WHITE PAPER
XenApp 6 Smart Auditor 1.3 Installation and Configuration
www.citrix.com
Table of Contents

Smart Auditor Overview
  Components
  Communication
  Deployment Notes
  Provisioning and Cloning
Installation
  System Requirements
    SmartAuditor Database
    SmartAuditor Server
    SmartAuditor Policy Console
    SmartAuditor Agent
    SmartAuditor Player
  Installation Components
  Database Installation
  SmartAuditor Server Installation
  SmartAuditor Agent
  SmartAuditor Player
Configuration
Appendix A Securing with SSL/HTTPS
Appendix B Smart Auditor Player Error
Appendix C Creating Policies
Smart Auditor Overview

This guide assists in setting up a Smart Auditor 1.3 deployment with XenApp 6. It assumes that a SQL Server 2008 instance and a XenApp 6 server are already running. Four servers and one workstation are used in this guide.

1. DC1.jc.lab: Domain Controller and Certificate Authority
2. SQL.jc.lab: SQL Server 2008 SP2
3. XA6.jc.lab: XA6
4. SA.jc.lab: Smart Auditor Server
5. W7.jc.lab: Windows 7 Workstation running Online Plugin and Smart Auditor Player

All servers in this guide are running Windows Server 2008 R2.

Components

- SmartAuditor Agent: A component installed on each XenApp server to enable recording. It is responsible for recording session data.
- SmartAuditor Server: A server that hosts:
  o The Broker: An IIS-hosted web application that handles the search queries and file download requests from the SmartAuditor Player, handles policy administration requests from the SmartAuditor Policy Console, and evaluates recording policies.
  o The Storage Manager: A Windows service that manages the recorded session files received from each SmartAuditor-enabled computer running XenApp.

Communication

Communication between SmartAuditor components is achieved through IIS and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each SmartAuditor component. MSMQ provides a reliable data transport mechanism for sending recorded session data from the SmartAuditor Agent to the SmartAuditor Server.

Deployment Notes

- Configure server certificates for SSL/HTTPS.
- SQL Server requires TCP/IP to be enabled, the SQL Server Browser service to be running, and Windows Authentication.
- It is recommended to disable session sharing when using SmartAuditor, because session sharing for published applications can conflict with active policies. SmartAuditor matches the active policy with the first published application that a user opens.
Provisioning and Cloning

If you are planning to use Provisioning Services with XenApp, you must prepare the server with the XenApp Server Configuration Tool. This tool is included with the installation media, but an updated version can be downloaded from http://support.citrix.com/article/ctx124981. The tool prepares MSMQ to be unique for each XenApp server so that there are no problems with the Message Queuing service. XenApp 5 can use the XenApp prep tool to configure the server for provisioning and cloning.

Note: Failure to do this step could result in recordings being lost.
Installation

SmartAuditor supports multiple configurations. All administration components can be installed on one server if desired. This guide will use four servers and one workstation consisting of a SQL server, SmartAuditor Admin server, a XenApp 6 server and a Windows 7 workstation.

System Requirements

SmartAuditor Database
Supported Operating Systems:
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2003 with Service Pack 2
- Microsoft Windows 2000 with Service Pack 4
Requirements:
- Microsoft SQL Server 2008 (Enterprise and Express)
- Microsoft SQL Server 2005 (Enterprise and Express with Service Pack 2)
- .NET Framework 3.5

SmartAuditor Server
Supported Operating Systems:
- Microsoft Windows Server 2008 R2
Requirements:
- .NET Framework Version 3.5
- Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and MSMQ HTTP support enabled

SmartAuditor Policy Console
Supported Operating Systems:
- Microsoft Windows Server 2008 R2
- Microsoft Windows 7
- Microsoft Windows Vista
Requirements:
- Microsoft IIS Management Console (install the Microsoft IIS Management Console manually before installing the Smart Auditor Policy Console)

SmartAuditor Agent
Supported Operating Systems:
- Windows Server 2008 R2
Requirements:
- XenApp Server: XenApp 6 Platinum
- .NET Framework 3.5
- Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and MSMQ HTTP support enabled

SmartAuditor Player
Supported Operating Systems:
- Microsoft Windows XP
- Microsoft Windows Vista
- Microsoft Windows 7

Installation Components

1. SmartAuditor Administration: The SmartAuditor administration components are the SmartAuditor Database, SmartAuditor Server, and SmartAuditor Policy Console.
2. SmartAuditor Agent for Citrix XenApp: The SmartAuditor Agent must be installed on a server running XenApp.
3. SmartAuditor Player: The SmartAuditor Player is installed on one or more workstations for users who view session recordings.

Database Installation

In this case the database is installed on SQL Server 2008 SP2 running on Windows Server 2008 R2. Launch the SmartAuditor Administration setup. On the Select Features screen, deselect Citrix SmartAuditor Policy Console and Citrix SmartAuditor Server. The only component needed is Citrix SmartAuditor Database.

On the Database Configuration screen, you must enter the account that will access the database and the database instance.
[Screenshot: Database Configuration screen, with callouts "Domain\machine$ of Smart Auditor Broker" and "SQL Server Hostname"]

The accessing user account is the name of the SmartAuditor server, in the format shown in the installer window: domain\<machine-name>$. In this case, the SmartAuditor server will be SA$ and the database instance is the hostname of the SQL Server. You could also enter localhost. If a named instance is used, the database instance should be in the format hostname\instance-name.

The installation will create the new SmartAuditor database and add the machine account as DB_OWNER.
SmartAuditor Server Installation

Roles - IIS

A few prerequisites must be installed before running the SmartAuditor Server installation. Open Server Manager and add the IIS role. Select the following options:
- Application Development:
  o ASP.NET (more components will be automatically selected; click add required roles to accept)
- Security:
  o Windows Authentication
- Management Tools:
  o IIS 6 Management Compatibility
  o IIS 6 Metabase Compatibility
  o IIS 6 WMI Compatibility
  o IIS 6 Scripting Tools
  o IIS 6 Management Console

Roles - Application Server

The Application Server role is needed to install the .NET Framework. Select .NET Framework 3.5.1.

Features - MSMQ

In addition to the IIS role, you must install the Message Queuing feature. Using Server Manager, add the MSMQ feature with the following options:
- Message Queuing
- Message Queuing Server
- HTTP Support

You will once again be prompted for additional requirements; accept them to continue.

Once the prerequisites are installed, you can launch the SmartAuditor installation. In this case you will deselect Citrix SmartAuditor Database from the installation wizard.
On the next screen the database instance is the name of your SQL server. If you are using a named instance you must enter hostname\instance-name.

[Screenshot: database instance screen, with callout "SQL Server Hostname"]
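The IIS, .NET Framework and MSMQ prerequisites listed above can also be added from an elevated PowerShell prompt on Windows Server 2008 R2. The script below is an added example, not part of the Citrix guide; the feature names are the ServerManager identifiers for the options listed, and the -Role parameter is this example's own (use Agent on a XenApp server, which needs only MSMQ).

```powershell
# Added example: install the SmartAuditor prerequisites on Windows Server 2008 R2.
# Run elevated. -Role is this script's own parameter, not a Citrix option.
param(
    [ValidateSet('Server', 'Agent')]
    [string]$Role = 'Server'
)

Import-Module ServerManager

# MSMQ with HTTP support is required on the SmartAuditor Server and on each agent.
$msmq = @(
    'MSMQ-Server'             # Message Queuing Server
    'MSMQ-HTTP-Support'       # HTTP Support
)

# IIS role services and .NET Framework 3.5.1 from the Server Manager steps.
$iis = @(
    'Web-Server'              # IIS role
    'Web-Asp-Net'             # Application Development: ASP.NET
    'Web-Windows-Auth'        # Security: Windows Authentication
    'Web-Mgmt-Compat'         # IIS 6 Management Compatibility
    'Web-Metabase'            # IIS 6 Metabase Compatibility
    'Web-WMI'                 # IIS 6 WMI Compatibility
    'Web-Lgcy-Scripting'      # IIS 6 Scripting Tools
    'Web-Lgcy-Mgmt-Console'   # IIS 6 Management Console
    'AS-NET-Framework'        # Application Server: .NET Framework 3.5.1
)

$wanted = if ($Role -eq 'Server') { $iis + $msmq } else { $msmq }

# The system requirements call for MSMQ Active Directory integration to be disabled.
if ((Get-WindowsFeature -Name 'MSMQ-Directory').Installed) {
    Write-Warning 'MSMQ Directory Service Integration is installed; the requirements list it as disabled.'
}

# Install only what is missing, and stop if Server Manager reports a failure.
$missing = @(Get-WindowsFeature -Name $wanted |
    Where-Object { -not $_.Installed } |
    ForEach-Object { $_.Name })

if ($missing.Count -gt 0) {
    $result = Add-WindowsFeature -Name $missing
    if (-not $result.Success) { throw "Feature installation failed: $($missing -join ', ')" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is pending.' }
}

# Final state, for the build record.
Get-WindowsFeature -Name $wanted | Select-Object Name, Installed
```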
SmartAuditor Agent

The SmartAuditor Agent should be installed on the XenApp servers whose sessions you wish to record. You must first install .NET Framework 3.5 and MSMQ on the XenApp server. Use Server Manager to add MSMQ. .NET Framework should already be installed from the XenApp installation.

The agent will be installed on XA6. Launch the installation wizard and enter the host name of the Smart Auditor server.

Note: You must launch the agent install from the XA6 install wizard rather than browsing for the MSI file directly.

The default installation of SmartAuditor uses HTTPS/SSL to secure communications. At this point SSL is not configured. To use HTTP, you must deselect SSL in the IIS Management Console. Open the IIS Management Console and navigate to the SmartAuditorBroker site. Open the SSL settings and uncheck the box for Require SSL. Later in this guide a server certificate will be created to secure traffic with SSL.
Open the SmartAuditor Agent properties from the Start Menu and click the Connections tab. Verify that the SmartAuditor Server name is correct and change the SmartAuditor Broker Protocol to HTTP.

SmartAuditor Player

The SmartAuditor Player can be installed on the SmartAuditor server or another workstation in the domain. In this case the player will be installed on a Windows 7 workstation. No special configuration is needed to install the SmartAuditor Player. Click through the wizard until the installation completes.

Once the installation is complete, configure the player to point to the SmartAuditor Server. Launch the SmartAuditor Player and select Tools > Options. On the Connections tab, enter the hostname for the SmartAuditor Server and the desired protocol. By default SmartAuditor is configured to use HTTPS/SSL to secure communications. At this point there is no certificate, so you must select HTTP. The site should already be configured for HTTP at this point. Later in the guide we will configure server certificates.

Click on the Binoculars to search for recorded and/or live sessions.
If you receive the following error, it is because you did not grant access rights to view recordings:

[Screenshot: error message]

Open the SmartAuditor Authorization Console on the SmartAuditor Server. Right click on the Player under Role Assignments and add your Active Directory account. Once added, you should see your users/groups populated.

Connect back to your SmartAuditor Player and click the binoculars again. You will now be able to view session recordings.
Configuration

To start using SmartAuditor you have to configure a policy. SmartAuditor uses one active policy. Open the SmartAuditor Policy Console on the SmartAuditor Server. Enter the hostname and protocol for the SmartAuditor Server. At this point we are still using HTTP for the protocol.

Right click the policy "Record everyone with notification" to activate this policy. Launch a published application on the XenApp server. You should receive the following notification:

[Screenshot: recording notification]

You will now see a live session in the SmartAuditor Player.
Appendix A Securing with SSL/HTTPS

In most cases you will want to secure the IIS and MSMQ traffic. This example uses IIS to generate a server certificate request that is sent to the domain controller/certificate authority for signing.

Generate the Server Certificate Request

To generate the server certificate, open the IIS Management Console on the Smart Auditor Server. Click the server name in the left column. Double click on Server Certificates. Under Actions, select Create Certificate Request.

Use the wizard to create the signing request. The common name should be the FQDN of the Smart Auditor server.
Click Next, use the defaults, and then save certrequest.txt to the local file system. Open the cert request with Notepad and copy the text.

Open your browser and point to your Certificate Authority. In this case it is http://dc1/certsrv.

1. Click Request a Certificate
2. Click Advanced Certificate Request
3. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
4. Paste the certificate request data into the text field
5. Set Certificate Template to Web Server and submit
6. Download the certificate

Go back to the IIS Management Console and select Complete Certificate Request. Use the certificate that was just downloaded to the local file system. Enter whatever you wish for the friendly name.

Now that the cert is installed, the binding must be created in the IIS Management Console. Click on the Default Web Site and then click on Bindings in the Actions column. Click on Add and select https. Select the certificate that was just created by looking at the friendly name.
There should now be two bindings present. You can now re-enable the setting to require SSL on the Default Website or the Smart Auditor Website. Launch the Smart Auditor Policy Console again and select HTTPS this time.
Go back to the XenApp server and open the Smart Auditor Agent properties. Change the Smart Auditor Broker protocol and Message Queuing to HTTPS. Be sure to use the FQDN of the Smart Auditor Broker. The service will restart after making the change.

The Smart Auditor Player should also be configured to use HTTPS at this point. Start a new session and open the Smart Auditor Player to verify that the recordings are working.
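Because the installation steps turn off Require SSL until a certificate exists, it is worth confirming on the Smart Auditor Server that the Appendix A changes are in place. The check below is an added example, not part of the Citrix guide; it assumes SmartAuditorBroker is an application under Default Web Site and that the certificate was requested for SA.jc.lab.

```powershell
# Added example: confirm the SmartAuditor Server is back on HTTPS after Appendix A.
# Run elevated on the SmartAuditor Server. The three values below are assumptions.
$site = 'Default Web Site'      # site that received the https binding
$app  = 'SmartAuditorBroker'    # assumed to be an application under $site
$fqdn = 'SA.jc.lab'             # common name used in the certificate request

Import-Module WebAdministration
$problems = @()

# 1. The site must have an https binding.
if (-not (Get-WebBinding -Name $site -Protocol 'https')) {
    $problems += "No https binding on '$site'."
}

# 2. Each bound certificate must match the FQDN and still be valid.
foreach ($b in Get-ChildItem IIS:\SslBindings) {
    $path = "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)"
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    if (-not $cert) {
        $problems += "Port $($b.Port): bound certificate not found in the store."
        continue
    }
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($fqdn))(,|$)") {
        $problems += "Port $($b.Port): subject '$($cert.Subject)' does not match $fqdn."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "Port $($b.Port): certificate expired on $($cert.NotAfter)."
    }
}

# 3. Require SSL must be re-enabled on the broker (sslFlags contains Ssl).
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$access = (& $appcmd list config "$site/$app" '/section:system.webServer/security/access') -join "`n"
if ($access -notmatch 'sslFlags="[^"]*\bSsl\b') {
    $problems += "Require SSL is not set on '$site/$app'; HTTP requests are still accepted."
}

if ($problems.Count -eq 0) {
    'OK: https binding, certificate and Require SSL are in place.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The Agent and Player protocol settings are changed in their own property dialogs, as described above, and are not covered by this server-side check.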
Appendix B Smart Auditor Player Error

If you attempt to play a recording from the Smart Auditor Player and get the following error:

[Screenshot: error message]

You must configure the Smart Auditor Player to accept new client versions. This can be done by editing the following configuration file:

C:\Program Files\Citrix\Smart Auditor\Player\bin\SmartAudPlayer.exe.config

There are settings for different clients. In this case, just change the Windows client to a higher version:

    <add key="Windows" value="12.1" />

This will allow sessions recorded from the 12.1 plugin to be played. You can increase this value to whatever you like.
Appendix C Creating Policies

You may decide that the generic policy to record everything does not fit your organization or requirements well. Policies can be configured based on users, servers, and applications. To create a new recording policy, open the Smart Auditor Policy Console.

1. Right click on Recording Policies and select Add New Policy
2. Right click on New policy and click on Add New Rule
3. Select Enable Session Recording with Notification and click Next
4. Check the box for Published Applications and then click the hyperlink for Select Published Applications
5. Click on Farms and then click on Add Farms
6. Enter the server name of any XenApp 6 server (in this case, XA6)
7. Click on Connect. The farm should be enumerated
8. Click Close and then you should see a list of published applications
9. Add Notepad from the list of applications
10. Click OK and then click Finish
11. Right click on the policy and select Activate. You can also rename the policy if desired.
12. Test again by launching a published Notepad

Note: A policy can contain many rules, but there can only be one active policy running at a time.