Integrating and Troubleshooting Citrix Access Gateway


Basic Firewall and Port Rules (External / DMZ / Internal)
Remote End User -> AGEE VIP: 443, 80* (HTTP/TCP) (* port 80 used for https redirect)
AGEE Admin -> NSIP: 3010, 3008, 22 (TCP)
NSIP -> DNS: 53 (UDP)
NSIP -> LDAP/LDAPS: 389/636 (TCP)
SNIP or MIP -> Web Interface (WI) and STA: 443, 80 (TCP/HTTP); 80, 8080, 443 (HTTP/TCP)
SNIP or MIP -> XenApp: 1494, 2598 (TCP)

SmartAccess Workflow
Components: Remote End User (External); AGEE VPN Virtual Server (DMZ); LDAP (389/636), Web Interface (WI), STA and XML Service, XenApp (Internal).
1) User accesses the AGEE VPN Virtual Server.
2) AGEE Pre-AuthN: EPA ActiveX download and client scan.
3) EPA ActiveX sends results back to AGEE.
4) On Pre-Authentication EPA success, AGEE returns the login page; the user supplies credentials to the logon page.
5) Access Gateway passes the credentials to the Directory Service for validation.
6) Post-AuthN: AGEE Session policy EPA checks are done with the existing EPA ActiveX, and the Session policy EPA check results are returned to AGEE.
7) AGEE does a HTTP redirect to the website configured in the '-homepage' option.
8) Web Interface returns a 401 and AGEE detects that this is a Web Interface server.
9) Access Gateway next performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP Header; a SessionToken is also provided.
10) Web Interface authenticates the credentials provided via the custom SSO AGCitrixBasic Header.
11) WI makes an XML callback to a preconfigured-on-WI AGEE VPN Virtual Server URL with the previously provided SessionToken to get the EPA results; AGEE returns the EPA results to WI.
12) Web Interface sends the credentials and EPA results to the Citrix XML Service, which validates them and returns the user's "smart access" application set to Web Interface.
13) Web Interface generates the "Smart Access" application set page and sends the web page back to the user.

Deeper Look at Security Scans – Pre-Auth
The client is redirected to /epa/epa.html. The EPA client then sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response carrying a HTTP header called CSEC. If the security scan passes, the very next GET from the client will contain a value of 0 in the CSEC header; if the scan fails, the value will be 3.
Example: (trace screenshot)

Deeper Look Into Smart Access
The client logs in to the Access Gateway and is redirected to Web Interface. During this redirection the client sends a request to /auth/agesso.aspx. Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, this time with an authentication header. Web Interface then validates the credentials via a POST back to the Access Gateway. If that connection succeeds, the Access Gateway returns a 200 OK containing all the Smart Access information needed by Web Interface.
Example: (trace screenshot)
How Did I Do That ????
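The two slides above describe what a decrypted trace of the EPA scan and the agesso.aspx single sign-on should contain. The following Python is an added example, not code from the presentation or from Citrix: it parses a constructed, already-decrypted HTTP trace, classifies EPA results from the CSEC header values the slide gives (0 = pass, 3 = fail), and checks that the agesso.aspx exchange ran to completion (anonymous request, 401, request with an authentication header, 200). The hostnames, the response-side CSEC value and the `Authorization: AGCitrixBasic ...` header shape are assumptions made for the sample; the credential-validation POST back to the gateway is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HttpMessage:
    """One HTTP request or response recovered from a decrypted trace."""
    kind: str                # "request" or "response"
    start_line: str          # "GET /epaq HTTP/1.1" or "HTTP/1.1 200 OK"
    headers: Dict[str, str]  # header names are lower-cased

    @property
    def path(self) -> Optional[str]:
        return self.start_line.split()[1] if self.kind == "request" else None

    @property
    def status(self) -> Optional[int]:
        return int(self.start_line.split()[1]) if self.kind == "response" else None


def parse_trace(text: str) -> List[HttpMessage]:
    """Split a flattened trace into messages: each message is a start line plus
    header lines, and messages are separated by a blank line."""
    messages: List[HttpMessage] = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        start = lines[0].strip()
        kind = "response" if start.startswith("HTTP/") else "request"
        headers: Dict[str, str] = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append(HttpMessage(kind, start, headers))
    return messages


# CSEC values as stated on the slide: 0 = scan passed, 3 = scan failed.
CSEC_VERDICT = {"0": "pass", "3": "fail"}


def epa_results(messages: List[HttpMessage]):
    """(path, verdict) for every client request that carries a CSEC header."""
    return [
        (m.path, CSEC_VERDICT.get(m.headers["csec"], "unknown"))
        for m in messages
        if m.kind == "request" and "csec" in m.headers
    ]


def sso_exchange(messages: List[HttpMessage], sso_path: str = "/auth/agesso.aspx"):
    """Check the agesso.aspx handshake: anonymous request -> 401, then a request
    carrying an authentication header -> 200. Reports which steps are missing."""
    steps = {"challenge": False, "authenticated_request": False, "success": False}
    pending: Optional[HttpMessage] = None   # request waiting for its response
    for m in messages:
        if m.kind == "request":
            pending = m
            continue
        if pending is not None and pending.path == sso_path:
            has_auth = "authorization" in pending.headers
            if m.status == 401 and not has_auth:
                steps["challenge"] = True
            elif has_auth:
                steps["authenticated_request"] = True
                if m.status == 200 and steps["challenge"]:
                    steps["success"] = True
        pending = None
    missing = [name for name, done in steps.items() if not done]
    return {"status": "completed" if not missing else "incomplete", "missing": missing}


# Constructed sample trace (not a real capture): the EPA exchange followed by the
# SSO exchange. Hostnames, the CSEC value on the /epaq response (the slide only
# says the header is present) and the token are invented for this example.
SAMPLE_TRACE = """\
GET /epaq HTTP/1.1
Host: ag.example.com

HTTP/1.1 200 OK
CSEC: scan-request

GET /vpn/index.html HTTP/1.1
Host: ag.example.com
CSEC: 0

HTTP/1.1 200 OK
Content-Type: text/html

GET /auth/agesso.aspx HTTP/1.1
Host: wi.example.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Web Interface"

GET /auth/agesso.aspx HTTP/1.1
Host: wi.example.com
Authorization: AGCitrixBasic <token-placeholder>

HTTP/1.1 200 OK
Content-Type: text/xml
"""

if __name__ == "__main__":
    msgs = parse_trace(SAMPLE_TRACE)
    print(epa_results(msgs))    # [('/vpn/index.html', 'pass')]
    print(sso_exchange(msgs))   # {'status': 'completed', 'missing': []}
```

When a SmartAccess launch fails, running this over the decrypted trace tells you in which of the two exchanges it broke: a `fail` verdict points at the endpoint scan, while a `missing` entry of `challenge` or `success` points at the Web Interface side of the SSO.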

Decrypting a Network Trace
In order to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI: (screenshot) Or via the command line: (screenshot) Once the network trace has run, it will be placed under /var/nstrace/. *** Important: since this is SSL traffic, the trace has to start before any request is made, so that the SSL handshake itself is captured. *** Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click Edit and then Preferences, and select SSL under Protocols. Under RSA Key List you enter the IP address, port, protocol and private key file, separated by commas (,,,). Once that is done the traffic will be decrypted and you will be able to analyze it.

What if the private key is not available? Create an HTTP debug virtual server so the traffic can be traced in the clear. How to create a HTTP debug virtual server:

What if the private key is secured? If the private key was created with a passphrase, it can be decrypted via openssl:

Published Application Launch Process
Components: Remote End User (External); Access Gateway (DMZ); Web Interface (WI), STA and XML Service, XenApp (1494/2598) (Internal).
1) User clicks the application icon; the request is sent to Web Interface.
2) Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application.
3) XML Service returns the XenApp IP address.
4) Web Interface contacts the STA to exchange the XenApp IP address for a ticket.
5) Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket.
6) The ICA file is sent back to the client device.
7) The ICA Client sends the ICA request to the Access Gateway.
8) Access Gateway contacts the STA to validate the ticket and exchange the ticket for the XenApp IP address.
9) Access Gateway contacts XenApp to initiate the ICA session.
10) The ICA session is established.
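The security point of the launch process above is the STA indirection: the client only ever receives the gateway FQDN and a ticket, and the gateway trades that ticket for the internal XenApp address. The following Python is an added model of that indirection, not Citrix's STA protocol or any Citrix code: the `SecureTicketAuthority` class, the launch descriptor dictionary, the 100-second ticket lifetime and the addresses are all assumptions made for the example. It shows that the client-side artifact never contains the internal address, that a ticket redeems exactly once, and that an expired or unknown ticket is rejected.

```python
import secrets
from typing import Dict, Optional, Tuple


class ManualClock:
    """Deterministic clock so ticket expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class SecureTicketAuthority:
    """Model STA (assumption, not Citrix's implementation): hands out single-use,
    time-limited tickets that stand in for an internal XenApp address."""

    def __init__(self, ttl_seconds: float, clock=None) -> None:
        self._tickets: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds
        self.clock = clock or ManualClock()

    def request_ticket(self, xenapp_address: str) -> str:
        """Step 4: Web Interface exchanges the XenApp address for a ticket."""
        ticket = secrets.token_hex(16)  # unguessable and unrelated to the address
        self._tickets[ticket] = (xenapp_address, self.clock() + self.ttl)
        return ticket

    def validate_ticket(self, ticket: str) -> Optional[str]:
        """Step 8: Access Gateway validates the ticket and gets the address back.
        The ticket is consumed whether or not it is still valid."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None  # unknown or already redeemed
        address, expires_at = entry
        if self.clock() > expires_at:
            return None  # expired
        return address


def web_interface_launch(sta: SecureTicketAuthority, gateway_fqdn: str,
                         app_name: str, xenapp_address: str) -> Dict[str, str]:
    """Steps 4-6, after the XML Service has chosen the XenApp server: build the
    launch descriptor (the ICA file's role) sent to the client. It carries the
    gateway FQDN and the STA ticket, never the internal address."""
    ticket = sta.request_ticket(xenapp_address)
    return {"application": app_name, "gateway": gateway_fqdn, "sta_ticket": ticket}


def gateway_connect(sta: SecureTicketAuthority, ica: Dict[str, str]) -> Optional[str]:
    """Steps 7-9: the client presents the ticket to the gateway, which redeems it
    with the STA and, if valid, connects to the returned XenApp address."""
    return sta.validate_ticket(ica.get("sta_ticket", ""))


def leaks_internal_address(ica: Dict[str, str], xenapp_address: str) -> bool:
    """Check on the client-side artifact: the internal address must not appear in it."""
    return any(xenapp_address in value for value in ica.values())


if __name__ == "__main__":
    clock = ManualClock()
    sta = SecureTicketAuthority(ttl_seconds=100, clock=clock)
    ica = web_interface_launch(sta, "ag.example.com", "Notepad", "10.20.30.40")
    print(leaks_internal_address(ica, "10.20.30.40"))  # False
    print(gateway_connect(sta, ica))                   # 10.20.30.40
    print(gateway_connect(sta, ica))                   # None: ticket is single-use
```

This is why the STA must be reachable from both Web Interface and the gateway (see the port rules slide), and why an ICA file captured from a client is of no use on its own: without a live, unredeemed ticket the gateway has nothing to connect to.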

XenApp Integration: Web Interface Site Type
Specify the URL to the Virtual Server's FQDN. Web Interface must be able to resolve the FQDN.

XenApp Integration: Web Interface DMZ Settings
Set the DMZ Access Method to Gateway Direct.

XenApp Integration: Web Interface Gateway Settings
Specify the Access Gateway Virtual Server's FQDN as the Gateway Server.

XenApp Integration: Web Interface Gateway Settings
Enter the STA server URL address.

XenApp Integration: Session Profile Configuration
Web Interface Address: URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform.
ICA Proxy ON tells AGEE not to launch the Secure Access Client and enables SSO to WI.
Single Sign-On Domain defines the user's domain name.
Embedded Web Interface display format: Full or Compact.

XenApp Integration: Defining STA Server
The STA Server ID and State are monitored by AGEE. Multiple STA Servers can be defined for failover.

Troubleshooting SSL Related Errors (video)