1
TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition
Nelson Esteves, NPG Escalation
2
Agenda
- Integrating Repeater with Access Gateway Enterprise
- Integration with Microsoft SharePoint
- Security Expressions and Smart Access
- Including Advanced Troubleshooting
3
Integrating Repeater with Access Gateway Enterprise
4
Branch Repeater Integration
Traffic between the client and the secure network is optimized before passing through the VPN tunnel (diagram labels: Optimized / Not Optimized). When both the WANScaler client and the Access Gateway client are installed on a user's system, traffic between the client and the secure network is optimized by WANScaler before traversing the VPN tunnel. After passing through the Access Gateway, optimized traffic flows through a WANScaler appliance en route to servers on the secure network. WANScaler optimization alters TCP traffic in such a way that HTTP headers and cookies become unrecognizable to the Access Gateway. Therefore any traffic which requires in-flight modification by Access Gateway (such as single sign-on or File Type Association) must be excluded from WANScaler optimization. An initial analysis of WANScaler and Access Gateway features and use cases suggests that WANScaler optimization needs to be enabled or disabled dynamically on a per-connection basis.
5
Deployment Architecture
Diagram labels: Data Center and Corporate Offices; Remote and Mobile Workspaces; Access Gateway (secure access to applications, desktops, networks); Branch Repeater (compression, acceleration); Branch Repeater Plugin; Access Gateway Plugin; File Shares and Web Applications.
The WANScaler will be co-deployed with AGEE in the way shown in Figure 1. The remote-side WANScaler functionality is integrated into the client PC, and the server-side WANScaler is configured in inline mode and sits right in front of the application servers. AGEE is still located in the DMZ. The WANScaler Client operates in inline mode, which means that it preserves the source and destination IP addresses and port numbers of connections that traverse it. The deployment is also transparent, in the sense that the AGEE appliance does not need any special configuration and can be oblivious to the presence or absence of the WANScaler appliance. The AGEE Agent on the client auto-detects the presence of the WANScaler Client software (if it is installed) and configures it appropriately. The presence or absence of the WANScaler appliance is automatically detected by the WANScaler Client software: if the appliance were to go down, its relay flips, causing it to behave like an Ethernet wire (existing connections will be dropped, and new connections will not be accelerated).
6
Branch Repeater Integration
Repeater integration is enabled/disabled through a traffic profile. WANScaler optimization alters TCP traffic in such a way that HTTP headers and cookies become unrecognizable to the Access Gateway. Therefore any traffic which requires in-flight modification by Access Gateway (such as single sign-on or File Type Association) must be excluded from WANScaler optimization. Traffic policies can be bound at any of the four levels (Global, Virtual Server, Group, User). If WANScaler is enabled by a traffic action for a particular IP address, then the SSO, FTA and HTTP authorization features will not work, because WANScaler may compress the data and SSO, FTA and HTTP authorization require that NetScaler look at the HTTP headers and parse them.
7
Branch Repeater Integration
Design considerations:
- Redirector mode: a traffic policy expression must be created for the signaling IP address of the Repeater appliance.
- Transparent mode: a traffic policy must be created which covers all backend servers the client is accessing.
- Only one Repeater traffic policy will be evaluated when bound at the virtual server level or globally.
- Enabling Repeater in a traffic policy will disallow the Single Sign-On, File Type Association and HTTP authorization features.
The following information was obtained from the functional spec document for this feature. In Redirector mode a traffic action needs to be configured with the rule "DESTIP == <signaling ip of the wanscaler appliance>" and the wanscaler option should be turned on in this traffic action. In Transparent mode there should be one traffic action configured for each of the backend servers behind the WANScaler appliance which the client is accessing. If there are multiple traffic policies bound to the vpn vserver or vpn global, then the traffic policy with the highest priority takes effect, and the configuration in that traffic action decides whether the TCP options are preserved or not. If two policies have the same priority, the configuration order decides which of the two policies takes effect. If WANScaler is enabled by a traffic action for a particular IP address, then the SSO, FTA and HTTP authorization features will not work, because WANScaler may compress the data and those features require that NetScaler look at the HTTP headers and parse them. Presenter note: TCP flow control is not currently available for WANScaler clients connecting through AG; the AG+WS integration provides compression only at this time.
8
Integration with Microsoft SharePoint
9
Integration with Microsoft SharePoint
Access Gateway Enterprise Edition 9.0 can rewrite content from a SharePoint site so that it is available to users without requiring the Access Gateway Plug-in. This avoids administrators having to deploy VPN access to users who require access to SharePoint. For the rewrite process to complete successfully, the Access Gateway must be configured with the Web address of each SharePoint server in your network. In most environments where SharePoint is accessed externally, administrators have to configure what is called Alternate Access Mapping.
10
Integration with Microsoft SharePoint
Alternate Address Mapping in SharePoint 2007 TOO COMPLEX!!!
11
Integration with Microsoft SharePoint
New with Access Gateway Enterprise is full support of Microsoft SharePoint via clientless access. This basically means that administrators no longer have to configure internet, intranet, etc. addresses for a SharePoint site. With Access Gateway Enterprise Edition you now have full access to SharePoint and its features without having to deploy VPN access. How to implement it? All it takes is one single configuration entry, and the rewrite engine will make the necessary changes to the SharePoint pages.
12
Integration with Microsoft SharePoint
Powerful rewrite engine at work. (Slide shows two screenshots: the sample source of the original SharePoint page, and the same page served via Access Gateway Enterprise clientless access.)
13
Clientless Access to SharePoint
Version: Supported
- SharePoint Portal Server 2007: Yes
- SharePoint Portal Server 2003: (not captured)
- SharePoint Services for Windows 2003 Server R2: (not captured)
- SharePoint Services Service Pack 2: (not captured)
14
Clientless Access to SharePoint
Supported SharePoint features (WISP):
- Check-In
- Check-Out
- Version History
- View Properties
- Edit Properties
- Delete
- Alert Me
- Document download
- Document upload (single file)
- Document upload (multiple files)
- Document check-out
- Document check-in
- Single sign-on and graceful logout
15
Security Expressions and Smart Access
16
Policy Expressions
Expressions can be single or compound. They consist of a Name, Qualifier and Operator, and are evaluated by AGEE to determine if a policy is applied. Example (as captured on the slide; the destination value is missing): add authorization policy allow_ftp "DESTIP == ALLOW
The unary expression is the basic building block of policies. It is created with a unique name that should be descriptive of what it examines. For example, an expression that looks for IE6 browsers by examining the user-agent string in the HTTP header could be named IE_6_Cli. This name can be used to refer to the expression when creating compound expressions or when binding it as a rule. The qualifiers specify what is to be examined. The operator defines how it is to be examined, and the value specifies what the qualifier is compared with.
Breakdown of allow_ftp:
- Name: allow_ftp
- Qualifier: DESTIP, DESTPORT
- Operator: ==
- Value: Port 21
- Action: Allow
17
Match All Expressions: Match All uses the AND operator to form the expression. Resulting expression: av_5_TrendMicro_11_25 && av_5_TrendMicroOfficeScan_7_3
18
Tabular Expressions: Tabular Expressions let you create custom compound expressions with the aid of graphical operators and a preview display.
19
Advanced Free-Form Expressions can be created and edited manually
The expression must, however, be a valid rule. Useful for creating complex expressions, using custom qualifiers, using additional operators, and previewing an expression built using the other methods. When using Advanced Free-Form you type the expression directly into the expression window.
20
Policy results are aggregated from all policies that are true
Why? Policy results are aggregated from all policies that are true. When the policy settings conflict, priority wins; when policy settings do not conflict, the results are cumulative from all policies that are true.
Virtual Server, Policy A, Priority 10: Home page; Split Tunnel OFF; Single Sign-on -not set-
Virtual Server, Policy B, Priority 20: Home page; Split Tunnel ON; Single Sign-on ON
Resulting Configuration: Home page; Split Tunnel OFF; Single Sign-on ON
21
Resulting Configuration
Global, Policy A, Priority 0: Home page; Split Tunnel ON; Single Sign-on -not set-
Virtual Server, Policy B, Priority 0: Home page; Split Tunnel -not set-; Single Sign-on OFF
Group, Policy C, Priority 0: Home page; Split Tunnel OFF; Single Sign-on ON
Resulting Configuration: Home page; Split Tunnel OFF; Single Sign-on ON
22
Resulting Configuration
Why? When policies are bound to different bind points with the same priority, the lowest bind point wins (bind points from highest to lowest: Global, Virtual Server, Group, User). With Policy A (Global, priority 0), Policy B (Virtual Server, priority 0) and Policy C (Group, priority 0) as on the previous slide, the Group policy's settings win every conflict, giving the resulting configuration: Home page; Split Tunnel OFF; Single Sign-on ON.
23
Resulting Configuration
Global, Policy A, Priority 10: Home page; Split Tunnel -not set-; Single Sign-on -not set-
Virtual Server, Policy B, Priority 20: Home page; Split Tunnel -not set-; Single Sign-on OFF
Group, Policy C, Priority 30: Home page; Split Tunnel OFF; Single Sign-on ON
Resulting Configuration: Home page; Split Tunnel OFF; Single Sign-on OFF
24
Higher priority settings take precedence over bind point order
Why? Higher priority settings take precedence over bind point order, and when policy settings do not conflict, the results are cumulative from all policies that are true.
Global, Policy A, Priority 10: Home page; Split Tunnel -not set-; Single Sign-on -not set-
Virtual Server, Policy B, Priority 20: Home page; Split Tunnel -not set-; Single Sign-on OFF
Group, Policy C, Priority 30: Home page; Split Tunnel ON; Single Sign-on ON
Resulting Configuration: Home page; Split Tunnel ON; Single Sign-on OFF
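The aggregation rules from the last five slides, as an added example (not Citrix code) that models them in Python: policies whose expression is true are ordered by priority number (10 beats 20, as the slides show), ties go to the lowest bind point, and a "-not set-" value never overrides a value set by another true policy. The policy names, bind points and settings are the ones on the slides; the class and function names are this example's own.

```python
"""Model of AGEE session-policy aggregation (added example, not Citrix code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Bind points from most specific to least specific: on equal priority the
# lowest bind point wins, so a lower index here wins the tie.
BIND_ORDER = ["User", "Group", "Virtual Server", "Global"]
SETTINGS = ["Split Tunnel", "Single Sign-on"]


@dataclass
class Policy:
    name: str
    bind_point: str
    priority: int                      # lower number = higher precedence
    settings: Dict[str, Optional[str]] = field(default_factory=dict)
    expression_true: bool = True       # result of evaluating the policy's rule


def precedence(p: Policy) -> Tuple[int, int]:
    """Sort key: priority number first, then bind-point specificity."""
    return (p.priority, BIND_ORDER.index(p.bind_point))


def resolve(policies: List[Policy]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Return {setting: (effective value, name of the policy that set it)}.

    Policies whose expression is false contribute nothing. For each setting
    the first policy in precedence order that actually sets it wins; policies
    that leave it "-not set-" (None) are skipped, so results are cumulative.
    """
    ordered = sorted((p for p in policies if p.expression_true), key=precedence)
    result: Dict[str, Optional[Tuple[str, str]]] = {}
    for name in SETTINGS:
        result[name] = None
        for p in ordered:
            value = p.settings.get(name)
            if value is not None:
                result[name] = (value, p.name)
                break
    return result


def slide_20() -> Dict[str, Optional[Tuple[str, str]]]:
    """Two virtual-server policies; priority 10 wins the Split Tunnel conflict."""
    return resolve([
        Policy("A", "Virtual Server", 10, {"Split Tunnel": "OFF"}),
        Policy("B", "Virtual Server", 20, {"Split Tunnel": "ON", "Single Sign-on": "ON"}),
    ])


def slide_22() -> Dict[str, Optional[Tuple[str, str]]]:
    """Equal priorities at three bind points; the Group policy wins both settings."""
    return resolve([
        Policy("A", "Global", 0, {"Split Tunnel": "ON"}),
        Policy("B", "Virtual Server", 0, {"Single Sign-on": "OFF"}),
        Policy("C", "Group", 0, {"Split Tunnel": "OFF", "Single Sign-on": "ON"}),
    ])


def slide_24() -> Dict[str, Optional[Tuple[str, str]]]:
    """Priority beats bind-point order: B (20) overrides C (30) for Single Sign-on."""
    return resolve([
        Policy("A", "Global", 10, {}),
        Policy("B", "Virtual Server", 20, {"Single Sign-on": "OFF"}),
        Policy("C", "Group", 30, {"Split Tunnel": "ON", "Single Sign-on": "ON"}),
    ])


if __name__ == "__main__":
    for label, fn in (("slide 20", slide_20), ("slide 22", slide_22), ("slide 24", slide_24)):
        print(label, fn())
```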
25
Basic Firewall and Port Rules
Flows shown on the slide (External / DMZ / Internal):
- Remote End User to VIP: 443, 80* (HTTP/TCP). * Port 80 is used for the HTTPS redirect.
- NSIP to DNS: 53 (UDP)
- NSIP to LDAP/LDAPS: 389/636 (TCP)
- SNIP or MIP to XenApp WI / STA: 80, 8080, 443 (HTTP/TCP)
- SNIP or MIP to XenApp: 1494, 2598 (TCP)
- AGEE Admin to NSIP: 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)
26
SmartAccess Workflow (diagram labels: External, DMZ, Internal; Remote End User; LDAP 389/636; WI 443; STA and XML 80/443; XenApp)
1) User accesses the AGEE VPN virtual server. AGEE pre-authentication: EPA ActiveX download and client scan; the EPA ActiveX sends its results back to AGEE. On pre-authentication EPA success, AGEE returns the login page.
2) User supplies credentials to the logon page. Access Gateway passes the credentials to the directory service for validation.
3) Post-authentication session policy EPA checks are done with the existing EPA ActiveX; the session policy EPA check results are returned to AGEE.
4) AGEE does an HTTP redirect to the website configured in the '-homepage' option. Web Interface returns a 401 and AGEE detects that this is a Web Interface server.
5) Access Gateway next performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP header. A SessionToken is also provided. Web Interface authenticates the credentials provided via the custom SSO AGCitrixBasic header.
6) WI makes an XML callback to the AGEE VPN virtual server URL preconfigured on WI, with the previously provided SessionToken, to get the EPA results. AGEE returns the EPA results to WI.
7) Web Interface sends the credentials and EPA results to the Citrix XML Service, which validates them and returns the user's "smart access" application set to Web Interface.
8) Web Interface generates the "Smart Access" application set page and sends it back to the user.
27
Deeper Look at Security Scans – Pre-Auth
Redirect to /epa/epa.html. The EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with an HTTP header called CSEC. If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3. Example: (trace screenshot on the original slide)
28
Deeper Look Into Smart Access
The client logs in to Access Gateway and is redirected to Web Interface. During this redirection the client sends a request to /auth/agesso.aspx. Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, but this time with an authentication header. Web Interface then validates the credentials via a POST back to Access Gateway. If that connection succeeds, the Access Gateway returns a 200 OK containing all the Smart Access information needed by Web Interface. Example: (trace screenshot on the original slide)
The behavior of the EPA client when invoked after authentication, meaning that it will be used either for Smart Access or for quarantining the user, is the same as pre-authentication. The biggest misconception is that you need to have a security scan in order to achieve Smart Access. This is not the case: Smart Access can be performed by simply using the name of the virtual server in question and the session policy being used. Let's take a look. How did I do that?
29
Decrypting a Network Trace
In order to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI or via the command line (screenshots on the original slide). Once the network trace has run it will be placed under /var/nstrace/. Important: since this is SSL traffic, the trace has to start before any request is made. Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click Edit, then Preferences, and select SSL under Protocols. Under RSA Key List enter: <target IP>,<port>,<protocol>,<path to private key>. Once that is done the traffic will be decrypted and you will be able to analyze it. Note that decryption with the server's private key only works for sessions negotiated with RSA key exchange; with ephemeral Diffie-Hellman cipher suites the private key cannot recover the session keys.
30
What if private key is not available?
How to create an HTTP debug virtual server: in the previous slide you were shown how to decrypt a network trace. But what if the private key for the certificate is not available? What if the private key is encrypted or, even worse, what if you don't know or have lost the private key password? If you are facing these problems, the easiest way is to create a temporary virtual server, FOR DEBUGGING PURPOSES ONLY, using HTTP instead of HTTPS.
31
What if private key is secured?
If the private key was created with a passphrase, it can be decrypted with openssl (the openssl rsa command; the exact command line is shown on the original slide), after which the unencrypted key can be given to Wireshark as on the previous slides.
32
Published Application Launch Process
Diagram labels: External, DMZ, Internal; Remote End User; WI (443); STA and XML (80/443); XenApp (1494/2598, 80/443).
1) User clicks an application icon. The request is sent to Web Interface.
2) Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application.
3) The XML Service returns the XenApp IP address.
4) Web Interface contacts the STA to exchange the XenApp IP address for a ticket.
5) Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket.
6) The ICA file is sent back to the client device.
7) The ICA Client sends the ICA request to Access Gateway.
8) Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address.
9) Access Gateway contacts XenApp to initiate the ICA session.
10) The ICA session is established.
33
XenApp Integration: Web Interface Site Type
Diagram: Access Gateway, Web Interface, XenApp. Specify the URL to the virtual server's FQDN; Web Interface must be able to resolve the FQDN.
Instructor: emphasize the difference between direct mode and AAC mode. It is not important to talk about the actual URL string (too confusing), but talk about what we are doing and how it is different. Important points to remember:
- WI can point to any vpn vserver, not necessarily the one where users connect.
- WI must be able to resolve the FQDN of the virtual server.
- WI must be able to route to the virtual server IP over HTTPS.
- WI must trust the SSL certificate at the machine level.
34
XenApp Integration: Web Interface DMZ Settings
Diagram: Access Gateway, Web Interface, XenApp. Set the DMZ Access Method to Gateway Direct. Instructor: explain what this changes for Web Interface.
35
XenApp Integration: Web Interface Gateway Settings
Diagram: Access Gateway, Web Interface, XenApp. Specify the Access Gateway virtual server's FQDN as the Gateway Server. Instructor: mention that the STA can use an alternative port and SSL.
36
XenApp Integration: Web Interface Gateway Settings
Diagram: Access Gateway, Web Interface, XenApp. Enter the STA server URL address. Instructor: mention that the STA can use an alternative port and SSL.
37
XenApp Integration: Session Profile Configuration
- ICA Proxy ON tells AGEE not to launch the Secure Access Client.
- ICA Proxy ON enables SSO to WI.
- URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform
- Embedded Web Interface display format: Full or Compact.
- SmartAccess NT Domain name: the NT domain name used when the UPN is not extracted from AD.
- Single Sign-On Domain defines the user's domain name.
Instructor: recap Policy vs Profile on this slide and ask the audience the difference again. Reiterate the difference between ICA Proxy ON and OFF; ask the audience to think about why you would use these options, and provide examples.
38
XenApp Integration: Defining STA Server
Diagram: Access Gateway, Web Interface, XenApp. The STA Server ID and State are monitored by AGEE. Multiple STA servers can be defined for failover. Instructor: explain why we need to define a STA server on AGEE.
39
Troubleshooting SSL Related Errors
During this slide the audience will learn how the Escalation team goes about troubleshooting SSL errors. A video runs while the presenter speaks about the steps being taken.
40
Session Takeaways
- Only one traffic policy is evaluated at a time.
- Integration with SharePoint requires all hostnames used internally.
- SmartAccess requires the name of the virtual server and the policy for a XenApp policy to be applied.
- When decrypting a network trace, start the trace before sending the first request.
- Private keys can be decrypted if the password is known.
- An HTTP Access Gateway virtual server can be used for debugging.
41
Partner Training & Certification
Build your product expertise and maximize your sales potential with the latest Citrix training and certification:
Access Gateway
- CAG-200 Implementing Citrix Access Gateway 9.0 Enterprise Edition
- CMB-204 Implementing Citrix XenApp 5.0 for Windows Server 2008 with Access Gateway Enterprise Edition
- CCA for Citrix Access Gateway 9 Enterprise Edition
WANScaler
- CTX-1741AI Citrix WANScaler 4.3 and Citrix Branch Repeater: Administration
- CCA for Citrix WANScaler 4
Visit to view a complete list of discounted Partner offerings and learn how to maintain compliance with Citrix Certification.
42
Before you leave… Recommended related Summit breakout sessions:
- TECH307: Advanced troubleshooting of Citrix NetScaler, Premier Ballroom 310, 2:30pm
- TECH305: Troubleshooting tools and methodology for Citrix XenApp 5 environments, Premier Ballroom 310, 4:30pm
Session surveys are available online at starting Monday, May 4. Feedback is requested (giveaway provided). Download presentations starting Tuesday, May 12, from your My Schedule Tool located in your My Synergy Microsite event account.