Nelson Esteves NPG Escalation TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition

Upload: rianne

Post on 17-Jan-2016

DESCRIPTION

Nelson Esteves NPG Escalation. TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition. Agenda. Integrating Repeater with Access Gateway Enterprise. Integration with Microsoft SharePoint. Security Expressions and Smart Access. Including Advanced Troubleshooting. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Nelson Esteves NPG Escalation

Nelson Esteves

NPG Escalation

TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition

Page 2:

Agenda

Integrating Repeater with Access Gateway Enterprise

Integration with Microsoft SharePoint

Security Expressions and Smart Access

Including Advanced Troubleshooting

Page 3:

Agenda, section 1: Integrating Repeater with Access Gateway Enterprise

Page 4:

Branch Repeater Integration

Traffic between the client and the secure network is optimized before passing through the VPN tunnel.

Diagram: the path through the Repeater is labelled "Optimized", the direct path "Not Optimized".

Page 5:

Deployment Architecture

Diagram: Remote and Mobile Workspaces (running the Access Gateway Plugin and the Branch Repeater Plugin) connect to the Data Center and Corporate Offices. There, Access Gateway provides secure access to applications, desktops and networks, and Branch Repeater provides compression and acceleration in front of the File Shares and Web Applications.

Page 6:

Branch Repeater Integration

Repeater integration is enabled or disabled through a Traffic Profile.

Page 7:

Branch Repeater Integration

Redirector mode: a traffic policy expression must be created that matches the signaling IP address of the Repeater appliance.

Transparent mode: a traffic policy must be created that covers all backend servers the client accesses.

Only one Repeater traffic policy is evaluated when policies are bound at the virtual server level or globally, so that single policy must cover every flow that should be optimized.

Enabling Repeater in a traffic policy disallows the Single Sign-On, File Type Association and HTTP authorization features in that same policy; traffic that needs those features must be matched by a separate policy.

Page 8:

Agenda, section 2: Integration with Microsoft SharePoint

Page 9:

Integration with Microsoft SharePoint

Access Gateway Enterprise Edition 9.0 can rewrite content from a SharePoint site so that it is available to users without requiring the Access Gateway Plug-in.

This avoids administrators having to deploy VPN access to users who only need SharePoint.

For the rewrite process to complete successfully, the Access Gateway must be configured with the Web address of each SharePoint server in your network.

In most environments where SharePoint is accessed externally, administrators have to configure what SharePoint calls Alternate Access Mapping (AAM).

Page 10:

Integration with Microsoft SharePoint

Alternate Access Mapping in SharePoint 2007 (screenshot of the AAM configuration page)

TOO COMPLEX!!!

Page 11:

Integration with Microsoft SharePoint

New with Access Gateway Enterprise is full support for Microsoft SharePoint via clientless access.

This means administrators no longer have to configure internet, intranet and other zone addresses for a SharePoint site.

With Access Gateway Enterprise Edition you now have full access to SharePoint and its features without having to deploy VPN access.

How to implement it? A single configuration entry is all it takes; the rewrite engine makes the necessary changes to the SharePoint pages.

Page 12:

Integration with Microsoft SharePoint

Powerful rewrite engine at work

Screenshots: the HTML source of the original SharePoint page, and the same page served via Access Gateway Enterprise clientless access after rewriting.

Page 13:

Clientless Access to SharePoint

Version: Supported

SharePoint Portal Server 2007: Yes

SharePoint Portal Server 2003: Yes

SharePoint Services for Windows 2003 Server R2: Yes

SharePoint Services Service Pack 2: Yes

Page 14:

Clientless Access to SharePoint

Supported operations:

WISP

Check-In

Check-Out

Version History

View Properties

Edit Properties

Delete

Alert Me

Document download

Document upload (single file)

Document upload (multiple files)

Document check-out

Document check-in

Single sign-on and graceful logout

Page 15:

Agenda, section 3: Security Expressions and Smart Access

Page 16:

Policy Expressions

Example from the slide: a policy named allow_ftp whose expression tests DESTIP == 10.9.13.60 and DESTPORT == 21, with the action Allow.

Expressions:
• Can be single or compound
• Consist of a name, qualifier and operator
• Are evaluated by AGEE to determine whether a policy is applied

Page 17:

Match All Expressions

A Match All expression uses the AND operator to form the expression.

Resulting Expression: av_5_TrendMicro_11_25 && av_5_TrendMicroOfficeScan_7_3

Page 18:

Tabular Expressions

Tabular Expressions let you create custom compound expressions with the aid of graphical operators and a preview display.

Page 19:

Advanced Free-Form

Expressions can be created and edited manually; the expression must, however, be a valid rule.

Useful for creating complex expressions, using custom qualifiers, using additional operators, and previewing an expression built using the other methods.
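The following is an added example, not code from the presentation or from Citrix, that evaluates the expression forms shown on Pages 16 to 19 against a client: a single named check such as av_5_TrendMicro_11_25, the Match All compound (checks joined with &&), a Match Any compound (joined with ||), and a free-form rule mixing both with ! and parentheses. The qualifier names DESTIP and DESTPORT and the check names come from the slides; the client attributes are constructed, and the grammar is a simplification of the real expression language. Unknown checks and qualifiers evaluate false, and an invalid rule is rejected rather than silently misread.

```python
"""Evaluate AGEE-style policy expressions against a client's attributes.

Added example, not Citrix code. Grammar (simplified):
  or_expr  := and_expr ('||' and_expr)*
  and_expr := term ('&&' term)*
  term     := '!' term | '(' or_expr ')' | check | qualifier '==' value
"""
import re

# Tokens: parentheses, operators, identifiers (named checks or qualifiers)
# and literal values. The final \S alternative catches any character the
# grammar does not know, so an invalid rule raises instead of misparsing.
_TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|==|[A-Za-z_][\w.]*|[\d.]+|\S")
_OPERATORS = {"(", ")", "&&", "||", "!", "=="}


def _tokenize(rule):
    tokens = _TOKEN_RE.findall(rule)
    for token in tokens:
        if token not in _OPERATORS and not re.fullmatch(r"[\w.]+", token):
            raise ValueError(f"invalid character {token!r} in rule")
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        token = self.peek()
        if token is None or (expected is not None and token != expected):
            raise ValueError(f"expected {expected or 'a term'}, got {token!r}")
        self.pos += 1
        return token

    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.term()
        while self.peek() == "&&":
            self.take()
            left = ("and", left, self.term())
        return left

    def term(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        name = self.take()
        if name in _OPERATORS:
            raise ValueError(f"expected a check or qualifier, got {name!r}")
        if self.peek() == "==":
            self.take()
            value = self.take()
            if value in _OPERATORS:
                raise ValueError(f"expected a value, got {value!r}")
            return ("eq", name, value)
        return ("check", name)


def _evaluate(node, client):
    kind = node[0]
    if kind == "and":
        return _evaluate(node[1], client) and _evaluate(node[2], client)
    if kind == "or":
        return _evaluate(node[1], client) or _evaluate(node[2], client)
    if kind == "not":
        return not _evaluate(node[1], client)
    if kind == "eq":
        # A qualifier the client did not report compares as "None": fails closed.
        return str(client.get(node[1])) == node[2]
    # A named check the client never reported counts as failed, never as passed.
    return bool(client.get(node[1], False))


def evaluate(rule, client):
    """True if the rule holds for this client, False otherwise; ValueError if the rule is invalid."""
    return _evaluate(_Parser(_tokenize(rule)).parse(), client)


def match_all(checks):
    """The Match All builder on Page 17: selected checks joined with AND."""
    return " && ".join(checks)


def match_any(checks):
    """The Match Any builder: selected checks joined with OR."""
    return " || ".join(checks)


# Constructed client: EPA results plus the flow being evaluated.
SAMPLE_CLIENT = {
    "av_5_TrendMicro_11_25": True,
    "av_5_TrendMicroOfficeScan_7_3": False,
    "DESTIP": "10.9.13.60",
    "DESTPORT": 21,
}
```

With SAMPLE_CLIENT, the Page 17 Match All expression evaluates false because the second antivirus check did not pass, while the same two checks joined with || evaluate true; the Page 16 rule DESTIP == 10.9.13.60 && DESTPORT == 21 evaluates true. Failing closed on unknown names matters in practice: a typo in a check name should deny, not grant, access.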

Page 20:

Policy aggregation, example 1: two policies bound to the same virtual server

Virtual Server
Policy A, priority 10: Home page www.citrixsynergy.com; Split Tunnel OFF; Single Sign-on not set
Policy B, priority 20: Home page www.citrix.com; Split Tunnel ON; Single Sign-on ON

Resulting Configuration: Home page www.citrixsynergy.com; Split Tunnel OFF; Single Sign-on ON

Why?

Policy results are aggregated from all policies that are true.

When policy settings conflict, priority wins (the lower priority number is the stronger policy: A at 10 beats B at 20 for the home page and for split tunnel).

When policy settings do not conflict, the results are cumulative from all policies that are true (only B sets Single Sign-on, so its ON carries through).

Page 21:

Policy aggregation, example 2: three bind points, all priority 0

Global: Policy A, priority 0: Home page www.citrix.com; Split Tunnel ON; Single Sign-on not set
Virtual Server: Policy B, priority 0: Home page www.citrixsynergy.com; Split Tunnel not set; Single Sign-on OFF
Group: Policy C, priority 0: Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON

Resulting Configuration: Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON

Page 22:

Same three policies as on Page 21 (Global Policy A, Virtual Server Policy B, Group Policy C, all priority 0).

Resulting Configuration: Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON

Why?

When policies are bound to different bind points with the same priority, the lowest (most specific) bind point wins. From least to most specific:

Global

Virtual Server

Group

User

Here the Group policy C overrides both the virtual server and the global policy on every parameter it sets.

Page 23:

Policy aggregation, example 3: three bind points with distinct priorities

Global: Policy A, priority 10: Home page www.citrix.com; Split Tunnel not set; Single Sign-on not set
Virtual Server: Policy B, priority 20: Home page www.citrixsynergy.com; Split Tunnel not set; Single Sign-on OFF
Group: Policy C, priority 30: Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON

Resulting Configuration: Home page www.citrix.com; Split Tunnel OFF; Single Sign-on OFF

Page 24:

Policy aggregation, example 3 continued (Policy C now sets Split Tunnel ON)

Global: Policy A, priority 10: Home page www.citrix.com; Split Tunnel not set; Single Sign-on not set
Virtual Server: Policy B, priority 20: Home page www.citrixsynergy.com; Split Tunnel not set; Single Sign-on OFF
Group: Policy C, priority 30: Home page www.sales.com; Split Tunnel ON; Single Sign-on ON

Resulting Configuration: Home page www.citrix.com; Split Tunnel ON; Single Sign-on OFF

Why?

Higher priority settings (the lower priority number) take precedence over bind point order: global Policy A at 10 wins the home page, and virtual server Policy B at 20 wins Single Sign-on, even though Group is the more specific bind point.

When policy settings do not conflict, the results are cumulative from all policies that are true: only Policy C sets Split Tunnel, so its value applies regardless of its priority.
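The following is an added example, not code from the presentation or from Citrix, that encodes the aggregation rules stated on Pages 20 to 24 and reproduces each slide's Resulting Configuration: every policy whose rule evaluates true contributes its settings; settings that do not conflict accumulate; where two true policies set the same parameter the lower priority number wins; and when the numbers tie, the more specific bind point wins (User over Group over Virtual Server over Global). Policy names, parameter names and values are taken from the slides; the Policy class and its fields are this model's own.

```python
"""Resolve the effective session configuration from bound AGEE policies.

Added example, not Citrix code: a model of the aggregation rules on
Pages 20 to 24 of the presentation.
"""
from dataclasses import dataclass

# Bind points from least to most specific.
BIND_POINTS = ("Global", "Virtual Server", "Group", "User")


@dataclass
class Policy:
    name: str
    bind_point: str
    priority: int
    settings: dict          # parameter -> value; a parameter left out is "not set"
    rule_true: bool = True  # outcome of evaluating the policy's expression


def precedence(policy):
    """Sort key: lower priority number first, then the more specific bind point."""
    return (policy.priority, -BIND_POINTS.index(policy.bind_point))


def resolve(policies):
    """Return {parameter: (value, name of the policy that supplied it)}.

    Only policies whose rule is true take part. They are visited strongest
    first, so the first policy to set a parameter keeps it (conflict: priority
    wins), while a parameter set by a single policy is kept from that policy
    however weak it is (no conflict: results accumulate)."""
    result = {}
    for policy in sorted((p for p in policies if p.rule_true), key=precedence):
        for parameter, value in policy.settings.items():
            result.setdefault(parameter, (value, policy.name))
    return result


def resulting_configuration(policies):
    """The values alone, as the 'Resulting Configuration' box on the slides shows them."""
    return {parameter: value for parameter, (value, _) in resolve(policies).items()}


def page_24_example():
    """Global A (10), Virtual Server B (20), Group C (30): A wins the home page,
    B wins Single Sign-on over C, and only C sets Split Tunnel so it accumulates."""
    return resulting_configuration([
        Policy("Policy A", "Global", 10, {"Home page": "www.citrix.com"}),
        Policy("Policy B", "Virtual Server", 20,
               {"Home page": "www.citrixsynergy.com", "Single Sign-on": "OFF"}),
        Policy("Policy C", "Group", 30,
               {"Home page": "www.sales.com", "Split Tunnel": "ON", "Single Sign-on": "ON"}),
    ])
```

The cumulative rule is the one to audit for: a permissive setting (Split Tunnel ON, Single Sign-on ON) in any policy that can evaluate true for a user takes effect unless a stronger policy explicitly sets that parameter, so reviewing only the highest-priority policy is not enough.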

Page 25:

Basic Firewall and Port Rules

Diagram of the External, DMZ and Internal zones with the flows that must be allowed:

Remote End User to VIP: 443, 80 (HTTP/TCP); port 80 is used only for the redirect to HTTPS

AGEE Admin to NSIP: 443, 80 (TCP/HTTP) and 3010, 3008, 22 (TCP)

NSIP to DNS: 53 (UDP)

NSIP to LDAP/LDAPS: 389/636 (TCP); prefer 636 so that bind credentials are not sent in clear

SNIP or MIP to XenApp, Web Interface and STA: 80, 8080, 443 (HTTP/TCP) and 1494, 2598 (TCP)

Page 26:

SmartAccess Workflow

Diagram: the Remote End User (External) reaches the AGEE VPN virtual server (DMZ) on 443; AGEE reaches LDAP on 389/636 and Web Interface on 80/443; Web Interface reaches the STA and XML Service and XenApp (Internal).

1) User accesses the AGEE VPN virtual server.

2) AGEE pre-authentication EPA: the EPA ActiveX control is downloaded and scans the client.

3) The EPA ActiveX sends the results back to AGEE; on pre-authentication EPA success AGEE returns the login page.

4) User supplies credentials to the logon page; Access Gateway passes the credentials to the Directory Service for validation.

5) Post-authentication AGEE session policy EPA checks are done with the existing EPA ActiveX, and the session policy EPA check results are returned to AGEE.

6) AGEE does an HTTP redirect to the website configured in the '-homepage' option (the Web Interface).

7) Web Interface returns a 401 and AGEE detects that this is a Web Interface server.

8) Access Gateway performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP header; a SessionToken is also provided.

9) Web Interface authenticates the credentials provided via the custom SSO AGCitrixBasic header.

10) WI makes an XML callback to the AGEE VPN virtual server URL preconfigured on WI, with the previously provided SessionToken, to get the EPA results; AGEE returns the EPA results to WI.

11) Web Interface sends credentials and EPA results to the Citrix XML Service, which validates them and returns the user's "smart access" application set to Web Interface.

12) Web Interface generates the "Smart Access" application set page and sends the web page back to the user.

Page 27:

Deeper Look at Security Scans – Pre-Auth

• Redirect to /epa/epa.html

• The EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with an HTTP header called CSEC

• If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3. Example: (trace screenshot, not included in the transcript)
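The following is an added example, not code from the presentation or from Citrix, that extracts the pre-authentication EPA verdict from a captured HTTP exchange using the observable stated on this slide: after the GET for /epaq, the client's next GET carries a CSEC header whose value is 0 when the scan passed and 3 when it failed. The parser is generic HTTP/1.x header handling; the sample requests, the hostname gateway.example.com and the /vpn/index.html path are constructed, not captured.

```python
"""Pull pre-authentication EPA verdicts out of captured HTTP requests.

Added example, not Citrix code. Values 0 and 3 for the CSEC header are the
ones the presentation documents; anything else is reported as unknown.
"""

CSEC_PASSED = "0"
CSEC_FAILED = "3"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def epa_outcome(raw):
    """'pass', 'fail' or 'unknown' for the request that follows the /epaq GET."""
    _method, _path, headers = parse_request(raw)
    value = headers.get("csec")
    if value == CSEC_PASSED:
        return "pass"
    if value == CSEC_FAILED:
        return "fail"
    return "unknown"   # header absent, or a value the slide does not document


def scan_results(requests):
    """Walk a trace in order and pair each GET /epaq with the verdict carried
    by the request that immediately follows it."""
    results = []
    for i, raw in enumerate(requests[:-1]):
        method, path, _ = parse_request(raw)
        if method == "GET" and path == "/epaq":
            results.append(epa_outcome(requests[i + 1]))
    return results


# Constructed exchanges laid out as the slide describes them (not real captures).
SAMPLE_PASS = [
    "GET /epaq HTTP/1.1\r\nHost: gateway.example.com\r\n\r\n",
    "GET /vpn/index.html HTTP/1.1\r\nHost: gateway.example.com\r\nCSEC: 0\r\n\r\n",
]
SAMPLE_FAIL = [
    "GET /epaq HTTP/1.1\r\nHost: gateway.example.com\r\n\r\n",
    "GET /vpn/index.html HTTP/1.1\r\nHost: gateway.example.com\r\ncsec: 3\r\n\r\n",
]
```

When reading a decrypted trace, treat the CSEC value as what the client reported and correlate it with what the gateway did next (login page returned or not); the header is client-supplied evidence of the scan, not the gateway's decision.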

Page 28:

Deeper Look Into Smart Access

• Client logs in to Access Gateway and is redirected to Web Interface

• During this redirection the client sends a request to /auth/agesso.aspx

• Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, this time with an authentication header

• Web Interface then validates the credentials via a POST back to Access Gateway

• If that connection succeeds, the Access Gateway returns a 200 OK containing all the Smart Access information needed by Web Interface. Example: (trace screenshot, not included in the transcript)

How Did I Do That ????

Page 29:

Decrypting a Network Trace

• In order to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI (screenshot):

• Or via the command line (screenshot):

• Once the network trace has run it will be placed under /var/nstrace/

*** important: since this is SSL traffic the trace has to start before any request is made; Wireshark can only decrypt a session whose full handshake it has captured ***

• Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click Edit and then Preferences, and select SSL under Protocols:

• Under RSA Key List enter: <target IP>,<port>,<protocol>,<path to private key>

• Once that is done the traffic will be decrypted and you will be able to analyze it.

Two caveats: this only works for cipher suites that use RSA key exchange; if the virtual server negotiates an ephemeral Diffie-Hellman (DHE or ECDHE) suite, the server private key does not recover the session keys. And the private key is the most sensitive file on the appliance: copy it only to a controlled workstation and delete the copy when the analysis is done.

Page 30:

What if the private key is not available?

How to create an HTTP debug virtual server (screenshot): an Access Gateway virtual server of type HTTP lets you capture the same exchange unencrypted. Because credentials and session tokens then cross the wire in clear, bind it to an internal test address, restrict who can reach it, and remove it when the troubleshooting is done.

Page 31:

What if the private key is secured?

If the private key was created with a passphrase, it can be decrypted via openssl (the slide shows the openssl rsa invocation that writes a passphrase-free copy of the key). Treat that copy with the same care as the original and delete it once Wireshark no longer needs it.

Page 32:

Published Application Launch Process

Diagram: the Remote End User (External) reaches Access Gateway (DMZ) on 443; Access Gateway reaches Web Interface and the STA and XML Service on 80/443 and XenApp on 1494/2598 (Internal).

1) User clicks an application icon. The request is sent to Web Interface.

2) Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application. The XML Service returns the XenApp IP address.

3) Web Interface contacts the STA to exchange the XenApp IP address for a ticket.

4) Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket. The ICA file is sent back to the client device.

5) The ICA client sends the ICA request to Access Gateway.

6) Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address.

7) Access Gateway contacts XenApp to initiate the ICA session. The ICA session is established.

The client therefore never sees the internal XenApp address: it receives only the gateway FQDN and an opaque ticket, and only the gateway, which can reach the STA, can turn that ticket back into an address.
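The following is an added example, not code from the presentation or from Citrix, that models the seven launch steps above: Web Interface picks the least loaded server, swaps its address for a ticket at the STA and hands the client an ICA file naming only the Access Gateway FQDN and the ticket; the gateway then redeems the ticket to learn where to connect. The ticket format, the 100-second lifetime, single-use redemption and the dict standing in for the ICA file are assumptions of this model, not a description of Citrix's STA implementation; the server addresses and loads are constructed.

```python
"""Model the STA ticket exchange behind a published application launch.

Added example, not Citrix code. Lifetime, single use and the ticket format
are this model's assumptions.
"""
import secrets
import time


class SecureTicketAuthority:
    """Issues opaque, short-lived, single-use tickets for internal addresses."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self.ttl_seconds = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._tickets = {}            # ticket -> (xenapp_address, expires_at)

    def issue(self, xenapp_address):
        ticket = secrets.token_hex(16)   # unguessable and carries no information
        self._tickets[ticket] = (xenapp_address, self.clock() + self.ttl_seconds)
        return ticket

    def redeem(self, ticket):
        entry = self._tickets.pop(ticket, None)   # pop: a ticket is redeemed once
        if entry is None:
            return None                           # unknown, forged or replayed
        xenapp_address, expires_at = entry
        if self.clock() > expires_at:
            return None                           # issued too long ago
        return xenapp_address


def least_loaded_server(xml_service):
    """Stand-in for the XML Service query; xml_service maps server address to load."""
    return min(xml_service, key=xml_service.get)


def web_interface_launch(sta, xml_service, gateway_fqdn):
    """Steps 1 to 4. The returned dict plays the part of the ICA file: it names
    the gateway and the ticket, never the XenApp address."""
    xenapp_address = least_loaded_server(xml_service)
    ticket = sta.issue(xenapp_address)
    return {"SSLProxyHost": gateway_fqdn, "STATicket": ticket}


def access_gateway_launch(sta, ica_file):
    """Steps 5 to 7. The gateway validates the ticket with the STA; only a
    valid, unexpired, unused ticket yields an address to connect to."""
    xenapp_address = sta.redeem(ica_file["STATicket"])
    if xenapp_address is None:
        return {"status": "rejected"}
    return {"status": "connected", "xenapp": xenapp_address}
```

Running the launch twice with the same ICA file shows why a captured ICA file is of little use to an attacker: the second redemption is rejected, and so is a forged or expired ticket. Whether this matches the real STA's exact behaviour is, again, an assumption of the model.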

Page 33:

XenApp Integration: Web Interface Site Type

Specify the URL to the Virtual Server's FQDN; Web Interface must be able to resolve the FQDN.

(Screenshot of the Web Interface site type settings; the component diagram highlights Web Interface among Web Interface, XenApp and Access Gateway.)

Page 34:

XenApp Integration: Web Interface DMZ Settings

Set the DMZ Access Method to Gateway Direct.

(Screenshot of the Web Interface DMZ settings; the component diagram highlights Web Interface.)

Page 35:

XenApp Integration: Web Interface Gateway Settings

Specify the Access Gateway Virtual Server's FQDN as the Gateway Server.

(Screenshot of the Web Interface gateway settings; the component diagram highlights Web Interface.)

Page 36:

XenApp Integration: Web Interface Gateway Settings

Enter the STA server URL address.

(Screenshot of the Web Interface STA settings; the component diagram highlights Web Interface.)

Page 37:

XenApp Integration: Session Profile Configuration

URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform

ICA Proxy ON tells AGEE not to launch the Secure Access Client

ICA Proxy ON enables SSO to WI

Single Sign-On Domain defines the user's domain name

Embedded Web Interface display format: Full or Compact

Page 38:

XenApp Integration: Defining STA Server

The STA Server ID and State are monitored by AGEE.

Multiple STA Servers can be defined for failover.

(Screenshot of the STA server configuration; the component diagram highlights Access Gateway among Web Interface, XenApp and Access Gateway.)

Page 39:

Troubleshooting SSL Related Errors

(Video, not included in the transcript)

Page 40:

Session Takeaways

Only one traffic policy is evaluated at a time

Integration with SharePoint requires all hostnames used internally

SmartAccess requires the name of the virtual server and policy for the XenApp policy to be applied

When decrypting a network trace, start the trace before sending the first request

Private keys can be decrypted if the password is known

An HTTP Access Gateway virtual server can be used for debugging

Page 41:

Partner Training & Certification

Build your product expertise and maximize your sales potential with the latest Citrix training and certification:

Access Gateway
• CAG-200 Implementing Citrix Access Gateway 9.0 Enterprise Edition
• CMB-204 Implementing Citrix XenApp 5.0 for Windows Server 2008 with Access Gateway Enterprise Edition
• CCA for Citrix Access Gateway 9 Enterprise Edition

WANScaler
• CTX-1741AI Citrix WANScaler 4.3 and Citrix Branch Repeater: Administration
• CCA for Citrix WANScaler 4

Visit www.citrix.com/partnertraining to view a complete list of discounted Partner offerings and learn how to maintain compliance with Citrix Certification.

Page 42:

Before you leave…

• Recommended related Summit breakout sessions:
• TECH307: Advanced troubleshooting of Citrix NetScaler, Premier Ballroom 310, 2:30pm
• TECH305: Troubleshooting tools and methodology for Citrix XenApp 5 environments, Premier Ballroom 310, 4:30pm

• Session surveys are available online at www.citrixsummit.com starting Monday, May 4. Feedback is requested (giveaway provided).

• Download presentations starting Tuesday, May 12, from your My Schedule Tool located in your My Synergy Microsite event account.
