StoneGate SSL VPN Technical Note 2081 Setting Up SSO with Citrix Presentation Server
Table of Contents

Introduction
Overview
Note on Access Clients
Standard Resource for Citrix Presentation Server
Feedback
Introduction

This technical note describes how to set up and configure Single Sign-On (SSO) with Citrix Presentation Server and StoneGate SSL VPN.

Prerequisites

This technical note assumes a thorough understanding of StoneGate SSL VPN installation and Citrix Presentation Server administration. Use the further reading to gain the required knowledge.

Further Reading

More information on StoneGate SSL VPN administration can be found in the StoneGate SSL VPN Administrator's Guide, the Online Help, and the Technical Note repository provided with the product. Another source of information is the Stonesoft Support site at http://www.stonesoft.com/support/. For more information on related subjects, visit http://www.citrix.com/.

Overview

It is possible to configure your StoneGate SSL VPN installation to support Single Sign-On (SSO) using Citrix Presentation Server. This technical note guides you through the necessary steps.

Note: In these instructions, Citrix Presentation Server is added as a standard resource. The standard resource automatically uses a dynamic tunnel to access the resource. As a result, the Citrix scripts nfuse15.wascr and nfuse16.wascr, which change the real IP address of the NFuse server that the client receives in the .ica file to 127.0.0.1 and 127.0.0.1:1494 respectively, should not be used. Also note that the use of dynamic tunnels requires administrator rights on the client computer the first time it is used.

Note on Access Clients

To avoid the need for administrator rights on a Windows client computer, or if you are running a Mac OS X or Linux client computer, a static tunnel must be used to access the resource. This means that the standard resource for Citrix cannot be used, since it uses a dynamic tunnel. When static tunnels are used, the Citrix wascr scripts nfuse15.wascr and nfuse16.wascr are required.
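As an added illustration of what the static-tunnel scripts have to achieve (this is example code written for this note, not the nfuse15.wascr or nfuse16.wascr scripts, whose exact logic is not reproduced here), the following rewrites every Address= entry of a .ica launch file so that the ICA client connects to the loopback endpoint of a static tunnel instead of the real server. The sample .ica content is constructed; the two target forms, 127.0.0.1 and 127.0.0.1:1494, are the ones the note attributes to nfuse15.wascr and nfuse16.wascr respectively.

```python
"""Rewrite the server address in a Citrix .ica launch file so the ICA client connects
to a local static-tunnel listener instead of the real server.

Example code written for this note, not the Stonesoft wascr scripts. The .ica
sample below is constructed; real files contain more keys, which are passed through.
"""
import re

# Matches "Address=<value>" in any section, keeping the key and its spacing intact.
# Anchored at the line start, so keys such as HTTPBrowserAddress= are not touched.
ADDRESS_LINE = re.compile(r"^(?P<key>\s*Address\s*=\s*)(?P<value>.*?)\s*$", re.IGNORECASE)

# Constructed sample of a Web Interface launch file (subset of the real keys).
SAMPLE_ICA = """[WFClient]
Version=2
ClientName=WI_abcdef

[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.40:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
"""


def rewrite_ica(ica_text, loopback="127.0.0.1", port=1494, keep_port=True):
    """Return (rewritten_text, changes), where changes lists (old, new) addresses.

    keep_port=True  -> 127.0.0.1:1494 (the nfuse16.wascr form given in the note)
    keep_port=False -> 127.0.0.1      (the nfuse15.wascr form)
    Only Address= keys are rewritten; every other launch parameter is preserved.
    """
    target = f"{loopback}:{port}" if keep_port else loopback
    out, changes = [], []
    for line in ica_text.splitlines():
        m = ADDRESS_LINE.match(line)
        if m and m.group("value"):
            changes.append((m.group("value"), target))
            out.append(m.group("key") + target)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changes


def addresses(ica_text):
    """List the Address= values in an .ica file; use it to confirm no real server
    address is left in what the client receives."""
    return [m.group("value") for m in map(ADDRESS_LINE.match, ica_text.splitlines()) if m]
```

The rewrite only makes sense when something listens on the loopback endpoint: with a static tunnel the access client forwards 127.0.0.1:1494 through the SSL VPN session to the real server, which is what the 127.0.0.1:1494 target implies. With the dynamic tunnel of the standard resource the real address must stay in the file, which is why the note says the scripts should not be used in that setup.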
Standard Resource for Citrix Presentation Server

To configure SSO support for Citrix Presentation Server using a standard resource, follow the instructions below in order:

1. Add Citrix Presentation Server Standard Resource
2. Edit Advanced Resource Settings
3. Add SSO Domain
4. Add Resource Path
5. Edit Tunnel Set

Adding a Citrix Presentation Server Standard Resource

To set up a Citrix Presentation Server standard resource:

1. In the main menu, select Manage Resource Access and then click Standard Resources in the left-hand menu.
2. Select Citrix Presentation Server and enter general settings.
   Display Name: citrixsso
3. Click Next and enter Citrix Web server settings.
   Citrix Presentation Server: <your Citrix server's IP address>
   Keep the default port.
4. Enter Citrix Presentation Server settings.
   Citrix Presentation Server 1: <your Citrix server's IP address>
   Keep the default port.
5. Enter Application Portal Settings and click Next.
6. Protect the resource host with applicable access rules and click Next. Refer to the Add Access Rules topic in the Getting Started section of the Online Help for instructions when needed.
7. Click Finish Wizard.

Editing Advanced Resource Settings

To edit the advanced resource settings:

1. In the left-hand menu, select Manage Resource Access.
2. In the Web Resources section, select the citrixsso resource created in Adding a Citrix Presentation Server Standard Resource above and then click the Edit Resource Host link.
3. Select the Advanced Settings tab and enter Access Settings:
   Select the Forward cookies between client and resource checkbox.
   Cookies to Check:
     NFuseFolder
     NFuseMode
     icaclientcode
     icaobjectcode
     icaclientavailable
     icabrowsercode
     icascreenresolution
     NFuseUseSavedFolder
     icaispassthrough
     WINGSession
     WIUser
   Action: Allow
4. Click Save and then click Publish in the top menu.

Note: The cookies listed above are all added automatically by the standard resource.
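The advanced resource setting above forwards the listed cookies between client and resource. As an added illustration of the filtering this implies (example code written for this note, not StoneGate code, and assuming the setting behaves as an allow-list: listed names are forwarded, anything else is held at the gateway), the following applies that list to a request Cookie header and to response Set-Cookie headers. The header values and the gateway session cookie name GATEWAY_SESSION are constructed for the example.

```python
"""Allow-list filtering of cookies between client and resource.

Example code written for this note, not StoneGate code. Assumes allow-list
semantics for "Cookies to Check" with Action: Allow. Sample headers are constructed.
"""

# The "Cookies to Check" list from the note, verbatim.
ALLOWED_COOKIES = frozenset({
    "NFuseFolder", "NFuseMode", "icaclientcode", "icaobjectcode",
    "icaclientavailable", "icabrowsercode", "icascreenresolution",
    "NFuseUseSavedFolder", "icaispassthrough", "WINGSession", "WIUser",
})


def parse_cookie_header(header):
    """Parse a request Cookie header into an ordered list of (name, value) pairs.

    Cookie names are case-sensitive (RFC 6265), so the allow-list is matched as-is;
    malformed fragments without '=' are dropped rather than guessed at.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            continue
        pairs.append((name.strip(), value.strip()))
    return pairs


def filter_request_cookies(header, allowed=ALLOWED_COOKIES):
    """Client -> resource: keep only allow-listed cookies.

    Returns the rebuilt Cookie header (empty string when nothing survives) and the
    (name, value) pairs that were held back. The gateway's own session cookie is the
    one that must never reach the Citrix server, and it is not on the list.
    """
    kept, dropped = [], []
    for name, value in parse_cookie_header(header):
        (kept if name in allowed else dropped).append((name, value))
    return "; ".join(f"{n}={v}" for n, v in kept), dropped


def filter_response_cookies(set_cookie_headers, allowed=ALLOWED_COOKIES):
    """Resource -> client: pass through only Set-Cookie headers whose cookie name is
    allow-listed; attributes (Path, HttpOnly, ...) travel with the header unchanged."""
    kept = []
    for raw in set_cookie_headers:
        name = raw.split("=", 1)[0].strip()
        if name in allowed:
            kept.append(raw)
    return kept


# Constructed request as the browser would send it through the gateway.
SAMPLE_COOKIE_HEADER = "WIUser=alice; GATEWAY_SESSION=abc123; NFuseMode=Direct; icaclientcode=1"
```

Because the match is exact and case-sensitive, a cookie named wiuser is not forwarded even though WIUser is; if the Citrix side ever renames or re-cases a cookie, the symptom is an SSO that logs on but loses state, and the list in step 3 is the first place to look.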
Adding an SSO Domain

To add an SSO domain to the configuration:

1. In the left-hand menu, select SSO Domains. Refer to Add SSO Domains for general instructions.
2. Add domain attributes:
   Attribute Name: User name
   Attribute Restriction: Editable
   Referenced By: User input

   Attribute Name: Password
   Attribute Restriction: Editable
   Referenced By: User input

   Attribute Name: Domain
   Attribute Restriction: Hidden
   Referenced By: Static
   Attribute Value: citrixssotest
3. Click Next.
4. Protect the SSO domain with applicable access rules and click Next.
5. Click Finish Wizard.

Adding a Resource Path

To add a resource path to the configuration:

1. In the left-hand menu, select Manage Resource Access.
2. In the Web Resources section, select citrixsso and then click the Add Resource Path link.
3. Enter general settings.
   Path: Citrix/MetaFrame/default/frameset.asp
4. Enter Single Sign-On settings:
   Select the Enable Single Sign-On checkbox.
   Single Sign-On Type: Form based
   SSO Domain: citrixsso
5. Click Next.
6. Enter Logon Form settings:
   Method: POST
   Form Action (URL): http://<address of Citrix server>/citrix/metaframe/auth/login.aspx
   Form Data: state=login&logintype=explicit&user=[$username]&password=[$password]&context=%5BFind+Context%5D&tree=CRTREE&login=Log+In&slLanguage=en
7. Enter Verification of Logon Response settings:
   Verification URL: http://<address of Citrix server>/citrix/metaframe/site/applist.aspx
   Form Response: applist
8. Click the Add Client Request Header link.
9. Enter general settings and click Next.
   Header: User-Agent
10. Click Next.
11. Protect the resource path with applicable access rules and click Next.
12. Click Finish Wizard and then click Publish in the top menu.

Editing the Tunnel Set

To edit the tunnel set for this configuration:

1. In the left-hand menu, select Tunnel Sets.
2. Select the Citrix tunnel set to edit it.
3. Select Advanced and set the Redirect URL text field to:
   /http/citrixweb/citrix/metaframe/default/frameset.asp

Note: The /citrixweb/ part of the path above must match the Display Name of the Citrix web resource. With the Display Name citrixsso used in this note, the Redirect URL is /http/citrixsso/citrix/metaframe/default/frameset.asp.

Feedback

Stonesoft is always interested in feedback from our users. For comments regarding Stonesoft's products, contact feedback@stonesoft.com. For comments regarding this technical note, contact documentation@stonesoft.com.
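The form-based SSO configured in Adding a Resource Path above comes down to three things the gateway does on the user's behalf: render the Form Data template from the SSO domain attributes, POST it to the Form Action URL, then fetch the Verification URL and look for the Form Response marker. As an added illustration (example code written for this note, not StoneGate or Citrix code), the following emulates that sequence offline. The host name citrix.example.internal and the FakeWebInterface class are assumptions that stand in for <address of Citrix server> and for the real Citrix Web Interface; the template, the two URLs and the applist marker are the values from the note.

```python
"""Emulate the form-based SSO the gateway performs on the citrixsso resource path.

Example code written for this note, not StoneGate or Citrix code. CITRIX_HOST and
FakeWebInterface are assumptions that keep the example offline; FORM_DATA, the URLs
and FORM_RESPONSE are the values configured in the note.
"""
import re
from urllib.parse import parse_qs, quote_plus

CITRIX_HOST = "citrix.example.internal"  # assumed; stands in for <address of Citrix server>
FORM_ACTION = f"http://{CITRIX_HOST}/citrix/metaframe/auth/login.aspx"
VERIFICATION_URL = f"http://{CITRIX_HOST}/citrix/metaframe/site/applist.aspx"
FORM_DATA = ("state=login&logintype=explicit&user=[$username]&password=[$password]"
             "&context=%5BFind+Context%5D&tree=CRTREE&login=Log+In&slLanguage=en")
FORM_RESPONSE = "applist"

PLACEHOLDER = re.compile(r"\[\$(\w+)\]")  # [$username], [$password], ...


def render_form_data(template, attributes):
    """Substitute each [$name] with the URL-encoded value of that SSO domain attribute.

    Encoding is the point: a password such as "p&ss=w0rd" inserted raw would split the
    body into extra fields and post a truncated password. Attributes the template never
    references (the hidden Domain attribute here) are simply unused.
    """
    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"SSO domain has no attribute named {name!r}")
        return quote_plus(attributes[name])
    return PLACEHOLDER.sub(substitute, template)


def logon_succeeded(verification_body, marker=FORM_RESPONSE):
    """Verification of Logon Response: the marker must appear in the page fetched from
    the Verification URL. The logon POST's own reply is not trusted, because a failed
    logon is also answered with HTTP 200."""
    return marker in verification_body


class FakeWebInterface:
    """Constructed stand-in for Citrix Web Interface (not its real behaviour in detail):
    an explicit logon with the right password issues a session cookie, and applist.aspx
    renders the application list only when that cookie is presented."""

    def __init__(self, users):
        self.users = users    # {username: password}, constructed test accounts
        self.sessions = {}    # {session id: username}

    def post(self, url, body, cookies):
        fields = parse_qs(body, keep_blank_values=True)
        user = fields.get("user", [""])[0]
        password = fields.get("password", [""])[0]
        if (url == FORM_ACTION and fields.get("state") == ["login"]
                and user in self.users and self.users[user] == password):
            sid = f"s-{user}"
            self.sessions[sid] = user
            return 302, {"ASP.NET_SessionId": sid, "WIUser": user}, ""
        return 200, {}, "<html><body>Logon failed</body></html>"

    def get(self, url, cookies):
        if url == VERIFICATION_URL and cookies.get("ASP.NET_SessionId") in self.sessions:
            return 200, {}, '<html><div id="applist">Notepad</div></html>'
        # Unauthenticated: the logon form comes back instead of the application list.
        return 200, {}, '<html><form action="/citrix/metaframe/auth/login.aspx"></form></html>'


def perform_sso(web_interface, attributes):
    """The gateway's sequence for the resource path. Returns (success, posted body)."""
    body = render_form_data(FORM_DATA, attributes)
    _, cookies, _ = web_interface.post(FORM_ACTION, body, {})
    _, _, page = web_interface.get(VERIFICATION_URL, cookies)
    return logon_succeeded(page), body
```

Two practical points follow from the configuration. The Form Action in the note is a plain http:// URL, so the gateway-to-Web-Interface leg carries the user's password in the clear on the internal network; if the Web Interface accepts HTTPS, use it in both the Form Action and Verification URLs. And the separate verification fetch is what prevents a "Logon failed" page returned with status 200 from being treated as a successful sign-on.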
Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. SSL VPN Powered by PortWise.

Copyright and Disclaimer

Copyright 2000-2007 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.
IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

SG_SVTN_2081_20070629
www.stonesoft.com

Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki
Finland
tel. +358 9 4767 11
fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
tel. +1 770 668 1125
fax +1 770 668 1131