Citrix Web Interface 4 Implementation Guide

Author: Janel Walters

Copyright

Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Citrix Web Interface Application Overview

This documentation presents an overview and necessary steps in configuring Citrix Web Interface 4.0 for use with CRYPTO-MAS and CRYPTOCard tokens. CRYPTO-MAS works in conjunction with the Citrix Web Interface 4 to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a connection to gain access to protected resources.

How CRYPTOCard Web Interface Agent authentication works

Citrix Web Interface is an application deployment system that provides users with access to MetaFrame applications through a standard Web browser. Each user is presented with all the applications published in the MetaFrame server farms for that user or group. With Web Interface, administrators have centralized application management capabilities and complete control over the application deployment process. CRYPTOCard provides a module that, once installed with Citrix Web Interface, requires all users to successfully authenticate against a CRYPTO-MAS server before access is granted.

1. The administrator installs the CRYPTOCard Web Interface Agent on the Citrix Web Interface 4.x system.
2. The administrator configures Citrix Web Interface 4.x to use CRYPTOCard authentication by activating this option via the Citrix Access Console.
3. The user establishes a connection to Citrix Web Interface via their web browser. The user enters their Microsoft username, password and CRYPTOCard token-generated one-time password into the Citrix Web Interface Logon page.
4. The CRYPTOCard Citrix Web Interface agent passes the Microsoft username and password to the Domain Controller and the CRYPTOCard PIN + One-time password to the CRYPTO-MAS Server.
5. The Microsoft username and password are verified by the Domain Controller and the CRYPTOCard PIN + One-time password is verified by the CRYPTO-MAS Server.
6. If both passwords are valid, the user is presented with the Citrix Applications defined within the Citrix Presentation Server.


Prerequisites

The following must be installed and operational prior to configuring Citrix Web Interface to use CRYPTOCard authentication.

• Verify that Citrix Web Interface 4.0 authentication works using static passwords before configuring CRYPTOCard authentication.
• An initialized CRYPTOCard token assigned to a valid CRYPTOCard user.

The following CRYPTO-MAS server information is also required if performing RADIUS authentication:

Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Authentication port number:
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:
Company/Organization name:

The following CRYPTO-MAS server information is also required if performing CAP authentication:

Primary CRYPTO-MAS CAP Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS CAP Authentication port number:
Company/Organization name:


Citrix Web Interface Agent Installation

The following instructions apply for configuring the CRYPTOCard Citrix Web Interface 4.0 Agent to authenticate against the CRYPTO-MAS Server. In order for Citrix Web Interface to authenticate CRYPTOCard token users, a CRYPTOCard Citrix Web Interface Agent must be installed and then configured within the Citrix Access Suite Console. Configuring Citrix Web Interface consists of 4 steps.

Step 1 - Install the Citrix Web Interface Agent

1. Run the CRYPTOCard Citrix Web Interface 4.0 Agent installer on the prepared server. Read and accept the license agreement to continue the installation.
2. Select Static Password installation mode.
3. Fill in the information for the CRYPTO-MAS server obtained from the prerequisites section, then select Next.
4. Choose the Web Interface Site folder location (the default is \inetpub\wwwroot\citrix\Metaframe), then continue the installation.

Step 2 - Enabling CRYPTOCard Authentication in Citrix Web Interface

Citrix Web Interface must be configured to allow CRYPTOCard authentication.

1. On the Web Interface 4.0 system, open the Citrix Access Suite Console for Presentation Server.
2. Expand the Suite Components, and then expand Configuration Tools. Now select Web Interface and highlight your Web Interface site. This should be the site where the CRYPTOCard Citrix Web Interface 4.0 Agent was installed. Select the Configure authentication methods task.


3. Select Explicit authentication and ensure that CryptocardWI_4.0 is selected in the Enforce 2-factor authentication dropdown list.


4. Run the Discovery process to ensure no errors are reported. Exit from the Citrix Access Suite Console.
5. Browse to the Citrix Web Interface logon page. A CRYPTOCard-enabled logon page will appear, forcing all users to authenticate to the CRYPTO-MAS Server.


Configuring CRYPTOCard Authentication for Multiple Web Interface 4.0 Sites

Citrix Web Interface 4.0 provides the ability to create multiple Web Interface sites. Each site can be configured to access a Citrix farm residing on a Citrix Presentation Server 4.0 server. Each site that is created has a unique URL associated with it during the site creation process. By default, the first Web Interface site is called \inetpub\wwwroot\citrix\MetaFrame, the second site created is called …\MetaFrame1, the third site would be called …\MetaFrame2, and so on.

The following describes how to apply CRYPTOCard authentication to multiple Web Interface 4.0 sites. It assumes that the CRYPTOCard Citrix Web Interface 4.0 Agent has been installed in the default site location of \inetpub\wwwroot\citrix\MetaFrame.

1. Make a backup of the appropriate MetaFrame site folder (i.e. \inetpub\wwwroot\citrix\MetaFrame1).

2. Copy ccwia.dll, authcap.dll, and csccwia.dll from the …\MetaFrame\bin folder to the …\MetaFrame1\bin folder.

3. Copy cryptocardWI_4.0.aspx and cryptocardWI_4.0_CL_INT.aspx from the …\MetaFrame\auth folder to the …\MetaFrame1\auth folder.

4. From the …\MetaFrame1\auth folder, rename change_pin_system.aspx, change_pin_user.aspx, change_pin_warning.aspx, and login.aspx (e.g. by adding a backup_ prefix). Then copy these files from the …\MetaFrame\auth folder into the …\MetaFrame1\auth folder.

5. From the …\MetaFrame1\auth\clientscripts folder, rename login.js (e.g. by adding a backup_ prefix). Then copy login.js from the …\MetaFrame\auth\clientscripts folder into the …\MetaFrame1\auth\clientscripts folder.

6. From the …\MetaFrame1\auth\include folder, rename loginButtons.inc, loginMainForm.inc, and loginView.ascx (e.g. by adding a backup_ prefix). Then copy these files from the …\MetaFrame\auth\include folder into the …\MetaFrame1\auth\include folder.

7. Modify the WebInterface.conf file located in \inetpub\wwwroot\citrix\MetaFrame1\conf by adding the following line to the bottom of the file, then save the file:

   AdditionalExplicitAuthentication=CryptocardWI_4.0

8. Use the Citrix Access Suite Console to enable CRYPTOCard authentication for the …\MetaFrame1 site.
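
A site that has not been through all of these steps lacks the agent's files or its configuration line, so after adding sites it is worth checking every site folder against the default one. The PowerShell below is an added example, not CRYPTOCard or Citrix code; the C: drive letter, the MetaFrame* folder pattern, the function name Test-CryptocardSite, and the use of the default MetaFrame site as the known-good reference are assumptions.

```powershell
# Added example (not CRYPTOCard or Citrix code): audit each Web Interface site folder.
# Assumptions: drive letter C:, default reference site "MetaFrame" is correctly configured.
# Get-FileHash requires PowerShell 4.0 or later.
param(
    [string]$CitrixRoot = 'C:\inetpub\wwwroot\citrix',
    [string]$Reference  = 'MetaFrame'
)

# Agent files copied in steps 2-3; they must exist in every site.
$agentFiles = 'bin\ccwia.dll', 'bin\authcap.dll', 'bin\csccwia.dll',
              'auth\cryptocardWI_4.0.aspx', 'auth\cryptocardWI_4.0_CL_INT.aspx'
# Stock files replaced in steps 4-6; every site has them, so compare content instead.
$replacedFiles = 'auth\change_pin_system.aspx', 'auth\change_pin_user.aspx',
                 'auth\change_pin_warning.aspx', 'auth\login.aspx',
                 'auth\clientscripts\login.js', 'auth\include\loginButtons.inc',
                 'auth\include\loginMainForm.inc', 'auth\include\loginView.ascx'
$confLine = 'AdditionalExplicitAuthentication=CryptocardWI_4.0'
$refPath  = Join-Path $CitrixRoot $Reference

function Test-CryptocardSite([string]$SitePath) {
    $missing = @($agentFiles | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $SitePath $_)) })
    $stale = @($replacedFiles | Where-Object {
        $site = Join-Path $SitePath $_
        $ref  = Join-Path $refPath  $_
        -not (Test-Path -LiteralPath $site) -or
        (Get-FileHash -LiteralPath $site).Hash -ne (Get-FileHash -LiteralPath $ref).Hash })
    $conf = Join-Path $SitePath 'conf\WebInterface.conf'
    # Exact match on the trimmed line, so an altered or prefixed entry does not count.
    $enabled = (Test-Path -LiteralPath $conf) -and
        [bool](Get-Content -LiteralPath $conf | Where-Object { $_.Trim() -eq $confLine })
    [pscustomobject]@{
        Site         = Split-Path $SitePath -Leaf
        MissingAgent = $missing -join ', '
        NotReplaced  = $stale -join ', '
        ConfLine     = $enabled
        Compliant    = ($missing.Count -eq 0 -and $stale.Count -eq 0 -and $enabled)
    }
}

# Check every additional site (MetaFrame1, MetaFrame2, ...) against the reference site.
Get-ChildItem -LiteralPath $CitrixRoot -Directory -Filter 'MetaFrame*' |
    Where-Object { $_.Name -ne $Reference } |
    ForEach-Object { Test-CryptocardSite $_.FullName } |
    Format-Table -AutoSize
```

A site reported with Compliant set to False still needs the file copy, the WebInterface.conf line, or both; enabling the method in the Citrix Access Suite Console (step 8) is not visible to this check.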


Solution Overview

Summary

Product Name: Citrix Web Interface 4.0
Vendor Site: http://www.citrix.com
Supported Client Software: Internet Explorer 6+, Mozilla Firefox 1.5+
Authentication Method: RADIUS or CAP Authentication

Supported RADIUS or CAP Functionality

RADIUS Authentication Encryption: PAP
Authentication Method: One-time password, Static password
New PIN Mode:
• User-changeable Alphanumeric 4-8 digit PIN
• User-changeable Numeric 4-8 digit PIN
• Server-changeable Alphanumeric 4-8 digit PIN
• Server-changeable Numeric 4-8 digit PIN

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date                 Changes
October 27, 2006     Initial Draft
November 8, 2006     Global Edit
November 29, 2006    Minor Revision
