Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included on your product CD-ROM. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. 2005 Citrix Systems, Inc. All rights reserved. Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, and Program Neighborhood are registered trademarks, and SpeedScreen and Access Gateway are trademarks of Citrix Systems, Inc. in the United States and other countries. RSA Encryption 1996-1997 RSA Security Inc., All Rights Reserved. This product includes software developed by The Apache Software Foundation (http://www.apache.org/) Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved. Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright 2005 Macrovision Corporation. All rights reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. 
Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners. Document Code: September 8, 2005 (KW)
Contents

Chapter 1 Introduction
  Audience
  New Features
    Integration with Advanced Access Control
    Double Source Authentication
  Getting Service and Support
    Subscription Advantage
    Knowledge Center Watches
    Education and Training
  Related Documentation

Chapter 2

Chapter 3
  Installing the Access Gateway in a Four-Post Rack
  Installing the Access Gateway in a Two-Post Rack

Chapter 4
Chapter 1
Introduction
This chapter describes who should read Getting Started with Access Gateway, the new features, and related documentation. Before installing the Access Gateway, review the Access Gateway Pre-Installation Checklist. The checklist provides a single place to record the information you need to set up the Access Gateway successfully.
Audience
This guide is intended for service technicians who install the Access Gateway and for administrators who need to troubleshoot the Access Gateway hardware.
New Features
The following is a brief description of the new features in Access Gateway 4.2. For details about configuring these options, see the Access Gateway Administrator's Guide.
Advanced Access Control:
- Ensures that connections to your network and resources are safe, trusted, and secure
- Adds granularity to policy-based access control
- Allows you to set differing levels of access permission based on evidence you gather about the connecting client device
- Allows users to connect to Advanced Access Control using the Secure Access Client
- Allows fallback to secure clientless access if the client device fails logon requirements
When Advanced Access Control is added to your network, you can configure the Access Gateway using the Access Suite Console. For more information, see Access Gateway Configuration Using Advanced Access Control on page 20 or the Access Gateway with Advanced Access Control Administrator's Guide.
- Security bulletins
- Online problem reporting and tracking (for users with valid support contracts)
Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization's Citrix products.
Subscription Advantage
Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. Not only do you get automatic delivery of feature releases, software upgrades, enhancements, and maintenance releases that become available during the term of your subscription, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Network for more information.
Related Documentation
For additional information about the Access Gateway, refer to these documents:
- Access Gateway Administrator's Guide
- Access Gateway Pre-Installation Checklist
- Access Gateway Readme

For additional information about Advanced Access Control, refer to these documents:
- Advanced Access Control Administrator's Guide
- Upgrade Guide for Advanced Access Control
- Advanced Access Control Readme
Chapter 2
Citrix Access Gateway is a universal SSL virtual private network (VPN) that provides secure, always-on, single-point-of-access to any information resource. It combines the best features of IP Security (IPSec) and typical SSL VPNs without the costly and cumbersome implementation and management, to make access easy for users, secure for the company, and low cost for IT administrators. Key features include:
- Hardened appliance that supports up to 2000 concurrent users at 300 megabits per second (Mbps)
- Supports all applications and protocols, including Voice over IP
- Industry standard encryption that secures and protects information with SSL/TLS encryption
- Desk-like access provides users with the same network and application access as if they are physically connected to the network
- Integrated endpoint security provides a combination of logon time and continuous real-time monitoring to ensure that the device is safe to remain connected to the network
- Integration with Citrix Presentation Server, providing integrated secure gateway functionality and support for Presentation Server-hosted applications
- Integration with Advanced Access Control, providing secure, single-point access to any enterprise resource, including email, applications, network file services, Internet and intranet sites, and documents
The Access Gateway installs in any network infrastructure without requiring changes to the existing hardware or back-end software. It works with other networking products such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices. Installed in the corporate demilitarized zone (DMZ), the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. The Access Gateway can also partition local area networks internally in the organization for access control and security between wired or wireless and data and voice networks.
Note For detailed information about Access Gateway configuration and security considerations, see the Access Gateway Administrator's Guide. If you are using Advanced Access Control, see the Advanced Access Control Administrator's Guide.
The following topics describe how to prepare for and perform the installation of the Access Gateway:
- Preparing for Installation
- Setting Up the Access Gateway Hardware
For a connection to a local area network, use the following items:
- One network cable to connect the Access Gateway inside of a firewall or to a server load balancer
- Two network cables to connect the Access Gateway located in the demilitarized zone (DMZ) to the public and private networks

Collect the following network information:

If locating the Access Gateway inside the firewall:
- The Access Gateway internal and external IP addresses and subnet masks
- The IP address of your firewall (the default gateway device)
- The port to be used for connections

If the Access Gateway is in the DMZ:
- The Access Gateway internal IP address and subnet mask
- The Access Gateway external IP address and subnet mask
- The Access Gateway external IP address or host name for network address translation (NAT)
- The IP address of your firewall (the default gateway device)
- The port to be used for connections
- If the Access Gateway is in front of a router and you want to create static routes rather than having the Access Gateway listen for dynamic routes

If connecting the Access Gateway to a server load balancer:
- The Access Gateway IP address and subnet mask
- The IP address of the server load balancer (the default gateway device)
- The fully qualified domain name (FQDN) of the server load balancer to be used as the External Public Address of the Access Gateway
- The port to be used for connections
Note The Access Gateway does not work with Dynamic Host Configuration Protocol (DHCP). The Access Gateway requires the use of static IP addresses.
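As an added example that is not part of the guide, the following Python script checks the worksheet collected above for the three placements (inside the firewall, in the DMZ, behind a server load balancer) before the values are entered through Express Setup or the Administration Tool; it flags the unchanged factory address, a default gateway that is not on a connected subnet, overlapping interface subnets, and a VPN port that collides with the administration port. The Plan and Interface classes and the sample addresses are this example's own.

```python
"""Consistency check for the network worksheet the guide asks you to fill in
before installing the Access Gateway (added example, not Citrix code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values stated in the guide: the appliance ships at 10.20.30.40, the VPN
# port defaults to 443 and the Administration Portal listens on 9001.
FACTORY_IP = ipaddress.IPv4Address("10.20.30.40")
DEFAULT_VPN_PORT = 443
ADMIN_PORT = 9001


@dataclass
class Interface:
    ip: str      # dotted-quad host address
    mask: str    # dotted-quad subnet mask

    def network(self) -> ipaddress.IPv4Network:
        # strict=False accepts a host address together with its mask
        return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)


@dataclass
class Plan:
    # placement is 'inside', 'dmz' or 'slb': the three cases in the guide
    placement: str
    interface0: Interface                    # external side or only interface
    default_gateway: str                     # firewall, router or load balancer
    port: int = DEFAULT_VPN_PORT
    interface1: Optional[Interface] = None   # internal side, DMZ only
    external_public: Optional[str] = None    # NAT address or FQDN


def _check_host(label: str, iface: Interface, findings: List[str]) -> bool:
    """Append findings for one interface; False if it cannot be parsed."""
    try:
        addr, net = ipaddress.IPv4Address(iface.ip), iface.network()
    except ValueError as exc:
        findings.append(f"{label}: invalid address or mask ({exc})")
        return False
    if addr in (net.network_address, net.broadcast_address):
        findings.append(f"{label}: {addr} is the network or broadcast address")
    if addr == FACTORY_IP:
        findings.append(f"{label}: factory default {FACTORY_IP} has not been changed")
    return True


def check_plan(plan: Plan) -> List[str]:
    """Return findings; an empty list means the worksheet is consistent."""
    findings: List[str] = []
    if plan.placement not in ("inside", "dmz", "slb"):
        return [f"unknown placement '{plan.placement}'"]
    ifaces = [("interface 0", plan.interface0)]
    if plan.placement == "dmz":
        if plan.interface1 is None:
            findings.append("dmz: interface 1 (internal side) is required")
        else:
            ifaces.append(("interface 1", plan.interface1))
        if not plan.external_public:
            findings.append("dmz: external public IP or FQDN for NAT is required")
    elif plan.interface1 is not None:
        findings.append(f"{plan.placement}: only interface 0 is used; drop interface 1")
    parsed = [i for lbl, i in ifaces if _check_host(lbl, i, findings)]
    nets = [i.network() for i in parsed]
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        findings.append("interface 0 and interface 1 subnets overlap")
    try:
        gw = ipaddress.IPv4Address(plan.default_gateway)
    except ValueError:
        findings.append(f"default gateway '{plan.default_gateway}' is not an IPv4 address")
    else:
        if any(gw == ipaddress.IPv4Address(i.ip) for i in parsed):
            findings.append(f"default gateway {gw} is the appliance's own address")
        elif nets and not any(gw in n for n in nets):
            findings.append(f"default gateway {gw} is not on a connected subnet")
    if not 1 <= plan.port <= 65535:
        findings.append(f"port {plan.port} is out of range")
    elif plan.port == ADMIN_PORT:
        findings.append(f"VPN port {ADMIN_PORT} collides with the administration port")
    return findings


if __name__ == "__main__":
    # Constructed DMZ worksheet using documentation address ranges.
    sample = Plan("dmz", Interface("203.0.113.10", "255.255.255.0"), "203.0.113.1",
                  interface1=Interface("192.168.50.5", "255.255.255.0"),
                  external_public="vpn.example.com")
    print("\n".join(check_plan(sample) or ["worksheet is consistent"]))
```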
To physically connect the Access Gateway

1. Install the Access Gateway in a rack if it is rack-mounted. For more information, see Access Gateway Rack Mounting Kit on page 23.
2. Connect the power cord to the AC power receptacle.
3. Choose one of the following ways to perform the initial configuration of the Access Gateway. The preconfigured IP address of the Access Gateway is 10.20.30.40.
Access Gateway connection options using a cross-over cable, a network switch, or terminal emulation
To connect the Access Gateway using network cables
If you use a cross-over cable or two network cables and a switch, power on the Access Gateway. After about three minutes, the Access Gateway is ready for its initial configuration with your network. Continue with Using the Access Gateway Administration Tool on page 14.
To connect the Access Gateway using a serial cable

1. Connect the null-modem cable to the 9-pin serial port on the Access Gateway and connect the cable to a computer that is capable of running terminal emulation software.
2. On the computer, start a terminal emulation application such as HyperTerminal.
3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.
4. Turn on the Access Gateway. The serial console appears on the computer terminal after about three minutes.
5. On the serial console, enter the default administrator credentials. The user name is root and the default password is rootadmin.
6. To set the IP address and subnet mask and the default gateway device for Interface 0, type 0 and press Enter to choose Express Setup. After you respond to the prompts, the information you entered appears. To commit your changes, type y; the Access Gateway restarts.
7. To verify that the Access Gateway can ping a connected network device, type 1 and enter the IP address of the device.
8. Remove the serial cable and connect the Access Gateway to a Windows computer using either a cross-over cable or network cable and then turn on the Access Gateway.
9. Configure the Access Gateway using the Administration Tool.
1. From a Web browser on the computer connected to the Access Gateway, enter the default Web address of https://10.20.30.40:9001. The administration port is 9001. If a certificate is not installed on the Access Gateway, a security alert dialog box appears. Click Yes. The Access Gateway Administration Portal appears.
2. If you see a Security Warning dialog box, click Yes to download the required ActiveX Helper client.
3. When prompted, enter root for user name and rootadmin for password.
ActiveX Helper
When the user connects to the Web Interface portion of the Access Gateway and logs on, net6helper.cab, an ActiveX control is installed. This file provides three main functions: It launches the client from the Web page instead of having to manually download the executable and then launching the Secure Access Client. It performs pre-authentication checks for the Web page. It provides single sign-on for the full client. When the Secure Access Client is started from the Web page, the Secure Access Client does not prompt the user to log on again.
1. In the Access Gateway Administration Portal, click Downloads.
2. Under Administration, click Download Administration Tool Installer. The Administration Tool is installed on your computer.
3. To open the Administration Tool, on the desktop, double-click the icon.
Note If you are upgrading to Version 4.2 from previous versions, uninstall the Administration Tool before installing the new version. To uninstall the Administration Tool, use Add/Remove Programs in Control Panel.
Note You do not need to restart the Access Gateway until you complete all configuration steps.
To configure network settings inside the firewall or behind a server load balancer
1. In the Access Gateway Administration Tool, click the Access Gateway Cluster tab and then click the Networking tab.
2. Select Use only interface 0 and in IP Address, type the Access Gateway internal IP address for Interface 0.
3. In Subnet mask, type the value.
4. Click Submit.
To configure network settings if the Access Gateway is in the DMZ

1. In the Access Gateway Administration Tool, click the Access Gateway Cluster tab and then click the Networking tab.
2. Select Use both interfaces and in IP Address, type the IP address for Interface 0, the external connection, and for Interface 1, the internal connection.
3. In Subnet Mask, type the value for both interfaces.
4. Click Submit.
For any of those configurations, you can also enter the following information:
- In External Public IP or FQDN, type the Access Gateway external IP address or host name.
- In VPN Port, the default port is 443.
- Under Default Gateway, in IP Address, type the IP address of the default gateway device, such as the main router, firewall, or server load balancer. This is the same as the Default Gateway setting on computers on the same subnet.
- On the Name Service Providers tab, enter your DNS and WINS servers and then click Submit.
- If the Access Gateway is in the DMZ and is in front of a router, click the Routes tab. If your site uses Routing Information Protocol (RIP), select Dynamic Routing so that the Access Gateway can use your routing tables. Otherwise, configure a static route so the Access Gateway can reach subnets that are not automatically available through your Default Gateway. Click Submit.
1. In the Administration Tool, click the Access Gateway Cluster tab.
2. On the Administration tab, next to Restart the server, click Restart.
   -or-
   In the Administration Portal, click Maintenance. Next to Restart the Server, click Restart.
   The computer will lose the connection to the Access Gateway.
3. Connect the 10/100 RJ45 NIC connector(s) located on the Access Gateway back panel to your network, according to the configuration you decided to use in Step 1.
Installing Licenses
When you purchase the Access Gateway, license codes are delivered to you by email or appear on the license card in the Connection License Pack. These licenses are also available from the MyCitrix Web site at http://www.mycitrix.com.
To download licenses from the Citrix Web site
- Click Licensing > Citrix Activation System > View Purchased Licenses. If you are a Subscription Advantage customer, use the Licensing > Fulfillment menu on the MyCitrix Web site to obtain the licenses and download the latest product image.
- If you received an email, follow the instructions contained in the email to download your license file(s).
- For deployments of Access Gateway that include Advanced Access Control, copy the license file to your license server using the License Management Console. If using the Access Gateway without Advanced Access Control, upload the license file directly to the appliance.
Important Citrix recommends that you retain a local copy of all license files that you receive. When you save a backup copy of the configuration file, all uploaded license files are included in the backup. If you need to reinstall the Access Gateway server software and do not have a backup of the configuration, you will need the original license files.
To install a license file on the Access Gateway
1. In the Administration Tool, click the Access Gateway Cluster tab and then click the Licensing tab.
2. Click Browse and locate the .lic file that you want to upload.
3. Click Open to upload the license file.
Note You can also install the license file using the Administration Portal.
1. Open the Administration Tool.
2. Click the Access Policy Manager tab.
3. Right-click the Local Users folder in the left pane and click New User.
4. In the Username dialog box, type a user name, the password twice, and click OK.
5. In a Web browser, type the address of the Access Gateway using either the IP address or fully qualified domain name (FQDN) to connect to either the internal or external interface. The format should be either https://ipaddress or https://FQDN.
6. Type the logon credentials. The Access Gateway Secure Access page appears.
7. Click My own computer and then click Connect. The Secure Access Client connection icon appears in the notification tray, indicating a successful connection.
The initial configuration is complete. You can connect to all of your network resources, such as email, Web servers, and file shares, as if you are in the office. To test the connection, try connecting to the applications and resources that are available from the corporate network. Refer to the online Help and the Access Gateway Administrator's Guide for detailed information about the many configuration and customizing options for the Access Gateway.
Firewall Configuration
Configure your firewall so that the port is open for the external IP address of the Access Gateway. The default port is 443. Map the external IP address of the Access Gateway to its internal IP address. For specific information about configuring your firewall, see the manufacturer's documentation.
Caution When you select Advanced Access Control for managing the Access Gateway global settings, the corresponding settings in the Administration Tool are deactivated and any existing configuration values are removed. If you configured these settings with the Administration Tool before selecting Advanced Access Control, you must configure these settings again using the Access Suite Console. For more information about configuring these settings in the console, see the Advanced Access Control Administrator's Guide.

If you disable administration with Advanced Access Control, settings in the Access Suite Console are deactivated and existing configuration values are removed.
To enable Advanced Access Control
1. On the Access Gateway Cluster tab, select an Access Gateway, and click the Advanced Options tab.
2. Do one of the following:
   - If the Access Gateway is going to be configured using the Administration Tool, select The Administration Tool - configures appliances only and then click Submit.
   - If the Access Gateway is going to be configured using the Access Suite Console, select Advanced Access Control - includes an access server farm. Continue with Steps 4 through 8.
3. Select Get Appliance Configuration from Advanced Access Server.
4. In Server running Advanced Access Control, type the IP address or FQDN of the server that is running the Access Suite Console.
5. In Advanced Access Control Logon Agent Root, type the path to the logon point virtual directory. The default is /CitrixLogonPoint. For more information about the Logon Point, see the Advanced Access Control Administrator's Guide.
6. To encrypt communication between the Access Gateway and the server running Advanced Access Control, select Secure server communication.
7. Click Submit.

The server or servers that are configured to connect to the Access Gateway are listed in Advanced Access Control Servers. To remove a server from the list, select the server and then click Remove.
Third-Party Software
Citrix recommends that you do not install any third-party software on the Access Gateway. The installation of third-party software is not supported.
Chapter 3
The Access Gateway Rack Mounting Kit is used to install the Access Gateway in a four-post or two-post rack. This chapter describes installing the Access Gateway in a rack. The rack-mounting kit includes two sets of rail assemblies, two rail mounting brackets, and the mounting screws that you need to install the system into the rack. Follow the steps in the order given to complete the installation process in a minimum amount of time. Read this chapter in its entirety before you begin the installation.
Separating the rails and the mounting holes in the Access Gateway
1. Pull the fixed chassis rail (A) out as far as possible; you will hear a click as a locking tab emerges from inside the rail assembly and locks the inner rail.
2. Depress the locking tab to pull the inner rail completely out. Do this for both the left and right side rack rail assemblies.

1. Position the fixed chassis rail sections (A) that you just removed along the side of the server, making sure the five screw holes align. Note that the right and left rails are specific.
2. Screw the rail securely to the side of the chassis, as illustrated below.
3. Repeat this procedure for the other rail on the other side of the chassis.
4. If you are installing the server in a two-post rack, also attach the rail brackets.
1. Line up the rear of the chassis rails with the front of the rack rails.
2. Slide the chassis rails into the rack rails, keeping pressure even on both sides. You may have to depress the locking tabs while inserting the Access Gateway. Refer to the illustration below. When the Access Gateway is pushed completely into the rack, you will hear the locking tabs click.
3. Finish by inserting and tightening the thumbscrews that hold the front of the Access Gateway to the rack.
Chapter 4
This chapter reviews the hardware specifications of the Access Gateway and the BIOS self-test messages.
Specifications
Processor: Pentium 4 2.8GHz HyperThreading, 800MHz front side bus
Memory: 1 gigabyte (GB) PC3200 (400MHz)
Power supply: 260W, 12V+
Maximum BTU/hr: 887.15
System cooling fan: 1 x 10cm blower fan
Drive bay: 1 x 3.5 inch internal drive bay; 40 GB
Drives: 1 x Slim 32x CD-ROM drive; 1 x 3.5 inch 1.44MB floppy drive
Network adapters: Dual Intel gigabit network adapters
System monitoring: LED indicators for power on, network activity, IDE HDD activity, overheat warning, and drive failure
Chassis size: 16.7 inches x 1.7 inches x 14 inches (1RU)
Accessories: Rack-mounting kit
Error messages

If a message is displayed, it will be accompanied by the following: PRESS F1 TO CONTINUE, CTRL-ALT-ESC OR DEL TO ENTER SETUP. One or more of the following messages may appear if the BIOS detects an error during the POST. This list includes messages for both the ISA and the EISA BIOS.
Appendix A
CMOS BATTERY HAS FAILED. The CMOS battery is no longer functional. Replace the battery.

CMOS CHECKSUM ERROR. The CMOS checksum is incorrect. This can indicate that CMOS is corrupted. This error might be the result of a weak battery. Check the battery and replace if necessary.

DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER. No boot device was found. This could mean that either a boot drive was not detected or the drive does not contain the proper system boot files. Insert a system disk into drive A and press Enter. If you expected the system to restart from the hard drive, make sure the controller is inserted correctly and all cables are properly attached. Also make sure the disk is formatted as a boot device. Then restart the system.

DISKETTE DRIVES OR TYPES MISMATCH ERROR - RUN SETUP. The type of diskette drive installed in the system is different from the CMOS definition. Run Setup to reconfigure the drive type correctly.

DISPLAY SWITCH IS SET INCORRECTLY. The display switch on the motherboard can be set to either monochrome or color. This indicates that the switch is set to a different setting than indicated in Setup. Determine which setting is correct, and then either turn off the system and change the jumper or enter Setup and change the VIDEO selection.

DISPLAY TYPE HAS CHANGED SINCE LAST BOOT. Since last turning off the system, the display adapter was changed. You must configure the system for the new display type.

ERROR ENCOUNTERED INITIALIZING HARD DRIVE. The hard drive cannot be initialized. Be sure the adapter is installed correctly and all cables are correctly and firmly attached. Also be sure the correct hard drive type is selected in Setup.

ERROR INITIALIZING HARD DISK CONTROLLER. Cannot initialize the controller. Make sure the cord is correctly and firmly installed in the bus. Be sure the correct hard drive type is selected in Setup. Also check to see if any jumper needs to be set correctly on the hard drive.

KEYBOARD ERROR OR NO KEYBOARD PRESENT. Cannot initialize the keyboard. Make sure the keyboard is attached correctly and no keys are being pressed during start up. If you are intentionally configuring the system without a keyboard, set the error halt condition in Setup to HALT ON ALL, BUT KEYBOARD. This causes the BIOS to ignore the missing keyboard and continue to start.
Memory Address Error at ... Indicates a memory address error at a specific location. You can use this location along with the memory map for your system to find and replace the faulty memory chips.

Memory Parity Error at ... Indicates a memory parity error at a specific location. You can use this location along with the memory map for your system to find and replace the faulty memory chips.

Memory Verify Error at ... Indicates an error verifying a value already written to memory. Use the location along with your system's memory map to locate the faulty chip.

OFFENDING ADDRESS NOT FOUND. This message is used in conjunction with the I/O CHANNEL CHECK and RAM PARITY ERROR messages when the segment that caused the problem cannot be isolated.

OFFENDING SEGMENT. This message is used in conjunction with the I/O CHANNEL CHECK and RAM PARITY ERROR messages when the segment that caused the problem is isolated.

PRESS A KEY TO REBOOT. This is displayed at the bottom of the screen when an error occurs that requires you to restart. Press any key and the system will restart.

PRESS F1 TO DISABLE NMI, F2 TO REBOOT. When the BIOS detects a Nonmaskable Interrupt condition during start, this allows you to disable the interrupt condition and continue to start, or you can restart the system with the interrupt condition enabled.

RAM PARITY ERROR - CHECKING FOR SEGMENT ... Indicates a parity error in random access memory (RAM).

SYSTEM HALTED, (CTRL-ALT-DEL) TO REBOOT ... Indicates the present start attempt is aborted and the system must be restarted. Press and hold down the CTRL+ALT+DEL keys.

Hard Disk(s) fail (80). HDD reset failed.
Hard Disk(s) fail (40). HDD controller diagnostics failed.
Hard Disk(s) fail (20). HDD initialization error.
Hard Disk(s) fail (10). Unable to recalibrate fixed disk.
Hard Disk(s) fail (08). Sector Verify failed.

Keyboard is locked out - Unlock the key. BIOS detected that the keyboard is locked. P17 of the keyboard controller is pulled low.
Keyboard error or no keyboard present. Cannot initialize the keyboard. Make sure that the keyboard is attached correctly and no keys are being pressed during start up.

Manufacturing POST loop. The system repeats the POST procedure infinitely while P15 of the keyboard controller is pulled low. This is also used for M/B burn-in testing.

BIOS ROM checksum error - System halted. The checksum of ROM address F0000H-FFFFFH is faulty.

Memory test fail. BIOS reports a memory test failure if the onboard memory has an error.