Citrix Technical Overview

Installing Citrix Secure Gateway

Andrew Wilmot
Citrix Technical Business Development Manager

IT
Citrix Secure Gateway Presentation

• Introduce Citrix Secure Gateway and explain how it

delivers secure access to applications and content from
the Internet.

• Review Citrix Portal products NFuse Classic, Enterprise

Services for NFuse, and NFuse Elite.

• Discuss the special requirements for configuring Citrix

Secure Gateway and NFuse on one Server.

• Go through the implementation step by step.

What is Citrix Secure Gateway?

• Citrix Secure Gateway is a secure

Internet gateway between MetaFrame®
servers and ICA Client workstations that
allows customers to simply and
securely deliver applications across the
Internet, on demand, to any device.
Introducing Citrix Secure Gateway 1.1

• Citrix Secure Gateway controls ICA traffic between the

Metaframe Server farm and the client on the Internet.

• It effectively ‘hides’ the Metaframe Server from the

Internet – access is obtained via a secure SSL
connection, brokered by CSG.

• CSG is a free product for users of Metaframe Xpa,s,e.

• Works in conjunction with NFuse Classic 1.7, NFuse

Elite 1.0, and Enterprise Services for NFuse 1.7.
NFuse Portal Products

• NFuse Classic 1.7

– Application Portal product providing end users with access
to published applications over the web.

• Enterprise Services for NFuse 1.7

– expands on NFuse Classic allowing you to publish
applications from multiple MetaFrame XP for Windows and
MetaFrame for UNIX server farms simultaneously.

• NFuse Elite 1.0

– Access Portal product that can be used as an Enterprise
Information Portal (EIP), combining information from many
sources in one place.
Why Secure Access?
• Remote Employee Access (B2E).
• Business Application Deployment (B2B).
• Consumer Applications (B2C).
• Business Continuity.
• Must be Secure.
• Must be Cost Effective.
• Must allow access from anywhere.
• Must support different client device types.
When to use Secure Gateway

• One or more servers to support.

• Want to hide internal network addresses.

• Want to secure from DMZ.

• Need highly secure remote access solution.

• Don’t want to use a VPN client.

• Need non-intrusive ICA client install i.e. access from

Internet cafes using JAVA client.
CSG Architecture

NAT 192.168.5.1-192.68.0.100

Secure Connectivity Authentication Access Mgmt

Citrix
Secure
Gateway

Client Citrix

ll a weri F
ll a weri F

Workstations NFuse

EXTERNAL DMZ LAN

csg.company.com 203.12.216.50 Citrix MF Server 192.168.0.100
citrix.company.com 203.12.216.51 Alt Address 192.168.5.1
ICA Port 1494
Ports to open Ports to open XML Port 8081
443 (Https and SSL) 80 (STA) IIS/STA Port 80
8081 (XML)
1494 (ICA)
CSG Traffic Flow
ICA/SSL DMZ
443
CSG ICA/1494 MetaFrame
ICA
ICA Client
Client
Server
Server Server Farm

.ICA file

Web Secure
Secure Web
Web
Browser 443 Server
Server

HTTP/S

Citrix XML
NFuse
NFuse
XML- Service
Service
HTTP/80
CSG Components
• CSG Service
– The CSG program itself.

• NFuse Classic or NFfuse Elite or ESNFuse

– Extensions are now built into NFuse and do not need to be installed separately
as they were in earlier versions.

• Secure Ticketing Authority

– Functions as a ticketing authority and issues ‘tickets’ to portal users client’s.
These form the basis of authentication and authorization for ICA connections
to a MetaFrame server.

• Single Server can be used for CSG/NFuse

– Certain steps must be taken to ensure that works successfully – see document
from Alstom.
CSG Ticketing

ICA/1494
ICA/SSL CSG
CSG
ICA
ICA Client
Client Server
Server Ticket MetaFrame
MetaFrame
Verification Server Farm
SSecure
ecure
ICA TTicketing
icketing
File Secure AAuthority
uthority
Web
Web Secure Web
Web
Browser
Browser Server
Server
Ticket Generation
Citrix XML
Service
Service
NFuse
NFuse Classic and CSG Connection Process
• User accesses NFuse Classic portal page over Https://
connection from Web browser and logs in.

• NFuse requests the published resources from the MF XML

Service, and the application page is populated with icons.

• User clicks on an application and address for the client is sent

to the Secure Ticket Authority (STA) and a ticket is requested.
The STA saves the IP address and issues the requested ticket
to CSG server.

• NFuse server generates an ICA file containing the ticket issued

by the STA and the FQDN of the CSG Server, and sends it to
the client’s Web browser.

• The Web browser passes the ICA file to the ICA Client, which
launches an SSL connection to the CSG server.
NFuse Classic and CSG Connection Process
• CSG server accepts the ticket from the ICA Client and uses
information in the ticket to identify and contact the STA for
ticket validation.

• If the STA is able to validate the ticket, it returns an IP

address of the MetaFrame server on which the requested
resource resides to the CSG server.

• CSG server receives the IP address for the MetaFrame server

and it establishes an ICA connection to the MetaFrame server.
CSG server monitors ICA data flowing through the connection,
and encrypts and decrypts client-server communication.
CSG Service
• Windows 2000 native Service
• Runs in DMZ, does not require IIS installed.
• Multi-threaded design (utilizes IO Completion Ports) for high
efficiency and throughput.
• Utilises Microsoft S-Channel for SSL functions.
• Server certificate required for SSL server authentication.
• Build large CSG arrays for scalability and fault tolerance using
industry standard external network load balancer.
• GUI configuration tool.
• Small benefit from PCI based SSL accelerators.
Secure Ticketing Authority

• Implemented as ISAPI DLL so requires IIS.

• Extremely lightly loaded.

• Easily configurable through UI tool.

• Redundant STAs can be defined.

• Should not be accessible from outside DMZ.

• Communicates with CSG and NFuse via XML protocol

over HTTP. Port configurable.
Encryption and Connectivity

• Secures ICA Traffic only.

• SSL v3.0 and TLS 1.0 with 128-bit encryption.

• Support for Public Key Infrastructure (PKIs).

• Single IP address is exposed to Internet.

• Ease of firewall traversal (uses port 443 only).

Citrix Secure
Gateway

ICA and SSL

ll a weri F

Citrix NFuse 1.6 Citrix MetaFrame XP w/

Technology Feature Release 1
SSL vs TLS
• SSL is an open, non-proprietary protocol that provides data
encryption, server authentication, message integrity, and
optional client authentication for a TCP/IP connection.

• TLS is the latest, standardised version of the SSL protocol. TLS

is an open standard and like SSL, TLS provides server
authentication, encryption of the data stream, and message
integrity checks.

• Support for TLS Version 1.0 is included in Feature Release 2 for

MetaFrame XP (Not in FR1) and clients from v6.30.

• Because there are only minor differences between SSL and

TLS, the server certificates you use for SSL in your MetaFrame
installation will also work for TLS.
New in CSG v1.1

• Windows 2000 certification.

• All logging to Windows system log.

• TLS v1.0 and SSL v3.0.

• No NFuse Extensions – Now native to NFuse Classic.

• Improved configuration Graphical User Interface –

NFuse Admin.

• Solaris edition.
CSG and Java Client

• Zero footprint Client – nothing to install on the local

machine.

• Client is downloaded and executed via the browser.

• Ideal for accessing applications securely from an

Internet Café.

• SSL Certificates from own MS Certificate Server as well

as commercial organisations can be used.
Installing Citrix Secure Gateway
• Configure DNS entries for NFuse/CSG Server.
• Install and configure W2K/Citrix Metaframe Server(s).
• Install and configure W2K/CSG/NFuse Server.
• Install MS Certificate Services on a W2K Server.
• Generate and Install Certificates.
• Install Secure Ticketing Authority.
• Install and configure NFuse.
• Install and configure Citrix Secure Gateway.
• Customise the NFuse login page.
Configure Network and DNS entries

• Open the ports required on the firewall.

• Reserve public IP addresses for CSG and NFuse.

• Configure A records in the DNS for citrix.company.com

and csg.company.com.
Install and Configure Metaframe Server

• Install Windows 2000 and IIS.

• Install Terminal Services in Application Compatibility

Mode.

• Install Service Pack 2.

• Install TS Post SP2 Hot Fix.

• Install Metframe XP – specify XML port as 8081 (if STA

on the same server).

• Add the Alternate Address (if NAT being used to DMZ) –

syntax is c:\altaddr /set 192.168.1.5

• Install the Secure Ticketing Authority.

Install and Configure CSG/NFuse Server

• Install Windows 2000 and IIS

• Install Windows 2000 Service Pack 2

• Dual Home the CSG/NFuse Server (second IP Address)

Configure CSG/NFuse Server - IIS

• Disable Socket Pooling

• Generate Certificate Requests

• Create Certificates using MS Certificate Authority

• Install Certificates
Certificate Server - Creating Certificates

• Install MS Certificate Services on a server.

• Select ‘Advanced’ use 1024 bit encryption.

• Issue Certifcate Request in IIS, use 1024 bit and name with
the domain name of the server eg. citrix.company.com.

• Issue another Certifcate request for eg. csg.company.com.

• Paste requests into Certicate Server.

• Generate Certificate and the Root Certificate.

• Install Certifcates on the CSG/NFuse Server.

Certificate Refresher

• How do I determine a • How do I determine a

person’s identity? server’s identity?
Server Certificates

• Server certificates are

unique to a particular
server name.

• The ‘subject’ of the

certificate is the FQDN
of the server.

• View the Certification

Path to find out which
certification authority
(CA) issued this
certificate.
Root Certificates
• Root certificates (CA
certificates) are self-signed
entities that are used to verify
server certificates.

• If you trust a CA, install their

root certificate.

• Windows ships with many pre-

installed CA certificates for
well-known CA’s.
–Verisign
–Baltimore
–RSA
–Thawte
Generating the Certifcate Requests

• Generate the requests from within IIS Admin on the

CSG/NFuse Server.
Installing the MS Certificate Server

• Use Add/Remove Programs>Windows Components, to

install MS Certificate Services on a Windows 2000
Server.
Creating the Certificate

• Go to URL http://[server]/certsrv to access the

Certificate Server.
Issue and Save the Certificate

• Use the MMC to issue pending certificates, then use the

Certificate Server to create and save them.
Creating the Root Certificate

• Go to the Certificate Server URL and select ‘Retrieve the

CA Certificate’.
Adding the Root Certificate

• Copy the Root Certificate to the machines and double

click on it to add it to the CSG/NFuse Server and the
Clients who will be connecting via CSG/NFuse.
Adding the Server Certificates in IIS

• From within IIS Admin, choose the Directory Security

TAB to install the Certificate.
Configure IIS to accept only SSL

• From within IIS Admin, choose Web Site TAB, and add
the SSL port 443. Then choose the Directory Security
TAB and ‘Edit’ under Secure Communications area.
Certificates Required – Web and CSG
• A Certificate is required for the NFuse web site, ie
https://citrix.company.com and also for the client to
authenticate using SSL to the CSG server, using the FQDN of
the CSG Server ie csg.company.com.

• To generate a second certificate, follow the procedure

discussed and instead of the ‘Default Web Site’, use the
‘Administration Site’ under IIS to generate the Certificate
Request and accept the created Certificate.

• There should be two certificates, plus a root certificate from the

Certification Authority generated.
– citrix.company.com (install under Default Web Site)
– csg.company.com (install under Administration Site)
– Root certificate
CSG/NFuse Server - Install NFuse

• Run the executable to install NFuse on the CSG/NFuse

Server.
CSG/NFuse Server - Install CSG

• Run the installation routine.

• Select the Certificate to use eg. csg.company.com.

• Set the IP Address that CSG will listen to port 443 on.

• Set the IP Address of the STA.

• Other settings can be left as default.

Installing the CSG Service

• Install the CSG Service - run the executable to install it

on the CSG/NFuse Server.
Installing the STA Service

• Run the executable to install the STA on the Metaframe

Server.
Configuring NFuse using NFuse Admin

• Graphical Administration Utility that edits nfuse.conf file

where configuration settings are stored.

• Default page http://[server]/Citrix/NFuseadmin.

• Specify Metaframe Server Address, XML Port.

• Configure for Citrix Secure Gateway here if required.

• Control ICA Client deployment, and Java client.

• Configure Server and Client side firewall settings.

NFuse Admin
NFuse Admin CSG Settings – MF Server

• Specify the address of the Metaframe Server and the

XML port.
NFuse Admin Settings - CSG

• Check ‘Citrix Secure Gateway’.

NFuse Admin Settings - CSG

• The FQDN of CSG server, ‘use alternate address of

Metaframe servers’ checked (if using NAT), as well as
address of the STA should be specified.
NFuse Classic 1.7 Login Page

• Default Page is http://server/Citrix/NFuse17

• NFuse.conf file is an ‘ini’ file that controls NFuse – edit

using NFuse Admin or manually.

• NFuse.conf is located under c:\Program

Files\Citrix\NFuse\conf directory.

• Can be customised – use a html editor eg FrontPage

and edit the login.asp file.
Default page for ‘citrix.company.com’

• Rather than change your web server document root,

create a file ‘default.asp’ and save under
c:\inetpub\wwwroot directory.

• Edit this file and add the line of code below:

<% Response.Redirect “/Citrix/Nfuse17/” %>

NFuse Classic 1.7 Login Page
NFuse Applications
NFuse Client Settings
Verify SSL Connectivity

• ICA Systray Icon, or the active Citrix window– right

click and choose properties or mouse over the
connection to display the encryption status.
MS Lockdown Tool for Security

• Microsoft IIS Lockdown tool can be used to secure an

IIS web server.

• Can be obtained from:

http://download.microsoft.com/download/iis50/
Utility/2.1/NT45/EN-US/iislockd.exe

• Choose ‘Advanced’ lockdown mode.

• Uncheck the option to disable support for ASP pages.

Redundancy using Two Nfuse Installations

• Reconfigure the DNS record to point to an alternate

server if one goes down.

• Configure a DNS record to round robin between the

Nfuse Servers. Disadvantage is that some users will not
be able to connect until the downed box is removed
from the DNS record.

• Use a network load balancer – best option but most

expensive.

• Utilise Network load balancing with Windows 2000

Advanced Server - similar to the solution above.
Citrix Portal Summary

• Citrix Portal solutions allow you to securely access your

applications from anywhere you can get to a PC with a
browser and an Internet connection.

• They are excellent solutions to use for Remote Access,

Wireless Mobility, Rapid Application Deployment and Business
Continuity purposes.

• CSG is a simple and cost effective solution to enable remote

access to Metaframe published applications when compared
to hardware/software based VPNs.

• NFuse Elite is a fully featured, flexible, easy to configure

Access Portal product, for use as an Enterprise Information
Portal.