Nelson Esteves NPG Escalation
Transcript of Nelson Esteves NPG Escalation
![Page 1: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/1.jpg)
Nelson Esteves
NPG Escalation
TECH304: Integrating and Troubleshooting Citrix Access Gateway Enterprise Edition
![Page 2: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/2.jpg)
Integrating Repeater with Access Gateway Enterprise
Agenda
Integration with Microsoft SharePoint
Security Expressions and Smart Access
Including Advanced Troubleshooting
![Page 3: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/3.jpg)
Integrating Repeater with Access Gateway Enterprise
![Page 4: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/4.jpg)
Branch Repeater Integration
Traffic between the client and the secure network is optimized before passing through the VPN tunnel (the diagram contrasts the optimized path with the not-optimized path).
![Page 5: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/5.jpg)
Deployment Architecture
• Remote and Mobile Workspaces: Access Gateway Plug-in and Branch Repeater Plug-in on the client
• Access Gateway: secure access to applications, desktops and networks
• Branch Repeater: compression and acceleration
• Data Center and Corporate Offices: file shares and web applications
![Page 6: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/6.jpg)
Branch Repeater Integration
Repeater integration is enabled/disabled through a Traffic Profile
![Page 7: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/7.jpg)
Branch Repeater Integration
Redirector mode: A traffic policy expression must be created for the signaling IP address of the Repeater appliance
Transparent mode: A traffic policy must be created which covers all backend servers the client is accessing
Only one Repeater traffic policy will be evaluated when bound at the virtual server level or globally
Enabling Repeater in a traffic policy will disallow Single Sign-On, File Type Association and HTTP authorization features
![Page 8: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/8.jpg)
Integration with Microsoft SharePoint
![Page 9: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/9.jpg)
Integration with Microsoft SharePoint
Access Gateway Enterprise Edition 9.0 can rewrite content from a SharePoint site so that it is available to users without requiring the Access Gateway Plug-in.
This avoids administrators having to deploy VPN access to users who only require access to SharePoint.
For the rewrite process to complete successfully, the Access Gateway must be configured with the Web address of each SharePoint server in your network.
In most environments where SharePoint is accessed externally, administrators have to configure what SharePoint calls Alternate Access Mappings.
![Page 10: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/10.jpg)
Integration with Microsoft SharePoint
Alternate Access Mappings in SharePoint 2007
TOO COMPLEX!!!
![Page 11: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/11.jpg)
Integration with Microsoft SharePoint
New with Access Gateway Enterprise is full support of Microsoft SharePoint via clientless access.
This means administrators no longer have to configure internet, intranet, etc. addresses (Alternate Access Mappings) for a SharePoint site.
With Access Gateway Enterprise Edition you now have full access to SharePoint and its features without having to deploy VPN access.
How to implement it? All it takes is one single configuration entry, and the rewrite engine makes the necessary changes to the SharePoint pages.
![Page 12: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/12.jpg)
Integration with Microsoft SharePoint
Powerful rewrite engine at work
Sample source page from original SharePoint page:
Same page via Access Gateway Enterprise on clientless access:
![Page 13: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/13.jpg)
Clientless Access to SharePoint
| Version | Supported |
|---|---|
| SharePoint Portal Server 2007 | Yes |
| SharePoint Portal Server 2003 | Yes |
| SharePoint Services for Windows 2003 Server R2 | Yes |
| SharePoint Services Service Pack 2 | Yes |
![Page 14: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/14.jpg)
Clientless Access to SharePoint
Supported operations:
• WISP
• Check-In
• Check-Out
• Version History
• View Properties
• Edit Properties
• Delete
• Alert Me
• Document download
• Document upload (single file)
• Document upload (multiple files)
• Document check-out
• Document check-in
• Single sign-on and graceful logout
![Page 15: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/15.jpg)
Security Expressions and Smart Access
![Page 16: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/16.jpg)
Policy Expressions
Example from the slide table:

| Name | Expression | Action |
|---|---|---|
| allow_ftp | DESTIP == 10.9.13.60 && DESTPORT == 21 | Allow |

Expressions:
• Can be single or compound
• Consist of a Name, Qualifier and Operator
• Are evaluated by AGEE to determine if a policy is applied
![Page 17: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/17.jpg)
Match All Expressions
Match All Expression will use the AND operator to form the expression.
Resulting Expression: av_5_TrendMicro_11_25 && av_5_TrendMicroOfficeScan_7_3
![Page 18: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/18.jpg)
Tabular Expressions
Tabular Expressions let you create custom compound expressions with the aid of graphical operators and a preview display.
![Page 19: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/19.jpg)
Advanced Free-Form
Expressions can be created and edited manually. The expression must however be a valid rule.
Useful for creating complex expressions, using custom qualifiers, using additional operators, and previewing an expression built using the other methods.
![Page 20: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/20.jpg)
Two policies bound at the Virtual Server bind point:

| Setting | Policy A (priority 10) | Policy B (priority 20) | Resulting Configuration |
|---|---|---|---|
| Home page | www.citrixsynergy.com | www.citrix.com | www.citrixsynergy.com |
| Split Tunnel | OFF | ON | OFF |
| Single Sign-on | not set | ON | ON |

Why?
• Policy results are aggregated from all policies that are true
• When the policy settings conflict, priority wins (the lower priority number takes precedence, so Policy A beats Policy B)
• When policy settings do not conflict, the results are cumulative from all policies that are true
![Page 21: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/21.jpg)
Three policies at different bind points, all with priority 0:

| Setting | Policy A (Global, priority 0) | Policy B (Virtual Server, priority 0) | Policy C (Group, priority 0) | Resulting Configuration |
|---|---|---|---|---|
| Home page | www.citrix.com | www.citrixsynergy.com | www.sales.com | www.sales.com |
| Split Tunnel | ON | not set | OFF | OFF |
| Single Sign-on | not set | OFF | ON | ON |
![Page 22: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/22.jpg)
Why?
• When policies are bound to different bind points with the same priority, the lowest (most specific) bind point wins
• Bind point order, from highest to lowest: Global, Virtual Server, Group, User
![Page 23: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/23.jpg)
Three policies at different bind points with different priorities:

| Setting | Policy A (Global, priority 10) | Policy B (Virtual Server, priority 20) | Policy C (Group, priority 30) | Resulting Configuration |
|---|---|---|---|---|
| Home page | www.citrix.com | www.citrixsynergy.com | www.sales.com | www.citrix.com |
| Split Tunnel | not set | not set | OFF | OFF |
| Single Sign-on | not set | OFF | ON | OFF |
![Page 24: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/24.jpg)
Same bind points and priorities, but Policy C now turns Split Tunnel ON:

| Setting | Policy A (Global, priority 10) | Policy B (Virtual Server, priority 20) | Policy C (Group, priority 30) | Resulting Configuration |
|---|---|---|---|---|
| Home page | www.citrix.com | www.citrixsynergy.com | www.sales.com | www.citrix.com |
| Split Tunnel | not set | not set | ON | ON |
| Single Sign-on | not set | OFF | ON | OFF |

Why?
• Higher priority settings (the lower priority number) take precedence over bind point order
• When policy settings do not conflict, the results are cumulative from all policies that are true
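As an added example (not code from the deck or from Citrix), the following Python reproduces both the expression evaluation described on the Policy Expressions slides and the precedence rules from the four slides above, and replays the slide scenarios. The expression syntax is the simplified form the slides use (`DESTIP == 10.9.13.60`; real NetScaler classic expressions are qualified, such as `REQ.IP.DESTIP`), the client context is a plain dict, an EPA scan name evaluates to the boolean stored under it, `&&` is assumed to bind tighter than `||`, and `ns_true` is assumed to be present in the context as an always-true flag. The bind point ranking Global < Virtual Server < Group < User is taken from the slides.

```python
"""Policy expression evaluation and session-policy precedence (added example)."""
from dataclasses import dataclass, field

# Slide 22: later bind points are more specific and win at equal priority.
BIND_RANK = {"Global": 0, "Virtual Server": 1, "Group": 2, "User": 3}


def _atom(term: str, ctx: dict) -> bool:
    """One qualifier test ("DESTPORT == 21") or one named EPA scan result."""
    for op in ("==", "!="):
        if op in term:
            left, right = (s.strip() for s in term.split(op, 1))
            hit = str(ctx.get(left, "")) == right
            return hit if op == "==" else not hit
    return bool(ctx.get(term.strip(), False))


def evaluate(rule: str, ctx: dict) -> bool:
    """Compound rule = OR of AND-clauses (assumed precedence: && before ||)."""
    return any(all(_atom(t, ctx) for t in clause.split("&&"))
               for clause in rule.split("||"))


@dataclass
class Policy:
    name: str
    bind_point: str
    priority: int
    rule: str
    settings: dict = field(default_factory=dict)   # only the keys it sets


def resolve(policies: list, ctx: dict) -> dict:
    """Merge every policy whose rule is true, as slides 20-24 describe:
    non-conflicting settings accumulate; on a conflict the lower priority
    number wins; at equal priority the later (more specific) bind point wins.
    Sorting so the winner is applied LAST lets dict.update do the merge."""
    hits = [p for p in policies if evaluate(p.rule, ctx)]
    hits.sort(key=lambda p: (-p.priority, BIND_RANK[p.bind_point]))
    merged = {}
    for p in hits:
        merged.update(p.settings)
    return merged


def allow_ftp(ctx: dict) -> bool:
    """The allow_ftp example from the Policy Expressions slide."""
    return evaluate("DESTIP == 10.9.13.60 && DESTPORT == 21", ctx)


def match_all_av(ctx: dict) -> bool:
    """The Match All example: both antivirus scans must be true."""
    return evaluate("av_5_TrendMicro_11_25 && av_5_TrendMicroOfficeScan_7_3", ctx)


# Context in which every policy rule below is true (constructed).
ALWAYS = {"ns_true": True}

# The three precedence scenarios, transcribed from the slides.
SLIDE20 = [
    Policy("A", "Virtual Server", 10, "ns_true",
           {"homepage": "www.citrixsynergy.com", "split_tunnel": "OFF"}),
    Policy("B", "Virtual Server", 20, "ns_true",
           {"homepage": "www.citrix.com", "split_tunnel": "ON", "sso": "ON"}),
]
SLIDE22 = [
    Policy("A", "Global", 0, "ns_true",
           {"homepage": "www.citrix.com", "split_tunnel": "ON"}),
    Policy("B", "Virtual Server", 0, "ns_true",
           {"homepage": "www.citrixsynergy.com", "sso": "OFF"}),
    Policy("C", "Group", 0, "ns_true",
           {"homepage": "www.sales.com", "split_tunnel": "OFF", "sso": "ON"}),
]
SLIDE24 = [
    Policy("A", "Global", 10, "ns_true", {"homepage": "www.citrix.com"}),
    Policy("B", "Virtual Server", 20, "ns_true",
           {"homepage": "www.citrixsynergy.com", "sso": "OFF"}),
    Policy("C", "Group", 30, "ns_true",
           {"homepage": "www.sales.com", "split_tunnel": "ON", "sso": "ON"}),
]

if __name__ == "__main__":
    for name, scenario in (("slide 20", SLIDE20), ("slide 22", SLIDE22), ("slide 24", SLIDE24)):
        print(name, resolve(scenario, ALWAYS))
```

The sort key is the whole trick: ordering by negated priority number and then by bind-point rank means the policy that should win is applied last, so a conflicting key is overwritten by the winner while keys only one policy sets survive untouched.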
![Page 25: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/25.jpg)
Basic Firewall and Port Rules
Zones on the diagram: External, DMZ, Internal.

| From | To | Ports |
|---|---|---|
| Remote End User | VIP | 443, 80* (HTTP/TCP) |
| AGEE Admin | NSIP | 443, 80 (TCP/HTTP), 3010, 3008, 22 (TCP) |
| NSIP | DNS | 53 (UDP) |
| NSIP | LDAP/LDAPS | 389/636 (TCP) |
| SNIP or MIP | XenApp, Web Interface, STA | 80, 8080, 443 (HTTP/TCP), 1494, 2598 (TCP) |

* Port 80 is used only for the redirect to HTTPS.
![Page 26: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/26.jpg)
SmartAccess Workflow
Ports on the diagram: Remote End User to Access Gateway 443; Access Gateway to Web Interface 80/443; Web Interface to STA and XML Service; Access Gateway to LDAP 389/636.
1. User accesses the AGEE VPN Virtual Server.
2. AGEE pre-authentication EPA: the EPA ActiveX control is downloaded and scans the client.
3. The EPA ActiveX control sends the results back to AGEE. On pre-authentication EPA success, AGEE returns the login page.
4. User supplies credentials to the logon page.
5. Access Gateway passes the credentials to the Directory Service (LDAP) for validation.
6. Post-authentication session policy EPA checks are done with the existing EPA ActiveX control; the results are returned to AGEE.
7. AGEE does an HTTP redirect to the website configured in the '-homepage' option (the Web Interface).
8. Web Interface returns a 401 and AGEE detects that this is a Web Interface server.
9. Access Gateway performs pass-through SSO to Web Interface via a custom AGCitrixBasic HTTP header. A SessionToken is also provided.
10. Web Interface makes an XML callback to the AGEE VPN Virtual Server URL preconfigured on Web Interface, presenting the SessionToken, to get the EPA results; AGEE returns the EPA results to Web Interface.
11. Web Interface sends the credentials and EPA results to the Citrix XML Service, which validates them and returns the user's "smart access" application set to Web Interface.
12. Web Interface generates the "Smart Access" application set page and sends it back to the user.
![Page 27: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/27.jpg)
Deeper Look at Security Scans – Pre-Auth
• The client is redirected to /epa/epa.html
• The EPA client sends a GET for /epaq, which causes the Access Gateway to return a 200 OK response with an HTTP header called CSEC
• If the security scan passes, the very next GET from the client will contain a value of 0 for the CSEC header. If the scan fails, the value will be 3. Example:
![Page 28: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/28.jpg)
Deeper Look Into Smart Access
• Client logs in to Access Gateway and is redirected to Web Interface
• During this redirection the client sends a request to /auth/agesso.aspx
• Web Interface denies access and requests credentials. Access Gateway then sends another request to /auth/agesso.aspx, this time with an authentication header
• Web Interface then validates the credentials via a POST back to Access Gateway
• If that connection succeeds, the Access Gateway returns a 200 OK containing all the Smart Access information needed by Web Interface. Example:
How Did I Do That ????
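The two exchanges above are what you look for in a decrypted trace when SmartAccess misbehaves. As an added example (not from the deck, not Citrix code), the following Python triages a text export of such a trace: it records per session whether the pre-auth EPA challenge on /epaq was answered with CSEC 0 or 3, whether the gateway later sent the AGCitrixBasic header to /auth/agesso.aspx, and flags the case where SSO went out without a passed EPA scan, which is what you would see if the pre-authentication policy is not bound to that virtual server. Only the paths, the CSEC values 0 and 3 and the AGCitrixBasic header name come from the slides; the line format, the session labels (assumed to be correlated by the analyst between the user-facing and Web Interface legs) and the sample trace are constructed for this example.

```python
"""Triage of EPA and Web Interface SSO exchanges in a decrypted AGEE trace (added example)."""
from dataclasses import dataclass, field

# Constructed export: session  leg(user|wi)  direction(>|<)  method-or-status  path  headers
# ">" is towards the far end (client->AGEE on the user leg, AGEE->WI on the wi leg),
# "<" is the reply. Headers are "-" or k=v;k=v with no whitespace.
SAMPLE_TRACE = """\
S1 user > GET /epa/epa.html -
S1 user > GET /epaq -
S1 user < 200 /epaq CSEC=
S1 user > GET /vpn/index.html CSEC=0
S1 wi > GET /auth/agesso.aspx -
S1 wi < 401 /auth/agesso.aspx -
S1 wi > GET /auth/agesso.aspx AGCitrixBasic=<redacted>
S1 wi < 200 /auth/agesso.aspx -
S2 user > GET /epa/epa.html -
S2 user > GET /epaq -
S2 user < 200 /epaq CSEC=
S2 user > GET /vpn/index.html CSEC=3
S3 wi > GET /auth/agesso.aspx -
S3 wi < 401 /auth/agesso.aspx -
S3 wi > GET /auth/agesso.aspx AGCitrixBasic=<redacted>
"""

# CSEC values named on the slide; anything else is reported as unknown.
CSEC_RESULT = {"0": "pass", "3": "fail"}


@dataclass
class SessionState:
    epa_challenged: bool = False      # saw 200 on /epaq carrying a CSEC header
    epa: str = "unknown"              # "pass" | "fail" | "unknown"
    wi_sso_sent: bool = False         # AGCitrixBasic sent to /auth/agesso.aspx
    anomalies: list = field(default_factory=list)


def parse_line(line: str):
    """Split one export line into its fields and a header dict."""
    sess, leg, direction, what, path, raw_headers = line.split(None, 5)
    headers = {}
    if raw_headers != "-":
        for kv in raw_headers.split(";"):
            k, _, v = kv.partition("=")
            headers[k] = v
    return sess, leg, direction, what, path, headers


def triage(trace: str) -> dict:
    """Walk the trace once and return {session: SessionState}."""
    states = {}
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        sess, leg, d, what, path, h = parse_line(raw)
        st = states.setdefault(sess, SessionState())
        if leg == "user" and d == "<" and what == "200" and path == "/epaq" and "CSEC" in h:
            st.epa_challenged = True                      # gateway asked for the scan
        elif leg == "user" and d == ">" and st.epa_challenged and "CSEC" in h and st.epa == "unknown":
            st.epa = CSEC_RESULT.get(h["CSEC"], "unknown")  # the very next GET answers it
        elif leg == "wi" and d == ">" and path == "/auth/agesso.aspx" and "AGCitrixBasic" in h:
            st.wi_sso_sent = True
            if st.epa != "pass":
                st.anomalies.append(
                    "AGCitrixBasic SSO sent to Web Interface without a passed pre-auth EPA scan")
    return states


if __name__ == "__main__":
    for sess, st in sorted(triage(SAMPLE_TRACE).items()):
        print(sess, st.epa, "sso" if st.wi_sso_sent else "no-sso", st.anomalies)
```

Session S3 is the interesting one: the gateway handed credentials to Web Interface although the trace holds no EPA exchange for it at all, so either the pre-auth policy is missing from that virtual server or the user leg was captured incompletely; both are worth checking before blaming Web Interface.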
![Page 29: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/29.jpg)
Decrypting a Network Trace
• In order to be able to analyze the data on the previous slide I had to run a network trace on the Access Gateway appliance. This can easily be done via the GUI:
• Or via the command line:
• Once the network trace has run it will be placed under /var/nstrace/
*** important: since this is SSL traffic the trace has to start before any request is made (Wireshark can only recover the session keys if it has captured the complete handshake, including the ClientKeyExchange) ***
• Once the trace is downloaded to a workstation that has Wireshark installed, open Wireshark, click on Edit and then Preferences. Select SSL under Protocols:
• Under RSA Key List you enter: <target IP>,<port>,<protocol>,<path to private key>
• Once that is done the traffic will be decrypted and you will be able to analyze it. This only works for sessions negotiated with RSA key exchange; if the virtual server negotiates a DHE or ECDHE cipher suite, the server's private key cannot recover the session key and the trace stays opaque.
![Page 30: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/30.jpg)
What if the private key is not available?
Create a plain-HTTP Access Gateway virtual server that is used only for debugging, so the same exchanges can be traced in the clear:
![Page 31: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/31.jpg)
What if the private key is secured?
If the private key was created with a passphrase, it can be decrypted via openssl. Keep the passphrase-free copy only for the duration of the analysis and delete it afterwards: it is the virtual server's private key in the clear.
![Page 32: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/32.jpg)
Published Application Launch Process
Ports on the diagram: Remote End User to Access Gateway 443; Access Gateway to Web Interface 80/443; Web Interface to STA and XML Service 80/443; Access Gateway to XenApp 1494/2598.
1. User clicks an application icon. The request is sent to Web Interface.
2. Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application. The XML Service returns the XenApp IP address.
3. Web Interface contacts the STA to exchange the XenApp IP address for a ticket.
4. Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket. The ICA file is sent back to the client device.
5. The ICA Client sends the ICA request to Access Gateway.
6. Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address.
7. Access Gateway contacts XenApp to initiate the ICA session. The ICA session is established.
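The point of steps 3 through 6 is that the client never learns the XenApp address: it only ever holds a ticket. As an added example (not Citrix code; the real Secure Ticket Authority speaks an XML protocol over HTTP to Web Interface and to the gateway), the following Python models the exchange with both sides and the properties the design depends on: the ticket is opaque and unguessable, it can be redeemed once, it expires, and the gateway only trusts the STA whose ID the ticket names. The ticket TTL of 100 seconds, the ICA key names, the STA ID and the gateway FQDN ag.example.com are assumptions.

```python
"""STA ticket exchange in the published-application launch (added example)."""
import secrets


class SecureTicketAuthority:
    """Issues and redeems tickets; holds the only mapping ticket -> XenApp address."""

    def __init__(self, sta_id: str, ttl: int = 100):
        self.sta_id = sta_id
        self.ttl = ttl                          # seconds a ticket stays valid (assumed)
        self._tickets = {}                      # ticket -> (xenapp_addr, expiry)

    def request_ticket(self, xenapp_addr: str, now: int) -> str:
        """Web Interface side (step 3): exchange a XenApp address for a ticket."""
        ticket = secrets.token_hex(16).upper()  # 128 random bits: not guessable
        self._tickets[ticket] = (xenapp_addr, now + self.ttl)
        return f"{self.sta_id};{ticket}"

    def validate(self, ticket: str, now: int):
        """Gateway side (step 6): redeem once; returns the address or None."""
        entry = self._tickets.pop(ticket, None)  # single use: gone after this call
        if entry is None:
            return None
        addr, expiry = entry
        return addr if now <= expiry else None


def web_interface_launch(sta: SecureTicketAuthority, xenapp_addr: str, now: int,
                         gateway_fqdn: str = "ag.example.com") -> dict:
    """Steps 3 and 4: get a ticket and build the ICA file handed to the client."""
    ticket = sta.request_ticket(xenapp_addr, now)
    # Assumed key names; the file names the gateway, never the internal server.
    return {"SSLProxyHost": f"{gateway_fqdn}:443", "Address": ticket}


def access_gateway_connect(stas: dict, ica: dict, now: int):
    """Steps 5 and 6: parse the ticket, ask the STA that issued it, connect or refuse."""
    sta_id, _, ticket = ica["Address"].partition(";")
    sta = stas.get(sta_id)                      # only STAs configured on the gateway
    if sta is None:
        return None
    return sta.validate(ticket, now)


def launch_sequence() -> dict:
    """Worked run: normal launch, replay of the same ICA file, expired ticket,
    and a ticket from an STA the gateway does not know."""
    sta = SecureTicketAuthority("STA01")
    stas = {"STA01": sta}
    ica = web_interface_launch(sta, "10.9.13.20", now=0)
    first = access_gateway_connect(stas, ica, now=5)          # "10.9.13.20"
    replay = access_gateway_connect(stas, ica, now=6)         # None: already redeemed
    stale = web_interface_launch(sta, "10.9.13.21", now=0)
    expired = access_gateway_connect(stas, stale, now=500)    # None: past the TTL
    rogue = web_interface_launch(SecureTicketAuthority("STA99"), "10.9.13.22", now=0)
    unknown = access_gateway_connect(stas, rogue, now=1)      # None: STA99 not configured
    return {"ica_leaks_ip": "10.9.13.20" in str(ica), "first": first,
            "replay": replay, "expired": expired, "unknown_sta": unknown}


if __name__ == "__main__":
    print(launch_sequence())
```

The last case is why the slide on defining STA servers matters: Web Interface and Access Gateway must point at the same STA set, and a ticket whose STA ID the gateway has not been told about is refused even though it is otherwise well formed.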
![Page 33: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/33.jpg)
XenApp Integration: Web Interface Site Type
Specify the URL to the Virtual Server's FQDN. Web Interface must be able to resolve the FQDN.
(Diagram: Web Interface, XenApp, Access Gateway)
![Page 34: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/34.jpg)
XenApp Integration: Web Interface DMZ Settings
Set the DMZ Access Method to Gateway Direct.
(Diagram: Web Interface, XenApp, Access Gateway)
![Page 35: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/35.jpg)
XenApp Integration: Web Interface Gateway Settings
Specify the Access Gateway Virtual Server's FQDN as the Gateway Server.
(Diagram: Web Interface, XenApp, Access Gateway)
![Page 36: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/36.jpg)
XenApp Integration: Web Interface Gateway Settings
Enter the STA server URL address.
(Diagram: Web Interface, XenApp, Access Gateway)
![Page 37: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/37.jpg)
XenApp Integration: Session Profile Configuration
• URL to the Web Interface site, e.g. HTTP(S)://wiserver/citrix/accessplatform
• ICA Proxy ON tells AGEE not to launch the Secure Access Client
• ICA Proxy ON enables SSO to WI
• Single Sign-On Domain defines the user's domain name
• Embedded Web Interface display format: Full or Compact
![Page 38: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/38.jpg)
XenApp Integration: Defining STA Server
• The STA Server ID and State are monitored by AGEE
• Multiple STA Servers can be defined for failover
(Diagram: Web Interface, XenApp, Access Gateway)
![Page 39: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/39.jpg)
Troubleshooting SSL Related Errors (video)
![Page 40: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/40.jpg)
Session Takeaways
• Only one Repeater traffic policy is evaluated at a time
• Integration with SharePoint requires every hostname SharePoint uses internally to be configured on the Access Gateway
• SmartAccess requires the name of the virtual server and policy for the XenApp policy to be applied
• When decrypting a network trace, start the trace before sending the first request
• Private keys can be decrypted if the passphrase is known
• An HTTP Access Gateway virtual server can be used for debugging
![Page 41: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/41.jpg)
Partner Training & Certification
Build your product expertise and maximize your sales potential with the latest Citrix training and certification:
Access Gateway
• CAG-200 Implementing Citrix Access Gateway 9.0 Enterprise Edition
• CMB-204 Implementing Citrix XenApp 5.0 for Windows Server 2008 with Access Gateway Enterprise Edition
• CCA for Citrix Access Gateway 9 Enterprise Edition
WANScaler
• CTX-1741AI Citrix WANScaler 4.3 and Citrix Branch Repeater: Administration
• CCA for Citrix WANScaler 4
Visit www.citrix.com/partnertraining to view a complete list of discounted Partner offerings and learn how to maintain compliance with Citrix Certification.
![Page 42: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/42.jpg)
Before you leave…
• Recommended related Summit breakout sessions:
  • TECH307: Advanced troubleshooting of Citrix NetScaler, Premier Ballroom 310, 2:30pm
  • TECH305: Troubleshooting tools and methodology for Citrix XenApp 5 environments, Premier Ballroom 310, 4:30pm
• Session surveys are available online at www.citrixsummit.com starting Monday, May 4
• Feedback is requested (giveaway provided)
• Download presentations starting Tuesday, May 12, from your My Schedule Tool located in your My Synergy Microsite event account
![Page 43: Nelson Esteves NPG Escalation](https://reader036.fdocuments.in/reader036/viewer/2022062423/56814d58550346895dba93e0/html5/thumbnails/43.jpg)