Application Note. Citrix Presentation Server through a Citrix Web Interface with OTP only

Transcription

1 Application Note Citrix Presentation Server through a Citrix Web Interface with OTP only

2 ii Preface All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto s information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, GEMENOS CEDEX, FRANCE. Tel: +33 (0) Fax: +33 (0) Printed in France. Document Reference: September 20, 2007

3 Contents Preface... vi Who Should Read This Book...vi For More Information...vi Conventions... vii Contact Our Hotline... vii Overview... 1 Main steps... 1 Architecture... 2 Elements description... 3 Authentication process... 4 Configure the Domain Controller Server... 5 Configure Citrix Web Interface... 8 Configure the Internet Authentication Service IAS RADIUS prerequisites Add a RADIUS Client Configure Access Policies Install and configure SA Server agent for IAS Restart IAS Configure the Gemalto Strong Authentication Server Configure the ISA Server Rule creation Authentication server configuration Saving the rule changes and restarting the firewall service GXO/OSG SMS Layer Connector...Error! Bookmark not defined. Modifying the CLASSPATH... Error! Bookmark not defined. OTACS Size Allocation... Error! Bookmark not defined. Terminology...Error! Bookmark not defined. Abbreviations... Error! Bookmark not defined. Glossary... Error! Bookmark not defined. References...Error! Bookmark not defined. Standards and Specifications... Error! Bookmark not defined.

4 iv Preface Web Site Addresses... Error! Bookmark not defined. Other Gemalto Documentation... Error! Bookmark not defined. Index...Error! Bookmark not defined. List of Figures Figure 1 - Architecture... 2 Figure 2 - Authentication process... 4 Figure 3 - Allowing authentication delegation to the ISA 2006 Server... 5 Figure 4 - Selecting authentication protocol... 6 Figure 5 - Select Users or Computers... 6 Figure 6 - Add Services... 7 Figure 7 - ISA 2006 Server Properties... 7 Figure 8 Access Management Console... 8 Figure 9 Create Site... 9 Figure 10 - Specify IIS Location... 9 Figure 11 - Specify Configuration Source Figure 12 - Specify Authentication Settings Figure 13 - Confirm Settings For New Site Figure 14 - Creating Site Figure 15 - Welcome to the Specify Initial Configuration Wizard Figure 16 Specify Server Farm Figure 17 - Select Application Type Figure 18 - Confirm Settings Figure 19 - Access Management Console Figure 20 - Configure Authentication Methods Figure 21 - Properties Figure 22 - IAS RADIUS Server Figure 23 - New RADIUS Client Figure 24 - New RADIUS Client Figure 25 - Policy Configuration Method Figure 26 - Policy Conditions Figure 27 - Attribute type Figure 28 - Client IP Address Figure 29 - Policy Conditions Figure 30 - Selecting Permissions Figure 31 - Editing Dial-In Profile Figure 32 - Encryption Type Figure 33 - Connection Request Authentication Figure 34 - Connection Request Policies Figure 35 - SA Server Agent install Shield Wizard Figure 36 - License Agreement Figure 37 - Configuring SA Server URL Figure 38 - Installing the SA IAS Agent Figure 39 - Finishing the Installation Figure 40 - Stopping the IAS Service Figure 41 - Starting the IAS Service Figure 42 - Firewall Policy Figure 43 - Create Access Rule Figure 44 - New Web Publishing Rule Wizard... 30

5 v Figure 45 - Publishing Type Figure 46 - Server Connection Security Figure 47 - Internal Publishing Details Figure 48 - Setting Public Name Details Figure 49 - Selecting Web Listener Figure 50 - Web Listener Name Figure 51 - Client Connection Security Figure 52 - Web Listener IP Addresses Figure 53 - Listener SSL Certificates Figure 54 - Select Certificate Figure 55 - Listener SSL Certificates Figure 56 - Authentication Settings Figure 57 - Single Sign On Settings Figure 58 - Completing the New Web Listener Wizard Figure 59 - Select Web Listener Figure 60 - Authentication Delegation Figure 61- User Sets Figure 62 - Completing the New Web Publishing Rule Wizard Figure 63 - Kerberos Constrained Delegation Figure 64 - Web Listener properties Figure 65 - Authentication Properties Figure 66 - Authentication Servers Figure 67 - Adding RADIUS Server Figure 68 - Shared Secret Figure 69 - IAS server Figure 71 - Applying changes Figure 72 - Saving Configuration Changes Figure 73 - Monitoring Figure 74 - Stopping the Firewall service Figure 75 - Starting the Firewall service... 47

6 vi Preface Preface The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets. This solution enables organizations to deploy a strong authentication solution for their end-users, whether local or remote. The system can service a broad range of deployments, from small corporations with less than 100 users to ISPs with potentially millions of userswho Should Read This Book Who Should Read This Book This guide is intended for system administrators responsible for configuring the ISA, SA Server and Citrix Web Interface in order to use Gemalto OTP devices to authenticate mobile users with ISA Administrators should be familiar with: Citrix Web Interface. The Gemalto SA Server system architecture. Microsoft Internet Security and Acceleration Server For More Information For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD). For more information about other supported components, see the manufacturer s documentation for those products.

7 vii Conventions The following conventions are used in this document: In this manual, the following highlighting styles are used: Bold Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values. Italic Variables that you must replace with a value, book titles, news or emphasized terms. In this manual, hyperlinks are marked as described below Internal Links Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book. External Links Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or program) to navigate to that Web address or compose an . In this manual, notes and cautions are marked like this: Notes: Information that further explains a concept or instruction, tips, and tricks. Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure. Contact Our Hotline If you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at Please note the document reference number, your job function, and the name of your company. (You will find the document reference number at the bottom of the legal notice on the inside front cover.)

8

9 1 Overview This document provides a deployment scenario to show you how it is possible to configure the Microsoft ISA 2006 Server to use Gemalto SA Server to authenticate Mobiles Users in order to get access to applications through Citrix Web Interface. Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system. Main steps The main steps are: 1. SA Server installation 2. RADIUS Server configuration a. Installation b. Remote access rule creation c. SA agent installation 3. ISA 2006 Server configuration 4. Citrix Web Interface configuration 5. Domain Controller configuration

10 2 Preface Architecture Figure 1 - Architecture

11 3 Elements description To provide SA Server authentication for mobile users, your system requires the following pre-requisites: A Microsoft Internet Security and Acceleration Server 2006 installed on a Microsoft Windows 2003 Server. The server has got two physical interfaces and is able to act as a gateway from the Internal Network to the External Network. o o o <IP internal address> allows access to the Internal Network. This network is seen as a trusted network. In our laboratory <IP internal address> was <IP external address> represents the IP address of the physical interface visible from the External Network. This address will be set during the appliance configuration. The External Network is seen as a not trusted network. In our laboratory <IP external address> was We named the ISA Server isawi, this name will appear in the next screenshots. An AD Domain machine hosting an Active Directory LDAP and acting as domain controller. In our laboratory the domain hosted by AD Domain was w2k3.gemsafe.gem. We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access from the External Network to the Internal Network through the ISA 2006 Server. Their accounts must be configured to allow remote access control. A Microsoft Certification Authority used to issue web certificates to the web servers. In our laboratory, the Certification Authority was installed on the server hosting the Domain Controller. A Citrix Web Interface. You will have to create and configure a website. These steps will not be treated in the following document; we will mention only the creation of the website and the configuration steps taking part in the authentication process. In our laboratory, the Citrix Web Interface server was named wi.w2k3.gemsafe.gem. <IP web interface address> was A Citrix Presentation Server. You will have to provide the applications for mobiles users. The provision of the applications will not be explained in this document. In our laboratory the Citrix Presentation Server is citrixpsonly. A Gemalto SA Server, We have installed the server in a Mixed mode. It is supposed to be provisioned for devices and users. <Base URL SA Server> will be used to refer to the URL that should be used to access SA Server. In our laboratory <Base URL SA Server> was A RADIUS Server, This server is the link between ISA 2006 Server and the Gemalto SA Server. o o IAS RADIUS for which <IP IAS address> will be used to refer to IAS RADIUS server IP address. In our laboratory, <IP IAS address> was You will have to install the Gemalto IAS Agent. In order to demonstrate a successful authentication, we also need: VPN Client machines. We used standard XP SP2 machines. These are the kind of machines that will be used by Mobile

12 4 Preface Users. Authentication process To allow mobile users getting access to the published applications, we use the Kerberos Constrained Delegation feature available on Microsoft ISA The following schema shows the authentication process based on the Kerberos Constrained Delegation feature. Figure 2 - Authentication process Step 1, receipt of client credentials: The client sends a request to connect to the applications in the internal network. The client provides the credentials in an HTML form. Steps 2 and 3, sending credentials: ISA Server sends the credentials to the authentication provider. The authentication provider in our case is a RADIUS server, the Gemalto agent snaps the credentials and send them to the Strong Authentication Server. Once the credentials accepted, the RADIUS server sends an acknowledgment notifying that the user is authenticated. The ISA 2006 server generates a Kerberos ticket. Step 4, authentication delegation: ISA Server forwards the client's request to the Citrix Web Interface, and authenticates itself to the Citrix Web Interface using the client's credentials. Step 5, server response: The Citrix Web Interface sends a response to the client, which is intercepted by ISA Server. Step 6, forwarding the response: ISA Server forwards the response to the client.

13 2 Configure the Domain Controller Server Here is the main configuration steps needed to be accomplished on the Domain Controller. Figure 3 - Allowing authentication delegation to the ISA 2006 Server 1. On Active Directory Users and Computers, select Computer 2. Right-click on your <ISA 2006 Server name>, select Properties, Note: In our laboratory, the ISA 2006 Server was named ISAWI.

14 6 Configure the Domain Controller Server Figure 4 - Selecting authentication protocol 3. On Delegation tab, check Trust this computer for delegation to specified services only, 4. Check Use any authentication protocol. 5. Click on Add. Figure 5 - Select Users or Computers 6. Type exchange and click Check Names to verify the name, 7. Click on OK.

15 Configure the Domain Controller Server 7 Figure 6 - Add Services 8. Select the http as Service Type. 9. Click on OK. Figure 7 - ISA 2006 Server Properties 10. Click on OK,

16 3 Configure Citrix Web Interface To configure Kerberos with Citrix Web Interface, you must launch Access Management Console. Figure 8 Access Management Console 1. In Access Management Console, click right on Web Interface and select Create site.

17 Configure Citrix Web Interface 9 Figure 9 Create Site 2. Select Access Platform site and click on Next. Figure 10 - Specify IIS Location 3. Click on Next.

18 10 Configure Citrix Web Interface Figure 11 - Specify Configuration Source 4. Select Local File(s) and click on Next. Figure 12 - Specify Authentication Settings 5. Click on Next.

19 Configure Citrix Web Interface 11 Figure 13 - Confirm Settings For New Site 6. Click on Next. Figure 14 - Creating Site 7. Check Configure this site now and click on Finish.

20 12 Configure Citrix Web Interface Figure 15 - Welcome to the Specify Initial Configuration Wizard 8. Click on Next.

21 Configure Citrix Web Interface 13 Figure 16 Specify Server Farm 9. In Farm name field, type your farm name, in our case we choice Farmgemsafe. Then in Server field click on Add and type your Presentation Server. In our case, it s citrixpsonly.w2k3.gemsafe.gem and in XML service port enter Note: The XML service port is defined in your Presentation Server. The default port is 8888.

22 14 Configure Citrix Web Interface Figure 17 - Select Application Type 10. Select Remote and click on Next. 11. Select Direct (users enter the Web Interface URL) and click on Next.

23 Configure Citrix Web Interface 15 Figure 18 - Confirm Settings 12. Click on Finish. Figure 19 - Access Management Console 13. In Access Management Console, in Web Interface select In Common Task, click on Configure authentication methods.

24 16 Configure Citrix Web Interface Figure 20 - Configure Authentication Methods 14. Check Pass-through and click on Properties. Figure 21 - Properties 15. In Pass-through tab, select Kerberos Authentication and check use Kerberos authentication to connect to servers.

25 4 Configure the Internet Authentication Service We used the IAS server version embedded in Windows Server 2003 SP1. IAS RADIUS prerequisites The IAS RADIUS installation is not described in this document. It is presumed to be already done. Check IAS RADIUS Server domain The IAS RADIUS server must be part of the AD Domain as IAS RADIUS has to check that each Mobile User has an account in the directory. Access to IAS administration You have to: Click on Start and Select Administrative Tools Select Internet Authentication Service

26 18 Configure the IAS Figure 22 - IAS RADIUS Server Add a RADIUS Client You now have to add the ISA 2006 Server as a RADIUS client: Right click on RADIUS Clients and Select New RADIUS Client Figure 23 - New RADIUS Client 1 In Friendly name enter a name for Microsoft ISA Server 2006, In Client address (IP or DNS) enter the <IP internal address>. In our laboratory, we used Click on Next.

27 19 Figure 24 - New RADIUS Client 2 Select RADIUS Standard for Client-Vendor: Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you entered when you configured the authentication type page 42) Click on [Finish] to validate those parameters. Configure Access Policies You have to add a new remote access policy: Right click on Remote Access Policies and Select New Remote Access Policy Click on Next in the wizard windows Figure 25 - Policy Configuration Method Select Set up a custom policy choice in How do you want to set up this policy and add a friendly name in Policy name. Click on Next.

28 20 Configure the IAS Figure 26 - Policy Conditions Click on Add in Policy Conditions window Figure 27 - Attribute type Select Client-IP-Address in Attribute types: and click on Add Figure 28 - Client IP Address Enter <IP internal address> in Type a word or a wild card (for example, abc.*): and click on OK.

29 21 Figure 29 - Policy Conditions Click on Next. Figure 30 - Selecting Permissions Select Grant remote access permission in If a connection request matches the specified conditions: and click on Next.

30 22 Configure the IAS Figure 31 - Editing Dial-In Profile Click on Edit Profile in the profile window Select Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP) Select Encryption tab Figure 32 - Encryption Type Check only the No encryption box. Then click on OK

31 23 In the Profile window, click on Next. In the New Remote Access Policy Wizard window, click on Finish. The new policy is now available. Configure Connection Request Policies You have to add a new connection request policy: In Connection Request Processing, right click on Connection Request and select New Connection Request Policy Click on Next in the wizard window Select A custom policy, enter a name in Policy name and click on Next In the Policy conditions windows, click on Add, select Client-IP-Address, Click on Add, enter <IP Internal Address>, click on OK and cick on Next. In the Request Processing Method, click on Edit Profile. Figure 33 - Connection Request Authentication In the Authentication tab, select Authenticate requests on this server and click on OK. In the Request Processing Method window, click on Next. In the New Connection Request Policy Wizard window, click on Finish.

32 24 Configure the IAS Figure 34 - Connection Request Policies The new policy is now available. Install and configure SA Server agent for IAS You now have to install the SA Server IAS agent on the IAS RADIUS server. This component will forward all authentication requests received by IAS to SA Server. Double-click on IAS_AgentSetup.exe on the IAS RADIUS server, Figure 35 - SA Server Agent install Shield Wizard Click on Next.

33 25 Figure 36 - License Agreement Select I accept the terms in the license agreement and click on Next. Figure 37 - Configuring SA Server URL You now have to enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL: Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don t forget to replace the proposed protiva path by saserver as it is now the default choice used during SA Server installation. Click on Next,

34 26 Configure the IAS Figure 38 - Installing the SA IAS Agent Click on Install. Figure 39 - Finishing the Installation Click on Finish. Restart IAS To launch the installed agent, you now have to re-start IAS. In Internet Authentication Service window, click on in the toolbar to stop IAS.

35 27 Figure 40 - Stopping the IAS Service Then, click on the green arrow in the same toolbar to restart the server and take the changes into account. Figure 41 - Starting the IAS Service

36 28 Configure the IAS 5 Configure the Gemalto Strong Authentication Server For the installation and the configuration steps, please refer to the Gemalto SA Server documentations.

37 29 6 Configure the ISA Server 2006 As represented in the figure 1, we chose to install the Microsoft ISA Server 2006 as a front end firewall. This configuration devises space on two different networks: an internal one, which represents the corporation local area network, and an external network (Internet). We will now describe the access rules that must be created in order to manage mobile user s access. Rule creation Launch the ISA Server Management, Figure 42 - Firewall Policy In the Microsoft Internet Security and Acceleration Server node, select Firewall Policy (isawi).

38 30 Configure the IAS Figure 43 - Create Access Rule In the Tasks tab, click on Publish Web Sites, The New Web Publishing Rule Wizard will appear, Figure 44 - New Web Publishing Rule Wizard In Web publishing rule name, enter the access rule name, Click on Next,

39 31 Figure 45 - Publishing Type In the Publishing Type window, select the type that meet your enterprise infrastructure, Note: In our laboratory, we chose Publish a single web site or load balancer. Click on Next,

40 32 Configure the IAS Figure 46 - Server Connection Security Click on Next, Select Use SSL to connect to the published Web server or server farm,

41 33 Figure 47 - Internal Publishing Details In Internal Site name, enter the Web site name, Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem. Figure 48 - Setting Public Name Details

42 34 Configure the IAS In Accept requests for, select Any domain name. In Public name, enter the site name, Note: In our laboratory, the web internal site name was wi.w2k3.gemsafe.gem. Figure 49 - Selecting Web Listener Click on New...

43 35 Figure 50 - Web Listener Name In Web listener name, enter a name, Note: In our laboratory, we chose Web Interface listener as listener name. Figure 51 - Client Connection Security Select Require SSL secured connections with clients, Click on Next.

44 36 Configure the IAS Figure 52 - Web Listener IP Addresses In Web Listener IP Addresses window, Check External, Check ISA Server will compress content sent to clients through this Web Listener[ ], Click on Next. Figure 53 - Listener SSL Certificates

45 37 Check Use a single certificate for this Web Listener, Click on Select Certificate Figure 54 - Select Certificate Select the valid web certificate that meets your configuration, Click on Select. Note: The web certificate must be installed in Local Computer Certificate Store to be considered as valid. In our laboratory, the web certificate was issued to wi.w2k3.gemsafe.gem.

46 38 Configure the IAS Figure 55 - Listener SSL Certificates Click on Next. Figure 56 - Authentication Settings In Select how clients will provide credentials to ISA Server, select HTML Form Authentication. In Select how ISA Server will validate client credentials, select Radius OTP.

47 39 Click on Next. Figure 57 - Single Sign On Settings In the Single Sign On Setting window, check Enable SSO for Web sites published with this Web listener, In SSO domain name, type your enterprise domain name, Note: In our laboratory, the domain name was w2k3.gemsafe.gem.

48 40 Configure the IAS Figure 58 - Completing the New Web Listener Wizard Click on Finish. Figure 59 - Select Web Listener Click on Next.

49 41 Figure 60 - Authentication Delegation In Select the method used by ISA Server [ ], select Kerberos constrained delegation, In Type the Service Principal Name (SPN) [ ], enter your Web Interface. Note: In our laboratory, the SPN was Click on Next. Figure 61- User Sets

50 42 Configure the IAS In the User Sets window, make sure that the All Authenticated Users item is selected, Click on Next. Figure 62 - Completing the New Web Publishing Rule Wizard Click on Finish. Figure 63 - Kerberos Constrained Delegation Note: This window refers to the Domain Controller configuration step. We must allow the Kerberos Constrained Delegation to ISA 2006 Server. Please refer to the Domain Controller Configuration part. Authentication server configuration After you create the Web publishing rule, you need to set up the authentication server. The Gemalto strong authentication solution is based on the RADIUS Protocol. This section describes the configuration steps that need to be done on the ISA 2006 Server. On the Firewall Policy Rules, right-click on the Citrix Web Interface rule, Select Properties.

51 43 Figure 64 - Web Listener properties On the Citrix Web Interface window, select Listener tab, Click on Properties, Figure 65 - Authentication Properties On the Web Interface Listener Properties window, select Authentication tab,

52 44 Configure the IAS Click on Configure Validation Servers Figure 66 - Authentication Servers On the Authentication Servers window, select RADIUS Servers tab, Click on Add Figure 67 - Adding RADIUS Server

53 45 In Server name, enter the IAS server name or <IP IAS address>, In Server description, enter a description, In Shared secret Click on Change Figure 68 - Shared Secret Enter the RADIUS shared secret, Click on OK twice. Figure 69 - IAS server Click on OK twice.

54 46 Configure the IAS Saving the rule changes and restarting the firewall service Figure 70 - Applying changes Click on Apply to save the changes. Figure 71 - Saving Configuration Changes Click on OK. To restart the Microsoft ISA 2006 Server service proceed as follows, Figure 72 - Monitoring In the Microsoft Internet Security and Acceleration Server tree, select Monitoring,

55 47 Figure 73 - Stopping the Firewall service Right-click on Microsoft Firewall, Click on Stop. Figure 74 - Starting the Firewall service Right-click on Microsoft Firewall, Click on Start.

56 48 Configure the IAS 7 Client connection On the client workstation, open your web browser and type the ISA Server external IP address or the DNS name associated to it, Figure 75 - Security Alert In the Security Alert window, click on Yes,

57 49 Figure 76 - User authentication web page In the User name, enter the user name, Note: In our laboratory, we have created a user named sasadmin. In Passcode, enter the OTP given by the Gemalto token followed by the user password. Click on Log On.

58 50 Configure the IAS Figure 77 Citrix Web Interface You have now access to the published application.