Integrating and Troubleshooting Citrix Access Gateway

Page 1: Integrating and Troubleshooting Citrix Access Gateway

Page 2

Basic Firewall and Port Rules

[Diagram: External | DMZ | Internal, with the following port rules]

Remote End User (External) -> VIP (DMZ): 443, 80* (HTTP/TCP)

* Port 80 used for HTTPS redirect

AGEE Admin -> NSIP: 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)

NSIP -> DNS: 53 (UDP)

NSIP -> LDAP/LDAPS: 389/636 (TCP)

SNIP or MIP -> XenApp, WI, STA (Internal): 80, 8080, 443 (HTTP/TCP); 1494, 2598 (TCP)

Page 3

SmartAccess Workflow

[Diagram: Remote End User (External) -> AGEE (DMZ) over 443; AGEE -> LDAP 389/636; AGEE -> WI 80/443; WI -> STA and XML, XenApp (Internal)]

1) User accesses the AGEE VPN Virtual Server.

2) AGEE Pre-AuthN EPA ActiveX download and client scan.

3) EPA ActiveX sends results back to AGEE.

4) On Pre-Authentication EPA success, AGEE returns the login page.

5) User supplies credentials to the logon page.

6) Access Gateway passes the credentials to the Directory Service for validation.

7) Post-AuthN AGEE Session policy EPA checks are done with the existing EPA ActiveX.

8) Session policy EPA check results are returned to AGEE.

9) AGEE does an HTTP redirect to the website configured in the ‘-homepage’ option.

10) Web Interface returns a 401 and AGEE detects that this is a Web Interface server.

11) Access Gateway next performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP header; a SessionToken is also provided.

12) Web Interface authenticates the credentials provided via the custom SSO AGCitrixBasic header.

13) WI makes an XML callback to a preconfigured-on-WI AGEE VPN Virtual Server URL with the previously provided SessionToken to get the EPA results.

14) AGEE returns the EPA results to WI.

15) Web Interface sends credentials and EPA results to the Citrix XML Service, which validates them and returns the user’s “smart access” application set to Web Interface.

16) Web Interface generates the “Smart Access” application set page and sends the web page back to the user.

Page 4

Deeper Look at Security Scans – Pre-Auth

• Redirect to /epa/epa.html

• EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with an HTTP header called CSEC

• If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3.
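As an added example (not from the deck), a small Python script that walks a decrypted header dump of the exchange above and reads the EPA verdict from the CSEC header on the first client request after GET /epaq. The sample conversation, the /vpn/index.html follow-up path and the CSEC challenge value on the 200 OK are constructed assumptions.

```python
# Added example: reconstruct the pre-auth EPA verdict from a decrypted HTTP header
# dump (messages separated by blank lines, e.g. exported from Wireshark).
CSEC_RESULT = {"0": "pass", "3": "fail"}   # CSEC values named on the slide
def parse_messages(dump):
    """Split the dump into (start_line, headers) tuples; header names lower-cased."""
    messages = []
    for block in dump.strip().split("\n\n"):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        headers = {}
        for hdr in lines[1:]:
            name, _, value = hdr.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages

def request_path(start_line):
    """Path of a request line, or None for a response status line."""
    parts = start_line.split()
    return None if start_line.startswith("HTTP/") or len(parts) < 2 else parts[1]

def epa_outcome(messages):
    """Return (verdict, csec_value, path): locate GET /epaq, skip the 200 OK that
    carries the CSEC header, then read CSEC from the very next client request."""
    seen_epaq = False
    for start_line, headers in messages:
        path = request_path(start_line)
        if path is None:                  # a response; the 200 OK lands here
            continue
        if path == "/epaq":
            seen_epaq = True
            continue
        if seen_epaq:
            value = headers.get("csec")
            if value is None:             # client never reported a scan result
                return ("unknown", None, path)
            return (CSEC_RESULT.get(value, "unknown"), value, path)
    return ("unknown", None, None)        # no /epaq handshake in the dump
# Constructed sample conversation, not captured traffic; the CSEC value on the
# 200 OK is not given on the slide, so a placeholder stands in for it.
EPA_PASS_DUMP = """GET /epa/epa.html HTTP/1.1

GET /epaq HTTP/1.1

HTTP/1.1 200 OK
CSEC: <challenge-placeholder>

GET /vpn/index.html HTTP/1.1
CSEC: 0
"""
EPA_FAIL_DUMP = EPA_PASS_DUMP.replace("CSEC: 0", "CSEC: 3")
```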

Page 5

Deeper Look Into Smart Access

• Client logs in to Access Gateway and is redirected to Web Interface

• During this redirection the client sends a request to /auth/agesso.aspx

• Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, but this time with an authentication header

• Web Interface then validates the credentials via a POST back to Access Gateway

• If that connection succeeds, the Access Gateway then returns a 200 OK containing all the Smart Access information needed by Web Interface

How Did I Do That ????

Page 6

Decrypting a Network Trace

• In order to be able to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI:

• Or via the command line:

• Once the network trace has run it will be placed under /var/nstrace/

*** important: since this is SSL traffic the trace has to start before any request is made ***

• Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click Edit and then Preferences, and select SSL under Protocols:

• Under RSA Key List you enter: <target IP>,<port>,<protocol>,<path to private key>

• Once that is done the traffic will be decrypted and you will be able to analyze it.

Page 7

What if private key is not available?

How to create an HTTP debug virtual server:

Page 8

What if private key is secured?

If the private key was created with a passphrase, it can be decrypted via openssl:

Page 9

Published Application Launch Process

[Diagram: Remote End User (External) -> Access Gateway (DMZ) over 443; Access Gateway -> WI 80/443; Access Gateway -> STA and XML 80/443; Access Gateway -> XenApp 1494/2598 (Internal)]

1) User clicks application icon. Request is sent to Web Interface.

2) Web Interface contacts Citrix XML Service to determine the least loaded XenApp server hosting the application. XML Service returns the XenApp IP address.

3) Web Interface contacts STA to exchange the XenApp IP address for a ticket.

4) Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket. The ICA file is sent back to the client device.

5) ICA Client sends the ICA request to Access Gateway.

6) Access Gateway contacts STA to validate the ticket and exchange it for the XenApp IP address.

7) Access Gateway contacts XenApp to initiate the ICA session. ICA session is established.

Page 10

XenApp Integration: Web Interface Site Type

Specify the URL to the Virtual Server’s FQDN. Web Interface must be able to resolve the FQDN.

Page 11

XenApp Integration: Web Interface DMZ Settings

Set the DMZ Access Method to Gateway Direct.

Page 12

XenApp Integration: Web Interface Gateway Settings

Specify the Access Gateway Virtual Server’s FQDN as the Gateway Server.

Page 13

XenApp Integration: Web Interface Gateway Settings

Enter the STA server URL address.

Page 14

XenApp Integration: Session Profile Configuration

• URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform

• ICA Proxy ON tells AGEE not to launch the Secure Access Client

• ICA Proxy ON enables SSO to WI

• Single Sign-On Domain defines the user’s domain name

• Embedded Web Interface display format: Full or Compact

Page 15

XenApp Integration: Defining STA Server

• The STA Server ID and State are monitored by AGEE

• Multiple STA Servers can be defined for failover

Page 16

Troubleshooting SSL Related Errors