4.4 Configuring SSL VPN for Citrix Clients

You can configure a user to enable the single sign-on feature of Access Manager when accessing published Citrix applications through the SSL VPN. To enable single sign-on, you must configure a custom login policy and protect the Citrix Application Server with the Access Gateway. If you are using the ESP-enabled SSL VPN, you must install an Access Gateway in order to protect the Citrix server. The following sections discuss the configuration process:

4.4.1 Prerequisites

  • NFuse server

  • MetaFrame server

    The MetaFrame server must be placed in the protected network. The SSL VPN server must use its private network interface adapter to communicate with the network interface of the MetaFrame server.

  • Identity Server

  • Access Gateway

  • Configure the SSL VPN to use the same Identity Server as the Access Gateway.

  • Download the Citrix_Script.js file from the Additional Resources section on the NetIQ Documentation site and copy it to a Web server that is protected by the Access Gateway.

4.4.2 How It Works

Access Manager can be configured to provide single sign-on for the Citrix clients. Figure 4-1 illustrates this process for the Citrix Web client.

Figure 4-1 Citrix Client Configuration

  1. The client specifies the public DNS name of the Access Gateway that accelerates the Web Interface login page of the Citrix MetaFrame Presentation Server.

  2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.

  3. The Identity Server authenticates the user’s identity.

  4. The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.

  5. The Access Gateway has been configured with a Form Fill policy, which invokes the SSL VPN servlet along with the corresponding policy information for that user. The SSL VPN servlet creates a secure tunnel between the client and the SSL VPN server.

  6. On successful SSL VPN connection, the Access Gateway performs a single sign-on to the Citrix MetaFrame Presentation Server. The user is authenticated to both the Citrix Presentation Server and to the SSL VPN server.

  7. The Web session containing the list of published applications in the Citrix Presentation Server is served to the client through the Access Gateway.

  8. When the user connects to the published application, the data goes through the secure tunnel that is formed between the client and the SSL VPN server.

4.4.3 Configuring a Custom Login Policy for Citrix Clients

A custom login policy must be configured to enable users to use a browser to access Citrix applications protected by Access Manager. This is because the browser settings of the client need to be modified so that connections to Citrix applications can happen through the SSL VPN.

The following procedure configures a sample custom login policy for Citrix where all users connecting from the Firefox browser on Linux are redirected to a page that modifies the browser settings and then redirects the user to the SSL VPN /login URL:

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Client Policies from the policies section.

  3. Click New in the Custom Login section.

  4. Specify the following information in the New dialog box.

    Custom Action Name: Specify a name for the custom login policy. For example, modify_firefox_properties

    Redirect Condition:

    • Specify Firefox as the browser.

    • Specify Linux as the Operating Software.

    Redirect URL: Specify the redirect URL as http://<sslvpn-url>/sslvpn/pages/sslvpn-citrix.jar!configure_browser.html.

  5. Click OK.

  6. Specify /login as the default URL. The user is redirected to this URL if none of the conditions are met.

  7. To save your modifications, click OK, then click Update on the Configuration page.
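The policy above is evaluated per request: every redirect condition on the policy (here, browser Firefox and operating system Linux) must hold for the redirect URL to be used, and any client that fails a condition falls through to the default /login URL. The following script is an added example written for this section; it is not part of the NetIQ product or its documentation. It models that decision for the sample policy from the procedure, and the User-Agent parsing, the placeholder host sslvpn.example.com standing in for <sslvpn-url>, and the sample User-Agent strings are assumptions made here.

```javascript
// Added example (not NetIQ code): models how the custom login policy from
// the procedure above chooses a redirect target for a client.
// The policy name, condition values and URL shapes mirror the procedure;
// the User-Agent classification and sample strings are assumptions.

const SSLVPN_URL = "sslvpn.example.com"; // placeholder for <sslvpn-url>

// The sample custom login policy: all conditions must match for the
// redirect to apply, exactly as the Redirect Condition in the dialog.
const customLoginPolicies = [
  {
    name: "modify_firefox_properties",
    conditions: { browser: "Firefox", os: "Linux" },
    redirectUrl:
      `http://${SSLVPN_URL}/sslvpn/pages/sslvpn-citrix.jar!configure_browser.html`,
  },
];

// Default URL from step 6: used when no policy condition is met.
const DEFAULT_URL = "/login";

// Minimal User-Agent classification for the two attributes the policy
// checks. Real clients vary widely; this covers only the sample strings.
function classifyUserAgent(ua) {
  const browser = /Firefox\//.test(ua) ? "Firefox"
    : /MSIE |Trident\//.test(ua) ? "Internet Explorer"
    : "Other";
  const os = /Linux/.test(ua) && !/Android/.test(ua) ? "Linux"
    : /Windows/.test(ua) ? "Windows"
    : /Mac OS X/.test(ua) ? "Mac"
    : "Other";
  return { browser, os };
}

// Returns the first policy whose conditions all match the client, or the
// default URL when none does.
function selectRedirect(ua, policies = customLoginPolicies) {
  const client = classifyUserAgent(ua);
  for (const policy of policies) {
    const matches = Object.entries(policy.conditions)
      .every(([attribute, expected]) => client[attribute] === expected);
    if (matches) {
      return { policy: policy.name, url: policy.redirectUrl };
    }
  }
  return { policy: null, url: DEFAULT_URL };
}

// Constructed sample User-Agent strings (not captured from real clients).
const SAMPLE_UAS = {
  firefoxLinux: "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
  firefoxWindows: "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
  ieWindows: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  const decision = selectRedirect(ua);
  console.log(`${label}: policy=${decision.policy} -> ${decision.url}`);
}
```

Note that Firefox on Windows falls through to /login: the browser condition alone is not enough, because the policy requires both conditions. When you add further policies, order them so the most specific conditions come first, since the first matching policy wins.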

4.4.4 Configuring the Access Gateway to Protect the Citrix Server

To enable users to access Citrix applications through the SSL VPN, you must create a protected resource to protect the Citrix login page.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

    The reverse proxy can be set up to require SSL or not.

  2. Click Name of Proxy Service > Protected Resources > New.

  3. When you configure the protected resource, set up the following:

    • Select a contract that requires authentication. Usually this is a Name/Password contract, but it can be a certificate contract if your NFuse server is configured to use certificates.

    • For the URL Path List, specify the URL to the Citrix login page. This URL should include the filename of this login page.

    For more information, see Configuring Protected Resources in the NetIQ Access Manager 3.2 SP1 Access Gateway Guide.

  4. On the Server Configuration page, click OK, then click Update.

4.4.5 Configuring Single Sign-On between Citrix and SSL VPN

You need to create a Form Fill policy and assign it to the protected resource for the Citrix login page.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. Click Form Fill > Manage Policies > New.

  3. Name the Citrix policy, select Access Gateway: Form Fill as the type, then click OK.

  4. In the Actions section, click New > Form Fill.

  5. In the Form Selection section, identify the form on the Citrix login page.

  6. In the Fill Options section, create the following:

    • Username input field

    • Password input field

    • (Optional) If your login page requires a domain, add a domain input field.

  7. Configure the following Submit options:

    1. Select Auto Submit.

    2. Select Enable JavaScript Handling.

    3. Click Statements to Execute on Post. Copy the Citrix Script found in the Additional Resources section in the NetIQ Documentation site.

    4. In the script, replace <ag-url> with the following:

      • For a Traditional SSL VPN, use the hostname of the Access Gateway that is accelerating the SSL VPN server.

      • For an ESP-enabled SSL VPN, use the hostname of the SSL VPN server.

    5. Change the protocol to HTTPS if the secure protocol is used.

    6. Replace <Webserver-path> with the location of the Web server on which the Citrix_Script.js JavaScript file is located. When this JavaScript file is used, it connects users from the outside through the SSL VPN.

    7. Change the URL as follows, if you want to use the custom login method:

      http://<ag-url>/sslvpn/custom-login

  8. Configure any other options to match your form and your network.

    For more information, see Creating Form Fill Policies in the NetIQ Access Manager 3.2 Policy Guide.

  9. In the Actions section, click New > Form Login Failure.

  10. Specify the procedures you want followed when login fails.

    For more information, see Login Failure Policy in the Novell Access Manager 3.1 SP4 Policy Management Guide.

    Citrix reports login failures via the query string, so you need to use CGI matching.

  11. Click OK, then click Apply Changes.

  12. Click Close.

    You should return to the Form Fill page for the protected resource.

  13. Select the policy you just created, then click Enable.

  14. Click Configuration Panel, then click OK.

  15. On the Server Configuration page, click OK, then click Update.