Transcript Slide 1

Integrating and Troubleshooting Citrix Access Gateway
Basic Firewall and Port Rules
(Diagram: three zones, External / DMZ / Internal, with the ports that must be open between them.)
External -> DMZ:
• Remote End User -> AGEE VIP: 443, 80* (HTTP/TCP)   * Port 80 used for https redirect
• AGEE Admin -> appliance: 3010, 3008, 22 (TCP)
DMZ (from the SNIP or MIP) -> Internal:
• DNS: 53 (UDP)
• LDAP/LDAPS: 389/636 (TCP)
• WI: 80, 8080, 443 (HTTP/TCP)
• XenApp: 1494, 2598 (TCP)
• STA: 443, 80 (TCP/HTTP)
SmartAccess Workflow
(Diagram: zones External / DMZ / Internal. Components: Remote End User; AGEE VPN Virtual Server; Web Interface (WI); LDAP Directory Service on 389/636; STA and XML Service; XenApp. Ports shown: 443 from the user to AGEE, 80/443 from AGEE to WI. Step labels recoverable from the diagram:)
• User accesses the AGEE VPN Virtual Server URL.
• AGEE Pre-AuthN: EPA ActiveX download & client scan; EPA ActiveX sends results back to AGEE.
• On Pre-Authentication EPA success, AGEE returns login page; user supplies credentials to logon page.
• Access Gateway passes credentials to Directory Service for validation. Post-AuthN, the Session policy EPA option is checked and the Session policy EPA check results are kept for the session.
• 1) AGEE does a HTTP redirect to the Web Interface (the previously configured ‘-homepage’ website).
• 2) Citrix Web Interface returns 401 and …
• 3) Access Gateway next performs SSO to Web Interface via a custom AGCitrixBasic HTTP Header.
• 4) A SessionToken is also provided; WI makes a XML callback to AGEE with the credentials & EPA results, and AGEE validates them and returns the “smart access” application set to Web Interface.
• Web Interface generates the application set page and sends the web page back to the user.
Deeper Look at Security Scans – Pre-Auth
• Redirect to /epa/epa.html
• EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with a HTTP header called CSEC
• If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3. Example:
Deeper Look Into Smart Access
• Client logs in to Access Gateway and is redirected to Web Interface
• During this redirection the client sends a request to /auth/agesso.aspx
• Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, but this time with an authentication header
• Web Interface then validates the credentials via a POST back to Access Gateway
• If that connection succeeds, the Access Gateway then returns a 200 OK containing all the Smart Access information needed by Web Interface. Example:
How Did I Do That ????
Decrypting a Network Trace
• In order to be able to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via GUI:
• Or via the command line:
• Once the network trace has run it will be placed under /var/nstrace/
*** important: since this is SSL traffic the trace has to start before any request is made ***
• Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click on Edit and then Preferences. Select SSL under Protocols:
• Under RSA Key List you enter: <target IP>,<port>,<protocol>,<path to private key>
• Once that is done the traffic will be decrypted and you will be able to analyze it.
What if private key is not available?
How to create a HTTP debug virtual server:
What if private key is secured?
If the private key was created with a passphrase, it can be decrypted via openssl:
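A small shell helper for the passphrase case above, added here as an example (not from the original deck): it strips the passphrase from a PEM private key with openssl so Wireshark's RSA Key List can read it, confirms the result loads without a passphrase, and prints the matching RSA Key List entry. The key file, passphrase, IP and port are constructed sample values.

```shell
#!/bin/sh
# Strip the passphrase from a PEM RSA private key so Wireshark's SSL
# "RSA Key List" can read it (Wireshark cannot prompt for a passphrase).
# Usage: strip_key_passphrase <encrypted.pem> <passphrase> <plain.pem>
strip_key_passphrase() {
    in="$1"; pass="$2"; out="$3"
    # With no -aes*/-des* option, openssl rsa writes an unencrypted PEM key.
    openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null || return 1
    # The decrypted key is the virtual server's identity: owner-only access.
    chmod 600 "$out"
    # Confirm the key now loads with no passphrase at all.
    openssl rsa -in "$out" -passin pass: -noout -check >/dev/null 2>&1
}

# Return 0 if the PEM file is still passphrase-protected, 1 otherwise.
key_is_encrypted() {
    grep -q "ENCRYPTED" "$1"
}

# Build the Wireshark entry: <target IP>,<port>,<protocol>,<path to private key>
rsa_keylist_entry() {
    printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample: generate a passphrase-protected test key, then strip it
# and print the RSA Key List line for a (sample) VIP 192.0.2.10 on 443.
demo() {
    tmp=$(mktemp -d)
    openssl genrsa -aes256 -passout pass:demo-pass -out "$tmp/vip-enc.key" 2048 2>/dev/null || return 1
    strip_key_passphrase "$tmp/vip-enc.key" demo-pass "$tmp/vip.key" || return 1
    if key_is_encrypted "$tmp/vip.key"; then return 1; fi
    rsa_keylist_entry 192.0.2.10 443 http "$tmp/vip.key"
}

demo
```

Delete the unencrypted copy once the trace has been analyzed; only the passphrase-protected key should stay on disk.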
Published Application Launch Process
(Diagram: zones External / DMZ / Internal. Remote End User -> Access Gateway on 443; Access Gateway -> Web Interface on 80/443; Web Interface -> STA and XML Service on 80/443; Access Gateway -> XenApp on 1494/2598.)
1) User clicks application icon. Request is sent to Web Interface.
2) Web Interface contacts Citrix XML Service to determine least loaded XenApp hosting application.
3) XML Service returns XenApp IP address.
4) Web Interface contacts STA to exchange XenApp IP address for ticket.
5) Web Interface generates ICA file that includes Access Gateway FQDN and STA ticket.
6) ICA file is sent back to client device.
7) ICA Client sends ICA request to Access Gateway.
8) Access Gateway contacts STA to validate the ticket for the XenApp IP address.
9) Access Gateway contacts XenApp to initiate ICA session. ICA session is established.
XenApp Integration: Web Interface Site Type
(Diagram: Web Interface / Access Gateway / XenApp)
• Specify the URL to the Virtual Server’s FQDN
• Web Interface must be able to resolve the FQDN
XenApp Integration: Web Interface DMZ Settings
• Set the DMZ Access Method to Gateway Direct
XenApp Integration: Web Interface Gateway Settings
• Specify the Access Gateway Virtual Server’s FQDN as the Gateway Server
XenApp Integration: Web Interface Gateway Settings
• Enter the STA server URL address
XenApp Integration: Session Profile Configuration
• ICA Proxy ON tells AGEE not to launch the Secure Access Client
• ICA Proxy ON enables SSO to WI
• URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform
• Embedded Web Interface display format: Full or Compact
• Single Sign-On Domain defines the user's domain name
XenApp Integration: Defining STA Server
• The STA Server ID and State are monitored by AGEE
• Multiple STA Servers can be defined for failover
Troubleshooting SSL Related Errors