Archive

Archive for the ‘Access Gateway’ Category

Access Gateway 5.0 – a deeper look – Part 2

November 19, 2011 Leave a comment

 

Meanwhile Citrix released Access Gateway 5.0.3 you can find the download here. A mycitrix account is necessary.

So, in “Access Gateway 5.0 – a deeper look – Part 1” I gave you an overview and demonstrated how to install and configure the appliance, now let’s take a look at the basic configuration. This is a sample configuration, of course there are other ways, especially regarding the network configuration.

This is only about the basic logonpoint to grant access to your XenApp/XenDesktop farm via ICA/HDX. Smart access is coming next in part 3.

The first thing you have to think about is: How do I reach my Access Gateway via browser after setting an IP address in the DMZ. The CAG has two interfaces, you can use one or both. I always prefer both NIC’s, it’s more secure. The first NIC is for external communication only on port 443. The second NIC is used for management and internal communication (also VPN traffic). This doesn’t mean that this interface is connected to your LAN, don’t do that, because you will bypass the firewall. In our environments we often have a “private DMZ” , it’s a transfer net for traffic that has to be passed from the DMZ in the LAN. So the first NIC has a public internet IP address or you use NAT on your firewall and the second interface is in a private DMZ and communicates with the LAN. Of course both interfaces can also be in the same DMZ.
You can only define one standard gateway, this is used for the external interface, you have to define one or more static routes for your internal interface if you operate in two networks.

First you have to change the management NIC of the CAG in the console:

image

After changing the management interface to eth1 you can connect to this IP address with a client in the same subnet. You can’t connect with a client on the secure LAN because you have to static route configured yet and the default gateway is configured for the external interface! I use a Windows 2003 or XP VM on the same Hypervisor and connect an additional NIC to the DMZ network. This VM gets a static temporary IP address, just for the initial setup of the appliance.

Your CAG should look similar to this on your XenServer or ESX host. Alternatively you have both NIC’s connected in the same DMZ network.

image

After you configured a Windows VM you can use for administration, use your browser on this server and navigate to https://172.26.3.12/lp/adminlogonpoint (use your IP instead, of course). Remember you need flash installed! Login with admin, admin and go to Networking.

 image

Make sure you set the proper hostname, this is the fully qualified domain name, that your users enter in the browser to access the logon page, also keep in mind that the certificate for your Access Gateway must match with this hostname. The first NIC should be external and the second NIC is for internal traffic and management. The default gateway is used for the external NIC eth0.

Here is my network setup:

Internal IP address (management): 172.26.3.12/24
External IP address: 172.26.11.12/24
Default Gateway: 172.26.11.1
   
Static routes: 10.0.0.0/8 via 172.26.3.1
  172.16.0.0/12 via 172.26.3.1
  192.168.0.0/16 via 172.26.3.1
   
DNS: 172.27.10.1
  172.27.10.2
 

 
  Next we configure one or more static routes for the internal communication. Navigate to “Static Routes” and show the CAG the way to you secure LAN’s.

image

 

The deployment mode is “Appliance only”, we don’t use an Access Controller

Make sure the date and time settings are correct, use a NTP server if possible (Port 123).

For the Access Gateway you need at least a platform license, you can use the appliance as the license server or your Windows server with Citrix License Server 11.9. If you want to use the windows server you have to open port 27000 and 7279 (Vendor Daemon Port) on your firewall. If you want to use SSL VPN (Smart Access LP) you also need an Access Gateway Universal License.

image

Next we need authentication profiles. Let’s start with a profile for MS Active Directory (LDAP).
Type your profile name, NETBIOS domain name for single sign on and select Active Directory. I recommend to secure the connection to your domain controllers (port 639) and open it on the firewall. The DC needs a certificate. Add at least one domain controller with fully qualified domain name (must match the certificate). The administrator DN must be user@domain.com. For Base DN (location of users) you can take your entire domain (DC=domain,DC=com) or define a specific organization unit. Leave the rest as default.

image

Network resources, device profiles and smart groups are not necessary for a basic logonpoint.

Always make sure you configure an ICA access control list. You have to define all XenApp /XenDesktop servers the Access Gateway has to access. Define a list for ICA (port 1494) and or CGP (port 2598). Make sure to open these ports on your firewall.

Also define one or two Secure Ticket Authorities and use secure connections if possible. Open port 443 (80) on your firewall.

The last step is the configuration of the basic logonpoint. Select new, define the name and use basic as type. Type the URL of your web interface site that is configured for Gateway Direct connections. The primary authentication profile is LDAP. Select single sign on to web interface.

image

On your web interface server, make sure you create a web interface site and select Access Gateway for authentication. Type the authentication service URL of the Access Gateway (https://cag.domain.com/CitrixAuthService/AuthService.asmx). The web interface server must have access to port 443 of the CAG and must be able to resolve the FQDN (entry in the hosts file, use the internal CAG IP). Open port 443 from LAN to DMZ.

image 

Specify Gateway direct as access method and configure the CAG and STA.

image

The network configuration is finished, we only need a server certificate for the Access Gateway. Simply change to “Certificates” and make a signing request. Make sure the certificate matches the FQDN of the CAG. Install the issued certificate and make it active.

That’s it, you should be able to connect to your CAG now!

Citrix Access Gateway 5.0 and Access Controller available for download

October 27, 2010 1 comment

Today Citrix released CAG 5.0 and the new Access Controller Software (formerly known as Advanced Access Control). You can download the VPX for XenServer/VMWare, the Access Controller for Windows 2008/2008 R2 and an ISO image/upgrade image for the model 2010 hardware appliance here (MyCitrix account required).

In my post “Access Gateway 5.0 a deeper look Part 1” I already informed you about the new features and the basic configuration of the CAG, part 2 is coming soon, it’s about configuring the CAG for remote access. Part 3 will concentrate on the Access Controller, so stay tuned…

Access Gateway 5.0 – a deeper look – Part 1

October 25, 2010 1 comment

In my post Access Gateway 5.0 on the way I gave you a quick overview of the new CAG 5.0. This new release will be available soon at the end of October.

So now is the time to look more closely… First here are the new features of Access Gateway 5.0:

Read more…

Access Gateway 5.0 on the way

October 10, 2010 Leave a comment

In Berlin I took a deeper look on CAG 5.0. I looks very smart, a complete new admin interface and user experience. Jay Tomlin from Citrix showed me the improvements and changes.

There will be no “Standard” and “Advanced” edition any more, like we know it from now. You can do lots more with only the appliance but without an Advanced Access Control server. The AAC server is still present and only runs on Windows 2008 R2, but not necessarily required.

The admin interface is browser based and runs with flash. All the net6 stuff is thrown overboard. The login page looks very nice, but at the moment the admin can’t do any customization, this will be possible later next year. There are improvements in the authentication progress and endpoint analysis.

The CAG VPX (virtual appliance) will run on XenServer and VMWare, probably on Hyper-V next year. In the future Citrix plans, to introduce the new GUI to all VPX products, like NetScaler/Access Gateway Enterprise.

CAG 5 will be available at the end of October, I can’t wait to implement it…

Categories: Access Gateway, XenServer

Select the Logonpoints for the Citrix Access Gateway Advanced 4.5 Hotfix 5

August 31, 2010 Leave a comment

If you have multiple Logonpoints for your Access Gateway and you don’t want your users to know the each LP name or the url of every LP, then I have a solution for you:

I modified the Login.ascx file which is placed in the the root folder of each Logonpoint.

Find line 48 (<!– content end –>) and after, add these lines:

Read more…

Categories: Access Gateway

Citrix Access Gateway 5.0 and new AAC Server coming soon

August 31, 2010 Leave a comment

I heard about a new Access Gateway these days, there is also a beta test for some users going on, I can’t tell you much about it, but I think CAG 5.0 will be released soon. In Q4 there will also be a new Advanced Access Control Server. It’s really time for an update, installing AAC 4.5 with Hotfix 5 on Windows 2003 x86 is not up to date… I’m looking forward to the new releases and I will keep you informed.

Categories: Access Gateway

Citrix released Access Gateway VPX

February 7, 2010 Leave a comment

I already told you about running the Access Gateway on a XenServer or VMWare ESX host. Now Citrix officially released a virtual appliance based on the CAG 4.6.2, it has the same features and characteristics.

This virtual appliance is for XenServer only, Hyper-V and ESX are not supported yet, but this could change in a couple of weeks…

Citrix also changed the license, new customers of the Access Gateway VPX now get a new Access Gateway Platform License with one year of subscription. Connections made through CAG to XenApp hosted apps or XenDesktop are now supported with a single license.
The Universal Platform License is also getting cheaper. You can change your CAG Standard licence (CCU) to the new license for free.

Read more…

Categories: Access Gateway
%d bloggers like this: