You can configure a user to enable the single sign-on feature of Novell Access Manager when accessing published Citrix applications through SSL VPN. To enable single sign-on, you must configure a custom login policy and protect the Citrix Application Server with the Access Gateway. If you are using the ESP-enabled Novell SSL VPN, you must install an Access Gateway in order to protect the Citrix server. The following sections discuss the configuration process:

- NFuse server
- MetaFrame server: The MetaFrame server must be placed in the protected network. The SSL VPN server must use its private network interface adapter to communicate with the network interface of the MetaFrame server.
- Identity Server: Configure SSL VPN to use the same Identity Server as the Access Gateway.
- Access Gateway: Download the Citrix_Script.js file from the Additional Resources section on the Novell Documentation site and copy it to a Web server that is protected by the Linux Access Gateway.
Access Manager can be configured to provide single sign-on for Citrix clients. Figure 5-1 illustrates this process for the Citrix Web client.

Figure 5-1 Citrix Client Configuration

1. The client specifies the public DNS name of the Access Gateway that accelerates the Web Interface login page of the Citrix MetaFrame Presentation Server.
2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.
3. The Identity Server authenticates the user's identity.
4. The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.
5. The Access Gateway has been configured with a Form Fill policy, which invokes the SSL VPN servlet along with the corresponding policy information for that user. The SSL VPN servlet creates a secure tunnel between the client and the SSL VPN server.
6. On successful SSL VPN connection, the Access Gateway performs a single sign-on to the Citrix MetaFrame Presentation Server. The user is authenticated to both the Citrix Presentation Server and to the SSL VPN server.
7. The Web session containing the list of published applications in the Citrix Presentation Server is served to the client through the Access Gateway.
8. When the user connects to the published application, the data goes through the secure tunnel that is formed between the client and the SSL VPN server.
A custom login policy must be configured to enable users to use a browser to access Citrix applications protected by Access Manager. This is because the browser settings of the client need to be modified so that connections to Citrix applications can happen through SSL VPN.

The following procedure configures a sample custom login policy for Citrix where all Linux users connecting from the Firefox browser on Linux are redirected to a page that modifies the browser settings and then redirects the user to the SSL VPN /login URL:

1. In the Administration Console, click > .
2. Select from the policies section.
3. Click in the section.
4. Specify the following information in the dialog box:
   - Custom Action Name: Specify a name for the custom login policy. For example, modify_firefox_properties.
   - Redirect Condition: Specify Firefox as the browser, and specify Linux as the Operating Software.
   - Redirect URL: Specify the redirect URL as http://<sslvpn-url>/sslvpn/pages/sslvpn-citrix.jar!configure_browser.html.
5. Click .
6. Specify /login as the default URL. The user is redirected to this URL if none of the conditions are met.
7. To save your modifications, click , then click on the Configuration page.

To enable users to access Citrix applications through SSL VPN, you must create a protected resource to protect the Citrix login page.
1. In the Administration Console, click > > > . The reverse proxy can be set up to require SSL or not.
2. Click > > .
3. When you configure the protected resource, set up the following:
   - Select a contract that requires authentication. Usually this is a Name/Password contract, but it can be a certificate contract if your NFuse server is configured to use certificates.
   - For the URL Path List, specify the URL to the Citrix login page. This URL should include the filename of this login page.
   For more information, see Configuring Protected Resources in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
4. On the Server Configuration page, click , then click .

You need to create a Form Fill policy and assign it to the protected resource for the Citrix login page.
1. In the Administration Console, click > > > .
2. Click > > .
3. Name the Citrix policy, select as the type, then click .
4. In the section, click > .
5. In the section, identify the form on the Citrix login page.
6. In the section, create the following:
   - Username input field
   - Password input field
   - (Optional) If your login page requires a domain, add a domain input field.
7. Configure the following options: select , then select .
8. Click . Copy the Citrix Script found in the Additional Resources section in the Novell Documentation site. In the script, replace <ag-url> with the following:
   - For a Traditional SSL VPN, use the hostname of the Access Gateway that is accelerating the SSL VPN server.
   - For an ESP-enabled SSL VPN, use the hostname of the SSL VPN server.
   - Change the protocol to HTTPS if the secure protocol is used.
   Replace <Webserver-path> with the location of the Web server on which the Citrix_Script.js JavaScript file is located. When this JavaScript file is used, it connects users from the outside through SSL VPN.
   Change the URL as follows, if you want to use the custom login method:
   http://<ag-url>/sslvpn/custom-login
   Configure any other options to match your form and your network.
   For more information, see Creating Form Fill Policies in the Novell Access Manager 3.1 SP2 Policy Guide.
9. In the section, click > . Specify the procedures you want followed when login fails. Citrix displays login failures via the query string, so you need to use CGI matching. For more information, see Login Failure Policy in the Novell Access Manager 3.1 SP2 Policy Guide.
10. Click , then click .
11. Click . You should return to the Form Fill page for the protected resource.
12. Select the policy you just created, then click .
13. Click , then click .
14. On the Server Configuration page, click , then click .
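The two client-facing decisions this page configures, the custom login policy's redirect condition (Firefox on Linux, otherwise the /login default) and the host and protocol substituted for <ag-url> in the custom-login URL, expressed as code. This is an added example, not Novell's Citrix_Script.js or any Access Manager code; the hostnames and User-Agent strings are constructed samples.

```javascript
// Added example: models the custom login policy and <ag-url> substitution
// described on this page. Hostnames below are placeholders, not real systems.

// Placeholder standing in for <sslvpn-url> in the redirect URL.
const SSLVPN_HOST = "sslvpn.example.com";

// Redirect condition of the sample policy: browser is Firefox AND OS is Linux.
// Android also reports "Linux" in its User-Agent, so it is excluded explicitly.
function matchesRedirectCondition(userAgent) {
  const ua = String(userAgent);
  const isFirefox = /\bFirefox\/\d/.test(ua);
  const isLinux = /\bLinux\b/.test(ua) && !/\bAndroid\b/.test(ua);
  return isFirefox && isLinux;
}

// Where the login request is sent: the browser-configuration page for matching
// clients, or the /login default when no condition matches.
function customLoginTarget(userAgent, sslvpnHost = SSLVPN_HOST) {
  if (matchesRedirectCondition(userAgent)) {
    return `http://${sslvpnHost}/sslvpn/pages/sslvpn-citrix.jar!configure_browser.html`;
  }
  return "/login";
}

// Builds the custom-login URL used in the Form Fill script: the Access Gateway
// host for a Traditional SSL VPN, the SSL VPN host for an ESP-enabled SSL VPN,
// and HTTPS when the secure protocol is in use.
function customLoginUrl({ esp, agHost, sslvpnHost, secure }) {
  const host = esp ? sslvpnHost : agHost;
  const scheme = secure ? "https" : "http";
  return `${scheme}://${host}/sslvpn/custom-login`;
}

// Constructed sample User-Agent strings for a quick run.
const linuxFirefox = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0";
const windowsFirefox = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0";
console.log(customLoginTarget(linuxFirefox));   // browser-configuration page
console.log(customLoginTarget(windowsFirefox)); // /login
```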