Citrix Access on SonicWALL SSL VPN

Document Scope

This document describes how to configure and use Citrix bookmarks to access Citrix through SonicWALL SSL VPN 3.5. It also includes information about configuring relevant settings on a Citrix server.

This document contains the following sections:
• “Feature Overview”
• “Administrator Tasks for Configuring Citrix Access”
• “User Tasks for Configuring Citrix Access”
• “Technical FAQs”
• “Glossary”

Feature Overview

This section provides an introduction to accessing Citrix through SonicWALL SSL VPN using Citrix bookmarks. This section contains the following subsections:
• “What are Citrix Bookmarks?”
• “Benefits of Citrix Bookmarks”
• “Accessing Citrix Applications via an SSL VPN”
• “Supported Platforms”

What are Citrix Bookmarks?

SonicWALL SSL VPN uses bookmarks to access Citrix services, which are supported as a third-party application running on a separate server. Citrix is a remote access, application sharing service, similar to Terminal Services such as RDP. It employs an application virtualization technology, in which an application is hosted on a central server. There are many management capabilities over a Citrix deployment such as allocation of priority and a minimum set of resources to certain users, and data synchronization between different server farms.

Citrix uses the ICA protocol to communicate with the client. The Citrix ICA Client is now renamed as the Citrix XenApp Web plug-in. With the Citrix XenApp Web plug-in, users can access Windows applications as a service available from anywhere.

Benefits of Citrix Bookmarks

Using SonicWALL SSL VPN to access Citrix provides the following benefits:
• Secure access – SonicWALL SSL VPN provides secure access from anywhere.
• Granular Control – Bookmarks, access policies, and other SSL VPN features provide full access control.
• Strong Authentication – SonicWALL SSL VPN supports various strong authentication methods which provide an added layer of security to your Citrix applications.
• Consolidated access – The SonicWALL SSL VPN Virtual Office portal can provide multiple Citrix bookmarks from a single location.

Some of the benefits of using Citrix to virtualize applications are the following:
• Reduces the expense of individual application licenses for each user. You can purchase one copy of the application for your Citrix server along with a limited number of access licenses. When the client access limit is reached, clients must wait to connect to the Citrix server.
• Facilitates auditing and reporting. You can track who uses which applications and when they are accessed.
• CPU-intensive applications can run on a powerful Citrix server, allowing access by less-powerful clients.
• Operating system and file system security may be better on a Citrix server than on client systems or systems accessed with RDP.
• Citrix provides load balancing.
• Citrix can act as a Web gateway providing comprehensive access policies.

Accessing Citrix Applications via an SSL VPN

There are two ways to use Citrix that are supported by SonicWALL SSL VPN:
• The agent or client behaves seamlessly, accessing the application on the Citrix server as soon as the user logs into the client. This method is supported by SonicWALL SSL VPN NetExtender.
• The user accesses the application on the remote Citrix server through a Web interface. SonicWALL SSL VPN Bookmarks support this access method.

SonicWALL SSL VPN provides secure remote Citrix access in a fashion similar to Remote Desktop access. This provides a subset of Citrix functionality, since it does not support Program Neighborhood functionality, but is sufficient for access to any Citrix application or desktop.
Citrix can be compared to applications that use the Remote Desktop Protocol (RDP), in that both allow clients to access remote systems or servers. The fundamental difference is that RDP provides terminal session access control with access to the remote desktop itself, including the C drive and system files, whereas with Citrix, client access is usually restricted to application level access.

Access to the Citrix desktops and applications requires installation of client software, although this software ranges from a full stand alone client fully integrated into Windows (Start Menu, Context menus) to a lightweight installation of an ActiveX control or a download of a Java applet.

Citrix servers and applications are accessible through the Citrix NFuse portal. Access to the NFuse portal is provided by the SonicWALL SSL VPN HTTP/HTTPS reverse proxy feature. After the Citrix server is configured, the SonicWALL SSL-VPN appliance administrator creates one or more Citrix (reverse proxy) bookmarks for use by client users.

Client users initiate a Citrix session by first logging into the SonicWALL SSL VPN Virtual Office portal and then clicking on the Citrix bookmarks to the NFuse server. After authenticating with the NFuse portal, the user will see the Citrix applications and desktops that are accessible to him/her. This interface is provided by the Citrix server, but is reverse-proxied by the SSL-VPN appliance. When the user clicks on an application icon, Internet Explorer launches an ActiveX control similar to the one used by Remote Desktop, while other browsers use the Java version which launches an applet.

Citrix support requires Internet connectivity in order to download the ActiveX client or the Java applet from the Citrix Web site. The server will automatically decide which Citrix client version to use.

Citrix is accessed from Internet Explorer using ActiveX by default, or from other browsers using Java.
Java can be used with Internet Explorer by selecting an option in the bookmark configuration in SonicWALL SSL VPN. For Citrix access using Java, the Java applet download uses HTTP which is likely to have outbound access based on usual firewall deployments.

When using the Java applet, the local printers are available in the Citrix client. However, under some circumstances it might be necessary to change the Universal Printer Driver to PCL mode.

Supported Platforms

Citrix bookmarks with ActiveX and Java applet Citrix support are available on SonicOS SSL VPN 2.0 or newer for the SSL-VPN 2000 and 4000 appliances, and on SonicOS SSL VPN 3.5 and newer for the SRA 4200.

The following XenApp or Presentation Servers are supported:
• Presentation Server 4.5 (with Web Interface 4.5)
• Presentation Server 4.0
• MetaFrameXP Feature Release III

Citrix client software is available as either an ActiveX plugin (for Internet Explorer only) or a Java plugin. The Citrix ActiveX client is supported on systems running Windows XP with Internet Explorer 6.0 or higher. The Java plugin can be used with Internet Explorer, Firefox, Safari, or Opera browsers on Windows XP, Vista, Linux, or Mac OS client systems as noted in Table 1. For browsers requiring Java to run Citrix, you must have Sun Java 1.4 or above.

Table 1   Citrix (Java 1.4+) Client - Supported Browsers per OS

Internet Explorer:  Windows XP 6.0 or higher; Windows Vista 7.0 or higher
Firefox:            Windows XP 2 or 3; Windows Vista 2 or 3; Linux 2 or 3; Mac OS X 2 or 3
Safari:             2
Opera:              9 (see note 1); 9 (see note 1)

1. MetaFrameXP FR3 works, but Presentation Server 4 login screen is not accessible.

The following Presentation Server clients are supported:
• XenApp Web Plug-in (previously called Windows ICA client) version 11.0 or earlier
• ICA Java client version 9.0 or earlier
• The minimum supported version of the Citrix ICA Client for Vista is 10.0

Single sign-on is not supported for the Web Interface authentication or within the Citrix session.

Administrator Tasks for Configuring Citrix Access

This section contains the following subsections:
• “Deployment Scenario”
• “Assumptions and Dependencies”
• “Configuring Authentication on the Citrix Server”
• “Creating a Citrix Access Policy”
• “Creating a Citrix Bookmark”
• “Editing a Citrix Bookmark”

Deployment Scenario

The recommended deployment scenario for Citrix environments places the Citrix server(s) on the LAN behind a SonicWALL Unified Threat Management (UTM) appliance acting as the gateway firewall. A SonicWALL SSL-VPN or SRA 4200 appliance is connected to a firewall interface in the DMZ. Traffic passing between the SSL-VPN and the LAN passes through the UTM appliance where it is examined for threats.

[Figure: deployment diagram. Labels: Remote Users, Internet Zone, Router, SonicWALL UTM Firewall (PRO 5060; interfaces X0, X1, X2), Switch, DMZ, Secure Remote Access (SRA 4200), LAN, Citrix Servers, Apps/Email/AD/SQL]

Assumptions and Dependencies

• The administrator must have the Citrix Web Interface installed and functioning for the Citrix installation.
• Microsoft Loopback hotfix (KB884020) is required, although this can be avoided if the ActiveX control does not use loopbacks higher than 127.0.0.1.
• ActiveX: Users must have enough privileges in order to be able to install an ActiveX control if they don’t already have one installed.
• Java: JRE 1.4.x and above is required by the Citrix Java client. If a lower version is detected, the connection is refused and the user is advised to upgrade Java.
• ActiveX & Java: Firewall rules must allow for Internet Explorer and for the JRE to be able to open server sockets on the system.
• Java: The SonicWALL SSL-VPN appliance must have a DNS server set up (critical).

Configuring Authentication on the Citrix Server

You can configure the Citrix server for anonymous or authenticated access. If you select anonymous access, you can configure the Citrix server for explicit, or forms-based, authentication to make sure that there is at least some type of authentication available for users. See the following sections:
• “Configuring Anonymous or Authenticated Access”
• “Configuring Explicit Authentication on the Citrix Server”

Configuring Anonymous or Authenticated Access

Microsoft IIS Manager must be configured on the Citrix server to enable anonymous access for Citrix. When Windows Integrated Authentication is configured on IIS and the Citrix server is accessed by a client through the SonicWALL SSL-VPN, the SSL-VPN will display a message indicating that it does not support the HTTPS authentication scheme used by Citrix.

To configure authentication for Citrix access through SonicWALL SSL VPN, perform the following steps:

Step 1   On the Citrix server (a Windows Server system), click Start > All Programs.
Step 2   Select Administrative Tools > Internet Information Services (IIS) Manager.
Step 3   In the Internet Information Services (IIS) Manager window, expand the entries for the local computer, Web Sites, Default Web Site, and Citrix.
Step 4   Under Citrix, right-click the service name, for example MetaFrame, and select Properties from the right-click menu.
Step 5   In the MetaFrame Properties window, click the Directory Security tab.
Step 6   Under Authentication and access control, click Edit.
Step 7   For anonymous access to the Citrix server, select the Enable anonymous access check box in the Authentication Methods window. (To configure authenticated access, skip to Step 12.)
Step 8   In the User name field, type in the account name to be used for anonymous access or click Browse to select it from the account list.
Step 9   In the Password field, type in the password for this account.
Step 10  Click OK.
Step 11  An IIS Manager dialog box warns that the anonymous authentication option will result in unencrypted passwords being transmitted over the network except when HTTPS or SSL connections are used. Since we are using HTTPS/SSL in this case, you can safely click Yes to continue.
Step 12  To configure authenticated access to the Citrix server rather than anonymous access as described above, clear the Enable anonymous access check box in the Authentication Methods window.
Step 13  Under Authenticated access, select the Basic authentication (password is sent in clear text) check box.
Step 14  Click OK.

Configuring Explicit Authentication on the Citrix Server

Explicit, or forms-based, authentication is used in conjunction with the anonymous access setting on Microsoft IIS to provide some form of authentication for users. The administrator selects the Explicit authentication method on the Citrix server, if it is not already selected. If only anonymous authentication is configured, Citrix may automatically detect it and force Explicit authentication, which will present a login form to the user. Explicit authentication performs the necessary encryption.

To configure explicit authentication on the Citrix server, perform the following steps:

Step 1   Log in to the Citrix server as the administrator, open the Start menu, and click Access Suite Console for Presentation Server.
Step 2   In the MetaFrame Presentation Server window, expand Suite Components > Configuration Tools > Web Interface, and then select the MetaFrame URL, for example: http://CTX-EDU-1.csm.demo/Citrix/MetaFrame.
Step 3   In the middle pane under Common Tasks, click Configure Authentication Methods.
Step 4   In the Configure Authentication Methods window, for the Specify Authentication Methods step, select the Explicit check box.
Step 5   Select the desired settings for Enforce 2-factor authentication and Allow user to change password.
Step 6   Click Next.
Step 7   For the Define Selected Method Settings step, select the Windows or NIS (UNIX) radio button.
Step 8   Click Next.
Step 9   For the Specify Authentication Type Settings step, under Domains, select the Display Domain field radio button.
Step 10  Click the Add button and add your domain, if necessary.
Step 11  Select Selection in the Optionally, specify domains for drop-down list, and select your domain.
Step 12  Click Next.
Step 13  For the Check Summary step, verify your settings and then click Finish.

Creating a Citrix Access Policy

You can configure access policies on the SonicWALL SSL-VPN appliance to provide different levels of access to the Citrix server. There are three levels of access policies: global, group, and user. You can deny or permit access to the Citrix server by creating access policies for a Citrix server IP address, an IP address range (for a server farm), or a network object.

User policies take precedence over group policies and group policies take precedence over global policies, regardless of the policy definition. For policies at the same level, the most specific policy takes precedence.

Tip   When using Citrix bookmarks, in order to restrict proxy access to a host, a Deny rule must be configured for both Citrix and HTTP services.
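
The precedence rules and the Tip above can be checked with a small model. This is an added example, not SonicWALL code or the appliance's actual algorithm. It assumes that "most specific" means the longest address prefix, that a policy naming a service outranks one covering all services, that DENY wins an exact tie, and that unmatched traffic is permitted; the policy names and addresses are constructed, and the service labels "Citrix" and "HTTP" come from the Tip.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Higher rank wins: user over group over global, as the text above states.
LEVEL_RANK = {"global": 1, "group": 2, "user": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    level: str                     # "user", "group" or "global"
    target: str                    # host ("10.0.5.20") or network ("10.0.5.0/24")
    action: str                    # "PERMIT" or "DENY"
    service: Optional[str] = None  # None means the policy covers every service

    def matches(self, dest_ip: str, service: str) -> bool:
        # Policies apply to the destination (the Citrix server), not the source.
        net = ipaddress.ip_network(self.target, strict=False)
        return (ipaddress.ip_address(dest_ip) in net
                and self.service in (None, service))

    def rank(self) -> Tuple[int, int, bool, bool]:
        net = ipaddress.ip_network(self.target, strict=False)
        # 1. policy level (from the page)
        # 2. longer prefix counts as more specific (assumption)
        # 3. a named service beats "any service" (assumption)
        # 4. DENY wins an exact tie (assumption)
        return (LEVEL_RANK[self.level], net.prefixlen,
                self.service is not None, self.action == "DENY")


def decide(policies: List[Policy], dest_ip: str, service: str,
           default: str = "PERMIT") -> Tuple[str, Optional[str]]:
    """Return (action, winning policy name) for one destination and service."""
    hits = [p for p in policies if p.matches(dest_ip, service)]
    if not hits:
        return default, None  # assumed default when nothing matches
    best = max(hits, key=Policy.rank)
    return best.action, best.name


def still_reachable(policies: List[Policy], host: str,
                    services=("Citrix", "HTTP")) -> List[str]:
    """Services through which the reverse proxy can still reach the host."""
    return [s for s in services if decide(policies, host, s)[0] == "PERMIT"]


# Constructed sample policy set.
BASE = [
    # A host-specific global DENY still loses to a broader group PERMIT.
    Policy("global-deny-host21", "global", "10.0.5.21", "DENY"),
    Policy("group-permit-farm", "group", "10.0.5.0/24", "PERMIT"),
]
# Incomplete restriction: DENY for the Citrix service only.
CITRIX_ONLY = BASE + [
    Policy("user-deny-citrix", "user", "10.0.5.20", "DENY", "Citrix"),
]
# Restriction as the Tip requires: DENY for both Citrix and HTTP.
BOTH = CITRIX_ONLY + [
    Policy("user-deny-http", "user", "10.0.5.20", "DENY", "HTTP"),
]

if __name__ == "__main__":
    print("level beats specificity:", decide(BASE, "10.0.5.21", "Citrix"))
    print("Citrix-only deny leaves:", still_reachable(CITRIX_ONLY, "10.0.5.20"))
    print("Citrix + HTTP deny leaves:", still_reachable(BOTH, "10.0.5.20"))
```

Running `still_reachable` over each restricted host after a policy change is a quick way to catch a Deny rule that covers only one of the two services.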

For more information about access policies, including policy hierarchy rules, see the “Users Configuration” chapter in the SonicWALL SSL VPN 3.5 Administrator’s Guide.

The procedure is the same for configuring user, group, or global access policies, except for the initial page (Users > Local Users or Users > Local Groups) and the selection of either a user, a group, or the global option for which to configure the policy.

To configure an access policy for a user, perform the following steps:

Step 1   In the SonicWALL SSL VPN management interface, navigate to Users > Local Users (or Users > Local Groups).
Step 2   Click the configure icon next to the user (or group or Global Policies) that you want to configure.
Step 3   In the Edit User Settings window, select the Policies tab.
Step 4   Click Add Policy... to display the Add Policy window.
Step 5   In the Add Policy window, in the Apply Policy To drop-down list, select whether the policy will be applied to an individual host, a range of addresses, or a network object. You can also select an IPv6 host or a range of IPv6 addresses. The Add Policy dialog box changes depending on what type of object you select in the Apply Policy To drop-down list.

Note   The SonicWALL SSL VPN policies apply to the destination address(es) of the SonicWALL SSL VPN connection (the Citrix server), not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SonicWALL SSL VPN gateway with a policy created on the Policies tab. However, it is possible to control source logins by IP address with a login policy created on the user's Login Policies tab.

Step 6   Type a descriptive name into the Policy Name field.
Step 7   Do one of the following, depending on your selection in the Apply Policy To field:
• Type an IP address in the IP Address field.
• Type a starting IP address in the IP Network Address field and type a subnet mask value in the Subnet Mask field in the form 255.255.255.0.
• Select the network object from the Network Object drop-down list. The port number is included in the network object definition.
Step 8   In the Port Range/Port Number field, optionally enter a port range or an individual port.

Note   The Citrix Web interface and Citrix ICA server listen on different ports, typically 80/443 and 1494 respectively, which are both needed for a Citrix session. When creating a port-based access policy, you will need to create two policies in order to specify both ports. Standard TCP ports used by Citrix are mentioned in the knowledge base article available at: http://support.citrix.com/article/CTX101810

Step 9   In the Service drop-down list, optionally select one of the following:
• Citrix Portal (Citrix) – Select this if the Citrix bookmark uses HTTP
• Citrix Portal (Citrix_https) – Select this if the Citrix bookmark uses HTTPS
If the Citrix server can be accessed using either HTTP or HTTPS, then you may need to create two access policies, one for each service. An IP address based policy may be simpler in this case.
Step 10  In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 11  Click Add.

Creating a Citrix Bookmark

You can configure a Citrix bookmark for a user or for a group. The procedure is the same, except for the initial page (Users > Local Users or Users > Local Groups) and the selection of either a user or a group for which to configure the bookmark.

To configure a Citrix bookmark for a user, perform the following steps:

Step 1   In the SonicWALL SSL VPN management interface, navigate to Users > Local Users.
Step 2   Click the configure icon next to the user you want to configure.
Step 3   In the Edit User Settings window, select the Bookmarks tab.
Step 4   Click Add Bookmark...
Step 5   Enter a descriptive name for the bookmark in the Bookmark Name field.
Step 6   Enter the name or IP address of the bookmark in the Name or IP Address field.

Note   A Citrix bookmark will accept a port option with the IP address (IP_address:portnum).

Step 7   From the Service drop-down list, select Citrix Portal (Citrix). The display will change.
Step 8   To enable SSL encryption for communication between the SSL-VPN appliance and the Citrix server, select the HTTPS Mode check box.
Step 9   Optionally select the Always use Java in Internet Explorer checkbox to use Java to access the Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or XenApp Web plug-in (an ActiveX client) must be used with Internet Explorer. This setting lets users avoid installing a Citrix ICA client or XenApp Web plug-in specifically for Internet Explorer browsers. Java is used with Citrix by default on other browsers and also works with Internet Explorer. Enabling this check box leverages this portability. When using the Java applet, the local printers are available in the Citrix client. However, under some circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Step 10  Click Add.

Editing a Citrix Bookmark

You can edit an existing Citrix bookmark by clicking the edit icon on the Virtual Office page.

To edit an existing Citrix bookmark, perform the following steps:

Step 1   In the SonicWALL SSL VPN management interface, navigate to the Virtual Office page.
Step 2   Click Show Edit Controls to expose the Edit and Delete icons for each bookmark.
Step 3   Click the Edit icon for the bookmark you wish to edit.
Step 4   In the Edit Bookmark page, you can view information about the available settings.
Step 5   To make changes to the Bookmark Name, Name or IP Address, or Description fields, type in the new value(s).
Step 6   To change the ability of users to edit the bookmark, select a new value from the Allow user to edit/delete drop-down list. The default is Use user policy.
Step 7   To enable SSL encryption for communication between the SSL-VPN appliance and the Citrix server, select the HTTPS Mode check box.
Step 8   To force Internet Explorer to use the Citrix Java applet rather than the default ActiveX control, select the Always use Java in Internet Explorer check box. This setting lets users avoid installing a Citrix ICA client or XenApp Web plug-in specifically for Internet Explorer browsers. When using the Java applet, the local printers are available in the Citrix client. However, under some circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Step 9   Click OK.

User Tasks for Configuring Citrix Access

Access to the Citrix server and its shared applications is provided with bookmarks on the SonicWALL SSL VPN Virtual Office portal. The administrator may have created either ActiveX or Java bookmarks. When the user launches a Citrix bookmark, the interaction is identical to reverse proxy browsing until an application icon is clicked. At that point a window containing an ActiveX control or a Java applet will pop up.

Users might encounter several warnings and dialog boxes the first time they launch a Citrix application. The causes for these are certificate mismatches, applet security warnings, ActiveX security warnings, and pop-up blocking.

For the ActiveX version to be functional, the XenApp Web plug-in (which was previously called Windows ICA client) must be installed on the client machine.
If the client machine does not have a pre-installed ICA client, then the ActiveX control invokes an installer that downloads the necessary plugin and prompts the user for installation. The user has to go through the installation process only once, and will not be prompted for installation again for future Citrix sessions. This step requires connectivity to www.citrix.com from the SSL-VPN appliance.

See the following sections for information about using ActiveX or Java bookmarks for Citrix access:
• “Using ActiveX Bookmarks”
• “Using Java Bookmarks”

Using ActiveX Bookmarks

To access applications on the Citrix server with a Citrix (ActiveX) bookmark, perform the following steps:

Step 1   Using an Internet Explorer browser, log in to the SonicWALL SSL-VPN Virtual Office portal where the Citrix bookmarks are available.
Step 2   Click the desired bookmark to access the Citrix server, such as the Web Interface for MetaFrame Presentation Server.
Step 3   Type your Citrix credentials into the User name and Password fields, select the appropriate domain from the Domain drop-down list, and click the Log In button.
Step 4   If pop-ups are blocked when the MetaFrame Presentation Server applications are displayed, you will see a warning from your Internet Explorer browser. Click OK in the dialog box, and then enable pop-ups for this site. To enable pop-ups, perform the following steps:
   a. In your browser, navigate to Tools > Internet Options.
   b. In the Internet Options window, click the Privacy tab.
   c. Under Pop-up Blocker, click the Settings button.
   d. In the Pop-up Blocker Settings window, type the IP address of the Citrix server into the Address of website to allow field, click Add, and then click Close.
   e. In the Internet Options window, click OK.
Step 5   In the Citrix Web Interface window, click the desired application, such as Microsoft Word.
Step 6   If you see a warning that the page contains both secure and nonsecure items, click Yes in the dialog box to display all items.
Step 7   The Citrix Web Client (an ActiveX control) must be running on your system in order to access the application. If this ActiveX control is not installed on your system, the Citrix server attempts to download it for you. The server displays a message to wait while the Citrix Web Client loads. If you see a warning in a yellow bar at the top of the display, click in the yellow bar and select Install ActiveX Control in the popup menu.
Step 8   In the Security Warning dialog box, click Install.
Step 9   You are prompted to log in to the Citrix server. Enter your credentials (you do not have to be an Administrator) and select the domain, and click OK.
Step 10  The shared application opens and you may begin using it.
Step 11  When you are finished, save your changes and close the application. On the Citrix Web Interface page, click the Log Off button to log off the MetaFrame Presentation Server.

Using Java Bookmarks

To access applications on the Citrix server with a Citrix (Java) bookmark, perform the following steps:

Step 1   Using any supported browser, log in to the SonicWALL SSL-VPN Virtual Office portal where the Citrix bookmarks are available.
Step 2   Click the desired bookmark to access the Citrix server, such as the Web Interface for MetaFrame Presentation Server.
Step 3   If you see a certificate warning such as those shown below, click the Yes or Run button to continue.
Step 4   In the Citrix Web Interface window, type your Citrix credentials into the User name and Password fields, select the appropriate domain from the Domain drop-down list, and click the Log In button.
Step 5   Click the desired application, such as Microsoft Word.
Step 6   You are prompted to log in to the Citrix server. Enter your credentials (you do not have to be an Administrator) and select the domain, and click OK.
Step 7   If you are using Internet Explorer with Java, you may see a warning dialog that the page uses Java. Click OK.
Step 8   The application opens and you may begin using it.
Step 9   When you are finished, save your changes and close the application. On the Citrix Web Interface page, click the Log Off button to log off the MetaFrame Presentation Server.

Technical FAQs

How do I find more technical information about Citrix?

Technical information is available at the following links:
• http://www.citrix.com
• http://en.wikipedia.org/wiki/Citrix

Glossary

Basic Authentication – For Citrix bookmarks and other HTTP transactions, using basic authentication means that the client requests a Web page, the server responds with an authentication request, the user sees a popup login window and enters his or her credentials, the user name and password are encoded with the Base 64 algorithm (not for security, but rather to encode non-HTTP-compatible characters), the encoded credentials are appended to the Web page request and sent back to the server.

Citrix – A product by Citrix Inc. that provides Terminal Services-like access to a server farm. This product allows desktop and application sharing, provides load balancing, Web gateway, and comprehensive access policies. For more detail, see http://www.citrix.com.

Citrix ICA Client – ICA stands for Independent Computing Architecture. The Citrix ICA Client is the client software that is now replaced by the Citrix XenApp plug-in and Citrix XenApp Web plug-in.

Citrix Web Interface – The Citrix Web Interface provides SonicOS SSL VPN users with access to MetaFrame Presentation Server applications and content through a standard Web browser. The Web Interface uses Java and .NET technology to dynamically create an HTML representation of server farms for MetaFrame Presentation Server sites. All applications published in the server farms can be made available and presented to users. The Citrix Web Interface also provides user access through the Program Neighborhood Agent, but this is not currently supported in SonicOS SSL VPN.

ICA file – A configuration file that adheres to the INI format. This file is used to launch Citrix clients and contains all the options necessary for connection.

Integrated Windows Authentication – Integrated Windows Authentication (IWA) is more secure than basic authentication, and can be selected when configuring Microsoft IIS. IWA is used in environments where users have Windows domain accounts and the applications in use are Active Directory aware. When using IWA, the user's domain logon credentials are encrypted and sent to the Web server with Web page requests. The Kerberos authentication protocol is used, or if unavailable, NTLMSSP is used. If the domain logon credentials cannot be used, the user is prompted to enter a user name and password. IWA cannot be used over an HTTP proxy server, but works with most modern browsers. It can also be used with filesharing, Windows service programs, and Microsoft SQL Server.

Java Applet – A Java application that runs in a limited environment in the Web browser. Unlike ActiveX, it is platform independent.

MetaFrame XP – MetaFrame XP runs on a server and allows multiple users to log on and run applications in separate, protected sessions. You install and publish the applications or other resources that you want to deploy. You can group a number of servers together to form a MetaFrame XP server farm that you manage as a single entity.

NFuse – NFuse Classic is a Web-based application deployment system that provides users with access to MetaFrame applications through a standard Web browser. Each user sees all the applications published in the MetaFrame server farm for that user. NFuse provides centralized application management and places complete control over the application deployment process in the hands of the administrator.

Presentation Server – Presentation Server allows delivery of applications as a service, providing on-demand access to users. It provides application virtualization and application streaming delivery. Presentation Server runs on a server and allows multiple users to log on and run applications in separate, protected sessions. You install and publish the applications or other resources that you want to deploy. You can group a number of servers together to form a server farm that you manage as a single entity.

Program Neighborhood Agent – Program Neighborhood Agent is a feature in Citrix MetaFrame and Presentation Server products that allows applications to be assigned to users. The name was originally inspired by Windows “Network Neighborhood” and was changed to “Citrix Applications” in Citrix XenApp. The Program Neighborhood Agent client uses the Access Management Console and published application settings to provide centralized management of the client settings. It also provides pass-through authentication and integrates with the user's desktop and Start menu. It provides client to server content redirection, changing the local Windows File Type Association so that local files automatically launch the associated Citrix published application.

Reverse Proxy – Such a proxy is deployed between a remote user outside the intranet and a target Web server within the intranet. The proxy intercepts packets flowing across it.

XenApp Server – Citrix XenApp™ is the new name for Citrix Presentation Server.
Citrix XenApp™ is an application virtualization solution. Virtualizing applications lets IT manage a single instance of each application in the data center. Applications can be run on high-powered servers in the data center for online access by remote clients, or delivered via application streaming directly to Windows PCs.

XenApp Plug-in – Users run the Citrix XenApp Plug-in on their client devices to access resources published on XenApp servers. The XenApp Plug-in requires the Citrix Web Interface. The Citrix XenApp Plug-in allows users to access published resources from a Windows desktop environment, including the Start menu and the Windows notification area, by icons that behave like local icons.

XenApp Web Plug-in – Citrix XenApp Web Plug-in is a smaller plugin that can be installed from the XenAppWeb.msi or the XenAppWeb.exe file. Users access published resources by clicking links on a Web page you publish on your corporate intranet or the Internet.

Solution Document Version History

Version Number   Date         Notes
1                2/5/2009     This document was created by Susan Weigand.
2                10/15/2009   Added content from functional spec and screenshots.
3                11/6/2009    Incorporated feedback and added user bookmark access sections, Explicit auth section, deployment diagram, info from Citrix Support spec. Added supported browsers, glossary items.

232-000704-00 Rev A