Citrix Systems, Inc.




Guidelines for Deploying Citrix Access Essentials 1.5 with Windows Small Business Server 2003 Citrix Systems, Inc.

Notice

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. ("CITRIX"), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright 2006 Citrix Systems, Inc., 851 W Cypress Creek Rd, Ft. Lauderdale, Florida 33309 U.S.A. All rights reserved.

Version History

April 25, 2006    Lisa Durbin    Final edited version

Table of Contents

INTRODUCTION
OVERVIEW
FIREWALL/ROUTER CONFIGURATION
IP CONFIGURATION
DNS CONFIGURATION
REMOTE ACCESS
SECURITY CONSIDERATIONS
LIMITATIONS
INSTALLATION STEPS
PREPARATION
    Software Requirements
    Hardware Requirements
    Internet Connection
    LAN Setup
    Testing
SMALL BUSINESS SERVER INSTALLATION
    Part 1 Initial Installation
    Part 2 Initial Configuration
    Part 3 Connect to the Internet
    Testing
    Part 4 Install Service Pack 1
ACCESS ESSENTIALS INSTALLATION
    Part 1 Install Access Essentials
    Part 2 Configure Access Essentials
    Testing
INTEGRATION TASKS
    Part 1 Install Small Business Server Certificate
    Part 2 Forwarding Services from Access Essentials
    Part 3 Publishing Microsoft SharePoint (CompanyWeb)
    Part 4 Integrating Access Essentials into SharePoint (Optional)
CLIENT CONFIGURATION
    Testing
FIREWALL CONFIGURATION
TESTING
CLIENT CONFIGURATION
POST INSTALLATION
INSTALLATION CHECKLIST
NETWORK CONFIGURATION
LAN/IP CONFIGURATION

Introduction

This whitepaper provides you with details about deploying Access Essentials with Windows Small Business Server 2003. It is designed to complement the Citrix Access Essentials Administrator's Guide.

Citrix Access Essentials running on a Windows Server 2003 system provides secure, multi-user, remote Web access to applications and file shares residing on a Small Business Server (SBS). The guidelines below provide configuration and installation directions for the combined deployment. They identify important differences from standalone SBS configurations to ensure the best use of a single external facing IP address while maintaining maximum firewall and Internet proxy compatibility over TCP port 443. In this way, remote users will gain secure Internet access to the SBS resources through a general and convenient Web interface that takes the place of Remote Web Workplace.

Note: The instructions apply to the most common deployment scenario and may require minor variation to suit your particular situation.

Overview

Figure 1 illustrates the relationship between the basic components in a typical multi-user remote access configuration. Both the Small Business Server (SBS) and the Access Essentials server sit on the internal LAN, as would most internal workstations and other file servers (not shown). Citrix recommends using a combined firewall/router to provide the first level of protection between the internal LAN and external Internet traffic, rather than using the SBS server in that role. External users connect over the Internet using their Internet Service Provider (ISP). The workstations may be desktops, notebook/laptop/tablets, and mobile computers/PDAs using wired and wireless connections. They need only have a standard Internet Web browser.

Figure 1 - High-level Deployment Diagram

For client/server applications, the client software is installed on the server running Access Essentials rather than on each user's workstation. The server portion, for example a database engine, remains on the SBS system. Logically, the Access Essentials system acts as the secure concentrator for multi-user sessions that rely on SBS back-end applications. Internal as well as external users are given access to these applications from the Web browser even when the applications are not designed for the Web. The software, in conjunction with a Citrix Presentation Server client installed on the user's access device, intelligently redirects remote user inputs and application outputs over the network to match the appearance and response of running directly on the application server.

Firewall/Router Configuration

The firewall should be configured to forward TCP port 443 to the server running Access Essentials rather than directly to the SBS system. As discussed later, Access Essentials will forward selected traffic, such as Outlook Web Access, to SBS. Other ports associated with Small Business Server should be forwarded by the firewall/router on to the Small Business Server. Any DHCP service provided by the firewall/router should be disabled.

IP Configuration

The DHCP service should be enabled on the Small Business Server. The Small Business Server and the server running Access Essentials should each be configured to have a single, static IP address. All of the workstations on the network can be configured to use DHCP. All computers on the internal LAN should be configured to use the LAN address of the Firewall/Router as their default gateway.

DNS Configuration

All computers on the internal LAN except the Small Business Server should use the Small Business Server as their DNS server. If the firewall/router device supports DNS forwarding, the Small Business Server should be configured to use the Firewall/Router as its DNS server; otherwise, the Small Business Server should be configured to use the Internet Service Provider's DNS server(s).

Remote Access

This deployment allows remote clients to access these facilities:

- Windows applications hosted by Access Essentials
- Small Business Server, Outlook Web Access
- Small Business Server, Server performance and usage reports
- Small Business Server, Outlook Mobile Access
- Small Business Server, Outlook via the Internet
- Small Business Server, Windows SharePoint Services intranet site (with optional Access Essentials integration)
- Small Business Server, Business Web site

For all services based on HTTPS, Internet clients connect to Access Essentials on port 443. Access Essentials intercepts transmissions on this port for services it provides, and forwards requests for other services to the Small Business Server.

Security Considerations

The following points should be considered when implementing this deployment:

- Access Essentials is only designed to accept Internet traffic on TCP port 443. Do not configure the firewall to treat Access Essentials as the DMZ server or forward additional ports to the server running Access Essentials.
- The Web service access restrictions configured in the Small Business Server do not prevent Internet users from accessing those services. Instead, access restrictions are configured on the server running Access Essentials.
- The servers running both Access Essentials and Small Business Server may receive unauthenticated Internet traffic. Although both products are designed to accommodate this, ensure appropriate security procedures are in place, such as anti-virus and regular patching.

Limitations

There are a number of limitations with this deployment. The following features of Remote Web Workplace (RWW) will not function:

- Connect to a company's application-sharing server
- Connect to computers at work
- Connect to server desktops

The HTTPS Web site delivered to the Internet will not run from Small Business Server. The HTTPS Internet Web site is delivered from the server running Access Essentials.

One of the benefits of using Access Essentials is that you can avoid having to make multiple hops through RWW to reach SBS-resident resources.

The following sections provide more detailed installation instructions for this deployment.
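The forwarding rules from Firewall/Router Configuration and Security Considerations above can be checked mechanically. The following is an added example, not part of the Citrix guide; the dictionary layout is hypothetical (routers export settings in vendor-specific formats) and the addresses are the sample values this guide uses later.

```python
# Added example: audit a NAT firewall/router's settings against the rules
# this guide gives. The config layout below is an assumption for illustration.

AE_SERVER = "192.168.16.3"   # server running Access Essentials (guide's sample address)
SBS_SERVER = "192.168.16.2"  # Small Business Server (guide's sample address)


def audit_router(config, ae=AE_SERVER):
    """Return a list of findings; an empty list means the config follows the guide."""
    findings = []

    # "Any DHCP service provided by the firewall/router should be disabled."
    if config.get("dhcp_enabled"):
        findings.append("DHCP is enabled on the firewall/router; SBS must be the DHCP server")

    # "Do not configure the firewall to treat Access Essentials as the DMZ server."
    if config.get("dmz_host") == ae:
        findings.append("Access Essentials server is configured as the DMZ host")

    forwards = config.get("forwards", [])

    # TCP 443 must reach Access Essentials, not the SBS system directly.
    https = [f for f in forwards if f["proto"] == "tcp" and f["port"] == 443]
    if not https:
        findings.append("TCP 443 is not forwarded to any host; external access will not work")
    for f in https:
        if f["to"] != ae:
            findings.append(
                f"TCP 443 is forwarded to {f['to']} instead of Access Essentials ({ae})")

    # No port other than TCP 443 may be forwarded to Access Essentials.
    for f in forwards:
        if f["to"] == ae and not (f["proto"] == "tcp" and f["port"] == 443):
            findings.append(
                f"{f['proto'].upper()} {f['port']} is forwarded to Access Essentials; "
                "only TCP 443 is allowed")
    return findings


# Constructed sample: follows the guide (443 to Access Essentials, SMTP to SBS).
GOOD_ROUTER = {
    "dhcp_enabled": False,
    "dmz_host": None,
    "forwards": [
        {"proto": "tcp", "port": 443, "to": AE_SERVER},
        {"proto": "tcp", "port": 25, "to": SBS_SERVER},
    ],
}

# Constructed sample: breaks each rule once.
BAD_ROUTER = {
    "dhcp_enabled": True,
    "dmz_host": AE_SERVER,
    "forwards": [
        {"proto": "tcp", "port": 443, "to": SBS_SERVER},
        {"proto": "tcp", "port": 80, "to": AE_SERVER},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_ROUTER), ("bad", BAD_ROUTER)):
        print(name, audit_router(cfg) or "no findings")
```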

Installation Steps

This section describes how to implement this deployment for the fictitious organization called Jump Inc. Each action is identified by a unique number. A checklist in the following section can be used to keep track of progress.

Preparation

Before starting the installation, verify that your system meets the following requirements.

Software Requirements

Ensure you are running the following software:

- Microsoft Windows Small Business Server 2003 [P1]
- Microsoft Small Business Server 2003 Service Pack 1 [P2]
- Microsoft Windows Server 2003, Standard or Enterprise CD-ROMs (for Access Essentials Server) [P3]
- Citrix Access Essentials CD-ROM (or CD-ROM download image) [P4]
- Microsoft Office CD-ROM (optional)
- Microsoft Visual J#.NET Version 1.1 (optional, required for Access Essentials SharePoint integration) [P5]
- Citrix Web Interface for SharePoint (optional, required for Access Essentials SharePoint integration) [P6]

Hardware Requirements

Ensure your system contains the following hardware:

- Robust server-class computer to run Small Business Server [P7]
- Robust server-class computer to run Access Essentials [P7]
- NAT Firewall/Router (or a separate server running Microsoft ISA Server)

Internet Connection

Your Internet connection will need at least one static IP address. This will be your Firewall External Address (keep note of this address). A broadband class connection (or better) is recommended.

You will need a registered Internet domain name. Your ISP may be able to register a domain for you. Alternatively, there are many companies that will do this for you.

When the Internet domain name is registered, assign a name within your domain that will be used to connect to your network. For example, if you use "access" as the name and jumpinc.com as the Internet domain name, your full server Internet domain name will be access.jumpinc.com. When you select your server Internet domain name, record it and use domain management tools to assign a firewall external address to the name.

LAN Setup

To install a NAT firewall/router:

1. Disable any DHCP servers in the NAT firewall/router.
2. Choose a suitable private IP address range for your LAN (see the RFC 1918 Web site for details on private address ranges). For example:
   - In small networks (fewer than 250 computers in total), use the address range 192.168.16.0/255.255.255.0.
   - In larger networks, use the address range 172.16.0.0/255.255.0.0.
   Make a note of this address.
3. Set the NAT firewall/router's LAN address to the #1 device on the network, which by convention is the address of the gateway. For example, 192.168.16.1 or 172.16.0.1. Make a note of this address.

Testing

Note: Citrix does not endorse any particular third-party site and assumes no responsibility for content or availability of any third-party sites.

To check the preparation steps, perform the following tasks:

[P8] Check the NAT firewall/router configuration. Connect a computer to the LAN port on the firewall/router. Manually configure the computer's IP address to an address valid in the subnet, with the Firewall Internal Address as the default gateway. Then, ensure you can view Internet sites using a Web browser on that computer.

[P9] Check the allocated IP address using a service such as www.whatismyip.com. From a computer connected to the LAN port on the firewall/router, visit the site. Check the IP address displayed matches the Firewall External Address, which is the static IP address supplied by your ISP. If your ISP uses transparent Web proxies, the IP address shown may not be the actual IP address. Check with your ISP if the address shown is not the address expected.

[P10] Check the Internet domain name is registered using a service such as http://www.zoneedit.com/whois.html. Enter the registered DNS name, and verify that a domain registration record is displayed.

[P11] Check the server Internet domain name is registered using a service such as www.zoneedit.com/lookup.html. Enter the DNS name, and verify that the IP address returned is the Firewall External Address.

Small Business Server Installation

Install Windows Small Business Server 2003 on the appropriate server. If your server is preinstalled, skip to Part 2 or Part 3 depending on how your server has been preconfigured.

Part 1 Initial Installation

Perform the following steps to install the operating system on the server:

1. Connect the server to the network.
2. Insert the Windows Small Business Server 2003 CD-ROM 1.
3. Restart the computer and run Windows setup.

4. When prompted for a Computer Name, choose an appropriate name and record it.

Part 2 Initial Configuration

After installing the operating system, complete the initial configuration of the server as follows:

1. Specify the organizational details:

2. Specify the domain identities:

   Record the name of the internal domain name, and if necessary, update your record of the Small Business Server computer name.

3. Enter the details for the IP address configuration:

   If necessary, update the IP address to an address within the range specified by the LAN subnet address/mask. Record the address you specify as the Small Business Server address.

4. Select the components to install as required:

   Installing all components is recommended.

Part 3 Connect to the Internet

The To Do List appears when you log on to the Small Business Server as an administrator:

It is essential to configure the Connect to the Internet task correctly for a joint deployment of Small Business Server with Access Essentials.

To configure Internet connection:

1. Click Connect to the Internet. On the Connection Type page, select Broadband:

2. On the Broadband Connection page, select A local router device with an IP address:

3. In the Router Connection page, use either the DNS forwarding capabilities of your NAT Firewall/Router (if available), or directly access the ISP's DNS servers. The following example utilizes the DNS forwarding capabilities of the NAT firewall/router, where the Firewall Internal Address is specified as both the preferred DNS server and the local IP address of the router:

4. In the Web Services Internet page, select the services to be made available over HTTP (unlike standalone Small Business Server, this page does not affect HTTPS connections):

   Note: The restrictions specified only control access to Web services when accessed over HTTP, not HTTPS. If you restrict access to a Web service, it still may be possible for Internet users to access the service through HTTPS. All HTTPS restrictions are configured on the server running Access Essentials.

5. In the Web Server Certificate page, select Create a new Web server certificate. This certificate is used to secure the communication between Access Essentials and Small Business Server once Access Essentials is installed. Enter the server Internet domain name:

6. If you use Exchange to receive Internet email, specify the email settings in the wizard. These settings depend on the facilities provided by your ISP (for example, whether you must directly send email or route email through your ISP's SMTP server).

   Note: You may need to configure the NAT firewall/router to forward the SMTP port (port 25) to the Small Business Server.

7. In the E-mail Domain Name page, enter your Internet domain name:

8. Complete the remaining wizard steps to finish the Connect to the Internet task. [S1]

Testing

To test the Small Business Server installation, it is recommended that the following checks are completed:

[S2] On the Small Business Server, run the command ipconfig /all. Check the settings displayed are as expected. For example:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : jumpdc
       Primary Dns Suffix  . . . . . . . : jumpinc.com.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : jumpinc.com.local
                                           com.local

    Ethernet adapter Server Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
       Physical Address. . . . . . . . . : 00-03-FF-87-28-3D
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.16.2
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.16.1
       DNS Servers . . . . . . . . . . . : 192.168.16.2
       Primary WINS Server . . . . . . . : 192.168.16.2

[S3] Verify Internet connectivity. Using a browser on the Small Business Server, browse the Web to verify the server's network settings and firewall configuration.

[S4] Using a PC connected to the LAN, verify that the PC is configured to use DHCP. Run the ipconfig /all command and check the settings displayed are as expected. Check the PC can browse the Web.

[S5] From the PC, check you can access the core services provided by Small Business Server:
  o http://companyweb displays SharePoint site
  o http://{Small Business Server Computer Name} displays SBS Welcome Page
  o http://{Small Business Server Computer Name}/Exchange displays Outlook Web Access

[S6] From the PC, check you can access any additional services you will be using (either remotely or later, from the Internet):
  o Outlook Mobile Access: browse to http://{Small Business Server Computer Name}/OMA
  o Remote Outlook: configure Outlook to connect via HTTPS (see the SBS documentation)

Part 4 Install Service Pack 1

Install Windows Small Business Server 2003 Service Pack 1 following the instructions provided by Microsoft.

Access Essentials Installation

You can install the Access Essentials server after installing Small Business Server. You must install Access Essentials after Small Business Server due to the critical network services provided by Small Business Server, for example acting as a Domain Controller. The following sections outline the important aspects of installing Access Essentials on the server. It is assumed that the base Windows Server 2003 operating system is preinstalled.

Part 1 Install Access Essentials

To prepare the Access Essentials server, make sure the server is attached to the network and, if necessary, install Windows Server 2003. You then need to configure the Windows network settings on the server.

To configure Windows network settings:

1. Set the server to a static IP address. The DHCP server in Small Business Server reserves the first 10 IP addresses in your network for static assignment. Choose one of these addresses not currently in use. Set the Access Essentials server's IP address using the TCP/IP properties of the network adaptor, and record it.

2. Specify the Firewall Internal Address as the default gateway and the Small Business Server Address as the DNS server:

3. It is recommended that you specify the Small Business Server Address as the WINS server:

The server can then be added to the Small Business Server domain, ensuring you restart the server. You can now install Citrix Access Essentials on the server by inserting the CD-ROM in the drive, or run the setup.exe program from the CD-ROM.
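A check of `ipconfig /all` output against the addressing plan set in steps 1 to 3 above (static address, Firewall Internal Address as gateway, Small Business Server Address as DNS and WINS) follows as an added example, not part of the Citrix guide. The sample text is constructed from the values this guide uses for the Access Essentials server; the plan keys and the reading of "the first 10 IP addresses" as host offsets 1 to 10 are assumptions.

```python
import ipaddress
import re

# Matches "Key . . . . : value" lines; the dotted leader is dropped from the key.
LINE = re.compile(r"^\s*([^:]+?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {setting: [values]}.

    Continuation lines (extra DNS suffixes or servers printed without a key)
    are appended to the preceding setting. A single adapter is assumed, as
    the guide requires one static address per server.
    """
    settings, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            last_key = None
            continue
        m = LINE.match(raw)
        if m:
            last_key = m.group(1)
            settings.setdefault(last_key, [])
            if m.group(2).strip():
                settings[last_key].append(m.group(2).strip())
        elif last_key:
            settings[last_key].append(raw.strip())
    return settings


def check_server(ipconfig_text, plan):
    """Return a list of deviations from the recorded addressing plan."""
    cfg = parse_ipconfig(ipconfig_text)
    problems = []

    def first(key):
        return (cfg.get(key) or [None])[0]

    if first("DHCP Enabled") != "No":
        problems.append("DHCP Enabled should be No: servers use a static address")
    for key, want in (("IP Address", plan["address"]),
                      ("Subnet Mask", plan["mask"]),
                      ("Default Gateway", plan["gateway"]),
                      ("Primary WINS Server", plan["wins"])):
        if first(key) != want:
            problems.append(f"{key} is {first(key)}, expected {want}")
    if cfg.get("DNS Servers") != [plan["dns"]]:
        problems.append(f"DNS Servers are {cfg.get('DNS Servers')}, expected only {plan['dns']}")

    # Assumption: "first 10 IP addresses" means host offsets 1..10 in the subnet.
    addr, mask = first("IP Address"), first("Subnet Mask")
    if addr and mask:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        offset = int(ipaddress.ip_address(addr)) - int(net.network_address)
        if not 1 <= offset <= 10:
            problems.append(f"{addr} is outside the range SBS DHCP reserves for static use")
    return problems


# Plan for the Access Essentials server, using the guide's sample addresses.
AE_PLAN = {"address": "192.168.16.3", "mask": "255.255.255.0",
           "gateway": "192.168.16.1", "dns": "192.168.16.2", "wins": "192.168.16.2"}

# Constructed sample output, built from the values shown in this guide.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CITRIX
   Primary Dns Suffix  . . . . . . . : jumpinc.com.local
   DNS Suffix Search List. . . . . . : jumpinc.com.local
                                       com.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2
"""

if __name__ == "__main__":
    print(check_server(SAMPLE, AE_PLAN) or "matches the plan")
```

The same function covers the Small Business Server check by passing a plan with that server's recorded address.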

Part 2 Configure Access Essentials

After installing Access Essentials, the Quick Start tool is displayed:

To configure the server running Access Essentials, you complete the necessary tasks using the Quick Start tool. This document focuses on the External Access task, which is critical for a successful deployment.

The following steps describe how to set up Access Essentials with a temporary certificate. You will need to later request a full SSL certificate to maintain operation after the initial 30-day period.

To set up Access Essentials with a temporary certificate:

1. Open the Quick Start tool and click External Access.
2. Click Manage External Access. In the Specify External Access Method page, select Enable external access direct to the server:

3. In the Create a Server Request page, enter the server Internet domain name in the Public address field:

4. Enter your geographical information:

5. In the Specify Certificate Source page, select Generate a temporary certificate:

6. In the Specify Root Certificate File Name page, enter or browse to the location to save the generated root certificate:

It is recommended that before proceeding, you complete all of the tasks in the Quick Start tool.

Testing

To validate the Access Essentials installation, run the following tests:

[A1] On the server running Access Essentials, run the command ipconfig /all. Check the settings displayed are as expected. For example:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CITRIX
       Primary Dns Suffix  . . . . . . . : jumpinc.com.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : jumpinc.com.local
                                           com.local

    Ethernet adapter Server Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
       Physical Address. . . . . . . . . : 00-03-FF-87-28-3D
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.16.3
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.16.1
       DNS Servers . . . . . . . . . . . : 192.168.16.2
       Primary WINS Server . . . . . . . : 192.168.16.2

[A2] Verify Internet connectivity. Using a browser on the Access Essentials Server, browse the Web to verify the server's network settings and firewall configuration.

[A3] Using the Access Essentials Quick Start tool, publish an application (for example, Notepad). From a PC on the LAN (not the Access Essentials Server), browse to the Access Essentials Web page http://<servername>. Check you are able to authenticate and then start the application.

[A4] From a PC on the LAN, browse to the Access Essentials HTTPS Web page https://<servername>. A warning appears indicating that the certificate is invalid due to a name mismatch. If you acknowledge the error, the Access Essentials Web site is displayed. Do not launch applications at this time. The HTTPS site is intended for Internet use only, and applications may not launch because the firewall configuration is incomplete.

Integration Tasks

After configuring and testing both servers individually, you can start the integration tasks. Before starting, ensure that you have tested the Small Business Server and Access Essentials server as detailed above. This will help troubleshoot any problems that may arise.

Part 1 Install Small Business Server Certificate

The certificate created by Small Business Server is required to enable communication between the server running Access Essentials and the Small Business Server.

To install the certificate:

1. From a command line on the server running Access Essentials, run mmc.exe
2. Using File>Add/Remove Snap-in, load the Certificates snap-in for the account on the local computer.
3. Navigate to Console Root>Certificates (Local Computer)>Trusted Root Certification Authorities>Certificates node.
4. Right-click and select All Tasks>Import.

5. In the wizard, click Browse to open the SBScert\sbscert.cer file from the ClientApps share on the Small Business Server.

6. Ensure the certificate is installed in the Trusted Root Certification Authorities store. Complete the wizard to install the certificate.

Part 2 Forwarding Services from Access Essentials

The Citrix Secure Gateway configuration file must be updated to determine which services on the Small Business Server are accessible from the Internet using HTTPS. Identify the following lines in the file Program Files\Citrix\Secure Gateway\conf\httpd.conf:

    # Reverse Proxy Web Interface
    <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
    </Location>

Replace the lines with the text below, substituting the Small Business Server Internal Domain Name ({SBSDOMNAME}, written {sbsintdomname} in the text below) and Server Internet Domain Name ({SRVDOMNAME}, written {fwextdomname} in the text below) as appropriate:

    # Preserve the host header from the original request
    ProxyPreserveHost On
    SSLProxyEngine on

    # Reverse Proxy ActiveSync
    # <Location /Microsoft-Server-ActiveSync>
    # ProxyPass https://{sbsintdomname}/microsoft-server-activesync
    # ProxyPassReverse https://{sbsintdomname}/microsoft-server-activesync
    # </Location>

    # Remote Outlook
    # <Location /rpc>
    # ProxyPass https://{sbsintdomname}/rpc
    # ProxyPassReverse https://{sbsintdomname}/rpc
    # </Location>

    # Reverse Proxy Outlook Mobile Access (WAP access)
    # <Location /OMA>
    # ProxyPass https://{sbsintdomname}/oma
    # ProxyPassReverse https://{sbsintdomname}/oma
    # </Location>

    # Network Configuration Wizard
    # <Location /ConnectComputer>
    # ProxyPass https://{sbsintdomname}/connectcomputer
    # ProxyPassReverse https://{sbsintdomname}/connectcomputer
    # </Location>

    # Remote Web Workplace
    # <Location /Remote>
    # ProxyPass https://{sbsintdomname}/remote
    # ProxyPassReverse https://{sbsintdomname}/remote
    # </Location>

    # Outlook Web Access
    # <Location /Exchange>
    # ProxyPass https://{sbsintdomname}/exchange
    # ProxyPassReverse https://{sbsintdomname}/exchange
    # </Location>
    # <Location /exchweb>
    # ProxyPass https://{sbsintdomname}/exchweb
    # ProxyPassReverse https://{sbsintdomname}/exchweb
    # </Location>
    # <Location /Public>
    # ProxyPass https://{sbsintdomname}/public
    # ProxyPassReverse https://{sbsintdomname}/public
    # </Location>

    # Server Usage Report
    # <Location /Monitoring>
    # ProxyPass https://{sbsintdomname}/monitoring
    # ProxyPassReverse https://{sbsintdomname}/monitoring
    # </Location>

    # Information and Answers
    # <Location /ClientHelp>
    # ProxyPass https://{sbsintdomname}/clienthelp
    # ProxyPassReverse https://{sbsintdomname}/clienthelp
    # </Location>

    # Backup Status
    # <Location /Backup>
    # ProxyPass https://{sbsintdomname}/backup
    # ProxyPassReverse https://{sbsintdomname}/backup
    # </Location>

    # Reverse Proxy Web Interface
    <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
    ProxyPassReverse http://{fwextdomname}/
    </Location>

For each of the services you want to access from the Internet, uncomment the appropriate section of the file. For example, if your Small Business Server Internal Name is jumpdc.jumpinc.com.local, your Server Domain Name is access.jumpinc.com and you want access to Outlook Web Access:

    ...
    # Outlook Web Access
    <Location /Exchange>
    ProxyPass https://jumpdc.jumpinc.com.local/exchange
    ProxyPassReverse https://jumpdc.jumpinc.com.local/exchange
    </Location>
    <Location /exchweb>
    ProxyPass https://jumpdc.jumpinc.com.local/exchweb
    ProxyPassReverse https://jumpdc.jumpinc.com.local/exchweb
    </Location>
    <Location /Public>
    ProxyPass https://jumpdc.jumpinc.com.local/public
    ProxyPassReverse https://jumpdc.jumpinc.com.local/public
    </Location>
    ...
    # Reverse Proxy Web Interface
    <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
    ProxyPassReverse http://access.jumpinc.com/
    </Location>
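The following check is an added example, not part of the Citrix guide or of Secure Gateway. It lists which Location blocks are actually active (uncommented) in httpd.conf and flags leftover {placeholder} values, ProxyPass lines with no matching ProxyPassReverse, and sections that are active in httpd.conf but absent from httpd.conf.template. The function names and the two inline sample files are constructed for illustration.

```python
import re
# Constructed samples modelled on the guide's jumpinc.com example (not real files).
LIVE_CONF = """\
# <Location /Remote>
# ProxyPass https://{sbsintdomname}/remote
# </Location>
<Location /Exchange>
ProxyPass https://jumpdc.jumpinc.com.local/exchange
ProxyPassReverse https://jumpdc.jumpinc.com.local/exchange
</Location>
<Location /exchweb>
ProxyPass https://{sbsintdomname}/exchweb
</Location>
<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
ProxyPassReverse http://access.jumpinc.com/
</Location>
"""
TEMPLATE_CONF = """\
<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
"""

def active_locations(conf):
    """Return {path: {"proxypass": [...], "proxypassreverse": [...]}} for uncommented blocks."""
    blocks, current = {}, None
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue  # commented-out sections are not served
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            current = opened.group(1)
            blocks[current] = {"proxypass": [], "proxypassreverse": []}
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0].lower() in blocks[current]:
                blocks[current][parts[0].lower()].append(parts[1])
    return blocks

def audit(live, template):
    """List (path, problem) pairs for the live file, checked against the template."""
    findings, in_template = [], active_locations(template)
    for path, targets in active_locations(live).items():
        for url in targets["proxypass"] + targets["proxypassreverse"]:
            if re.search(r"\{[^}]+\}", url):
                findings.append((path, "placeholder not substituted: " + url))
        if not set(targets["proxypass"]) <= set(targets["proxypassreverse"]):
            findings.append((path, "ProxyPass without matching ProxyPassReverse"))
        if path not in in_template:
            findings.append((path, "active in httpd.conf but not in httpd.conf.template"))
    return findings

if __name__ == "__main__":
    print(sorted(active_locations(LIVE_CONF)), audit(LIVE_CONF, TEMPLATE_CONF))
```

To check a real installation, read the two files named in this section into strings and pass them to audit(); the list of active paths is also the list of Small Business Server services reachable through port 443.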

Note: Any changes you make to the httpd.conf file will be overwritten if you reconfigure External Access in the Quick Start tool. Make equivalent changes to %ProgramFiles%\Citrix\Quick Start\httpd.conf.template to reapply the changes when the httpd.conf file is regenerated.

Part 3 Publishing Microsoft SharePoint (CompanyWeb)

You can provide remote access to the Small Business Server SharePoint site (CompanyWeb) using Access Essentials. To enable remote access:

1. Start the Quick Start tool on the server running Access Essentials.
2. Click Applications and select Publish application.
3. Select the Internet Explorer application, and complete the wizard.

4. In the Applications task area, select the published Internet Explorer application and click Modify.

5. In the Specify the Application Path page, add http://companyweb/ to the end of the path.

6. In the Modify the Application Details page, rename the application to Company Web, and complete the wizard.

You can optionally install Microsoft Office on the server running Access Essentials. This is recommended to provide a rich document viewing and editing experience with SharePoint, allowing you to open and edit documents without downloading the documents to client devices. To install Office, insert the CD-ROM in the server running Access Essentials, and follow the installation instructions onscreen.

Part 4 Integrating Access Essentials into SharePoint (Optional)

You can provide access to the applications published by Access Essentials by installing and configuring the Citrix Web Interface for SharePoint package. Users of the integration must connect to the SharePoint server from a computer that is a member of the Small Business Server domain. To configure the server:

1. Install Microsoft Visual J#.NET Version 1.1 using the instructions provided by Microsoft.
2. Install Citrix Web Interface for SharePoint. Select Typical installation type when prompted during installation.

3. Enter the name and TCP port of the Citrix Presentation Server XML Service. Use the Access Essentials Computer Name as the name and 8001 as the TCP Port.

4. Once the installation has completed, load the Active Directory Users and Computers tool found in the Administrative tools folder. Select the Access Essentials computer from the list of computers in the domain.

5. Right-click on the computer name and select Properties. In the General tab, select Trust computer for delegation.

6. Connect to the Web Interface for SharePoint administrators Web site at http://<Small Business Server Address>:8988/Admin/.

7. Select Client Deployment and Enable automatic client deployment. Change the version number to 9.156.41065.
8. Copy the wficat.cab file from the Setup\ClientUpdates\en folder on the Citrix Access Essentials CD-ROM to the wpresources\cpswimsp.webpart\en\ica32 folder in the SharePoint website (normally found in the C:\Inetpub\companyweb folder).
9. Launch the Presentation Server Console on the server running Access Essentials. After logging on using administrator credentials, select the Properties menu for the Citrix Access Essentials node in the tree view.

10. Click MetaFrame Settings and select Enable XML Service DNS address resolution.

11. To add Web Interface functionality to a SharePoint page, add the Citrix Presentation Server Applications Web Part to the appropriate page.

Note: The Citrix Custom Menu Web Part should not be used with Access Essentials integration.

Client Configuration

The ICA client configuration file, appsrv.ini (found in Documents and Settings\<username>\Application Data\ICAClient), must be modified for each user accessing the Web Interface for SharePoint integration. The [WFClient] section of the file should have the following line added:

    EnableSSOnThruICAFile=On
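One way to apply this change consistently across user profiles, as an added example that is not Citrix code: the function below takes the text of an appsrv.ini file and returns it with EnableSSOnThruICAFile=On present exactly once in [WFClient], creating the section if it is missing and leaving every other line untouched. The function name and the sample file contents are assumptions made for illustration.

```python
import re

KEY = "EnableSSOnThruICAFile"  # setting named in the Client Configuration step

# Constructed sample: a [WFClient] section that lacks the setting.
SAMPLE = "[WFClient]\r\nVersion=2\r\n\r\n[Thinwire3.0]\r\nDesiredColor=8\r\n"

def enable_sso_thru_ica_file(ini_text):
    """Return appsrv.ini text with KEY=On present exactly once in [WFClient]."""
    eol = "\r\n" if "\r\n" in ini_text else "\n"  # keep the file's line endings
    out, in_wfclient, placed = [], False, False

    def close_section():
        # Leaving [WFClient] without the key: add it after the section's last setting.
        nonlocal placed
        if in_wfclient and not placed:
            idx = len(out)
            while idx and not out[idx - 1].strip():
                idx -= 1  # step back over trailing blank lines
            out.insert(idx, KEY + "=On")
            placed = True

    for line in ini_text.splitlines():
        header = re.match(r"\s*\[([^\]]+)\]", line)
        if header:
            close_section()
            in_wfclient = header.group(1).strip().lower() == "wfclient"
        elif in_wfclient and re.match(r"\s*" + re.escape(KEY) + r"\s*=", line, re.I):
            if placed:
                continue  # drop a duplicate entry
            line, placed = KEY + "=On", True  # normalise Off/other values to On
        out.append(line)
    close_section()
    if not placed:  # the file had no [WFClient] section at all
        out += ["[WFClient]", KEY + "=On"]
    return eol.join(out) + eol

if __name__ == "__main__":
    print(enable_sso_thru_ica_file(SAMPLE))
```

The function is idempotent, so it can be run again after a client reinstall without duplicating the line.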

Testing

To validate the integration, complete the following steps:

[I1] Launch Internet Explorer on the server running Access Essentials. Browse to the HTTPS URL for the Internal Small Business Server Domain Name, for example https://jumpdc.jumpinc.com.local. The browser should connect without error. If a certificate warning is displayed, the Small Business Server certificate has not been successfully installed on the server running Access Essentials.

[I2] Test each of the services you will be using remotely, from a PC/PDA on the LAN. Configure the services using the HTTPS URL to the Internal Access Essentials Server Domain Name, for example https://citrix.jumpinc.com.local. Certificate warnings appear because the URL does not match the URL on the server's certificate. The services will still work if the certificate warning is dismissed.

[I3] Log on to Access Essentials using the internal Web site (use the Access Essentials Computer Name as the address). Verify you can start the company Web application, that Internet Explorer is displayed, and that the company Web site is loaded.

[I4] (Optional, for SharePoint integration) Launch Internet Explorer on the server running Access Essentials. Browse to the HTTP URL for the company Web site. The browser should connect without error.

[I5] (Optional, for SharePoint integration) Navigate to the SharePoint page which contains the Citrix Presentation Server Applications Web Part. The Web Part displays the list of published applications and content that the user has permission to run.

[I6] (Optional, for SharePoint integration) Attempt to launch one of the published applications. A connection is made to the server running Access Essentials and the application launches. If a logon dialog appears, the computer running the Web browser is not a member of the Small Business Server domain or the EnableSSOnThruICAFile=On line has not been added to the user's appsrv.ini file.

Firewall Configuration

After preparing the servers, you must open a selection of TCP ports in the NAT firewall/router, based on the table below. Opening port 443 is the minimum requirement to enable Internet access to HTTPS services. Other ports may be opened, depending on your requirements.

Port | Destination Address | Reason
80 | Small Business Server Address | HTTP access to public Web site, ActiveSync and other services.
443 | Access Essentials Server Address | SSL-protected access to published applications and Small Business Server applications.
444 | Small Business Server Address | SSL-protected access to your company's internal Web site (must use https:// prefix in your browser).
25 | Small Business Server Address | SMTP port, only required if SBS is configured to directly receive email from the Internet.

Testing

[F1] From a PC/PDA outside of the LAN, verify each of the services you want to use over the Internet is available. Use the HTTPS URL to the Server Internet Domain Name. You may receive an SSL warning that the certificate is not trusted. If that is the case, see Client Configuration, below.

Client Configuration

If you use a temporary SSL certificate (recommended in this document), you need to distribute the root certificate to each client device. To install the root certificate on each client [C1]:

1. Locate the root certificate on the server running Access Essentials (the default location is C:\root.cer).
2. Copy the root certificate to the client device.
3. Double-click the root certificate.
4. Install the certificate.

Post Installation

After the deployment is complete, you should request a public SSL certificate using the External Access task in the Access Essentials Quick Start tool. [X1]

Installation Checklist

Complete | Action | Notes

Preparation
P1 | Small Business Server 2003 CD-ROMs available. |
P2 | Small Business Server 2003 Service Pack 1 |
P3 | Windows Server 2003 CD-ROMs available. | For the server running Access Essentials. You may be asked for this during Access Essentials installation.
P4 | Citrix Access Essentials CD-ROM (or CD-ROM image) |
P5 (optional) | Visual J#.NET Version 1.1 | This component is only needed if Access Essentials SharePoint integration is required.
P6 (optional) | Citrix Web Interface for SharePoint | This component is only needed if Access Essentials SharePoint integration is required.
P7 | 2 x Server-class PCs | One each for Small Business Server and Citrix Access Essentials.
P8 | Test NAT Firewall / Router |
P9 | Test allocated IP address. |
P10 | Test Internet Domain Name registration |
P11 | Test Server Internet Domain Name record. |

Small Business Server Installation
S1 | SBS Connect to the Internet task has been run |
S2 | Network settings | Run: ipconfig /all
S3 | Internet connectivity | Browse the Web
S4 | DHCP server | Run: ipconfig /all on client PC
S5 | SBS core services | Browse to specific SBS URLs
S6 | Additional SBS services | Outlook Mobile Access/Remote Outlook

Access Essentials Installation
A1 | Network settings | Run: ipconfig /all
A2 | Internet connectivity | Browse the Web
A3 | LAN application access | Use the http:// address: check the Web site is displayed and applications start.
A4 | Internet application access | Use the https:// address: check the Web site is displayed. Applications may not start because the firewall is not yet configured.

Integration Tasks
I1 | Small Business Server Certificate installed on Access Essentials | Use a browser on Access Essentials to verify the certificate is installed.
I2 | Test services forwarded through the server running Access Essentials. | Use PC/PDA on the LAN to verify services.
I3 | CompanyWeb published | Check you can start the Company Web published application for Access Essentials.
I4 (Optional) | Test connections to the SharePoint server following Citrix Web Interface for SharePoint installation |
I5 (Optional) | Test application Web Interface integration with SharePoint. |
I6 (Optional) | Test application launching from the SharePoint site. |

Firewall Configuration
F1 | Verify services from the Internet. | Check each of the services you want to use is functional from a PC / PDA on the Internet.

Client Configuration (perform for each client device)
C1 | Install the Access Essentials root certificate on to each client device. | Copy the file C:\root.cer on the server running Access Essentials on to each client PC, then double-click and select Install.

Post Installation
X1 | Request a public SSL certificate. | Use the External Access task in the Access Essentials Quick Start tool.

Network Configuration

The tables below are for recording useful information about your installation.

Name | Value | Notes
Internet Domain Name | e.g. jumpinc.com | This is a domain registered on the Internet.
Internal Domain Name | e.g. jumpinc.com.local | Full DNS name for the internal domain.
NETBIOS Domain Name | e.g. JUMPINC | The short (NETBIOS) name of the domain.
Server Internet Domain Name | e.g. access.jumpinc.com | The name used by Internet clients to connect to your server. This must end with your Internet domain name.
LAN Subnet Address / Mask | e.g. 192.168.16.0/255.255.255.0 | The range of IP addresses used on the LAN.
Small Business Server Computer Name | e.g. JUMPDC |
Access Essentials Computer Name | e.g. CITRIX | This is the name used on the LAN, not the name used from the Internet.
Internal Small Business Server Domain Name | e.g. jumpdc.jumpinc.com.local | This is a combination of the computer name and the internal domain name.
Internal Access Essentials Server Domain Name | e.g. citrix.jumpinc.com.local | This is a combination of the computer name and the internal domain name.

LAN/IP Configuration

Name | IP Address | Notes
Firewall Internal Address | e.g. 192.168.16.1 | Set as default gateway on all PCs and servers.
Firewall External Address | Static IP address allocated by your Internet Service Provider. |
Small Business Server Address | e.g. 192.168.16.2 | Static IP address, allocated by you.
Access Essentials Server Address | e.g. 192.168.16.3 | Static IP address, allocated by you.