Tech Note: 005
Securing Citrix Via SmartGate:
Information and Setup.
Applies to: SmartGate 4.x and later.
Last updated: March 27th, 2001.
SUMMARY
How to set up your SmartGate server and SmartPass clients to secure and transfer traffic for Citrix Metaframe and Nfuse servers.
INSTRUCTIONS
On the Remote Client:
- First, install the Citrix ICA client. Currently we are installing version 779 (wfplug32.exe and ne000779.exe).
- Extract the SmartPass Client, edit setup.ini to your needs, and install the client.
- OLR to the SmartGate Server.
On the SmartGate Server:
- Open up SmartAdmin and configure the following:
  - Enable the new user in the USERS tab.
  - Go to the TCP Access tab and add in your Citrix rules:
    - Click ADD.
    - Assign the OWNER according to the USER or the user's GROUP.
    - TYPE= Path Permission
    - Destination Host will be the IP address or the DNS name of the METAFRAME Server. (If you have LOAD BALANCING Servers then you can use wildcarding, e.g. 192.168.111.*)
    - For SERVICE select other. Dest Port= 1494, Server port= 2023
    - Client port= 1494
    - Click OK.
  - If you are LOAD BALANCING then you need to add one more rule for the UDP Service:
    - Click ADD.
    - Assign the OWNER according to the USER or the user's GROUP.
    - TYPE= Path Permission
    - Destination Host will be the IP address or the DNS name of the METAFRAME Server. (If you have LOAD BALANCING Servers then you can use wildcarding, e.g. 192.168.111.*)
    - For SERVICE select other.
    - Dest Port= 1604
    - Server port= 2023
    - Client port= 1604
  - If you are LOAD BALANCING then you need to configure the Server to recognize that port 1604 is UDP. Go to your CONFIGURATION tab:
    - Click on the SYSTEM DEFINITION tab.
    - Type in 1604 in the UDP port list field.
    - Go to the Control Panel and click on SERVICES; make sure the UDP Service is running.
On the SmartPass Client side:
- Refresh your ACLs in the SmartPass Client, and make sure you have the access permissions you created on the Server. When the server name is selected under Network Outbound, your access permissions should appear on the right. If they do not, choose Refresh ACLs from the menu.
- Load up the Citrix Program Neighborhood Client.
- We need to create an ICA file, so click on ADD ICA Connection.
- Select the type of connection (Local Area Network), then click Next.
- Type in your description of the ICA Connection.
- Leave TCP/IP in the protocol field.
- For a single server connection, type in the IP address or DNS name of the METAFRAME Server. If you have LOAD BALANCING Servers, then you can click on the DOWN ARROW drop-down box, and it will browse for a Server.
- After all that is set up, click on Next.
- If you don't have LOAD BALANCING Servers, you don't need SOCKS, so click Next. If you do have LOAD BALANCING Servers you need SOCKS, so check the box. For the Server field put in 127.0.0.1, and in the Port field put in 1080.
- Click Next.
- Enter your User name, Password, and Domain, then click Next.
- Choose your window size and color, then click Next.
- Choose your Application and working Directory, then click Next.
- Now your connection has been set up, so click Finish.
Create a Custom ICA connection file
For LOAD BALANCING Servers, you can also create your own ICA file to connect.
EXAMPLE ICA FILE:
[WFClient]
Version=2
TcpBrowserAddress=192.168.11.151
TcpBrowserAddress2=192.168.11.152
[ApplicationServers]
Winword=
[Winword]
Address=Winword
InitialProgram=#Winword
DesiredHRES=640
DesiredVRES=480
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
ICASOCKSProtocolVersion=5
ICASOCKSProxyHost=127.0.0.1
ICASOCKSProxyPortNumber=1080
BrowserTimeout=20000
EOD
It is very important to make sure the BrowserTimeout= value is larger than 10000.
Save the file as a ***.ica file
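Before handing out a custom .ica file, it is worth checking that every published application in it points at the SOCKS proxy settings given above and that BrowserTimeout meets the requirement. The script below is an added example, not part of the original tech note or of any vendor tooling; the function name check_ica, the constant names and the BAD_ICA sample are assumptions made for illustration, and it assumes the SOCKS keys sit in each application's own section as in the example file.

```python
import configparser

# SOCKS and transport values from the tech note's example ICA file.
EXPECTED = {
    "ICASOCKSProtocolVersion": "5",
    "ICASOCKSProxyHost": "127.0.0.1",
    "ICASOCKSProxyPortNumber": "1080",
    "TransportDriver": "TCP/IP",
}
MIN_BROWSER_TIMEOUT = 10000  # the note requires a value larger than this
# Abridged copy of the note's example file, plus a constructed bad variant
# whose SOCKS keys are commented out and whose timeout is too small.
GOOD_ICA = """[WFClient]
TcpBrowserAddress=192.168.11.151
[ApplicationServers]
Winword=
[Winword]
InitialProgram=#Winword
TransportDriver=TCP/IP
ICASOCKSProtocolVersion=5
ICASOCKSProxyHost=127.0.0.1
ICASOCKSProxyPortNumber=1080
BrowserTimeout=20000
"""
BAD_ICA = GOOD_ICA.replace("ICASOCKS", ";ICASOCKS").replace("20000", "5000")

def check_ica(text):
    """Return findings for every application listed in [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    names = {s.lower(): s for s in cp.sections()}  # match section names case-insensitively
    if "applicationservers" not in names:
        return ["missing [ApplicationServers] section"]
    findings = []
    for app in cp[names["applicationservers"]]:  # option names arrive lowercased
        if app not in names:
            findings.append(f"[{app}] section missing")
            continue
        sec = cp[names[app]]
        for key, want in EXPECTED.items():
            got = (sec.get(key) or "").strip()
            if got.lower() != want.lower():
                findings.append(f"[{sec.name}] {key}={got or '<unset>'}, expected {want}")
        raw = (sec.get("BrowserTimeout") or "").strip()
        if not raw.isdigit() or int(raw) <= MIN_BROWSER_TIMEOUT:
            findings.append(f"[{sec.name}] BrowserTimeout={raw or '<unset>'}, must be > {MIN_BROWSER_TIMEOUT}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ica(BAD_ICA)))
```

An empty result means the file matches the settings in this note; each finding names the application section and the key that differs.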
How to setup NFUSE:
Run SmartAdmin to create a Web Access Permission (ACL):
- Click on the Web Access tab, and click Add.
- Assign the OWNER according to the USER or the user's GROUP.
- Type the IP address or the DNS name into the URL field.
- Leave Server port as 2080, and click OK.
- Go back to the SmartPass Client, and refresh the ACL list.
- Load up the browser and connect to the NFUSE Web Server.