Access

CTX-Blog

powered by Ecki’s Place

Language
Pages
Search
Archives
Calendar
May 2012
M T W T F S S
« Oct    
 123456
78910111213
14151617181920
21222324252627
28293031  
Citrix Blogs & Links (deutsch)
Citrix Blogs & Links (english)
Sonstige Links
Tag Cloud
Citrix Access Gateway Presentation Server Download Update 4.5 CAG Advanced HotFix AAC LogonPoint Tuning Standard Registry web.config SAC Secure Access Client Optimierung Parameter GPO Revision Web Interface Installation Tool SmartCard Vista Support EPA Scan AMC Terminal Server Authentifizierung
Recent Posts
Recent Comments
Categories
Meta
Certifications
    CCEA
    CCEE
    MCSE 2003
    MCSA Messaging 2003
May 28, 2007

AAC tuning, part 2

By ecki

AAC admins that deploy LogonPoints with RSA SecureID, SafeWord or any other Two Factor Authentication solution know the dilemma. The token realy boosts security, but if the token isn’t at hand, there is no way to access internal resources. Fortunately this is not imperativ. A LogonPoint configured with Two Factor Authentication must not always require a One Time Password.

As in part 1, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:

C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure Two Factor Authentication such, that a One Time Password is not mandatory. All it needs is to change the following line below the <appSettings> section:

From
<add key=”SecondaryAuthenticationIsOptional” value=“false” />
to
<add key=”SecondaryAuthenticationIsOptional” value=“true” />

The section should look like this afterwards:

<appSettings>
<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationIsOptional" value="true" />
<!- -

After saving the changes, a user calling this manipulated LogonPoint will still see the prompt for RSA, SafeWord, or RADIUS passcode, but he is now able to leave this field empty and log in with just his username and password.

This manipulation creates a big hole in your security configuration, but this hole can be easily closed again. All that is needed is to reconfigure your filters and policies.

The filter for full access must require RSA, SafeWord, or RADIUS authentication. Therefore the filter generator allows to use the authentication strength as a criteria. Only users using strong authentication get access to all resources.

Authentication Strength

A user that has no access to his token is nevertheless able to authenticate without a One Time Password. But now an other filter is matched (you can create the same filter as for full acces, but without strong authentication) and an other, more restrictive policy becomes active. This way, the user is at least able to work in a restricted environment, then to stop working :-)

< < AAC tuning, part 1 AAC tuning, part 3 >>

!!! Please read the first comment to this post !!!

Regards
Ecki

Posted in °AAC, °Access Gateway, Citrix | 2 Comments
May 23, 2007

AAC tuning, part 1

By ecki

Is there any AAC admin happy with the way, EPA scans behave? Once you create just one EPA scan in the AMC (Access Management Console), the EPA scan gets started automatically on every LogonPoint, regardless whether this is wanted/needed or not.

This behavior is for example very annoying at OWA (Outlook Web Access) LogonPoints, that are created only to allow restricted access to the personal mail from anywhere. To operate “client less” from anyplace, anywhere, no EPA scans may be required. On a standard LogonPoint the EPA scan appears anyway with his download and installation directions. If you click on the “Skip Scan” button, you can proceed without scanning your PC, but the download of the EPA scan client still takes place in the background, steeling you valuable bandwidth. In addition, less computer versed users in an internet cafe with restricted PCs might end up trying to install the EPA scan client over and over without a chance to succeed…

Recently I stumbled upon an option that is able to stop this “misbehavior”. Well hidden and badly documented, the chances are good, that only few people discovered this option so far. The solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:

C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can disable EPA scans here. All it needs is to add the following line below the <appSettings> section:

<add key=”EndpointAnalysisDisabled” value=“true” />

The section should look like this afterwards:

<appSettings>
<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationIsOptional" value="false" />
<add key="EndpointAnalysisDisabled" value="True" />
<!- -

After saving the changes, a user calling this manipulated LogonPoint will now be forwarded immediately to the login prompt without seeing any EPA “nag screen” :-)

AAC tuning, part 2 >>

!!! Please read the first comment to this post !!!

Regards
Ecki

Posted in °AAC, °Access Gateway, °Clients, Citrix | 1 Comment
May 2, 2007

Secure Access Client Command Line Parameters

By ecki

It is a little known fact, that the Secure Access Client (4.2 and later, including net6vpn.exe) offers some interesting command line parameters. I will therefore present them here. The most intersting part is the ability to automate installation of the client via software deployment or simple batch script.

Note: These parameters are case-sensitive.

The following parameters are available:

  • -C Configure the Virtual Private Networking (VPN) client–bring up the GUI configuration screen
    Example: “CitrixSAClient.exe –C”
  • -H Connect to a specific server address and port (Syntax: -H SERVER_IP:PORT)
    Example: “CitrixSAClient.exe –H 192.168.1.1:443″
  • -p Connect with a proxy IP address and port (Syntax: -p PROXY_IP:PORT)
    Example: “CitrixSAClient.exe –p 192.168.1.1:8080″
  • -i Install the client. This is used in combination with other parameters for silent installations
    Example: “CitrixSAClient.exe –i”
  • -D Sets the URL for the desktop icon for Advanced Access Control mode (Syntax: -D AG_AAC_URL)
    Example: “CitrixSAClient.exe -D https://cag.company.com”
  • -Q Quiet mode parameter–this can only be used during an install (-i) or uninstall (-U). It must appear before all other parameters
    Example: “CitrixSAClient.exe –Q”
  • -U Uninstall the VPN client and drivers
    Example: “CitrixSAClient.exe –U”
  • -v Shows the version of the client you are launching
    Example: “CitrixSAClient.exe –v”

Below is a syntax example for a silent installation with Advanced Access Control integration:
CitrixSAClient.exe –Q –D https://AG_AAC_URL –i

A silent installation for Access Gateway Standard would look like that:
CitrixSAClient.exe –Q –H [AG_SYSTEM_FQDN]:[AG_SYSTEM_PORT] –i

From CTX108757.

Regards
Ecki

Posted in °AAC, °Access Gateway, °Clients, Citrix | No Comments
April 20, 2007

Citrix Access Gateway v4.5.2 released

By ecki

April 18. Citrix released Citrix Access Gateway (Standard and Advanced) v4.5.2. This update comprises a couple of interesting fixes. Beside others, the main improvements are IMHO the fixes of the following issues:

  • When the Secure Access Client is started from the desktop icon, the taskbar button displays “Shutting Down,” and the portal page is not displayed for a significant amount of time
  • Downloading files larger than 512 megabytes through the Access Gateway fail
  • When users attempt to log on using the Endpoint Analysis Client, they cannot log on if the Web site is not trusted
  • The Access Gateway fails when an invalid certificate is installed using the Administration Portal

A complete list of fixes and the download can be found here.

Regards
Ecki

Posted in °Access Gateway, Citrix | No Comments
April 4, 2007

Citrix Access Gateway Enterprise available

By ecki

Jay Tomlin wrote an excelent article on this topic. You can find it here:

Jay Tomlin – Timpanogos

Regards
Ecki

Posted in °Access Gateway, °NetScaler, Citrix | No Comments
March 14, 2007

Registry Scan (Watermark) for CAG 4.5.x Advanced

By ecki

Most people who know Citrix Access Gateway (CAG) with Advanced Access Control (AAC) for a while, especially version 4.2, know the “Citrix Watermark” End Point Analysis Scan (EPA Scan). A possibility to configure the security group membership of a PC withe a simple registry key. In contrast to MAC or Domain filters, this scan made it very easy to change the security context of a PC, very handy for product demonstrations, where you want to visualize different access scenarios.

The update to AAC version 4.2.5, eg. version 4.5 introduced a massive change for EPA Scans. Since then, every EPA Scan has to be signed, which renders the unsigned “Watermark” scan worthless. Every EPA Scan delivered with AAC 4.5 is now already signed by Citrix and if you try to create your own EPA Scans, you have to sign them too and build your own specific EPA Scan MSI package. Lots of customers try to avoid this effort and the costs associated with signing certificates. For Citrix partners, trying to build just a demo site, the effort and the costs are too high as well. If you do not intend to spend money on Custom Scans for example from EPAFactory, you are stuck with the scans provided by Citrix:-(

I will therefore show a way, how you can accomplish a working registry scan with the means provided by a standard setup of AAC. Most EPA Scans do in fact nothing else than reading predefined keys in the registry of the client PC. Therefore almost any EPA Scan can be used as registry scan. As an example i will use the “Citrix Scans for Windows Update” shipped with AAC. This scan reads on a client PC recursively all keys beneath:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\

and reports back the KB-numbers found. It must be pointed out, that keys directly below the “Updates”-key are NOT delivered back to the AAC server. You should therefore use an existing key like “SP2″ to create your own KB-number key. Knowing that, it is fairly simple to create your own registry scan. A detailed description with screen shots of this process can be found here (german only).

Regards
Ecki

Posted in °AAC, °Access Gateway, Citrix | 5 Comments
« Previous Page | Next Entries »

CTX-Blog is powered by WordPress | Using Tiga theme with a bit of Ozh