Citrix Templates (Deprecated for 21.x)
About Citrix Templates
The system supports several mechanisms for intermediating traffic between a Citrix server and client, including the Citrix Services Client proxy, JSAM, PSAM, VPN Tunneling, and the hosted Java applets feature.
The Citrix Web template enables you to easily configure access to a Citrix server using the Citrix Services Client proxy, JSAM, or PSAM. The Citrix Web template is a resource profile that controls access to Citrix applications and configures Citrix settings as necessary. Citrix Web templates significantly reduce your configuration time by consolidating configuration settings into one place and by prepopulating a variety of resource policy settings for you depending on the type of Citrix setup you select. You should use the Citrix Web template if you have the Citrix Web Interface already installed in your environment or if you are using a Web server to host your ICA files.
Because of their highly simplified configurations, templates are the ideal Citrix configuration method if you want to deliver ActiveX or Java applets from a third-party Web server through the system.
Citrix Web templates simplify your configuration by automatically detecting whether the Citrix Web client or the Citrix Java applet is being used and employing the appropriate access mechanism accordingly. For instance, if you have configured the Citrix Web Interface to deliver a Java client, the system automatically uses its Java rewriting engine to tunnel traffic. If you have configured the Citrix Web Interface to deliver an ActiveX client, the system uses its Citrix Terminal Services feature, JSAM, or PSAM (depending on the option you select) to tunnel traffic.
We strongly recommend using Citrix templates instead of the traditional role and resource policy configuration options available through the system.
Ivanti does not support saving a Citrix application shortcut to the desktop through the system when the loopback IP address is running on the client. Double-clicking this shortcut returns an error as it does not use JSAM or PSAM.
Comparing Access Mechanisms for Configuring Citrix
Ivanti Connect Secure supports several mechanisms for intermediating traffic between a Citrix server and client, including the Citrix Terminal Services proxy, JSAM, PSAM, VPN Tunneling, and the hosted Java applets feature.
The first table below describes key differences when accessing a Citrix Metaframe Server through a Citrix Web Interface server. The descriptions in this table focus on configuring Citrix Terminal Services, JSAM, and PSAM through Web resource profile templates (select Users > Resource Profiles > Web, click New Profile, and select Citrix Web interface/JICA from the Type list).
If you want to configure access to a Citrix Metaframe server through a Citrix Web Interface server, you must use Web resource profile templates. If you want to configure access to a Citrix Metaframe server without using a Citrix Web Interface server, you must use a standard Citrix Terminal Services or PSAM resource profile or role.
The following table describes accessing the Citrix Web Interface server using Web resource profile templates:

| Requirement | Terminal Services | JSAM | PSAM |
|---|---|---|---|
| User experience | The user clicks a Citrix Web Interface bookmark in the Web Bookmarks section of the end user console. The user is taken to the Citrix Web Interface (WI) sign-in page (assuming you do not configure FORM POST SSO). Once the user signs into the WI portal (either manually or automatically through SSO), he is taken to the Citrix WI portal page, which contains the list of published applications in icon form. When the user clicks the published application, the Citrix Services Client (CTS) proxy launches and the ICA traffic is tunneled through the CTS proxy. | The user launches JSAM. The user clicks a Citrix Web Interface bookmark in the Web Bookmarks section of the end user console. The user is taken to the Citrix Web Interface (WI) sign-in page (assuming you do not configure FORM POST SSO). Once the user signs into the WI portal (either manually or automatically through SSO), he is taken to the Citrix WI portal page, which contains the list of published applications in icon form. When the user clicks the published application, the ICA traffic is tunneled through JSAM. | The user launches PSAM. The user clicks a Citrix Web Interface bookmark in the Web Bookmarks section of the end user console. The user is taken to the Citrix Web Interface (WI) sign-in page (assuming you do not configure FORM POST SSO). Once the user signs into the WI portal (either manually or automatically through SSO), he is taken to the Citrix WI portal page, which contains the list of published applications in icon form. When the user clicks the published application, the ICA traffic is tunneled through PSAM. |
| Accessing published applications from Mac or Linux | Not supported on Mac and Linux. | Supported on Mac and Linux. | Not supported on Mac and Linux. |
| Configuring ports | Automatically monitors all traffic on port 1494 if session reliability is turned off on the server. The system monitors port 2598 if session reliability is turned on. You do not need to specify which ports to monitor or which applications to intermediate. | You must specify which ports to monitor. This enables you to access published applications that use ports other than 1494. | You do not need to specify which ports to monitor or which applications to intermediate. PSAM works in app mode and monitors all traffic coming from certain Citrix executables. |
| Administrator privileges | If a Citrix Web client is not installed on the user's desktop, administrator privileges are required. This is a limitation of the installation of the Citrix client. To install and run the Citrix Services Client proxy client, administrator privileges are not required. | If a Citrix Web client is not installed on the user's desktop, administrator privileges are required. This is a limitation of the installation of the Citrix client. To run JSAM, administrator privileges are not required. | Requires administrator privileges to install PSAM. |
| Modifying host file | Does not require modification of the etc/hosts file. | Does not require modification of the etc/hosts file. | Does not require modification of the etc/hosts file. |

The second table describes key differences when accessing a Citrix Metaframe Server without using a Citrix Web Interface server. The descriptions in that table focus on configuring Citrix Terminal Services, JSAM, and PSAM through standard resource profiles (select Users > Resource Profiles > SAM or Terminal Services).
The following table describes accessing a Citrix Metaframe Server without using a Citrix Web Interface server:

| Requirement | Terminal Services | JSAM | PSAM |
|---|---|---|---|
| User experience | The user launches the published application by clicking the bookmark or icon in the Terminal Services section of the end user console. | JSAM auto-launches when the user signs into the device or the user launches JSAM manually. The user launches the published application using standard methods such as the Windows Start menu or a desktop icon. | PSAM auto-launches when the user signs into the device or the user launches PSAM manually. The user launches the published application using standard methods such as the Windows Start menu or a desktop icon. |
| Accessing published applications from Mac or Linux | Macintosh and Linux users cannot access published applications from a Citrix Metaframe server. | Macintosh and Linux users can access published applications from a Citrix Metaframe server. | Macintosh and Linux users cannot access published applications from a Citrix Metaframe server. |
| Admin configuration | You can specify which ports the system intermediates. If you do not configure this information, the system automatically monitors ports 1494 and 2598. | You cannot configure Citrix as a standard application. Instead, you need to create a custom JSAM application, provide the server names of all Metaframe servers, and specify which ports to monitor. This enables you to use applications such as Citrix Secure Gateways (CSGs) and published applications that use ports other than 1494. | You must specify which ports and applications the system monitors. This enables you to use applications such as Citrix Secure Gateways (CSGs) and published applications that use ports other than 1494. |
| Administrator privileges | If a Citrix Web client is not installed on the user's desktop, administrator privileges are required. This is a limitation of the installation of the Citrix client. To install and run the Citrix Services Client proxy client, administrator privileges are not required. | Requires administrator privileges to run JSAM because etc/hosts file modifications are required. | Requires administrator privileges to install PSAM. |
| Modifying host file | Does not require modification of the etc/hosts file. | Requires modification of the etc/hosts file. | Does not require modification of the etc/hosts file. |
Creating Resource Profiles Using Citrix Web Applications
The Citrix Web template enables you to easily configure Citrix access using the Citrix Services Client proxy, JSAM, or PSAM.
To create a resource profile using the Citrix template:
1. Select Users > Resource Profiles > Web in the admin console.
2. Click New Profile.
3. Select Citrix Web Interface/JICA from the Type list.
4. Enter a unique name and optionally a description for the Citrix resource profile.
5. Enter the URL of the Web server that hosts your ICA files in the Web Interface (NFuse) URL field. Use the format: [protocol://]host[:port][/path]. For instance, enter the URL of an NFuse server, the Web interface for a Citrix Metaframe Presentation Server, or a Web server from which the system can download Citrix Java applets or Citrix cab files. (The system uses the specified URL to define the default bookmark for the Citrix resource profile.) You may enter a directory URL or a file URL.
6. Specify which type of Citrix implementation you are using in your environment by selecting one of the following options:
• Java ICA Client with Web Interface (NFuse) - Select this option if you have deployed the Citrix Web Interface for MPS (that is, NFuse) to deliver Java ICA clients.
• Java ICA Client without Web Interface (NFuse) - Select this option if you have deployed a generic Web server to deliver Java ICA clients.
• Non-Java ICA Client with Web Interface (NFuse) - Select this option if you have deployed the Citrix Web Interface for MPS (that is, NFuse) to use any of the different clients (Java, ActiveX, local).
• Non-Java ICA Client without Web Interface (NFuse) - (Read only) If you have deployed a non-Java ICA client without the Citrix Web Interface for MPS (that is, NFuse), you cannot create a Citrix resource profile through this template. Instead, click the client application profile link beneath this option. The link brings you to the Client Application Profiles page, where you can create a SAM resource profile.
7. From the Web Interface (NFuse) version list, select which Citrix version you are using. (The system uses this value to pre-populate the Forms POST SSO values in your single sign-on autopolicy.)
8. Specify the Metaframe servers to which you want to control access in the MetaFrame servers area. Then click Add. When specifying servers, you can enter wildcards or IP ranges.
The system uses the values that you enter to automatically create a corresponding resource policy that enables access to the necessary resources:
• If you select either Java ICA Client with or without Web Interface, the system creates a corresponding Java ACL resource policy that enables Java applets to connect to the specified Metaframe servers.
• If you select Non-Java ICA Client with Web Interface, and then you select ICA client connects over PSAM or JSAM, the system creates a corresponding SAM resource policy that enables users to access the specified Metaframe servers.
• If you select Non-Java ICA Client with Web Interface, and then you select ICA client connects over CTS, the system creates corresponding Terminal Services and Java resource policies that enable users to access the specified Metaframe servers.
9. (Java ICA clients only.) If you deployed Citrix using a Java ICA Client, select the Sign applets with uploaded code-signing certificate(s) check box to re-sign the specified resources using the certificate uploaded through the System > Configuration > Certificates > Code-signing Certificates page of the admin console.
When you select this option, the system uses all of the "allow" values that you enter in the resource profile's Web access control autopolicy to automatically create a corresponding code-signing resource policy. Within this policy, the system uses the specified Web resources to create a list of trusted servers.
10. (Non-Java ICA clients only.) If you have deployed Citrix using a non-Java ICA Client with a Web interface, you must use the Citrix Services Client proxy, Secure Application Manager, or VPN Tunneling to secure traffic to your Metaframe servers instead of the Content Intermediation Engine.
To secure traffic through the Citrix Services Client proxy or the Secure Application Manager, select one of the following options in the ICA Client Access section:
• ICA client connects over CTS Client - Select this option to secure your Citrix traffic through the Citrix Terminal Services client (if your users are using ActiveX clients) or the Java rewriting engine (if your users are using Java clients). (When you select this option, the system automatically enables the Terminal Services option on the Users > User Roles > Select_Role > General > Overview page of the admin console.)
- If you are using a third-party Web server such as your company's intranet server to deliver the ICA file, make sure the Content-Type of the HTTP response header is application/x-ica. Only then does the system automatically intermediate the ICA file and launch its Citrix Terminal Services client to tunnel the traffic.
- If you select this option, we recommend that you disable Citrix client downloads through the Citrix Web Interface. Otherwise, users could inadvertently start two different windows downloading two versions of the Citrix client simultaneously: one through the system (which automatically attempts to download the Citrix client if one is not present on the user's computer) and one through the Citrix Web Interface.
• ICA client connects over PSAM - Select this option to secure traffic using PSAM. (When you select this option, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select_Role > General > Overview page of the admin console.)
• ICA client connects over JSAM - Select this option to secure traffic using JSAM. Then, configure the following options:
    • Number of Servers/Applications - Enter the lesser of the following two numbers: the maximum number of Citrix servers in your environment or the maximum number of published applications that a user can open simultaneously. For instance, if your environment contains one server and five published applications, enter 1 in this field. Or, if your environment contains 20 servers and 10 published applications, enter 10 in this field. The maximum value this field accepts is 99.
    • Citrix Ports - Specify the ports on which the Metaframe servers listen.
When you select the ICA client connects over JSAM option, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select_Role > General > Overview page of the admin console.
You cannot enable PSAM and JSAM for the same role. Therefore, if you try to create a Citrix resource profile that uses one of these access mechanisms (for instance, JSAM) and another profile associated with the role already uses the other access mechanism (for instance, PSAM), the system does not enable the new access mechanism (JSAM) for the role. Also note that you can only use PSAM or JSAM to configure access to one Citrix application per user role.
11. (Non-Java ICA Client with Web Interface only.) If you want to allow users to access local resources such as printers and drives through their Citrix Web Interface sessions, select the Configure access to local resources check box. Then, select from the following options:
• Select Connect printers if you want to enable the user to print information from the terminal server to his local printer.
• Select Connect drives if you want to enable the user to copy information from the terminal server to his local client directories.
• Select Connect COM Ports if you want to enable communication between the terminal server and devices on the user's serial ports.
- These options are not effective on clients connecting from a 64-bit OS.
- To control access to local resources exclusively through your Citrix Metaframe server settings, clear the Configure access to local resources check box. When you clear the option, the Metaframe server settings take effect. Or, if you want to selectively override Citrix Metaframe server settings for the bookmark, select the Configure access to local resources check box and then specify the local resources to which you want to enable or disable access. Note that if you enable access to a local resource through the system, you still must enable access to it through the Metaframe server as well.
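The CTS Client note in step 10 requires the HTTP response that delivers the ICA file from a third-party Web server to carry the Content-Type application/x-ica, otherwise the system does not intermediate the file. The following check is an added example, not part of the Ivanti documentation: it parses a response head, reduces the Content-Type to its media type (ignoring case and parameters such as charset) and reports whether the file would be recognised; the sample responses are constructed.

```python
"""Check whether an HTTP response delivers an ICA file with the Content-Type the
Citrix Web template expects (application/x-ica) when a third-party Web server
hosts the .ica file.  Added example; the sample responses are constructed."""
import urllib.request
from typing import Dict, Optional, Tuple

EXPECTED_MEDIA_TYPE = "application/x-ica"


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a raw HTTP response head (status line plus headers).

    Returns (status_code, headers) with header names lower-cased; if a header
    repeats, the last value wins.  Parsing stops at the blank line that
    separates the head from the body."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def media_type(content_type: Optional[str]) -> str:
    """Reduce a Content-Type value to its media type: drop parameters such as
    '; charset=utf-8' and normalise case so the comparison is robust."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def ica_delivery_ok(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason).  ok is True only for a 200 response whose media
    type is exactly application/x-ica; anything else (a redirect to a login
    page, a generic application/octet-stream, text/plain) is reported."""
    status, headers = parse_response_head(raw)
    if status != 200:
        return False, f"unexpected status {status}"
    mt = media_type(headers.get("content-type"))
    if mt != EXPECTED_MEDIA_TYPE:
        return False, f"Content-Type is {mt or 'missing'}, expected {EXPECTED_MEDIA_TYPE}"
    return True, "ok"


def check_live(url: str) -> Tuple[bool, str]:
    """Same check against a real server with a HEAD request (not run here).
    urlopen follows redirects, so the final response is what gets checked."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return ica_delivery_ok(head)


# Constructed response heads standing in for what a third-party Web server
# might return for an .ica file; only the first one would be intermediated.
SAMPLES = {
    "correct": ("HTTP/1.1 200 OK\r\n"
                "Content-Type: Application/x-ICA; charset=utf-8\r\n"
                "Content-Length: 512\r\n\r\n"),
    "generic": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
    "text": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
    "redirect": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, reason = ica_delivery_ok(raw)
        print(f"{name:9s} {'OK ' if ok else 'BAD'} {reason}")
```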
When you enable local resources through the terminal server, each user can only access his own local resources. For instance, user 1 cannot see user 2's local directories.
12. Select the Autopolicy: Web Access Control check box to create a policy that allows or denies users access to the resource specified in the Web Interface (NFuse) URL field. (By default, the system automatically creates a policy for you that enables access to the resource and all of its subdirectories.)
13. If you selected one of the Web interface options above, update the SSO policy created by the Citrix template. Select the Autopolicy: Single Sign-on check box. (Single sign-on autopolicies configure the system to automatically pass data such as usernames and passwords to the Citrix application. The system automatically adds the most commonly used values to the single sign-on autopolicy based on the Citrix implementation you choose.)
When you select single sign-on, the WIClientInfo and WINGSession cookies are prepopulated automatically in addition to the POST Resource and URL.
Or, if you selected the non-Web interface option, you may optionally create your own single sign-on autopolicy.
14. Click Save and Continue.
15. Select the roles in the Roles tab to which the Citrix resource profile applies and click Add.
The selected roles inherit the autopolicies and bookmarks created by the Citrix resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option in the Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.
Also enable the Terminal Services access feature under Users > User Roles > Select_Role > General > Overview. If the user role does not have this feature enabled, the Citrix ICA file is delivered as is (without being rewritten) and the Citrix component (CTS) will not start. In this case, the Citrix native client attempts to establish a connection with the back-end server directly (without going through the system) and will fail.
16. Click Save Changes.
17. (Optional.) In the Bookmarks tab, modify the default bookmark created by the system and/or create new ones.
By default, the system creates a bookmark to the Web interface (NFuse) URL defined in the Web Interface (NFuse) URL field and displays it to all users assigned to the role specified in the Roles tab.
Creating Resource Profiles for Citrix Storefront Server
If you have Citrix StoreFront, you can create a Web template to allow users to access Citrix applications without the need for a Citrix client. Users must have one of the following browser versions (or later) to support HTML5 and WebSockets:
• Internet Explorer 10
• Safari 6
• Google Chrome 23
• Mozilla Firefox 17
You can collect all the logs related to this feature using hprewrite-server as the process name.
To create a resource profile using the Citrix template:
1. Select Users > Resource Profiles > Web in the admin console.
2. Click New Profile.
3. Select Citrix StoreFront from the Type list.
4. Enter a unique name and optionally a description for the Citrix resource profile.
5. Enter the URL of the Citrix StoreFront Web server in the Base URL field. Use the format: [protocol://]host[:port][/path]. The system uses the specified URL to define the default bookmark for the Citrix resource profile. You may enter a directory URL or a file URL.
6. Under Citrix Settings, select the ICA Client Access option. You can either choose HTML5 delivery or choose to deliver ICA over the CTS/PSAM/HTML5 Access clients. If you choose ICA over CTS/PSAM/HTML5 Access, the corresponding ACL should be created, and when ICS rewrites the ICA content it should launch the appropriate client. Add the Number of servers/applications and the Citrix Ports that require ICA client access.
7. Select the Autopolicy: Web Access Control check box to create a policy that allows or denies users access to a specific resource under the Base URL. Enter the full URL of the resource, select Allow or Deny, and click Add. By default, the system automatically creates a policy that enables access to the resource and all of its subdirectories.
8. Select the Autopolicy: Single Sign-on check box to automatically pass data such as usernames and passwords to the Citrix application. The system automatically adds the most commonly used values to the single sign-on autopolicy.
9. If you want to perform a form POST when a user makes a request to the resource specified in the Resource field, select the POST the following data check box and specify the following:
• In the Resource field, specify the application's sign-in page, such as: http://my.domain.com/public/login.cgi. Wildcard characters are not supported in this field.
To automatically post values to a specific URL when an end user clicks on a system bookmark, the resource that you enter here must exactly match the URL that you specify in the Base URL field.
• In the Post URL field, specify the absolute URL where the application posts the user's credentials, such as: http://yourcompany.com/login.cgi. You can determine the appropriate URL using a TCP dump or by viewing the application's sign-in page source and searching for the POST parameter in the FORM tag.
• Select the Deny direct login for this resource check box if you do not want to allow users to manually enter their credentials in a sign-in page. (Users may see a sign-in page if the form POST fails.)
• Select the Allow multiple POSTs to this resource check box if you want to send POST and cookie values to the resource multiple times if required. If you do not select this option, the system does not attempt single sign-on when a user requests the same resource more than once during the same session.
• Optionally specify the following for each item of user data you want to post and click Add:
    • Label - The name used to identify the data.
    • Name - The name used to identify the data in the Value field. The back-end application should expect this name.
    • Value - The value to post to the form for the specified Name. You can enter static data, a system variable, or system session variables containing username and password values.
    • User modifiable? - Select Not modifiable to prevent users from changing the information in the Value field. Select User CAN change value to allow users to specify data for a back-end application. Select User MUST change value if users must enter additional data to access a back-end application. If users can or must change the value, a field for data entry appears on the user's Advanced Preferences page. This field is labeled using the name in the Label field. If you enter a value in the Value field, this data appears in the field but is editable.
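Step 9 tells you to find the Post URL by viewing the sign-in page source and locating the FORM tag, and then to add a Name/Value item for each field the back end expects. The following script is an added example, not part of the Ivanti documentation or product: given a saved copy of the sign-in page, it resolves the form action to an absolute Post URL, lists the text/password fields that take the username and password session variables, and lists the hidden fields whose static values must also be posted. The page URL, HTML and field names are constructed and do not correspond to a real Citrix deployment.

```python
"""Extract the Post URL and form fields from a saved sign-in page so the Forms
POST SSO autopolicy (Post URL plus Name/Value items) can be filled in.
Added example; the page URL, HTML and field names below are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin


class SignInFormParser(HTMLParser):
    """Collect every <form> on the page with its method, action and <input>s."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # An <input> with no type attribute is a text field in HTML.
            self._current["inputs"].append({"name": a.get("name"),
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._current = None


def describe_login_form(page_url: str, html: str) -> Dict:
    """Describe the first POST form on the page.

    post_url          absolute Post URL (a relative action is resolved against
                      the page URL; an empty action means the form posts to itself)
    credential_fields text/password input names: these get the username and
                      password session variables as their Value
    hidden_fields     hidden inputs and their static values, which the back end
                      also expects and so need their own Name/Value items
    Raises ValueError when there is no POST form to configure."""
    parser = SignInFormParser()
    parser.feed(html)
    post_forms = [f for f in parser.forms if f["method"] == "post"]
    if not post_forms:
        raise ValueError("no POST form found on the sign-in page")
    form = post_forms[0]
    named = [i for i in form["inputs"] if i["name"]]
    return {
        "post_url": urljoin(page_url, form["action"]) if form["action"] else page_url,
        "credential_fields": [i["name"] for i in named if i["type"] in ("text", "password")],
        "hidden_fields": {i["name"]: i["value"] for i in named if i["type"] == "hidden"},
    }


# Constructed sign-in page; host, paths and field names are illustrative only.
SAMPLE_URL = "https://wi.example.com/portal/auth/login.aspx"
SAMPLE_HTML = """<html><body>
<form id="search" method="get" action="/search"><input name="q"></form>
<form id="login" method="POST" action="/portal/auth/login.aspx">
  <input type="hidden" name="LoginType" value="Explicit" />
  <input name="user" />
  <input type="password" name="password" />
  <input type="text" name="domain" value="CORP" />
  <input type="submit" value="Log On" />
</form></body></html>"""

if __name__ == "__main__":
    info = describe_login_form(SAMPLE_URL, SAMPLE_HTML)
    print("Post URL:", info["post_url"])
    print("credential fields:", info["credential_fields"])
    print("hidden fields to post:", info["hidden_fields"])
```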
10. To post header data to the specified URL when a user makes a request to a resource specified in the Resource field, select the Send the following data as request headers check box. Then:
• In the Resource section, specify the resources to which this policy applies.
• Optionally specify the header data to post by entering data in the following fields and clicking Add:
    • Header name - The text to send as header data.
    • Value - The value for the specified header.
11. Click Save and Continue.
12. Select the roles in the Roles tab to which the Citrix resource profile applies and click Add.
The selected roles inherit the autopolicies and bookmarks created by the Citrix resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option in the Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.
13. Click Save Changes.
14. (Optional.) Select the Bookmarks tab to modify the default bookmark created by the system and/or create new bookmarks. By default, the system creates a bookmark for the URL defined in the Base URL field and displays it to all users assigned to the role specified in the Roles tab.