impoole (United Kingdom)

asked:
RSA and Citrix

Does anybody know how to configure Citrix Web Interface with RSA SecurID? I can't find any docs about it and am well and truly stuck.

I have so far done the following.

Set up Citrix Web Interface in my DMZ; this is a DMZ created with ISA 2004. I have created the inbound port rules for the HTTP XML listener pointing to the two Citrix PS4 servers in my LAN.
I have then created the UDP 5500 inbound rule for the RSA communication. I have assumed that I install the RSA ACE Client on the Web Interface, and have loaded the sdconf.rec file on the Web Interface as well.

So far, when I try to authenticate I just get an access denied message; when I go to the URL for Web Interface I can enter my username and passcode, but then get the same access denied message.

Do I need to install anything else, or install something on the DCs?

If anyone has a step-by-step guide this would be really useful... as I am running out of time!
chrisnewman01

Have you tested authentication to the RSA server (via the control panel applet)? Also, is 5500 inbound enabled from the Web Interface server to the ACE server(s)?

http://support.citrix.com/article/CTX107404 <--  Integrating RSA SecureID 6.0 with Web Interface 4.x

Hope this helps,
Chris
Sorry, to clarify:  I meant 5500 UDP from Web Interface server --> RSA Server on Private LAN.  It wasn't clear if you had 5500 UDP open from the outside to the RSA server in the original message (which could've been a problem).
impoole (asker)

Sorry it has taken me so long to get back; I was talking to RSA. Got it working in the end, and it was a problem with the RSA build (rebuilt this using the restore function and all worked).

Although the problem I now have is that it seems really slow to authenticate, about 35-40 seconds... is this right??
It should take 15-20 seconds or less, depending on the size of the environment and all of the paths for authentication.
impoole (asker)

Another thing is that I have my WI/SG in a DMZ, which works correctly, but my two PS4 servers are in my LAN and I can only publish one of them on the firewall (well, I publish both, but it will pick up the first rule), and I seem to have to open 1494 to the external network, which seems to negate all the security?

I am a bit confused, as I assumed I could use WI/SG for authentication and then the SG would control the access to the farm, so I only had 1494 open from the DMZ to the Citrix PS4 servers?

How does this work, and how do I balance between the two PS4 servers without bypassing the RSA security??
If you have SG, all you need open from the outside is 443.  When you configure WI, make sure you tell it to use Secure Gateway Direct (DMZ settings), then configure all local connections (192.x, 172.x, 10.x <-- anything local) to use direct (not secure gateway direct).  This will bypass CSG for your local users -- if you want to set it up that way.  As long as you have the RSA agent installed on the CSG/WI server (and you have WI authentication set to use RSA), you will be covered.

[Internet User --> 443 to CSG/WI] --> [(DMZ) CSG/WI Server --> 80 (if you still use this for XML service), 1494, 2598 (session reliability)] --> Citrix servers.

Chris
impoole (asker)

OK, so

i)   one published rule from External -> DMZ [443]
ii)  one rule allowing port 80 from DMZ -> Internal
iii) one rule allowing 1494 & 2598 from DMZ -> Internal

is that right?
Actually,

If you want users to access your page from the outside without having to type https://website.domain.com, you may want to open port 80, then have an immediate redirect to the https://website.domain.com (the https:// is actually CSG).  The next step would be to allow ports 80 (if you left XML service on the default port of 80 on the Citrix servers), 1494, and 2598 from the DMZ to the LAN.

Chris
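To make the rule set from the last few posts concrete, here is an added example (not from the thread, the asker or Citrix) that models the three zones and audits a rule list against the flows Chris lists: 443 in from the Internet to CSG/WI, and 80 (XML service on its default port, an assumption), 1494, 2598 and UDP 5500 (WI to the ACE server) from the DMZ to the LAN. It also flags any rule that lets an Internet client reach the farm without going through CSG/WI, which is the concern about opening 1494 to the outside. The zones, rules and the "before"/"after" sets are constructed, not the asker's real ISA 2004 configuration.

```python
"""Three-zone rule audit for the CSG/WI design described in this thread.

Added example, not part of the original thread: the zones, rules and
rule sets are constructed to illustrate the answer, not the asker's real
ISA 2004 configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "External", "DMZ" or "Internal"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port: int


# Flows the design needs. Assumption: the XML service is still on its
# default port 80 on the PS4 servers, as Chris allows for above.
REQUIRED = {
    Rule("External", "DMZ", "tcp", 443): "Internet users -> CSG/WI (HTTPS)",
    Rule("DMZ", "Internal", "tcp", 80): "WI -> XML service on the PS4 servers",
    Rule("DMZ", "Internal", "tcp", 1494): "CSG -> ICA on the PS4 servers",
    Rule("DMZ", "Internal", "tcp", 2598): "CSG -> session reliability",
    Rule("DMZ", "Internal", "udp", 5500): "RSA agent on WI -> ACE server",
}

# Optional flow from the thread: plain HTTP that only redirects to https://.
OPTIONAL = {Rule("External", "DMZ", "tcp", 80)}


def is_bypass(rule: Rule) -> bool:
    """True if the rule lets Internet clients skip CSG/WI (and so RSA):
    either it reaches Internal directly, or it reaches the DMZ on a port
    other than the web ports CSG/WI front."""
    if rule.src_zone != "External":
        return False
    if rule.dst_zone == "Internal":
        return True
    return rule not in REQUIRED and rule not in OPTIONAL


def audit(rules):
    """Return (missing, bypass): required flows absent from `rules`, and
    rules in `rules` that expose the farm directly to the Internet."""
    present = set(rules)
    missing = [r for r in REQUIRED if r not in present]
    bypass = [r for r in rules if is_bypass(r)]
    return missing, bypass


# Constructed: roughly the state the asker describes (1494 published to the
# outside, nothing yet for the Secure Gateway flows from the DMZ).
BEFORE = [
    Rule("External", "DMZ", "tcp", 443),
    Rule("External", "Internal", "tcp", 1494),
    Rule("DMZ", "Internal", "tcp", 80),
    Rule("DMZ", "Internal", "udp", 5500),
]

# Constructed: the rule set Chris describes (443 in; 80/1494/2598 DMZ -> LAN),
# plus the optional port 80 redirect.
AFTER = [
    Rule("External", "DMZ", "tcp", 443),
    Rule("External", "DMZ", "tcp", 80),   # optional redirect to https://
    Rule("DMZ", "Internal", "tcp", 80),
    Rule("DMZ", "Internal", "tcp", 1494),
    Rule("DMZ", "Internal", "tcp", 2598),
    Rule("DMZ", "Internal", "udp", 5500),
]


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        missing, bypass = audit(rules)
        print(f"{label}: missing={[REQUIRED[r] for r in missing]}")
        print(f"{label}: bypass={[(r.src_zone, r.dst_zone, r.proto, r.port) for r in bypass]}")
```

Running it reports the "before" set as missing the DMZ-to-LAN 1494 and 2598 rules and flags the External-to-Internal 1494 rule as a bypass; the "after" set passes clean. Extending `REQUIRED` with the ACE server's UDP reply path or a second XML port is a one-line change if your farm differs from the assumptions above.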
impoole (asker)

OK, the problem is that after trying that, both IIS and SG are trying to use 443, so what do I do with IIS?

I have the certificate from Verisign for the FQDN and installed on the server....
You could put the IIS SSL port to 444, then verify the Secure Gateway configuration (run through CSG configuration with the advanced option) to make sure everything is set properly.  CSG is actually doing all the encryption with the SSL cert.
impoole (asker)

Do the STAs have to be FQDNs, as I have them set as internal server names at the moment?
ASKER CERTIFIED SOLUTION
chrisnewman01
