imprivata onesign and xenapp and xendesktop 7.6 healthcare

34
Prepared by: Citrix Solutions Lab Imprivata OneSign and XenApp and XenDesktop 7.6 Healthcare Design Guide Streamlining Access to Critical Patient Information This document is intended to be a guide for deploying Imprivata’s enterprise Single Sign-On (SSO) solution on XenApp and XenDesktop for Citrix customers, partners, and field teams.

Upload: ngoanh

Post on 31-Dec-2016

258 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Prepared by: Citrix Solutions Lab

Imprivata OneSign and XenApp and XenDesktop 7.6 Healthcare Design Guide Streamlining Access to Critical Patient Information

This document is intended to be a guide for deploying Imprivata’s enterprise Single Sign-On (SSO) solution on XenApp and XenDesktop for Citrix customers, partners, and field teams.

Page 2: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

2 citrix.com

Section 1: Overview ................................................................................... 4

Project overview ........................................................................................................ 5

Section 2: Solution Benefits........................................................................ 7

Benefits of Imprivata OneSign ...................................................................................... 7

Benefits of Citrix solutions ............................................................................................ 7

Section 3: Architecture Overview ............................................................... 8

Architecture components .............................................................................................. 9

Authentication and SSO ............................................................................................ 9

Imprivata OneSign appliances................................................................................ 9

Authentication modality .......................................................................................... 9

Imprivata OneSign agent ........................................................................................ 9

Software ..................................................................................................................... 10

Hardware .................................................................................................................... 11

Servers .................................................................................................................... 11

Physical Networking ................................................................................................ 11

Virtual Networking ................................................................................................... 12

Hypervisor Pool/Cluster Configurations ................................................................... 12

NetScaler VPX on XenServer Specifications .......................................................... 12

Storage .................................................................................................................... 12

Access devices........................................................................................................ 13

Citrix Infrastructure .................................................................................................. 13

Virtual Desktops ...................................................................................................... 13

Section 4: Execution ................................................................................. 14

Citrix XenDesktop/XenApp Setup .............................................................................. 14

XenDesktop ............................................................................................................. 14

XenApp ................................................................................................................... 14

Pass-Through Authentication Setup and PNAgent ................................................. 14

Imprivata Appliance .................................................................................................... 15

Deployment ............................................................................................................. 15

Setup ....................................................................................................................... 16

Page 3: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

3 citrix.com

User Sync - Active Directory ................................................................................... 21

Imprivata Computer Policies ................................................................................... 22

Computers ............................................................................................................ 22

Citrix XenApp Fast Connect ................................................................................. 22

Citrix XenApp Auto-launch ................................................................................... 22

Citrix XenDesktop Auto-launch............................................................................. 23

Imprivata User Policies ............................................................................................ 23

Citrix XenApp Fast Connect ................................................................................. 23

Citrix XenApp Auto-launch ................................................................................... 23

Citrix XenDesktop Auto-launch............................................................................. 24

Fast-Connect Specific Configuration ....................................................................... 25

Virtual Desktop Configuration .................................................................................. 26

Imprivata Agent Setup ............................................................................................. 26

Wyse Terminals ......................................................................................................... 27

Windows 7 Embedded Setup .................................................................................. 27

Windows 7 Embedded Imprivata Agent Setup ........................................................ 27

Xenith 2.0 Setup ...................................................................................................... 29

Xenith DHCP Settings ............................................................................................. 29

Xenith Xen.ini File ................................................................................................... 29

Verification .............................................................................................................. 30

Section 5: Appendix ................................................................................. 32

Appendix A ................................................................................................................. 32

Company Sites ........................................................................................................ 32

Products .................................................................................................................. 32

Support .................................................................................................................... 32

Page 4: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

4 citrix.com

Section 1: Overview The Challenge – Enabling Technology to Enhance Patient Care

Despite the healthcare industry’s reputation as a slow-moving sector, hospitals are continuing to adopt desktop virtualization technologies at a fast rate. While desktop virtualization initiatives are often driven by IT organizations struggling to support applications on diverse client environments, the IT benefits alone do not explain why desktop virtualization has such widespread acceptance in the clinical community once it’s deployed.

Desktop virtualization has the potential to enhance and streamline patient care. Organizations see greater adoption rates and increased productivity and clinical satisfaction along with improved security the more their virtual desktop environment supports those objectives. However, with the increase in security and compliance concerns, new technology can be seen as a barrier to patient care.

We’ve seen the physician juggling and typing 5 different passwords, authenticating 10 times, remembering to log out to protect patient records and her own email, and simply waiting for workstations and/or applications to load. The ongoing thought process about patient treatment is continually interrupted by these actions. Magnify this process by the typical physician workload, and some troubling patterns emerge:

• Wasted time: With as many as 70 distinct logins per day, a clinician care provider spends a great deal of time simply waiting. In the hospital, care providers may spend between 30 to 60 minutes each day simply logging into workstations and applications.

• Cognitive disruption: Coming up with the right account and password, waiting for an application to load, finding the patient record and remembering to log off – each action interrupts the focus on the patient.

• Frustration: When you add complex passwords and frequent password change policies, it’s easy to imagine physicians becoming frustrated with the technology. Security and compliance requirements typically pit care providers – who need fast access to patient data – against IT and compliance officers, who need to protect authentication and track access.

The Solution - Imprivata and Citrix: smooth roaming with No Click Access™

By combining strong authentication and single sign-on from Imprivata OneSign with desktop and application virtualization using XenDesktop and XenApp, hospitals can implement desktop virtualization in a way that speeds care provider adoption and enhances patient care. XenDesktop and XenApp offer care providers personalized desktops and applications that retain their state even as physicians and nurses change locations and workstations (smooth roaming desktop and/or smooth roaming applications). The care provider experiences a consistent user interface; no matter what client they use to connect. This is particularly important in the hospital environment, where care providers work from many different devices and locations. Imprivata OneSign adds several essential capabilities to this environment:

Strong authentication: Imprivata OneSign has built-in support for multiple authentication technologies, including fingerprint biometrics, smart cards and proximity cards. This makes it easy for hospitals to require strong, two-factor authentication for the initial logon to the workstation.

No Click Access™: Once someone has logged onto their virtual desktop, they can retrieve it from any location with Virtual Desktop Access (VDA) using just the tap of a badge or swipe of a fingerprint. This eliminates time spent remembering and typing passwords.

Single sign-on: With integrated single sign-on, care providers do not have to log on individually to each application they want to use – the single logon connects them to everything they need.

Page 5: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

5 citrix.com

Secure walk-away: When care providers leave shared workstations, OneSign automatically locks the session, using facial recognition to restart seamlessly if the same, authenticated user reappears at the workstation.

Signing: Another tap of a badge or swipe of a fingerprint can serve to sign medication orders or e-prescriptions.

The purpose of the following design guide is to provide a common architecture for the healthcare industry that highlights how an integrated deployment of Citrix XenDesktop and/or XenApp with Imprivata OneSign overcomes the new technology barriers by streamlining clinical workflow with VDA to a smooth roaming desktop along with the ability to auto-launch and roam virtualized applications or published/shared desktops. Security and compliance are ‘built into’ the virtual desktop and application environment rather than imposed on the care provider. The result is a healthcare environment that reclaims time and focus from technology so it’s available for patient care.

About Citrix XenApp & XenDesktop: XenApp is the industry-leading solution for virtual application delivery, providing Windows apps to workers on any device, anywhere. By centralizing control with XenApp, companies can give their team the freedom of mobility while increasing security and reducing IT costs. XenDesktop is a desktop virtualization solution that makes businesses borderless by giving employees the freedom to work from anywhere while cutting IT costs. With XenApp built in, XenDesktop can deliver full desktops or just apps to any device.

About Imprivata OneSign virtual desktop access: With more than 4 million users and 1,200 healthcare customers, Imprivata is the #1 provider of secure access and collaboration solutions for healthcare. By strengthening user authentication, streamlining application access and simplifying compliance reporting across multiple computing environments, customers realize improved workflows, increased security and compliance with government regulations.

Project overview

The Citrix Solutions Lab combined forces with Imprivata to design and deploy a customer centric solution that focused on validating three hospital centric use cases. These use cases focus on:

Citrix XenApp Fast Connect Workflow: In this use case, we tested a user authenticating to Imprivata OneSign through multiple authentication methods including a badge tap and fingerprint biometric, etc., on the endpoint device. The user was automatically connected to Citrix XenApp via the Fast Connect API available in specific versions of the Citrix Online Plugin and Citrix Receiver. The user was then able to manually launch published applications and/or desktops via the desktop or start menu icons. Citrix sessions were able to roam when configured.

This was tested with various connection methods

Online Plugin

Citrix Receiver

This use case was also tested with various endpoint types

Windows with OneSign agent installed

Citrix XenApp Auto-launch Workflow: In this use case, a user was able to authenticate to Imprivata OneSign via a tap of a badge, swipe of a fingerprint, or other authentication modalities, and one or more Citrix published applications or a published desktop was automatically launched. Citrix sessions were able to roam when configured.

This was tested with various connection methods

Online Plugin

Page 6: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

6 citrix.com

Citrix Receiver

This was tested with various endpoint types

Windows with OneSign agent installed

Wyse WTOS/Xenith

Imprivata ProveID Embedded Device

Citrix XenDesktop Auto-launch Workflow: In this use case, a user was able to authenticate to OneSign with the tap of a badge, swipe of a fingerprint, or other authentication modality. A Citrix XenDesktop virtual desktop was automatically launched and the session was able to roam when configured.

This was tested with various connection methods

Online Plugin

Citrix Receiver

This was tested with various endpoint types

Windows with OneSign agent installed

Wyse WTOS/Xenith

Imprivata ProveID Embedded Device

Each use case was deployed in a real world hospital environment and successfully validated by the Citrix Solutions Lab team. The following sections discuss the design aspects of the solution complete with screen shots showing the deployment as well as successful validation of the solution.

Note: Not all features described are available under certain operating systems; please consult Imprivata for the most current information.

Page 7: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

7 citrix.com

Section 2: Solution Benefits

Benefits of Imprivata OneSign Imprivata’s healthcare products are specifically designed to streamline healthcare workflows allowing clinicians to spend less time with technology and more time with patients. The Imprivata OneSign solution suite helps hospitals meet meaningful use objectives by improving adoption and clinician acceptance with simplified, secure access to patient data and applications.

With more than four million healthcare users, Imprivata is the #1 independent provider of single sign-on and access management solutions for healthcare, government, finance and other regulated industries. By strengthening user authentication, streamlining application access and simplifying compliance reporting across multiple computing environments, customers realize improved workflows, increased security and compliance with government regulations.

Simplify login with No Click Access™

Secure logon with the swipe of an ID badge or fingerprint

Save time with every logon and remove risk of mistyped and forgotten passwords

Imprivata customers report time savings of 15 minutes per day, per clinician

Improved clinician productivity and satisfaction

Reduce password reset helpdesk costs

Imprivata customers able to reduce password related helpdesk calls by over 80%

Redeploy helpdesk resources to new projects

Increased patient record security and HIPAA compliance

Take the task of remembering passwords away from the clinician

Enforce strong passwords for logon and applications – automatically change on a regular basis

o Comply with HIPAA regulations

Eradicate sticky notes with passwords

Centralized reporting for compliance adherence

Benefits of Citrix solutions By combining Citrix XenApp/XenDesktop with your Imprivata SSO implementation, you have the ability to extend the single sign-on capabilities to all applications, virtual desktops, and shared data within your current organizational portfolio, not just the ones that are local to the desktop. Whether it is accessing EMRs or corporate desktops, Citrix enables the user to authenticate seamlessly to the required resources while adding additional useful features. For example, Session Parking provides quick access to patient specific content while roaming from exam room to exam room, or from ambulatory facility to hospital. Access and security is controlled in real time using Citrix Receiver. XenApp and XenDesktop also provide granular security features like allowing administrators to control the location where certain security-sensitive features can be utilized, such as printing and file saving. These features are just a few of the benefits that Citrix has designed with specific Healthcare workflows in mind, building on the company philosophy of securing apps and data without impeding the workflows required by physicians and clinicians within your organization.

Page 8: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

8 citrix.com

Section 3: Architecture Overview The goal of this design is to show the integration and use of Imprivata OneSign with Citrix XenDesktop and XenApp to lay the foundation for enterprise level single sign-on in the healthcare environment. The environment uses Citrix XenDesktop and XenApp 7.6 with Provisioning Services 7.6 streaming hosted shared desktops (HSD) and dedicated VDI desktops (VDI), running on Microsoft Hyper-V 2012 R2. Imprivata OneSign will be utilized in the environment as the third party single sign-on (SSO) solution framework.

The environment utilized four physical Microsoft Hyper-V 2012 R2 servers in a cluster with centralized SAN storage for VM and virtual appliance storage. In addition, eight physical Dell Wyse Thin clients (comprised of both Windows Embedded and Linux based OSes) to provide end-point access to the XenDesktop/XenApp environment. Each physical Dell Wyse Thin Client had attached an Imprivata Proximity Card Reader to provide tap and go access. Traditional password authentication was also available as a default.

Page 9: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

9 citrix.com

Architecture components

Authentication and SSO

Imprivata OneSign appliances

Provide secure, hardened Linux-based appliances with fast simple installation and configuration. One appliance supports up to 25,000 concurrent connections, with automated failover and recovery, and can be distributed across sites for failover. Appliances are available as physical or virtual.

Authentication modality

Imprivata offers broad support for strong authentication technologies such as:

Fingerprint identification (no requirement to enter a username)

Fingerprint authentication (uses fingerprint as password)

ID badges

Proximity cards

OTP tokens

Phone and text based authentication

Imprivata OneSign agent

The client-side part of the OneSign system, installed on a computer running Microsoft Windows or integrated into firmware on thin PCs or zero client devices. In a single sign-on environment, the OneSign Agent recognizes an authentication challenge screen presented by a OneSign-profiled application and responds by proxying the user’s credentials into one or more input fields on the user’s behalf. Each computer that supports one or more enabled users requires a OneSign Agent.

The OneSign Agent permits authentication of users through finger biometrics, ID tokens, smart cards, proximity cards, and passwords. It downloads user and policy information from the OneSign server at logon and then checks for updates again periodically at an interval you set in the OneSign Administrator.

Page 10: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

10 citrix.com

Software The following table lists the software and appropriate versions that were utilized:

Component Version

Virtual Desktop Broker XenDesktop 7.6 with Hotfixes

VDI Desktop Provisioning 1 PVS 7.6 with Hotfixes

Physical Endpoint OS 1 Windows 7 Embedded

Physical Endpoint OS 2 Wyse Xenith 2.0

Physical Endpoint Client 1 Citrix Receiver 4.2 for Windows

Physical Endpoint Client 2 Integrated Citrix Receiver

User Profile Management Citrix User Profile Manager with XD 7.6

Web Portal Citrix StoreFront 2.6

Licensing Citrix License Server 11.12.1

Workload Generator Login VSI 4.1.3

Office Microsoft Office 2013 Service Pack 1

Virtual Desktop OS (Dedicated VDI)

Microsoft Windows 8.1 Update 1

Virtual Desktop OS (Hosted Shared Desktops)

Microsoft Windows Server 2012 R2 Datacenter Update 1

Database Server Microsoft SQL Server 2012

VDI Hypervisor Management Microsoft SCVMM 2012 R2

VDI Hypervisor Microsoft Windows 2012 R2 U1 with Hyper-V

NetScaler Software NetScaler VPX on XenServer - 10.5

HDX Insight NetScaler Insight Center 10.5

Imprivata OneSign Virtual Appliance

5.0 SP1

Imprivata OneSign Agent 5.0 SP1 HF2

Page 11: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

11 citrix.com

Hardware

Servers

The server hardware used were 4 rack mount servers configured as described:

Dual 12 core Intel Xeon 2.7 Ghz

384 GB hard drive

16 SAS drives

2 10 gigabit NICs

2 1 gigabit NICs

Each was installed with Windows Server 2012 R2. The OS was installed on a mirror of 2 SAS drives and a RAID 10 configured for the remaining 14 SAS drives.

The 4 rack mount servers were configured as a single cluster, this cluster hosted XenApp HSD and dedicated XenDesktop VDI virtual machines. The network configuration was performed via SCVMM and Logical Switches. The following list defines the NIC to network configuration on the hypervisor hosts:

1. NIC 1 – 1 gigabit

a. Infrastructure VLAN

2. Teamed NICs – 10 gigabit

a. Storage VLAN

b. Guest VM VLAN

c. PVS VLAN

Physical Networking

Below is the network flow concept for the environment data center. Client layer details are not shown on this diagram.

Page 12: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

12 citrix.com

The networks used were a host management network, an infrastructure network, a storage network with a single VLAN for all storage connections, a VM Guest network, and a PVS VLAN. Refer to the diagram below:

Virtual Networking

Hypervisor Pool/Cluster Configurations

Networking was configured using SCVMM 2012

2 Logical Networks – Management and Guest

2 VM Networks – Management and Guest

Logical Switches deployed on Hyper-V hosts

NetScaler VPX on XenServer Specifications

NetScaler VPX were utilized as external gateway and to load balance StoreFront. The physical servers included a single server as a hypervisor host for NetScaler VPX.

VPX 3000 License, 3 PE

4 vCPU

8 GB RAM

20 GB hard drive

NetScaler systems were monitored by NS Insight Center VPX and Command Center 5.2.

Storage

The data center storage used was EMC XtremIO X-brick v3, which handled the storage for dedicated VDI VMs, HSD VMs with their associated Write Cache, as well as storage for the Infrastructure VMs. Connections were accomplished via iSCSI to each host in the Windows cluster over a dedicated storage network.

Page 13: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

13 citrix.com

Access devices

The environment was a single data center location utilizing Dell Wyse thin clients to test single sign-on.

Citrix Infrastructure

The environment was configured in a secured model following the details in the Healthcare Design Guide and Healthcare Implementation Guide. These two documents are the reference material for the XenDesktop and XenApp setup discussed in this document.

Virtual Desktops

Two types of virtual desktops were deployed in the environment:

1. Hosted Shared Desktops – multi user

a. Configured with 5 vCPU, 16 GB RAM, 60 GB VHD

b. 20 VMs

c. Users per VM to be determined

d. PVS Streamed

e. 2 NICs – DC Guest and DC PVS

f. All HSD desktops are PVS Streamed VMs

2. Dedicated VDI – as private desktops, assigned on first use

a. initial configuration to be adjusted as needed

i. Configured with 2 vCPU, 4 GB RAM, 40 GB VHD file

ii. 15 VMs

iii. 1 user per VM

iv. Static VMs

v. 1 NIC on DC Guest

b. All dedicated desktops are static VMs

For PVS “RAM Cache with Overflow to Disk”, RAM on the VMs might be adjusted higher, possibly adding several GB to allow for the cache.

Page 14: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

14 citrix.com

Section 4: Execution

Citrix XenDesktop/XenApp Setup

XenDesktop

The XenDesktop setup followed the design and security considerations in http://docs.citrix.com/content/dam/docs/en-us/solutions/industries/downloads/healthcare-design-guide.pdf and http://docs.citrix.com/content/dam/docs/en-us/solutions/industries/downloads/healthcare-implementation-guide.pdf. In addition, optimizations from https://www.citrix.com/blogs/2014/02/06/windows-8-and-server-2012-optimization-guide/ were utilized to provide the best optimized environment. The VDI itself was built upon Windows 8.1. As the VDI is intended to have all necessary applications already installed, there was no need for further configuration. Additional installation of the OneSign Agent was required to allow for automated launching of published desktops and applications once the initial published desktop was launched. While this feature was not required for the scenarios referenced, it is included as a reminder.

XenApp

The XenApp setup followed the design and security considerations in http://docs.citrix.com/content/dam/docs/en-us/solutions/industries/downloads/healthcare-design-guide.pdf and http://docs.citrix.com/content/dam/docs/en-us/solutions/industries/downloads/healthcare-implementation-guide.pdf. In addition optimizations from https://www.citrix.com/blogs/2014/02/06/windows-8-and-server-2012-optimization-guide/ were utilized to provide the best optimized environment. The HSD itself was built upon Windows Server 2012 R2. Additional installation of the OneSign Agent was required to allow for automated launching of published desktops and applications once the initial published desktop was launched. While this feature was not required for the scenarios referenced, it is included as a reminder.

Pass-Through Authentication Setup and PNAgent

Pass-Through Authentication is used to allow the initial logon (badge tap, fingerprint, biometric, etc.) to be passed through Citrix Receiver to authenticate and either populate or launch a published application or desktop via PNAgent or Self Service via Citrix Receiver.

The default Citrix Receiver installation does not enable support for single sign-on, and a new installation/reinstallation of Citrix Receiver will need to be performed, using the correct command switch, to enable this feature. In order to facilitate single sign-on, the StoreFront and XenDesktop Controller(s) need to be configured for pass-through authentication support as well.

StoreFront will require the enablement of Legacy Services and Pass-Through authentication to facilitate the single sign-on through Receiver. Additionally, the XenDesktop Controller(s) will require modification to the XML Service port trust settings. These modifications are required to allow the full solution to operate as expected as Imprivata relies on the PNAgent services for auto-launch of applications and desktops. Additionally, FastConnect will utilize these features to enable access to published applications and desktops.

Full details and procedure for these changes are documented here: http://support.citrix.com/article/CTX200157

Page 15: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

15 citrix.com

Imprivata Appliance The Imprivata virtual appliance was used to provide the Imprivata OneSign functionality for the environment. This appliance is available directly from Imprivata and runs on both VMware ESX and Microsoft Hyper-V.

The Imprivata virtual appliance is also the primary component used when implementing a fully unified ESSO environment based around Imprivata. Information relating to the Imprivata appliance and the additional advanced features can be found at http://support.imprivata.com (Imprivata logon required).

Deployment

Installation will follow the Imprivata documentation found at http://support.imprivata.com under Documentation > Managing Imprivata Appliances > Virtual Appliance > Deploying Imprivata Virtual Appliances

The process for deployment will require the import of the virtual appliance (downloaded from Imprivata) into your hypervisor. The current deployment information is presented below; for the most current information, consult the documentation at http://support.imprivata.com.

Page 16: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

16 citrix.com

Setup

After deployment, the appliance must be setup for your environment. The Windows Domain and Citrix environments must be fully configured prior to the setup of the Imprivata OneSign appliance.

Initial setup will require configuration of basic network settings through the appliance console in the hypervisor. Details on the configuration can be found at http://support.imprivata.com/ under Documentation > Managing Imprivata Appliances > Virtual Appliance > Configuring Imprivata Virtual Appliances

Additional configurations to connect the appliance into your existing Active Directory as well as perform a basic setup are displayed below:

Page 17: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

17 citrix.com

Acceptance of the license agreement(s) is shown below.

It is assumed that this will be the first Imprivata appliance in the environment and as such, a new enterprise would be created. Additional Imprivata appliances can be added to the environment after initial configuration. Details of this procedure can be found at http://support.imprivata.com .

Page 18: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

18 citrix.com

Enter an appropriate site name pertinent to your environment.

Select a superadmin and admin password for the Imprivata appliance. The superadmin and admin passwords should be unique and not identical to any other passwords used in the environment.

.

Page 19: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

19 citrix.com

Configuration of DNS, NTP, and SMTP servers is shown above. An SMTP server is only necessary for receiving email from the Imprivata Appliance. An entry for setup is required but it does not need to be a live server as seen below.

Page 20: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

20 citrix.com

If you receive a SMTP error as shown, you can ignore it as defined by Imprivata.

Successful completion of the Imprivata appliance setup will generate this message. From here, you can continue on to the configuration of connecting to Active Directory, or to the appliance console itself. It is best to finish the Active Directory configuration prior to additional configurations.

Page 21: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

21 citrix.com

User Sync - Active Directory

Active Directory User Sync was used to import pre-existing Active Directory users into the OneSign appliance. There can be stand-alone Imprivata users, however integration with Active Directory is the recommended method. Additionally, a decision has to be made on where to control the user accounts themselves. User account status (enable/disable) can be controlled either through Active Directory or through Imprivata for the control of users. This decision needs to be made at the time of Active Directory User Sync and will be dependent upon your own needs.

Page 22: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

22 citrix.com

Imprivata Computer Policies

In order to facilitate configuration under User Policies, it is important to configure the Computer Policies to provide access to published applications and desktops prior to user policy modification. The previously configured Legacy PNAgent servers need to be configured for both XenApp and XenDesktop. This configuration is accomplished as follows:

Computers

Virtual desktops > Citrix XenDesktop

o Enter the PNAgent site

o Allow authentication from XenDesktop-enabled devices

Virtual desktops > Citrix XenApp

o Enter the PNAgent site

o Add the application(s) and authentication type

o Allow authentication from XenApp-enabled devices

Depending on the configuration required, multiple policies need to be created. Below is a summary of the policies created for each specific use case, outlined in this document. A full listing of the options for computer policies is available at http://support.imprivata.com under Documentation > Managing Endpoint Computers > Computer Policies. If ThinOS based systems are to be utilized it is necessary to have a complete PNAgent site address, including /config.xml.

Changes to the computer policies are required to provide connectivity to the Citrix environment. The included default Computer Policy was utilized as a base template for the changes and additions made toward the custom policies used in testing. Unless otherwise noted, default settings from the default Computer Policy were kept. These are the minimum required additions to the default computer policy to enable the features needed for the three scenarios.

Citrix XenApp Fast Connect

General > Display Name Format

o Modified to display user name only

General > Agent Upgrade

o Selected Do Nothing when upgrade available

General > Card Readers

o Selected Beep card reader when user taps card

Remaining Fast Connect configuration is handled at the Domain level via GPO.

Citrix XenApp Auto-launch

General > Display Name Format

o Modified to display user name only

General > Agent Upgrade

o Selected Do Nothing when upgrade available

General > Card Readers

o Selected Beep card reader when user taps card

Page 23: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

23 citrix.com

Virtual Desktops

o Citrix XenApp sections

o Automated access was enabled for XenApp and the appropriate previously configured PNAgent address was selected.

Citrix XenDesktop Auto-launch

General > Display Name Format

o Modified to display user name only

General > Agent Upgrade

o Selected Do Nothing when upgrade available

General > Card Readers

o Selected Beep card reader when user taps card

Virtual Desktops

o Citrix XenDesktop sections

o Automated access was enabled for XenDesktop and the appropriate previously configured PNAgent address was selected.

Imprivata User Policies

Depending on the configuration required there will need to be multiple policies created. Below is a summary of the policies created for each specific use case, outlined in this document. A full listing of the options for user policies is available at http://support.imprivata.com under Documentation > Managing Users > User Policies.

Changes to the user policies are required to provide connectivity to the Citrix environment. The included default User Policy was utilized as a base template for the changes and additions made toward the custom policies used in testing. Unless otherwise noted, default settings from the default User Policy were kept. These are the minimum required additions to the default user policy to enable the features needed for the three scenarios.

Citrix XenApp Fast Connect

Authentication > Desktop Access Authentication

o Added Proximity Card with no second factor

Remaining Fast Connect configuration is handled at the Domain level via GPO.

Citrix XenApp Auto-launch

Authentication > Desktop Access Authentication

o Added Proximity Card with no second factor

Virtual Desktops

o Enable virtual desktop automation (Requires configuration under Computers > Virtual Desktops as previously detailed)

Page 24: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

24 citrix.com

o Select automated access to apps or published desktops

Select the application or published desktop established under Virtual Desktops to launch on the endpoint.

Citrix XenDesktop Auto-launch

Authentication > Desktop Access Authentication

o Added Proximity Card with no second factor

Virtual Desktops

o Enable virtual desktop automation (Requires configuration under Computers > Virtual Desktops as previously detailed)

o Select automated access to full VDI desktops

Select the Citrix VDI desktops.

A separate policy is required for each of the XenDesktop and XenApp configurations.

Page 25: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

25 citrix.com

Fast-Connect Specific Configuration

Citrix Fast-Connect requires additional configuration to allow for the automated population of applications and desktops provided by StoreFront through Self Service (formerly PNAgent) as part of Citrix Receiver on the client machine. The optimal method to apply these configurations is to utilize group policy through Windows Active Directory. The additional installation of the Citrix Receiver ADMX templates will need to be completed on the domain controllers.

All base configurations needed to implement self-service were documented in the Pass-through Authentication and PNAgent setup section above. The additional configuration needed is to apply the StoreFront accounts that will be available to the user. These accounts are configured by the Citrix Receiver ADMX template.

In Group Policy Editor: Computer Configuration > Administrative Templates > Citrix Components > Citrix Receiver > Storefront is the StoreFront accounts list setting. Under this setting, when enabled, the listed StoreFront accounts will be available. The syntax is as follows:

StoreName;StoreURL;StoreEnabledState;Description

Imprivata;https://Healthcare.citrix.com/Citrix/Store;On;Healthcare Applications

Page 26: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

26 citrix.com

Virtual Desktop Configuration

Citrix XenDesktop and XenApp server connections were made via Computers > Virtual Desktops under the Imprivata Appliance. These connections utilized PNAgent sites via the StoreFront server. The StoreFront servers modified to provide the PNAgent functionality can be the existing secure StoreFront servers, or dedicated StoreFront PNAgent servers, depending on individual needs and security concerns. The XenDesktop Controllers will also need to be modified to achieve PNAgent launching. See Pass-Through Authentication Setup to enable PNAgent sites in StoreFront and to configure the XenDesktop Controller to accept these connections.

Imprivata Agent Setup

The Imprivata Agent is required to be installed on all endpoint and XenApp servers. The agent allows for assignment of user and computer policies on the endpoints and XenApp servers. Additionally, the usage of SSO features on the XenApp server, which are passed from the initial sign-on at the endpoint rely on this client as well. The Imprivata Agent can be downloaded from the Imprivata Appliance and then run on the computers that require the agent installation. The option to choose below will depend on the type of server that the agent is being installed on.

Single User Computer

Select this client installation for a workstation or terminal that will be used by a single user logon or a single user at a time. This agent requires a full user logoff for another user to then logon, also closing any running applications at that time.

Shared Kiosk Workstation

Select this client installation for a shared workstation or kiosk system where multiple users will be logging on. This agent allows a single workstation to support multiple users utilizing fast user switching to maintain the logged on users session. Each session will still be present and active on the system, removing the need for a new logon and profile load each time a user logs on.

Citrix or Terminal Server

Select this client installation for a Citrix XenApp or Windows Terminal server.

Page 27: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

27 citrix.com

Wyse Terminals

Windows 7 Embedded Setup

All configurations on Wyse terminals were conducted from a clean base re-imaged system for Windows-based terminals. The terminals were domain-joined with only the default domain GPOs applied to them. These Windows-based terminals then had Citrix Receiver updated. An additional step was required during the reinstallation of Citrix Receiver to enable the SSO feature, which by default is disabled on a standard installation.

The switch; /IncludeSSON, was appended to the Receiver.exe upon launch for installation. This switch will install and enable the SSO features found in Receiver without further interaction. This step is included in the Pass-Through Authentication documentation at: http://support.citrix.com/article/CTX200157

An issue can be encountered when installing Citrix Receiver or Imprivata on the Windows client where an out of space error can occur. This occurs because of the limited size of the Ramdisk (100MB default). In order to complete installation/reinstallation, the Ramdisk of the Wyse terminal will need to be expanded (512MB maximum).

Windows 7 Embedded Imprivata Agent Setup

Windows-based Wyse Terminals require the Imprivata Agent to be installed locally. The agent then allows for expanded logon options and provides communication back to the Imprivata appliance which then allows the use of single sign-on and the ability to apply computer policies. It is from these and the user policies where the specific auto-launching can be configured as detailed above.

Download the appropriate agent from the Imprivata appliance: Computers > Deploy Agents.

Page 28: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

28 citrix.com

Install the Agent on the terminal.

Select the installation as a Single User Computer.

.

Page 29: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

29 citrix.com

Xenith 2.0 Setup

The second type of terminal utilized is the Dell Wyse Xenith 2.0 Linux based devices. These systems come preconfigured to support both Citrix and Imprivata software. Additionally, all required drivers are preinstalled. A clean base image of the systems was utilized and all configuration was accomplished utilizing configuration files.

Xenith DHCP Settings

Dell Wyse Xenith terminals utilize several DHCP scope options in order to provide file and server locations for the files necessary for the terminal’s configuration. Dell Wyse Xenith documentation provides a full listing of the available options. Below are the minimum options used to provide configuration for this project. Wyse Device Manager is not specifically needed for configuration, but does provide more efficient management of the terminals.

DHCP Scope Option:

161 - File Server address for xen.ini or wnos.ini file access

This option is needed to provide a location for either a xen.ini or wnos.ini file to the terminal. This option supports HTTP/HTTPS/FTP for the protocol. Anonymous access will be used by the terminal unless specified differently. If an SSL secured connection is to be used, the associated SSL certificate needs to be installed on the terminal.

186 - WDM server address for terminal management

This option is used to identify the location of the WDM (Wyse Device Manager) server. This component is not necessary but is convenient for image and machine management.

Xenith Xen.ini File

A xen.ini file is required to configure a Xenith Terminal for use as an Imprivata OneSign device. In addition to the file, a web server that is capable of supporting either HTTP/HTTPS/FTP is required to allow the terminal to pull the .ini file. If an SSL-secured connection is to be used, the associated SSL certificate needs to be installed on the terminal.

Wyse Xenith terminals have the required Imprivata OneSign components already present on the device. A xen.ini file is used to configure the Imprivata server address. Reference the Wyse Xenith Admin Guide (https://support.citrix.com/servlet/KbServlet/download/24292-102-647331/Xenith_Admin_Guide_MAY2010.pdf) for additional xen.ini file parameters and configuration.

The parameters for Imprivata are as follows:

OneSignServer=https://<Server IP or FQDN>

This parameter is used in the xen.ini file to establish the location of the OneSign Server. This address should be HTTPS and will require the OneSign Server SSL certificate to be present on the terminal.

SignOn=<Yes|No>

This parameter is used in the xen.ini file to enable or disable single sign-on.

Page 30: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

30 citrix.com

Verification

In order to verify that the Imprivata single sign-on is functioning correctly, an optional message can be presented at the time of log on. This message can display several different variations of the user’s name or login to confirm that the log on correctly occurred with Imprivata.

Initial Login Screen:

Page 31: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

31 citrix.com

Successful log on with Imprivata will yield a confirmation screen, as shown below:

Successful log on with Imprivata single sign-on will produce the below message. After this point, the single sign-on capabilities can be fully utilized.

Utilizing the basic single sign-on infrastructure configured from this document, the process to reduce physician and clinician logon complexity and time begins; refocusing their attention onto their primary responsibility, the patient. At the same time, we begin to eliminate the frustration of juggling multiple complex logons while simultaneously increasing patient electronic record security. A standardized set of applications or desktops can now be provided dependent on location or responsibility.

The Imprivata Single Sign-On solution offers multiple secure authentication methods from a configured endpoint. Utilizing RFID technology now removes the possibility of a password being forgotten or lost, and allows for tap to sign-in authentication. This, combined with application auto-launch, now provides the ability for a single tap to authenticate and launch needed applications with no further interaction on the physician or clinician’s part.

Page 32: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

32 citrix.com

Section 5: Appendix

Appendix A

Company Sites

http://www.citrix.com/

http://www.imprivata.com/

Products

NetScaler:

http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html

StoreFront

http://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-30.html

XenApp

http://www.citrix.com/products/xenapp/overview.html

XenDesktop

http://www.citrix.com/products/xendesktop/go-overview.html

OneSign

http://www.imprivata.com/

Support

Citrix Online Documentation:

http://docs.citrix.com/

Imprivata Support Site:

https://support.imprivata.com

How to Configure Citrix Receiver Pass-Through Authentication for StoreFront or Web Interface:

http://support.citrix.com/article/CTX200157

How to Remove Client Files Remaining on System after Uninstalling Receiver for Windows:

http://support.citrix.com/article/CTX325140

Page 33: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

33 citrix.com

Corporate Headquarters

Fort Lauderdale, FL, USA

Silicon Valley Headquarters

Santa Clara, CA, USA

EMEA Headquarters

Schaffhausen, Switzerland

India Development Center

Bangalore, India

Online Division Headquarters

Santa Barbara, CA, USA

Pacific Headquarters

Hong Kong, China

Latin America Headquarters

Coral Gables, FL, USA

UK Development Center

Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking

and SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure,

mobile workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network

and cloud. With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100

million users globally. Learn more at www.citrix.com

Page 34: Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare

Imprivata OneSIgn and XenApp and XenDesktop 7.6 Healthcare Design Guide

Copyright © 2015 Citrix Systems, Inc. All rights reserved. NetScaler, StoreFront, XenApp and XenDesktop are trademarks of Citrix Systems,

Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned

herein may be trademarks of their respective companies.