway components do not require any special hardware devices or network equipment upgrades.

Event and audit logging. Critical and fatal system events are logged to the Secure Gateway application log. This log file provides administrators with a record of system events and facilitates diagnosis of system problems.

Logging levels are configurable, and can be set from the user interface. Depending on the configured logging level, you can retrieve a complete record of network connection attempts to the Secure Gateway. You can also configure the Secure Gateway to omit log entries for polls from network equipment such as load balancers.

What To Do Next


Deploying Secure Gateway for MetaFrame

Overview

Read this chapter to understand how the Secure Gateway for MetaFrame solution works and plan its deployment within your enterprise. This chapter contains the following topics:

• How Secure Gateway Secures Your Environment

• Deploying Secure Gateway With MetaFrame Secure Access Manager

• Deploying Secure Gateway With MetaFrame XP Servers

• Deploying Secure Gateway for Access to All Citrix MetaFrame Servers


How Secure Gateway Secures Your Environment

Secure Gateway for MetaFrame provides secure Internet access to Citrix MetaFrame servers in an enterprise network.

Secure Gateway uses open standard security protocols and public key infrastructure (PKI) to secure HTTP and/or ICA connections to the secure corporate network.

SSL or TLS is used to encrypt communications between remote client devices and the Secure Gateway Service.


Connecting to an Access Center Through Secure Gateway

1. Type the URL for the Secure Gateway server into the address bar of your Web browser. You are presented with the logon screen.

2. Enter your user credentials for the access center and click Log In.

3. The authentication process takes a few seconds and, if successful, a security warning appears prompting you to download, install, and run the Gateway Client for MetaFrame.


5. After a brief interval, the page for the access center appears. The page is populated with Web pages, published applications, alert messages, and so on.


Deployment Scenarios

You can deploy Secure Gateway to provide secure access to enterprise resources aggregated through an access center on servers running MetaFrame Secure Access Manager, or to published resources available on MetaFrame XP server farms.

Secure Gateway is flexible, easy to deploy, and integrates seamlessly into your existing Citrix MetaFrame infrastructure. The following sections describe recommended deployment scenarios for Secure Gateway.

Deploying Secure Gateway With MetaFrame Secure Access Manager

In this configuration, Secure Gateway is deployed to provide secure access to Web content and resources available from an access center.


How It Works

1. A remote user types the address of the Secure Gateway server, for instance, https://www.securegateway.company.com/, into the address field of a Web browser.

2. The Secure Gateway server deployed in the DMZ receives the request and examines the contents for an access token. If no access token is present, it routes the request to the Logon Agent. If an access token is found, the Secure Gateway server performs actions described in step 9.

3. The Logon Agent examines the URL request and sends a logon page to the Secure Gateway server. The Secure Gateway server sends the logon page to the client browser.

4. The user enters and submits logon credentials.

5. Submitted user credentials are passed to the Logon Agent through the Secure Gateway server.

6. The Logon Agent forwards user credentials to the Authentication Service on the secure network.

7. The Authentication Service examines credentials, authenticates the user if credentials are valid, and generates an access token that is sent to the Logon Agent. If the credentials were invalid, an appropriate message is displayed on the client browser and the user is prompted to reenter user credentials.

8. The Logon Agent sends the access token to the client browser through the Secure Gateway server. The access token is set into the client browser and an automatic HTTP request containing the embedded token is launched.

9. The Secure Gateway server receives and examines the HTTP request. This time the embedded access token is found in the HTTP request and the Secure Gateway server contacts the Authentication Service to verify the access token. The Authentication Service verifies the access token and returns a URL to the requested access center resource.


Deploying Secure Gateway With MetaFrame XP Servers

In this configuration, Secure Gateway for MetaFrame is deployed to provide secure Internet access directly to MetaFrame XP servers in the enterprise.

Mobile workers and partners are allowed to access enterprise applications and resources such as network printers published on a MetaFrame server farm. In this usage scenario, Secure Gateway securely transits ICA traffic over the Internet.

How It Works

In this scenario, Secure Gateway works in conjunction with Web Interface for MetaFrame XP to provide secure access to published applications available on a secure enterprise network.

1. A remote user types the address of the Secure Gateway server, for instance, https://www.securegateway.company.com/, into the address field of a Web browser.

2. The Secure Gateway server deployed in the DMZ receives the request and relays the request to Web Interface for MetaFrame XP.


4. The user enters and submits valid user credentials, which are routed to Web Interface for MetaFrame XP through the Secure Gateway server.

5. Web Interface for MetaFrame XP sends user credentials to the Citrix XML Service available from the MetaFrame XP server farm in the secure network, and obtains a list of applications that this user is authorized to access.

6. Web Interface for MetaFrame XP populates the Web page with the list of published applications that the user is authorized to access.

7. When the user clicks a published application link, Web Interface for MetaFrame XP sends the IP address and port for the requested MetaFrame XP server to the STA and requests an ICA session ticket for the user. The STA saves the IP address and issues the requested ticket to Web Interface for MetaFrame XP.

8. Web Interface for MetaFrame XP generates an ICA file containing the ticket issued by the STA, and sends it to the client browser.

Important The ICA file generated by Web Interface for MetaFrame XP contains the FQDN or DNS name of the Secure Gateway server. The address of the MetaFrame XP server(s) that the ICA Client eventually connects to is never exposed to the client.

9. The client Web browser uses the ICA file to launch the ICA Client. The ICA Client connects to the Secure Gateway server using the FQDN or DNS name in the ICA file. Initial SSL/TLS handshaking is performed to establish the identity of the Secure Gateway server.

10. The Secure Gateway server examines the ICA file for an ICA session ticket. If a ticket is found, it uses information contained in the ticket to identify and contact the STA for ticket validation.

If ticket validation is successful, the STA returns the IP address of the MetaFrame server on which the requested application resides. If the ticket is invalid, or has expired, the STA informs the Secure Gateway server and an error message appears on the client device.

11. On receipt of the IP address for the MetaFrame XP server, the Secure Gateway server establishes an ICA connection to the MetaFrame server. When the ICA connection is established, the Secure Gateway server encrypts and decrypts data flowing through the connection.


Deploying Secure Gateway for Access to All Citrix MetaFrame Servers

In this configuration, Secure Gateway for MetaFrame provides secure Internet access to enterprise resources aggregated through MetaFrame Secure Access Manager, including published applications and resources hosted on MetaFrame XP servers.

MetaFrame Secure Access Manager is used to aggregate Web content and published applications available in the enterprise. Mobile workers and partners are allowed to access both Web content and published applications over the Internet or WAN. In this usage scenario, Secure Gateway for MetaFrame transits HTTP and ICA traffic securely over the Internet.

How It Works


2. The Secure Gateway server deployed in the DMZ examines the contents of the connection request for an access token. If no access token is present, it routes the request to the Logon Agent. If an access token is found, the Secure Gateway server performs the actions described in step 7.

3. The Logon Agent examines the connection request and sends the logon page to the Secure Gateway server. The Secure Gateway server sends the logon page to the client browser.

4. The user enters and submits logon credentials. Submitted user credentials are passed to the Logon Agent through the Secure Gateway server. The Logon Agent forwards user credentials to the Authentication Service on the secure network.

5. The Authentication Service examines credentials, authenticates the user if credentials are valid, and generates an access token that is sent to the Logon Agent. If the credentials were invalid, an appropriate message is displayed on the client browser and the user is prompted to reenter user credentials.

6. The Logon Agent sends the access token to the client browser through the Secure Gateway server. The access token is set into the client browser and an automatic HTTP request containing the embedded access token is launched.

7. The Secure Gateway receives and examines the HTTP request. This time the embedded access token is found in the HTTP request and the Secure Gateway contacts the Authentication Service to verify the access token. The Authentication Service verifies the access token and returns the address of an access center.

8. The Secure Gateway opens a secure communications channel to the access center. The access center page is displayed on the client Web browser. The user is able to access Web or application resources available through the access center.

9. To access a published application resource on a MetaFrame XP server, the user navigates to the Program Neighborhood CDA window, and clicks on the application required.

10. The Program Neighborhood CDA contacts the Citrix XML Service on the MetaFrame XP server farm for the application requested by the user. The Citrix XML Service returns a server address.

11. The Program Neighborhood CDA sends the address for the requested


12. The Program Neighborhood CDA generates an ICA file containing the ticket issued by the STA, and sends it to the client browser.

13. The Web browser uses the ICA file to launch the ICA Client. The ICA Client connects to the Secure Gateway server using the FQDN or DNS name in the ICA file. Initial SSL/TLS handshaking is performed to establish the identity of the server running the Secure Gateway server.

14. The Secure Gateway server examines the ticket from the ICA Client and uses information contained in the ticket to identify and contact the STA for ticket validation. If ticket validation is successful, the STA returns the address of the MetaFrame server on which the requested application resides. If the ticket is invalid, or has expired, the STA informs the Secure Gateway server and an error message appears on the client device.
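The two flows described in the scenarios above, the access-token handling (steps 2 to 8 here) and the STA ticket handling (steps 10 to 14 here, steps 7 to 11 in the MetaFrame XP scenario), modelled end to end as an added example. This is constructed illustration code, not Citrix's Secure Gateway implementation: the host names, the 10.0.0.5 server address, the user credentials, the 100-second ticket lifetime, the access_token cookie name and the ICA-file field names are all assumptions. It demonstrates the three properties the text relies on: a request without a token is sent to the Logon Agent, a ticket can be redeemed exactly once and only before it expires, and the MetaFrame server address never appears in what the client receives.

```python
import secrets
from typing import Dict, Optional, Tuple


class AuthenticationService:
    """Secure-network service: checks credentials, issues and verifies access tokens."""

    def __init__(self, users: Dict[str, str], access_center_url: str) -> None:
        self._users = users
        self._access_center_url = access_center_url
        self._tokens: Dict[str, str] = {}  # token -> user name

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Steps 4-5: valid credentials yield an access token, invalid ones None."""
        stored = self._users.get(user)
        # compare_digest keeps the check constant-time so timing does not leak the password
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable and opaque to the browser
        self._tokens[token] = user
        return token

    def verify_token(self, token: str) -> Optional[str]:
        """Step 7: a known token resolves to the access center URL, anything else to None."""
        return self._access_center_url if token in self._tokens else None


class SecureTicketAuthority:
    """Issues single-use, expiring tickets that stand in for MetaFrame server addresses."""

    def __init__(self, lifetime_s: float = 100.0) -> None:
        self.now = 0.0  # simulated clock, advanced by the caller to test expiry
        self._lifetime = lifetime_s  # assumption: the guide states no lifetime
        self._tickets: Dict[str, Tuple[str, float]] = {}  # ticket -> (address, expiry)

    def request_ticket(self, server_address: str) -> str:
        """The server address stays here; the caller only gets an opaque ticket."""
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_address, self.now + self._lifetime)
        return ticket

    def validate_ticket(self, ticket: str) -> Optional[str]:
        """Redeem once; return the address, or None if unknown, already used or expired."""
        entry = self._tickets.pop(ticket, None)  # pop: a captured ticket cannot be replayed
        if entry is None:
            return None
        address, expiry = entry
        return address if self.now <= expiry else None


class SecureGateway:
    """DMZ component: routes HTTP by access token and brokers ICA by STA ticket."""

    LOGON_PAGE = "logon page from Logon Agent"

    def __init__(self, fqdn: str, auth: AuthenticationService, sta: SecureTicketAuthority) -> None:
        self.fqdn = fqdn
        self._auth = auth
        self._sta = sta

    def handle_http(self, cookies: Dict[str, str]) -> str:
        """Step 2: no token -> Logon Agent; token -> verified with the Authentication Service."""
        token = cookies.get("access_token")  # assumed cookie name
        url = self._auth.verify_token(token) if token else None
        return f"proxied {url}" if url else self.LOGON_PAGE  # missing or bad token: logon

    def handle_ica(self, ica_file: Dict[str, str]) -> Optional[str]:
        """Step 14: validate the ticket with the STA, then connect to the returned address."""
        address = self._sta.validate_ticket(ica_file["Ticket"])
        return f"ICA connection to {address}" if address else None  # None: client sees an error


def build_ica_file(gateway_fqdn: str, ticket: str) -> Dict[str, str]:
    """Step 12: the ICA file names the gateway and the ticket, never the MetaFrame server."""
    return {"Address": gateway_fqdn, "Ticket": ticket}  # assumed field names


def run_scenario() -> Dict[str, object]:
    """Drive the whole flow once with constructed data and return the observable results."""
    auth = AuthenticationService({"alice": "correct horse"}, "https://access.internal/")
    sta = SecureTicketAuthority()
    gw = SecureGateway("www.securegateway.company.com", auth, sta)
    server_ip = "10.0.0.5"  # constructed MetaFrame XP server address
    results: Dict[str, object] = {}
    results["no_token"] = gw.handle_http({})
    results["bad_password"] = auth.authenticate("alice", "wrong")
    token = auth.authenticate("alice", "correct horse")
    results["with_token"] = gw.handle_http({"access_token": token})
    results["forged_token"] = gw.handle_http({"access_token": "not-a-real-token"})
    ica = build_ica_file(gw.fqdn, sta.request_ticket(server_ip))
    results["ip_in_ica_file"] = server_ip in str(ica)
    results["first_use"] = gw.handle_ica(ica)
    results["replay"] = gw.handle_ica(ica)  # second redemption of the same ticket
    stale = build_ica_file(gw.fqdn, sta.request_ticket(server_ip))
    sta.now += 101.0  # past the assumed 100 s lifetime
    results["expired"] = gw.handle_ica(stale)
    return results
```

Running run_scenario() shows the untokened request and the forged token both ending at the logon page, the valid token being proxied to the access center, the ICA file carrying no server address, and the second and the expired ticket redemptions failing while the first succeeds.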


Deploying Secure Gateway in a Double Hop DMZ

In the deployment scenarios described above, the DMZ is assumed to be a single stage DMZ, commonly referred to as a single hop DMZ. Depending on the security and network policies practised by your organization, the network may contain a DMZ that is divided into two stages, also referred to as a double hop DMZ.

Secure Gateway for MetaFrame XP is designed to fully support deployment in a double hop scenario. To deploy Secure Gateway in a double hop DMZ, install the Secure Gateway Service in the first hop DMZ and the Logon Agent and Secure Gateway Proxy on separate servers in the second hop DMZ. The Secure Gateway Proxy functions as a conduit for traffic originating from the Secure Gateway Service to servers in the secure network, and vice versa.

How It Works

The illustration above shows a double hop deployment in which Secure Gateway provides secure access to an access center and a MetaFrame XP server farm.


The communications flow is similar to those described in single hop deployment scenarios in the previous sections, except that any communications to servers on the secure network are proxied through the Secure Gateway Proxy.

Depending on the type and configuration of your firewall, it may not be possible to position the Logon Agent or Web Interface for MetaFrame XP in the same DMZ segment as the Secure Gateway in a double hop DMZ. This situation is likely to occur when firewalls are separate physical devices. The Secure Gateway Service must be able to communicate with the Logon Agent or Web Interface server, which in turn must be able to communicate with the Authentication Service on the secure network.

In typical double hop DMZ deployments, the server running the Logon Agent or Web Interface for MetaFrame XP must be located in the second hop DMZ.

All of the deployment scenarios described in “Deployment Scenarios” on page 29 can be deployed in a double hop DMZ. For more information about double hop deployment scenarios, refer to “Using Secure Gateway With MetaFrame Secure Access Manager” on page 65 and “Using Secure Gateway With MetaFrame XP Servers” on page 91.

What To Do Next


Installing Secure Gateway for MetaFrame

This chapter contains information about system requirements and instructions about installing and configuring Secure Gateway software. This chapter contains the following topics:

• Installation Prerequisites

• Certificate Requirements

• Before You Install

• Which Components You Need to Install


Installation Prerequisites

At this point, based on the guidance provided in “Deployment Scenarios” on page 17, you know which Secure Gateway deployment scenario suits your enterprise.

Before proceeding further, ensure that servers on which you intend to install Secure Gateway components meet the minimum hardware and software requirements described below.

For the Secure Gateway Service

Review the following requirements to ensure that the server on which you intend to install the Secure Gateway Service meets the installation prerequisites:

Important To maximize security of the Secure Gateway solution, Citrix recommends you use this server exclusively to run one or more Secure Gateway components.

For the Secure Gateway Proxy

Installation prerequisites for servers running the Secure Gateway Proxy and the Secure Gateway Service are identical.

Server Hardware:

• Recommended minimum requirements for Windows 2000 Server. Refer to the Windows 2000 Server product documentation or see the Microsoft Web site for more information.

• 256MB of RAM.

• Additional 150MB of available hard disk space.

Server Software:

• Microsoft Windows 2000 Server with Service Pack 3 or later. The latest service pack is always recommended.


For the Logon Agent

Review the following minimum requirements to ensure that the server on which you intend to install the Logon Agent meets installation prerequisites:

Server Hardware:

• Recommended minimum requirements for Windows 2000 Server. Refer to the Windows 2000 Server product documentation or see the Microsoft Web site for more information.

• Network Interface Card (NIC).

• Additional 150MB of available hard disk space.

Server Software:

• Microsoft Windows 2000 Server with Service Pack 3 or later. The latest service pack is always recommended.

• IIS 5.0, installed as default on Windows 2000 Servers.

• RSA ACE/Agent. This component must be installed if you wish to install the Logon Agent with support for RSA SecurID two-factor authentication.

For the Secure Ticket Authority

Review the following requirements to ensure that the server on which you intend to install the STA meets installation prerequisites.

Server Hardware:

• Recommended minimum requirements for Windows 2000 Server. Refer to the Windows 2000 Server product documentation or see the Microsoft Web site for more information.

• 256MB of RAM.

• Additional 150MB of available hard disk space.

Server Software:

• Microsoft Windows 2000 Server with Service Pack 3 or later. The latest service pack is always recommended.

• Internet Information Services (IIS) 5.0, installed as default on Windows 2000 servers.


For Client Devices

Client device requirements depend on whether you connect to an access center, or directly to a MetaFrame XP server farm.

If You Are Connecting to MetaFrame Secure Access Manager

To connect to an access center through Secure Gateway, client devices must meet or exceed the following requirements:

Important To install and run the Gateway Client, required for access to internal Web servers aggregated through MetaFrame Secure Access Manager, client devices must be running a 32-bit Windows operating system and Internet Explorer 5.0 or later.

Hardware:

• Standard PC architecture, required to run Internet Explorer 5.0 or later.

• Pointing device.

• Network Interface Card (NIC).

Software:

• Internet Explorer, Version 5.0, 5.5, or 6.0. If you are running Internet Explorer, Version 5.0, ensure Microsoft Internet Explorer High Encryption Pack is installed. See the Microsoft Web site for more information.

• Trusted root certificates required to connect to the Secure Gateway server.


If You Are Connecting to a MetaFrame XP Server Farm

To access published applications on a MetaFrame server farm through Secure Gateway, client devices must meet or exceed the following requirements:

Secure Access Manager Compatibility

Secure Gateway for MetaFrame is compatible with Citrix MetaFrame Secure Access Manager, Version 2.0.

MetaFrame XP Server Compatibility

Secure Gateway, Version 2.0, is compatible with Citrix MetaFrame XP Server for Windows, Version 1.0 with Feature Release 2 or later.

Web Interface for MetaFrame XP Compatibility

Secure Gateway, Version 2.0, is compatible with Web Interface for MetaFrame XP Version 2.0, NFuse Classic, Version 1.61 and 1.7.

Hardware:

• Standard PC architecture, required to run the Citrix ICA Client, Version 6.30 or later. See the ICA Client Administrator’s Guide for more information.

• Pointing device.

• Network Interface Card (NIC).

Software:

• A Web browser (as required to connect to Web Interface for MetaFrame XP or NFuse Classic server). See the Web Interface for MetaFrame XP Administrator’s Guide for a list of supported Web browsers. If you are running Internet Explorer, Version 5.0, ensure Microsoft Internet Explorer High Encryption Pack is installed. See the Microsoft Web site for more information.

• Citrix ICA Client (Version 6.30 or later) software.

• Trusted root certificates required to connect to Secure Gateway for MetaFrame.


Certificate Requirements

Secure Gateway for MetaFrame uses digital certificates to secure connections between remote users connecting through the Internet to enterprise networks. This means that all client devices and secure servers in a Secure Gateway deployment verify each other’s identity and authenticity using digital certificates.

For conceptual information about digital certificates and cryptography, see “Understanding Security Basics” on page 133.

Important If you purchased server certificates from a commercial CA, support for root certificates for most commercial CAs is built into Internet Explorer and Microsoft Windows 2000 Server products. If you obtained server certificates from a private CA or commercial CAs whose root certificates are not supported by the Windows operating system, you must install matching root certificates on all client devices and servers connecting to secure servers.


As shown above, if your DMZ is structured as a single hop DMZ, you need the certificates listed below:

• Root certificates on all client devices that connect to Secure Gateway for MetaFrame.

• Root certificates on every Secure Gateway component that connects to a secure server. For example, in the illustration above, a root certificate must be present on the server running the Secure Gateway Service to verify the server certificate installed on the server running the Authentication Service or the STA.

• A server certificate on the server running the Secure Gateway Service.

• Optional. A server certificate on the server running the Logon Agent. This is required only when the Logon Agent is installed on a separate server, and you require secure communications between the Secure Gateway Service and the Logon Agent.

In the illustration shown above, the Logon Agent and the Secure Gateway Service are installed on the same server. In this case, a single server certificate can be shared by the two components.

• Optional. A server certificate on the server running the STA and the Authentication Service. The STA and the Authentication Service are installed by default when you install Secure Access Manager.


In a Double Hop DMZ Deployment

As shown below, if your DMZ is segmented into a double hop DMZ, you need the certificates listed below:

• Root certificates on all client devices connecting to the Secure Gateway server.

• Root certificates on every Secure Gateway component that connects to a secure server or Web server. For example, in the illustration, an appropriate root certificate must be present on the server running the Secure Gateway Service to verify the server certificate installed on the server running MetaFrame Secure Access Manager.

• A server certificate on the server running the Secure Gateway Service.

• Optional. A server certificate on the server(s) running the Secure Gateway Proxy.

• Optional. A server certificate on the server running the Logon Agent.

• Optional. A server certificate on the server running the STA and the Authentication Service.


Before You Install

• Ensure your hardware and software meet installation prerequisites as described in “Installation Prerequisites” on page 40.

• Install certificates on servers, see “Certificate Requirements” on page 44.

• Print and complete tasks and information described in the Pre-installation Checklist. Keep the completed checklist on hand when you install Secure Gateway for MetaFrame software.

Installation Sequence

The Secure Gateway Service is designed to discover and verify the existence of the other components in your Secure Gateway deployment during configuration. For example, when you configure the Secure Gateway Service, a check is performed to verify that servers running the Logon Agent, Web Interface for MetaFrame XP, STA, and the Authentication Service, if used, are functional. If a required component is not found, the Secure Gateway Service may fail to start. It is therefore important to follow the recommended installation sequence.

1. Always install components on the secure network first.

2. Optional. If your DMZ is segmented into a double hop DMZ, install components in the second hop DMZ next.

3. Install components in the first hop DMZ last.

Which Components You Need to Install

The tables below describe the components required in single and double hop DMZ deployment scenarios.

In a Single Hop DMZ Deployment

To provide secure access to an access center (HTTP and ICA):

• In the DMZ, install: Secure Gateway Service and Logon Agent.

• On the secure network, install: MetaFrame Secure Access Manager.

To provide secure access to a MetaFrame XP server farm (ICA only):

• In the DMZ, install: Secure Gateway Service and Web Interface for MetaFrame XP.

• On the secure network, install: STA.


In a Double Hop DMZ Deployment

To provide secure access to an access center (HTTP and ICA):

• In the first hop DMZ, install: Secure Gateway Service.

• In the second hop DMZ, install: Secure Gateway Proxy and Logon Agent.

• On the secure network, install: MetaFrame Secure Access Manager and MetaFrame XP Server.

To provide secure access to a MetaFrame XP server farm (ICA only):

• In the first hop DMZ, install: Secure Gateway Service.

• In the second hop DMZ, install: Secure Gateway Proxy and Web Interface for MetaFrame XP.

• On the secure network, install: STA.

Installing Secure Gateway for MetaFrame

The Secure Gateway installer is designed so you can install the Secure Gateway Service and the Logon Agent, or the Secure Gateway Proxy. To install a Secure Gateway component, do the following:

1. Insert the CD containing Secure Gateway software. In the menu displayed, click Secure Gateway for MetaFrame. The installation wizard is launched and, after a brief interval during which the installer checks the server for installed applications, the Select Components dialog box appears.

2. In the Installation Mode section, select one of the following options:

• Secure Gateway Service: Select this option to install the Secure Gateway Service software. If you choose to install the Secure Gateway Service, you are also presented with the option of installing the Logon Agent. The Logon Agent can be installed in Basic mode or with support for RSA SecurID integration.

• Secure Gateway Proxy: Select this option only if your DMZ is set up as a double hop DMZ and you wish to install the Secure Gateway Proxy in the second hop DMZ.

3. In the Citrix MetaFrame products to secure section, select the option representative of the server products you want Secure Gateway to provide access to:

• MetaFrame Secure Access Manager and MetaFrame XP Server(s): Select this option if you wish to deploy Secure Gateway to provide secure Internet access to servers running MetaFrame Secure Access Manager and MetaFrame XP Server.


• MetaFrame Secure Access Manager: Select this option if Secure Gateway is being deployed to provide secure Internet access exclusively to an access center hosted on a MetaFrame Secure Access Manager server.

• MetaFrame XP Server(s): Select this option if Secure Gateway is being deployed to provide secure Internet access directly to published resources hosted on MetaFrame XP servers.

Click Next.

4. Accept the license agreement and click Next.

5. View information specific to the installation of the software and click Next.

6. In the Select Features dialog, click the component you wish to install and select Will be installed on local hard drive from the menu displayed. If you wish to install a component on a different server, select Entire feature will be unavailable. Click Next.

7. Click Finish in the Ready to Install the Application dialog. The installation program starts.


Configuring Secure Gateway Components

Configuration wizards for each Secure Gateway component are launched when installation is complete. Each configuration wizard guides you through configuration tasks and provides context-sensitive Help describing the task and values you need to enter.

Deployment based configuration instructions for each Secure Gateway component are described in “Using Secure Gateway With MetaFrame Secure Access Manager” on page 65 and “Using Secure Gateway With MetaFrame XP Servers” on page 91.

Upgrading Secure Gateway Components

You can upgrade previous versions of the Secure Gateway Service or the STA to Version 2.0.

When you run the Secure Gateway installer on a server it automatically checks for installed versions of Secure Gateway for MetaFrame. If a previously installed version of Secure Gateway software is detected, you are given the option to upgrade or remove the previous version.

Important Upgrades are not available for the Secure Gateway Proxy and the Logon Agent. These components are new in Secure Gateway for MetaFrame, Version 2.0.

Uninstalling a Secure Gateway Component

You can uninstall Secure Gateway components using Add/Remove Programs in Control Panel.

To uninstall Secure Gateway software

1. Exit any applications running on the server.

2. Choose Start > Settings > Control Panel > Add/Remove Programs.


Using Secure Gateway for MetaFrame

This chapter describes usage of the management and diagnostic tools available for Secure Gateway for MetaFrame. It also describes the Gateway Client for MetaFrame, which is downloaded to client devices from an access center and provides the proxying mechanism required to browse internal Web servers through Secure Gateway.

This chapter contains the following topics:

• Tools Available When You Install the Secure Gateway Service

• Using the Configuration Tools

• Using the Secure Gateway Management Console

• Monitoring Secure Gateway Service Performance

• Using the Gateway Client for MetaFrame


Tools Available When You Install the Secure Gateway Service

When you install the Secure Gateway Service, shortcuts for the Secure Gateway Service Configuration, the Secure Gateway Management Console, and the Secure Gateway Diagnostics wizard are added to the Secure Gateway program menu on your Windows Start menu.

If you install the Logon Agent on the same server as the Secure Gateway Service, a shortcut to the Logon Agent Configuration wizard is also added to the Secure Gateway program menu on your Windows Start menu.

Using the Configuration Tools

Use the configuration tools to configure Secure Gateway components. To launch the Secure Gateway Service Configuration wizard, from the Windows Start menu, select Programs > Citrix > Secure Gateway > Secure Gateway Service Configuration.


Using the Secure Gateway Management Console

The Secure Gateway Management Console is a Microsoft Management Console (MMC) snap-in and provides an administrator with tools to administer, monitor, and troubleshoot Secure Gateway for MetaFrame.

The Secure Gateway Management Console contains shortcuts for the following tools:

ICA Sessions: Click this icon to view a listing of all ICA connections currently running through the Secure Gateway Service.

HTTP/S Sessions: Click this icon to view a listing of all HTTPS connections currently running through the Secure Gateway Service.

Secure Gateway Event Log: Displays the Windows Event Viewer with the application log for the Secure Gateway.

Secure Gateway Performance Statistics: Displays an instance of the Windows Performance Monitor containing performance statistics applicable to the Secure Gateway Service. Review this list to obtain detailed information about utilization of operating system resources.


Monitoring Secure Gateway Service Performance

Monitoring system performance is an important part of maintaining and administering a Secure Gateway deployment. Performance data can be used to:

• Understand the workload on the Secure Gateway Service, and the corresponding effect it has on system resources.

• Observe changes and trends in workloads and resource usage so you can plan system sizing and failover.

• Test changes in configuration or other tuning efforts by monitoring the results.

• Diagnose problems and target components or processes for optimization.

Citrix recommends that you regularly monitor performance of the Secure Gateway Service as part of your administrative routine.

Viewing Secure Gateway Performance Statistics

You can display an instance of the Windows Performance monitor from the Secure Gateway Management Console.

To view Secure Gateway performance statistics

1. Select Start>Programs>Citrix>Secure Gateway>Secure Gateway Management Console.

2. In the tree view, select Secure Gateway Performance Statistics. Performance statistics for the Secure Gateway Service appear in the right pane.


What Counters Are Available for the Secure Gateway Service

The following performance counters are available for the Secure Gateway Service:

Total Successful Connections (Total): Specifies the total number of successful client connection requests. This counter is incremented when a client is successfully connected to the requested server (access center or MetaFrame server). It is the sum of the Total Successful Connections (HTTP/S) and Total Successful Connections (ICA) counters.

Total Successful Connections (HTTP/S): Specifies the total number of successful HTTP/S client connection requests. This counter is incremented when an HTTP/S client is connected to the requested access center or internal Web server through Secure Gateway. It is the sum of the Total Successful Validations (Cached) and Total Successful Validations (Requests) counters.

Total Successful Connections (ICA): Specifies the total number of successful ICA connection requests. The counter is incremented when the client is connected to the requested MetaFrame server through Secure Gateway.

Failed Connections (Total): Specifies the total number of failed client connection requests. The counter is incremented when a client fails to complete the handshaking process or a connection could not be established to the requested resource. It is the sum of the Failed Connections (Timed Out), Failed Connections (SSL Error), Failed Connections (Server Connect Error), Failed Connections (STA or AS Error), and Failed Connections (ACL Rejected) counters.

Failed Connections (Timed Out): Specifies the total number of client connection requests that were accepted but timed out before initiating the handshake. The counter is incremented when the client completes the TCP handshake but does not initiate the protocol handshake within the allowed time interval.

Failed Connections (SSL Error): Specifies the total number of client connection requests that were accepted but did not successfully complete the SSL handshake.

Failed Connections (Server Connect Error): Specifies the total number of client connection requests accepted by the Secure Gateway that failed because the Secure Gateway was unable to establish a connection to the requested resource (access center or MetaFrame server). The counter is incremented when the Secure Gateway Service tries to connect to the requested server and is unable to, for example because the server is unavailable or its address cannot be resolved. In a double-hop deployment, you may get a failed connection error where the Secure Gateway Service completes connection processing but the Secure Gateway Proxy is unable to.

Failed Connections (STA or AS Error): Specifies the total number of client connection requests that were accepted but failed because of an unsuccessful validation request to the STA or the Authentication Service. The counter is incremented when the Secure Gateway Service attempts to validate the ticket or access token with the STA or Authentication Service respectively and validation fails. Validation may fail because the cookie or ticket is invalid or corrupt, the ticket has expired, or the authority service is unavailable.

Failed Connections (ACL Rejected): Specifies the total number of client connection requests that failed because the access control lists (ACLs) on the Secure Gateway do not allow the Secure Gateway to establish connections to a requested resource (hosted on an access center or MetaFrame server) or to accept connections from a specific client IP address.
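As an added example that is not part of the Citrix guide, the following Python script takes two consecutive readings of the cumulative counters listed above, checks them against the sum relationships the guide documents, and flags any failure category whose share of the interval's connection attempts exceeds a threshold (a rising SSL Error or ACL Rejected rate is what an administrator would want to notice first). The counter values, the 5% threshold and the minimum attempt count are constructed for illustration; how the values are read from Performance Monitor is outside the script.

```python
# Counter names exactly as listed in the guide's table; values are cumulative totals.
SUCCESS_TOTAL = "Total Successful Connections (Total)"
SUCCESS_HTTPS = "Total Successful Connections (HTTP/S)"
SUCCESS_ICA = "Total Successful Connections (ICA)"
FAILED_TOTAL = "Failed Connections (Total)"
FAILURE_COUNTERS = (
    "Failed Connections (Timed Out)",
    "Failed Connections (SSL Error)",
    "Failed Connections (Server Connect Error)",
    "Failed Connections (STA or AS Error)",
    "Failed Connections (ACL Rejected)",
)

# Two constructed samples, as read some minutes apart; SSL errors and ACL rejections jump.
SAMPLE_T0 = {
    SUCCESS_TOTAL: 1200, SUCCESS_HTTPS: 800, SUCCESS_ICA: 400, FAILED_TOTAL: 30,
    "Failed Connections (Timed Out)": 10, "Failed Connections (SSL Error)": 8,
    "Failed Connections (Server Connect Error)": 5,
    "Failed Connections (STA or AS Error)": 4, "Failed Connections (ACL Rejected)": 3,
}
SAMPLE_T1 = {
    SUCCESS_TOTAL: 1500, SUCCESS_HTTPS: 1000, SUCCESS_ICA: 500, FAILED_TOTAL: 93,
    "Failed Connections (Timed Out)": 12, "Failed Connections (SSL Error)": 40,
    "Failed Connections (Server Connect Error)": 6,
    "Failed Connections (STA or AS Error)": 5, "Failed Connections (ACL Rejected)": 30,
}

def check_invariants(sample):
    """Return the documented sum relationships a sample violates (empty when consistent)."""
    problems = []
    if sample[SUCCESS_TOTAL] != sample[SUCCESS_HTTPS] + sample[SUCCESS_ICA]:
        problems.append("Total Successful Connections (Total) != HTTP/S + ICA")
    if sample[FAILED_TOTAL] != sum(sample[c] for c in FAILURE_COUNTERS):
        problems.append("Failed Connections (Total) != sum of failure counters")
    return problems

def failure_alerts(prev, cur, max_ratio=0.05, min_attempts=20):
    """Diff two consecutive samples of the cumulative counters and return
    (counter, new failures, share of attempts) for each category above max_ratio."""
    delta = {k: cur[k] - prev[k] for k in cur}
    attempts = delta[SUCCESS_TOTAL] + delta[FAILED_TOTAL]  # successes + failures this interval
    if attempts < min_attempts:  # too few events for a meaningful ratio
        return []
    return [(c, delta[c], round(delta[c] / attempts, 3))
            for c in FAILURE_COUNTERS if delta[c] / attempts > max_ratio]

if __name__ == "__main__":
    for counter, count, ratio in failure_alerts(SAMPLE_T0, SAMPLE_T1):
        print(f"ALERT {counter}: {count} new failures, {ratio:.1%} of attempts")
```

A sample that fails `check_invariants` usually means the counters were read at different instants rather than that the service is faulty; re-sample before acting on the ratios.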
