Citrix Services
Citrix Deployments Modes - Unticketed and Ticketed
Unticketed Mode
In the recommended Unticketed Mode scenario:
- The remote access user logs into the Mobile Access user portal.
- Using the Mobile Access Web interface, the user is directed to the Citrix Web Interface server and then has access to the Presentation server.
Ticketed Mode
In the Ticketed Mode scenario:
- The remote access user logs into the Mobile Access user portal.
- Using the Mobile Access Web interface, the user is directed to the Citrix Web Interface server.
The user logs into the Citrix Web Interface server and is assigned a secure ticket by the Secure Ticket Authority. This ticket allows the user to access the Presentation server once it is verified by the Mobile Access Web Security Gateway.
You do not need to use Secure Ticketing Authority (STA) servers because Mobile Access implements its own STA engine.
Configuring Citrix Services
To configure a new Citrix Service:
- In SmartConsole, click Objects > Object Explorer (Ctrl+E).
- Click New Custom Application/Site > Mobile Application > Citrix Services.
The Citrix Services window opens.
Before Configuring Citrix Services
The server certificate for Mobile Access must be based on an FQDN (Fully Qualified Domain Name) and issued to the Mobile Access FQDN, for example www.sample.com.
Before you configure Citrix Services, change the Mobile Access server certificate to one that was issued to the FQDN. This is necessary to comply with the Citrix standards for server certificates. Additionally, end users must browse to Mobile Access using an FQDN that is routable from their network.
Note - Make sure that the certificate is a Server Certificate.
If your Web Interface server is configured to deploy ICA Web clients and the Mobile Access server certificate is issued by a private CA, the certificate's public key must be installed in the client-side browser for the ICA Web Client to function properly. The Mobile Access certificate public key is located under:
$CVPNDIR/var/ssl/server.crt
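The FQDN requirement above can be checked against what a browser or the Citrix ICA Web Client actually does with the server certificate. The following is an added example, not code from the Check Point documentation: it implements the standard hostname-matching rules (SAN dNSName first, legacy CN fallback, single-label wildcard, IP literals only against iPAddress SAN entries) over certificate dictionaries in the layout Python's ssl.getpeercert() returns; the certificate contents and the names mab-gw and 203.0.113.10 are constructed for illustration.

```python
"""Hostname check that a browser or the Citrix ICA Web Client applies to the
Mobile Access server certificate (added illustration; stdlib only)."""
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, a
    wildcard allowed only as the whole leftmost label and covering exactly
    one label (so "*.sample.com" covers www.sample.com but not a.b.sample.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse "*.com"-style wildcards
    return p == h

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True when `hostname` is covered by `cert`, a dict in the layout returned
    by ssl.getpeercert(). SAN dNSName entries take precedence; the subject CN is
    consulted only when the certificate carries no dNSName (legacy behaviour)."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only iPAddress SAN entries, never the CN or a dNSName.
        return any(ipaddress.ip_address(v) == ip for k, v in san if k == "IP Address")
    if dns_names:
        return any(_dns_match(n, hostname) for n in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in cn)

# Constructed sample: certificate issued to the Mobile Access FQDN, as required.
FQDN_CERT = {"subject": ((("commonName", "www.sample.com"),),),
             "subjectAltName": (("DNS", "www.sample.com"),)}
# Constructed sample: certificate issued to a short host name only (the case to fix).
SHORTNAME_CERT = {"subject": ((("commonName", "mab-gw"),),),
                  "subjectAltName": (("DNS", "mab-gw"),)}

def access_results(cert: dict) -> dict:
    """How the names an end user might type into the browser fare against `cert`."""
    return {name: cert_matches_hostname(cert, name)
            for name in ("www.sample.com", "WWW.SAMPLE.COM.", "mab-gw", "203.0.113.10")}

if __name__ == "__main__":
    for label, cert in (("FQDN cert", FQDN_CERT), ("short-name cert", SHORTNAME_CERT)):
        print(label, access_results(cert))
```

Only the routable FQDN form passes against the compliant certificate; browsing by IP address or short host name fails the check even when the certificate is otherwise valid.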
Citrix Service - Web Interface page
- Go to the Web Interface page of the Citrix Service object.
- Fill in the fields on the page:
  - Servers are the machine(s) or DNS Name(s) on which the Web Interface server is hosted. Choose either a single Host or DNS name, or Multiple hosts. To keep the environment simple, it is recommended to configure a single Web Interface server per Citrix Application.
  - Services must match the settings on the Web Interface server. Select http or https, as required. Other services are NOT supported.
Citrix Service - Link in Portal Page
- Go to the Link In Portal page of the Citrix Service object.
- Fill in the fields on the page:
  - Link text (multi-language) - Shows in the Mobile Access Portal. If more than one link is configured with the same (case insensitive) name, only one of them is shown in the portal.
  - URL - The link to the location of the application, or to a sub-directory of the application.
  - Tooltip (multi-language) - Gives additional information. The text appears automatically when the user holds the cursor over the link. It disappears when the user clicks a mouse button or moves the cursor away from the link.
Citrix Service - STA Servers Page
- Go to the STA servers page of the Citrix Service object.
- Get the Host from the current settings on the Web Interface (WI) server.
- Get the STA ID from the Secure Ticketing Authority (STA) servers.
Note - Mobile Access implements its own Secure Ticketing Authority (STA) engine. STA servers are not necessary.
To get the host name or IP address:
- Log in to the Web Interface Citrix administration page.
- Click Server-Side Firewall.
- Scroll to the Secure Ticket Authority list.
  - If the field is blank, you are in unticketed mode and you do not need to define any STA Servers on Mobile Access.
  - If the field contains entries, you are in ticketed mode. Each entry in this list is a URL containing the IP or FQDN of a Citrix server. Every entry in the Secure Ticket Authority list must be separately entered into Mobile Access.
To get the STA ID:
- Log in to the STA server.
- From the Windows Start menu, select Programs > Citrix > Citrix Secure Gateway > Secure Ticket Authority Configuration.
- Click Next.
The STA ID is shown in the Enter the STA ID field.
Citrix Service - XenApp Servers Page
Use the XenApp Servers page to configure access to the XenApp Servers.
Note - If you select Restrict access to these servers only:
- Define the servers using an IP address or Fully Qualified Domain Name (FQDN).
- Make sure that the definition matches the configuration made on the Metaframe server farm. If you do not, Mobile Access may not authorize the connection. (The XenApp server configuration affects one of the parameters in the ICA file that is received by the client.)
Citrix Service - Single Sign On Page
Single Sign On increases application security.
To configure Single Sign On:
- Go to the Single Sign On page of the File Share Application object.
- Select Turn on single Sign On for this application.
Configure the sign on method for the application.
Citrix Service - Protection Level Page
- Go to the Protection Level page of the Citrix Service object.
- Enter data in these fields:
Security Requirements for Accessing this Application lets you:
- Allow access to this application to any endpoint that complies with the security requirements of the Security Gateway,
- OR make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile.
Note - The Citrix architecture requires ICA files and ActiveX executables to be temporarily cached by the client-side browser. As a result, Mobile Access's Protection Level settings do not apply to these files.
Completing the Configuration of the Citrix Service
To complete the configuration, add the Citrix Service to a policy rule and install policy from SmartConsole.
For Unified Access Policy, see Mobile Access and the Unified Access Policy.
For legacy policy, see Getting Started with Mobile Access.