NOTE: Citrix has published a comprehensive guide to deploying smart cards. I highly recommend keeping that guide at hand for reference, as it contains a wealth of information.
This guide covers configuring a NetScaler Gateway (NSG), formerly known as Access Gateway Enterprise Edition (AGEE), for CAC authentication to StoreFront (SF). It also applies to PIV cards and SIPR tokens. It assumes the reader is already somewhat familiar with both SF and NSG and that both products are already installed in the environment.
StoreFront
Enable the authentication method
- In the StoreFront console, go to Citrix StoreFront -> Authentication.
- From the Actions pane, click Add/Remove Methods.
- Check Pass-through from NetScaler Gateway. (NSG was formerly known as Access Gateway Enterprise Edition, AGEE.) Click OK.
- From the Actions pane, click Configure Delegated Authentication.
- Make sure Fully delegate credential validation to NetScaler Gateway is checked. Click OK.
Add the NetScaler Gateway
- In the StoreFront console, go to Citrix StoreFront -> NetScaler Gateway.
- From the Actions pane, click Add NetScaler Gateway Appliance.
- Enter the information for the NetScaler Gateway environment. Note that this example uses a separate callback vserver, because the client certificate setting on the NetScaler vserver will be set to Mandatory, and StoreFront cannot present a client certificate on the callback. To reuse the same vserver for the callback, that setting would have to be Optional instead. NOTE: The NSG URL cannot be the same as the StoreFront URL. They must be different! Click Next.
- In the Secure Ticket Authority (STA) window, click Add and add the STAs for the environment. Set the remaining settings according to the environment. Click Create.
Enable remote access to the store
- In the StoreFront console, go to Citrix StoreFront -> Stores.
- Select the existing store that must be configured. In the Actions pane, click Enable Remote Access.
- In the Enable Remote Access window, set Remote access to No VPN tunnel. Check the appropriate NSG to use for the store (new NSGs can also be added here with the Add button). If more than one NSG was added, select the Default appliance to use for the store. Click OK.
Configuring NetScaler Gateway
Creating a new virtual server
If there is an existing virtual server to modify, this section can be skipped. Go to the Tweaking the virtual server section.
- Log on to the NetScaler web management GUI. All directions assume the Deployment Type was set to NetScaler ADC when logging on.
- Go to the NetScaler Gateway node. It is under the Configuration tab/section.
- Click Configure NetScaler Gateway for Enterprise Store.
- In the window that pops up, click Create new NetScaler Gateway at the top right.
- Enter a name and IP address for the virtual server. Click Continue.
- Select the certificate to use as the server certificate for this virtual server. Click Continue.
- Set Primary authentication to Certificate. If there is already a certificate authentication profile for CAC/PIV on the NetScaler, select it. Otherwise, select Configure new. The User Name Field must be SubjectAltName:PrincipalName (the UPN carried in the card certificate's Subject Alternative Name). Click Continue.
- Set Enterprise Store Settings to XenApp/XenDesktop. Set Deployment type to StoreFront. Enter the StoreFront server and store information. Make sure to use the same STA as configured in StoreFront. More STAs can be added later. Click Done.
- The pop-up window can now be closed and you will be returned to the NetScaler web management GUI (assuming it is still the next window behind).
Tweaking the virtual server
- Go to NetScaler Gateway -> Virtual Servers. Double-click the virtual server to open it.
- In the Certificates tab, use the arrow to the right of Add to add each CA needed to validate the CAC/PIV cards. All CAs up to and including the root are required. Do not click OK yet!
- Also under the Certificates tab, click SSL Settings. In the Others section, check Client Authentication and set Client Certificate to Mandatory. (This is what creates the need for a separate callback URL.) Click OK to close the SSL Settings window. Do not click OK on the virtual server window yet!
- Under the Policies tab there should be two Session Policies. Start with the one beginning "PL_WB". This is for Receiver for Web. Since Receiver for Web does not yet support smart card authentication, right-click it and unbind the policy. Double-click the policy that begins "PL_OS". This is for native Receivers (OS = Operating System).
- In the Session Policy, change the rule expression to Match All Expressions. Do not click OK yet.
- On the Request Profile line, click Modify. Make sure the following items are set on each tab. Others may already be defined by the wizard.
- Network Configuration tab
  - Change nothing!!!
- Client Experience tab
  - Clientless Access - Override Global - Off
  - Plug-in Type - Override Global - Java
  - Single Sign-on to Web Applications - Override Global - Checked (the Credential Index should be Secondary for Web Interface configurations)
- Security tab
  - Default Authorization Action - Override Global - Allow
- Published Applications tab
  - ICA Proxy - Override Global - On
  - Web Interface Address - Override Global - base URL of the SF server (https://FQDN); no store path
  - Single Sign-on Domain - uncheck Override Global and leave blank
  - Account Services Address - Override Global - base URL of the SF server (https://FQDN)
- Click OK to close the Session Profile window. Click OK to close the Session Policy window. Do not click OK on the virtual server window yet!
- Under the Published Applications tab, add any additional STAs required for the environment. Click OK to close the virtual server window.
Creating the callback virtual server
The callback is used for SSON purposes. Since the virtual server StoreFront talks to has Client Certificate set to Mandatory, a call to that URL from StoreFront would be rejected by the NSG, as StoreFront does not present a client certificate. The callback vserver therefore carries a server certificate only, with no client authentication, and its URL is the one entered as the callback URL in StoreFront.
- Go to NetScaler Gateway -> Virtual Servers. Click the Add button.
- Enter a name and IP for the callback virtual server. Under the Certificates tab, add a server certificate. Click Create when finished.
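The same two-vserver layout expressed on the NetScaler command line, as an added example that is not part of the original post or of Citrix's own documentation. The vserver names, IP addresses, certificate key names and host names are placeholders; the session policy rule is the one the Enterprise Store wizard normally generates for the "PL_OS" policy (assumed here, not taken from the text); Plug-in Type is left to the GUI because the text only gives the GUI setting. The point to check is the last block: the gateway vserver has client authentication Mandatory, the callback vserver has none.

```nscli
# Added example (placeholders throughout): NetScaler CLI equivalent of the GUI steps above.

# --- Gateway vserver for CAC/PIV: client certificate is Mandatory ---
add vpn vserver vs_cac SSL 10.1.1.10 443
bind ssl vserver vs_cac -certkeyName srv_gateway_example_com
# Bind every CA the card chains to, up to and including the root (-CA flag)
bind ssl vserver vs_cac -certkeyName Example_Root_CA -CA -ocspCheck Optional
bind ssl vserver vs_cac -certkeyName Example_Issuing_CA -CA -ocspCheck Optional
# Mandatory: a TLS handshake that presents no client certificate is rejected
set ssl vserver vs_cac -clientAuth ENABLED -clientCert Mandatory

# Certificate authentication; the user name is the UPN from the SubjectAltName
add authentication certAction act_cert_cac -twoFactor OFF -userNameField "SubjectAltName:PrincipalName"
add authentication certPolicy pol_cert_cac ns_true act_cert_cac
bind vpn vserver vs_cac -policy pol_cert_cac -priority 100

# Session profile for native Receivers (the "PL_OS" policy). The rule is the
# wizard's usual User-Agent check (assumed). Nothing is bound for Receiver for
# Web, matching the unbind of "PL_WB" above.
add vpn sessionAction prof_cac_os -clientlessVpnMode OFF -sso ON -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://sf.example.com" -storefronturl "https://sf.example.com"
add vpn sessionPolicy pol_cac_os "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" prof_cac_os
bind vpn vserver vs_cac -policy pol_cac_os -priority 100

# STA(s): must match what is configured on StoreFront
bind vpn vserver vs_cac -staServer "https://ddc1.example.com"

# --- Callback vserver: server certificate only, no client authentication ---
# StoreFront cannot present a client certificate, so its callback must not
# land on vs_cac; a second vserver without -clientAuth serves that URL.
add vpn vserver vs_cac_callback SSL 10.1.1.11 443
bind ssl vserver vs_cac_callback -certkeyName srv_gateway_example_com

# Verify: clientAuth/clientCert should show ENABLED/Mandatory on the first
# vserver and be absent on the callback vserver.
show ssl vserver vs_cac
show ssl vserver vs_cac_callback
```

The callback vserver needs a server certificate the StoreFront server trusts, and its address must resolve and be reachable from the StoreFront server itself, not only from clients; otherwise the callback fails even though user logons through vs_cac succeed.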
Troubleshooting
- StoreFront writes to an application log in Event Viewer. Check there for error messages.
- Ensure that every CA needed to authenticate the CAC/PIV cards in use is added to the NSG virtual server. The entire chain must be added.
- Ensure that the same CAs are installed on the client device when using Windows. OS X and Linux may have the same requirement. Mobile devices do not.
- Watch the ns.log file on the NetScaler while a client attempts to connect. It can point to problems such as missing CA certificates. Run "tail -f /var/log/ns.log" in an SSH session to watch it in real time.
- Middleware is not needed on the StoreFront server.