
Readme for Citrix Access Gateway 8.0, Enterprise Edition

Document ID: CTX112723   /   Created On: Mar 14, 2007   /   Updated On: Dec 17, 2007

Readme for Citrix Access Gateway 8.0, Enterprise Edition (Build 45.4)

Introduction

Readme Version: 1.4

Notes:

Contents

For information about new features and system requirements, see the Citrix Access Gateway Enterprise Edition Administrator's Guide.

Finding Documentation

To view, search, and print the PDF documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download Adobe Reader for free from the Adobe Systems Web site. Documentation is available on the Citrix Knowledge Center Web site (select Product Documentation). Updates to Citrix technical manuals are posted on the Web site.

To provide feedback on the documentation, go to www.citrix.com and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.

Client Documentation

The user guides for the Access Gateway clients are available from the Configuration Utility.

Licensing Documentation

Licensing documentation is available in the Citrix Access Gateway Enterprise Edition Administrator's Guide.

Getting Support

Citrix provides technical support primarily through Citrix Solutions Advisor. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor.

Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.

For more information about support options, see the Citrix Access Gateway Enterprise Edition Administrator's Guide.


Issues Resolved in this Release

  • The maximum number of users allowed to log on to the Access Gateway can be configured on virtual servers.

    To configure maximum users on a virtual server

    1. In the Configuration Utility, in the left pane, click SSL VPN.
    2. In the right pane, under SSL VPN Policy Manager, click SSL VPN policy manager.
    3. Under Configured Policies / Resources, expand Virtual Servers, and then click a virtual server.
    4. Under Related Tasks, click Modify virtual server.
    5. In Max Users, type the number of users and click OK.

  • The Access Gateway home page does not display correctly.

    [#21413]

  • The clientless JavaScript file transfer function is not subject to authorization, so users can access file shares on the internal network even when they are restricted from that access.

    [#25283]

  • When single sign-on is configured with LDAP authentication to an NTLM server using the ssoNameAttribute action, and the user name contains the domain name (for example, jdoe@example.com), single sign-on fails.

    [#26366]

  • When the Secure Access Client or ActiveX client plug-in has proxy support configured, it cannot determine if the client is connected remotely or within the internal network. This prevents support of exception lists.

    [#26709]

  • If a user logs off from the Secure Access Client or ActiveX client plug-in and then installs an earlier version of the client software, the client device loses the network connection.

    [#27296]

Known Issues in this Release

The following is a list of known issues in this release. READ IT CAREFULLY BEFORE INSTALLING THE PRODUCT.

  • No access scenario fallback - Client security checks cannot be used to determine whether a user qualifies for the Secure Access Client or is limited to Citrix Presentation Server access.
  • You can configure up to 32 subnets on the Access Gateway. If more than 32 subnets are entered, the Access Gateway ignores the additional subnets.
  • The portal file transfer tool is designed to download small files. If you want to download large files (over 500MB), use Windows Explorer.
  • If client devices are using Windows XP, you can install one version of the Secure Access Client from either Access Gateway Standard Edition or Access Gateway Enterprise Edition. The two versions of the Secure Access Client use different drivers, and if they co-exist on the client device, a session using either client could fail. Citrix recommends installing and running one version only of the Secure Access Client on client devices.

    [#24320]

  • When the ICA proxy is set to on and a post-authentication client security check fails, quarantine groups cannot be used to grant the user an alternate access scenario.

    [#26303]

  • The ActiveX client plug-in cannot be installed automatically on Windows Server 2003.

    To manually install the plug-in on Windows Server 2003
    1. Click Start, click Control Panel, and click Add or Remove Programs.
    2. Click Add New Programs and then click CD or Floppy.
    3. Click Next and when the search on the floppy or CD drives is finished, a page appears asking for the program you want to run. Click Browse, navigate to nsvpnc_setup.exe, and click Next to start the installation.

    [#26684]

  • If the Access Gateway appliance fails, the logon prompt does not reappear until the core file on the appliance is completely saved.

    [#27372]

  • If the address record of a name server is missing on the Access Gateway, the DNS queries are sent to IP address 0.0.0.0 instead of the configured IP address.

    [#27394]

  • When using the File Transfer Utility and downloading a file larger than 1.4 gigabytes (GB), the file size appears as a negative number.

    [#27439]

  • In the ActiveX client plug-in profile, the IP address list on the Domain tab is not saved.

    [#27460]

  • When upgrading the Access Gateway using the Configuration Utility, the SSH connection might close during the upgrade and the upgrade fails. If this occurs, try installing the upgrade again using the Configuration Utility or the command line interface.

    [#27573]

  • The Access Gateway supports three custom HTTP headers. If the number exceeds this limit, an error message appears.

    [#27624]

  • If the ActiveX client plug-in is installed on a Windows Server 2003, the session time-out is two or three minutes, instead of the default 30 minutes.

    [#27931]

  • When configuring the Web Interface and Secure Ticket Authority (STA), the entire fully-qualified domain name (FQDN) must be used.

    [#28268]

  • When trying to install the ActiveX client plug-in and the Web address is allowed in the pop-up blocker, the user receives a 3005 error message. If automatic prompting for ActiveX controls is disabled in Internet Explorer, the browser blocks the ActiveX plug-in. To fix the problem, enable automatic prompting.

    [#28377]

  • The Secure Access Client is not supported on 64-bit versions of Windows.

    [#28380]

  • The license file can be corrupted if the characters ^M (CTRL+M) are in the file.

    [#28431]

  • If you are configuring double-source authentication on the Access Gateway, using a second password for client authentication is not supported for Secure Access Client application programming interface (API) logon in this release.

    [#28509]

  • If a client device is connected using a wireless connection and the ActiveX client plug-in, and the client device goes into standby, the Access Gateway session does not resume when the client device comes out of standby.

    [#28578]

  • If Norton Personal Firewall is installed on a client device, when users log on using the Secure Access Client, they receive a message from Norton Personal Firewall to allow or block nsload.exe. Users should select allow.

    [#28709]

  • If you have the Access Gateway Model 9000 with the FIPS option, it allows only the following FIPS-approved ciphers to be configured on virtual servers, apart from the RC4 exceptions noted below. The ciphers are:

    Cipher Name: SSL3-DES-CBC3-SHA
    Description: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

    Cipher Name: SSL3-DES-CBC-SHA
    Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

    Cipher Name: TLS1-AES-256-CBC-SHA
    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

    Cipher Name: TLS1-AES-128-CBC-SHA
    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

    The only non-FIPS cipher that can be configured on the Access Gateway FIPS model is RC4-SHA.

    If you are using cipher redirection in addition to the FIPS-approved ciphers, RC4-SHA and RC4-MD5 are supported. The following ciphers are not supported with cipher redirection:
    • All export ciphers
    • All DSA/DSS ciphers
    • All ciphers using DH as the key exchange
    • IDEA and RC2 ciphers

    [#29050]

  • The ActiveX plug-in fails after the user logs on, and error message 1008 (report to admin) appears.

    [#29104]

  • When a user logs off from the Secure Access Client, the user receives an error message stating that the session timed out.

    [#29378]
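The cipher rules in issue #29050 above are easy to get wrong when a virtual server carries a long cipher list, so the following added example (not Citrix code, and not part of the original readme) turns them into a check: each bound cipher is classified as FIPS-approved, allowed by the RC4 exception, or rejected, with or without cipher redirection. The substrings used to recognise export, DSS, DH, IDEA and RC2 ciphers follow the OpenSSL naming convention and are an assumption, not a list from the page. One caveat the page does not state: SSL3-DES-CBC-SHA is single 56-bit DES, which is brute-forceable, so the audit reports it for review even though it is on the FIPS-approved list.

```python
"""Cipher policy check for an Access Gateway FIPS model (issue #29050).
Added example, not Citrix code. Cipher names use the OpenSSL/NetScaler style
shown on this page, for example TLS1-AES-128-CBC-SHA."""

# The four ciphers the readme lists as configurable on the FIPS model.
FIPS_APPROVED = {
    "SSL3-DES-CBC3-SHA",
    "SSL3-DES-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
}
# RC4-SHA is the only non-FIPS cipher allowed without cipher redirection;
# with cipher redirection the readme also allows RC4-MD5.
NON_FIPS_ALLOWED = {"RC4-SHA"}
NON_FIPS_ALLOWED_WITH_REDIRECT = {"RC4-SHA", "RC4-MD5"}

# Cipher families the readme says cipher redirection does not support.
# The name markers are an assumption based on OpenSSL naming, not page content.
REJECTED_FAMILIES = {
    "export cipher": ("EXP",),
    "DSA/DSS cipher": ("DSS",),
    "DH key exchange": ("DHE", "EDH", "DH-", "ADH"),
    "IDEA cipher": ("IDEA",),
    "RC2 cipher": ("RC2",),
}
# FIPS-listed but weak: single DES has a 56-bit key.
WEAK = {"SSL3-DES-CBC-SHA": "56-bit DES, brute-forceable"}


def classify(cipher, cipher_redirection=False):
    """Return (verdict, reason) for one cipher name."""
    name = cipher.upper()
    if name in FIPS_APPROVED:
        return ("fips-approved", WEAK.get(name, "on the FIPS-approved list"))
    allowed = NON_FIPS_ALLOWED_WITH_REDIRECT if cipher_redirection else NON_FIPS_ALLOWED
    if name in allowed:
        return ("allowed-non-fips", "permitted by exception")
    for family, markers in REJECTED_FAMILIES.items():
        if any(m in name for m in markers):
            return ("rejected", family + " is not supported")
    return ("rejected", "not in the FIPS-approved list")


def audit(bound_ciphers, cipher_redirection=False):
    """Audit a virtual server's cipher binding.
    Returns (remove, review): ciphers that must be unbound, and ciphers that
    are FIPS-approved but weak enough to warrant a second look."""
    remove, review = [], []
    for c in bound_ciphers:
        verdict, reason = classify(c, cipher_redirection)
        if verdict == "rejected":
            remove.append((c, reason))
        elif c.upper() in WEAK:
            review.append((c, reason))
    return remove, review


if __name__ == "__main__":
    # Constructed sample binding, not taken from a real appliance.
    sample = ["TLS1-AES-256-CBC-SHA", "SSL3-DES-CBC-SHA", "RC4-MD5",
              "EXP-RC4-MD5", "TLS1-DHE-RSA-AES-256-CBC-SHA", "SSL3-DES-CBC3-SHA"]
    for mode in (False, True):
        print("cipher redirection:", mode, audit(sample, mode))
```

Run it against the cipher names shown by the Configuration Utility for each virtual server; anything in the "remove" list will either be refused by the FIPS model or silently unusable with cipher redirection.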

Other Known Issues

Installing Secure Access Client and the ActiveX Client Plug-in

When the Secure Access Client and ActiveX client plug-in are installed for the first time on a client device, the user must either be logged on as an administrator or be able to provide administrator credentials during installation.

If the Secure Access Client or ActiveX client plug-in are upgraded from an earlier version, users do not need to be logged onto the device as an administrator nor are administrator credentials required.

The Java client plug-in does not require administrator credentials when installing the plug-in for the first time or if it is upgraded to a newer version.

Enhancements

Installing Licenses on the Access Gateway

Before the Access Gateway can be configured to support user sessions, the appliance must be licensed. The Access Gateway Universal license enables the appliance to support a specific number of concurrent users. The total number of concurrent user sessions on the appliance cannot exceed the license count defined in the Access Gateway Universal license. When multiple Access Gateway licenses are installed on a single appliance, the license capacity is equal to the sum of the licenses. For example, if two licenses are installed on a single Access Gateway appliance, one for 100 concurrent users and one for 175 concurrent users, the total licensed capacity is 275 concurrent users.

The Access Gateway universal license is obtained by activating a license authorization code using the Citrix Activation System on MyCitrix.com. The license authorization code is electronically sent to you when the Access Gateway Universal license is purchased.

Assuming the appliance is successfully connected to the network and you have received your license authorization code, you can install the license on the appliance. When you are installing the license, you need to have the host name of the Access Gateway appliance.

Note    The host name is not the same as the fully-qualified domain name (FQDN) of the Access Gateway.

To install the universal license on the Access Gateway

  1. Connect to the command line interface of the appliance, either from a computer attached with the serial cable or with an SSH client (such as PuTTY). Log on using administrator credentials.
  2. At a command prompt, type:

    set ns hostName host name of the appliance
    save config
    shell
    cd /nsconfig
    echo hostname=\"host name of the appliance\" > rc.conf
    mkdir license
    rm hosts
    reboot


  3. On MyCitrix.com, navigate to the Citrix Activation System by going to My Tools > Activation System/Manage Licenses.
  4. Select Activate/Allocate and follow the directions. Use the host name of the appliance as it was set in Step 2.
  5. In the Access Gateway Configuration Utility, in the left pane, click System > Licenses.
  6. Click Manage Licenses and then click Add.
  7. Navigate to the license file, select it, and click OK.
  8. Click OK to restart the Access Gateway.

After the Access Gateway restarts, check that the license is correctly installed.

To verify license installation

  1. In the Configuration Utility, in the left pane, click System > Licenses.
  2. In the right pane, verify that there is a green check mark next to SSL VPN and that Maximum SSL VPN Users Allowed accurately shows the number of purchased licenses.
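Two details of the procedure above trip people up in practice: the echo in Step 2 uses a single ">" and therefore replaces the whole of /nsconfig/rc.conf with one line, and a license file that picked up ^M (CR) characters in transit is corrupted (known issue #28431 above). The following added example (not Citrix code, not part of the readme) is a pre-flight helper that sets the hostname line while keeping the rest of rc.conf, rejects a host name that is really an FQDN, and refuses to stage a license file that contains CR characters. The license directory defaults to /nsconfig/license, the location the errata at the end of this readme gives; the sample rc.conf and license contents used for the demonstration are constructed.

```python
"""Pre-flight helpers for the license install procedure above.
Added example, not Citrix code. Paths default to the ones the readme names."""
import os
import re

# One DNS label: letters, digits and hyphens, no dots. The readme says the
# activation host name is not the FQDN, so a dotted name is rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))


def rc_conf_with_hostname(existing_text, hostname):
    """Return rc.conf content with hostname="<name>" set.
    An existing hostname= line is replaced (duplicates are dropped) and every
    other line is kept, unlike 'echo ... > rc.conf', which discards them."""
    if not is_valid_hostname(hostname):
        raise ValueError("invalid host name: %r" % hostname)
    new_line = 'hostname="%s"' % hostname
    out, replaced = [], False
    for line in existing_text.splitlines():
        if re.match(r"^\s*hostname=", line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def license_file_problems(data):
    """Return a list of problems found in raw license-file bytes."""
    problems = []
    if b"\r" in data:
        problems.append("contains CR (^M) characters; convert line endings")
    if not data.strip():
        problems.append("empty file")
    return problems


def stage_license(src_path, license_dir="/nsconfig/license"):
    """Copy a license file into the license directory only if it is clean.
    Returns the destination path; raises ValueError listing the problems."""
    with open(src_path, "rb") as f:
        data = f.read()
    problems = license_file_problems(data)
    if problems:
        raise ValueError("; ".join(problems))
    os.makedirs(license_dir, exist_ok=True)
    dest = os.path.join(license_dir, os.path.basename(src_path))
    with open(dest, "wb") as f:
        f.write(data)
    return dest


if __name__ == "__main__":
    # Constructed rc.conf content; the real file on the appliance may differ.
    current = '# constructed rc.conf\nhostname="old-name"\nsome_option="YES"\n'
    print(rc_conf_with_hostname(current, "ag-fips01"))
    print(license_file_problems(b"line one\r\nline two\r\n"))
```

Run the hostname step before activation and the license check before Step 7, since the host name embedded in the license must match the one set in rc.conf exactly.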

Configuring Web Interface Failover

When an Access Gateway is not licensed as a load balancer, you can configure a virtual server with one real server bound to it. Multiple real servers cannot be load balanced, but the virtual server can provide health monitoring and failover capabilities. You can use the capability to configure failover to multiple servers running the Web Interface. For example, you configured two servers running the Web Interface with the IP addresses 172.16.100.81 and 172.16.100.82. These are called WISRV01 and WISRV02. If WISRV01 fails, the Access Gateway can automatically route Web Interface requests to WISRV02.

To configure failover to the Web Interface

  1. In the Configuration Utility, in the navigation pane, expand the Virtual Servers and Services node.
  2. Click Services and then click Add.
  3. In Service Name, type the name of the service, such as WISRV01.
  4. In Server, type the IP address of the server running the Web Interface and click Create.
  5. Repeat Steps 3 and 4 to create the service for a second server running the Web Interface, click Create, and then click Close.
  6. Click Virtual Servers and then click Add.
  7. In Name, type a name for the virtual server.
  8. On the Services tab, select one of the Web Interface services, and click Create.
  9. Repeat Steps 7 and 8, selecting the second Web Interface service.
  10. Clear Directly Addressable because this virtual server does not require a specific IP address. Click Create and then click Close.
  11. Select the first virtual server and click Open.
  12. On the Advanced tab, in Backup Virtual Server, select the second virtual server and click OK.

When these steps are complete, use the address of the primary virtual server instead of the Web Interface address when configuring the home page in global settings or as part of a session policy. All Web Interface traffic goes to the first virtual server you configured. If that server fails and the second virtual server is running, users fail over automatically to the second virtual server.

Documentation Errata

Access Gateway Enterprise Edition Administrator's Guide

The Access Gateway Enterprise Edition, Version 8.0, includes AppCompress technology that provides bidirectional compression of TCP and HTTP-based network traffic.

SmartAccess End Point Authentication Configuration

Administrator's Guide, pages 176 and 182: set vpn parameter -wiMode CSG -homepage http://ipaddress/path

The configuration parameter for configuring end point authentication is incorrect. The correct parameter is set vpn param -icaProxy [ON|OFF].

Configuring Group Extraction from LDAP and RADIUS Authentication Servers

The Access Gateway Enterprise Edition can extract groups from LDAP and RADIUS authentication servers. When a user logs on, group membership is extracted from the server when logon is successful.

Configuring LDAP

To configure LDAP servers, you need the following:

  • Group Attribute Name (-groupAttrName)
  • SubAttribute Name (-subAttributeName)

The parameters can be set globally with the following command:

set aaa ldapparams

or for a specific LDAP action with:

add authentication ldapaction

The following assumptions are made on the LDAP server:

  • Group information is attached to the user object
  • Group membership is stored as name=value pairs, where name is the attribute name and value is a DN beginning with [subattributename]=groupname

When a subattribute name is configured, the value that comes after it up to the “comma” delimiter is taken to be the group name. The Access Gateway does not check for any other delimiter.

The subattribute name is an optional parameter. If it is not used, the attribute value is used for the group name.

An example is:

memberOf: CN=corporate, OU=NS-Group, OU=Engineering, DC=engineering, DC=AccessGateway, DC=com

In this example, the group attribute name is “memberOf,” the subattribute name is “CN,” and the group name is “corporate.”

To use authorization to work with a group, the group must be configured on the Access Gateway with authorization rules. When a user belonging to the group logs on successfully, the authorization rules specific for the group are inherited.

An example is:

set aaa ldapparams -serverip -serverport -authtimeout -ldapbase dc=,dc=, -ldapBindDn cn=Manager,dc=,dc= -ldaploginname sAMAccountName -groupAttrName memberOf -subAttributeName CN
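The extraction rule described above is simple but has a sharp edge: the group name is whatever follows "CN=" up to the first comma, and no other delimiter or escape is honoured, so a group whose CN itself contains a comma (for example an escaped "\," in the DN) is truncated and will never match a group configured on the Access Gateway. The following added example (not Citrix code, not part of the readme) implements the rule as the text states it and shows that edge case. Two details the page does not specify are assumptions here: the sub-attribute name is matched case-insensitively, and only at the start of the attribute value. The user entry and the gateway group table are constructed; the first memberOf value is the page's own example.

```python
"""Group extraction from an LDAP attribute, following the rule the readme
describes: "<subAttributeName>=" then everything up to the first comma.
Added example, not Citrix code."""
import re


def extract_group(attr_value, sub_attribute=None):
    """Return the group name the gateway takes from one attribute value.
    With no sub-attribute the whole value is the group name. With one, the
    text between "<sub>=" and the first comma is the group name; nothing else
    (escaping, quoting, other delimiters) is honoured, as the readme states."""
    value = attr_value.strip()
    if not sub_attribute:
        return value
    # Assumption: case-insensitive match, anchored at the start of the value.
    m = re.match(r"^\s*%s\s*=([^,]*)" % re.escape(sub_attribute), value, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).strip()


def groups_for_user(entry, group_attr="memberOf", sub_attribute="CN"):
    """entry: attribute name -> list of values from the user object (the
    readme assumes group information is attached to the user object)."""
    names = []
    for value in entry.get(group_attr, []):
        name = extract_group(value, sub_attribute)
        if name:
            names.append(name)
    return names


def inherited_rules(user_groups, gateway_groups):
    """gateway_groups: group name -> authorization rules configured on the
    Access Gateway. Only groups that exist on the gateway contribute rules."""
    rules = []
    for g in user_groups:
        rules.extend(gateway_groups.get(g, []))
    return rules


if __name__ == "__main__":
    # Constructed user entry; the first value is the readme's own example.
    entry = {"memberOf": [
        "CN=corporate, OU=NS-Group, OU=Engineering, DC=engineering, DC=AccessGateway, DC=com",
        "CN=Smith\\, John,OU=Groups,DC=example,DC=com",  # comma inside the CN
        "OU=NoCN,DC=example,DC=com",                     # no CN= prefix at all
    ]}
    groups = groups_for_user(entry)
    print(groups)  # second entry is truncated at the escaped comma
    # Constructed gateway group table: the truncated name matches nothing.
    print(inherited_rules(groups, {"corporate": ["allow intranet"], "Smith, John": ["allow hr"]}))
```

If your directory uses commas inside group CNs, either rename the groups or extract from a different attribute whose values contain no commas, because the gateway cannot be configured to honour the escape.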

Configuring RADIUS

When configuring RADIUS, the group names are stored in vendor-specific attributes of a user entry. The parameters are:

  • RADIUS Vendor ID (-radVendorID)
  • RADIUS attribute type (-radAttributeType)

These parameters can be configured globally with the following command:

set aaa radiusparams

or for a specific RADIUS action with:

add authentication radiusaction

An example of a user configured on a RADIUS server is:

Ascend-Group-Name = “Engineer”

This is defined in the dictionary files. In the present example, “Ascend” is the vendor whose ID is 629 and the attribute type is 149.

RADIUS does not use a subattribute. The RADIUS attribute is used as the group name. Only one group name is in the attribute value. The Access Gateway does not parse the group name.

An example configuration is:

set aaa radiusparams -serverip ipAddress -serverport port -authtimeout value -radkey NodeSecret -radVendorID value -radAttributeType value
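The vendor ID and attribute type above refer to the RADIUS Vendor-Specific attribute (type 26 in RFC 2865), which carries a vendor ID followed by the vendor's own type-length-value. The following added example (not Citrix code, not part of the readme) encodes Ascend-Group-Name = "Engineer" as such an attribute with the vendor ID 629 and attribute type 149 given above, and then extracts the group name from a constructed Access-Accept attribute list the way the text describes: the attribute value is taken whole as the group name, with no sub-attribute parsing. The parser also rejects malformed lengths, which is the check a gateway should make before trusting a value from the network.

```python
"""RADIUS group extraction through a Vendor-Specific attribute (RFC 2865,
attribute type 26). Added example, not Citrix code. The Ascend vendor ID 629
and attribute type 149 are the values the readme gives."""
import struct

VSA_TYPE = 26
REPLY_MESSAGE_TYPE = 18  # used only to build a realistic sample packet


def build_vsa(vendor_id, vendor_type, value):
    """Encode one VSA: type 26, length, 4-byte vendor id, then the inner
    TLV of vendor type, vendor length, value."""
    if isinstance(value, str):
        value = value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def iter_attributes(attrs):
    """Yield (type, value) over a RADIUS attribute list; raise on a length
    that is below the 2-byte minimum or runs past the buffer."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, attrs[i + 2:i + alen]
        i += alen


def extract_group(attrs, vendor_id, vendor_type):
    """Return the group name carried in the configured VSA, or None.
    The value is used whole, as the readme states: no sub-attribute parsing."""
    for atype, value in iter_attributes(attrs):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break  # malformed inner TLV: ignore the rest of this VSA
            if vtype == vendor_type:
                return value[j + 2:j + vlen].decode("utf-8", "replace")
            j += vlen
    return None


def sample_access_accept_attributes():
    """Constructed attribute list: a Reply-Message followed by the readme's
    Ascend-Group-Name = "Engineer" example."""
    reply = struct.pack("!BB", REPLY_MESSAGE_TYPE, 2 + 7) + b"Welcome"
    return reply + build_vsa(629, 149, "Engineer")


if __name__ == "__main__":
    attrs = sample_access_accept_attributes()
    print(extract_group(attrs, 629, 149))  # Engineer
    print(extract_group(attrs, 629, 150))  # None: wrong attribute type
```

To see what a particular server actually sends, capture one Access-Accept and feed its attribute bytes to extract_group with the vendor ID and type you intend to configure; if it returns None, the -radVendorID or -radAttributeType value is wrong or the server is not returning the attribute for that user.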

Citrix Access Gateway Enterprise Edition 8.0: Installation and Configuration Guide

Configuring Licensing

Pages 24 and 25

The license files are located in the /nsconfig/license folder on the Access Gateway. The guide states the licenses are located in the /nsconfig directory.


Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
954-267-3000
http://www.citrix.com/

Copyright © 2007 Citrix Systems, Inc.


This document applies to:

  • Access Gateway 8.0 Enterprise Edition