
Citrix XenApp 7 - WatchGuard

Citrix XenApp Integration Guide

Revised: 9 May 2016

About This Guide

Guide Type: Documented Integration. WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details: WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Citrix XenApp Integration Overview

This document describes how to integrate Citrix XenApp with your WatchGuard Firebox to support end-point client automatic authentication through the WatchGuard Terminal Services Agent (TS Agent).


The Firebox enforces policies for traffic from endpoint clients after a user authenticates to the Firebox from the endpoint client with a specified user name and IP address.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

- Firebox with Fireware installed.
- Citrix XenApp and other software required for this integration, installed on four virtual machines as listed in the table below.

VM# | Operating System | Components
1 | Windows 10 | End-point client with Citrix Receiver
2 | Windows Server 2012 R2 | Citrix Delivery Controller, Studio, StoreFront, Database, and License server
3 | Windows Server 2012 R2 | Citrix Virtual Delivery Agent on the Master Image, WatchGuard TS Agent
4 | Windows Server 2012 R2 | Active Directory domain, running the DNS and DHCP services

Configuration

To complete this integration, you must first deploy the Citrix XenApp software shown in the Platform and Software section above.

VM Configuration Notes:

- All VMs must be members of the Active Directory (AD) domain.
- In our integration, the VMs get an IP address from a DHCP server on the AD server. The DHCP server could also be enabled on the Firebox interface, or through DHCP relay configured on the Firebox interface, as long as FQDN is working for all VMs.
- The default gateway for all VMs must be the IP address of the Firebox trusted interface the network connects to. In our example integration, the IP address is
- FQDN must be working.
- The WatchGuard Terminal Services Agent (TS Agent) and the Citrix Virtual Delivery Agent (VDA) must be installed on the same server.

For information about how to set up the Citrix XenApp environment, see the Citrix XenApp Installation Guide. In this document, we describe how to set up the WatchGuard Terminal Services Agent (TS Agent) to work with Citrix XenApp so the Firebox can authenticate end-point clients.

[Figure: network topology. WatchGuard Firebox with its Trusted interface; VM1: End-point client; VM2: Citrix Delivery Controller; VM3: Citrix Virtual Delivery; VM4: Active Directory Domain]

Set Up Citrix XenApp

Publish Apps on Citrix

For our integration example, we created a machine catalog and published four applications.

1. We created a Machine Catalog called <windows 2012 for Eco Traffic>, using the Master Image on VM2.
2. We created a Delivery Group to publish applications using the Machine Catalog <windows 2012 for Eco Traffic>.
3. We published four applications. For this example, we published Calculator, Command Prompt, Iexplore, and Notepad.

Install the WatchGuard Terminal Services Agent (TS Agent)

To install and verify the TS Agent:

1. Install the WatchGuard TS Agent on the server where the Citrix Virtual Delivery Agent is installed. In our example integration, the TS Agent is installed on VM3. For detailed instructions to install and configure the Terminal Services Agent, see Fireware Help.
2. Use the netstat command to verify that the TS Agent works correctly. If the TS Agent is working correctly, the netstat output should look similar to the example shown here.

Set Up the Firebox

Enable Terminal Services on the Firebox

After you install the TS Agent, you must add the TS Agent IP address to the Firebox configuration.

1. Log in to Fireware Web UI.
2. Select Authentication > Terminal Services.
3. In the text box below the Agent IP list, add the IP address of the machine where the TS Agent is installed. In our example integration, the TS Agent is installed on VM3, at
4. Click Add to add the specified IP address to the list.
5. Click Save to save the configuration.

Configure the Active Directory Server on the Firebox

1. Select Authentication > Servers > Active Directory.
2. Click Add.
3. Specify the Domain Name, Primary IP address, and Search Base for your Active Directory server. The other settings are optional. For our integration, the Domain Name and IP address are the same as VM4, as shown in the image below.

Add Active Directory Authentication Users

You must add the Active Directory users on the Firebox before you can add them to a policy.

1. Select Authentication > Users and Groups.
2. Click Add.
3. In the Name text box, type the name of a user that exists in the Active Directory domain. The user name is case-sensitive. In our example integration, the user name is user1.
4. From the Authentication Server drop-down list, select the Authentication Server domain name.
5. Click OK.
6. Click Save to save the configuration.

Create a Policy for Authenticated Users

To add a policy for HTTP traffic from authenticated users:

1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. Add an HTTP packet filter policy.
4. Configure the policy to allow connections from firewall user user1 to Any-External.
5. Click Save to save the policy.

Test Automatic Client Authentication

1. On a client machine that has Citrix Receiver installed, open a browser and go to the default StoreFront URL: http://<servername>/Citrix/StoreWeb. In our example integration, the client machine is VM1, which has Windows 10 installed.
2. Log in as domain user user1.
3. Select Apps to see all published applications.
4. Click the Iexplore app to launch it. The Internet Explorer application window appears.
5. Type the URL for an internet site to visit. For example, we visited as shown below.
6. To verify that the user has authenticated, in Fireware Web UI, select System Status > Authentication List. The user name appears on the Authenticated Users list.

Because the user is authenticated, the HTTP traffic for this user is enforced by the HTTP policy configured to allow traffic from this user.

To make sure that the Firebox does not allow outgoing traffic from users who are not authenticated, you must disable or remove the default Outgoing (TCP-UDP) policy that allows traffic from unauthenticated users. If you remove the Outgoing policy from your device configuration file, you must add policies to your configuration that allow outbound traffic. You can either add a separate policy for each type of traffic that you want to allow out through your firewall, or you can add the TCP-UDP packet filter or TCP-UDP-proxy policy. For example, if you remove the Outgoing policy, and you want to allow authenticated users on your network to connect to websites, you must add an HTTP or HTTP-proxy policy for port 80, an HTTP or HTTPS-proxy policy for port 443, and a DNS policy for port 53 to allow DNS query resolution.
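The Outgoing-policy check described above, written as an added example that is not part of the WatchGuard guide: a Python audit over a simplified policy list, reporting which enabled outbound policies still match unauthenticated traffic and which of the ports named in the guide (80, 443, 53) authenticated users would lose. The Policy model, the policy names and the source entries are constructed for illustration and are not the Firebox configuration format.

```python
from dataclasses import dataclass

ANY_PORT = frozenset({"*"})          # stands for a TCP-UDP policy (all ports)
REQUIRED_PORTS = (80, 443, 53)       # HTTP, HTTPS and DNS, as listed in the guide
USER_KINDS = ("user", "group")       # source kinds that require authentication

@dataclass(frozen=True)
class Policy:                        # hypothetical model, not a Fireware schema
    name: str
    sources: tuple                   # e.g. (("user", "user1"),) or (("alias", "Any-Trusted"),)
    ports: frozenset
    dest: str = "Any-External"
    enabled: bool = True

def _outbound(policies):
    return [p for p in policies if p.enabled and p.dest == "Any-External"]

def _user_bound(policy):
    # True only when every source entry is an authenticated user or group.
    return bool(policy.sources) and all(kind in USER_KINDS for kind, _ in policy.sources)

def unauthenticated_egress(policies):
    """Enabled outbound policies that match traffic with no authenticated user."""
    return [p.name for p in _outbound(policies) if not _user_bound(p)]

def missing_services(policies):
    """Required ports that no user-bound outbound policy allows."""
    authed = [p for p in _outbound(policies) if _user_bound(p)]
    def allowed(port):
        return any(port in p.ports or "*" in p.ports for p in authed)
    return [port for port in REQUIRED_PORTS if not allowed(port)]

# Constructed sample: default Outgoing policy still enabled, HTTP policy for user1 only.
USER1 = (("user", "user1"),)
BEFORE = [
    Policy("Outgoing", (("alias", "Any-Trusted"),), ANY_PORT),
    Policy("HTTP-user1", USER1, frozenset({80})),
]
# Constructed sample: Outgoing disabled, per-service policies added for user1.
AFTER = [
    Policy("Outgoing", (("alias", "Any-Trusted"),), ANY_PORT, enabled=False),
    Policy("HTTP-user1", USER1, frozenset({80})),
    Policy("HTTPS-user1", USER1, frozenset({443})),
    Policy("DNS-user1", USER1, frozenset({53})),
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, unauthenticated_egress(cfg), missing_services(cfg))
```
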

