How to use WEBVPN with Citrix Metaframe Version 1.4 Author: Luis Jorge

Introduction

The vpn3000 supports various Citrix clients by using different WEBVPN features. Chart 1.1 shows a list of WEBVPN features and which Citrix clients are supported with each WEBVPN feature.

VPN3000 Feature Options      Citrix Metaframe Clients Supported
Full tunneling *             Program Neighborhood Client, Web Client, Java Client
Citrix Support Feature *     Java or Web Client

* Features only in 4.7 and later code

fig 1.1

Citrix Metaframe Presentation Server has 3 modules, of which 2 must be installed; the third is optional but highly recommended unless you are very familiar with Citrix Metaframe and HTML coding. The 2 modules that must be installed are Presentation Server and License Server. The other module you will need to have installed is the Web Interface module. These 3 modules can be on the same or different servers. The Web Interface module runs on a server with IIS installed and is required to use the Java or Active-X client. There is an advanced option of deploying the Java, Active-X, and ICA files via your own custom-built web server and interface for more advanced applications. The document that explains how to do this can be found at http://support.citrix.com/servlet/kbservlet/download/4259-102-11012/icajava.pdf

How to configure vpn3000 to support Citrix Metaframe Web Client / Java Client using Citrix Support Feature

The vpn3000 controls the Citrix Support Feature function at the group level. To enable support for Citrix, turn on Citrix support in the WEBVPN tab under the group that should access the Citrix server via WEBVPN (see 2.1). You will most likely want to add a predefined link to the user's Home Page (a.k.a. Portal Page) for quick launch and easy access. Add the Citrix web interface server as a normal HTTP resource just like any other web server.
When using the web client or Java client, it will use the FQDN found in the CN field of the SSL certificate to determine where to establish a secure Citrix connection. When defining the Citrix web interface server resource on the portal page of the vpn3000 you can use the IP address or the FQDN of that Citrix server. If the web server is not set up to point to the Citrix web portal login page as its default page, you will need to provide the complete link to the Web Portal path.

Example
http://10.0.0.1/citrix/metaframe/default/default.aspx
http://citrix.mycompany.com/citrix/metaframe/default/default.aspx

fig 2.1

In addition to enabling support for Citrix at the group level, you will also need to consider what type of SSL certificate you plan to use. There are 3 options:

Self Signed Certificates
These are certificates that are created locally on the box and are self signed, that is to say the Root Authority is itself.

Purchased Certificates
These certificates are purchased from a well-known public Certificate Authority like Verisign or Entrust. The certificates purchased will be signed by their root certificate for validation. Most browsers and Java certificate stores contain the root certificate from these companies, and thus any certificates purchased from them will be automatically trusted by the PC.

Corporate or Private Certificate Authority
These would be certificates generated and signed by your own local certificate authority server. One of the most common examples of this would be Microsoft's Certificate Authority server.

One of the requirements of the Citrix Java or Web Client is to use the FQDN when connecting to the server; you will need to make sure your certificate is generated using the FQDN, not the IP address. This FQDN must be located in the CN field of the certificate.

Example:
vpn3000.cisco.com
ssl-box.cisco.com

How to generate a self signed certificate on the vpn3000

Under the administration >>> certificate management screen you will see a list of SSL certificates currently installed in the box. There will be one for private and one for public (see fig 3.1). Click the generate link next to the SSL certificate you would like to create. In this case it should be the public SSL certificate, since your users should be accessing the box via the public interface. The screen that follows is the certificate info page. In the CN field fill in the FQDN you would like your users to use when accessing the vpn3000 via WEBVPN; by default the IP address of the interface is filled in (see fig 3.2).

fig 3.1

fig 3.2

How to use Purchased Certificates or Corporate or Private Certificate Authority

This topic will not be discussed here since it's not anything new to support Citrix. This info can be found in the Administrators Guide on www.cisco.com.

How to configure Citrix web interface to use Java w/vpn3000 WEBVPN

There are two items that need to be configured to get the Citrix Java client to work. One is to configure the Citrix Web Interface; the other is to determine if you will need to install a trusted root certificate in the Sun Java store. These directions assume you are using the Sun Java virtual machine, not the Microsoft one. In a future doc we will add the topic of using Microsoft's JVM. The first question to answer is what type of certificate authority you got your SSL certificate from.

Purchased Certificates: If you purchased the certificate from a public certificate authority, then the Sun JVM most likely has the root certificate installed in the certificate store as a trusted root, thus trusting any certificates signed by it. In this case there should be nothing you need to do for that certificate to work, and you should continue on to configure your Citrix web interface.

Self Signed Certificates: If you are using self signed certificates you will need to import (install) this root certificate into the JVM certificate store. See how to export self signed certificates from the vpn3000, then see how to import root certificates into the Sun Java certificate store.

Corporate or Private Certificate Authority: If you are using a corporate or private certificate authority you will need to import (install) the root certificate that signed the SSL certificate. See how to import root certificates into the Sun Java certificate store.

How to export self signed vpn3000 root certificates

There are a few ways to retrieve the self signed root certificates from the vpn3000. The first way is to browse via http or https to \\boxaddress\cert\ssl.crt. This will open a dialog box and allow you to save the certificate for that interface, so if you are trying to get the public interface's SSL certificate then make sure you use the public IP for the box address; the DNS name will work also.

The other option is to log in to the GUI; under the administration >>> certificate management screen (see fig 3.1) you will see a list of SSL certificates currently installed in the box. There will be one for private and one for public. Click the export link next to the SSL certificate you would like to export. In this case it should be the public SSL certificate, since your users should be accessing the box via the public interface. The screen that follows will ask for a password, since this export will also include the private key for the SSL certificate.
The vpn3000 will open a new browser window that will display the encrypted private key and the certificate key (see fig 6.1). Copy and paste the certificate part of this screen, the block that runs from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, into a text editor like notepad. Only the certificate part is needed; leave the encrypted private key out of the file. Then save the file with an extension of .cer. Now you will be able to import this certificate into the JVM certificate store.
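A check to run on the saved .cer file before importing it, as an added example that is not part of the original document: it confirms that the CN is the expected FQDN rather than an IP address (the Citrix client requirement stated above) and reports whether the certificate is self-signed. It assumes the openssl command-line tool is installed alongside keytool; the function names, file names and vpn3000.example.com are illustrative.

```shell
#!/bin/sh
# Added example (not from the original document): check an exported
# certificate before importing it into the JVM certificate store.
# Function names, file names and the openssl dependency are assumptions.

# Print the subject CN of a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the argument looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Succeed if subject and issuer are identical (self-signed certificate).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null)
    [ -n "$s" ] && [ "${s#subject=}" = "${i#issuer=}" ]
}

# check_cert FILE FQDN
# Returns 0 if the CN equals FQDN, 1 if the CN is an IP address,
# 2 if the CN is a different name, 3 if the file cannot be parsed.
check_cert() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] || return 3
    if is_ipv4 "$cn"; then return 1; fi
    [ "$cn" = "$want" ] || return 2
    return 0
}

# Constructed sample input: a throwaway self-signed certificate.
# make_demo_cert CN OUTFILE
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# Usage: sh check_cert.sh certnew.cer vpn3000.example.com /path/to/cacerts
if [ "$#" -eq 3 ]; then
    check_cert "$1" "$2" || { echo "CN check failed (code $?)" >&2; exit 1; }
    is_self_signed "$1" && echo "self-signed: must be imported to be trusted"
    # Same keytool options as in this document; keytool displays the
    # certificate and asks for confirmation before adding it.
    keytool -import -trustcacerts -alias mycert -file "$1" -keystore "$3"
fi
```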

fig 6.1

How to import root certificates into Sun's Java certificate store

This process must be done to allow the JVM to trust the SSL certificate being presented from the vpn3000. The Citrix Java code will be able to access the FQDN but will not connect without the JVM trusting the SSL certificate being presented. If the SSL certificate is not trusted you will see the following error when making a connection (see fig 7.1).

fig 7.1

There are two ways to import certificates into the Java certificate store. The first way is to use a command line tool called keytool. The keytool utility is installed by default when the JVM is installed on the machine. The JVM certificate store is a file called cacerts located in ...\lib\security\cacerts and has a default password of changeit. The other option is to use a GUI based program like keystore explorer, which is a graphical version of the keytool tool.

The keytool program can be found in
c:\program files\java\j2re.1.4.2_06\bin\keytool.exe
*** This will vary per version of code ***

Example of the syntax is
keytool -import -trustcacerts -alias mycert -file certnew.cer -keystore ..\lib\security\cacerts
*** This syntax will vary ***

The JVM certificate store cacerts has a default password of changeit.

The keystore explorer can be found at http://www.lazgosoftware.com/kse/index.html

How to configure the Citrix Web Interface

For this example we will configure the web interface to default to the Java Citrix client and to use the connection manager. This is a very basic example of how to use the Web Interface. There are several other advanced options, like using the Citrix Web Client, which is an Active-X applet, using a Program Neighborhood Client that might already be installed on the machine, or using auto detect to find any client already installed and, if there is none, default to the Java or Web Client. You can also choose not to use the connection manager, in which case a person who connects gets a desktop which looks and feels like their local machine. For details on how to configure more advanced options in the Web Interface please refer to the Citrix administration guides.

You can launch the web interface console from within the Citrix Access Suite console or directly via http.

Example
http://10.0.0.1/citrix/metaframe/wiadmin
http://citrix.mycompany.com/citrix/metaframe/wiadmin

There is only one parameter that is 100% necessary for this to work with the vpn3000, which is the enable SSL/TLS option. All other options are for you to choose how the Citrix Web Interface will act and look for your users. The encryption option has no effect on the vpn3000, and you will still be using SSL encryption for your session to the vpn3000 to access Citrix. This option is used when you want encryption without the vpn3000 or if you want to provide some basic encryption for local LAN traffic. If you would like, you can use this option in combination with the vpn3000.

Here is a screen shot for the Client deployment setting screen under the Web Interface console.

The only item we have checked on this first screen is Client for Java as the default.

As stated in an earlier section of this doc, SSL/TLS MUST BE CHECKED for this to work with the vpn3000.