The Access Gateway 4.5 with Advanced Access Control is the Platinum product’s preferred access portal, called the “Access Navigator Portal”, or the “Nav” portal for short. Configuring the Access Gateway with AAC (Advanced Access Control) and with the Presentation Server farm in 4.5 is a little more involved than it was in 4.2, and the order of the steps can be critical. Below is a fully worked out and replicable implementation, with the CAG 4.5, AAC 4.5, and Citrix Presentation Server 4.5 with a Web Interface.
The roadmap is:
- WI 45 install & configure (unsecure)
- configure Web Interface for use with Advanced Access control in AMC for WI site.
- configure web resource for Web Interface (set as “integrated windows auth”, “WI42 or later resource”)
- integrate CPS farm into AAC farm, with farm, server, XML, and pick which Web Interface (from the web resource), at the logon point in the AMC.
- create a policy to grant access to Web Interface resource (now it should integrate WI 45, but insecure)
- add security to the WI45 site (enter FQDN of Access Gateway appliance, and URL of Secure Ticket Authority (STA); set DMZ settings to “secure gateway direct”)
- power on the Access Gateway appliance and import it into AAC farm
- add at least one secure ticket authority (STA) to Access Gateway tab in AMC for AAC server
- configure ‘accessible networks’ in AG tab; add “entire network” resource to default policy, (or some subset of the network that contains the resources to be provided).
In order to integrate Presentation Server applications into AAC, the Web Interface 4.5 must be installed and configured properly, as explained in the chapter on Web Interface advanced configuration in CPS 4.5.
There is an item in the task pane of the 4.5 Web Interface site called “manage access method”, and under that pane the Web Interface can be configured either for “direct” access, where the users enter the URL of the Web Interface, or else “using the advanced access control”, where the users enter the URL of the AAC web server, (or the Access Gateway enters it on their behalf). The task in the roadmap is the simple modification of this property page, to point to the Advanced Access Control server.
The Web Interface site will no longer work when contacted through the Web Interface URL, because it is now supposed to be accessed through the portal. We will have users authenticating to the portal, so we probably want to let the authentication PASS THROUGH to the Web Interface. This is done later in the AMC of the Advanced Access Control server, but in the Web Interface site configuration we need to leave “prompt users for password” unchecked.
In the AMC of the Advanced Access Control server we need to create a new web resource, since nothing can be accessed through the portal without being first created as a resource, then also associated with a security policy.
The Web Interface 4.5 gets integrated into the AAC portal as a special type of web resource, by using the drop down menu in the resource creation window, and choosing “Citrix Web Interface 4.2 or later”.
To get the third pane in the Access Gateway portal, on the left, we need to “publish” the web interface as a web resource, and we need to add the exact URL of the Web Interface server, even though that site no longer works when we contact it directly with a browser – it is now set only to listen to this AAC server, over port 80.
Any resource created in the farm becomes an available resource in the farm security policies, unselected by default, so we can either create a new policy for the new web resource, or more practically modify an existing policy to allow access to one more web resource.
To add the resource to a policy, we go to the policy in the AMC and click “edit”. On the Resources tab the new web resource is listed, and to grant it the same access this policy grants the other web resources on the Web Interface, we only need to tick the box next to it. This mapping of resources to policies is the heart of the AG/AAC model.
Any number of logon points can be created in the AAC farm, and any number of them can be associated with Presentation Server farms, but by default no logon point allows access to Presentation Server, and so the special web resource we just configured can’t work yet. In the AMC of the AAC server, at the farm level, the Presentation Server Farm has to be added, with a designated XML server and an XML port. This has to be done AFTER the addition of the web resource, because we pick which “Web Interface” from a list of web interface-type web resources in the farm.
The Presentation Server farm that is added to the AAC farm needs to be added to the logon point, after being configured at the farm level, in the AMC.
Then we go to the logon point with any configured browser, and automatically get the three pane default configuration of the Access Gateway 4.5 portal, with the Web Interface applications enumerated in the left-most pane. Pass-through authentication from the AAC web server to the Web Interface was accomplished by creating the “Citrix Web Interface 4.2 or later” resource-type, and by choosing “Integrated Windows Authentication”.
Securing Advanced Access Control with the Access Gateway appliance
The portal we have configured has two different pieces that need to be secured, even if we are using the same Access Gateway device to secure both of them.
The left pane with the Web Interface published apps is secured in a manner very similar to the Secure Gateway software – the Web Interface AMC is used, under DMZ settings, to give out “Secure Gateway Direct” IP addresses (or “Secure Gateway Translated”, if the appliance itself is behind a NAT router). Then we put in the FQDN of the CAG and the URL of an STA. The only difference from the CSG implementation is that instead of configuring an STA on the CSG, we configure the STA in the CAG appliance settings, in the AMC of the AAC server.
The right side of the Access Gateway portal – the file shares – is secured separately: not in the AMC of the Web Interface site as above, but in the AMC of the AAC server, under the farm properties, in the Presentation Server farm integration properties. This is a unique interface where we also configure DMZ settings for “Access Gateway Direct”, then enter the FQDN of the CAG and an authentication service, NOT an STA as in the Web Interface screen.
The settings in the AAC AMC affect how the Citrix apps will run if they are “launched” by hitting the “Launch” button under the drop-down menu, which appears when File Type Association (FTA) is configured.
To configure the Web Interface – left pane – for SSL/TLS, we go to the DMZ settings of the Web Interface site we are integrating, and change from the default of “Direct”, (referring to direct, or “internal, non-routable”, IP addresses of Citrix servers), to “Secure Gateway Direct”, meaning we will get the IP address of whatever secure gateway device we configure in the next screen. The next screen is one click down from DMZ settings; the “edit gateway settings” tab.
There are two critical components being configured here, that need to be configured precisely, over precise ports. The first is the Fully Qualified Domain Name of the Access Gateway appliance. This will be configured on the appliance itself in the CAG admin tool, and the name of the certificate on the appliance will have to match.
The second component to integrate here is the Secure Ticket Authority (STA), which runs on any Presentation Server 4 or 4.5 over the designated XML port. If the XML port is anything other than 80, as it usually is, the URL will not work unless the port is appended to the server name.
These two configurations, both under “manage secure client access” in the AMC of the Web Interface site, constitute “adding security to the WI45 site”. Now that we have told the Web Interface to send out ICA files that point to the AG appliance, we will have to power up the appliance and begin to configure it.
The appliance ships with a CD which is a backup of the firmware, and should be backed up and saved. This CD can be placed in the appliance at any time to reset the system back to the factory defaults. Configuration information stored on the Access Gateway can be backed up to a file through the graphical access gateway administration tool, and restored later. When the machine is set to factory defaults, its IP address is 10.20.30.40, the root user’s password is ‘rootadmin’, and there is no license on the device and so it is incapable of accepting regular traffic.
On the back of the server there are the typical connections for keyboard, mouse, and video, but these connections are not to be used on the Citrix Access Gateway appliance. The serial port is a special case, and can be used for direct basic administration, just to change the IP address to something on the network so that it can be managed with a more comprehensive utility.
To get where we need to go with the Access Gateway, we have a roadmap of several steps, across several utilities.
- power on the appliance and connect with a crossover serial cable from a Windows machine running “HyperTerminal”, hit “enter” and log in as root with the password rootadmin, to set an IP address and default gateway on the subnet. This is the “serial console”.
- plug the CAG into the network using a network cable, use a browser to go to the Access Gateway over TCP/IP to the address just given to it, and port 9001. This is the “CAG Admin portal”. From here we download the CAG Admin tool. (From here we can also run a Linux desktop on the appliance that monitors all traffic through the appliance in a Citrix management console.)
- With the admin tool downloaded to the desktop of a Windows workstation, we install the admin tool and log in to the IP address of the appliance as root with the password rootadmin.
- In the admin tool, we set the DNS server for the appliance, set an FQDN, and go to the “Advanced Settings” tab to configure all other settings to come from “Advanced Access control”, and then name the AAC server that can “discover” the appliance.
- create a DNS record in the domain for the appliance, that the Web Interface and the AAC web server are able to resolve.
- Discover the appliance in the AMC of the AAC server, in order to configure “accessible network” and “secure ticket authority”.
The Access Gateway comes with one serial null-modem cable, which can be connected to the back of the Access Gateway, and to a PC on the other end. The PC needs to be a Windows machine running HyperTerminal, and the baud rate of the new connection needs to be set to 9600. Hitting enter a couple of times should produce a login prompt. The only valid account is root, and the password is rootadmin.
From the “Express Setup”, only IP address, subnet mask, and default gateway can be set. The IP address is being set for “eth0” only, which is the first of the two LAN connections on the back. Any DNS information has to be configured in another utility; this tool is only to make it easier to get to the next utility. From here the administration port on the Access Gateway can be closed, further securing the appliance.
The next step is to connect to the new IP address of the Access Gateway from a browser on the intranet, at port 9001, using https; (there is a pre-configured private certificate on the Access Gateway when it ships).
https://<AG's new IP address>:9001
The Administration Portal is only the next step along the way to the main administration utility. The admin portal is used to download the next tool, which is called the Access Gateway Admin Tool.
There is also an Access Gateway desktop that can be downloaded from here, for administrative use. The desktop is a Linux X Window desktop that runs several GNU utilities including Ethereal, and a Citrix tool called the Citrix Real Time Monitor.
The Access Gateway Administration Tool is the main administration tool if the Access Gateway is used as a stand-alone device, without the Advanced Access Control feature. Even with the Advanced Access Control feature, with policies managed in an Access Management Console snap-in, there is still critical work to be done in the Access Gateway Administration Tool.
The tool downloads and installs onto a Windows 2000 or higher machine, and manages either a single appliance or a cluster.
The critical tasks on an Access Gateway in an Advanced Access Control implementation are all on the “This Gateway” tab under the “Access Gateway Cluster” tab at the top of the admin tool. On the first screen, “general networking”, an FQDN for the gateway needs to be set, and the network card can be fixed to full duplex at the same time.
Clicking “submit” causes the Access Gateway to go to a reboot. The Admin tool can remain open, and in about two to three minutes the gateway will be able to be contacted again. On the “Name Service Providers” tab the DNS server can be set.
On the “Routes” tab, the choice is between “Static” or “dynamic” (RIP II) routing. Static is the default and there is a table for the input of static routes.
The Administration tab is the place to shutdown and restart the Access Gateway, not with the button on the front or the power cable on the back. This is also the tab for managing certificates from a CA. Certificate requests can be generated at the “Generate CSR” tab.
Most critically for the Advanced Access Control implementation, there is an “Advanced” tab, on Access Gateway 4.2 (and up) firmware only, that allows the gateway appliance to receive its configuration information either from this utility or from the Advanced Access Control configuration held in a SQL or SQL Express database.
When the Advanced Access Control option is chosen, all the tabs other than “Access Gateway Cluster” become grayed out.
The entire Citrix web implementation is extremely dependent upon DNS, and we will need an internal DNS record for whatever we want to call the AG appliance.
Finally, as the Access Gateway reboots knowing about its Advanced Access Control server, the AMC on the AAC server can run a discovery and automatically discover the appliance. Once discovered, we can configure the critical “accessible networks” and “secure ticket authority” settings.
By going into the “Edit gateway appliance properties” page, we can configure the critical appliance settings that are otherwise configured on the gateway appliance itself, when the appliance runs in “Standard” mode. Specifically, we need to enter the IP Addresses that are allowed to be accessed through the gateway appliance. Also, by setting the STA, we are saying what server authenticates tickets that were given out by the Web Interface, so we MUST choose here the same STA server(s) that we chose in the Web Interface security pages.
The Secure Ticket Authority interface is completely different from all the other places it is entered. In the Web Interface, it was entered as a URL, pointing to “:8080”, the XML port. Here, we point to the same server, over the same port, but we do not use a URL to configure it.
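The STA port rule from the Web Interface section and the requirement that the AAC appliance properties name the same STA server(s) as the Web Interface gateway settings (and that the gateway FQDN match the name on the appliance certificate) can be checked before cutover. The following is an added Python example, not Citrix code; the STA script path, host names and ports are constructed assumptions:

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumed STA script path: the walkthrough only says "the URL of an STA".
STA_PATH = "/Scripts/CtxSta.dll"


def sta_url(server: str, xml_port: int = 80) -> str:
    """STA URL for the WI gateway settings; port appended only when not 80."""
    host = server if xml_port == 80 else f"{server}:{xml_port}"
    return f"http://{host}{STA_PATH}"


def sta_identity(url: str) -> tuple[str, int]:
    """Reduce an STA URL to (host, port) for comparison with the AAC entry."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.port or 80


def fqdn_matches_cert(fqdn: str, cert_names: list[str]) -> bool:
    """True if the gateway FQDN equals a cert name or fits a *.domain wildcard."""
    fqdn = fqdn.lower()
    for name in (n.lower() for n in cert_names):
        if name == fqdn:
            return True
        if (name.startswith("*.") and fqdn.endswith(name[1:])
                and fqdn.count(".") == name.count(".")):
            return True
    return False


def check_deployment(wi: dict, aac: dict, cert_names: list[str]) -> list[str]:
    """Findings for WI gateway settings vs AAC appliance properties vs cert;
    an empty list means the three places agree."""
    findings = []
    if wi["fqdn"].lower() != aac["fqdn"].lower():
        findings.append("gateway FQDN differs between Web Interface and AAC")
    if not fqdn_matches_cert(aac["fqdn"], cert_names):
        findings.append(f"certificate names {cert_names} do not cover {aac['fqdn']}")
    wi_stas = {sta_identity(u) for u in wi["sta_urls"]}
    aac_stas = {(h.lower(), p) for h, p in aac["stas"]}
    for host, port in sorted(wi_stas ^ aac_stas):
        findings.append(f"STA {host}:{port} is not configured in both WI and AAC")
    return findings


if __name__ == "__main__":  # constructed sample values
    wi = {"fqdn": "ag.example.com", "sta_urls": [sta_url("cps1.example.com", 8080)]}
    aac = {"fqdn": "ag.example.com", "stas": [("cps1.example.com", 8080)]}
    print(check_deployment(wi, aac, ["ag.example.com"]) or "OK")
```

A missing port in the Web Interface STA URL shows up as two findings (port 80 on the WI side, 8080 on the AAC side), which is exactly the mismatch that makes ICA launches fail after cutover.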
At this point we should be able to run any Presentation Server app, through the Web Interface pane of the Access Gateway portal, with SSL/TLS protection over all ICA traffic.
CM, Citrix Training Instructor
Unitek Citrix Training