
Citrix Secure Gateway Technical Training

2 Agenda
By the end of this session, you should be able to:
- Explain the role CSG plays in a MetaFrame deployment
- Explain the role of SSL certificates
- Install and configure the CSG Gateway, Secure Ticket Authority, NFuse 1.61 and the 6.20 ICA client to enable SSL connectivity through CSG

3 What Solution does CSG Enable?
Securely and simply deliver published applications across the Internet.
Other components of this solution include:
- NFuse 1.61 or later (required)
- Secure web server and/or portal (e.g. Citrix XPS)
- Replaceable authentication (e.g. SecurID, smart card)
- SSL-enabled clients

4 What is CSG?
Gateway between an SSL-enabled ICA client and one or more MetaFrame servers.
Tunnels ICA traffic inside SSL. Limited to ICA only; not a general-purpose VPN.
Runs independently from MetaFrame; links into NFuse for authorization.
Three components:
- Citrix Secure Gateway Server (“the gateway”)
- Secure Ticket Authority (“STA”)
- Modified NFuse website

5 CSG in a Nutshell
[Diagram: ICA 6.20 client on the Internet -> CSG Gateway Server -> MetaFrame Server on the internal network]
- The client sends ICA-in-SSL packets to the CSG Gateway Server (encrypted with SSL).
- The CSG Gateway Server forwards unencrypted ICA traffic to MetaFrame.
- MetaFrame sees the CSG Server as a local client.

6 CSG Server with NFuse

7 CSG 1.0 Technical Requirements
Three Windows 2000 servers with SP2:
- CSG Gateway Server
  - Server certificate
- Secure Ticket Authority
  - Microsoft Internet Information Server (IIS)
- NFuse 1.61 (or a modified earlier version)
  - Microsoft Internet Information Server (IIS)
Win32, Java, Mac or Linux 6.20 ICA client
MetaFrame server farm

8 CSG 1.0 Marketing Requirements
Subscription Advantage customers only
- CSG is being offered as a value-add to the Subscription Advantage program
- Customers who bought MetaFrame XP with Subscription Advantage will receive the option to download CSG from
- There is no technical enforcement of this requirement

9 CSG Versus SSL Relay
For ICA-SSL connectivity, CSG is easier to deploy than SSL Relay on the MetaFrame servers:
SSL server certificates needed
  SSL Relay: On every MetaFrame server
  CSG: On the CSG Gateway server only
Unique external IP addresses needed
  SSL Relay: For each MetaFrame server
  CSG: For the CSG Gateway server only
Certificate format conversion
  SSL Relay: Install the certificate, export the cert to a file, convert the file to PEM format using keytopem.exe, save beneath SSLRelay\keystore\certs
  CSG: Just install the certificate
Other MetaFrame requirements
  SSL Relay: XP with FR1 and DNS name resolution enabled
  CSG: None (technically)

10 CSG Versus Extranet
Compared to Extranet, CSG is fairly limited. If you are already using Extranet, you don’t need CSG.
Types of traffic
  Extranet: All TCP traffic
  CSG: ICA only
Authentication methods
  Extranet: Eleven possible methods of two-factor authentication
  CSG: Defers authentication to NFuse
Client software required
  Extranet: ICA client plus an Extranet client
  CSG: ICA client only
[Diagram: security spectrum from lower security to highest security: ICA, Secure ICA, SSL Relay, CSG, Citrix Extranet]

Intro to SSL

12 Why SSL?
The threats:
- Server masquerading
- Network sniffers
Secure Sockets Layer (SSL) provides:
- Authentication
  - Digital certificates prove identity on the Internet
  - This prevents “man-in-the-middle” or DNS attacks
- Encryption
  - Using 128-bit key lengths
  - This prevents network sniffers from viewing your information

13 SSL Certificates
SSL certificate requirements are a new thing for many of our customers. Be very careful; this can be difficult.
Obtain certificates from:
- Private Certificate Authority (CA)
- Public CA
- Evaluation cert from a public CA (Baltimore, Verisign)
You may need to install the root CA certificate on the client. The Windows 6.20 ICA client supports all Windows standard CAs.

14 Could I see some ID please?
SSL certificates are like driver’s licenses.
Issued to
  Driver’s license: Individual citizens
  SSL certificate: Individual users or servers
Issued by
  Driver’s license: Department of Motor Vehicles (DMV)
  SSL certificate: Certifying Authority (CA)
Verification mechanism
  Driver’s license: DMV hologram, well-known license format
  SSL certificate: CA digital signature, public key, thumbprint
Application requirements
  Driver’s license: Birth certificate, Social Security number, etc.
  SSL certificate: Business license, Dun & Bradstreet number, etc.
Public usage
  Driver’s license: Prove identity; operate a vehicle on public roads
  SSL certificate: Prove identity; operate a secure web server on public networks
I trust it because
  Driver’s license: I trust the DMV to scrutinize applicants
  SSL certificate: I trust the CA to scrutinize applicants

15 Server certificates
Server certificates are unique to a particular server name: the “subject” of the certificate is the FQDN of the server.
Server certificates also include fields dictating what the certificate can be used for.
View the Certification Path to find out which CA issued this certificate (it may be a chain of CAs).

16 Root Certificates
Root certificates (aka CA certificates) are self-signed entities that are used to verify server certificates.
If you trust a CA, install their root certificate. Windows ships with many pre-installed CA certificates for well-known CAs:
- Verisign
- Entrust
- Baltimore
- RSA
- Thawte

17 Client needs the root, server needs a cert
[Diagram: Sample Certificate Placement]

18 Default root certificates
Root certificates need to be installed into the Windows operating system.
- To see what certificates are installed, use MMC or IE

Installing CSG

20 CSG installation steps
Installation steps to follow:
- Read The Friendly Manuals:
  - Getting Started Guide
  - Administrator’s Guide
- Fill out the “Installation Checklist”
- Install the software in the correct order:
  - 1. Secure Ticket Authority
  - 2. CSG Gateway Service
  - 3. CSG NFuse Extensions (or use NFuse 1.61 or Columbia 6.0)

21 Important – Print the Checklist
- The CSG distribution includes an installation checklist that takes the guesswork out of installing the components
- It is recommended that you sketch your network, print this page, fill in the blanks, and then begin installing the servers

22 Extract the self-expanding exe
- CSG comes in the form of a single, self-expanding exe file, “SetupCSG.exe”
- Execute this file to expand its contents and start the installation process.

23 Example installation
CSG uses three machines:
1. Secure Ticket Authority (STA)
  - Fully qualified domain name (FQDN): sta01.company.com
  - Machine pre-loaded with Windows 2000 (SP2) server and IIS
2. CSG Gateway Server
  - FQDN: snowy1.csg-gw.company.com
  - Machine pre-loaded with Windows 2000 (SP2)
3. NFuse 1.61 Server
  - FQDN: nfuse.company.com
  - Machine pre-loaded with Windows 2000 (SP2) server and IIS 5.0
  - NFuse 1.61 installed
CSG also includes example scripts and documentation to help you integrate CSG functionality into an existing NFuse website.

24 Easy install--demo

25 Server Certificates
Server certificate required: a server certificate must be obtained and installed for your CSG Gateway machine. The certificate must be issued to the FQDN of the Snowy gateway. The Snowy Administrator’s Guide provides in-depth information regarding server certificates.

26 Checking installed Server Certificates
Run MMC on the CSG gateway machine and add the “Certificates” snap-in.

27 Checking installed Server Certificates
Ensure that the server certificate is installed into the Local Computer\Personal\Certificates store.

28 Checking installed Server Certificates
Double-click on the certificate shown to check that it is OK.
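The checks on the last three slides, scripted as an added example that is not from the training deck: it reads Local Computer\Personal (Cert:\LocalMachine\My) on the gateway, uses the example FQDN snowy1.csg-gw.company.com from the example installation slide, and assumes a PowerShell-capable Windows build rather than the Windows 2000 the deck describes.

```powershell
# Added example (not from the Citrix training deck): confirm that the CSG gateway
# server certificate in Local Computer\Personal is usable before going live.
# The FQDN is the one assumed in the example installation slide.
$GatewayFqdn   = 'snowy1.csg-gw.company.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-CsgServerCertificate {
    param([string]$Fqdn)
    $problems = @()
    # Local Computer\Personal\Certificates is the Cert:\LocalMachine\My drive
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("No certificate with subject CN=$Fqdn in LocalMachine\My") }

    # The gateway must hold the private key, not just the public certificate
    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Certificate not valid now: $($cert.NotBefore) to $($cert.NotAfter)"
    }
    # The "what it can be used for" field: EKU (OID 2.5.29.37) must allow server auth
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'Enhanced Key Usage does not include Server Authentication'
    }
    # Walk the Certification Path; a failure here usually means the issuing CA's
    # root is not in Trusted Root Certification Authorities on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Certification path does not build: $status"
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "Issuing root: $($root.Subject) (thumbprint $($root.Thumbprint))"
        Write-Host 'ICA clients must have this root in their Trusted Root store.'
    }
    return $problems
}

$issues = @(Test-CsgServerCertificate -Fqdn $GatewayFqdn)
if ($issues.Count -eq 0) { Write-Host "OK: certificate for $GatewayFqdn looks usable" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```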

29 Connecting through CSG
To launch an application, simply click on the application’s link as you would in NFuse normally. You can ensure that the connection is 128-bit SSL by opening the ICA Connection Center.
[Screenshot callout: small padlock]

30 Connecting through CSG You can also see the security status of the connection via the Client Connection Status dialog on the client.

31 Relay Mode
If NFuse is not an option:
- Possible to install CSG in “relay mode”, where no STA ticket is required
- Not secure! Use this only when NFuse is not an option
- Impossible to switch between normal mode and relay mode; you must explicitly install CSG in relay mode. To do so:
  msiexec /i csg_gwy.msi RELAYMODE=1

32 Troubleshooting
There is a great step-by-step troubleshooting section and detailed explanations of error messages in the Administrator’s Guide (RTFM).
Troubleshooting tips:
- Ensure that you can ping all machines in your CSG system by their FQDN.
- Using netstat, ensure that your CSG gateway machine is listening on port 443 (https).
- Using netstat, ensure that your Snowy Ticket Authority machine is listening on port 80 (http).
- Ensure that you are using version 6.20 or higher of the ICA client.
- Check that all of your system clocks are in sync; clock skew can cause certificates to be treated as invalid.
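The tips above as an added PowerShell script (not part of the deck) to run on the CSG gateway: it assumes the host names from the example installation slide, a PowerShell-capable Windows build, and WMI/DCOM access to the STA and NFuse servers for the clock comparison.

```powershell
# Added example (not from the Citrix training deck): automate the troubleshooting
# tips from the gateway machine. Host names are the ones assumed in the example
# installation slide; the clock check needs remote WMI access.
$Sta   = 'sta01.company.com'
$NFuse = 'nfuse.company.com'

function Test-NameAndPing([string]$Name) {
    # Tip 1: every machine must resolve by FQDN and answer ping
    try { $ip = [System.Net.Dns]::GetHostAddresses($Name)[0].IPAddressToString }
    catch { return "FAIL: $Name does not resolve" }
    if (Test-Connection -ComputerName $Name -Count 1 -Quiet) { return "OK: $Name ($ip) answers ping" }
    return "FAIL: $Name resolves to $ip but does not answer ping"
}

function Test-LocalListener([int]$Port) {
    # Tip 2: same check as reading 'netstat -an' by eye, a LISTENING socket on the port
    $listening = netstat -an | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    if ($listening) { return "OK: this machine is listening on TCP $Port" }
    return "FAIL: nothing listening on TCP $Port (is the gateway service running?)"
}

function Test-RemotePort([string]$Name, [int]$Port) {
    # Tip 3 from the gateway's side: the STA must accept connections on its port
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Name, $Port); $client.Close(); return "OK: $Name accepts TCP $Port" }
    catch { return "FAIL: cannot reach $Name on TCP $Port ($($_.Exception.Message))" }
}

function Test-ClockSkew([string]$Name, [int]$MaxSeconds = 300) {
    # Tip 5: compare the remote clock with this machine's (converted to local time)
    try {
        $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name
        $remote = $os.ConvertToDateTime($os.LocalDateTime)
        $skew   = [math]::Abs(((Get-Date) - $remote).TotalSeconds)
        if ($skew -le $MaxSeconds) { return "OK: $Name clock within $([int]$skew)s" }
        return "FAIL: $Name clock is $([int]$skew)s off; certificates may appear invalid"
    } catch { return "WARN: could not read clock on $Name ($($_.Exception.Message))" }
}

Test-NameAndPing $Sta; Test-NameAndPing $NFuse
Test-LocalListener 443            # gateway must listen on https
Test-RemotePort $Sta 80           # STA must answer on http
Test-ClockSkew $Sta; Test-ClockSkew $NFuse
```

The ICA client version (tip 4) is checked on the client, not the gateway, so it is left out here.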

33 Perfmon counters
On the Secure Gateway server:
- Active Session Count
- Client Connections Accepted
- Client Connections Failed
- Client Connections Timed Out
- Global Clients to Gateway Bytes
- Global Clients to Gateway Packets
- Global Gateway to Client(s) Bytes
- Global Gateway to MetaFrame Server Bytes
- Global MetaFrame Server to Gateway Bytes
- Global MetaFrame Server to Gateway Packets
- MetaFrame Connections Failed
- MetaFrame Connections Successful
- Peak Active Clients
- Peak Client Connection Attempts
- Peak STA Data Requests
- Peak STA Save Tickets
- STA Data Requests Failed
- STA Data Requests Successful
- STA Save Tickets Failed
- STA Save Tickets Successful

34 Perfmon counters
On the Secure Ticket Authority server:
- STA Bad Data Request Count
- STA Bad Save Request Count
- STA Good Data Request Count
- STA Good Save Request Count
- STA Good Ticket Request Count
- STA Peak Data Request Rate
- STA Peak Save Request Rate
- STA Peak Ticket Request Rate
- STA Save Request Rate
- STA Ticket Timeout Count

35 Further Reading
- Citrix Secure Gateway Administrator’s Guide
- Citrix Secure Gateway Getting Started Guide
- White paper: Using the Citrix SSL Relay Service
- SSL and TLS Essentials, by Stephen Thomas, ISBN:

Thank You & Now Everything Computes Securely