ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF
THE PRODUCT(S) DESCRIBED IN THIS MANUAL.
CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT
MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN
THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS
UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC
rules. These limits are designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment. This equipment generates, uses, and can
radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct
the interference at their own expense.
Modifying the equipment without Citrix' written authorization may result in the equipment no longer
complying with FCC requirements for Class A digital devices. In that event, your right to use the
equipment may be limited by FCC regulations, and you may be required to correct any interference
to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the
NetScaler equipment causes interference, try to correct the interference by using one or more of the
following measures:
Move the NetScaler equipment to one side or the other of your equipment.
Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure
the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers
or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval
and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus
Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as
Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a
registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat,
Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand
and product names may be registered trademarks or trademarks of their respective holders.
SSL VPN is a secure remote access solution that provides point-to-point communication between remote users, such as mobile employees, partners, or
resellers, and a private enterprise network. It does so by creating a secure
SSL-based tunnel between a user's computer and the SSL VPN gateway. This
allows authorized remote users to gain access to critical business resources
such as corporate intranets, shared file systems, native client/server applications, and terminal services.
1.1 SSL VPN: Architecture
To log on to a remote network, you need to log on to the SSL VPN gateway. To
do this, you typically need to use a client provided by the service provider. For
instance, if you are trying to log on to your office network, you will first need
to install a VPN client on your home PC or laptop and then use it to log on.
Alternately, some service providers allow you to log on to the remote network
via an Internet portal. Once logged on, an SSL VPN plug-in is installed on your
computer. This plug-in then establishes a secure tunnel between your computer and the SSL VPN gateway.
Figure 1-1 Basic functioning of SSL VPN
The Citrix NetScaler SSL VPN solution provides both modes of access. These
are the agent and the plug-in. These modes, however, are configured by the
SSL VPN administrator on the gateway. If the SSL VPN administrator configures the gateway to allow the users access via the plug-in only, the plug-in is
downloaded every time the user logs on to the gateway.
SSL VPN User's Guide 1-1
SSL VPN Overview
The agent is installed on your computer when you log on for the first time. You
can configure it to log on directly to the gateway, without having to log on via
the Web portal. This is known as the native login mode. Alternately, you can
also log on to the gateway via the SSL VPN login page.
The SSL VPN browser plug-in is an ActiveX control. While the feature set supported by the plug-in is identical to that supported by the agent, it does not
support native login.
When either version of the SSL VPN client is downloaded on to your computer
and permitted to execute, it creates a secure channel of communication
between the local system and the SSL VPN gateway, and allows you to access
resources on the intranet that you are authorized to use. When a TCP or a UDP
application, like Telnet or Microsoft Outlook, tries to connect to a server in the
intranet, the client intercepts the connection, secures it using SSL encryption,
and redirects it to the server through the secure SSL VPN tunnel. This behavior
extends to several applications such as FTP clients, Web browsers, soft
phones, e-mail clients, etc. You can also use ping and traceroute. This behavior may vary based on the Split Tunneling configuration. For details, refer to
the Configuring Split Tunneling section.
Note By default, the TDI interception mechanism is used. When it fails, the client uses
the Winsock interception mechanism. This is also applicable for scenarios where
you do not have administrative privileges on the computer. As a result, TCP compression, UDP interception, NetBios interception, HTTP delta, etc., will not be
supported.
The SSL VPN client supports the SSL 2.0, SSL 3.0, and TLS 1.0 protocols.
Based on the cipher settings on the SSL VPN gateway, the client can perform
up to 2048 bit encryption. In addition, the SSL VPN administrator can also
configure the client to ensure that certain personal firewalls and AntiVirus
applications are running on your computer. You can configure the client to
delete cached Internet files, generated on your computer during the SSL VPN
session, after the session ends.
Chapter 2
Getting Started
The preceding chapter covered the architectural details of the SSL VPN client.
In this chapter you will learn to use both versions of the SSL VPN client and log
on to the gateway and access intranet resources.
2.1 System Requirements
The system requirements for the SSL VPN client are:
Operating system: Microsoft Windows 98, Windows 2000, Windows NT, Windows XP, or Windows 2003 Server.
Web browser: Internet Explorer, Firefox, Mozilla, NetScape, and Opera.
Note When accessing the SSL VPN on Linux or Mac OS, your computer will automatically
download and install the multi-platform version of the plug-in. For details on
accessing the SSL VPN on these platforms, refer to the SSL VPN Users Guide for
Windows, LINUX, Mac OS, and UNIX Platforms.
2.2 Using the SSL VPN Browser Plug-in
SSL VPN allows you to access authorized resources, on a remote intranet, over
a secure connection. To establish the secure connection, you must first log on
to the SSL VPN via the login page. Contact your SSL VPN administrator for the
URL and the login credentials. The typical format of such a URL is as follows:
https://companyname.com. The following procedure lists the steps to initiate
an SSL VPN session via the browser plug-in.
1. Type the URL of the SSL VPN login page in the browser window. If the SSL
VPN administrator has not configured a trusted SSL certificate that identifies the server, the browser will prompt you with a security alert asking
your permission to access the login page.
Figure 2-1 Security Alert window
The security alert indicates that there might be discrepancies in the certificate.
The possible issues are:
• The certificate has expired.
• The domain name in the certificate does not match the domain name of the
server.
• The certificate is not trusted.
Click No and contact your SSL VPN administrator. If the SSL VPN administrator
instructs you to click Yes, this alert is again displayed after you log on as
shown in Figure 2-5.
2. The login page is displayed as shown in the following figure.
Figure 2-2 SSL VPN Login page
3. Enter your user name and password and click Login. When you log on to
the SSL VPN gateway for the first time, a security warning is displayed as
shown in the following figure. This warning prompts you to download the
browser plug-in.
Figure 2-3 Security warning
Note On a Windows XP-based system, the following dialog box is displayed.
Figure 2-4 Security warning on a Windows XP-based computer
4. Click Yes. The Secure Remote Access Session window is displayed as
shown in the following figure, and the plug-in begins to download. A "Loading..." message is also displayed in this window.
Figure 2-5 Browser plug-in being loaded
5. When the download has completed, the Secure Remote Access Session
window displays the following message: "Closing this window will exit SSL
VPN Session". This indicates that the SSL VPN session is now active. The
portal page configured by the SSL VPN administrator is displayed in the
main browser window, as shown in the following figure.
Figure 2-6 Session window with the portal page in the background
Note If you are not automatically prompted to download the plug-in after successfully
logging in, click the "Click here" hyperlink in the alternative page that is displayed. This alternative page is shown in the following figure.
Figure 2-7 Download prompt page
Note For details on working with a pop-up blocker, especially for a computer running
Windows XP with SP2, consult the SSL VPN administrator.
You can now access resources on the remote site. For example, if you have
logged on to your office network, you can launch your e-mail client and access
your messages.
2.3 Using the SSL VPN Agent
SSL VPN allows you to access authorized resources, on a remote intranet, over
a secure connection. To establish the secure connection, you must first log on
to the SSL VPN via the login page. Contact the SSL VPN administrator for the
URL and the login credentials. The typical format of such a URL is as follows:
https://companyname.com. The following procedure lists the steps to initiate
an SSL VPN session via the agent.
1. Type the URL of the SSL VPN login page in the browser window. If the SSL
VPN administrator has not configured a trusted SSL certificate that identifies the server, the browser will prompt you with a security alert asking
your permission to access the login page.
Figure 2-8 The Security Alert window
The security alert indicates that there might be discrepancies in the certificate.
The possible issues are:
• The certificate has expired.
• The domain name in the certificate does not match the domain name of the
server.
• The certificate is not trusted.
Click No and contact the SSL VPN administrator. If the SSL VPN administrator
instructs you to click Yes, this alert is again displayed after you log on as
shown in Figure 2-5.
2. The login page is displayed as shown in the following figure.
Figure 2-9 SSL VPN Login page
3. Enter your user name and password and click Login. When you log on for
the first time, the following download page is displayed. Click the link to
download and install the agent.
Figure 2-10 Download page
4. When the agent is successfully installed, a security alert is displayed as
shown in the following figure.
Figure 2-11 Security warning
5. Click Yes. The portal page configured by the SSL VPN administrator is displayed in the main browser window with the agent displayed in the system
tray, as shown in the following figure.
Figure 2-12 Portal page
You can now access resources on the remote site. For example, if you have
logged on to your office network, you can launch your e-mail client and access
your messages.
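The security alert in step 1 of the procedures in sections 2.2 and 2.3 names three reasons a browser distrusts the gateway certificate: it has expired, its name does not match the server's domain name, or it is not trusted. The following added example (not part of this guide or of the Citrix client) evaluates those same three conditions over a certificate in the dictionary layout that Python's ssl module returns from getpeercert(); the certificate below is constructed, and the chain-trust result is assumed to be supplied by the caller rather than computed here.

```python
import ssl
import time


def _hostname_matches(pattern, hostname):
    """Match a certificate name against the server's domain name.
    Labels must match exactly; a '*' is accepted only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(pl == hl or (i == 0 and pl == "*")
               for i, (pl, hl) in enumerate(zip(p, h)))


def certificate_alert_reasons(cert, hostname, chain_trusted, now=None):
    """Return the reasons the browser's Security Alert would be raised for cert.

    cert uses the dict layout of ssl.SSLSocket.getpeercert(); chain_trusted is
    the caller's verification result (assumed input, not computed here);
    now is epoch seconds (defaults to the current time)."""
    now = time.time() if now is None else now
    reasons = []
    # 1. Expiry: getpeercert() dates look like "Jan 01 00:00:00 2025 GMT".
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("expired")
    # 2. Name mismatch: use subjectAltName DNS entries, else the subject CN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(_hostname_matches(n, hostname) for n in names):
        reasons.append("name mismatch")
    # 3. Trust: the chain did not verify to a trusted root.
    if not chain_trusted:
        reasons.append("untrusted")
    return reasons


# Constructed sample certificate (not a real gateway certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(certificate_alert_reasons(SAMPLE_CERT, "vpn.example.com", False))
```

An empty list means none of the three conditions applies; anything else is the reason to click No and contact the SSL VPN administrator.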
2.4 Terminating the SSL VPN Session
You can choose to terminate the SSL VPN session by either logging out or by
closing the client application. If you are using the browser plug-in, you can
close the plug-in window to terminate the session.
The temporary files generated on the client computer during an SSL VPN session could pose a security threat. These files can be misused to obtain confidential information. To eliminate this threat, the client supports the cleanup of
the files after the session is closed. This feature, however, needs to be enabled
by the SSL VPN administrator. The following procedures list the steps to
terminate an SSL VPN session.
2.4.1 Terminating the Session for the Agent
The following procedure covers the steps to terminate the session for the
agent.
1. Check the Windows system tray for the icon. This indicates that the
agent is active and that you are currently logged on. Right-click the icon
and select Logout from the short-cut menu. A message box is displayed as
shown in the following figure.
Figure 2-13 Confirmation message box
2. Click Yes. The Citrix Windows Cleanup dialog box is displayed as shown in
the following figure.
Figure 2-14 Citrix Windows Cleanup dialog box
3. Select a cleanup option from the Select Cleanup Level box and click
Cleanup. The cleanup process is initiated and the status is displayed on the
dialog box as shown in the following figure.
Figure 2-15 Cleanup dialog box with details
4. Once the cleanup process is completed successfully, click Exit. The
following message is displayed and the icon in the Windows system tray
changes.
Figure 2-16 Exit message
2.4.2 Terminating the Session for the Browser Plug-in
The following procedure covers the steps to terminate the session for the
browser plug-in.
1. Click Logout on the plug-in window. The following message box is
displayed.
Figure 2-17 Confirmation message box
2. Click OK. The Citrix Windows Cleanup dialog box is displayed as shown in
Figure 2-14.
3. Select a cleanup option from the Select Cleanup Level box and click
Cleanup. The cleanup process is initiated and the status is displayed on the
dialog box as shown in Figure 2-15.
4. Once the cleanup process is completed successfully, click Exit.
2.5 Understanding the Cleanup Process
The administrator of the SSL VPN gateway controls the cleanup process. As a
result, the cleanup dialog box is displayed only if the SSL VPN administrator
has configured the gateway to do so. In addition, the SSL VPN administrator
can also configure the gateway to delete specific data sets, from your computer, when you exit the session. The options corresponding to these data sets
are disabled on the List pane of the Citrix Windows Cleanup dialog box. The
remaining options are either grayed out or activated based on the cleanup
level that you have chosen.
2.5.1 Understanding the Data Sets
As mentioned earlier, the data generated during the SSL VPN session can be
misused to obtain confidential information. For example, you can configure the
client to delete all passwords and auto complete data stored by the browser.
To select the data set, you need to access the List pane on the Citrix Windows
Cleanup dialog box by clicking the List tab. The List pane is shown in the following figure.