RSA and Citrix

Posted on 2006-11-05
Last Modified: 2008-02-01
Does anybody know how to configure Citrix Web Interface with RSA SecurID? I can't find any docs about it and am well and truly stuck.

I have so far done the following.

Set up Citrix Web Interface in my DMZ; this is a DMZ created with ISA 2004. I have created the inbound port rules for the HTTP XML listener pointing to the two Citrix PS4 servers in my LAN.
I have then created the UDP 5500 inbound rule for the RSA communication. I have assumed that I install the RSA ACE Client on the Web Interface and have loaded the sdconf.rec file on the Web Interface as well.

So far, when I try to authenticate I just get an access denied message; when I go to the URL for Web Interface I can enter my username and passcode but then get the same access denied message.

Do I need to install anything else, or install something on the DCs?

If anyone has a step-by-step guide this would be really useful, as I am running out of time!
Question by:impoole

14 Comments

Expert Comment

by:chrisnewman01
Have you tested authentication to the RSA server (via the control panel applet)? Also, 5500 inbound is enabled from the Web Interface server to the ACE server(s)?

http://support.citrix.com/article/CTX107404 <--  Integrating RSA SecureID 6.0 with Web Interface 4.x

Hope this helps,
Chris

Expert Comment

by:chrisnewman01
Sorry, to clarify:  I meant 5500 UDP from Web Interface server --> RSA Server on Private LAN.  It wasn't clear if you had 5500 UDP open from the outside to the RSA server in the original message (which could've been a problem).

Author Comment

by:impoole
Sorry it has taken me so long to get back - I was talking to RSA. Got it working in the end; it was a problem with the RSA build (rebuilt this using the restore function and all worked).

Although the problem I now have is that it seems really slow to authenticate - about 35-40 seconds. Is this right?

Expert Comment

by:chrisnewman01
It should take 15-20 seconds or less, depending on the size of the environment and all of the paths for authentication.

Author Comment

by:impoole
Another thing is that I have my WI/SG in a DMZ, which works correctly, but my two PS4 servers are in my LAN and I can only publish one of them on the firewall (well, I publish both, but it will pick up the first rule). And I seem to have to open 1494 to the External network, which seems to negate all the security?

I am a bit confused, as I assumed I could use WI/SG for authentication and then the SG would control the access to the farm, so I only had 1494 open from the DMZ to the Citrix PS4 servers?

How does this work, and how do I balance between the two PS4 servers without bypassing the RSA security?

Expert Comment

by:chrisnewman01
If you have SG, all you need open from the outside is 443.  When you configure WI, make sure you tell it to use Secure Gateway Direct (DMZ settings), then configure all local connections (192.x, 172.x, 10.x <-- anything local) to use direct (not secure gateway direct).  This will bypass CSG for your local users -- if you want to set it up that way.  As long as you have the RSA agent installed on the CSG/WI server (and you have WI authentication set to use RSA), you will be covered.

[Internet User --> 443 to CSG/WI] --> [(DMZ) CSG/WI Server --> 80 (if you still use this for XML service), 1494, 2598 (session reliability)] --> Citrix servers.

Chris

Author Comment

by:impoole
OK, so

i)   one published rule from External -> DMZ [443]
ii)  one rule allowing port 80 from DMZ -> Internal
iii) one rule allowing 1494 & 2598 from DMZ -> Internal

is that right?

Expert Comment

by:chrisnewman01
Actually,

If you want users to access your page from the outside without having to type https://website.domain.com, you may want to open port 80, then have an immediate redirect to the https://website.domain.com (the https:// is actually CSG).  The next step would be to allow ports 80 (if you left XML service on the default port of 80 on the Citrix servers), 1494, and 2598 from the DMZ to the LAN.

Chris
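Pulling the two ports posts above together, here is an added example (not from either poster) that checks a candidate ISA rule set against the flows Chris lists: Internet to CSG/WI in the DMZ over 443 (plus an optional 80 for the redirect), CSG/WI to the PS4 servers over 80, 1494 and 2598, and the RSA agent on WI to the ACE server over UDP 5500. It also flags the pattern from the question, ICA published straight from the Internet to a LAN server, because that path skips CSG and with it the RSA-authenticated WI logon. The zone names, the Rule shape and both sample rule sets are constructed for the example.

```python
"""Added example, not from the thread: sanity-check an ISA-style rule set for
the design Chris describes (Internet -> CSG/WI in the DMZ over 443; CSG/WI ->
PS4 servers over 80, 1494 and 2598; RSA agent on WI -> ACE server over UDP
5500).  Zone names, the Rule shape and both sample rule sets are constructed
for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # zone the traffic comes from: "External", "DMZ", "Internal"
    dst: str    # zone it goes to
    proto: str  # "tcp" or "udp"
    port: int


# Every flow the three-tier design needs, with the reason it exists.
REQUIRED = {
    Rule("External", "DMZ", "tcp", 443): "Internet users -> CSG (TLS); CSG fronts WI",
    Rule("DMZ", "Internal", "tcp", 80): "WI -> XML service on the PS4 servers (default port)",
    Rule("DMZ", "Internal", "tcp", 1494): "CSG -> ICA on the PS4 servers",
    Rule("DMZ", "Internal", "tcp", 2598): "CSG -> session reliability (CGP) on the PS4 servers",
    Rule("DMZ", "Internal", "udp", 5500): "RSA ACE agent on WI -> ACE server",
}

# Optional and harmless: the plain-HTTP listener that only redirects to https://.
OPTIONAL_FROM_EXTERNAL = {Rule("External", "DMZ", "tcp", 80)}

SERVICE_NAMES = {80: "XML service", 1494: "ICA", 2598: "CGP", 5500: "ACE agent traffic"}


def _ordered(rules):
    return sorted(rules, key=lambda r: (r.src, r.dst, r.proto, r.port))


def check_rules(rules):
    """Return missing flows, rules that bypass CSG/WI, and unneeded exposure."""
    rules = set(rules)
    missing = [f"{r.src}->{r.dst} {r.proto}/{r.port}: {why}"
               for r, why in REQUIRED.items() if r not in rules]
    # Anything published straight from the Internet into the LAN lets a client
    # skip CSG, and with it the RSA-authenticated WI logon.
    bypass = [f"{r.src}->{r.dst} {r.proto}/{r.port}: "
              f"{SERVICE_NAMES.get(r.port, 'internal service')} reachable from the Internet"
              for r in _ordered(rules) if r.src == "External" and r.dst == "Internal"]
    # Inbound to the DMZ, only 443 (CSG) and optionally 80 (redirect) are needed.
    unneeded = [f"{r.src}->{r.dst} {r.proto}/{r.port}: not used by CSG/WI"
                for r in _ordered(rules)
                if r.src == "External" and r.dst == "DMZ"
                and r not in REQUIRED and r not in OPTIONAL_FROM_EXTERNAL]
    return {"missing": missing, "bypass": bypass, "unneeded": unneeded}


# Constructed approximation of the setup in the question: ICA published from
# the Internet straight to a PS4 server, session reliability not opened.
ORIGINAL = [
    Rule("External", "DMZ", "tcp", 443),
    Rule("External", "Internal", "tcp", 1494),
    Rule("DMZ", "Internal", "tcp", 80),
    Rule("DMZ", "Internal", "udp", 5500),
]

# The rule set agreed in the thread, plus the UDP 5500 rule from the question.
RECOMMENDED = [
    Rule("External", "DMZ", "tcp", 443),
    Rule("External", "DMZ", "tcp", 80),
    Rule("DMZ", "Internal", "tcp", 80),
    Rule("DMZ", "Internal", "tcp", 1494),
    Rule("DMZ", "Internal", "tcp", 2598),
    Rule("DMZ", "Internal", "udp", 5500),
]

if __name__ == "__main__":
    for label, ruleset in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        print(label)
        for kind, findings in check_rules(ruleset).items():
            for finding in findings:
                print(f"  {kind}: {finding}")
```

Run against ORIGINAL it reports the External to Internal 1494 rule as a CSG bypass and the DMZ to Internal 1494 and 2598 flows as missing; RECOMMENDED comes back clean. If the XML service on the PS4 servers was moved off port 80, change the port in the DMZ to Internal rule to match.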

Author Comment

by:impoole
OK, the problem is that after trying that, both IIS and SG are trying to use 443 - so what do I do with IIS?

I have the certificate from Verisign for the FQDN and installed on the server....

Expert Comment

by:chrisnewman01
You could put the IIS SSL port to 444, then verify the Secure Gateway configuration (run through CSG configuration with the advanced option) to make sure everything is set properly.  CSG is actually doing all the encryption with the SSL cert.

Author Comment

by:impoole
Do the STAs have to be FQDNs? I have them set as internal server names at the moment.

Accepted Solution

by:chrisnewman01 earned 500 total points
It's recommended they be FQDNs.  You can set them to any name you wish, as long as the CSG server can resolve them (whether it be through local DNS, or through a hosts file).  On the PS4 servers, is the XML/STA service running on port 80 (the default)?
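On the STA question, here is an added example (not from either poster) that checks each STA URL configured on the CSG server the way Chris describes: the name is looked up in the hosts file first, then through DNS, and short names are flagged so they can be replaced with FQDNs. It also reports the port each STA URL implies, since Chris asks whether the XML/STA service is still on 80. The STA URLs, the hosts-file text and the stub resolver are constructed; the /Scripts/CtxSta.dll path is the usual STA location on PS4 but is an assumption here.

```python
"""Added example, not from the thread: check that each STA configured on the
CSG server resolves the way Chris describes (hosts file first, then DNS) and
flag short names so they can be replaced with FQDNs.  The STA URLs, the hosts
file text and the stub resolver are constructed; the CtxSta.dll path is the
usual STA location on PS4 but is assumed here."""

import re
import socket


def parse_hosts(text):
    """Map each name in hosts-file text to its address, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def sta_endpoint(sta_url):
    """Return (host, port) for an STA URL; the port defaults from the scheme."""
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?(?:/|$)", sta_url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an STA URL: {sta_url}")
    scheme, host, port = m.groups()
    return host, int(port) if port else (443 if scheme.lower() == "https" else 80)


def check_stas(sta_urls, hosts_text, dns_lookup=socket.gethostbyname):
    """One result per STA: how its name resolves (if at all) and whether it is an FQDN."""
    hosts = parse_hosts(hosts_text)
    results = []
    for url in sta_urls:
        host, port = sta_endpoint(url)
        entry = {"sta": url, "host": host, "port": port,
                 "fqdn": "." in host, "resolves_via": None, "ip": None}
        if host.lower() in hosts:                 # Windows consults hosts before DNS
            entry["resolves_via"], entry["ip"] = "hosts", hosts[host.lower()]
        else:
            try:
                entry["ip"], entry["resolves_via"] = dns_lookup(host), "dns"
            except OSError:
                pass                              # left unresolved, as CSG would find it
        results.append(entry)
    return results


# Constructed data: one STA by short name, one by FQDN pinned in the hosts file.
STAS = ["http://ps4-01/Scripts/CtxSta.dll",
        "http://ps4-02.corp.example/Scripts/CtxSta.dll"]
HOSTS_TEXT = """# constructed hosts file on the CSG/WI server
10.0.0.12   ps4-02.corp.example   # STA on the second PS4 server
"""


def stub_dns(name):
    """Stand-in for DNS as seen from the DMZ: knows only the FQDN of ps4-01."""
    if name.lower() == "ps4-01.corp.example":
        return "10.0.0.11"
    raise socket.gaierror(f"cannot resolve {name}")


if __name__ == "__main__":
    for r in check_stas(STAS, HOSTS_TEXT, stub_dns):
        status = f"{r['resolves_via']} -> {r['ip']}" if r["ip"] else "UNRESOLVED"
        note = "" if r["fqdn"] else " (short name; use an FQDN or add a hosts entry)"
        print(f"{r['host']}:{r['port']}  {status}{note}")
```

With the constructed data, ps4-01 comes back unresolved because the DMZ resolver only knows the FQDN, which is exactly the failure a short STA name produces on a CSG server that is not joined to the internal DNS; ps4-02.corp.example resolves from the hosts file. To run it for real, drop the stub and pass the contents of C:\Windows\System32\drivers\etc\hosts from the CSG server.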