Citrix 1812

02-05-2021
 |  [RAND-100] - Comments



downloadWhy can't I download this file?Secure Gateway Single DMZA NetScaler Gateway configuration that involves a Single DMZ accessing Web Interface, the Secure Ticketing Authority (STA) and Presentation Server over ports 1494 and 2598 using Common Gateway Protocol (CGP).Secure Gateway Double Hop DMZ Deployment 1Portal Page Authentication OFF Single NetScaler Gateway in each DMZSecure Gateway Double Hop DMZ Deployment 2Portal Page Authentication ON; Single NetScaler Gateway in each DMZSecure Gateway Double Hop DMZ Deployment 3Portal Page Authentication OFF; Multiple NetScaler Gateways in second DMZSecure Gateway Double Hop DMZ Deployment 4Portal Page Authentication ON; Multiple NetScaler Gateways in Second DMZ

NetScaler Gateway: Secure Gateway Single DMZ

The preceding diagram shows an example of a NetScaler Gateway configuration that involves a Single DMZ accessing Web Interface, the Secure Ticketing Authority (STA) and Presentation Server over ports 1494 and 2598 using Common Gateway Protocol (CGP).

Installer Citrix 1812

Notes:

  • Firewall 1 DMZ (port 443) - Internet user through NetScaler Gateway

  • Firewall 2 Internal Network (ports 80, 443, 1494, and 2598) - Web Interface, STA XML Service, and Presentation Server

Back to top
The following list explains the flow of the diagram:

Windows

  1. The user points the browser to https://<NetScaler Gateway>.

  2. NetScaler Gateway retrieves the Web Interface logon page.

  3. NetScaler Gateway returns the Web Interface logon page to the user.

  4. The user enters credentials into the Web Interface authentication form and clicks log in.

  5. NetScaler Gateway forwards the HTTP-POST credentials to Web Interface.

  6. Web Interface takes the credentials and negotiates with the XML Service.

  7. The XML Service returns the list of applications to the Web Interface page.

  8. Web Interface constructs the appropriate page and responds to NetScaler Gateway.

  9. NetScaler Gateway returns the resultant page to the user.

  10. The user clicks an application, and launches the Presentation Server Client.

  11. NetScaler Gateway receives an STA ticket from the Presentation Server Client to validate.

  12. NetScaler Gateway presents the STA ticket to the STA server.

  13. The STA server responds to the request.

  14. If the STA authorizes the ticket, NetScaler Gateway consults the ICA Access Control List (ACL) to validate whether the incoming ICA connection conforms with the listed ACLs.


    Back to top



NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 1 – Portal Page Authentication OFF Single NetScaler Gateway in each DMZ

Notes:

  • Firewall 2 DMZ2

  • NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.

The following list explains the flow of the diagram:

  1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

  2. NetScaler Gateway 1 retrieves the Web Interface logon page.

  3. NetScaler Gateway 1 returns the Web Interface logon page to the user.

  4. The user enters credentials into the Web Interface authentication form and clicks log in.

  5. NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.

  6. Web Interface takes the credentials and negotiates with the XML Service.

  7. The XML Service returns the list of applications to Web Interface.

  8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.

  9. NetScaler Gateway 1 returns the resultant page to the user.

  10. The user clicks an application, then launches the Presentation Server Client.

  11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

  12. NetScaler Gateway 1 proxies through NetScaler Gateway2 to reach the STA server.

  13. The STA server responds to the request.

  14. NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.

  15. If the STA authorizes the request, NetScaler Gateway 1 consults the ICA ACL list to validate whether the incoming ICA connection conforms with the listed ACLs.

  • Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
  • Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler Gateway 2 is SOCKS or SOCKS over SSL.
  • Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.


Back to top


NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 2 – Portal Page Authentication ON; Single NetScaler Gateway in each DMZ

Notes:

  • NetScaler Gateway 1 can access Web Interface, the Authentication, Authorization, and Accounting (AAA) server and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.

  • The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon authentication again.

Citrix Workspace App 1812

Back to top
The following list explains the flow of the diagram:

  1. The user points the browser to https://<NetScaler Gateway in DMZ 1>.

  2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.

  3. If the authentication is acceptable, NetScaler Gateway 1 logs the user on to Web Interface using Single Sign-on (SSO).

  4. Web Interface takes the credentials and negotiates with the XML Service.

  5. The XML Service returns a list of applications to Web Interface.

  6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.

  7. NetScaler Gateway 1 returns the resultant page to the user.

  8. The user clicks an application, then launches the Presentation Server Client.

  9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

  10. NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.

  11. The STA server responds.

  12. NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.

  13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs.

  • Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
  • Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler Gateway 2 is SOCKS or SOCKS over SSL. Open port used for portal page authentication (for example,1812 for RADIUS).
  • Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.


Back to top


NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 3 – Portal Page Authentication OFF; Multiple NetScaler Gateways in second DMZ

Notes:

  • NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access STA and Presentation Server directly.
  • Configure a Load Balancing virtual server in NetScaler Gateway 1 and point the next hop to this Load Balancing virtual server. SOCKS handshake occurs inside NetScaler Gateway 1.
Back to top

Citrix 1812 Software

The following list explains the flow of the diagram:

  1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

  2. NetScaler Gateway 1 retrieves the Web Interface logon page.

  3. NetScaler Gateway 1 returns the Web Interface logon page to the user.

  4. The user enters credentials into the Web Interface authentication form and clicks Log in.

  5. NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.

  6. Web Interface takes the credentials and negotiates with the XML Service.

  7. The XML Service returns the list of applications to Web Interface.

  8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.

  9. NetScaler Gateway 1 returns the resultant page to the user.

  10. The user clicks an application, then launches the Presentation Server Client.

  11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

  12. NetScaler Gateway 1 decides (based on round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through that appliance to reach the STA server.

  13. The STA server responds.

  14. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.

  15. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs

  • Firewall 1: Open port 443 (SSL port) for the end user browser and the Presentation Server Client to communicate with NetScaler Gateway 1.
  • Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the NetScaler Gateway proxies is SOCKS or SOCKS over SSL.
  • Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation Server.

Note: Ports are always configurable. The above is based on the default protocol port numbers.


Back to top

1812


NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 4 – Portal Page Authentication ON; Multiple NetScaler Gateways in Second DMZ

Notes:

  • NetScaler Gateway 1 can access Web Interface, the AAA server, and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.

  • The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon authentication again.
    Back to top

The following list explains the flow of the diagram:

  1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

  2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.

  3. If authentication is acceptable, NetScaler Gateway 1 signs the user on to Web Interface using SSO.

  4. Web Interface takes the credentials and negotiates with the XML Service.

  5. The XML Service returns a list of applications to Web Interface.

  6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.

  7. NetScaler Gateway 1 returns the resultant page to the user.

  8. The user clicks an application, then launches the Presentation Server Client.

  9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

  10. NetScaler Gateway 1 decides (based on round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through that appliance to reach the STA server.

  11. The STA server responds.

  12. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.

  13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs.

Citrix 1812

  • Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
  • Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the NetScaler Gateway proxies is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for example,1812 for RADIUS).
  • Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.

Back to top

Citrix 1812 User

Additional Resources

CTX114355 - NetScaler Gateway Configuration of Ports on Firewall

Citrix Workspace 1812 Deinstallieren

Citrix Documentation - How NetScaler Gateway Uses IP Addresses

Additional Resources

https://docs.citrix.com/en-us/xenmobile/10/xmob-system-requirements/xmob-deploy-component-port-reqs-con.html