  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2250

RSA and Citrix

Does anybody know how to configure Citrix Web Interface with RSA SecurID? I can't find any docs about it and am well and truly stuck.

I have so far done the following.

Set up Citrix Web Interface in my DMZ; this is a DMZ created with ISA 2004. I have created the inbound port rules for the HTTP XML listener pointing to the two Citrix PS4 servers in my LAN.
I have then created the UDP 5500 inbound rule for the RSA communication. I have assumed that I install the RSA ACE Client on the Web Interface and have loaded the sdconf.rec file on the Web Interface as well.

So far when I try to authenticate I just get an access denied message; when I go to the URL for Web Interface I can enter my username and passcode but then get the same access denied message.

Do I need to install anything else, or install something on the DCs?

If anyone has a step-by-step guide this would be really useful... as I am running out of time!

Asked by impoole

1 Solution

chrisnewman01 commented:
Have you tested authentication to the RSA server (via the Control Panel applet)? Also, is 5500 inbound enabled from the Web Interface server to the ACE server(s)?

http://support.citrix.com/article/CTX107404 <-- Integrating RSA SecurID 6.0 with Web Interface 4.x

Hope this helps,
Chris

chrisnewman01 commented:
Sorry, to clarify:  I meant 5500 UDP from Web Interface server --> RSA Server on Private LAN.  It wasn't clear if you had 5500 UDP open from the outside to the RSA server in the original message (which could've been a problem).

impoole (Author) commented:
Sorry it has taken me so long to get back; I was talking to RSA. Got it working in the end, and it was a problem with the RSA build (rebuilt this using the restore function and all worked).

Although the problem I now have is that it seems really slow to authenticate, about 35-40 seconds... is this right?

chrisnewman01 commented:
It should take 15-20 seconds or less, depending on the size of the environment and all of the paths for authentication.

impoole (Author) commented:
Another thing is that I have my WI/SG in a DMZ, which works correctly, but my two PS4 servers are in my LAN and I can only publish one of them on the firewall (well, I publish both but it will pick up the first rule). And I seem to have to open 1494 to the external network, which seems to negate all the security?

I am a bit confused as I assumed I could use WI/SG for authentication and then the SG would control the access to the farm, so I only had 1494 open from the DMZ to the Citrix PS4 servers?

How does this work, and how do I balance between the two PS4 servers without bypassing the RSA security?

chrisnewman01 commented:
If you have SG, all you need open from the outside is 443. When you configure WI, make sure you tell it to use Secure Gateway Direct (DMZ settings), then configure all local connections (192.x, 172.x, 10.x <-- anything local) to use Direct (not Secure Gateway Direct). This will bypass CSG for your local users, if you want to set it up that way. As long as you have the RSA agent installed on the CSG/WI server (and you have WI authentication set to use RSA), you will be covered.

[Internet User --> 443 to CSG/WI] --> [(DMZ) CSG/WI Server --> 80 (if you still use this for XML service), 1494, 2598 (session reliability)] --> Citrix servers.

Chris

impoole (Author) commented:
OK, so

i)   one published rule from External -> DMZ [443]
ii)  one rule allowing port 80 from DMZ -> Internal
iii) one rule allowing 1494 & 2598 from DMZ -> Internal

Is that right?

chrisnewman01 commented:
Actually,

If you want users to access your page from the outside without having to type https://website.domain.com, you may want to open port 80, then have an immediate redirect to the https://website.domain.com (the https:// is actually CSG).  The next step would be to allow ports 80 (if you left XML service on the default port of 80 on the Citrix servers), 1494, and 2598 from the DMZ to the LAN.

Chris
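The two answers above describe the same firewall design in words: only 443 from the Internet to the CSG/WI box (optionally 80 for the redirect), then 80 (XML/STA), 1494 and 2598 from the DMZ to the PS4 servers, plus UDP 5500 from the Web Interface to the ACE server for the RSA agent, and nothing on 1494/2598 reachable from the outside, since that would skip CSG and the RSA logon entirely. The following is an added example, not code from the thread, Citrix or RSA: a small Python model that checks a rule set against that design and flags what is missing or exposed. The zone names (External, DMZ, Internal) and the Flow representation are assumptions; the port numbers are the ones named in the thread, and the sample rule set is constructed to resemble the poster's first attempt.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True, order=True)
class Flow:
    """One permitted flow between firewall zones (constructed model)."""
    src: str    # zone name: "External", "DMZ" or "Internal" (assumed names)
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst} {self.proto}/{self.port}"


# Flows the CSG/WI-in-DMZ design needs, with the reason from the thread.
REQUIRED: Dict[Flow, str] = {
    Flow("External", "DMZ", "tcp", 443): "Internet users to CSG/WI over SSL",
    Flow("DMZ", "Internal", "tcp", 80): "WI to the XML/STA service on the PS4 servers",
    Flow("DMZ", "Internal", "tcp", 1494): "CSG to ICA on the PS4 servers",
    Flow("DMZ", "Internal", "tcp", 2598): "CSG to session reliability on the PS4 servers",
    Flow("DMZ", "Internal", "udp", 5500): "RSA agent on WI to the ACE server",
}

# Allowed but not required: plain HTTP only so users get redirected to https.
OPTIONAL: Dict[Flow, str] = {
    Flow("External", "DMZ", "tcp", 80): "HTTP redirect to the https (CSG) URL",
}

# If either of these is reachable from the Internet, clients talk ICA
# straight to the farm and never pass CSG or the RSA logon on WI.
ICA_PORTS = {1494, 2598}


def audit(rules: Iterable[Flow]) -> Dict[str, List[Flow]]:
    """Compare a rule set with the CSG/WI design and return the gaps."""
    present = set(rules)
    # Flows the design needs but the rule set does not allow.
    missing = sorted(f for f in REQUIRED if f not in present)
    # Anything from the Internet that skips CSG/WI: a direct hole into the
    # LAN, or ICA/session-reliability ports published to the outside.
    exposed = sorted(r for r in present
                     if r.src == "External"
                     and (r.dst == "Internal" or r.port in ICA_PORTS))
    # Everything else the design does not account for (worth a second look).
    unexpected = sorted(r for r in present
                        if r not in REQUIRED and r not in OPTIONAL
                        and r not in exposed)
    return {"missing": missing, "exposed": exposed, "unexpected": unexpected}


def explain(rules: Iterable[Flow]) -> List[str]:
    """Human-readable findings, one line each."""
    result = audit(rules)
    lines = [f"MISSING  {f}: {REQUIRED[f]}" for f in result["missing"]]
    lines += [f"EXPOSED  {f}: bypasses CSG and the RSA logon on WI"
              for f in result["exposed"]]
    lines += [f"REVIEW   {f}: not part of the CSG/WI design"
              for f in result["unexpected"]]
    return lines or ["OK: rule set matches the CSG/WI design"]


# Constructed rule set resembling the poster's first attempt: the three rules
# listed in the thread, the 1494-from-External rule that worried them, and
# no UDP 5500 for the RSA agent.
POSTER_RULES = [
    Flow("External", "DMZ", "tcp", 443),
    Flow("DMZ", "Internal", "tcp", 80),
    Flow("DMZ", "Internal", "tcp", 1494),
    Flow("DMZ", "Internal", "tcp", 2598),
    Flow("External", "Internal", "tcp", 1494),
]

if __name__ == "__main__":
    for line in explain(POSTER_RULES):
        print(line)
```

Run as-is, it reports the missing UDP 5500 flow (which matches the "access denied" symptom when the agent cannot reach the ACE server) and flags the External -> Internal 1494 rule as exposed; feeding it `list(REQUIRED) + list(OPTIONAL)` produces the OK line. The same model can be extended with a rule for 444 if IIS is moved off 443 as suggested later in the thread.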

impoole (Author) commented:
OK, the problem is that after trying that both IIS and SG are trying to use 443, so what do I do with IIS?

I have the certificate from Verisign for the FQDN and installed it on the server...

chrisnewman01 commented:
You could put the IIS SSL port to 444, then verify the Secure Gateway configuration (run through CSG configuration with the advanced option) to make sure everything is set properly.  CSG is actually doing all the encryption with the SSL cert.

impoole (Author) commented:
Do the STAs have to be FQDNs, as I have them set as internal server names at the moment?

chrisnewman01 commented:
It's recommended they be FQDNs.  You can set them to any name you wish, as long as the CSG server can resolve them (whether it be through local DNS, or through a hosts file).  On the PS4 servers, is the XML/STA service running on port 80 (the default)?
Question has a verified solution.