Deployment Guide: ICA Proxy for XenApp, Citrix Receiver for iPhone, Access Gateway Enterprise Edition


Table of Contents

- Introduction
- Solution Requirements
- Prerequisites
- Network Diagram
- XenApp: Configuration - XenApp Plugin
- NetScaler AGEE Certificates: Self Signed Certificates
- NetScaler AGEE: Public VIP
- NetScaler AGEE: Private VIP
- LDAP Authentication
- NetScaler AGEE: Proxy Group, Session Profile
- Secure Ticket Authority
- Testing from a PC
- Testing iPhone Receiver

Introduction

A member of the Citrix Delivery Center product family, Citrix NetScaler is a purpose-built web application delivery solution that accelerates application performance up to five times while improving security and reducing web infrastructure costs. In addition to delivering web applications for thousands of corporate customers, NetScaler is also the delivery infrastructure of choice for most of the world's largest consumer websites, touching an estimated 75 percent of all Internet users each day.

Citrix Access Gateway, a member of the Citrix Delivery Center, is the only SSL VPN to securely deliver any application with policy-based SmartAccess control. Users will have easy-to-use secure access to all of the enterprise applications and data they need to be productive, and IT can cost effectively extend access to applications while maintaining security through SmartAccess application-level policies. With Access Gateway, organizations are empowered to cost-effectively meet the anywhere access demands of all workers, enabling flexible work options, easier outsourcing and non-employee access, and business continuity readiness, while ensuring the highest level of information security. The newest release of the company's popular Citrix Access Gateway appliance now includes integration with Citrix XenDesktop, allowing companies to deliver virtual desktops securely to thousands of end users based on their unique identity, location and security status.

Citrix XenApp, a member of the Citrix Delivery Center product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings. XenApp is the most complete application virtualization system available with the ability to virtualize applications on both the client side and server side, delivering them on demand based on the user, the application or the location (online or offline). By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity. XenApp Platinum Edition adds critical capabilities for application performance monitoring, secure remote access, WAN optimization and single-sign-on application security.

Citrix Delivery Center is the first solution on the market to deliver applications and desktops to any user, anytime, anywhere from a secure central location. Citrix Delivery Center's market leading application delivery technologies - XenServer, NetScaler, XenApp and XenDesktop - enable IT to dramatically improve agility, while enabling the best performance and highest security at the lowest cost.

Citrix Receiver is a lightweight software client that makes accessing virtual applications and desktops on any device as easy as turning on your TV. Citrix Receiver provides iPhone users with fast, secure, and easy access to their enterprise applications. With Citrix Receiver for iPhone, users can access any XenApp application from their Apple iPhone or iPod Touch. Users can view, review, edit, and interact with full-featured Windows applications, documents, and data just like they would if they were at their PC.

Solution Requirements

- ICA Proxy for Citrix Receiver iPhone
- ICA Proxy for XenApp
- ICA Proxy for NetScaler AGEE

Prerequisites

- Citrix NetScaler L4/7 Application Switch, version 9.0+ running Access Gateway (Quantity x 2 for High Availability)
- Citrix XenApp Server 5.0+
- Microsoft Server with Active Directory
- iPhone Configuration Utility
- iPhone
- Citrix Receiver for iPhone

Network Diagram

The following is the network that was used to develop this deployment guide.

Figure: Citrix ICA Proxy for iPhone, Logical Network Diagram. Labels in the diagram:

- Win2k3 (S1 & DC), Domain Controller: IPA: 1.1.1.4, FQDN: auth.ns.com, LDAP Auth -or- SMS Auth
- CA cert: ns.com; Server Cert: ag.ns.com
- XenApp: IPA: 1.1.1.3, FQDN: xa.ns.com
- NetScaler AGEE: Public URL https://ag.ns.com; ICA Proxy; FQDN: ag.ns.com 1.1.1.5; FQDN: ag.ns.com 2.2.2.5
- Private: 1.1.1.0/24; Public: 2.2.2.0/24

VLAN Legend (NetScaler):

- VLAN 1 (Private): Interface 1/1, Untagged; NSIP: 1.1.1.10 / 24; SNIP: 1.1.1.1 / 24; private-vip: 1.1.1.5 / 24
- VLAN 2 (Public): Interface 1/8, Untagged; SNIP: 2.2.2.2 / 24; public-vip: 2.2.2.5 / 24

Figure: Citrix ICA Proxy for iPhone, Certificate Chain of Trust. Labels in the diagram:

- Certificate Authority: Trusted Root CA Certificate (xencloud.net); Server Certificate (ag.xencloud.net)
- NetScaler: Import: Trusted Root CA Certificate ~and~ Server Certificate
- Import: Trusted Root CA Certificate
- Nodes: Win2k3 (S1 & DC), iPhone Configuration Utility, XenApp, iPhone

XenApp

Configuration - XenApp Plugin

Once you have installed Citrix XenApp you will need to configure it such that it will work with the Citrix NetScaler in an ICA Proxy deployment. Creating a XenApp service will publish the XenApp applications through the Citrix client, such as XenApp client or Citrix Receiver.

From the Access Management Console: Citrix Resources -> Configuration Tools -> Web Interface -> Action -> Create Site. Select XenApp Services. Select Next.

IIS Location:
- IIS Site: Default Web Site
- Path: /Citrix/PNAgent/

Confirm: Next. Finish. Configure Site Now.

Specify Server Farm:
- Farm Name: <your farm name>
- Servers: <XenApp Hostname>

Resource Type: Remote. Next.

Confirm: Finish.

From the Access Management Console: Actions -> Manage Secure Client Access -> Edit Secure Client Access.

Specify Access Method:
- Client IP: Default
- Method: Gateway Direct

Next.

Gateway Settings:
- Address: <FQDN of NetScaler Access Gateway>
- Port: 443

Note: Your first thought might be to configure the private FQDN here, but that isn't the case. According to the sentence in the dialog box, this is the FQDN that public users will use to access the applications - through the Access Gateway. Therefore, this needs to be the public FQDN of the AG, which in this example is ag.ns.com, and resolves to 2.2.2.5.

Secure Ticket Authority:
- URL: <ip address of XenApp>/scripts/ctxsta.dll

Select Finish.

NetScaler AGEE Certificates

Self Signed Certificates

You will need two certificates: a self-signed Root CA certificate and a server certificate. If you purchased a certificate, for example from Verisign, then you only need the server certificate. Follow the deployment guide located here to create a Self Signed Server Certificate and download a Root CA Certificate: http://community.citrix.com/display/ocb/2010/05/10/citrix+receiver+certificate+chain

Link them together and bind them to the Access Gateway VIP.

NetScaler AGEE Public VIP

Create the public facing VIP that users will connect to when they type https://ag.xencloud.net into their browser URL locator.

From the NetScaler GUI: NetScaler -> Access Gateway -> Access Gateway Wizard.

Create Virtual Server:
- Type: New
- IP Address: 67.97.253.89
- Port: 443
- Name: ag.xencloud.net

Next.

Server Certificate:
- Options: Use an installed certificate and private key pair
- Certificate: xencloudagsrv.keypair

Next.

Note: 1) ag.xencloud.net must resolve to IP address 67.97.253.89, and 2) the Common Name in Server Certificate xencloudagsrv.cer must contain ag.xencloud.net.

DNS:
- DNS Server: 10.217.105.151

Note: In this example our Active Directory Domain Controller also serves as our DNS.

Next.

Authentication:
- Type: LDAP
- IP: 10.217.105.151
- Port: 636
- Time-out: 3
- Base DN: dc=xencloud,dc=net
- Admin DN: cn=administrator,cn=users,dc=xencloud,dc=net
- Password: <password>
- Confirm: <password>
- Login Attr: samaccountname
- Filter:
- Group Attr: memberof
- Sub Attr: CN
- SSL Attr: samaccountname
- Security Type: SSL

Next.

Additional:
- Authorization: Allow
- Redirect: Redirect to secure web address
- Address: https://ag.xencloud.net

Next.

Clientless Access: Use the Access Gateway Plugin and allow access scenario fallback.

Next. Finish.

NetScaler AGEE Private VIP

Create the private facing VIP that XenApp will connect to when it authenticates users.

From the NetScaler GUI: NetScaler -> Access Gateway -> Access Gateway Wizard.

Create Virtual Server:
- Type: New
- IP Address: 10.217.105.5
- Port: 443
- Name: ns.xencloud.net-vip

Next.

Server Certificate:
- Options: Use an installed certificate and private key pair
- Certificate: xencloudagsrv.keypair

Next.

Note: 1) ns.xencloud.net must resolve to IP address 10.217.105.5, and 2) the Common Name in Server Certificate xencloudnssrv.cer must contain ns.xencloud.net.

DNS:
- DNS Server: 10.217.105.151

Note: In this case our Active Directory Domain Controller also serves as our DNS.

Next.

LDAP Authentication

Use the guidance of this screenshot to configure the NetScaler AGEE for LDAP Authentication. If you wish to implement SMS Authentication, go to the next screenshot.

Authentication:
- Type: LDAP
- IP: 10.217.105.151
- Port: 636
- Time-out: 3
- Base DN: dc=xencloud,dc=net
- Admin DN: cn=administrator,cn=users,dc=xencloud,dc=net
- Password: <password>
- Confirm: <password>
- Login Attr: samaccountname
- Filter:
- Group Attr: memberof
- Sub Attr: CN
- SSL Attr: samaccountname
- Security Type: SSL

Next. Finish.

Authentication:
- Type: LDAP
- IP: 10.217.105.151
- Port: 636
- Time-out: 3
- Base DN: dc=xencloud,dc=net
- Admin DN: cn=administrator,cn=users,dc=xencloud,dc=net
- Password: <password>
- Confirm: <password>
- Login Attr: samaccountname
- Filter:
- Group Attr: memberof
- Sub Attr: CN
- SSL Attr: samaccountname
- Security Type: SSL

Next. Finish.

Additional:
- Authorization: Allow

Next.

Clientless Access: Use the Access Gateway Plugin and allow access scenario fallback.

Next. Finish.

VIPs: After configuring the Public VIP and Private VIP you should see them in the Access Gateway -> Virtual Servers in the NetScaler config GUI.

- Public VIP: is used for client connections coming from outside the organization, internet or intranet.
- Private VIP: is used by the XenApp server to call back to the NetScaler AGEE, to authenticate users.

The Server certificate should be bound to both the Public and Private VIPs.

NetScaler AGEE Proxy Group, Session Profile

To proxy the ICA connections from the XenApp server to the Citrix Receiver for iPhone, the NetScaler AG needs to be configured to do so. You do this by adding a group and configuring the group for proxy ICA connections via a session profile. The group name MUST match the memberof group name in the LDAP/Active Directory server.

From the NetScaler GUI: NetScaler -> Access Gateway -> Groups. Select Add.

- Group Name: <groupname>

In this example our group name is: iphoneproxy3

Note: The same group must be added to the LDAP/Active Directory server.

Create.

Select the Policies tab, Add Policy. Type in the policy name; in this example it is the same as the group name: iphoneproxy3. At Request Profile, select New to create a new profile. In this example, the request profile is the same as the group name: iphoneproxy3. This session profile will be used to identify the Citrix Receiver for iPhone sessions and tunnel traffic accordingly.

Client Experience:
- Home Page: none. Select Override Global.
- Clientless Access: On. Select Override Global.
- Single Sign-on to Web Applications: Selected. Select Override Global.

Published Applications:
- ICA Proxy: On. Select Override Global.
- Web Interface Address: http://10.217.105.155/citrix/PNAgent/config.xml. Select Override Global.
- Web Interface Portal Mode: Normal. Select Override Global.
- Single Sign-on Domain: <your domain>. Select Override Global.

Note: Single Sign-on Domain in this example is xencloud.

Select Ok. Under named expressions, select True Value, Add Expression. Then Create.

Session profile: After you create the session policy, configure the following expressions and select Match All Expressions as the operator for the expressions:

- REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
- REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork
- REQ.HTTP.HEADER User-Agent CONTAINS Darwin

Select Ok.
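An added example (not part of the original guide, and not NetScaler code): a small Python model of the three expressions above, showing which requests the session policy selects under Match All and what a looser operator would also select. The User-Agent strings are constructed samples, and case-sensitive substring matching is an assumption.

```python
import re
from typing import Dict, List, NamedTuple


class Clause(NamedTuple):
    header: str  # HTTP header the clause inspects
    needle: str  # literal that must appear in the header value


# The three expressions from the session policy in this guide.
POLICY_EXPRESSIONS = [
    "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver",
    "REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork",
    "REQ.HTTP.HEADER User-Agent CONTAINS Darwin",
]

CLAUSE_RE = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S.*)$")

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "receiver_iphone": {"User-Agent": "CitrixReceiver-iPhone CFNetwork/459 Darwin/10.0.0d3"},
    "other_ios_app": {"User-Agent": "ExampleApp/1.0 CFNetwork/459 Darwin/10.0.0d3"},
    "receiver_non_ios": {"user-agent": "CitrixReceiver WebHelper"},
    "desktop_browser": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6"},
    "no_user_agent": {"Host": "ag.xencloud.net"},
}


def parse_clause(expr: str) -> Clause:
    """Parse 'REQ.HTTP.HEADER <name> CONTAINS <literal>'; reject anything else."""
    m = CLAUSE_RE.match(expr.strip())
    if m is None:
        raise ValueError(f"unsupported expression: {expr!r}")
    return Clause(header=m.group(1), needle=m.group(2))


def header_value(headers: Dict[str, str], name: str) -> str:
    """Header names are case-insensitive; a missing header reads as empty."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def missing_tokens(headers: Dict[str, str], expressions: List[str]) -> List[str]:
    """Literals the request does not contain (assumption: case-sensitive match)."""
    clauses = [parse_clause(e) for e in expressions]
    return [c.needle for c in clauses if c.needle not in header_value(headers, c.header)]


def policy_matches(headers: Dict[str, str], expressions: List[str],
                   operator: str = "ALL") -> bool:
    """Combine the clause results with the chosen operator."""
    missing = missing_tokens(headers, expressions)
    if operator == "ALL":  # "Match All Expressions", as the guide selects
        return not missing
    if operator == "ANY":  # looser operator, modelled here only for contrast
        return len(missing) < len(expressions)
    raise ValueError(f"unknown operator: {operator!r}")


def evaluate_samples(operator: str = "ALL") -> Dict[str, bool]:
    """Policy decision for every constructed sample request."""
    return {name: policy_matches(hdrs, POLICY_EXPRESSIONS, operator)
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for op in ("ALL", "ANY"):
        for name, hit in evaluate_samples(op).items():
            gaps = missing_tokens(SAMPLE_REQUESTS[name], POLICY_EXPRESSIONS)
            print(f"{op:3} {name:17} match={hit!s:5} missing={gaps}")
```

User-Agent is a client-supplied header, so this policy only selects which session profile applies; LDAP authentication and membership of the bound group remain what gates access.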

Group Binding: The iphoneproxy3 session should be bound to the iphoneproxy3 group.

Secure Ticket Authority

Communication between the XenApp Server and the NetScaler AG depends on the Citrix Secure Ticket Authority. You must configure this in the NetScaler AG. In this case the CTX STA resides on the XenApp server.

From the NetScaler GUI: NetScaler -> Access Gateway -> Virtual Servers. Open the public vip. In this example it is ag.xencloud.netvip at IP Address 67.97.253.89. Select Published Applications. Under Secure Ticket Authority, Add. Enter the URL to the Secure Ticket Authority, in this example the same as the XenApp Server: http://10.217.105.155/scripts/ctxsta.dll

Create. Create.

Testing from a PC

Once you have installed all of the components of this solution, you should test it by publishing a test application such as Notepad in XenApp, then connecting to see whether Single Sign-On works and that the PNAgent is configured correctly.

From a web browser, enter the FQDN of the public vip. In this example it is: https://ag.xencloud.net

Enter the login credentials, which are configured in Active Directory. The user for Web Interface has been added as a memberof the iphoneproxy3 group in Active Directory, which matches the group name we have configured in the Access Gateway. Because we have configured this solution for Single Sign-On, you should only have to enter credentials one time.

Application: At this point you should see an XML file returned in the browser. This tells you that the iPhone should be able to work correctly with the iPhone Receiver and XenApp.

Testing iPhone Receiver

Once you have installed all of the components of this solution, you should test it by publishing a test application such as Notepad in XenApp, then connecting with the Citrix iPhone Receiver.

Install AGEE Cert locally: On a Windows PC, run the MMC and then add the certificate snap-in for the current user. Copy the root certificate from the Trusted Root Authorities to the personal keystore (make sure to copy and not move).

Download and Install the iPhone Configuration Utility: Select Configuration Profiles. Create a new Configuration Profile. Fill out the General profile information.

Credentials: Select Credentials -> Configure. Select the Root CA Certificate.

Note: If using an Intermediate Certificate, you should install the Root CA Certificate and the Intermediate Root CA Certificate.

Export: Select Export. Save locally.

iPhone Certificate: At this point you can:

1) Email the profile to yourself, and open it with the iPhone.
2) Email the Root CA Certificate to yourself, and open it with the iPhone.
3) Install it to your iPhone locally using iTunes.

In this example, we install the profile locally using iTunes.

Install the Cert & Profile onto the iPhone:

Download the Citrix Receiver for iPhone: Install and open iTunes by Apple. Navigate to the Apple Application Store, search, download and install the Citrix Receiver for iPhone.

Account Settings: At this point you should see the Citrix Receiver on your iPhone. Tap on it to open it, and configure it with the gateway settings for the AGEE iPhone Proxy. For this example:

- Address: ag.xencloud.net
- User: <username>
- Pass: <password>
- Domain: xencloud.net
- Sign In Automatically: Off

Citrix Access Gateway:
- Access Gateway: On
- Gateway Type: Enterprise Edition
- Gateway Authentication: Domain Only

Apps: Tap on Next, and Citrix Receiver should log in through the AGEE and receive the Applications published on XenApp.

Worldwide Headquarters: Citrix Systems, Inc., 851 West Cypress Creek Road, Fort Lauderdale, FL 33309, USA. T +1 800 393 1888, T +1 954 267 3000
Americas: Citrix Silicon Valley, 4988 Great American Parkway, Santa Clara, CA 95054, USA. T +1 408 790 8000
Europe: Citrix Systems International GmbH, Rheinweg 9, 8200 Schaffhausen, Switzerland. T +41 52 635 7700
Asia Pacific: Citrix Systems Hong Kong Ltd., Suite 3201, 32nd Floor, One International Finance Centre, 1 Harbour View Street, Central, Hong Kong. T +852 2100 5000
Citrix Online Division: 6500 Hollister Avenue, Goleta, CA 93117, USA. T +1 805 690 6400
www.citrix.com

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world's largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion.

The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. ("CITRIX"), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

© 2009 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.