New Betas: Secure Gateway 3.0 and Web Interface 4.0

Written on Feb 15 2005


by Thomas Koetzing

Citrix released the first public preview versions of MetaFrame Presentation Server 4.0 after their annual iForum show in October 2004. They then released an updated preview version at their Solution Summit show this past January. Since I spent quite a bit of time with the first preview, I wanted to see what the developers had done between these two releases. This article updates my previous findings. (Please read the WI 4.0 and CSG 3.0 articles if you haven’t done so yet.)

Web Interface 4.0 build 43524

Many of the bugs I noticed in the previous version have now been fixed and some additional enhancements have been added. It’s clear the developers are still moving file locations around, because the Web Interface has been broken into several small packages (wi.zip; pna.zip; mcm.zip; common.zip).

In addition to the previous Windows authentication support, Citrix added NIS (UNIX) authentication and is working on NDS (Novell) support with full context searching. Web Interface 3.0 was limited to twenty Novell context entries and no context search was available directly from Citrix. (Centralis had to release customizations for WI version 2.x and 3.0 to make searching the context tree possible. You can find this code on my site at http://www.citrix4ge.de/wim/wimncs.htm.)

This latest preview version of Web Interface has a lot of other little improvements, including a better display arrangement within the Access Suite Console, more descriptions of what effect every option has, and the ability to set the default ICA client or to only allow Unicode clients (version 8+).

Web Interface Ticketing

WI ticketing requires at least MetaFrame 1.8 FR1. Previously you could only disable it by editing the template.ica file (see CTX103305), but now you can configure it all via the GUI. (Of course ticketing is an important component of your WI security and should not be disabled.)

Speaking of security, I still think the new GUI is missing the ability to automatically configure a robots.txt file to prevent search engine spiders from crawling and indexing your site. At the moment there are more than 300 WI login sites listed in the Google database. Read my advice that I posted to the Citrix Support Forum a long time ago about this. (http://ctxex10.citrix.com/forums/searchClick.jspa?messageID=174897&searchID=3313639)
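What such an automatically generated robots.txt could look like, as an added example that is not Citrix's code or part of the original article: it builds one Disallow rule per Web Interface site and checks the result with Python's standard robots.txt parser. The site paths are hypothetical placeholders; note that robots.txt only asks well-behaved crawlers to stay away and does not restrict access to the login page.

```python
import urllib.robotparser


def build_robots_txt(site_paths):
    """Return robots.txt text that disallows every listed WI site path."""
    lines = ["User-agent: *"]
    for path in site_paths:
        clean = path.strip("/")
        # Normalise to /dir/ form; an empty path means the whole server.
        rule = "/" + clean + "/" if clean else "/"
        lines.append("Disallow: " + rule)
    return "\n".join(lines) + "\n"


def blocked_for(robots_txt, url_path, agent="Googlebot"):
    """True if a crawler that honours robots_txt would skip url_path."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return not parser.can_fetch(agent, url_path)


# Hypothetical site directories, one per WI site created in the console.
SAMPLE_SITES = ["Citrix/SiteA", "/Citrix/SiteB/"]

if __name__ == "__main__":
    text = build_robots_txt(SAMPLE_SITES)
    print(text)
    for page in ("/Citrix/SiteA/login.aspx", "/index.html"):
        print(page, "blocked" if blocked_for(text, page) else "allowed")
```
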

Customization Points (CP’s)

To customize the web pages in previous versions of Web Interface, administrators had to pore over the source code to find the places they thought they could change to effect a customization. There were no hints or comments of any kind.

Thankfully this is changing in WI 4.0. If you edit the source code you’ll find “Customization Points” (with easy-to-locate “CP CP CP CP CP” text borders). These CPs have full documentation and hints for what you should and shouldn’t do! (And since WI 4.0 is based on ASP.NET, the web pages’ source code is compiled at runtime so these extra words do not affect the performance or load times of the pages.)

These CPs give me hope that we might see an “Advanced Web Interface 4.0 Guide” and/or WING Guide for customizations.

Secure Gateway 3.0 Build 40369

The big news here is that Session Reliability is now fully supported through CSG as long as you have a Secure Ticket Authority version 4.0. The STA is now built into MPS 4.0’s Citrix XML Service.

To get Session Reliability working through a CSG, both the CSG and WI have to point to a version 4 STA. If you want to use the CSG in “relay mode” (an option that was in CSG 1.x, removed for 2.x, and back in 4.0) you can’t use Session Reliability, since relay mode doesn’t use a WI or STA.

You’ll also need to explicitly enable this option in WI 4.0. Enabling it adds a new entry, “CGPSecurityTicket=On”, to the rendered launch.ica file. You’ll also need a Win32 ICA Client version 9.00.30589 or newer.

If the client doesn’t support CGP (which is what Session Reliability uses) then it falls back to SOCKS and connects through the CSG in the traditional way without Session Reliability enabled.

A quick look at a sniff of the XML stream (more on that here) shows that the “Allowed Ticket Type” is version 4 and that the address information is set for port 2598 (which is the CGP / Session Reliability port).

In the end I think that Citrix’s WI/CSG development teams have done a very good job with the upcoming Web Interface and Secure Gateway. Of course there is still room for improvements and enhancements to these secure access components, including solving the WI ClientName issue, the WI/CSG “real” client IP dilemma, CSG Access Suite Console integration, and Access Suite Console reports for the CSG/WI. I’m sure they will make it some day though…







Comments

Guest wrote What about AIEs?
on Wed, Feb 16 2005 8:40 AM
Has anyone actually been able to get the "Application Isolation Environments" to work in the preview yet?

Opinions vs. Softgrid?
Jay Tomlin wrote Nice review
on Wed, Feb 16 2005 3:30 PM
Hi Thomas, nice review. Here are a few comments on your comments:

> Web Interface has been broken into several small
> packages (wi.zip; pna.zip; mcm.zip; common.zip).

These zip files are part of the implementation of multi-site support. The Access Suite Console allows you to create as many WI sites as you like. Each time you create a new MetaFrame Presentation Server site, the wi.zip file containing all the web scripts and images for that type of site is exploded into the target directory for your new WI instance. The pna.zip file is used for PNAgent sites and mcm.zip is used for MetaFrame Conferencing Manager sites.

> Citrix added NIS (UNIX) authentication and is working
> on NDS (Novell) support with full context searching.

WI has always supported NIS authentication, it's just more clear now in the admin console. Plus, the Novell integration feature has always supported full context searching too... when you supply particular contexts in the configuration it is to limit the context search to a subset of the NDS tree. New in version 4.0 is support for Novell authentication under Web Interface for UNIX.

> ability to set the default ICA client or to only allow
> unicode clients (version 8+).

This feature was introduced in Web Interface 3.0, where it is enabled by clearing the WIAdmin checkbox labeled "Enable support for legacy ICA clients".

> hope that we might see an "Advanced Web Interface 4.0
> Guide" and/or WING Guide for customizations.

Yes, the WI 4.0 documentation will include an advanced customization guide with tutorials on how to use the new WING API's.

> If the client doesn’t support CGP (which is what Session
> Reliability uses) then it falls back to SOCKS and connects
> through the CSG in the traditional way without Session
> Reliability enabled.

Also, if the SR checkbox is enabled in WI but the STA is not version 4, WI will gracefully fall back to the older STA protocol and render ICA files that do not attempt to use session reliability.

> solving the WI ClientName issue

Yes, that's a tricky one. Unfortunately WI 4.0 will not offer a solution for this. A real solution is likely to require big changes to MPS, the XML service and IMA, not just WI.

> the WI/CSG “real” client IP dilemma

When Web Interface is placed behind Secure Gateway 3.0, SG3 will pass the "real" client IP to Web Interface in an HTTP header. It will be possible to pick up this value in the WI scripts and use it instead of REMOTE_ADDR. The real client IP will show up in an HTTP server variable called HTTP_X_FORWARDED_FOR.

Best regards,
JayT
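
The point about HTTP_X_FORWARDED_FOR in the comment above, as an added example that is not part of Jay Tomlin's comment or of Citrix's Web Interface scripts: any client can send this header, so it should replace REMOTE_ADDR only when the request actually arrived from the Secure Gateway. The gateway address and function names are assumptions, and the logic is shown in Python rather than in the WI scripts' own language.

```python
import ipaddress

# Assumption: the Secure Gateway host(s) allowed to reach Web Interface.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.0.5/32")]  # constructed value


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def real_client_ip(remote_addr, forwarded_for, trusted=TRUSTED_GATEWAYS):
    """Pick the client address to log or act on.

    remote_addr   -- TCP peer address seen by the web server (REMOTE_ADDR)
    forwarded_for -- raw HTTP_X_FORWARDED_FOR value, or None if absent
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    # The header is client-controlled unless the gateway sent the request.
    if not forwarded_for or not _is_trusted(peer, trusted):
        return str(peer)
    # Walk right to left: the right-most entry comes from the nearest hop.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return str(peer)  # malformed entry: fall back, do not guess
        if not _is_trusted(ip, trusted):
            return str(ip)
    return str(peer)  # header listed only gateways
```
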
Shawn Bass wrote RE: Nice review
on Wed, Feb 16 2005 3:34 PM
Hi Jay, nice to see you here! Thanks for the additional info. Really glad to see that CSG3 is now passing through the true client IP. This has been a big issue when trying to find ways to map printers geographically.

Shawn
Thomas Koetzing wrote Re: Nice review
on Wed, Feb 16 2005 4:17 PM
Hey Jay, thanks for all your comments!

Thomas
Guest wrote Application Isolation Environments
on Wed, Feb 16 2005 10:45 PM
I got it to work with Office 2000 and Office XP. Still not 100% perfect, I'm getting weird messages when the apps fire up. But in theory it worked fine....
It was a bit of a pain to config...you need to read the help section to get it to work.
Guest wrote RE: What about AIEs?
on Mon, May 9 2005 12:36 AM
I have.. and found out it's not really finished. I will start testing again on the 12th of May, which is the official download date of ps4. Then I will find out if it's something I can use. Have tested it with Office versions. Not that hard, not that many tools, not that well documented. I haven't (yet) used Softgrid, but my guess is it's FAR more superior from the docs I've read. I'm most curious about the shortcomings of both though; I've read they have to do with the integration of applications to the server OS like printer drivers and IE components. I have an app to support that uses IE and COM+, so I'm curious if AIE or Softgrid can handle it.
Dennis Pennings wrote RE: What about AIEs?
on Mon, May 9 2005 12:40 AM
This was my reply btw, I forgot to log in.