Overview
This article describes how to configure Smart Access with published applications in a Citrix Presentation Server farm using Access Gateway, Advanced Access Control, and Web Interface. It provides configuration steps for the following setup:
Access Gateway > Advanced Access Control > Web Interface > Presentation Server
After configuring Smart Access, the end user UI displays Citrix Presentation Server applications published via the Web Interface. It can be viewed in the default user interface provided with Advanced Access Control as shown below. It can also be configured to display only published applications.

Products and Components Required
• Citrix Presentation Server 4.0
This was released in June 2005.
• Web Interface v 4.2
This version can be obtained from the Downloads section within MyCitrix (https://secureportal.citrix.com). To install Web Interface version 4.2, there is no need to install earlier versions of Web Interface first. You can also install Web Interface 4.2 on a server that has earlier versions installed; version 4.2 will be installed side by side with the earlier versions.
• Access Suite Console Hotfix ASC400W004
This hotfix can be obtained from http://support.citrix.com/article/CTX108237. It should be installed on the machine that has the Access Suite Console for Presentation Server.
• Access Gateway 4.2 and Advanced Access Control 4.2
This was released in December 2005. If you have already purchased Access Gateway and Advanced Access Control along with Subscription Advantage, these new versions can be obtained from MyCitrix (https://secureportal.citrix.com).
Smart Access
Smart Access revolves around providing or limiting Presentation Server applications, and/or functionality within those applications, based on certain conditions of a client machine connecting through Access Gateway and Advanced Access Control.
There are only two areas in which the actual Smart Access capabilities are configured. In Advanced Access Control we define the conditions that are checked, and in Presentation Server we apply those conditions to the resources we want to allow or deny. The other areas are configured simply so that Smart Access works end to end.
From the Advanced Access Control, the conditions are represented by Logon Point, Authentication Strength, End Point Analysis output, and Client Certificates. These conditions are all characteristics of a filter. Creating a filter in Advanced Access Control specifies a type of “Access Scenario” which states: “If the conditions in the filter are satisfied, then whatever policy or resource this filter is applied to will be invoked.”
For example, create a Filter for Logon Point X and apply the Filter to Policy allowing Email. A user logs on to Logon Point X and is allowed Email. If logging on to Logon Point Y, the user does not have access to Email.
Smart Access works much the same way. However, on the Presentation Server, the Advanced Access Control filters are applied in the “Access Control” section of a Presentation Server Application or Application Policy.
For example, assign the Advanced Access Control Farm and the Filter that was created above to a published application such as Notepad. A user who logs on to Logon Point X gets Email and also sees Notepad in the embedded Web Interface. A user who logs on to Logon Point Y gets neither Email nor Notepad in Web Interface.
This is Smart Access.
Configuration Steps
Once you have all the relevant products and components installed, perform the following configuration steps.
Presentation Server
1. In the Management Console for Presentation Server, configure the application properties for Access Control as shown below. “Allow connections made through MetaFrame Secure Access Manager (version 4.0 or later)” must be selected to turn on Access Control configuration. Selecting “Any connection that meets the following filters” hides the application from users who do not satisfy the listed conditions if those users are connecting from Advanced Access Control 4.0 or later. In the example below, the intent is to display Word as a published application only if the Advanced Access Control farm “MyAAC” sends the filter named “External” when requesting the list of published applications.


“Allow all other connections” allows users connecting from earlier versions of Advanced Access Control to launch the application regardless of how they are accessing it.
Perform steps 2 and 3 if you want to configure Presentation Server policies based on Advanced Access Control Filters.
2. Create Presentation Server policies that you would like to apply based on Advanced Access Control filters. In the example below the intent is to disable client drive mapping if the application is being accessed from an external network. The Presentation Server policy named disableclientdrive will disable client drive mapping to apps to which this policy is applied.

3. Apply this policy based on the Access Control filter. By doing this the policy will be applied whenever the Advanced Access Control farm “MyAAC” sends the condition “External.”
Note: The Access Control filter is case-sensitive! It must be entered exactly as it was created in Access Control.
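The following is a simplified model of the filter matching described in steps 1 to 3, added here as an example; it is not Citrix code and not part of the original article. The `Session` and `AccessControl` classes and the helper names are hypothetical. It shows that a filter name entered in the wrong case leaves the Word listing intact while the `disableclientdrive` policy silently stops applying.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    via_aac: bool = True               # arrives through Advanced Access Control 4.0 or later
    farm: str = ""                     # farm name sent with the request
    filters: frozenset = frozenset()   # filters whose conditions the session satisfied

@dataclass
class AccessControl:
    """Simplified stand-in for the Access Control page of an application or policy."""
    allow_aac: bool = True             # "Allow connections made through ..." is selected
    required: set = field(default_factory=set)  # (farm, filter) pairs; empty means any connection
    allow_other: bool = False          # "Allow all other connections"

def matches(ac: AccessControl, s: Session) -> bool:
    if not s.via_aac:
        return ac.allow_other
    if not ac.allow_aac:
        return False
    if not ac.required:
        return True
    # Exact string comparison: filter names are case-sensitive (farm names
    # are compared the same way here, which is an assumption of this model).
    return any((s.farm, name) in ac.required for name in s.filters)

def case_mismatches(ac: AccessControl, defined: set) -> list:
    """Entries that differ from a filter defined in Advanced Access Control only by case."""
    by_lower = {name.lower(): name for name in defined}
    return sorted((farm, name, by_lower[name.lower()])
                  for farm, name in ac.required
                  if name not in defined and name.lower() in by_lower)

# Constructed sample data using the names from the steps above.
AAC_FILTERS = {"External"}
word = AccessControl(required={("MyAAC", "External")})
disableclientdrive = AccessControl(required={("MyAAC", "external")})  # typed in the wrong case
external_user = Session(farm="MyAAC", filters=frozenset({"External"}))

def demo() -> dict:
    return {
        "word_listed": matches(word, external_user),
        "policy_applied": matches(disableclientdrive, external_user),
        "mismatches": case_mismatches(disableclientdrive, AAC_FILTERS),
    }

if __name__ == "__main__":
    print(demo())
```

Because the policy in this example is a restriction, the mismatch fails open: the external user still sees Word, but client drive mapping is not disabled.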


Web Interface
1. Create a Web Interface Site from the Access Suite Console for Presentation Server.
2. Select the Using Advanced Access Client access method and point to the Advanced Access Control server. It can also be accessed from the ‘Manage Access Method’ task if the site has already been created.

3. Set the servers by pointing to the Presentation Server farm; be sure to specify the correct port that the XML Service is running on.

4. After the site is created, set the DMZ settings. Create a new client route, specify the external (WAN side) IP address of Access Gateway, set the mask to 255.255.255.255 and specify the Access Method to Secure Gateway Direct.


5. Set the Secure Gateway Settings.
a. Ensure that the Secure Gateway address field is set with the FQDN that will be used for accessing Access Gateway.
b. Add the Secure Ticket Authority URL and specify the port it’s listening on (it is the same port on which the XML Service is listening). For example, http://cpsserver:8080/scripts/ctxsta.dll if you have XML Service in standalone mode and http://cpsserver:80/scripts/ctxsta.dll if you have port sharing of XML Service with IIS enabled, where <cpsserver> is the server hosting your XML Service on the Presentation Server.


Advanced Access Control
1. Create a web resource by right-clicking on the Web Resources node and selecting the Create new web resource task in the Access Suite Console (not the Access Suite Console for Presentation Server):
a. Add a new URL pointing to the Web Interface site created above.
b. Set the Application type to be Citrix Web Interface 4.2 or later.
c. Select the box for Integrated Windows authentication.
d. After creating the URL, set the Home page to the Web Interface site created above.


2. Create or edit an Access Policy:
a. Select the Web Interface web resource created in step 1 above.
b. Select the Web Resource policy Setting called Access and set it to Allow.
3. Select the Gateway Appliances node > Edit gateway appliances properties.

4. Specify the Secure Ticketing Authority. This has to be the same as configured in step 5b for Web Interface Configuration steps:
a. Specify the name of the Presentation Server hosting the Secure Ticket Authority and XML Service.
b. Specify the port on which the STA and XML Service are configured.
c. Leave the STA path unaltered.

This configuration requirement for the STA and XML Service is important because they validate the ICA connections being launched and handle all information regarding Smart Access capabilities.
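One way to check that the STA entered in Advanced Access Control matches the Secure Ticket Authority URL from Web Interface step 5b, as an added example that is not part of the original article or of any Citrix tool. The function names are hypothetical, and the values must be copied by hand from the two consoles; the notes on an altered path and on SSL follow the FAQ answers at the end of this article.

```python
from urllib.parse import urlsplit

DEFAULT_STA_PATH = "/scripts/ctxsta.dll"   # path used in the article's example URLs

def parse_sta_url(url: str):
    """Split a Web Interface STA URL into (scheme, host, port, path)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable STA URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port, parts.path

def check_sta(wi_url: str, aac_server: str, aac_port: int,
              aac_path: str = DEFAULT_STA_PATH) -> list:
    """Return findings; an empty list means both sides describe the same STA."""
    scheme, host, port, path = parse_sta_url(wi_url)
    findings = []
    if host != aac_server.strip().lower():
        findings.append(f"server differs: Web Interface={host} AAC={aac_server}")
    if port != aac_port:
        findings.append(f"port differs: Web Interface={port} AAC={aac_port}")
    # Paths are compared without regard to case (an assumption of this check).
    if path.lower() != aac_path.lower():
        findings.append(f"path differs: Web Interface={path} AAC={aac_path}")
    if aac_path.lower() != DEFAULT_STA_PATH:
        findings.append("STA path altered: expected only with port sharing "
                        "and a moved scripts directory")
    if scheme == "https":
        findings.append("SSL to the XML Service: requires port sharing and secured IIS")
    return findings

if __name__ == "__main__":
    # Constructed values modelled on the article's examples.
    for finding in check_sta("http://cpsserver:8080/scripts/ctxsta.dll", "cpsserver", 80):
        print(finding)
```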
Access Gateway
1. In the Access Gateway Administration Tool > Access Gateway Cluster > Advanced Options tab select the Advanced Access Control option.
2. Specify the FQDN of the Advanced Access Control server. Ensure that a DNS server is already configured under the Name Service Providers tab which can resolve the Advanced Access Control FQDN.
3. Install certificates:
a. Root Certificate - Upload your root certificate obtained from the certificate authority in the Administration tab by selecting the Manage trusted root CA Certificates button.
b. Server Certificate:
i. Generate CSR using a key length of 1024 from Access Gateway by selecting the Generate CSR Tab. Ensure that the Common Name field is the FQDN that will be used for accessing Access Gateway.
ii. Submit a certificate request to your certificate authority using the generated .csr file. Ensure that the certificate is base64 encoded.
iii. Upload the certificate in the Access Gateway Administration Tool > Access Gateway Cluster > Administration tab > Upload a signed Certificate.
Client
1. Ensure that the root CA certificate is installed on the client device in the Trusted Root store.
Frequently Asked Questions
Does Web Interface 4.2 upgrade Web Interface 4.0 or 4.1 installations?
No, it does not. Web Interface versions are installed side by side, and it is fine for them to coexist. Sites created with 4.0 or 4.1 have to be migrated to 4.2. See the third question below for details.
Can Advanced Access Control and Web Interface be installed on the same server?
Yes, both the server and console components can be installed on the same server. Note that Advanced Access Control is configured using the Access Suite Console while Web Interface is configured using the Access Suite Console for Presentation Server.
How can I transfer my configuration from my Web Interface 4.0 sites to Web Interface 4.2?
1. On the Web Interface 4.0 site select the Export configuration task and save the generated configuration file.
2. Remove the site.
3. Create a new 4.2 site (finish the wizard by leaving the default values).
4. Select the Import configuration task and point to the configuration file just created.
5. To enable smart access on this site modify the “Access Method” to specify that it should use a particular Advanced Access Control server.
What is the difference between port sharing mode and standalone mode of Citrix XML Service?
In standalone mode, the XML Service is its own service. With port-sharing, it’s an ISAPI DLL within IIS. If you want to use SSL to talk to the XML Service, you have to do port-sharing and secure IIS. If you want to use the standalone, you have to use XML Relay, which Advanced Access Control does not support (Web Interface does, though).
Does the XML Service also do the job of STA?
In Presentation Server 4.0 the STA is part of the XML Service if you use the standalone service. If you port share, then you see the different ISAPI extensions.
When should you modify the STA path in Edit Gateway Appliance Properties > Secure Ticket Authority page?
If you are using port sharing and have changed the path to the scripts directory, you need to modify the STA path.