Revised: 9 May 2016 Integration Guide Citrix XenApp 7.8

Upload: ngominh

Post on 13-Feb-2018



Citrix XenApp Integration Guide

About This Guide

Guide Type

Documented Integration — WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.


Citrix XenApp Integration Overview

This document describes how to integrate Citrix XenApp 7.8 with your WatchGuard Firebox to support end-point client automatic authentication through the WatchGuard Terminal Services Agent (TO Agent). The Firebox enforces policies for traffic from endpoint clients after a user authenticates to the Firebox from the endpoint client with a specified user name and IP address.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

Firebox with Fireware v11.10.x installed.

Citrix XenApp 7.8 and other software required for this integration installed on four virtual machines as listed in the table below.

| VM# | Operating System | Components |
|---|---|---|
| 1 | Windows 10 | End-point client with Citrix Receiver |
| 2 | Windows Server 2012 R2 | Citrix Delivery Controller, Studio, StoreFront, Database, and License server |
| 3 | Windows Server 2012 R2 | Citrix Virtual Delivery Agent on the Master Image, WatchGuard TO Agent |
| 4 | Windows Server 2012 R2 | Active Directory domain; runs DNS and DHCP services |


Configuration

To complete this integration, you must first deploy the Citrix XenApp 7.8 software shown in the Platform and Software section above.

VM Configuration Notes:

All VMs must be members of the Active Directory (AD) domain. In our integration the VMs get an IP address from a DHCP server on the AD server. The DHCP server could also be enabled on the Firebox interface or through DHCP relay configured on the Firebox interface as long as FQDN is working for all VMs.

The default gateway for all VMs must be the IP address of the Firebox trusted interface the network connects to. In our example integration, the IP address is 10.0.1.1.

FQDN must be working.

WatchGuard Terminal Services Agent (TO Agent) and the Citrix Virtual Delivery Agent (VDA) must be installed on the same server.

For information about how to set up the Citrix XenApp 7.8 environment, see the Citrix XenApp 7.8 Installation Guide.

In this document, we describe how to set up WatchGuard Terminal Services Agent (TO Agent) to work with Citrix XenApp 7.8 so the Firebox can authenticate end-point clients.

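[Figure: network topology. The WatchGuard Firebox sits between the External interface (Internet) and the Trusted network, which contains VM1 (End-point client), VM2 (Citrix Delivery Controller), VM3 (Citrix Virtual Delivery Agent), and VM4 (Active Directory Domain). Labels shown in the diagram: eco.cdc.com, 10.0.1.1, 10.0.1.5, 10.0.1.6, 10.0.1.7, 10.0.1.8.]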


Set Up Citrix XenApp

Publish Apps on Citrix

For our integration example, we created a machine catalog and published four applications.

1. We created a Machine Catalog called <windows 2012 for Eco Traffic>, using the Master Image on VM2.

2. We created a Delivery Group to publish applications using the Machine Catalog <windows 2012 for Eco Traffic>.


3. We published four applications. For this example, we published Calculator, Command Prompt, Iexplore, and Notepad.

Install the WatchGuard Terminal Services Agent (TO Agent)

To install and verify the TO Agent:

1. Install the WatchGuard TO Agent on the server where the Citrix Virtual Delivery Agent is installed. In our example integration, the TO agent is installed on VM3. For detailed instructions to install and configure the Terminal Services agent, see Fireware Help.

2. Use the netstat command to verify the TO Agent works correctly. If the TO Agent is correctly working, the netstat output should look similar to the example shown here.


Set Up the Firebox

Enable Terminal Services on the Firebox

After you install the TO Agent, you must add the TO Agent IP address to the Firebox configuration.

1. Log in to Fireware Web UI.

2. Select Authentication > Terminal Services.

3. In the text box below the Agent IP list, add the IP address of the machine where the TO Agent is installed. In our example integration, the TO Agent is installed on VM3, at 10.0.1.6.

4. Click Add to add the specified IP address to the list.

5. Click Save to save the configuration.


Configure the Active Directory Server on the Firebox

1. Select Authentication > Servers > Active Directory.

2. Click Add.

3. Specify the Domain Name, Primary IP address, and Search Base for your Active Directory server. The other settings are optional. For our integration, the Domain Name and IP address are the same as VM4, as shown in the image below.


Add Active Directory Authentication Users

You must add the Active Directory users on the Firebox before you can add them to a policy.

1. Select Authentication > Users and Groups.

2. Click Add.

3. In the Name text box, type the name of a user that exists in the Active Directory domain. The user name is case-sensitive. In our example integration, the user name is user1.

4. From the Authentication Server drop-down list, select the Authentication Server domain name.

5. Click OK.

6. Click Save to save the configuration.


Create a Policy for Authenticated Users

To add a policy for HTTP traffic from authenticated users:

1. Select Firewall > Firewall Policies.

2. Click Add Policy.

3. Add an HTTP packet filter policy.

4. Configure the policy to allow connections from firewall user user1 to Any-External.

5. Click Save to save the policy.


Test Automatic Client Authentication

1. On a client machine that has Citrix Receiver installed, open a browser and go to the default Storefront URL: http://<servername>/Citrix/StoreWeb. In our example integration, the client machine is VM1, which has Windows 10 installed.

2. Log in as domain user user1.


3. Select Apps to see all published applications.

4. Click the Iexplore app to launch it. The Internet Explorer application window appears.

5. Type the URL for an internet site to visit. For example, we visited www.msn.com as shown below.


6. To verify that the user has authenticated, in Fireware Web UI, select System Status > Authentication List. The user name appears on the Authenticated Users list.

Because the user is authenticated, the HTTP traffic for this user is enforced by the HTTP policy configured to allow traffic from this user.

To make sure that the Firebox does not allow outgoing traffic from users who are not authenticated, you must disable or remove the default Outgoing (TCP-UDP) policy that allows traffic from unauthenticated users. If you remove the Outgoing policy from your device configuration file, you must add policies to your configuration that allow outbound traffic. You can either add a separate policy for each type of traffic that you want to allow out through your firewall, or you can add the TCP-UDP packet filter or TCP-UDP-proxy policy.

For example, if you remove the Outgoing policy, and you want to allow authenticated users on your network to connect to websites, you must add an HTTP or HTTP-proxy policy for port 80, an HTTPS or HTTPS-proxy policy for port 443, and a DNS policy for port 53 to allow DNS query resolution.
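
The effect of the default Outgoing policy described above, as an added example that is not part of the original guide: a simplified Python model (not the Firebox configuration format) that checks, for ports 53, 80 and 443, whether unauthenticated traffic gets out and whether user1 is blocked. The `Policy` class, the `audit` helper, and the choice to restrict the HTTPS and DNS policies to user1 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Simplified allow policy (constructed model; ignores protocol and precedence)."""
    name: str
    ports: frozenset = frozenset()   # destination ports; empty means any port
    users: frozenset = frozenset()   # firewall users in From; empty means any source
    enabled: bool = True

def is_allowed(policies, port, user=None):
    """True if any enabled policy permits this outbound port for this user.
    user=None models traffic from a source that has not authenticated."""
    for p in policies:
        if not p.enabled:
            continue
        if p.ports and port not in p.ports:
            continue
        if not p.users or user in p.users:
            return True
    return False

def audit(policies, user="user1", required_ports=(53, 80, 443)):
    """For each required port, report the two failure modes the guide describes."""
    return {
        "unauthenticated_allowed": [p for p in required_ports if is_allowed(policies, p)],
        "authenticated_blocked": [p for p in required_ports
                                  if not is_allowed(policies, p, user)],
    }

USER = frozenset({"user1"})                      # user name from the guide
OUTGOING = Policy("Outgoing")                    # default policy: any port, any source
HTTP = Policy("HTTP", frozenset({80}), USER)     # the policy created in this guide
HTTPS = Policy("HTTPS", frozenset({443}), USER)  # assumed to be limited to user1
DNS = Policy("DNS", frozenset({53}), USER)       # assumed to be limited to user1

def stages():
    """Audit results for the three configurations discussed in the text."""
    return {
        "default": audit([OUTGOING, HTTP]),        # Outgoing still enabled
        "outgoing_removed": audit([HTTP]),         # removed, nothing added yet
        "hardened": audit([HTTP, HTTPS, DNS]),     # replacement policies added
    }

if __name__ == "__main__":
    for name, result in stages().items():
        print(name, result)
```
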