How To Configure A Citrix Access Gateway Standard Edition Administrator Administrator S Guide

Transcription

1 Citrix Access Gateway Standard Edition Administrator s Guide Citrix Access Gateway TM 4.5

2 Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included on your product CD-ROM. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc Citrix Systems, Inc. All rights reserved. Citrix, ICA (Independent Computing Architecture) and Program Neighborhood are registered trademarks, and Citrix Presentation Server, Access Gateway, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries. RSA RSA Security Inc., All Rights Reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( AOL Instant Messenger is a registered trademark of America Online, Inc. McAfee Personal Firewall Plus is a registered trademark of McAfee, Inc. Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. ZoneAlarm is a trademark or registered trademark of Zone Labs LLC in the United States and other countries. Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc (CJKV Information Processing, by Ken Lunde. ISBN: ) All rights reserved. Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright 2005 Macrovision Corporation. All rights reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. SafeWord Remote Access, SafeWord for Citrix, and SafeWord PremierAccess are registered trademarks or trademarks of Secure Computing Corporation. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Win32, Outlook, ActiveX, Active Directory, MSN Messenger, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Firefox is a trademark of the Mozilla Foundation. BlackICE PC Protection is trademark of Network Ice Corporation. ICQ is a trademark or servicemark of ICQ. UNIX is a registered trademark of The Open Group. Softerra is a trademark of Softerra LLC. Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners. Document Code: August 23, 2006 (MS)

3 CONTENTS Contents Chapter 1 Chapter 2 Chapter 3 Introduction How to Use This Guide Document Conventions Getting Service and Support Subscription Advantage Knowledge Center Watches Education and Training Related Documentation Introducing Citrix Access Gateway Access Gateway Technologies Access Gateway Modes of Operation Functions of the Access Gateway New Features Planning Your Deployment Deploying the Access Gateway Access Gateway in the Network DMZ Installing the Access Gateway in the DMZ Access Gateway Connectivity in the DMZ Access Gateway in a Secure Network Access Gateway Connectivity in a Secure Network Security Considerations Configuring Secure Certificate Management Authentication Support Deploying the Access Gateway with Citrix Presentation Server Deploying the Access Gateway in the DMZ with Citrix Presentation Server..28 Deploying the Access Gateway in a Double-Hop DMZ Deploying Additional Appliances for Load Balancing and Failover Deploying Access Gateway Appliances behind a Load Balancer

4 4 Citrix Access Gateway Standard Edition Administrator s Guide Deploying Access Gateway Advanced Edition Multiple Servers in an Access Server Farm Chapter 4 Chapter 5 Installing the Access Gateway for the First Time Getting Ready to Install the Access Gateway Materials and Information Needed for Installation Setting Up the Access Gateway Hardware Configuring TCP/IP Settings for the Access Gateway Configuring TCP/IP Settings Using the Serial Console Configuring TCP/IP Settings Using Network Cables Configuring TCP/IP Settings for a Double-Hop Deployment Restarting the Access Gateway Configuring the Access Gateway for Your Network Environment Installing Licenses Obtaining Your License Files Configuring Licenses for Multiple Appliances Information about Your Licenses Updating Existing Licenses Licensing Grace Period Testing Your License Installation Creating and Installing Certificates Overview of the Certificate Signing Request Creating a Certificate Signing Request Installing a Certificate and Private Key from a Windows Computer Installing Root Certificates on the Access Gateway Installing Multiple Root Certificates Configuring Additional Network Settings Configuring Name Service Providers Editing the HOSTS File Configuring Dynamic and Static Routes Configuring the Date and Time on the Access Gateway Configuring a Network Time Protocol Server Using the Default Portal Page Installing Secure Access Client for Linux Configuring Network Access

5 5 Citrix Access Gateway Standard Edition Administrator s Guide Chapter 6 Chapter 7 Configuring Authentication and Authorization Choosing When to Configure Authentication on the Access Gateway Configuring Authentication on the Access Gateway Configuring the Default Realm Creating Additional Realms Configuring Local Authentication Configuring Local Users Adding Users to Multiple Groups Changing Password for Users Configuring LDAP Authentication and Authorization Configuring LDAP Authorization LDAP Authorization Group Attribute Fields Using Certificates for Secure LDAP Connections Determining Attributes in your LDAP Directory Configuring RADIUS Authentication and Authorization RADIUS Authorization Choosing RADIUS Authentication Protocols Configuring RSA SecurID Authentication Configuring RSA Settings for a Cluster Resetting the Node Secret Configuring Secure Computing SafeWord Authentication Configuring SafeWord Settings on the Access Gateway Configuring Authorization with SafeWord Configuring NTLM Authentication and Authorization Configuring NTLM Authorization Configuring Double-Source Authentication Changing Password Labels Configuring Network Access and Group Resources Configuring Network Routing Providing Network Access to Users Enabling Split Tunneling and Accessible Networks Configuring User Groups Configuring Access Control Lists Creating Local User Groups Configuring Resource Groups Creating User Groups Default Group Properties

6 6 Citrix Access Gateway Standard Edition Administrator s Guide Configuring Resources for a User Group Configuring User Membership in Multiple Groups Configuring Network Resources Allowing and Denying Network Resources and Application Policies Setting Application Policies Configuring End Point Policies and Resources Configuring End Point Resources Building an End Point Policy for a Group Setting the Priority of Groups Configuring Pre-Authentication Policies Chapter 8 Configuring User Connections for Secure Access Client System Requirements Operating Systems Web Browsers How User Connections Work Establishing the Secure Tunnel Tunneling Private Network Traffic over Secure Connections Terminating the Secure Tunnel and Returning Packets to the Client Supporting the Secure Access Client Configuring Proxy Servers for the Secure Access Client Configuring Secure Access Client to Work with Non-Administrative Users.129 Configuring Single Sign-on with Windows Operating System Connecting with Earlier Versions of the Secure Access Client Connecting Using a Web Address Installing the ActiveX Helper Logging on Using the Secure Access Client Connections Using Kiosk Mode Creating a Kiosk Mode Resource Configuring Client Applications for Kiosk Mode Configuring File Shares for Kiosk Mode Configuring Authentication Requirements after Network Interruption Configuring Other Group Properties Enabling IP Pooling Enabling Split DNS Enabling Internal Failover Enabling Domain Logon Scripts Enabling Secure Access Client Session Time-Outs Configuring Web Session Time-Outs Disabling Desktop Sharing

7 7 Citrix Access Gateway Standard Edition Administrator s Guide Closing and Disabling User Connections How the Access Gateway Handles Connections Closing a Connection to a Resource Disabling and Enabling a User Requiring Client Certificates for Authentication Defining Client Certificate Criteria Using Client Certificates with Access Gateway Advanced Edition Installing Root Certificates Obtaining a Root Certificate from a Certificate Authority Installing Root Certificates on a Client Device Selecting an Encryption Type for Client Connections Supporting Voice over IP Softphones Improving Voice over IP Connections Chapter 9 Chapter 10 Configuring Logon and Portal Pages for Secure Access Client Configuring Access Gateway Logon Pages Enabling Logon Page Authentication Customizing the Logon Page Access Gateway Portal Page Templates Downloading and Working with Portal Page Templates Including the ActiveX Control Installing Custom Portal Page Files Linking to Clients from Your Web Site Choosing a Portal Page for a Group Configuring a Portal Page with Multiple Logon Options Logging On Using Double-Source Authentication Logging On When Pre-Authentication Policies are Configured Providing Access to Published Applications How User Connections to a Server Farm Work Replacing the Secure Gateway Preparing to Migrate to the Access Gateway Migrating from the Secure Gateway to the Access Gateway Monitoring the Access Gateway after Installation Configuring the Web Interface Deploying the Web Interface Parallel to the Access Gateway in the DMZ..177 Deploying the Web Interface behind the Access Gateway in the DMZ Deploying the Web Interface in the Secure Network

8 8 Citrix Access Gateway Standard Edition Administrator s Guide Configuring the Web Interface for Authentication Setting Up and Testing the Web Interface Configuring the Web Interface Configuring the Secure Ticket Authority Configuring ICA Access Control Using the Web Interface as a Logon Page Configuring Single Sign-On to the Web Interface Configuring the Access Gateway for Single Sign-On to the Web Interface..188 Configuring the Web Interface for Single Sign-On Enabling Session Reliability Chapter 11 Deploying the Access Gateway in a Double-Hop Demilitarized Zone Communication Flow in a Double-Hop DMZ Configuration Client Authentication Session Ticket Creation Connection Completion Preparing for a Double-Hop DMZ Deployment Supporting Load Balancing Using Logon Page Authentication in a Double-Hop DMZ Planning the Access Gateway Administration Tool Installation Opening Ports and Managing Certificates Components Required to begin the Deployment Installing the Access Gateway in a Double-Hop DMZ Step 1: Installing an Access Gateway in the First DMZ Step 2: Enabling or Disabling Logon Page Authentication Step 3: Configuring the Access Gateway to Redirect Connections to the Web Interface Step 4: Installing an Access Gateway in the Second DMZ Step 5: Configuring the Access Gateway to Communicate with the Access Gateway Proxy Step 6: Configuring the Access Gateway Proxy to Communicate with the Access Gateway Step 7: Configuring the Access Gateway to Handle Secure Ticket Authority and ICA Traffic Step 8: Opening the Appropriate Ports on the Firewalls Step 9: Managing SSL Certificates in a Double-Hop DMZ Deployment

9 9 Citrix Access Gateway Standard Edition Administrator s Guide Client Connection Process in a Double-Hop DMZ Deployment Client Authentication Session Ticket Creation Client Launch Connection Completion Chapter 12 Chapter 13 Maintaining the Access Gateway Access Gateway Administration Tools The Administration Tool The Administration Portal Monitoring the Access Gateway with the Administration Desktop Upgrading the Access Gateway Software Installing the Software Upgrade Reinstalling the Access Gateway Software Saving and Restoring the Access Gateway Configuration Restarting and Shutting Down the Access Gateway Restarting the Access Gateway Shutting Down the Access Gateway Initializing the Access Gateway Allowing ICMP Traffic Configuring Third-Party Personal Firewalls BlackICE PC Protection McAfee Personal Firewall Plus Norton Personal Firewall Sygate Personal Firewall (Free and Pro Versions) Tiny Personal Firewall ZoneAlarm Pro Installing Additional Access Gateway Appliances Creating a Cluster of Access Gateway Appliances Configuring Multiple Appliances to Use a Load Balancer Configuring Load Balancing Configuring Access Gateway Appliances to Operate behind a Load Balancer Configuring Access Gateway Failover

10 10 Citrix Access Gateway Standard Edition Administrator s Guide Appendix A Appendix B Appendix C Monitoring the Access Gateway Viewing and Downloading System Message Logs Viewing Secure Access Client Connection Logs Forwarding System Messages to a Syslog Server Enabling and Viewing SNMP Logs Multi Router Traffic Grapher Example Viewing System Statistics Monitoring Access Gateway Operations Securing Connections with Digital Certificates Introduction to Security Protocols, Cryptography, and Digital Certificates Introduction to Security Protocols Introduction to Cryptography Digital Certificates and Certificate Authorities Getting Certificates If Your Organization Is its Own Certificate Authority If Your Organization Is not its Own Certificate Authority Getting Server Certificates Digital Certificates and Access Gateway Operation Using Windows Certificates Unencrypting the Private Key Converting to a PEM-Formatted Certificate Combining the Private Key with the Signed Certificate Generating Trusted Certificates for Multiple Levels Requiring Certificates for Internal Connections Using Wildcard Certificates Examples of Configuring Network Access Configuration Examples Scenario for Configuring LDAP Authentication and Authorization Preparing for the LDAP Authentication and Authorization Configuration Configuring the Access Gateway to Support Access to the Internal Network Resources Scenario for Creating Guest Accounts Using the Local Users List Creating a Guest User Authentication Realm Creating Local Users Creating and Assigning a Network Resource to the Default User Group Scenario for Configuring Local Authorization for Local Users

11 11 Citrix Access Gateway Standard Edition Administrator s Guide Appendix D Troubleshooting the Access Gateway Troubleshooting Web Interface Connections Web Interface Appears without Typing Credentials Applications do not Appear after Logging On Users are Sent to a Logon Page that Asks to Start the Secure Access Client.292 Other Issues License File Does not Match Access Gateway Defining Accessible Networks Subnet Restriction VMWare ICMP Transmissions Ping Command LDAP Authentication End Point Policies Network Resources Kiosk Connections Internal Failover Certificate Signing Certificate Revocation Lists Network Messages to Non-Existent IPs The Access Gateway Does not Start and the Serial Console Is Blank The Administration Tool Is Inaccessible Devices Cannot Communicate with the Access Gateway Using Ctrl-Alt-Delete to Restart the Access Gateway Fails SSL Version 2 Sessions and Multilevel Certificate Chains H.323 Protocol Certificates Using 512-Bit Keypairs Unable to Restrict Drive Mapping with an Application Policy Secure Access Client Secure Access Client Connections with Windows XP DNS Name Resolution Using Named Service Providers Auto-Update Feature Client Connections from a Windows Server NTLM Authentication WINS Entries Using Third-Party Client Software

12 12 Citrix Access Gateway Standard Edition Administrator s Guide

13 CHAPTER 1 Introduction How to Use This Guide This chapter describes who should read the Citrix Access Gateway Administrator s Guide, how it is organized, and its document conventions. This user guide is intended for system administrators responsible for installing and configuring the Access Gateway. This document assumes that the Access Gateway is connected to an existing network and that the administrator has experience configuring that network The configuration steps in this document assume that the Access Gateway is deployed as a standalone appliance and that users connect directly to the Access Gateway. This user guide also has information for configuring the Access Gateway to work with Citrix Presentation Server and Access Gateway Advanced Edition. For more information, see Providing Access to Published Applications on page 167 and Deploying Access Gateway Advanced Edition on page 34. Document Conventions Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface: Convention Boldface Italics %SystemRoot% Monospace Meaning Commands, names of interface items such as text boxes, option buttons, and user input. Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books. The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows. Text displayed in a text file.

14 14 Citrix Access Gateway Standard Edition Administrator s Guide Convention { braces } A series of items, one of which is required in command statements. For example, { yes no } means you must type yes or no. Do not type the braces themselves. [ brackets ] Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves. (vertical bar) A separator between items in braces or brackets in command statements. For example, { /hold /release /delete } means you type /hold or /release or /delete. (ellipsis) Getting Service and Support Citrix provides technical support primarily through the Citrix Solution Advisors. Our Citrix Solutions Advisor partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSN partner at In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at Knowledge Center features include: A knowledge base containing thousands of technical solutions to support your Citrix environment An online product documentation library Interactive support forums for every Citrix product Access to the latest hotfixes and service packs Security bulletins Meaning You can repeat the previous item or items in command statements. For example, /route:devicename[, ] means you can type additional devicenames separated by commas. Online problem reporting and tracking (for organizations with valid support contracts) Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization s Citrix products.

15 Chapter 1 Introduction 15 Subscription Advantage Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at (select Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information. Knowledge Center Watches The Citrix Knowledge Center allows you to configure watches. A watch notifies you if the topic you are interested in was updated. Watches allow you to stay notified of updates to Knowledge Base or Forum content. You can set watches on product categories, document types, individual documents, and on Forum product categories and individual topics. To set up a watch, log on to the Citrix Support Web site at After you are logged on, in the upper right corner, click My Watches and follow the instructions. Education and Training Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available from

16 16 Citrix Access Gateway Standard Edition Administrator s Guide Related Documentation For additional information about the Access Gateway, refer to the following guides: Getting Started with Citrix Access Gateway Standard Edition Citrix Access Gateway Standard Edition Pre-Installation Checklist Citrix Access Gateway Standard Edition Readme

17 CHAPTER 2 Introducing Citrix Access Gateway Citrix Access Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the costly and cumbersome implementation and management, the Access Gateway works through any firewall and supports all applications and protocols. It is fast, simple, and cost-effective to deploy and maintain with a Web-deployed and automatically updating client. Users receive a consistent desk-like user experience with always-on connectivity, an integrated worm-blocking client, and integrated end-point scanning. With the Citrix Access Gateway, organizations can quickly and easily deploy one product for all of their secure remote access needs. The Access Gateway gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, , intranet sites, and applications just as if they are working inside of their organization s firewall. The following topics provide an overview to the Access Gateway: Access Gateway Technologies Access Gateway Modes of Operation New Features Access Gateway Technologies The Access Gateway is quick and easy to deploy and simple to administer. The most typical deployment configuration is to locate the Access Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer or in a double-hop DMZ, are also supported. The first time the Access Gateway is started, use the Access Gateway Administration Tool to configure the basic settings that are specific to your corporate network, such as the IP address, subnet mask, default gateway IP address, and DNS address. After you complete the basic connection, you then configure the settings specific to Access Gateway operation, such as the options

18 18 Citrix Access Gateway Standard Edition Administrator s Guide for authentication, authorization, and group-based access control, kiosk mode, end point resources and polices, portal pages, and IP pools. For more information about installing the Access Gateway, see Getting Started with Citrix Access Gateway Standard Edition or Installing the Access Gateway for the First Time on page 37. Access Gateway Modes of Operation The Access Gateway can be used in one of four ways: Connections through the appliance only. In this scenario, the Access Gateway is installed as a standalone appliance in the DMZ. Users connect directly to the Access Gateway using the Secure Access Client and then have access to network resources, such as and Web servers. Connections using the Web Interface and Citrix Presentation Server. In this scenario, users log on to the Web Interface and then are connected to their applications on Citrix Presentation Server. Depending on how the Access Gateway is deployed with Presentation Server, users can connect with just Citrix Presentation Server Clients, Secure Access Client, or have simultaneous connections using both clients. For more information, see Providing Access to Published Applications on page 167. Connections using Access Gateway Advanced Edition. In this scenario, the Access Gateway is installed in the DMZ. Initial TCP/IP settings for the appliance are configured during installation of the appliance. Advanced settings to manage the Access Gateway are configured using the Access Management Console included with Access Gateway Advanced Edition. For more information, see Deploying Access Gateway Advanced Edition on page 34 or the Citrix Access Gateway Advanced Edition Administrator s Guide. Note When deploying the Access Gateway Advanced Edition, the appliance must be the only component in the DMZ that is communicating with the access server farm. Access Gateway Advanced Edition does not work with the Secure Gateway. Connections using kiosk mode. The Access Gateway also provides kiosk mode, which opens a virtual network computing-like connection to the Access Gateway. Kiosk mode can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), and client applications. For more information about kiosk mode, see Connections Using Kiosk Mode on page 136.

19 Chapter 2 Introducing Citrix Access Gateway 19 New Features Functions of the Access Gateway The Access Gateway performs the following functions: Authentication Termination of encrypted sessions Access control (based on permissions) Data traffic relay (when the first three functions are met) As a standalone appliance in the DMZ, the Access Gateway operates as follows: A remote user downloads the Secure Access Client by connecting to a secure Web address and providing authentication credentials. After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Access Gateway establishes a secure tunnel. As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization s intranet and forwards the packets to the Access Gateway. The Access Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Access Gateway sends traffic back to the remote computer over a secure tunnel. This release of the Access Gateway includes the following new features: Double-hop DMZ support for Citrix Presentation Server. You can deploy the Access Gateway in a double-hop DMZ configuration to provide a single point-ofaccess to a server farm residing in an internal network. With this configuration, you must deploy two Access Gateway appliances: one in the first stage of the DMZ and one in the second stage of the DMZ. The Access Gateway in the second stage of the DMZ operates as a proxy for ICA traffic traversing the second DMZ. For more information about deploying the Access Gateway in a double-hop scenario, see Deploying the Access Gateway in a Double-Hop Demilitarized Zone on page 193.

20 20 Citrix Access Gateway Standard Edition Administrator s Guide Configurable symmetric encryption ciphers. You can select the specific cipher that the Access Gateway uses for symmetric data encryption on an SSL connection. You can select one of these three encryption ciphers: RC4 128 Bit, MD5/SHA 3DES, SHA AES 128/256 Bit, SHA Automatic detection of proxy server settings. In this release, the Secure Access Client automatically detects the proxy server settings specified in the operating system. Secure Access Client connections. The Secure Access Client included in this release can connect to earlier versions of the Access Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Access Gateway if enabled on the Global Cluster Policies tab. Automatic port redirection. You can configure the Access Gateway so that any unsecure HTTP connection attempt on port 80 is automatically redirected by the Access Gateway to a secure HTTPS connection attempt on port 443 (or other administrator-specified port). Disable desktop sharing. You can disable the desktop sharing feature of the Secure Access Client for a user group. The Secure Access Client desktop sharing feature allows a user to view a list of all other users who are logged on. If this capability causes privacy concerns for your organization, you can disable the desktop sharing feature to prevent a specific group of users from viewing the list of online users. Additional control over Secure Access Client connections. You can configure the Secure Access Client to disconnect from the Access Gateway if there is no user activity on the connection for a specific time interval. You can also force a client disconnection if the connection remains active for a specific time interval or if the Access Gateway does not detect keyboard or mouse activity. Disable kiosk mode. In this release, you can disable kiosk mode for client connections. When kiosk mode is disabled, users do not see the kiosk link on the Web portal page. Users are only allowed to log on using the full Secure Access Client or Citrix Presentation Server Clients. Specify multiple ports and port ranges for network resources. This release allows you to configure port ranges. You have four options when configuring the ports the Access Gateway uses to connect to internal network resources. You can specify a single port, multiple individual ports, a range of ports, or all ports.

21 Chapter 2 Introducing Citrix Access Gateway 21 Updated licensing. Licensing for the Access Gateway has changed to allow one Access Gateway to be a license server for all deployed appliances. Licenses are installed on one Access Gateway and the other appliances in the network are configured to obtain their licenses from the primary Access Gateway. Voice over IP softphone support. The Access Gateway supports voice over IP softphones from Avaya, Nortel, and Cisco. Editable HOSTS file. You can edit the HOSTS file on the Access Gateway from the user interface of the Administration Tool. The Access Gateway uses the HOSTS file in conjunction with DNS servers to force DNS resolution to translate host names to IP addresses. Running logon scripts defined in the Microsoft Active Directory Group Policy. The Access Gateway supports the execution of Windows logon scripts defined in a Microsoft Active Directory Group Policy. Users must successfully authenticate with the Secure Access Client before the logon scripts can execute. NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Access Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Access Gateway can also authorize users to access internal network resources based on a user s group memberships on the Windows NT 4.0 domain controller. Added challenge-response to RADIUS user authentication. The Access Gateway now supports challenge-response token authentication with new PIN and next token modes when RSA SecurID authentication is used with RADIUS. SafeWord PremierAccess changed to support standards-based RADIUS token user authentication. The proprietary PremierAccess configuration file has been removed and replaced using RADIUS server support. Legacy SafeWord PremierAccess realms are converted when the Access Gateway is upgraded to Version 4.5. SafeWord authentication is configured using RADIUS-style parameters. Updated serial console menu. There are new menu items on the serial console allowing you to change the Access Gateway administrator password, set the duplex mode and network adapter speed, and revert to the default certificate that comes with the Access Gateway.

22 22 Citrix Access Gateway Standard Edition Administrator s Guide

23 CHAPTER 3 Planning Your Deployment This chapter discusses deployment scenarios for the Access Gateway. You can deploy the Access Gateway at the perimeter of your organization s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network. This chapter includes these four sections: Deploying the Access Gateway. Deploying the Access Gateway with Citrix Presentation Server. This section discusses deploying the Access Gateway with a server farm. You can deploy the Access Gateway in a single-hop DMZ configuration or a double-hop DMZ configuration. Deploying additional Access Gateway appliances to support load balancing and failover. Deploying the Access Gateway with Access Gateway Advanced Edition. Deploying the Access Gateway This section discusses the following Access Gateway deployments: Deploying the Access Gateway in the network demilitarized zone (DMZ) Deploying the Access Gateway in a secure network that does not have a DMZ Deploying additional Access Gateway appliances to support load balancing and failover

24 24 Access Gateway Standard Edition Administrator s Guide Access Gateway in the Network DMZ Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization s secure internal network and the Internet (or any external network). When the Access Gateway is deployed in the DMZ, users access it using the Secure Access Client, Citrix Presentation Server Clients or the kiosk client. Note To deploy the Access Gateway in the DMZ to support access to a server farm, see Deploying the Access Gateway with Citrix Presentation Server on page 28. Access Gateway deployed in the DMZ

25 Chapter 3 Planning Your Deployment 25 Installing the Access Gateway in the DMZ In this configuration, you install the Access Gateway in the DMZ and configure it to connect to both the Internet and the internal network. Follow the instructions in Installing the Access Gateway for the First Time on page 37 to perform installation and configuration. Access Gateway Connectivity in the DMZ When you deploy the Access Gateway in the DMZ, client connections must traverse the first firewall to connect to the Access Gateway. By default, clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall. Note You can change the port clients use to connect to the Access Gateway by altering the port setting in the Administration Tool. This port setting is discussed in Configuring TCP/IP Settings Using Network Cables on page 41. The Access Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a Web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Access Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external clients. The Access Gateway administrative tools available on the Access Gateway also listen for connections on these ports: Port Connections to the Administration Portal occur on this port. Port Connections to the Administration Tool occur on this port. Access Gateway in a Secure Network You can install the Access Gateway in the secure network. In this scenario, there is typically one firewall between the Internet and the secure network. The Access Gateway resides inside the firewall to control access to the network resources.

26 26 Access Gateway Standard Edition Administrator s Guide Access Gateway deployed in a secure network Access Gateway Connectivity in a Secure Network When an Access Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Access Gateway. By default, both of these clients use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall. Note You can change the port on which clients connect to the Access Gateway by altering the port setting in the Administration Tool. This port setting is discussed in Configuring TCP/IP Settings Using Network Cables on page 41. Security Considerations When planning any type of Access Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand. Configuring Secure Certificate Management By default, the Access Gateway includes a self-signed SSL server certificate that enables it to complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments.

27 Chapter 3 Planning Your Deployment 27 Before you deploy the Access Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority and upload it to the Access Gateway. If you deploy the Access Gateway in any environment where the Access Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on the Access Gateway. For more information about root certificates, see Installing Root Certificates on the Access Gateway on page 55. For example, if you deploy the Access Gateway with Citrix Presentation Server and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway. For more information, see Creating and Installing Certificates on page 51 and Securing Connections with Digital Certificates on page 253. Authentication Support You can configure the Access Gateway to authenticate users and control the level of access (or authorization) that users have to the network resources on the internal network. Before deploying the Access Gateway, your network environment should have the corporate directories and authentication servers in place to support one of these authentication types: LDAP RADIUS RSA SecurID NTLM Secure Computing SafeWord products If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory. For more information about authentication and authorization, see Examples of Configuring Network Access on page 269 and Configuring Authentication and Authorization on page 69.