Number of slides: 42
Citrix Secure Gateway Technical Training. Presented by: Douglas A. Brown, Systems Engineer, Northern California, Citrix Systems, Inc.
Agenda
By the end of this session, you should be able to:
• Explain the role CSG plays in a MetaFrame deployment
• Explain the role of SSL certificates
• Install and configure the CSG Gateway, Secure Ticket Authority, NFuse 1.61 and the 6.20 ICA client to enable SSL connectivity through CSG
What Solution does CSG Enable?
Securely and simply deliver published applications across the Internet. Other components of this solution include:
• NFuse 1.61 or later (required)
• Secure web server and/or portal (e.g. Citrix XPS)
• Replaceable authentication (e.g. SecurID, smart card)
• SSL-enabled clients
What is CSG?
A gateway between an SSL-enabled ICA client and one or more MetaFrame servers. It tunnels ICA traffic inside SSL. It is limited to ICA only; it is not a general-purpose VPN. It runs independently of MetaFrame and links into NFuse for authorization. Three components:
• Citrix Secure Gateway Server (“the gateway”)
• Secure Ticket Authority (“STA”)
• Modified NFuse website
CSG Server with NFuse (architecture diagram)
CSG 1.0 Technical Requirements
Three Windows 2000 servers with SP2:
• CSG Gateway Server: server certificate
• Secure Ticket Authority: Microsoft Internet Information Server (IIS)
• NFuse 1.61 (or a modified earlier version): Microsoft Internet Information Server (IIS)
Plus a Win32, Java, Mac or Linux 6.20 ICA client and a MetaFrame server farm.
CSG 1.0 Marketing Requirements
Subscription Advantage customers only:
• CSG is being offered as a value-add to the Subscription Advantage program
• Customers who bought MetaFrame XP with Subscription Advantage will receive the option to download CSG from www.citrix.com/MyCitrix
• There is no technical enforcement of this requirement
CSG Versus SSL Relay
For ICA-SSL connectivity, CSG is easier to deploy than SSL Relay on the MetaFrame servers:
• SSL server certificates needed. SSL Relay: on every MetaFrame server. CSG: on the CSG Gateway server only.
• Unique external IP addresses needed. SSL Relay: for each MetaFrame server. CSG: for the CSG Gateway server only.
• Certificate format conversion. SSL Relay: install the certificate, export it to a file, convert the file to PEM format using keytopem.exe, and save it beneath SSLRelay\keystore\certs. CSG: just install the certificate.
• Other MetaFrame requirements. SSL Relay: XP with FR1 and DNS name resolution enabled. CSG: none (technically).
CSG Versus Extranet
Compared to Extranet, CSG is fairly limited. If you are already using Extranet, you don’t need CSG.
• Types of traffic. Extranet: all TCP traffic. CSG: ICA only.
• Authentication methods. Extranet: eleven possible methods of two-factor authentication. CSG: defers authentication to NFuse.
• Client software required. Extranet: ICA client plus an Extranet client. CSG: ICA client only.
Security spectrum, lowest to highest: ICA, Secure ICA, SSL Relay, CSG, Citrix Extranet.
Intro to SSL
Why SSL?
The threats:
• Server masquerading
• Network sniffers
Secure Sockets Layer (SSL) provides:
• Authentication: digital certificates prove identity on the Internet. This prevents “man-in-the-middle” or DNS spoofing attacks, provided the client actually validates the certificate chain and checks that the certificate was issued to the name it connected to.
• Encryption: using 128-bit key lengths. This prevents network sniffers from viewing your information.
SSL Certificates
SSL certificate requirements are a new thing for many of our customers. Be very careful; this can be difficult. Obtain certificates from:
• A private Certificate Authority (CA)
• A public CA
• An evaluation certificate from a public CA (Baltimore, VeriSign)
You may need to install the root CA certificate on the client. The Windows 6.20 ICA client supports all standard Windows CAs.
Could I see some ID please?
SSL certificates are like driver’s licenses:
• Issued to. Driver’s license: individual citizens. SSL certificate: individual users or servers.
• Issued by. Driver’s license: Department of Motor Vehicles (DMV). SSL certificate: Certifying Authority (CA).
• Verification mechanism. Driver’s license: DMV hologram, well-known license format. SSL certificate: CA digital signature, public key, thumbprint.
• Application requirements. Driver’s license: birth certificate, Social Security number, etc. SSL certificate: business license, Dun & Bradstreet number, etc.
• Public usage. Driver’s license: prove identity; operate a vehicle on public roads. SSL certificate: prove identity; operate a secure web server on public networks.
• I trust it because. Driver’s license: I trust the DMV to scrutinize applicants. SSL certificate: I trust the CA to scrutinize applicants.
Server Certificates
Server certificates are unique to a particular server name: the “subject” of the certificate is the FQDN of the server. Server certificates also include fields (key usage and extended key usage) dictating what the certificate can be used for. View the Certification Path to find out which CA issued the certificate (it may be a chain of CAs).
Root Certificates
Root certificates (aka CA certificates) are self-signed certificates that are used to verify server certificates. If you trust a CA, install its root certificate. Windows ships with many pre-installed CA certificates for well-known CAs:
• VeriSign
• Entrust
• Baltimore
• RSA
• Thawte
Sample Certificate Placement (diagram): the client needs the root certificate, the server needs a server certificate.
Default Root Certificates
Root certificates need to be installed into the Windows operating system. To see which certificates are installed, use MMC or IE.
Installing CSG
CSG Installation Steps
• Read The Friendly Manuals: the Getting Started Guide and the Administrator’s Guide
• Fill out the “Installation Checklist”
• Install the software in the correct order:
  1. Secure Ticket Authority
  2. CSG Gateway Service
  3. CSG NFuse Extensions (or use NFuse 1.61 or Columbia 6.0)
Important: Print the Checklist
The CSG distribution includes an installation checklist that takes the guesswork out of installing the components. It is recommended that you sketch your network, print this page, fill in the blanks, and then begin installing the servers.
Extract the Self-Expanding exe
CSG comes in the form of a single self-expanding exe file, SetupCSG.exe. Execute this file to expand its contents and start the installation process.
Example Installation
CSG uses three machines:
1. Secure Ticket Authority (STA)
   • Fully qualified domain name (FQDN): sta01.company.com
   • Machine pre-loaded with Windows 2000 Server (SP2) and IIS 5.0
2. CSG Gateway Server
   • FQDN: snowy1.csg-gw.company.com
   • Machine pre-loaded with Windows 2000 (SP2)
3. NFuse 1.61 Server
   • FQDN: nfuse.company.com
   • Machine pre-loaded with Windows 2000 Server (SP2) and IIS 5.0
   • NFuse 1.61 installed
CSG also includes example scripts and documentation to help you integrate CSG functionality into an existing NFuse website.
Easy install (demo)
Server Certificates
A server certificate must be obtained and installed for your CSG Gateway machine. The certificate must be issued to the FQDN of the CSG (“Snowy”) gateway, that is, the name clients connect to (snowy1.csg-gw.company.com in the example installation). The CSG Administrator’s Guide provides in-depth information regarding server certificates.
Checking Installed Server Certificates
Run MMC on the CSG gateway machine and add the “Certificates” snap-in (for the Local Computer account). Ensure that the server certificate is installed in the Local Computer\Personal\Certificates store. Double-click the certificate shown to check that it is OK: the subject must be the gateway FQDN, the validity dates must cover today, and the Certification Path must end at a root certificate the clients trust.
Connecting Through CSG
To launch an application, simply click on the application’s link as you would in NFuse normally. You can confirm that the connection is 128-bit SSL by opening the ICA Connection Center (look for the small padlock icon).
You can also see the security status of the connection via the Client Connection Status dialog on the client.
Relay Mode
If NFuse is not an option, it is possible to install CSG in “relay mode”, where no STA ticket is required. This is not secure: the STA ticket is what ties each ICA connection to an NFuse logon, so without it anyone who can reach the gateway port can attempt an ICA connection through it. Use relay mode only when NFuse is not an option. It is impossible to switch between normal mode and relay mode; you must explicitly install CSG in relay mode. To do so:
    msiexec /i csg_gwy.msi RELAYMODE=1
Troubleshooting
There is a great step-by-step troubleshooting section and detailed explanations of error messages in the Administrator’s Guide (RTFM). Troubleshooting tips:
• Ensure that you can ping all machines in your CSG system by their FQDN.
• Using netstat, ensure that your CSG gateway machine is listening on port 443 (https).
• Using netstat, ensure that your Secure Ticket Authority machine is listening on port 80 (http).
• Ensure that you are using version 6.20 or higher of the ICA client.
• Check that all of your system clocks are in sync; clock skew can cause certificates (and STA tickets, which time out) to be treated as invalid.
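The certificate rules from the SSL section (the subject must be the gateway FQDN, the chain must end at a trusted root, the dates must be valid) and the troubleshooting tips above can be scripted from the client side of the network. The following is an added example written for this page; it is not Citrix code and is not part of the CSG distribution. It assumes the host names of the example installation, a five-minute clock-skew tolerance, and that a private CA’s root is supplied as a PEM file. The live probes need network access; the name and date checks operate on the dictionary that ssl.SSLSocket.getpeercert() returns, so they can be exercised offline.

```python
"""Pre-flight checks for a CSG deployment (added example; not Citrix code).

Host names are the ones from the example installation; change them for
your own deployment.
"""
import socket
import ssl
import time

GATEWAY_FQDN = "snowy1.csg-gw.company.com"  # from the example installation
STA_FQDN = "sta01.company.com"
NFUSE_FQDN = "nfuse.company.com"
CLOCK_SKEW_SECONDS = 300  # assumption: tolerate five minutes of clock drift


def cert_names(cert):
    """Names a certificate is issued to, in the dict shape returned by
    ssl.SSLSocket.getpeercert(): subjectAltName DNS entries first, then
    the subject commonName (all that CSG-era certificates carried)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, fqdn):
    """Case-insensitive comparison; a leading '*.' covers exactly one label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if not pattern.startswith("*."):
        return pattern == fqdn
    first, dot, rest = fqdn.partition(".")
    return bool(first) and dot == "." and rest == pattern[2:]


def hostname_matches(cert, fqdn):
    """True if the certificate was issued to the name clients connect to."""
    return any(_name_matches(name, fqdn) for name in cert_names(cert))


def validity_problem(cert, now=None, skew=CLOCK_SKEW_SECONDS):
    """None if `now` (epoch seconds; default: this machine's clock) lies inside
    the certificate's validity window, allowing `skew` seconds of drift;
    otherwise a short description of the problem."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now + skew < not_before:
        return "certificate not yet valid: compare this machine's clock with the CA's"
    if now - skew > not_after:
        return "certificate expired"
    return None


def port_open(fqdn, port, timeout=3.0):
    """Resolve `fqdn` and open a TCP connection: the client-side view of the
    'ping by FQDN' and 'netstat shows the port listening' checks."""
    try:
        with socket.create_connection((fqdn, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_gateway(fqdn=GATEWAY_FQDN, port=443, cafile=None):
    """Do the TLS handshake an ICA client does and return a list of problems
    (empty means OK). OpenSSL verifies the chain against the trusted roots
    (pass a private CA's root PEM as `cafile`) and the dates; the name check is
    done here so the report can say which names the certificate carries."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # reported by hostname_matches() below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain and validity dates still enforced
    try:
        with socket.create_connection((fqdn, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate rejected: {exc.verify_message}"]
    except OSError as exc:
        return [f"cannot complete a TLS handshake with {fqdn}:{port}: {exc}"]
    problems = []
    if not hostname_matches(cert, fqdn):
        problems.append(f"certificate issued to {cert_names(cert)}, not to {fqdn}")
    reason = validity_problem(cert)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for host, port in ((GATEWAY_FQDN, 443), (STA_FQDN, 80), (NFUSE_FQDN, 80)):
        print(f"{host}:{port} reachable: {port_open(host, port)}")
    print("gateway certificate problems:", probe_gateway() or "none")
```

Run it once from an external client and once from the NFuse server; a certificate that validates on the gateway but is rejected from outside usually means the clients are missing the root (private CA) or the subject is not the external FQDN. Running validity_problem on two machines with the same certificate dictionary and different results points at clock skew.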
Perfmon Counters
On the Secure Gateway server:
• Active Session Count
• Client Connections Accepted
• Client Connections Failed
• Client Connections Timed Out
• Peak Active Clients
• Peak Client Connection Attempts
• Global Clients to Gateway Bytes
• Global Clients to Gateway Packets
• Global Gateway to Client(s) Bytes
• Global Gateway to MetaFrame server Bytes
• Global MetaFrame server to Gateway Bytes
• Global MetaFrame server to Gateway Packets
• MetaFrame Connections Failed
• MetaFrame Connections Successful
• STA Data Requests Failed
• STA Data Requests Successful
• Peak STA Data Requests
• STA Save Tickets Failed
• STA Save Tickets Successful
• Peak STA Save Tickets
On the Secure Ticket Authority server:
• STA Bad Data Request Count
• STA Bad Save Request Count
• STA Good Data Request Count
• STA Good Save Request Count
• STA Good Ticket Request Count
• STA Peak Data Request Rate
• STA Peak Save Request Rate
• STA Peak Ticket Request Rate
• STA Save Request Rate
• STA Ticket Timeout Count
Further Reading
• Citrix Secure Gateway Administrator’s Guide
• Citrix Secure Gateway Getting Started Guide
• White paper: Using the Citrix SSL Relay Service
• SSL and TLS Essentials, by Stephen Thomas, ISBN 0-471-38354-6
Thank You, and Now Everything Computes Securely. But wait… there is more.
What is Project Columbia?
Project Columbia 6.0 is a sample NFuse 1.6 website that has been customized by Citrix Technical Support to address common configuration issues. The web pages included in Project Columbia 6.0 are based on the default example site included with NFuse 1.6, but have been customized to implement additional features.
Features of Project Columbia
Project Columbia adds support for the following:
• Override the web server’s default MetaFrame server farm address.
• Identify multiple XML services per server farm for fault tolerance and load balancing.
• Merge application sets from multiple server farms.
• Serve internal users and external users connecting through network address translation from the same website.
• Alter the size and layout of application icons.
• Hide applications or folders by name.
• Offer the user a menu of domains during logon.
Features of Project Columbia (continued)
• Route ICA sessions through client-side SOCKS proxy servers.
• Route users to multiple internal MetaFrame servers through a single external IP address using port address translation.
• Allow users to change expired NT 4 or Windows 2000 Active Directory domain passwords.
• Force the installation or upgrade of ICA clients for Windows users who do not already have an ICA client installed, or who have an old ICA client installed.
System Requirements
The following requirements apply to the web server hosting the Project Columbia files:
• Windows 2000 with IIS 5.0
• NFuse 1.6
• Active Directory Services Interface (ADSI) 2.5 or later
• VBScript engine 5.0 or later
• Active Server Pages 3.0 or later
The config.txt File
Project Columbia includes a file named config.txt in which you indicate how the features of Columbia should be implemented. After changing config.txt you must either restart the World Wide Web Publishing service or unload the ASP application in Internet Services Manager, then revisit the website.
The config.txt File
Sample config.txt entries include:
    NFuse_Farm=farm one,1,server2,server3
    NFuse_NumberOfColumns=3
    NFuse_IconPercent=50
    NFuse_DomainList=CITRIX,accounts
    NFuse_InternalNetworks=10.,192.168.
    NFuse_PortMap=192.168.0.1,24.25.16.203:1494
    NFuse_IgnorePortMaps=10.,192.168.
    NFuse_ChangePasswordMode=HTML
    NFuse_PushWin32WebClient=THIN
    NFuse_Win32WebClientVersion=6,20,985,0
    NFuse_EmbedApplications=off
    NFuse_EmbedMethod=3
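The internal-network and port-map keys above are what let one website serve internal users and NAT’d external users, and route several internal MetaFrame servers through one external address by port. The following is an added illustration of how those keys combine, written for this page; it is not Project Columbia’s own ASP code, and the semantics are my reading of the key names: a client whose address starts with an NFuse_IgnorePortMaps prefix is handed the server’s real address on the ICA port, every other client is handed the external address:port from the NFuse_PortMap entry for that server, and NFuse_InternalNetworks classifies the client. The sample configuration is constructed for the example and adds a second port-map line to show port address translation.

```python
"""Columbia config.txt keys, worked through (added example, not Citrix code).

The address-selection rules are an assumption based on the key names.
"""
DEFAULT_ICA_PORT = 1494  # the ICA port shown in the deck's sample port map

# Constructed sample; the second NFuse_PortMap line is added to show PAT.
SAMPLE_CONFIG = """\
NFuse_Farm=farm one,1,server2,server3
NFuse_NumberOfColumns=3
NFuse_InternalNetworks=10.,192.168.
NFuse_PortMap=192.168.0.1,24.25.16.203:1494
NFuse_PortMap=192.168.0.2,24.25.16.203:1495
NFuse_IgnorePortMaps=10.,192.168.
"""


def parse_config(text):
    """key=value lines; a key that repeats (NFuse_PortMap) keeps every value."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"config.txt line without '=': {raw!r}")
        config.setdefault(key.strip(), []).append(value.strip())
    return config


def csv(config, key):
    """Comma-separated items of every value stored under `key`."""
    return [item.strip() for value in config.get(key, [])
            for item in value.split(",") if item.strip()]


def in_networks(ip, prefixes):
    """Dotted-prefix match. '10.' must not match 100.1.2.3, so a prefix written
    without its trailing dot gets one added before comparing."""
    return any(ip.startswith(p if p.endswith(".") else p + ".") for p in prefixes)


def client_is_internal(client_ip, config):
    """NFuse_InternalNetworks decides whether the user is an internal user."""
    return in_networks(client_ip, csv(config, "NFuse_InternalNetworks"))


def port_maps(config):
    """{internal_ip: (external_ip, external_port)} from the NFuse_PortMap lines;
    a map without an explicit port is taken to mean the ICA port."""
    maps = {}
    for value in config.get("NFuse_PortMap", []):
        internal, _, external = value.partition(",")
        ext_ip, _, ext_port = external.strip().partition(":")
        maps[internal.strip()] = (ext_ip.strip(),
                                  int(ext_port) if ext_port else DEFAULT_ICA_PORT)
    return maps


def ica_address(server_ip, client_ip, config):
    """The address:port to write into the ICA file handed to `client_ip` for a
    session on MetaFrame server `server_ip`."""
    if in_networks(client_ip, csv(config, "NFuse_IgnorePortMaps")):
        return f"{server_ip}:{DEFAULT_ICA_PORT}"  # client can reach it directly
    external = port_maps(config).get(server_ip)
    if external is None:
        return f"{server_ip}:{DEFAULT_ICA_PORT}"  # no map: plain NFuse behaviour
    return f"{external[0]}:{external[1]}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for client in ("10.1.1.5", "192.168.7.7", "203.0.113.9"):
        kind = "internal" if client_is_internal(client, cfg) else "external"
        print(client, kind, ica_address("192.168.0.2", client, cfg))
```

The trailing-dot handling in in_networks is the check worth keeping even if nothing else is reused: a prefix list like 10.,192.168. is only safe because of the dots, and an entry typed as 10 would otherwise classify every 100.x.x.x client as internal and hand it an address that bypasses the port map.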
How Do I Get a Copy?
Columbia 6.0 is now available for download and discussion at the Citrix Developer Network site: www.citrix.com/cdn
Watch this space for Columbia updates! Send feedback to: Project-Columbia@citrix.com