Transcript Slide 1
Integrating and Troubleshooting Citrix Access Gateway Basic Firewall and Port Rules External DMZ Internal 53 (UDP) 443,80* (HTTP/TCP) 389/636 (TCP) VIP Remote End User * Port 80 used for https redirect SNIP or MIP 80, 8080, 443 (HTTP/TCP) 1494, 2598 (TCP) DNS LDAP/ LDAPS XenApp WI STA 443,80 (TCP/HTTP) 3010, 3008 ,22 (TCP) AGEE Admin SmartAccess Workflow External DMZ Internal LDAP 389/636 443 80/443 Remote End User WI makes a XML callback to a 3) Access Gateway next performs passpreconfigured-on-WI AGEE VPN Virtual 1) AGEE does a HTTP redirect to the Web Interface Authenticates credentials User accesses AGEE VPN Virtual through SSO to Web Interface via a Web Interface “Smart Access” Server URL generates withinthe previously provided website configured ‘-homepage’ provided via custom SSO AGCitrixBasic Access Gateway passes Server User supplies credentials to credentials logon page.to custom AGCitrixBasic HTTP Header application set page andthe sends the web SessionToken to get EPA Results Post-AuthN AGEE Session policy EPA option Header Directory Service for validation. page back to user. Session policy EPA check results 4) A SessionToken is also provided checks done with the existing EPA Web Interface sends credentials & EPA AGEE Pre-AuthN EPA ActiveX EPA ActiveX sends results back to 2) Citrix WebXML Interface returns 401 and returned to AGEE ActiveX results to Service whichavalidates download & client scan AGEE On Pre-Authentication EPA success AGEEuser’s detects that this is a Web them and returns “smart access” AGEE returns login page Interface returns EPA results to WI applicationEE set to Webserver. Interface. WI STA and XML XenApp Deeper Look at Security Scans – Pre-Auth • Redirect to /epa/epa.html • EPA client sends a GET for /epaq which causes the • Access Gateway to return a 200 OK response with a HTTP header called CSE • If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3. Example: Deeper Look Into Smart Access • Client logs in to Access Gateway and is redirected to Web Interface • During this redirection the client sends a request to /auth/agesso.aspx • Web interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx but this time with an authentication header • Web Interface then validates the credentials via a POST back to Access Gateway • If that connection succeeds, the Access Gateway then returns a 200 OK containing all the Smart Access information needed by Web Interface. Example: How Did I Do That ???? Decrypting a Network Trace • In order to be able to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via GUI: • Or via the command line: • Once the network trace has run it will be placed under /var/nstrace/ *** important: since this is SSL traffic the trace has to start before any request is made *** • Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark click on Edit and then Preferences. Select SSL under Protocols: • Under RSA Key List you enter: <target IP>,<port>,<protocol>,<path to private key> • Once that is done the traffic will be decrypted and you will be able to analyze it. What if private key is not available? How to create a HTTP debug virtual server: What if private key is secured? If the private key was created with a passphrase, it can be decrypted via openssl: Published Application Launch Process External DMZ Internal XenApp 1494/2598 443 80/443 WI Remote End User 80/443 Web Interface Web Interface contacts generates Citrix XML ICA Service file that toincludes User clicks application icon. Request is ICA Client Access sends Gateway ICA request contacts to STA Access to validate Web Interface contacts STA to exchange Access Gateway contacts XenApp to ticket initiateand ICA session. determine Access least Gateway loaded XenApp FQDN and STA hosting ticket. ICA sent to Web Interface. Gateway. the ticket for the XenApp IP address. XenApp IP exchange address ticket. ICA for session isserver established. application. file is sent XML back Service to client returns device. XenApp IP address. STA and XML XenApp Integration: Web Interface Site Type Web Interface Access Gateway XenApp Specify the URL to the Virtual Server’s FQDN Web Interface must be able to resolve the FQDN XenApp Integration: Web Interface DMZ Settings Web Interface Access Gateway XenApp Set the DMZ Access Method to Gateway Direct XenApp Integration: Web Interface Gateway Settings Web Interface Access Gateway XenApp Specify the Access Gateway Virtual Server’s FQDN as the Gateway Server XenApp Integration: Web Interface Gateway Settings Web Interface Access Gateway XenApp Enter the STA server URL address XenApp Integration: Session Profile Configuration ICA Proxy ON tells AGEE not to launch the Secure Access Client ICA Proxy ON enables SSO to WI URL to the Web Interface site e.g. HTTP(S)://wiserver/citrix/accessplatform Embedded Web Interface display format Full or Compact Single Sign-On Domain defines the users domain name XenApp Integration: Defining STA Server Web Interface Access Gateway XenApp The STA Server ID and State are monitored by AGEE Multiple STA Servers can be defined for failover Troubleshooting SSL Related Errors Play Video