Citrix Templates
About Citrix Templates
The system supports several mechanisms for intermediating traffic between a Citrix server and client, including the Citrix Services Client proxy, JSAM, PSAM, VPN Tunneling, and the hosted Java applets feature.
The Citrix Web template enables you to easily configure access to a Citrix server using the Citrix Services Client proxy, JSAM, or PSAM. The Citrix Web template is a resource profile that controls access to Citrix applications and configures Citrix settings as necessary. Citrix Web templates significantly reduce your configuration time by consolidating configuration settings into one place and by prepopulating a variety of resource policy settings for you depending on the type of Citrix setup you select.
Because of their highly simplified configurations, templates are the ideal Citrix configuration method if you want to deliver ActiveX or Java applets from a third-party Web server through the system.
Citrix Web templates simplify your configuration by automatically detecting whether the Citrix Web client or the Citrix Java applet is being used and employing the appropriate access mechanism accordingly.
We strongly recommend using Citrix templates instead of the traditional role and resource policy configuration options available through the system.
Ivanti does not support saving a Citrix application shortcut to the desktop through the system when the loopback IP address is running on the client. Double-clicking this shortcut returns an error as it does not use JSAM or PSAM.
Comparing Access Mechanisms for Configuring Citrix
Ivanti Connect Secure supports several mechanisms for intermediating traffic between a Citrix server and client, including the Citrix Terminal Services proxy, JSAM, PSAM, VPN Tunneling, and the hosted Java applets feature.
The following table compares the mechanisms for accessing a Citrix Metaframe server:
| Requirement | Terminal Services | JSAM | PSAM |
|---|---|---|---|
| User experience | The user launches the published application by clicking the bookmark or icon in the Terminal Services section of the end user console. | JSAM auto-launches when the user signs into the device or the user launches JSAM manually. The user launches the published application using standard methods such as the Windows Start menu or a desktop icon. | PSAM auto-launches when the user signs into the device or the user launches PSAM manually. The user launches the published application using standard methods such as the Windows Start menu or a desktop icon. |
| Accessing published applications from Mac or Linux | Macintosh and Linux users cannot access published applications from a Citrix Metaframe server. | Macintosh and Linux users can access published applications from a Citrix Metaframe server. | Macintosh and Linux users cannot access published applications from a Citrix Metaframe server. |
| Admin configuration | You can specify which ports the system intermediates. If you do not configure this information, the system automatically monitors ports 1494 and 2598. | You cannot configure Citrix as a standard application. Instead, you need to create a custom JSAM application, provide the server names of all Metaframe servers, and specify which ports to monitor. This enables you to use applications such as Citrix Secure Gateways (CSGs) and published applications that use ports other than 1494. | You must specify which ports and applications the system monitors. This enables you to use applications such as Citrix Secure Gateways (CSGs) and published applications that use ports other than 1494. |
| Administrator privileges | If a Citrix Web client is not installed on the user's desktop, administrator privileges are required. This is a limitation of the installation of the Citrix client. To install and run the Citrix Services Client proxy, administrator privileges are not required. | Requires administrator privileges to run JSAM because etc/hosts file modifications are required. | Requires administrator privileges to install PSAM. |
| Modifying host file | Does not require modification of the etc/hosts file. | Requires modification of the etc/hosts file. | Does not require modification of the etc/hosts file. |
Creating Resource Profiles for Citrix Storefront Server
If you have Citrix StoreFront 3.1 and above, you can create a Web template to allow users to access Citrix applications without the need for a Citrix client. Users must have one of the following browser versions (or later) to support HTML5 and WebSockets:
•Internet Explorer 10
•Safari 6
•Google Chrome 23
•Mozilla Firefox 17
You can collect all the logs related to this feature using hprewrite-server as the process name.
To create a resource profile using the Citrix template:
1.Select Users > Resource Profiles > Web in the admin console.
2.Click New Profile.
3.Select Citrix StoreFront 3.1 and above from the Type list.
4.Enter a unique name and optionally a description for the Citrix resource profile.
5.Enter the URL of the Citrix StoreFront Web server in the Base URL field. Use the format: [protocol://]host[:port][/path]. The system uses the specified URL to define the default bookmark for the Citrix resource profile. You may enter a directory URL or a file URL.
6.Under Citrix Settings, select the ICA Client Access option. You can either deliver ICA through HTML5 or deliver ICA over the CTS/PSAM/HTML5 Access clients. If you choose ICA over CTS/PSAM/HTML5 Access, the corresponding ACL should be created, and ICS should launch the appropriate client when it rewrites ICA content. Add the Number of servers/applications and Citrix Ports which require ICA client access.
7.Select the Autopolicy: Web Access Control check box to create a policy that allows or denies users access to a specific resource under the Base URL. Enter the full URL of the resource, select Allow or Deny, and click Add. By default, the system automatically creates a policy that enables access to the resource and all of its subdirectories.
8.Select the Autopolicy: Single Sign-on check box to automatically pass data such as usernames and passwords to the Citrix application. The system automatically adds the most commonly used values to the single sign-on autopolicy.
9.If you want to perform a form POST when a user makes a request to the resource specified in the Resource field, select the POST the following data check box and specify the following:
•In the Resource field, specify the application's sign-in page, such as: http://my.domain.com/public/login.cgi. Wildcard characters are not supported in this field.
To automatically post values to a specific URL when an end user clicks on a system bookmark, the resource that you enter here must exactly match the URL that you specify in the Base URL field.
•In the Post URL field, specify the absolute URL where the application posts the user's credentials, such as: http://yourcompany.com/login.cgi. You can determine the appropriate URL using a TCP dump or by viewing the application's sign-in page source and searching for the POST parameter in the FORM tag.
•Select the Deny direct login for this resource check box if you do not want to allow users to manually enter their credentials in a sign-in page. (Users may see a sign-in page if the form POST fails.)
•Select the Allow multiple POSTs to this resource check box if you want to send POST and cookie values to the resource multiple times if required. If you do not select this option, the system does not attempt single sign-on when a user requests the same resource more than once during the same session.
•Optionally specify the following for each item of user data you want to post and click Add:
•Label: The name used to identify the data.
•Name: The name used to identify the data in the Value field. The back-end application should expect this name.
•Value: The value to post to the form for the specified Name. You can enter static data, a system variable, or system session variables containing username and password values.
•User modifiable?: Select Not modifiable to prevent users from changing the information in the Value field. Select User CAN change value to allow users to specify data for a back-end application. Select User MUST change value if users must enter additional data to access a back-end application. If users can or must change the value, a field for data entry appears on the user's Advanced Preferences page. This field is labeled using the name in the Label field. If you enter a value in the Value field, this data appears in the field but is editable.

10.To post header data to the specified URL when a user makes a request to a resource specified in the Resource field, select the Send the following data as request headers check box. Then:
•In the Resource section, specify the resources to which this policy applies.
•Optionally specify the header data to post by entering data in the following fields and clicking Add:
•Header name: The text to send as header data.
•Value: The value for the specified header.
11.Click Save and Continue.
12.Select the roles in the Roles tab to which the Citrix resource profile applies and click Add.
The selected roles inherit the autopolicies and bookmarks created by the Citrix resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option in the Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.
13.Click Save Changes.
14.(Optional.) Select the Bookmarks tab to modify the default bookmark created by the system and/or create new bookmarks. By default, the system creates a bookmark for the URL defined in the Base URL field and displays it to all users assigned to the role specified in the Roles tab.
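A pre-save check of the Base URL, Resource, and Post URL values from steps 5 and 9, written as an added example (not Ivanti code). The function name and finding codes are hypothetical; treating "*" as the wildcard character, and flagging cleartext HTTP and a Post URL host that differs from the sign-in page host, are assumptions added so the credential destination gets reviewed.

```python
import re
from urllib.parse import urlsplit

# Step 5 format: [protocol://]host[:port][/path]
BASE_URL_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"   # optional protocol
    r"[A-Za-z0-9.-]+"                     # host
    r"(?::(?P<port>\d{1,5}))?"            # optional port
    r"(?:/\S*)?$"                         # optional path
)

def check_sso_post(base_url, resource, post_url):
    """Return (code, message) findings for a planned form-POST SSO setup."""
    findings = []
    m = BASE_URL_RE.match(base_url)
    if not m:
        findings.append(("base-format", "Base URL is not [protocol://]host[:port][/path]"))
    elif m.group("port") and not 1 <= int(m.group("port")) <= 65535:
        findings.append(("base-port", "Base URL port is outside 1-65535"))
    # Assumption: "*" is the wildcard character the Resource field rejects.
    if "*" in resource:
        findings.append(("wildcard", "Resource contains a wildcard"))
    # Bookmark-click SSO requires Resource to equal the Base URL exactly.
    if resource != base_url:
        findings.append(("mismatch", "Resource differs from Base URL"))
    post = urlsplit(post_url)
    if post.scheme not in ("http", "https") or not post.netloc:
        findings.append(("post-relative", "Post URL is not an absolute URL"))
        return findings
    if post.scheme == "http":
        findings.append(("post-cleartext", "Credentials are posted over unencrypted HTTP"))
    res_host = urlsplit(resource).hostname
    if res_host and post.hostname != res_host:
        findings.append(("post-host", "Post URL host differs from the sign-in page host"))
    return findings

if __name__ == "__main__":
    # Constructed sample using the example URLs from step 9.
    for code, msg in check_sso_post(
        "http://my.domain.com/public/login.cgi",
        "http://my.domain.com/public/login.cgi",
        "http://yourcompany.com/login.cgi",
    ):
        print(f"{code}: {msg}")
```

An empty list means the three values satisfy the rules stated in the procedure; any finding is a prompt to recheck the profile before saving it.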