NetScaler SSL VPN & Citrix Presentation Server Deployment Guide NetScaler SSL VPN front-ending ICA Proxy A Technical Guide for Secure Multiuser Portal Traffic Deployment Guide


    Notice:

    The information in this publication is subject to change without notice.

    THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (CITRIX), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

    This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

    The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

    Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

    Copyright 2007 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.

  • Table of Contents

    Introduction ........ 4
    Prerequisites ........ 5
    Network Diagram ........ 6
    NetScaler Configuration ........ 7
        Deployment Model: NetScaler Two-Arm Mode ........ 7
        Important NetScaler IP Addresses ........ 10
        IP Addresses, Interfaces and VLANs ........ 11
        Configuring NetScaler SSL VPN ........ 12
        Creating the SSL VPN Policy ........ 15
        Installing the NetScaler Root Certificate ........ 19
    Citrix Presentation Server Configuration ........ 20
        Setting up the backend applications ........ 20
        Publish the Application on Citrix Presentation Server ........ 29
        Add Users and Groups to Presentation Server ........ 30
        CPS Host VLAN Tagging compatibility ........ 35
        Connecting a second Citrix Presentation Server ........ 35
        Routing users based on authentication credentials ........ 35
        Securing Traffic Flows between portals/users ........ 36
        Save your configurations ........ 37
    Appendix A - NetScaler Application Switch Configuration ........ 38
    Appendix B - Layer 2 Switch Configuration ........ 46

  • 4

    Introduction

    Citrix Presentation Server is the de facto standard for delivering Windows applications at the lowest cost anywhere. It offers both application virtualization and application streaming delivery methods to enable the best access experience for any user, with any device, working over any network. By centralizing applications and data in secure data centers, IT can reduce costs of management and support, increase data security, and facilitate business continuity. Presentation Server allows IT to deliver applications as a service, providing on-demand access to users, while affording IT the flexibility to leverage future application architectures.

    Citrix NetScaler optimizes the delivery of web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

    As enterprises and service providers move toward the path of consolidation, they will continue to look for ways to do more with less. The most efficient piece of equipment in the datacenter to perform this task is the Citrix NetScaler. The Citrix NetScaler acts as a secure portal that directs traffic, based on users' authentication credentials, into specific Citrix Presentation Server farms on the backend, all leaving the same physical NetScaler port. Adding Citrix Presentation Server on the backend not only extends the value of both products, but increases the capability for cost savings exponentially. While the SSL VPN provides front-end security and serves as an access gateway into the server farms, it continues to provide multi-scalable capabilities in a single, tightly integrated solution because it sends all backend traffic out one port on the back of the NetScaler. On the backend, we can have a myriad of CPS farms installed on either physical or virtual machines, ready to accept the traffic coming from the NetScaler. This deployment guide walks through the configuration details of how to configure the Citrix NetScaler and Citrix Presentation Server to provide this type of integration and scalability, while keeping the traffic separate and secure.

  • 5

    Prerequisites

    NetScaler running version 8.0+ (qty 1 for a single deployment, qty 2 for an HA deployment).

    Citrix Presentation Server, version 4.5+.

    Windows Server 2003, SP2, NIC w/ VLAN tag support.

    Windows Domain Controller, Active Directory (optional).

    Client laptop/workstation running Internet Explorer 6.0+.

    Layer 2 switch w/ VLAN support.

  • 6

    Network Diagram

    The following is the network that was used to develop this deployment guide, and is representative of a solution implemented at a customer site.

    [Figure: network diagram. The labels recoverable from the figure are listed below.]

    VLAN legend: VLAN 1, VLAN 91, VLAN 92, TRUNK (Primary NetScaler / Primary/Secondary NetScaler / Secondary NetScaler)

    NetScaler IP addresses (first appliance): NSIP 10.217.104.100, SNIP 10.217.104.103, SNIP 169.145.91.239, SNIP 169.145.92.239

    NetScaler IP addresses (second appliance, HA pair): NSIP 10.217.104.105, SNIP 10.217.104.105, SNIP 169.145.91.241, SNIP 169.145.92.241

    Shared IP address: VIP 10.217.104.102 (https://10.217.104.102)

    VLAN 91: Interface 1/4, tagged, IP 169.145.91.240
    VLAN 92: Interface 1/4, tagged, IP 169.145.92.240
    VLAN 4: Interface 1/4, untagged
    VLAN 1: Interface 1/2, no tag, subnet 10.217.104.0 (Admin, user1, user2)

    Backend, reached through the VLAN trunk to the Layer 2 switch:
    Citrix Presentation Server srv1.citrixlabs.com, 169.145.91.151, VLAN 91 (0x91)
    Citrix Presentation Server srv2.citrixlabs.com, 169.145.92.152, VLAN 92 (0x92)

  • 7

    NetScaler Configuration

    Deployment Model: NetScaler Two-Arm Mode

    NetScalers can be deployed alone or as a pair to provide high availability. Always start with the first NetScaler. NetScalers in Two-Arm mode provide the utmost in site security, as they provide a full reverse-proxy gateway that intercepts incoming traffic before it is sent to the application servers (CPS). The NetScaler acts as an authentication point and an enforcement point using its own internal database, but can also be integrated with third-party authentication/authorization systems for highly granular security. The sample deployment in this guide makes use of the NetScaler's own internal authentication database combined with Session Policies for authorization and portal traffic direction.

    There are three main components that require installation in this environment, the Citrix NetScaler(s), the Layer 2 switch with VLAN trunking and tagging, and the Citrix Presentation Servers on the backend. We will start with the NetScaler configuration, step-by-step.

    1) Configure NSIP. Connect via serial port. Default login nsroot, nsroot. Run the configns command (nsconfig if at a shell prompt), and set the NetScaler IP (NSIP). In this example: 10.217.104.100.

    Note: Changing the NSIP requires a reboot.

    Serial: 9600, n, 8, 1

    2) Connect to the NetScaler via the NSIP using a web browser. In this example: http://10.217.104.100

    Note: Java will be installed.

    Default login is: nsroot, nsroot.


  • 8

    3) Confirm licenses are installed.

    Navigate to NetScaler > System > Licenses.

    4) Enable SSL VPN.

    Navigate to NetScaler > System > Settings > Basic Features > SSL VPN.

  • 9

    5a) Add IP addresses that will be used on this NetScaler device.

    NetScaler > Network > IPs > Add.

    5b) When finished, all network IP addresses should be visible.

    NetScaler > Network > IPs > Add.

    5b) When finished, all Network IP Addresses should be visible.

  • 10

    Important NetScaler IP Addresses

    Note: NSIP is mandatory and requires a reboot.

    NSIP (NetScaler IP Address): The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all management-related access to the appliance. There can only be one NSIP.

    MIP (Mapped IP Address): The mapped IP address (MIP) is used by the Application Switch to represent the client when communicating with the backend managed server. Mapped IP addresses (MIP) are used for server-side connections and Reverse NAT. Think of this as the client's source address on the server side of the Application Switch, assuming a two-arm proxy deployment. In this example you can think of it as the tagged VLAN IP.

    SNIP (Subnet IP Address): The Subnet IP address (SNIP) allows the user to access an Application Switch from an external host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry is made in the route table. Only one such entry is made per subnet. The route entry corresponds to the first IP address added in the subnet.

    VIP (Virtual IP Address): The Virtual Server IP address (VIP) is used by the Application Switch to represent the public-facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple Application Switches residing on the same broadcast domain.

    DFG (Default Gateway): IP address of the router that forwards traffic outside of the subnet where the appliance is installed.

    6) Assign a default route.

    NetScaler > Network > Routing > Routes > Add.

  • 11

    7) Create VLANs and Assign Mapped IP Addresses to them.

    NetScaler > Network > VLANs > Add.

    Note: For this example: We create VLANs 4, 91, and 92 - all are tagged, but only VLANs 91 and 92 have MIPs associated with them.

    Interface 1/4 will be used as our 802.1q VLAN Trunk to the Layer 2 Switch.

    The corresponding port on the Layer 2 switch will be configured for 802.1q Trunking as well.

    IP Addresses, Interfaces and VLANs

    Assigning IP addresses to interfaces is done virtually through the use of port-based VLANs.

    By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces. This VLAN is the default VLAN with a VID equal to 1.

    When an interface is added to a new VLAN as an untagged member, the interface is automatically removed from the default VLAN and placed in the new VLAN. This is a convenient feature: when we plug the NetScaler into a switch that is using VLANs with tagging, we only need to check the box to turn on tagging. VLANs are typically used to separate subnet traffic.

    In this example we leave the default VLAN ID 1 for subnet 10.217.104.0. Here we create VLAN ID 91 for subnet 169.145.91.0. While we are there, it is easy to assign VLAN 91 to interface 1/4 and assign the Mapped IP Address 169.145.91.240 by checking the Make Active boxes. Since we are connected to a switch that uses VLAN tagging, we turn on tagging.

  • 12

    8) Disable unused interfaces, and HA monitoring.

    TIP: Disabling the blinking LCD panel

    The LCD panel on the front of the NetScaler will flash intermittently until the unused interfaces are disabled and HA monitoring is turned off on them. In the GUI, navigate to NetScaler > Network > Interfaces. Select an interface and right-click to disable it. Right-click to Open, and disable HA monitoring.

    Configuring NetScaler SSL VPN

    9a) To configure the SSL VPN, navigate to NetScaler > SSL VPN. In the right-hand frame, select the link.

    9b) Next.

  • 13

    9c) Virtual Server IP (VIP). Here is where the public-facing Virtual IP (VIP), SSL port number and FQDN are configured.

    9d) To create an SSL certificate, select the second button.

  • 14

    9e) Add the DNS server IP address.

    9f) Create a user in the local authentication database. The local database is used for our example. Other authentication methods include RADIUS, LDAP, Active Directory, user certificates and TACACS.

  • 15

    9g) View the summary screen and finish.

    Creating the SSL VPN Policy

    10) Creating the SSL VPN Policy.

    Navigate to NetScaler > SSL VPN. In the right-hand frame, select the link.

    10a) Under Available Policies / Resources, select Session Policies > right-click > Add.

  • 16

    10b) Create the Session Policy by typing in the name of the new session policy.

    10c) After typing in the name, select New to add a new Request Profile. Type in a Session Profile name. Select the Override Global check box next to Home Page, ICA Proxy and SmartAccess NT Domain.

    Note:

    i. We point the client to the backend Citrix Presentation Server home page at http://Srv1.citrixlabs.com/Citrix/AccessPlatform/.

    ii. ICA Proxy is set to ON, because this SSL VPN is proxying ICA connections before they reach the CPS on the backend.

    iii. The Windows Domain is set to Srv1, because we are using local authentication on the CPS Windows Server. To use Active Directory, insert the name of the Windows Domain Controller.

    Note: In this example, we are using the SSL VPN to proxy ICA connections, that is, stop the user, authenticate them with the NetScaler web interface, then pass their sessions on to the backend Citrix Presentation Server. This adds an extra level of security at the perimeter of the Citrix Presentation Server (CPS) farm.

  • 17

    10d) After selecting Create, Close in Session Profile, you will return to Create Session Policy. Change the named expressions to General, ns_true. Select Add Expression. Select Create, and Close.

    10e) After the policy is created, it must be enabled and bound to the VPN Global Configured Policies. In the SSL VPN Policy Manager, in the left-hand frame, under Configured Policies / Resources, expand the VPN Global tree. From the Available Policies / Resources, click and drag the new session policy to the Configured Policies.

  • 18

    11a) Bind the Session Policy to the user created in the previous step. Navigate to NetScaler > SSL VPN > Users. In the right-hand frame, select the user created in the previous step, and open the configuration. Select New and create a group to place the user into. Add the user to the configured group.

    11b) Select the Policies tab and place a check next to the policy created earlier in the SSL VPN Policy Manager. This will bind the Session Policy and Session Profile to the user when they authenticate on the NetScaler.

  • 19

    11c) Open the SSL VPN Groups and assign the Session Policy to the group that the user belongs to.

    Installing the NetScaler Root Certificate

    12) Installing the NetScaler root certificate in the client's browser. In order for the client connection to work, the root certificate from the NetScaler must be installed in the Trusted Root folder of the client's browser.

    a. Use WinSCP to connect securely to the NetScaler and download the root certificate you created in the earlier step. The root cert is stored in /nsconfig/ssl with a filename of .cer-root.cert.

    b. Launch Internet Explorer. Tools > Internet Options > Content > Certificates. Select the tab labeled Trusted Root Certification Authorities. Select Import and import the certificate.

  • 20

    Citrix Presentation Server Configuration

    Setting up the backend applications

    It is assumed that installation has already been completed for CPS licensing, CPS Server, CPS Access Management Console and CPS Web Interface. The CPS will need to be configured with an active license file.

    Note: Before beginning this step, it is advisable to find out what port the Citrix XML service is running on. To do this, from the Access Management Console, navigate to Citrix Resources > Presentation Server > > Servers > . Right-click on the server name, and select Properties. At the bottom is XML service.

    13a) To configure CPS, launch the Citrix Access Management Console and navigate to Citrix Resources > Web Interface > right-click > Create site.

  • 21

    13b) Select the type of site to create. For this example, we are creating an Access Platform site, accessible through a Web Interface.

    13c) Specify the IIS location. For this example, we use the default. Notice the default directory /Citrix/AccessPlatform matches the Session Profile in the NetScaler configuration.

  • 22

    13d) Specify Configuration Source. For this example, we use local files.

    13e) Specify Authentication Settings. For this example we use the built-in authentication and access control.

  • 23

    13f) Confirm Settings.

    13g) Finish.

  • 24

    13h) Specify Initial Configuration.

    13i) Specify Server Farm.

    Add the Server farm name, and the server to the farm.

  • 25

    13j) Select Application Type.

    13k) Specify Access Method.

  • 26

    13l) Confirm Settings and Finish.

    13m) Because NetScaler is configured to proxy ICA connections, we must change the Secure Client Access method. From the Access Management Console, navigate to Citrix Resources > Configuration Tools > Web Interface > http:///Citrix/AccessPlatform. Perform a right-click > Manage Secure Client Access > Edit DMZ Settings.

  • 27

    13n) Edit the default access method and change it from Direct to Gateway Direct.

    13o) Set the Fully Qualified Domain Name (FQDN) on the Citrix Presentation Server. Navigate to Citrix Resources > Configuration Tools > Web Interface > http:///Citrix/AccessPlatform. Perform a right-click > Manage Secure Client Access > Edit Gateway Settings.

  • 28

    13p) Add the FQDN and Secure Ticket Authority to the local Citrix Presentation Server. The FQDN should point back to the NetScaler SSL VPN Gateway. The Secure Ticket Authority (STA) is configured locally on CPS.

    Note: Take notice of the use of port 8080 for XML in the URL.

    13q) The STA must also be configured in the NetScaler SSL VPN Gateway. On the NetScaler GUI, navigate to NetScaler > SSL VPN. In the right frame, select the link. In the left-side frame, navigate to Configured Policies / Resource > Virtual Servers > > STA Servers. Right-click on STA Servers and add the URL of the Citrix Presentation Server STA. In this example, http://169.145.91.151:8080. Note the use of port 8080 for XML.

  • 29

    13r) On the local CPS machine, add entries into the /etc/hosts file for the local CPS. In this example, 169.145.91.151 equates to srv1.citrixlabs.com. Also, add entries into the NetScaler DNS table for the backend CPS. Navigate to NetScaler > DNS > Records > Address Records > Add.

    Publish the Application on Citrix Presentation Server

    14) Publish the application on the Citrix Presentation Server. From the Access Management Console, navigate to Citrix Resources > Presentation Server > Servers > right-click > All tasks > Publish Application on server. In this example, we published the server desktop.

  • 30

    Add Users and Groups to Presentation Server

    15) Add users and a group that will be given access to this Citrix Presentation Server. On the local CPS1 machine we created local users local000srv1 and local001srv1 and added them to the RemoteDesktopUsers group. If we were going to use the Active Directory Domain Controller, we would have created a group named cps1, and added users cps1user1 and cps1user2 to that group. All of these users, local or domain, will only have access to Citrix Presentation Server Srv1.

    On the CPS machine or Active Directory Domain Controller, add users and a group that will be given access to this Citrix Presentation Server. In this example, we created a group named cps1, and added users cps1user1 and cps1user2 to that group. These users will only have access to Citrix Presentation Server Srv1. (For testing we used a password of netscaler1!.)

    Tip: For a local authentication implementation on the local Citrix Presentation Server, as we did in this example, you do not need to add users and a group to the Domain Controller, but will add the users and group to the local CPS. When logging into the Web Interface, instead of typing in a domain, you will type in the server name. In this example, it would be Srv1 instead of Citrixlabs.

    Note: Be sure to add the cps1 group as a member of the Remote Desktop Users group, otherwise the application will not launch from CPS. The Terminal Services right is automatically a part of the Remote Desktop Users group, which is necessary to launch CPS.

  • 31

    16) On the local Citrix Presentation Server, open the group Remote Desktop Users and add the same group. In this example, we added group cps1.

    If we were using Active Directory, we would have to authenticate to the Domain Controller.

    Note: By default on Windows Server 2003, members of the Administrators and Remote Desktop Users groups can connect using Windows Terminal Services. The Remote Desktop Users group contains no users when it is initially created; you must manually add any users or groups who require Windows Terminal Services access. If the users are not already members of the computer's local group, you must also add them. Unlike Windows 2000 Server policies, the Allow log on locally policy (a Computer local policy under User rights) no longer provides access to Terminal Services connections. For additional information, see the Windows Server 2003 online documentation.

  • 32

    17a) Add the cps1 group (and users) to the application in Citrix Presentation Server. From the Access Management Console, navigate to Citrix Resources > Presentation Server > > Applications > right-click > Modify Application Properties > Modify Users.

    17b) Select Allow only configured users and click Add. Then double-click the domain to add users from. In this example SRV1, the local machine. Double-click on Users and select the check box Show Users. Double-click on the group to add it to this CPS application, giving access to the users in that group. In this example, we added the Remote Desktop group, which gives local users local000srv1 and local001srv1 access to this CPS application.

    Note: If we were using Active Directory, we would use the domain Citrixlabs, and add users from the Domain Controller.

  • 33

    18a) To test the Citrix Presentation Server installation locally, change the Secure Client Access method from Gateway Direct back to Direct and then launch the web interface http://localhost/Citrix/AccessPlatform on the CPS server locally. Use the login credentials for the local user; in this example, user:local000srv1, pass:local000srv1, domain:srv1.

    If we were using a Domain Controller, we would log in using domain credentials, user:cps1user1, pass:netscaler1!, domain:citrixlabs.

    18b) Successful login.

  • 34

    18c) Now, to run the Citrix Presentation Server through the NetScaler SSL VPN Gateway, change the Secure Client Access method from Direct back to Gateway Direct and then launch a web interface remotely from a client machine to the NetScaler virtual server. In this example https://10.217.104.102 (this is our public-facing VIP). In this example, the credentials to authenticate with the NetScaler SSL VPN local DB are u: user1, p: user1.

    Upon successful authentication the user is passed through to the Citrix Presentation Server web interface for authentication on the local domain, where we again use the login credentials for the user added to the domain controller. In this example, user:local000srv1, pass:local000srv1, domain: srv1.

    A successful logon will look something like this:

  • 35

    Connecting a second Citrix Presentation Server

    Providing connectivity to a second Citrix Presentation Server farm through the NetScaler SSL VPN Gateway, based on authentication credentials, requires the following:

    a. Add another user and group to the NetScaler SSL VPN. In this example we used user2 and partner2.

    b. Add another Session Policy and Session Profile on the NetScaler SSL VPN that points to the second Citrix Presentation Server farm. In this example, we used SessionPolicySrv2 and SessionProfileSrv2. The difference this time is that we pointed the client to the backend Citrix Presentation Server home page at http://Srv2.citrixlabs.com/Citrix/AccessPlatform/.

    c. Install and configure the second CPS on a different server. In this example, the second CPS resides on a different server at IP address 169.145.92.152, on VLAN 92. We followed the same installation steps as for CPS Srv1, only substituting Srv2 and IP address 169.145.92.152.

    Routing users based on authentication credentials

    When completely finished, and accessing the NetScaler SSL VPN Gateway at https://10.217.104.102, user1 will be directed to CPS Srv1 upon authentication. Additional authentication into the Srv1 domain will be required at Srv1 through the CPS Web Interface.

    In addition, launching another browser at https://10.217.104.102 and logging in as user2 will direct that user to CPS Srv2 upon authentication at the NetScaler SSL VPN Gateway. Here again, this user will have to authenticate into the Srv2 domain through the CPS Web Interface.

    CPS Host VLAN Tagging compatibility

    Make sure the server that CPS is installed on has a NIC that supports VLAN tagging if you are going to plug it into an 802.1q tagged switchport. To simplify troubleshooting, it helps to change the MAC address on the CPS host to contain the VLAN ID.

    In this example, on our first CPS host we turned on VLAN tagging support and set the MAC address to 000000000091 to match the VID. When it shows up in the ARP and bridge tables on the NetScaler, we know we are routing/bridging traffic correctly.

  • 36

    Securing Traffic Flows between portals/users

    To keep users on CPS farm1 from peeking into what is going on in CPS farm2, this is an important step. It is also important to make sure VLANs are set up correctly on the Layer 2 switch, along with trunking on the Layer 2 switch port that connects to the NetScaler backend interface.

    19) On the NetScaler GUI, trunking must be enabled on backend interface 1/4. Navigate to NetScaler > Network > Interfaces. Right-click on interface 1/4 > Open. Select Trunk, and OK.

    20) Layer 2 Mode and Layer 3 Mode (IP Forwarding) must be disabled on the NetScaler, otherwise traffic from VLAN 91 can be forwarded to VLAN 92. On the NetScaler GUI, navigate to NetScaler > System > Settings > Modes. Disable Layer 2 Mode and Layer 3 Mode.

  • 37

    The effect of this is to prevent users/partners from portal1, or CPS farm1, from roaming or hacking over into other portals or CPS farms, such as CPS farm2. In this example, user1 cannot access any server resources on the CPS farm in user2's portal.

    [Figure: network diagram showing user1 blocked from VLAN 92. Labels: user1, user2, VLAN 91, VLAN 92, Citrix NetScaler https://10.217.104.102, VLAN trunk, Citrix Presentation Server srv1.citrixlabs.com 169.145.91.151 (0x91), srv2.citrixlabs.com 169.145.92.152 (0x92).]
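    Steps 7, 19 and 20 together are what keep farm1 and farm2 apart: each backend VLAN is bound tagged to the trunk interface with its own MIP, the trunk flag is on, and L2/L3 modes are off. Those settings can be verified against a saved running configuration such as the Appendix A listing rather than by clicking through the GUI. The script below is an added example, not part of this guide and not a Citrix tool. It parses the `enable ns mode`, `set interface`, `add ns ip` and `bind vlan` lines of an ns.conf-style dump; the sample configuration it embeds is constructed from the Appendix A lines, and the check keys on the mode tokens `L2` and `L3` as they appear in the NetScaler CLI.

```python
"""Audit a NetScaler running-config dump (ns.conf style, as in Appendix A)
for the backend VLAN isolation settings the deployment guide depends on."""
import re

# Constructed sample modelled on the Appendix A listing; not a real device dump.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.217.104.100 -netmask 255.255.255.0
enable ns feature LB CMP SSLVPN SSL
enable ns mode FR MBF Edge USNIP PMTUD
set interface 1/2 -speed AUTO -duplex AUTO -haMonitor ON -trunk OFF
set interface 1/4 -speed AUTO -duplex AUTO -haMonitor ON -trunk ON
add ns ip 169.145.91.240 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 169.145.91.239 255.255.255.0 -vServer DISABLED
add ns ip 169.145.92.240 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 10.217.104.102 255.255.255.255 -type VIP -snmp DISABLED
add vlan 4
add vlan 91
add vlan 92
bind vlan 4 -ifnum 1/4 -tagged
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.240 255.255.255.0
bind vlan 92 -ifnum 1/4 -tagged
bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0
"""

# The same sample with the mistakes the guide warns about: L2/L3 modes
# left on, the trunk flag off on 1/4, and VLAN 92 left without a MIP.
BROKEN_CONFIG = (
    SAMPLE_CONFIG.replace("USNIP PMTUD", "USNIP PMTUD L2 L3")
    .replace("-trunk ON", "-trunk OFF")
    .replace("bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0\n", "")
)


def parse_config(text):
    """Pull out the mode list, per-interface trunk flag, MIP set and VLAN bindings."""
    cfg = {"modes": set(), "trunk": {}, "mips": set(), "vlan_if": {}, "vlan_ip": {}}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:3] == ["enable", "ns", "mode"]:
            cfg["modes"].update(parts[3:])
        elif parts[:2] == ["set", "interface"]:
            m = re.search(r"-trunk\s+(ON|OFF)", line)
            cfg["trunk"][parts[2]] = bool(m) and m.group(1) == "ON"
        elif parts[:3] == ["add", "ns", "ip"] and "-type MIP" in line:
            cfg["mips"].add(parts[3])
        elif parts[:2] == ["bind", "vlan"]:
            vid = int(parts[2])
            if "-ifnum" in parts:
                ifname = parts[parts.index("-ifnum") + 1]
                cfg["vlan_if"].setdefault(vid, {})[ifname] = "-tagged" in parts
            if "-IPAddress" in parts:
                ip = parts[parts.index("-IPAddress") + 1]
                cfg["vlan_ip"].setdefault(vid, set()).add(ip)
    return cfg


def audit_isolation(text, backend_vlans, trunk_if):
    """Return a list of findings; an empty list means the isolation settings hold."""
    cfg = parse_config(text)
    findings = []
    # Step 20: L2 or L3 mode lets the NetScaler bridge/route between VLAN 91 and 92.
    for mode in ("L2", "L3"):
        if mode in cfg["modes"]:
            findings.append(f"{mode} mode is enabled: traffic can cross between backend VLANs")
    # Step 19: the backend interface must carry 802.1q tags to the Layer 2 switch.
    if not cfg["trunk"].get(trunk_if, False):
        findings.append(f"interface {trunk_if} is not configured as an 802.1q trunk")
    # Step 7: each backend VLAN is bound tagged to the trunk and owns a MIP.
    for vid in backend_vlans:
        if cfg["vlan_if"].get(vid, {}).get(trunk_if) is not True:
            findings.append(f"VLAN {vid} is not bound tagged to {trunk_if}")
        if not cfg["vlan_ip"].get(vid, set()) & cfg["mips"]:
            findings.append(f"VLAN {vid} has no MIP bound, so server-side traffic cannot be sourced on it")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit_isolation(text, [91, 92], "1/4") or ["ok"])
```

    Run it against the output of the NetScaler's running configuration (the file you save in the "Save your configurations" step) after every change to modes, interfaces or VLAN bindings; a non-empty findings list means a later change has undone one of the isolation settings from steps 7, 19 or 20.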

    Save your configurations

    On the NetScaler, in the GUI select the Save button. It is a good idea to navigate to NetScaler > System > Diagnostics and view the running configuration. You can select the Save button to save a copy to your local machine.

    Switch vendors allow the use of TFTP to upload configuration files, and it's a good idea to create a backup.

  • 38

  • 38

    Appendix A - NetScaler Application Switch Configuration

    #NS8.0 Build 49.2

    set ns config -IPAddress 10.217.104.100 -netmask 255.255.255.0

    enable ns feature LB CMP SSLVPN SSL

    enable ns mode FR MBF Edge USNIP PMTUD

    set lacp -sysPriority 32768

    set system user nsroot 1026cbfab43a92237d72589b731c0550f12e58620767770af -encrypted

    add system user partner1 12b38e42ad995b82900545e47a8f058e0e880422896dc3843 -encrypted

    add system user sap1 10f68ca83f0b251be45f9c06292285974a68a86fb07dc5832 -encrypted

    add system group partner1

    add system group sap1

    set interface 0/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0

    set interface 1/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0

    set interface 1/2 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0

    set interface 1/3 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0

    set interface 1/4 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk ON -lacpMode DISABLED -throughput 0

    add ns ip 10.217.104.101 255.255.255.0 -type MIP -vServer DISABLED

    add ns ip 169.145.91.240 255.255.255.0 -type MIP -vServer DISABLED

    add ns ip 169.145.91.239 255.255.255.0 -vServer DISABLED

    add ns ip 10.217.104.103 255.255.255.0 -vServer DISABLED

    add ns ip 10.217.104.102 255.255.255.255 -type VIP -snmp DISABLED

    add ns ip 169.145.92.240 255.255.255.0 -type MIP -vServer DISABLED

    add ns ip 169.145.92.239 255.255.255.0 -vServer DISABLED

    add vlan 2


    add vlan 4

    add vlan 91

    add vlan 92

    bind vlan 4 -ifnum 1/4 -tagged

    bind vlan 91 -ifnum 1/4 -tagged

    bind vlan 91 -IPAddress 169.145.91.240 255.255.255.0

    bind vlan 92 -ifnum 1/4 -tagged

    bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0

    add route 0.0.0.0 0.0.0.0 10.217.104.1 65535

    set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization

    add cr policy sessionID -rule REQ.HTTP.HEADER Cookie CONTAINS sessionid=11*

    add aaa user sslvpn -password cd3c1c5667c9 -encrypted

    add aaa user user2 -password cb3c155225 -encrypted

    add aaa user user_vpn -password cb3c155248d1322d -encrypted

    add aaa user user11 -password cb3c15522696 -encrypted

    add aaa user user12 -password cb3c15522695 -encrypted

    add aaa user user1 -password cb3c155226 -encrypted

    add aaa group partner1

    add aaa group partner2

    add aaa group grp3

    add vpn trafficAction test1 tcp

    add vpn trafficAction Flowprofile91 tcp

    add vpn intranetApplication route_migrate_1 ANY 192.168.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

    add authorization policy sfg ns_true ALLOW

    add authorization policy v91 REQ.VLANID == 91 ALLOW

    add authorization policy v92 REQ.VLANID == 92 ALLOW

    add authorization policy v92not REQ.VLANID != 92 DENY

    add vpn trafficPolicy block-IP-10 REQ.IP.SOURCEIP == 10.1.0.0 -netmask 255.255.0.0 test1

    add vpn trafficPolicy Flow91 REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 && REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0 Flowprofile91

    add vpn vserver coilgw.citrixlabs.com SSL 10.217.104.102 443 -maxAAAUsers 30 -downStateFlush DISABLED

    set ns rpcNode 10.217.104.100 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.100

    set responder param -undefAction NOOP

    set rewrite param -undefAction NOREWRITE

    add dns nameServer 10.217.120.2 -state DISABLED

    add dns nameServer 10.217.104.10 -state DISABLED

    set dns parameter -nameLookupPriority DNS

    add dns addRec srv2.citrixlabs.com 169.145.92.152 -TTL 3600

    add dns addRec srv1.citrixlabs.com 169.145.91.151 -TTL 3600

    add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key

    add ssl certKey citrix -cert /nsconfig/ssl/citrix.cert -key /nsconfig/ssl/citrix.key

    add ssl certKey ssltest -cert /nsconfig/ssl/ssltest.cert -key /nsconfig/ssl/ssltest.key

    add ssl certKey coilgw_citrixlabs_com.cer -cert /nsconfig/ssl/coilgw_citrixlabs_com.cer.cert -key /nsconfig/ssl/coilgw_citrixlabs_com.cer.key

    set ssl service nshttps-169.145.92.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-169.145.92.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-169.145.92.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-169.145.92.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-10.217.104.103-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-10.217.104.103-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-169.145.91.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-169.145.91.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-169.145.91.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-169.145.91.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-10.217.104.101-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-10.217.104.101-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nskrpcs-127.0.0.1-3009 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nshttps-127.0.0.1-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set ssl service nsrpcs-127.0.0.1-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

    set cache parameter -memLimit 0 -via NS-CACHE-8.0: 100 -verifyUsing HOSTNAME_AND_IP -maxPostLen 0 -prefetchMaxPending 4294967294 -enableBypass YES

    set cache contentGroup BASEFILE -relExpiry 86000 -maxResSize 256 -memLimit 2

    set cache contentGroup DELTAJS -relExpiry 86000 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES

    set aaa parameter -maxAAAUsers 25

    add vpn sessionAction nssessionprofile1 -defaultAuthorizationAction ALLOW -homePage Citrix001 -icaProxy ON -ntDomain DEMO

    add vpn sessionAction nssessionprofile2 -defaultAuthorizationAction ALLOW -homePage Citrix002 -icaProxy ON -ntDomain DEMO

    add vpn sessionAction SGProfile1 -homePage Citrix001 -icaProxy ON -ntDomain DEMO

    add vpn sessionAction SessionProfileSrv1 -homePage http://srv1.citrixlabs.com/Citrix/AccessPlatform -icaProxy ON -ntDomain Srv1

    add vpn sessionAction SessionProfileSrv2 -homePage http://Srv2.citrixlabs.com/Citrix/AccessPlatform -icaProxy ON -ntDomain Srv2

    add vpn sessionPolicy name1 ns_true nssessionprofile1

    add vpn sessionPolicy SessionPolicy1 ns_true SGProfile1

    add vpn sessionPolicy SessionPolicySrv1 ns_true SessionProfileSrv1

    add vpn sessionPolicy SessionPolicySrv2 ns_true SessionProfileSrv2

    set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true

    set vpn parameter -splitDns BOTH -proxyLocalBypass DISABLED -forceCleanup none -clientOptions all -clientConfiguration all -SSO OFF -windowsAutoLogon OFF -clientDebug OFF -icaProxy OFF -epaClientType PLUGIN

    set audit syslogParams -serverIP 10.210.100.151 -logLevel ALL

    bind aaa user user2 -policy SessionPolicySrv2

    bind aaa user user_vpn -policy SessionPolicySrv1

    bind aaa user user1 -policy SessionPolicySrv1

    bind aaa group partner2 -userName user2

    bind aaa group partner1 -userName user1

    bind aaa group partner1 -policy Flow91 -priority 1

    bind aaa group partner1 -policy SessionPolicySrv1 -priority 2

    bind aaa group partner2 -policy v92


    bind aaa group partner2 -policy v92not

    bind aaa group partner2 -policy SessionPolicySrv2

    bind system user partner1 network 0

    bind system user sap1 network 0

    bind system group partner1 -userName partner1

    bind system group sap1 -userName sap1

    bind system group sap1 -policyName network 0

    bind tunnel global ns_tunnel_cmpall_gzip

    bind vpn global -policyName name1

    bind vpn global -policyName SessionPolicy1

    bind vpn global -policyName SessionPolicySrv1

    bind vpn global -policyName SessionPolicySrv2

    bind vpn global -intranetApplication route_migrate_1

    bind vpn vserver coilgw.citrixlabs.com -staServer http://169.145.92.152:8080

    bind vpn vserver coilgw.citrixlabs.com -staServer http://169.145.91.151:8080

    add ns acl Access91 ALLOW -destIP = 169.145.91.0-255.255.255.0 -vlan 91 -priority 10 -kernelstate SFAPPLIED61

    apply ns acls

    set rnat 10.251.31.0 255.255.255.0 -natIP 10.217.104.101

    set lb sipParameters -addRportVip ENABLED

    set bridgetable -bridgeAge 60

    bind ssl service nshttps-169.145.92.239-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-169.145.92.239-3008 -certkeyName ns-server-certificate

    bind ssl service nshttps-169.145.92.240-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-169.145.92.240-3008 -certkeyName ns-server-certificate

    bind ssl service nshttps-10.217.104.103-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-10.217.104.103-3008 -certkeyName ns-server-certificate

    bind ssl service nshttps-169.145.91.239-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-169.145.91.239-3008 -certkeyName ns-server-certificate

    bind ssl service nshttps-169.145.91.240-443 -certkeyName ns-server-certificate


    bind ssl service nsrpcs-169.145.91.240-3008 -certkeyName ns-server-certificate

    bind ssl service nshttps-10.217.104.101-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-10.217.104.101-3008 -certkeyName ns-server-certificate

    bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate

    bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate

    bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate

    bind ssl vserver coilgw.citrixlabs.com -certkeyName coilgw_citrixlabs_com.cer

    add appfw profile Basic

    add appfw profile Advanced

    set appfw profile Advanced -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn log stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats -fieldFormatAction block learn log stats

    bind appfw profile Basic -startURL ^[^?]+[.](html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)$

    bind appfw profile Basic -startURL ^[^?]+[.](cgi|aspx?|jsp|php|pl)([?].*)?$

    bind appfw profile Basic -denyURL /core(/.*)?$ -comment Unix core file attacks -state DISABLED

    bind appfw profile Basic -denyURL [\/]etc[\/](passwd|group|hosts) -comment Unix file attacks -state DISABLED

    bind appfw profile Basic -denyURL ([ /=]|\t|\n)(ls|rm|cat)([ ;\\\\&].*)?$ -comment Command injection attack -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[+][.]htr -comment HTR source disclosure -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/[?][SM]=[AD] -comment Apache possible directory index disclosure vulnerability -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/[?]wp- -comment Netscape enterprise server directory indexing vulnerability -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/NULL[.]printer -comment Printer buffer overflow -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/default[.]ida[?]N+ -comment CodeRed -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/publisher -comment Netscape enterprise server web publishing vulnerability -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*Admin[.]dll -comment Nimbda-3 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/winnt/ -comment Nimbda-4 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[+]dir -comment IIS executable file parsing vulnerability-1 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/georgi[.]asp -comment IIS executable file parsing vulnerability-2 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[.](bat|ini|exe)(|[?].*)$ -comment IIS executable file parsing vulnerability-3 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|] -comment Script exploit -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[.]asp\.* -comment Microsoft IIS UNC mapped virtual host vulnerability -state DISABLED


    bind appfw profile Basic -denyURL ^[^?]*[.]htx -comment Microsoft IIS UNC path disclosure vulnerability -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*[.]id[aq] -comment Index server buffer overflow -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$ -comment Access attacks -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$ -comment Password file attacks -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*dvwssr[.]dll -comment Front Page server extensions buffer overflow-1 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*fp30reg[.]dll -comment Front Page server extensions buffer overflow-2 -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*null[.]htw -comment Webhits source disclosure -state DISABLED

    bind appfw profile Basic -denyURL debug[.][^/?]*(|[?].*)$ -comment Debug attacks -state DISABLED

    bind appfw profile Basic -denyURL system( |\t|\n)*[(] -comment System command attacks -state DISABLED

    bind appfw profile Basic -denyURL ^[^?]*/_vti_bin/shtml[.] -comment Front Page server extensions path disclosure vulnerability -state DISABLED

    bind appfw profile Advanced -denyURL /core(/.*)?$ -comment Unix core file attacks -state DISABLED

    bind appfw profile Advanced -denyURL [\/]etc[\/](passwd|group|hosts) -comment Unix file attacks -state DISABLED

    bind appfw profile Advanced -denyURL ([ /=]|\t|\n)(ls|rm|cat)([ ;\\\\&].*)?$ -comment Command injection attack -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[+][.]htr -comment HTR source disclosure -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/[?][SM]=[AD] -comment Apache possible directory index disclosure vulnerability -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/[?]wp- -comment Netscape enterprise server directory indexing vulnerability -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/NULL[.]printer -comment Printer buffer overflow -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/default[.]ida[?]N+ -comment CodeRed -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/publisher -comment Netscape enterprise server web publishing vulnerability -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*Admin[.]dll -comment Nimbda-3 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/winnt/ -comment Nimbda-4 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[+]dir -comment IIS executable file parsing vulnerability-1 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/georgi[.]asp -comment IIS executable file parsing vulnerability-2 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[.](bat|ini|exe)(|[?].*)$ -comment IIS executable file parsing vulnerability-3 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|] -comment Script exploit -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[.]asp\.* -comment Microsoft IIS UNC mapped virtual host vulnerability -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*[.]htx -comment Microsoft IIS UNC path disclosure vulnerability -state DISABLED


    bind appfw profile Advanced -denyURL ^[^?]*[.]id[aq] -comment Index server buffer overflow -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$ -comment Access attacks -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$ -comment Password file attacks -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*dvwssr[.]dll -comment Front Page server extensions buffer overflow-1 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*fp30reg[.]dll -comment Front Page server extensions buffer overflow-2 -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*null[.]htw -comment Webhits source disclosure -state DISABLED

    bind appfw profile Advanced -denyURL debug[.][^/?]*(|[?].*)$ -comment Debug attacks -state DISABLED

    bind appfw profile Advanced -denyURL system( |\t|\n)*[(] -comment System command attacks -state DISABLED

    bind appfw profile Advanced -denyURL ^[^?]*/_vti_bin/shtml[.] -comment Front Page server extensions path disclosure vulnerability -state DISABLED

    set ns hostName ns

    Done

    >
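    The isolation described in the Network Diagram section rests on the authorization policies and group bindings listed in Appendix A. The script below is an added audit example, not part of this guide and not Citrix code: it parses the CLI lines Appendix A uses (`add authorization policy`, `bind aaa group -policy`, `bind aaa group -userName`) and reports, per AAA group, which VLAN ids its bound authorization policies allow and whether any bound policy denies traffic to other VLANs. The sample input is a constructed subset of the Appendix A lines above. A group that is reported without a VLAN DENY is a prompt to confirm where its restriction is enforced (session profile default action, ACLs), not a verdict that it is open.

```python
"""Audit VLAN-scoped authorization in a NetScaler CLI configuration dump.

Added example (not from the guide or from Citrix). It reads the subset of
CLI commands relevant to per-portal isolation and reports, per AAA group,
which VLAN ids are explicitly allowed or denied, so an administrator can
check the intended isolation before saving the configuration.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the Appendix A lines in this guide.
SAMPLE_CONFIG = """\
add aaa group partner1
add aaa group partner2
add aaa group grp3
add authorization policy sfg ns_true ALLOW
add authorization policy v91 REQ.VLANID == 91 ALLOW
add authorization policy v92 REQ.VLANID == 92 ALLOW
add authorization policy v92not REQ.VLANID != 92 DENY
add vpn sessionPolicy SessionPolicySrv1 ns_true SessionProfileSrv1
bind aaa group partner2 -userName user2
bind aaa group partner1 -userName user1
bind aaa group partner1 -policy Flow91 -priority 1
bind aaa group partner1 -policy SessionPolicySrv1 -priority 2
bind aaa group partner2 -policy v92
bind aaa group partner2 -policy v92not
bind aaa group partner2 -policy SessionPolicySrv2
"""

AUTHZ_RE = re.compile(r"^add authorization policy (\S+) (.+?) (ALLOW|DENY)$")
GROUP_RE = re.compile(r"^add aaa group (\S+)$")
BIND_POLICY_RE = re.compile(r"^bind aaa group (\S+) -policy (\S+)(?: -priority (\d+))?$")
BIND_USER_RE = re.compile(r"^bind aaa group (\S+) -userName (\S+)$")
VLAN_RULE_RE = re.compile(r"REQ\.VLANID\s*(==|!=)\s*(\d+)")


def parse_config(text):
    """Return (policies, groups): policies maps name -> (rule, action);
    groups maps name -> {"policies": [(name, priority)], "users": [...]}."""
    policies = {}
    groups = defaultdict(lambda: {"policies": [], "users": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTHZ_RE.match(line):
            policies[m.group(1)] = (m.group(2), m.group(3))
        elif m := GROUP_RE.match(line):
            groups[m.group(1)]  # create the group even if nothing is bound
        elif m := BIND_POLICY_RE.match(line):
            prio = int(m.group(3)) if m.group(3) else None
            groups[m.group(1)]["policies"].append((m.group(2), prio))
        elif m := BIND_USER_RE.match(line):
            groups[m.group(1)]["users"].append(m.group(2))
    return policies, dict(groups)


def vlan_scope(policies, groups):
    """Per group: VLANs explicitly allowed, VLANs that a DENY fences the
    group into, and the group's member users."""
    report = {}
    for name, g in groups.items():
        allowed, fenced_to = set(), set()
        for pol, _prio in g["policies"]:
            if pol not in policies:
                continue  # session or traffic policy, not an authorization policy
            rule, action = policies[pol]
            m = VLAN_RULE_RE.search(rule)
            if not m:
                continue
            op, vlan = m.group(1), int(m.group(2))
            # "== N ALLOW" admits VLAN N; "!= N DENY" blocks every other VLAN
            if op == "==" and action == "ALLOW":
                allowed.add(vlan)
            elif op == "!=" and action == "DENY":
                fenced_to.add(vlan)
        report[name] = {
            "users": sorted(g["users"]),
            "allowed_vlans": sorted(allowed),
            "denies_other_than": sorted(fenced_to),
        }
    return report


def groups_without_vlan_deny(report):
    """Groups that have members but no DENY fencing them to one VLAN."""
    return sorted(n for n, r in report.items()
                  if r["users"] and not r["denies_other_than"])


if __name__ == "__main__":
    pol, grp = parse_config(SAMPLE_CONFIG)
    rep = vlan_scope(pol, grp)
    for name, r in rep.items():
        print(name, r)
    print("confirm isolation for:", groups_without_vlan_deny(rep))
```

    Run it against the full Appendix A dump (or a saved copy of your own running configuration) instead of the constructed sample; the parser ignores every line it does not recognise, so the complete file can be fed in unchanged.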


    Appendix B - Layer 2 Switch Configuration

    ! Any Layer 2 switch will work as long as it supports 802.1Q VLANs and Trunking.

    ! The following is the configuration used on our switch in the lab.

    ! Trunk port connecting to NetScaler interface 1/4

    interface FastEthernet0/11

    switchport trunk encapsulation dot1q

    switchport mode trunk

    ! Port connecting to NetScaler Public VIP

    interface FastEthernet0/15

    ! VLAN 91 interface connecting to CPS farm 1

    interface FastEthernet0/21

    switchport access vlan 91

    ! VLAN 92 interface connecting to CPS farm 2

    interface FastEthernet0/23

    switchport access vlan 92

    Port VLAN Memberships

    Note: Port Fa0/11 is not listed because it is a trunk port.

    VLAN  Name                   Ports
    1     default                Fa0/1...Fa0/10, Fa0/12...Fa0/14, Fa0/15, Fa0/16
    91    VLAN91-to-CPSSrvFarm1  Fa0/21
    92    VLAN92-to-CPSSrvFarm2  Fa0/23


    www.citrix.com

    Citrix Worldwide

    Worldwide headquarters
    Citrix Systems, Inc.
    851 West Cypress Creek Road
    Fort Lauderdale, FL 33309
    USA
    T +1 800 393 1888
    T +1 954 267 3000

    Regional headquarters

    Americas
    Citrix Silicon Valley
    4988 Great America Parkway
    Santa Clara, CA 95054
    USA
    T +1 408 790 8000

    Europe
    Citrix Systems International GmbH
    Rheinweg 9
    8200 Schaffhausen
    Switzerland
    T +41 52 635 7700

    Asia Pacific
    Citrix Systems Hong Kong Ltd.
    Suite 3201, 32nd Floor
    One International Finance Centre
    1 Harbour View Street
    Central
    Hong Kong
    T +852 2100 5000

    Citrix Online division
    5385 Hollister Avenue
    Santa Barbara, CA 93111
    USA
    T +1 805 690 6400

    About Citrix

    Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than 200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more than 100 countries. Annual revenue in 2006 was $1.1 billion.

    Citrix, NetScaler, GoToMyPC, GoToMeeting, GoToAssist, Citrix Presentation Server, Citrix Password Manager, Citrix Access Gateway, Citrix Access Essentials, Citrix Access Suite, Citrix SmoothRoaming and Citrix Subscription Advantage are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX is a registered trademark of The Open Group in the U.S. and other countries. Microsoft, Windows and Windows Server are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.