subject: 1Y0-A05 XenApp Study Guide Part 2
Installing and Configuring Web Interface
Web Interface in the Network Environment
The recommended design for a Web Interface with Access Gateway Advanced Edition installation:
* The Access Gateway server should be placed behind the first firewall in the DMZ.
* The Web Interface server should be placed behind the second firewall in the internal network.
Placing the Web Interface server (the server with IIS) in the internal network is more secure than leaving it in the DMZ where some security experts consider it a major risk.
In the case that the Secure Gateway is in the DMZ and the Web Interface is in the internal network:
* Use Citrix SSL Relay to secure Citrix XML traffic.
* Be sure that port 443 is open on the firewall between the Secure Gateway (in the DMZ) and the Web Interface (on the internal network) since Citrix SSL Relay uses port 443 by default.
This port number can be changed using the SSL Relay Configuration utility.
By placing Secure Gateway as well as Web Interface in the DMZ:
* No unauthenticated traffic can reach the secure, internal network.
* If a user fails to authenticate, the user traffic will not pass beyond the DMZ.
In this case, the Secure Gateway and Web Interface can be located on the same server or separate servers.
Web Interface Communication Path
Plain vanilla Web Interface implementation communication path:
* When a user logs into the Web Interface, the Web Interface forwards the logon credentials to the Citrix XML Service on the XenApp server.
* The Citrix XML Service retrieves a list of applications (the application set) that the user can access based on the supplied credentials.
The communication process of a Web Interface with Secure Gateway implementation:
* A remote user types the URL address of the Secure Gateway into a web browser.
* The Secure Gateway receives the request and relays it to the web interface.
* The web interface responds by sending the logon page to the web browser.
* The user submits credentials to the Secure Gateway server.
* The Secure Gateway sends the credentials to the Web Interface.
* The Web Interface sends the user credentials to the XML Service in the server farm which obtains the list of published resources the user is authorized to access and returns the list to the Web Interface.
The Citrix XML Service retrieves the resource set from the Independent Management Architecture (IMA) system.
* The Web Interface populates the web page with the list of published resources that the user is authorized to access.
* The user clicks a published resource and the Web Interface sends the request to the Secure Ticket Authority (STA).
* XenApp identifies the least busy server hosting the application and provides the IP address and port of that server to the STA.
* The STA saves the IP address and port number and issues the requested ticket to the Web Interface.
* The Web Interface generates an ICA file containing the ticket issued by the STA and the FQDN of the Secure Gateway server and sends it to the client device through the Secure Gateway.
* The web browser on the client device uses the ICA file it receives from the Web Interface to open a XenApp plugin and connect to the Secure Gateway server identified in the ICA file.
* The initial SSL/TLS handshaking is performed to establish the identity of the Secure Gateway server.
* The Secure Gateway receives the session ticket from the plugin and contacts the Secure Ticket Authority (STA) for ticket validation.
* The STA returns the IP address of the server hosting the published application to the Secure Gateway.
* The Secure Gateway establishes an ICA connection to the client device and begins encrypting and decrypting data flowing through the connection.
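The ticket exchange in the steps above, modelled as an added example (not code from the guide or from Citrix). The class and function names, the addresses and the gateway FQDN are constructed, and single-use tickets are an assumption of this model.

```python
import secrets


class SecureTicketAuthority:
    """Toy STA: maps an opaque ticket to the server address it saved."""

    def __init__(self):
        self._tickets = {}

    def issue(self, server_ip, port):
        ticket = secrets.token_hex(16)            # unguessable, carries no address
        self._tickets[ticket] = (server_ip, port)
        return ticket

    def redeem(self, ticket):
        # Assumption of this model: a ticket is removed on first validation.
        return self._tickets.pop(ticket, None)


def build_ica(ticket, gateway_fqdn):
    """Web Interface side: the client gets the ticket and the gateway FQDN only."""
    return {"Address": ticket, "SSLProxyHost": f"{gateway_fqdn}:443"}


def gateway_connect(sta, ica):
    """Secure Gateway side: validate the ticket to learn the real server address."""
    target = sta.redeem(ica["Address"])
    if target is None:
        raise PermissionError("ticket rejected by STA")
    return target


def demo():
    sta = SecureTicketAuthority()
    ticket = sta.issue("10.1.1.25", 1494)            # constructed internal address
    ica = build_ica(ticket, "gateway.example.com")   # hypothetical FQDN
    leaked = "10.1.1.25" in str(ica)                 # is the address in the file?
    first = gateway_connect(sta, ica)
    try:
        gateway_connect(sta, ica)
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return leaked, first, replay_accepted
```

The client never sees the internal address; only the gateway learns it, and only by presenting a ticket the STA still holds.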
Web Interface Authentication
The following browsers can log on to the Web Interface:
* Internet Explorer 6.x and 7.0 (32-bit)
* Safari 2.0 or 3.x
* Firefox 2.x or 2.0
* Mozilla 1.7
* Symbian Browser
* Pocket IE
By enabling Active Directory Federation Services (ADFS), an administrator in a resource domain can create sites for users in an account partner's domain and the users in the account partner's domain will have single sign-on access to the published applications in the resource domain.
Web Interface can be configured with:
* Pass-through with smart card
* Anonymous
* Pass-through
* Smart card
* Explicit authentication
Web Interface with Secure Gateway or Access Gateway
Secure Gateway can:
* Secure large server environments.
* Provide Internet access to servers in a server farm with a single point of encryption.
* Keep the internal IP addresses of servers hidden.
* Use two-factor authentication support through Web Interface.
* Keep costs and management lower than Access Gateway.
If users access a site directly or through Access Gateway Enterprise Edition, you can enable published resource URL support.
* Published resource URL support allows users to create persistent links to published resources accessed using the Web Interface.
These links can be added to the user's shortcut list or desktop.
When Secure Gateway or Access Gateway is used, the following access methods can be configured:
* Direct access (Gateway direct), which sends the actual address of the XenApp server to the Access Gateway or Secure Gateway, is typically configured in situations where:
Internal users connect from trusted environments, such as a corporate intranet.
There is no need to keep the address of the XenApp server private.
* Alternate access (Gateway alternate), which sends the alternate address assigned to the XenApp server to the Access Gateway or Secure Gateway, is configured in situations where:
The IP address of the XenApp server must be kept private from users.
If multiple servers are being used to provide application access, translated access would be used.
An administrator must configure XenApp to use an alternate address by using the ALTADDR command.
* Translated access (Gateway translated), which uses the address translation mappings set in the Web Interface to determine which address is sent to the Access Gateway or Secure Gateway, is configured in situations where:
The IP address of the XenApp server must be kept private from users.
Multiple servers in the server farm are used to provide application access.
When a firewall is used, Web Interface must be configured with the appropriate IP address in the client files.
To configure Gateway translation:
* In the Access Management Console click the Manage secure client access task and click Edit secure client access settings.
* On the Specify Access Methods page, click Add to add a new access route.
Or select an entry from the list and click Edit to edit an existing route.
* Select Translated from the Access method list.
* Enter the network address and subnet mask that identify the client network.
* Use the Move Up and Move Down buttons to place the access routes in order of priority in the Client addresses table and click Next.
* On the Specify Address Translations page, click Add to add a new address translation.
Or select an entry from the list and click Edit to edit an existing address translation.
* In the Access Type area, select Client route translation if you want the plugin to use the translated address to connect to the Citrix server.
Or select Client and gateway route translation if you already configured a gateway translated route in the Client addresses table and want both the plugin and the gateway server to use the translated address to connect to the Citrix server.
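How a prioritised Client addresses table and the three access methods decide which server address is handed out, as an added example (a model written for this guide, not Web Interface code). The networks, addresses and names are constructed; first-match-wins ordering and refusing to fall back to the private address when a mapping is missing are assumptions of the model.

```python
import ipaddress

# Constructed values (assumptions of this example, not from the guide).
# Access routes in priority order: (client network, subnet mask, access method).
ROUTES = [
    ("10.0.0.0", "255.0.0.0", "direct"),            # trusted intranet clients
    ("192.168.50.0", "255.255.255.0", "alternate"),
    ("0.0.0.0", "0.0.0.0", "translated"),           # everyone else
]
ALTERNATE = {"10.1.1.25": "203.0.113.25"}           # per server, as set with ALTADDR
TRANSLATIONS = {("10.1.1.25", 1494): ("198.51.100.7", 1494)}  # Web Interface mappings


def select_method(client_ip):
    """Return the access method of the first route whose network holds client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for network, mask, method in ROUTES:
        if addr in ipaddress.ip_network(f"{network}/{mask}"):
            return method
    raise LookupError(f"no access route matches {client_ip}")


def address_for_gateway(client_ip, server_ip, port):
    """Return the (address, port) sent to the gateway for this client and server."""
    method = select_method(client_ip)
    if method == "direct":
        return server_ip, port
    if method == "alternate":
        if server_ip not in ALTERNATE:
            # Fail closed: never fall back to the private address.
            raise LookupError(f"no alternate address for {server_ip}")
        return ALTERNATE[server_ip], port
    if (server_ip, port) not in TRANSLATIONS:
        raise LookupError(f"no translation for {server_ip}:{port}")
    return TRANSLATIONS[(server_ip, port)]
```

Moving the catch-all route to the top of the table would send every client down the translated path, which is why route order matters.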
In a single-hop DMZ deployment of Secure Gateway:
* A server certificate must be installed on:
The Secure Gateway Server
Web Interface Server
XenApp servers
Where communication must be secured between the Secure Gateway and Secure Ticket Authorities.
* A root certificate will be installed on:
The Secure Gateway
The Web Interface servers
Secure Ticket Authority URL
The URL of the STA is entered in the Secure Gateway configuration.
The URL of the STA can be changed based on whether or not IIS/XML port sharing is used or XML is being run on a different port.
* If the XML port is changed from the default port 80, be sure to configure the STA URL with the new port number when configuring Secure Gateway.
If the port were changed to 778, the URL would look like this:
http://servername:778/Scripts/CtxSta.dll
XenApp Web and Services Site
A XenApp Web site allows users to access published resources through a web browser.
* If users are going to access the applications through Web Interface, only XenApp Web sites can be configured.
A XenApp Services site allows users to access published resources through the Citrix XenApp plugin.
An administrator can create a XenApp Web site or a XenApp Services site using:
* The Access Management Console
The XenApp Web site configuration information is stored in a local file.
If a scenario calls for users to be able to access applications that are installed on servers in the server farm and access other applications that are streamed to servers or the desktops of client devices through Web Interface, there are two solutions:
* One XenApp Web site must be configured to use Dual mode streaming.
Or
* Two XenApp Web sites must be configured:
One site must be configured to use the Remote application type.
The other site must be configured to use the Streaming application type.
If a scenario calls for users to be able to access applications that are installed on servers in the server farm and access other applications that are streamed to servers or the desktops of client devices through the Citrix XenApp plugin, there are two solutions:
* One XenApp Services site must be configured to use Dual mode streaming.
* Two XenApp Web sites must be configured:
One site must be configured to use the Remote application type.
The other site must be configured to use the Streaming application type.
To restrict access based on domains:
* Click Domain Restriction in the left pane of the Access Platform authentication methods properties.
* Choose Restrict domains to the following domains.
* Add the domains that are allowed access.
To configure a XenApp Web site to work with Secure Gateway:
* In the Access Management Console click the Manage secure access task.
* Click Edit gateway settings and type the FQDN of the Secure Gateway server in the Address (FQDN) field.
* Configure session reliability.
* Configure the STA settings.
* Click OK.
Configure Application Streaming on Web Interface
Web Interface can be configured using either:
* Settings in the Access Management Console.
* Editing the WEBINTERFACE.CONF file.
After creating a XenApp Web site, the administrator configures the initial settings. During the initial configuration, the administrator can configure one of three settings for the type of applications made available to users:
* Remote
Only allows users to access applications provided by a server.
Through an ICA or RDP connection.
* Streaming
Only allows users to access applications streamed to client devices.
* Dual mode streaming
Allows users to access applications streamed to the client device or provided by the server.
Through an ICA connection only.
ICA Files
Use the default.ica or template.ica file to override hotkeys for applications that users connect to through Web Interface.
Web Interface Troubleshooting
Issue: A user browses to the main Web Interface web page, successfully logs in, but is not presented with a list of applications.
Probable cause: The user does not have access to any applications.
Solution: The user's account must be added to the correct groups in Active Directory that give the users access to the published applications.
Issue: A remote user is given instructions to securely browse http://apps.abcxyzcompany.com/, log in and launch the applications that she will regularly use. She followed the instructions closely. She is unable to connect to the Web Interface web site and instead receives an error page.
Probable cause: The instructions were incorrect.
Solution: The remote users should make a secure connection using Secure HTTP, so the URL should be https://apps.abcxyzcompany.com/.
Issue: Web Interface users are reporting that when they enter their username and password in the appropriate fields of the initial web page that they always browse to for their applications they are receiving an error that the XenApp servers cannot process their request at this time.
Probable cause: In the Web Interface communication process, when a user enters their logon credentials in the login screen of Web Interface, the login credentials are forwarded to the Citrix XML Service in the server farm to determine whether the login credentials are valid or invalid. Since the users made it to the login screen, it is obvious that the Web Interface server is not offline. The more likely issue is that the Citrix XML Service on the dedicated XenApp server in the server farm has stopped.
Solution: Manually restart the Citrix XML Service or reboot the server and if it still does not work, a different XenApp server should be designated as the dedicated Citrix XML Service server.
Issue: Alternate addressing is configured for connections through the firewall to the XenApp servers. Users who connect to their applications through Web Interface report that, after logging in and receiving a list of applications in their web browser, they click on an application to launch it but it fails every time with an error that there is no server available at the specified address.
Probable cause: The Web Interface automatically generates an ICA file with information about the XenApp server that the client device is supposed to connect to. The ICA file is delivered to the web browser on the client device from the Web Interface. If the connection information in the ICA file is incorrect, the XenApp plugin on the client device will not be able to make a connection to the published application. The wrong IP address for the XenApp server was most likely configured when configuring the alternate IP address, so the wrong IP address is on the ICA file.
Solution: An administrator should check the ICA file and make any corrections needed on the Web Interface server.
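One way to check the address in a generated ICA file against the alternate addresses you expect, as an added example (not a Citrix tool). The sample file and addresses are constructed, and treating an Address value that starts with ";" as an STA ticket is an assumption of this sketch.

```python
import configparser
import ipaddress

# Constructed sample ICA file for a resource named Notepad (not a real capture).
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.1.25:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""


def classify_address(value):
    """Classify an Address value as ('ticket'|'ip'|'name', host)."""
    if value.startswith(";"):
        return "ticket", None      # STA ticket: no server address in the file
    host = value.rsplit(":", 1)[0] if ":" in value else value
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "name", host


def check_ica(text, expected_addresses):
    """Return (resource, problem) pairs for addresses clients should not be sent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str           # ICA keys and section names are mixed case
    cp.read_string(text)
    findings = []
    if not cp.has_section("ApplicationServers"):
        return [("<file>", "no [ApplicationServers] section")]
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            findings.append((app, "no section for this resource"))
            continue
        kind, host = classify_address(cp[app].get("Address", ""))
        if kind != "ticket" and host not in expected_addresses:
            findings.append((app, f"unexpected address {host}"))
    return findings
```

Run against the sample with the expected alternate address 203.0.113.25, it flags Notepad because the file still carries the server's internal address.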
If you experience problems with a XenApp Web site, try using the Web Interface Repair option to fix the problem.
* On Windows IIS, Web Interface has a Repair option that you can try to fix problems with your XenApp Web sites.
To repair Web Interface: run the WebInterface.exe file, select Repair, click Next and follow the instructions on screen.
* If that still doesn't work, or the Repair option doesn't exist because of being a Java web server installation, try uninstalling and reinstalling Web Interface.
If you have to uninstall and reinstall Web Interface you will have to recreate all of the XenApp Web sites.