Citrix Access on SonicWALL SSL VPN
Document Scope
This document describes how to configure and use Citrix bookmarks to access Citrix through SonicWALL 
SRA 6.0. It also includes information about configuring relevant settings on a Citrix server.
This document contains the following sections:
• Feature Overview
• Administrator Tasks for Configuring Citrix Access
• User Tasks for Configuring Citrix Access
• Technical FAQs
• Glossary
Feature Overview
This section provides an introduction to accessing Citrix through the SonicWALL SRA appliance using
Citrix bookmarks. This section contains the following subsections:
• What are Citrix Bookmarks?
• Benefits of Citrix Bookmarks
• Accessing Citrix Applications via SSL VPN
• Supported Platforms
What are Citrix Bookmarks?
The SonicWALL SRA appliance uses bookmarks to access Citrix services, which are supported as a
third-party application running on a separate server. Citrix is a remote access, application sharing service,
similar to Terminal Services such as RDP. It employs an application virtualization technology, in which an
application is hosted on a central server. There are many management capabilities over a Citrix deployment
such as allocation of priority and a minimum set of resources to certain users, and data synchronization
between different server farms.
Citrix uses the ICA protocol to communicate with the client. The Citrix ICA Client is now renamed as the
Citrix XenApp Web plug-in. With the Citrix XenApp Web plug-in, users can access Windows applications
as a service available from anywhere.
Benefits of Citrix Bookmarks
Using the SonicWALL SRA appliance to access Citrix provides the following benefits:
• Secure access – The SonicWALL SRA appliance provides secure access from anywhere.
• Granular Control – Bookmarks, access policies, and other SSL VPN features provide full access control.
• Strong Authentication – The SonicWALL SRA appliance supports various strong authentication
methods, which provide an added layer of security to your Citrix applications.
• Consolidated access – The SonicWALL SRA appliance Virtual Office portal can provide multiple Citrix
bookmarks from a single location.
Some of the benefits of using Citrix to virtualize applications are the following:
• Reduces the expense of individual application licenses for each user. You can purchase one copy of the
application for your Citrix server along with a limited number of access licenses. When the client access
limit is reached, clients must wait to connect to the Citrix server.
• Facilitates auditing and reporting. You can track who uses which applications and when they are
accessed.
• CPU-intensive applications can run on a powerful Citrix server, allowing access by less-powerful clients.
• Operating system and file system security may be better on a Citrix server than on client systems or
systems accessed with RDP.
• Citrix provides load balancing.
• Citrix can act as a Web gateway providing comprehensive access policies.
Accessing Citrix Applications via SSL VPN
There are two ways to use Citrix that are supported by the SonicWALL SRA appliance:
• The agent or client behaves seamlessly, accessing the application on the Citrix server as soon as the user
logs into the client. This method is supported by the SonicWALL SRA appliance NetExtender.
• The user accesses the application on the remote Citrix server through a Web interface. SonicWALL
SSL VPN Bookmarks support this access method.
The SonicWALL SRA appliance provides secure remote Citrix access in a fashion similar to Remote
Desktop access. This provides a subset of Citrix functionality, since it does not support Program
Neighborhood functionality, but is sufficient for access to any Citrix application or desktop.
Citrix can be compared to applications that use the Remote Desktop Protocol (RDP), in that both allow
clients to access remote systems or servers. The fundamental difference is that RDP provides terminal
session access control with access to the remote desktop itself, including the C drive and system files,
whereas with Citrix, client access is usually restricted to application level access.
Access to the Citrix desktops and applications requires installation of client software, although this software
ranges from a full standalone client fully integrated into Windows (Start Menu, Context menus) to a
lightweight installation of an ActiveX control or a download of a Java applet.
Citrix servers and applications are accessible through the Citrix NFuse portal. Access to the NFuse portal
is provided by the SonicWALL SRA appliance HTTP(S) reverse proxy feature. After configuring the Citrix
server, the SRA appliance administrator creates one or more Citrix (reverse proxy) bookmarks for use by
client users. Client users initiate a Citrix session by first logging into the SonicWALL SRA appliance Virtual
Office portal and then clicking on the Citrix bookmarks to the NFuse server. After authenticating with the
NFuse portal, the user will see the Citrix applications and desktops that are accessible to him/her. This
interface is provided by the Citrix server, but is reverse-proxied by the SRA appliance. When the user clicks
on an application icon, Internet Explorer launches an ActiveX control similar to the one used by Remote
Desktop, while other browsers use the Java version which launches an applet.
Citrix support requires Internet connectivity in order to download the ActiveX client or the Java applet from
the Citrix Web site. The server will automatically decide which Citrix client version to use. Citrix is accessed
from Internet Explorer using ActiveX by default, or from other browsers using Java. Java can be used with
Internet Explorer by selecting an option in the bookmark configuration in the SonicWALL SRA appliance.
For Citrix access using Java, the Java applet download uses HTTP which is likely to have outbound access
based on usual firewall deployments.
When using the Java applet, the local printers are available in the Citrix client. However, under some
circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Supported Platforms
Citrix access is supported with the SonicWALL SRA appliance 6.0 on SonicWALL SRA 4200 and 1200
appliances, and on the SRA Virtual Appliance.
Citrix access is also supported on previous releases of the SonicWALL SRA appliance. Citrix bookmarks
with ActiveX and Java applet Citrix support are available on the SonicWALL SRA appliance 2.0 or newer
for the SSL-VPN 2000 and 4000 appliances, and on the SonicWALL SRA appliance 3.5 and newer for the
SRA 4200, 1200, and Virtual Appliance. Citrix IPv6 is supported on the SonicWALL SRA appliance 3.5 and
higher.
NTLM/Windows Integrated authentication is supported if it is enabled on the Citrix server. Some Citrix
installations use NTLM instead of a login form to authenticate the user into the Web interface.
Note
Single Sign-On is not supported for Web Interface authentication or within the Citrix session.
On the SonicWALL SRA appliance 6.0, Citrix Portal Bookmarks have been tested and verified to support
the following Citrix Application Virtualization platforms through the Citrix Web Interface:
Servers:
• XenApp Server 6.0
• XenApp Server 5.0
• XenApp Server 4.5
• Presentation Server 4.0
• MetaFrameXP Feature Release 3
Clients:
• Receiver for Windows 3.0
• Receiver for Java 10.1
• XenApp Web Plug-in version 12.0.3 or earlier
• Java client version 10.0 or earlier
Citrix client software is available as an ActiveX plugin (for Internet Explorer only) or a Java plugin. The
Citrix ActiveX client is supported on systems running Windows XP with Internet Explorer 6.0 or higher.
The Java plugin can be used with Internet Explorer, Firefox, Chrome, or Safari browsers on Windows 7,
Windows XP, Vista, Linux, or Mac OS client systems as noted in Table 1. For browsers requiring Java to run
Citrix, you must have Sun Java 1.6.0_10 or above.
Table 1   Citrix (Java 1.6.0_10+) Client - Supported Browsers per OS

Browser            Windows 7      Windows Vista  Windows XP     Linux          Mac OS X
Internet Explorer  8.0 or higher  7.0 or higher  6.0 or higher
Firefox            4.0 or higher  4.0 or higher  4.0 or higher  4.0 or higher  4.0 or higher
Chrome             5.0 or higher  5.0 or higher  5.0 or higher
Safari                                                                         2 or 3

Note
Citrix MetaFrame supports FireFox, Chrome, and Internet Explorer 7.x or earlier.
Administrator Tasks for Configuring Citrix Access
This section contains the following subsections:
• Deployment Scenario
• Assumptions and Dependencies
• Configuring Authentication on the Citrix Server
• Creating a Citrix Access Policy
• Creating a Citrix Bookmark
• Enabling Custom URLs for Citrix Client Downloads
• Configuring the Web Interface on the Citrix Server
• Editing a Citrix Bookmark
Deployment Scenario
The recommended deployment scenario for Citrix environments places the Citrix server(s) on the LAN
behind a SonicWALL Unified Threat Management (UTM) appliance acting as the gateway firewall. A
SonicWALL SRA 4200 appliance is connected to a firewall interface in the DMZ. Traffic passing between
the SRA and the LAN passes through the UTM appliance where it is examined for threats.
[Figure: deployment diagram. Labels: Remote Users, Internet Zone, Router, SonicWALL UTM Firewall (PRO 5060; interfaces X0, X1, X2), Switch, DMZ, Secure Remote Access SRA 4200 (interface X0), LAN, Citrix Servers, Apps, Email, AD, SQL]
Assumptions and Dependencies
• The administrator must have the Citrix Web Interface installed and functioning for the Citrix
installation.
• Microsoft Loopback hotfix (KB884020) is required, although this can be avoided if the ActiveX control
does not use loopbacks higher than 127.0.0.1.
• ActiveX: Users must have enough privileges in order to be able to install an ActiveX control if they
don’t already have one installed.
• Java: JRE 1.6.0_10 and above is required by the Citrix Java client in the SonicWALL SRA appliance 6.0.
If a lower version is detected, the connection is refused and the user is advised to upgrade Java.
• ActiveX & Java: Firewall rules must allow for Internet Explorer and for the JRE to be able to open
server sockets on the system.
• Java: The SonicWALL SRA appliance must have a DNS server set up (critical).
Configuring Authentication on the Citrix Server
You can configure the Citrix server for anonymous or authenticated access. If you select anonymous access,
you can configure the Citrix server for explicit, or forms-based, authentication to make sure that there is at
least some type of authentication available for users.
See the following sections:
• Configuring Anonymous or Authenticated Access
• Configuring Explicit Authentication on the Citrix Server
Configuring Anonymous or Authenticated Access
Microsoft IIS Manager must be configured on the Citrix server to enable anonymous access for Citrix.
When Windows Integrated Authentication is configured on IIS and the Citrix server is accessed by a client
through the SonicWALL SRA appliance, the SRA appliance will display a message indicating that it does not
support the HTTPS authentication scheme used by Citrix.
To configure authentication for Citrix access through the SonicWALL SRA appliance, perform the following
steps:
Step 1
On the Citrix server (a Windows Server system), click Start > All Programs.
Step 2
Select Administrative Tools > Internet Information Services (IIS) Manager.
Step 3
In the Internet Information Services (IIS) Manager window, expand the entries for the local computer,
Web Sites, Default Web Site, and Citrix.
Step 4
Under Citrix, right-click the service name, for example XenApp, and select Properties from the right-click
menu.
Step 5
In the Properties window, click the Directory Security tab.
Step 6
Under Authentication and access control, click Edit.
Step 7
For anonymous access to the Citrix server, select the Enable anonymous access check box in the
Authentication Methods window. (To configure authenticated access, skip to Step 12.)
Step 8
In the User name field, type in the account name to be used for anonymous access or click Browse to select
it from the account list.
Step 9
In the Password field, type in the password for this account.
Step 10 Click OK.
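Step 11 An IIS Manager dialog box warns that the anonymous authentication option will result in unencrypted
passwords being transmitted over the network except when HTTPS or SSL connections are used. Since we
are using HTTPS/SSL in this case, you can safely click Yes to continue. Note that traffic between the SRA
appliance and the Citrix server is SSL-encrypted only when the Citrix bookmark has the HTTPS Mode
check box selected.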
Step 12 To configure authenticated access to the Citrix server rather than anonymous access as described above,
clear the Enable anonymous access check box in the Authentication Methods window.
Step 13 Under Authenticated access, select the Basic authentication (password is sent in clear text) check box.
Step 14 Click OK.
Configuring Explicit Authentication on the Citrix Server
Explicit, or forms-based, authentication is used in conjunction with the anonymous access setting on
Microsoft IIS to provide some form of authentication for users. The administrator selects the Explicit
authentication method on the Citrix server, if it is not already selected. If only anonymous authentication is
configured, Citrix may automatically detect it and force Explicit authentication, which will present a login
form to the user. Explicit authentication performs the necessary encryption.
To configure explicit authentication on the Citrix server, perform the following steps:
Step 1
Log in to the Citrix server as the administrator, open the Start menu, and click Access Suite Console for
Presentation Server.
Step 2
In the Citrix Web Interface Management window, select the XenApp URL, for example:
http://CTX-EDU-1.csm.demo/Citrix/XenApp1.
Step 3
In the right pane under Edit Settings, click Authentication Methods, and then select the Explicit check
box in the Configure Authentication Methods window.
Step 4
Select the desired settings for Enforce 2-factor authentication and Allow user to change password.
Step 5
Click Next.
Step 6
For the Authentication Type step, select the Windows or NIS (UNIX) radio button.
Step 7
Click Next.
Step 8
For the Specify Authentication Type Settings step, under Domains, select the Display Domain field
radio button.
Step 9
Click the Add button and add your domain, if necessary.
Step 10 Select Selection in the Optionally, specify domains for drop-down list, and select your domain.
Step 11 Click Next.
Step 12 For the Check Summary step, verify your settings and then click Finish.
Creating a Citrix Access Policy
You can configure access policies on the SonicWALL SRA appliance to provide different levels of access to
the Citrix server. There are three levels of access policies: global, group, and user. You can deny or permit
access to the Citrix server by creating access policies for a Citrix server IP address, an IP address range (for
a server farm), or a network object.
User policies take precedence over group policies and group policies take precedence over global policies,
regardless of the policy definition. For policies at the same level, the most specific policy takes precedence.
Tip
When using Citrix bookmarks, in order to restrict proxy access to a host, a Deny rule must be configured
for both Citrix and HTTP services.
For more information about access policies, including policy hierarchy rules, see the “Users Configuration”
chapter in the SonicWALL SRA Administrator’s Guide.
The procedure is the same for configuring user, group, or global access policies, except for the initial page
(Users > Local Users or Users > Local Groups) and the selection of either a user, a group, or the global
option for which to configure the policy.
To configure an access policy for a user, perform the following steps:
Step 1
In the SonicWALL SRA appliance management interface, navigate to Users > Local Users (or Users >
Local Groups).
Step 2
Click the configure icon next to the user (or group or Global Policies) that you want to configure.
Step 3
In the Edit User Settings window, select the Policies tab.
Step 4
Click Add Policy... to display the Add Policy window.
Step 5
In the Add Policy window, in the Apply Policy To drop-down list, select whether the policy will be applied
to an individual host, a range of addresses, or a network object. You can also select an IPv6 host or a range
of IPv6 addresses. The Add Policy dialog box changes depending on what type of object you select in the
Apply Policy To drop-down list.
Note
The SonicWALL SRA appliance policies apply to the destination address(es) of the
SonicWALL SRA appliance connection (the Citrix server), not the source address. You
cannot permit or block a specific IP address on the Internet from authenticating to the
SonicWALL SRA appliance gateway with a policy created on the Policies tab. However, it
is possible to control source logins by IP address with a login policy created on the user's
Login Policies tab.
Step 6
Type a descriptive name into the Policy Name field.
Step 7
Do one of the following, depending on your selection in the Apply Policy To field:
• Type an IP address in the IP Address field.
• Type a starting IP address in the IP Network Address field and type a subnet mask value in the Subnet
Mask field in the form 255.255.255.0.
• Select the network object from the Network Object drop-down list. The port number is included in
the network object definition.
Step 8
In the Port Range/Port Number field, optionally enter a port range or an individual port.
Note
The Citrix Web interface and Citrix ICA server listen on different ports, typically 80/443 and
1494 respectively, which are both needed for a Citrix session. When creating a port-based
access policy, you will need to create two policies in order to specify both ports. Standard
TCP ports used by Citrix are mentioned in the knowledge base article available at:
http://support.citrix.com/article/CTX101810
Step 9
In the Service drop-down list, optionally select one of the following:
• Citrix Portal (Citrix) – Select this if the Citrix bookmark uses HTTP
• Citrix Portal (Citrix_https) – Select this if the Citrix bookmark uses HTTPS
If the Citrix server can be accessed using either HTTP or HTTPS, then you may need to create two access
policies, one for each service. An IP address based policy may be simpler in this case.
Step 10 In the Status drop-down list, click on an access action, either ALLOW or DENY.
Step 11 Click Accept.
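The precedence rules, the two-port note and the Deny tip in this section, modelled as an added Python example (not SonicWALL code and not part of the original guide). It assumes that "most specific" means the longest network prefix, then an explicit port, then an explicit service; addresses and policy names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Precedence stated in the guide: user > group > global.
LEVEL_RANK = {"global": 1, "group": 2, "user": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    level: str                      # "user", "group" or "global"
    network: str                    # host as /32, or a range such as a server farm
    action: str                     # "ALLOW" or "DENY"
    port: Optional[int] = None      # None = any port
    service: Optional[str] = None   # None = any service

    def matches(self, dest: str, port: int, service: str) -> bool:
        return (ip_address(dest) in ip_network(self.network)
                and self.port in (None, port)
                and self.service in (None, service))

    def rank(self):
        # The level is compared first ("regardless of the policy definition").
        # Assumption: within a level, "most specific" = longest prefix,
        # then an explicit port, then an explicit service.
        return (LEVEL_RANK[self.level],
                ip_network(self.network).prefixlen,
                self.port is not None,
                self.service is not None)


def decide(policies: List[Policy], dest: str, port: int, service: str) -> Optional[str]:
    """Action of the winning policy, or None when no policy matches
    (the guide does not state a default, so none is modelled)."""
    hits = [p for p in policies if p.matches(dest, port, service)]
    return max(hits, key=Policy.rank).action if hits else None


def session_allowed(policies, web_ip, ica_ip, web_port=443, ica_port=1494,
                    service="Citrix_https") -> bool:
    """A Citrix session needs both the Web Interface flow and the ICA flow.
    The port-based policies below leave `service` unset, so the service tag
    on the flows does not influence the result."""
    flows = [(web_ip, web_port), (ica_ip, ica_port)]
    return all(decide(policies, ip, port, service) == "ALLOW" for ip, port in flows)


def services_not_denied(policies, host, port, services=("Citrix", "HTTP")):
    """Services through which the proxy can still reach `host` (see the Tip)."""
    return [s for s in services if decide(policies, host, port, s) != "DENY"]


# Constructed sample data: Web Interface and ICA server on different addresses.
WEB, ICA, FARM = "10.10.20.5", "10.10.20.6", "10.10.20.0/24"

BASE = [
    Policy("deny-farm", "global", FARM, "DENY"),
    Policy("allow-farm-for-staff", "group", FARM, "ALLOW"),
]

if __name__ == "__main__":
    # Group ALLOW overrides global DENY.
    print("group over global:", decide(BASE, WEB, 443, "Citrix_https"))

    # A broad user DENY still beats a host-specific group ALLOW.
    by_level = [Policy("g-host", "group", WEB + "/32", "ALLOW"),
                Policy("u-farm", "user", FARM, "DENY")]
    print("user over group:", decide(by_level, WEB, 443, "Citrix_https"))

    # Port-based access: one policy for 443 is not enough for a session.
    one_port = [Policy("deny-farm", "global", FARM, "DENY"),
                Policy("allow-web", "user", FARM, "ALLOW", port=443)]
    two_ports = one_port + [Policy("allow-ica", "user", FARM, "ALLOW", port=1494)]
    print("443 only:", session_allowed(one_port, WEB, ICA))
    print("443 + 1494:", session_allowed(two_ports, WEB, ICA))

    # Tip: a Deny for the Citrix service alone leaves the HTTP service open.
    citrix_only = [Policy("deny-citrix", "user", WEB + "/32", "DENY", service="Citrix")]
    both = citrix_only + [Policy("deny-http", "user", WEB + "/32", "DENY", service="HTTP")]
    print("still reachable:", services_not_denied(citrix_only, WEB, 80))
    print("still reachable:", services_not_denied(both, WEB, 80))
```
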
Creating a Citrix Bookmark
You can configure a Citrix bookmark for a user or for a group. The procedure is the same, except for the
initial page (Users > Local Users or Users > Local Groups) and the selection of either a user or a group
for which to configure the bookmark.
To configure a Citrix bookmark for a user, perform the following steps:
Step 1
In the SonicWALL SRA appliance management interface, navigate to Users > Local Users.
Step 2
Click the configure icon next to the user you want to configure.
Step 3
In the Edit User Settings window, select the Bookmarks tab.
Step 4
Click Add Bookmark...
Step 5
Enter a descriptive name for the bookmark in the Bookmark Name field.
Step 6
Enter the name or IP address of the bookmark in the Name or IP Address field.
Note
A Citrix bookmark will accept a port option with the IP address (IP_address:portnum).
Step 7
From the Service drop-down list, select Citrix Portal (Citrix). The display will change.
Step 8
To enable SSL encryption for communication between the SRA appliance and the Citrix server, select the
HTTPS Mode check box.
Step 9
Optionally select the Always use Java in Internet Explorer checkbox to use Java to access the Citrix Portal
when using Internet Explorer. Without this setting, a Citrix ActiveX client or plugin must be used with IE.
This setting lets users avoid installing a Citrix client or plugin specifically for IE browsers. Java is used with
Citrix by default on other browsers and also works with Internet Explorer. Enabling this check box leverages
this portability.
When using the Java applet, the local printers are available in the Citrix client. However, under some
circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Step 10 To explicitly set the Citrix ICA server address for the Citrix ICA session, select the Always use specified
Citrix ICA Server checkbox and then type the server IP address into the ICA Server Address field.
Some Citrix deployments have the Citrix Web Interface on one IP address and the ICA server listening on
a different address. If the Citrix Web Interface and Citrix ICA server do not share the same IP address, use
this setting to explicitly set the ICA server address.
Step 11 Click Add.
Enabling Custom URLs for Citrix Client Downloads
The Services > Settings page allows the administrator to configure custom URLs for Citrix Java or ActiveX
client downloads.
The administrator needs to host the clients on a local Web server so they are available for download at the
indicated URLs.
See the following sections:
• Hosting the Citrix Clients on a Local Web Server
• Configuring Custom URLs on Services > Settings
Hosting the Citrix Clients on a Local Web Server
You can download the Citrix Java and ActiveX client packages from www.citrix.com, and place them on a
local Web server to make them available to your users.
To download the Citrix clients to your local Web server:
Step 1
In a browser on your local Web server, navigate to the Downloads page for Receiver on www.citrix.com.
Step 2
To download the ActiveX Receiver client, click Receiver for Windows 3.2.
Step 3
In the Receiver for Windows 3.2 popup, click Download.
Step 4
To download the Java Receiver client, click Receiver for Java 10.1 on the Citrix Downloads page (shown in
Step 1).
Step 5
Click Download for either the .tar or the .zip package.
Step 6
In the Receiver for Java 10.1 popup, click Download.
Step 7
Move the files to the appropriate location on the Web server.
Configuring Custom URLs on Services > Settings
The administrator needs to host the Citrix clients on a local Web server and have the SRA download these
clients from there.
You can configure the URLs for the Citrix Java or ActiveX client downloads on the Services > Settings page.
To configure custom URLs for Citrix Java or ActiveX client downloads, perform the following steps:
Step 1
In the SonicWALL SRA appliance management interface, navigate to the Services > Settings page.
Step 2
Select the Enable custom URL for Citrix Java client downloads checkbox if you want your own HTTP
URL to be used to download the Citrix Java client. Fill in the custom URL in the URL field. If this option
is not enabled, the default URL will be used. The default URL is shown in grey text in the URL field. The
maximum length for the custom URL is 255 characters.
Step 3
Select the Enable custom URL for Citrix ActiveX client downloads checkbox if you want your own
HTTP URL to be used to download the Citrix ActiveX client. Fill in the custom URL in the URL field. If
this option is not enabled, the default URL will be used. The default URL is shown in grey text in the URL
field. The maximum length for the custom URL is 255 characters.
Step 4
Click Accept.
Configuring the Web Interface on the Citrix Server
In the Citrix Web Interface, you can configure the Preferences to use the native client rather than the Java
client. This prevents a possible error when the Java client is launched.
To configure use of the native client:
Step 1
Log in to the SSL VPN Virtual Office portal and click on a Citrix bookmark.
Step 2
Log in to the Citrix Web Interface.
Step 3
Right-click the site name, such as “MetaFrame”, and select Client Deployment from the right-click menu.
Step 4
In the dialog box, select Native Client.
Step 5
Alternatively, configure this setting in the Preferences options. Select Connection Preferences.
Step 6
Select Native for the client.
Step 7
For Fallback Behavior, also select the Native client.
Editing a Citrix Bookmark
You can edit an existing Citrix bookmark by clicking the edit icon on the Virtual Office page.
To edit an existing Citrix bookmark, perform the following steps:
Step 1
In the SonicWALL SRA appliance management interface, navigate to the Virtual Office page.
Step 2
Click Show Edit Controls to expose the Edit and Delete icons for each bookmark.
Step 3
Click the Edit icon for the bookmark you wish to edit.
Step 4
In the Edit Bookmark page, you can view information about the available settings.
Step 5
To make changes to the Bookmark Name, Name or IP Address, or Description fields, type in the new
value(s).
Step 6
To change the ability of users to edit the bookmark, select a new value from the Allow user to edit/delete
drop-down list. The default is Use user policy.
Step 7
To set the default window size for Citrix sessions from the Edit Bookmark page, use the Resource
Window Size drop-down list to select the desired window size, as explained in Step 8 of “Using Java Bookmarks”.
Step 8
To enable SSL encryption for communication between the SRA appliance and the Citrix server, select the
HTTPS Mode check box.
Step 9
To force Internet Explorer to use the Citrix Java applet rather than the default ActiveX control, select the
Always use Java in Internet Explorer check box. This setting lets users avoid installing a Citrix ICA client
or MetaFrame Web plug-in specifically for Internet Explorer browsers.
When using the Java applet, the local printers are available in the Citrix client. However, under some
circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Step 10 To explicitly set the Citrix ICA server address for the Citrix ICA session, select the Always use specified
Citrix ICA Server checkbox and then type the server IP address into the ICA Server Address field.
Some Citrix deployments have the Citrix Web Interface on one IP address and the ICA server listening on
a different address. If the Citrix Web Interface and Citrix ICA server do not share the same IP address, use
this setting to explicitly set the ICA server address.
Step 11 Click OK.
User Tasks for Configuring Citrix Access
Citrix is a remote access, application sharing service, similar to RDP. It enables users to remotely access files
and applications on a central computer over a secure connection. Access to the Citrix server and its shared
applications is provided with bookmarks on the SonicWALL SRA appliance Virtual Office portal. The
administrator may have created either ActiveX or Java bookmarks.
When the user launches a Citrix bookmark, the interaction is identical to reverse proxy browsing until an
application icon is clicked. At that point a window containing an ActiveX control or a Java applet will pop
up.
Users might encounter several warnings and dialog boxes the first time they launch a Citrix application. The
causes for these are certificate mismatches, applet security warnings, ActiveX security warnings, and pop-up
blocking.
For the ActiveX version to be functional, the Receiver for Windows 3.0 client or the MetaFrame Web plug-in
(which was previously called Windows ICA client) must be installed on the client machine. If the client
machine does not have a pre-installed Receiver, MetaFrame, or ICA client, then the ActiveX control invokes
an installer that downloads the necessary plugin and prompts the user for installation. The user has to go
through the installation process only once, and will not be prompted for installation again for future Citrix
sessions. This step requires connectivity to www.citrix.com or to the custom URL of a configured local Web
server from the SRA appliance.
See the following sections for information about using ActiveX or Java bookmarks for Citrix access:
• Using ActiveX Bookmarks
• Using Java Bookmarks
Using ActiveX Bookmarks
When using Internet Explorer, Citrix bookmarks launch the ActiveX Citrix client. The following steps
describe how to launch and use the ActiveX Citrix client to access applications on the Citrix server:
Step 1
Using an Internet Explorer browser, log in to the SonicWALL SRA appliance Virtual Office portal where
the Citrix bookmarks are available. Click on the Citrix bookmark. The first time you use a Citrix bookmark,
it will download and install the Citrix Web Client on your computer if you do not already have it.
Step 2
Click Download to download the client software.
Step 3
If using Internet Explorer Security, click Allow to begin the download.
Step 4
To install XenApp software, open the downloaded file (default file name is XenAppWeb.exe).
Step 5
Wait for the Citrix Web Client to install.
Step 6
Click Yes to the Citrix license agreement.
Step 7
When the Citrix Web Client has installed, click OK. If the Citrix Web Interface login window does not
display, restart your Web browser and launch the Citrix bookmark again.
Step 8
Enter your username, password, and domain in the Citrix Web Interface login window.
Step 9
The Citrix Web Interface home page is displayed. Click on the application you want to use.
Step 10 You may be prompted to install additional Citrix software.
The shared application is now launched.
Using Java Bookmarks
When using browsers other than Internet Explorer, Citrix bookmarks launch the Java Citrix client. You can
also configure the SonicWALL SRA appliance to use the Java Citrix client even when Internet Explorer is
the user’s browser. The following steps describe how to launch and use the Java Citrix client.
Note
For more detailed, current information on Citrix Systems configuration and use, see the
Citrix Systems web site at www.citrix.com.
Step 1
Using any supported browser, log in to the SonicWALL SRA Virtual Office portal where the Citrix
bookmarks are available. Click on the Citrix bookmark. The login window displays.
Step 2
For Logon type, select either Anonymous or Explicit. Select Anonymous to log in without providing a
user name. Note that you may not be able to access resources that require authentication. Select Explicit
to log in with a user name and password. You may also be required to provide a domain name or NDS
context.
Step 3
Click the Log On button. The Citrix Java applet displays. The default applications will display in the
Applications section in the middle of the window.
Step 4
Click on the Citrix application to launch it.
Step 5
Click on Preferences to customize the Citrix Java applet settings.
Step 6
Select Display Settings to change the language and to specify if Citrix hints should be displayed.
Step 7
Select Session Settings to customize the default window size for Citrix sessions.
Step 8
In the Window Size drop-down menu, select one of the following options:
• No preference: Uses the default setting configured by your administrator.
• Full screen: Resources are maximized to fill your screen.
• Seamless: Resources that support resizing appear in resizable windows.
• Custom dimensions: Enables you to specify the width and height of the resource window in pixels.
• Percentage of screen: Enables you to specify the percentage of your screen the resources will occupy.
Step 9
Select Account Settings to configure the behavior of your sessions when you log out.
Step 10
Select the Log off all sessions checkbox to shut down all of your active resources when you log off from
the Citrix session. If you disable this checkbox, any active resources that are hosted on a remote server
continue to run when you log off. (Offline applications always continue to run when you log off from the
Citrix session.)
Technical FAQs
How do I find more technical information about Citrix?
Technical information is available at the following links:
• http://www.citrix.com
• http://en.wikipedia.org/wiki/Citrix
Glossary
Basic Authentication – For Citrix bookmarks and other HTTP transactions, basic authentication works as
follows: the client requests a Web page, the server responds with an authentication request, and the user
sees a popup login window and enters his or her credentials. The user name and password are encoded with
the Base64 algorithm (not for security, but rather to encode non-HTTP-compatible characters), and the
encoded credentials are appended to the Web page request and sent back to the server.
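The exchange in the Basic Authentication entry, as an added Python example that is not part of the original SonicWALL document: the server's challenge, the client's encoded header, and the decode that anyone who can read the request can perform. The function names, the sample account and the intranet.example host are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit

def challenge(realm):
    """Server's 'authentication request' to a client that sent no credentials."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{realm}"'}

def encode_basic(username, password):
    """Client side: the value appended to the repeated Web page request."""
    if ":" in username:
        raise ValueError("a Basic user name cannot contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header_value):
    """Recover (username, password); no key or secret is needed.
    Returns None when the value is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")  # only the first ':' separates
    return (username, password) if sep else None

def sent_in_clear(url, headers):
    """True when a request carries Basic credentials over a non-TLS URL."""
    creds = decode_basic(headers.get("Authorization", ""))
    return creds is not None and urlsplit(url).scheme.lower() != "https"

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(challenge("Citrix Web Interface"))
    header = encode_basic("jdoe", "p@ss:word")
    print(header, "->", decode_basic(header))
    for url in ("http://intranet.example/Citrix/", "https://intranet.example/Citrix/"):
        print(url, sent_in_clear(url, {"Authorization": header}))
```

Because the decode needs no secret, the credentials are only as protected as the transport that carries the request.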
Citrix – A product by Citrix Inc. that provides Terminal Services-like access to a server farm. This product
allows desktop and application sharing, provides load balancing, Web gateway, and comprehensive access
policies. For more detail, see http://www.citrix.com.
Citrix ICA Client – ICA stands for Independent Computing Architecture. The Citrix ICA Client is the
client software that was later replaced by the Citrix MetaFrame plug-in and Citrix MetaFrame Web plug-in.
The Citrix Receiver client is the most recent client software.
Citrix Receiver Client – Citrix Receiver is a lightweight software client available for Mac OS, Windows,
Linux, iOS, iPhone, iPad, Android, BlackBerry, Windows Mobile, Chromebook, and other platforms. Users
can access hosted applications on a Citrix server from any of these devices. Receiver for Windows 3.0 is used
for Citrix ActiveX bookmarks, while Receiver for Java 10.1 is used for Citrix Java bookmarks.
Citrix Web Interface – The Citrix Web Interface provides the SonicWALL SRA appliance users with access
to MetaFrame Server applications and content through a standard Web browser. The Web Interface uses
Java and .NET technology to dynamically create an HTML representation of server farms for MetaFrame
Server sites. All applications published in the server farms can be made available and presented to users. The
Citrix Web Interface also provides user access through the Program Neighborhood Agent, but this is not
currently supported in the SonicWALL SRA appliance.
ICA file – A configuration file that adheres to the INI format. This file is used to launch Citrix clients and
contains all the options necessary for connection.
Integrated Windows Authentication – Integrated Windows Authentication (IWA) is more secure than
basic authentication, and can be selected when configuring Microsoft IIS. IWA is used in environments
where users have Windows domain accounts and the applications in use are Active Directory aware. When
using IWA, the user's domain logon credentials are encrypted and sent to the Web server with Web page
requests. The Kerberos authentication protocol is used, or if unavailable, NTLMSSP is used. If the domain
logon credentials cannot be used, the user is prompted to enter a user name and password. IWA cannot be
used over an HTTP proxy server, but works with most modern browsers. It can also be used with file
sharing, Windows service programs, and Microsoft SQL Server.
Java Applet – A Java application that runs in a limited environment in the Web browser. Unlike ActiveX, it
is platform independent.
MetaFrame XP – MetaFrame XP runs on a server and allows multiple users to log on and run applications
in separate, protected sessions. You install and publish the applications or other resources that you want to
deploy. You can group a number of servers together to form a MetaFrame XP server farm that you manage
as a single entity.
NFuse – NFuse Classic is a Web-based application deployment system that provides users with access to
MetaFrame and MetaFrame applications through a standard Web browser. Each user sees all the applications
published in the Citrix server farm for that user. NFuse provides centralized application management and
places complete control over the application deployment process in the hands of the administrator.
NTLM – NT LAN Manager is a Microsoft authentication protocol similar to MS-CHAP. NTLM is used
with the SMB protocol. The protocol uses a challenge-response sequence of three messages between a client
that wishes to authenticate and the server that is requesting authentication.
Presentation Server – Presentation Server allows delivery of applications as a service, providing
on-demand access to users. It provides application virtualization and application streaming delivery.
Presentation Server runs on a server and allows multiple users to log on and run applications in separate,
protected sessions. You install and publish the applications or other resources that you want to deploy. You
can group a number of servers together to form a server farm that you manage as a single entity.
Program Neighborhood Agent – Program Neighborhood Agent is a feature in Citrix
MetaFrame/XenApp and Presentation Server products that allows applications to be assigned to users. The
name was originally inspired by Windows “Network Neighborhood” and was changed to “Citrix
Applications” in Citrix MetaFrame. The Program Neighborhood Agent client uses the Access Management
Console and published application settings to provide centralized management of the client settings. It also
provides pass-through authentication and integrates with the user's desktop and Start menu. It provides
client to server content redirection, changing the local Windows File Type Association so that local files
automatically launch the associated Citrix published application.
Reverse Proxy – Such a proxy is deployed between a remote user outside the intranet and a target Web
server within the intranet. The proxy intercepts packets flowing across it.
XenApp Server – Citrix XenApp™ is the new name for Citrix Presentation Server. Citrix XenApp™ is an
application virtualization solution. Virtualizing applications lets IT manage a single instance of each
application in the data center. Applications can be run on high-powered servers in the data center for online
access by remote clients, or delivered via application streaming directly to Windows PCs.
XenApp Plug-in – Users run the Citrix XenApp Plug-in on their client devices to access resources
published on XenApp servers. The XenApp Plug-in requires the Citrix Web Interface. The Citrix XenApp
Plug-in allows users to access published resources from a Windows desktop environment, including the
Start menu and the Windows notification area, by icons that behave like local icons. The Citrix Receiver
client is more recent than XenApp.
XenApp Web Plug-in – Citrix XenApp Web Plug-in is a smaller plugin that can be installed from the
XenAppWeb.msi or the XenAppWeb.exe file. Users access published resources by clicking links on a Web
page you publish on your corporate intranet or the Internet.
Solution Document Version History
Version Number    Date         Notes
1                 4/19/2012    This document was created by Patricia Day.
P/N 232-002124-00 Rev A
5/2012