How to use WEBVPN with Citrix Metaframe Version 1.4 Author: Luis Jorge Introduction The vpn3000 supports various Citrix clients by using different WEBVPN features. Chart 1.1 shows a list of WEBVPN features and what Citrix clients are supported with each WEBVPN feature. VPN3000 Feature Options Full tunneling * Citrix Support Feature * * Features only in 4.7 and later code Citrix Metaframe Clients Supported Program Neighborhood Client, Web Client, Java Client Java or Web Client fig 1.1 Citrix Metaframe Presentation server has 3 modules with which 2 must be installed and a third module which is optional but highly recommended unless you are very familiar with Citrix Metaframe and HMTL coding. The 2 modules that must be installed are Presentation Server & License Server. The other module you will need to have installed is the Web Interface module. These 3 modules can be on the same or different servers. The Web interface module runs on a server with IIS installed and is required to use the Java or active-x client. There is an advanced option of deploying the java, active-x, & ICA files via your own custom build web server and interface for more advanced applications. The document that explains how to do this can be found at http://support.citrix.com/servlet/kbservlet/download/4259-102-11012/icajava.pdf How to configure vpn3000 to support Citrix Metaframe Web Client / Java Client using Citrix Support Feature The vpn3000 controls the Citrix Support Feature function at the group level. To enable support for Citrix you will need to turn on Citrix support in the WEBVPN tab under the group you would like to access the Citrix server via WEBVPN. (see 2.1). You most likely want to add a predefined link to the users Home Page (a.k.a. Portal Page) for quick launch and easy access. You would add the Citrix web interface server as a normal HTTP resource just like any other web server. When using the web client or Java client it will use the FQDN name found in the CN field of the SSL certificate to determine where to establish a secure Citrix connection. When defining the Citrix web interface server resource on the portal page of the vpn3000 you can use the IP address or the FQDN of that Citrix server. If the web server
is not setup to point to the Citrix web portal login page as its default page you will need to provide the complete link to the Web Portal path. Example http://10.0.0.1/citrix/metaframe/default/deafult.aspx http://citrix.mycompany.com/citrix/metaframe/default/deafult.aspx fig 2.1 In addition to enabling support for Citrix at the group level you will also need to consider what type of SSL cert you plan to use. There are 3 options Self Signed Certificates These are certificates that are created locally on the box and are self signed, as to say the Root Authority is itself Purchased Certificates These certificates are purchased from a publicly well known Certificate Authority like Verisign or Entrust. The certificates purchased will be signed by their root certificate for validation. Most
browsers and Java certificate stores contain the root cert from these companies and thus any certificates purchased from them will be automatically trusted by the pc. Corporate or Private Certificate Authority These would be certificates generated and signed by your own local certificated authority server. One of the most common examples of this would be Microsoft s Certificate Authority server One of the requirements of the Citrix Java or WEB CLIENT is to use FQDN when connecting to the server; you will need to make sure your certificate when generated is done using the FQDN, not the IP address. This FQDN must be located in the CN field of the certificate. Example: vpn3000.cisco.com ssl-box.cisco.com How to generate a self signed certificate on the vpn3000 Under administration >>> certificate management screen you will see a list of SSL certificates currently installed in the box. There will be one for private and one for public (see fig 3.1). Click the generate link next to the ssl cert you would like to create. In this case it should be the public SSL cert since your users should be accessing the box via the public interface. The screen that follows is the certificate info page. In the CN field fill in the FQDN you would like your users to use when accessing the vpn3000 via WEBVPN, by default the IP address of the interface is filled in (see fig 3.2). fig 3.1
fig 3.2 How to use Purchased Certificates or Corporate or Private Certificate Authority This topic will not be discuss here since it s not anything new to support Citrix. This info can be found the in Administrators Guide on www.cisco.com. How to configure Citrix web interface to use Java w/vpn3000 WEBVPN There are two items needed to be configured to get the Citrix Java client to work. One is to configure the Citrix Web Interface, the other is two determine if you will need to install a trusted root certificate in the Sun Java store. These directions are assuming you are using the Sun Java virtual machine not the Microsoft one. In a future doc we will add the topic of using Microsoft s JVM. The first question to answer is what type of certificate authority did you get your SSL certificate from.
Purchased Certificates : If you purchased the certificate from a public certificate authority then the SUN JVM most likely has the root certificate installed in the certificate store as a trusted root thus trusting any certificates signed by it. In this case there should be nothing you will need to do for that certificate to work and you should continue on to configure your Citrix web interface. Self Signed Certificates: If you are using self signed certificates you will need to import (install) this root certificate into the JVM certificate store. See how to extract self signed certificates from the vpn3000 then see how to import root certificates into Sun Java certificate store. Corporate or Private Certificate Authority: If you are using corp. or private certificate authority you will need to import (install) the root certificate that signed the SSL certificate. See how to import root cert into Sun Java certificate store. How to export self signed vpn3000 root certificates There are a few ways on how to retrieve the self signed root certificates from the vpn3000. The first way is http or https to \\boxaddress\cert\ssl.crt this will open a dialalog box and allow to save the certificate for that interface, so if you are trying to get the public interfaces SSL certificate than make sure you use the public IP for the box address or DNS name will work also. The other option is to login to the GUI and under administration >>> certificate management screen (see fig 3.1) you will see a list of SSL certificates currently installed in the box. There will be one for private and one for public (see fig 3.1). Click the export link next to the SSL cert you would like to export. In this case it should be the public SSL cert since your users should be accessing the box via the public interface. The screen that follows will ask for a password since this export will also include the private key for the SSL certificate. The vpn3000 will open a new browser window that will display the encrypted private key and the certificate key (see fig 6.1). You want to copy and paste the certificate part of this screen (see below) into a text editor like notepad. You then will want to save the file with an extension of.cer. Now you will be able to import this certificate into the JVM certificate store. -----BEGIN CERTIFICATE----- MIIClDCCAf0CBEHkOuAwDQYJKoZIhvcNAQEEBQAwgZExCzAJBgNVBAYTAlVTMRYw FAYDVQQIEw1NYXNzYWNodXNldHRzMREwDwYDVQQHEwhGcmFua2xpbjEcMBoGA1UE ChQTQ2lzY28gU3lzdGVtcywgSW5jLjEeMBwGA1UECxQVVlBOIDMwMDAgQ29uY2Vu dhjhdg9ymrkwfwydvqqdfbazay52cg4uy2lzy28uy29tmb4xdta1mdexmtiwnduy MFoXDTA4MDExMTIwNDUyMFowgZExCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNz YWNodXNldHRzMREwDwYDVQQHEwhGcmFua2xpbjEcMBoGA1UEChQTQ2lzY28gU3lz dgvtcywgsw5jljeembwga1uecxqvvlboidmwmdagq29uy2vudhjhdg9ymrkwfwyd VQQDFBAzay52cG4uY2lzY28uY29tMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKB gqcylcjiedq0ncgcuyaqlrorlg4epidojxkajrao4nih6a3ybyotoufaz04dchjn XIF7uSxG196FILic95j/1a0z7zZbo7Mr2n1GH2sucd9I94zZ+PCmfaLPm6BIa2f9 pv3347cg/s7bovcaajf+aq3bhbpmhmaokmjzz5d1nq1goqibazanbgkqhkig9w0b AQQFAAOBgQBRIzAbLazgtQ6Wduf9aUcIPBG08aZSyZ2BsrlA4VijeUzcm6xj/Jbg TitOjRv0pS2AZtEiJiv/7xJ/0oHXAX7GV/9deWFXpTaQU93/m4rEp2kh5N8fE4VU
CYS/ipWynuQzoJW2RdmUlZSQdcp5Y85jvcYZ9e1wLT6w2eLC+TsEyQ== -----END CERTIFICATE-----
fig 6.1 How to import root certificates into Sun s Java certificate store This process must be done to allow the JVM to trust the SSL certificate being presented from the vpn3000. The Citrix java code will be able to access the FQDN but will not connect without the JVM trusting the SSL certificate being presented. If the SSL cert is not trusted you will see the following error when make a connection (see fig 7.1) fig 7.1 There are two ways to import certificates into the Java certificate store. The first way is to use a command line tool called keytool. The keytool utility is installed by default when JVM was installed on the machine. The JVM certificate store is a file called cacerts located in...\lib\security\cacerts and has a default password of changeit. The other option is to use a GUI based program like keystore explorer which is a graphical version of the keytool tool. The keytool program can be found in c:\program files\java\j2re.1.4.2_06\bin\keytool.exe *** This will vary per version of code *** Example of the syntax is keytool -import -trustcacerts -alias mycert -file certnew.cer - keystore..\lib\security\cacerts *** This syntax will vary *** The JVM certificate store cacerts has a default password of changeit The keystore explorer can be found at http://www.lazgosoftware.com/kse/index.html How to configure the Citrix Web Interface For this example we will configure the web interface to default to the Java Citrix client and to use the connection manager. This is a very basic example of how to use the Web Interface. There are several other advanced options like using the Citrix Web Client which is an Active-X applet, using Program Neighborhood Client that might be already installed on the machine, or using auto detect if you have any client already install, and if not default to the Java or Web Client. You can also not choose to use the connection
manager and when a person connects they get desktop which looks and feels like their local machine. For details on how to configure more advanced options in the Web interface please refer to the Citrix administration Guides. You can launch the web interface console from within the Citrix Access Suite console or directly via http. Example http://10.0.0.1/citrix/metaframe/wiadmin http://citrix.mycompany.com/citrix/metaframe/wiadmin There is only one parameter that is 100% necessary for this to work with the vpn3000 which is enable SSL/TLS option. All other options are for you to choose how the Citrix Web Interface will act and look for your users. The encryption option has no effect on the vpn3000 and you will still be using SSL encryption for your session to the vpn3000 to access Citrix. This option is used when you want to use encryption if you were not using the vpn3000 or if you want to provide some basic encryption for local LAN traffic. If you would like you can use this option in combination with the vpn3000. Here is a screen shot for the Client deployment setting screen under the Web Interface console.
The only item we have checked on this first screen is Client for Java as the default.
As stated in the doc in earlier section SSL/TLS MUST BE CHECK for this to work with the vpn3000.