Sunday, July 3, 2022

CVAD smart access basic setup with ICA proxy

 Smart Access Basic setup with ICA proxy enabled.

 

 

 

One thing I learned is that the Gateway vServer doesn't really need ICA Proxy unchecked, for what I am trying to do. I am not using EPA scans or anything advanced yet. But you could do it so save a step later. Now I understand this may not be the best way. But sometimes you have to do what you need to do to secure things.

 

 

  1. Check the Trust Request on the Brokers and enabled it if it’s not enabled.

  2. Open POSH and add asnp citrix* and Run Get-brokersite. If it’s set to false, then run #3 command

  3. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

 

Machine generated alternative text:PS get-brokersite 8 as eOLl Sr Oker Servi ceGroupUid : b3493067-oc6b-4438-84e3-b6664469e655 01 or Depth TwentyFour8it onfigLastChangeTime : 7/16/2020 PM onfigurat ion Servi ceGroupLlid ff9d3 cfa-Id33-449c- a 717-85 b9a6fe2d96 on nectionLeasi ngEnabIed False DefaultMinimumFunctionaILeveI Desktop-Grouplconuid DnsResoIutionEnabIed False Is Secondary8roker False Li censeEdition PCT L i censeGr aceSessionsRenai ni ng L i censeNodeI . Concurrent L i censeServerName : vsIctxIicOI Li censeServerPort : 27000 Li censedSessionsActive Licensing8urnIn : 2020.0415 Licensing8urnInDate : 4/14/2020 8:00:00 PM L i censi ngGr aceHoursLeft Li censi ngGr acePer iodAct i ve False L i cens i ngOutOf80xGr acePer iodActi ve False L HostCacheEnabIed True et adat am ap Name : VyStar PeakConcurrentLi censeUsers Reus&achinesWithoutShutdownInOutageAI lowed : False SecurelcaRequired False otaILlni queLi censeusers . 1036 rustManag edAn onymousXmI Servi ceRequ ests False TrustRequestsSentTcT extr Servi ceport . True UseVert1ca Sca 1 ngForR sLaunc es . Fa se

 

 

  1.  Create a NetScaler gateway Dummy VIP (Some organizations don’t allow SF to talk back to the DMZ NetScaler's vServer, If yours does, then use the current Gateway and ignore the dummy VIP/vServer

Machine generated alternative text:Q Search in Menu System AppExpert Traffic Management Optimization Security Citrix Gateway Global Settings Virtual Servers Portal Themes user Administration KCD Accounts Resources Authentication Integrate with Citrix Products Unified Gateway XenMobile Citrix Gateway / Citrix Gateway Virtual Servers Citrix Gateway Virtual Servers Add Statistics Microsoft. EMS/lntune Integration ND action > Q Click here to search or you can enter Key Value format Name State 'OUT OF SERVICE 'OUT OF SERVICE STA status Protocol 443 443 443 443

 

  1. Added IP and Port

Machine generated alternative text:VPN Virtual Server Basic Settings Name Port ROP server Profile PCDIP vseruer Profile Double Hop Down State Flush AppFlow Logging Logout On Smart Card Removal Certificate 1 No Maximum Users Max Login Attempts Failed Login Timeout ICA only Enable Authentication Windows EPA Plugin upgrade Linux EPA Plugin upgrade Mac EPA Plugin upgrade ICA Proxy Session Migration Enable Device Certificate true true true false

  1. Add STA Brokers

Machine generated alternative text:Published Applications No server 6

 

Machine generated alternative text:VPN Virtual Server STA Server Binding Add Binding Q Click here to search or you can entel Secure Ticket Authority Server Secure Ticket Authority Server Address Type State

 

  1. Added DNS Record.

 

Machine generated alternative text:Neuu Host Name (uses parent domain name if blank): Callback Fully qualified domain name (FQDN): IP address: Create associated pointer (PTR) record Allow any authenticated user to update DNS records with the same owner name Time to live (TTL): (DDDDD:HH.MM.ss) Add Host Cancel

 

 

  1. Go to StoreFront Servers > click on Manage Citrix Gateways

 

Machine generated alternative text:Create Store Ex ort Multi-Store Provisioning File Manage Citrix Gateways Manage Beacons Set Default Website Refresh Help

  1. Click edit

Machine generated alternative text:Manage Citrix Gateways Add, edit or remcwe the Citrix Gateway appliances through which remote access is prcr.'ided. Remote access through a Citrix Gateway cannot be applied to unauthenticated stores. Alternatively, Citrix Gateway appliances can be imported from file. Citrix Gateways: Display Name StoreFront Role Authenticati... Remove Used by Sto... URL Close

  1. Add the Call Back URL ( For me is the Dummy VIP I created)  Which resolved to a layer 2 IP address on the same Subnet as my Citrix Environment.

 

Machine generated alternative text:Edit Citrix Gateway appliance - StoreFront Authentication Settings These settings specify how the remote user provides authentication credentials StoreFront General Settings Secure Ticket Authority Authentication Settings Version: VServer IP address: (optional) Logon type O Smart card fallback: Callback URL: O (optional) 10.0 (Build 69.4) or later v70.o: None /CitrixAuthService/AuthService.asmx

 

  1. Propagate changes on Storefront

 

Machine generated alternative text:opagate Chang Propagating changes... Details Synchrt: Propag

 

 

  1. Go to the DDC, and create a policy. For me, I used the baked in one from Citrix called " Security Control"

  2. Machine generated alternative text:Policies SmartAcCes Secuöty Policy VyStar External Smart.Acces Security policy Auto comwct client user setting - ICÄ\Fde Redirection Disabled (Default: Enabled' Auto-create client printers Usersetting - Printers DO not auto-create client printers (Default: Auto-create a" client printers) Client clipboard redirection User setting - ICA Prohibited (Default: Client COM port redirection user setting - ICA\Port Redirection Prohibited (Default: Prohibited) Client drive redirection user setting - ICA\FiIe Redirection Prohibited (Default: Allowed) Client fixed drives user setting - ICA\File Redirection Prohibited (Default: Allowed) Client LPT port redirection User setting - ICA\Port Redirection Prohibited (Default: Prohibited) Client network drives user setting - ICA\FiIe Redirection Prohibited (Default: Allo•.Qed) Client optical drives User setting - ICA\FlIe Redirection Prohibited (Defauit: Allowed) Client printer redirection User setting - ICA\Pnnting prohibited (Default: Allowed) Client removable drives User setting - ICA\FiIe Redirection Prohibited (Default: Allowed) Client TWAIN device redirection user setting - ICA\TWAIN Devices Prohibited (Default: Allowed) Client USB device redirection User setting - ICA\USB Devices

 

Machine generated alternative text:Edit VyStar Citrix VADs Default Policy Studio Settings Users and Machines Summary Assign policy t' •Selected - 9b User and machine oWects: 2 selected Acces control Applies to user settings only Client IP address Applies to user settings only Client name Applies to user settings only C) All objects in the site View selected o UnæsÉgn Assign

 

Machine generated alternative text:Assi n Poli Access control Applies to: Virtual Delivery Agent: 5.6, 7.0 Server OS 7.0 Desktop OS 7.1 Server OS, 7.1 Desktop OS, 7.5 Server OS, 7.5 Desktop OS, 7.6 Server OS, 7.6 Desktop OS 7.7 Server as, 7.7 Desktop as, 7.8 Server OS 7.8 Desktop as, 7.9 Server OS 7.9 Desktop OS, 7.11 Server OS 7.11 Desktop OS, 7.12 Server OS, 7.12 Desktop as, 7.13 Server as, 7.13 Desktop as, 7.14 Sen,er as, 7.14 Desktop OS, 7.15 Server OS 7.15 Desktop OS 7.16 Server as: 7.16 Desktop OS, 7.17 Server as, 7.17 Desktop OS, 7.18 Server OS 7.18 Desktop OS, 1808 Server OS 1808 Desktop OS, 1811 Server as, 1811 Desktop OS 1903 Server OS, 1903 Desktop OS, 1906 Server OS, 1906 Desktop OS 1909 Multi-session as, 1909 Single-session OS, 1912 Multi-session OS, 1912 Single-session OS Apply policy based on the access control conditions through which a client connects. Access control elements: Mode Enable Connection Vpe NetScaIer Gateway farm name Access condition

  • Remember the Allow or Deny mode is a bit confusing. Allow means that the settings in the policy are to be applied to the NetScaler Gateway connection.

  • Deny, the settings prohibiting something will not be applied to users connecting via Citrix Gateway.

 

My bandwidth went up some when I applied more Security settings, Red is applying the filter, and green is off.

 

Machine generated alternative text:oaulsra dauism 4319 ms 1174 Kbps

 

 

On

Machine generated alternative text:SESSION TYPE Desktop DD ms Desktop DD ms DD ms Desktop DD ms DD ms Desktop DD ms DD ms 241 Mg 241 Mg WAN LATENCY OC LATENCY 42 46 BANDWIDTH PER INTERVAL Kbps 9154 Kbps Kbps 1103B Kbps SESSION BANDWIDTH Kbps 9154 Kbps Kbps 1103B Kbps TOTAL BYTES IDIDB2 Kg BYTES PER INTERVAL START TIME 7/16/2020. PM 7/16/2020. PM 7/16/2020. PM 7/16/2020. PM

 

 

Off

Machine generated alternative text:SESSION TYPE Desktop DD ms WAN LATENCY OC LATENCY D ms BANDWIDTH PER INTERVAL 1171 Kbps SESSION BANDWIDTH TOTAL BYTES Mg BYTES PER INTERVAL START TIME 7/16/2020. PM

 

 

 

  1. Testing with it off (Deny the Policy

Machine generated alternative text:Apply policy based on the access control conditions through which a client connects. Access control elements: Mode Connection type NetScaIer Gateway farm name Access condition

  1. Here is my local machine printers

Machine generated alternative text:Printers & scanners Fax Fax - HP OfficeJet 5200 series HPBD4876 (HP OfficeJet 5200 series) Default, App available for this device Microsoft Print to PDF Microsoft XPS Document Writer OneNote for Windows 10 Send To OneNote 2013 Send To OneNote 2016

 

 

  1. Now log into the VDA

Machine generated alternative text:s Test Desktop - Desktop Viewuer Settings Home Devices Printers & scanners Connected devices Mouse & touchpad Typing AutoPlay USB Fax - HP OfficeJet 5200 series (from MUSTANG2007) HPBD4876 (HP OfficeJet 5200 series) (from MUSTANG20.. Microsoft Print to PDF (from MUSTANG2007)

 

 

  1. Now let se the Filter to allow ( Allow the policy)

Machine generated alternative text:control elements: Mode Enable Connection type NetScaIer Gateway farm name Access condition

 

  1. Now log into the VDA

No printers from my local machine were able to come in.

Machine generated alternative text:Add a printer or scanner Printers & scanners Fax ITOLaser01 on jhqprt01 Laserfiche Snapshot Microsoft Print to PDF Microsoft XPS Document Writer ent Capture Sapture (color) Print to DocuSign RightFax Fax Printer Send To OneNote 2016 TWRPPRNT

 

  1. Remember this is a very basic setup, and it’s just to show what it can do. There is much more than what I am showing here.

 

 

Sources

Basic Guide

 

https://dennisspan.com/making-limited-use-of-citrix-smartaccess-without-universal-licenses/#comment-11123

 

Little more advanced

https://c4rm0.wordpress.com/improve-security-with-netscaler-smartaccess/

https://support.citrix.com/article/CTX227055

 

 

Then my research and questions on Slack ( If you're not on this, you're missing out) A lot of really sharp guys on here.
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)