Demystifying Citrix Cloud: Configure Gateway Connector, Access Control, and SSO !

unagi2

Part 1: Demystifying Citrix Cloud: Access Control, Gateway, and Secure Browser

Introduction:

Ever since I wrote an article on Access Control and other Citrix Cloud services such as Secure Browser and Secure Gateway  Demystifying Citrix Cloud: Access Control, Gateway, and Secure Browser, I have been trying to make the Citrix Cloud Gateway Connector work but my efforts were in vain, going down the drain.

At last, the recent release of the Citrix Cloud Gateway Connector is operational, well at least to some extent, and I can showcase the immense potential that lies with the hybrid approach that Citrix now seems to be convinced with after going all-in trying to lift and shift customers to the cloud. Hybrid is a key term in the current digital era and any successful business digitalization initiative should invest in vendors that offer true hybrid service not vendors that try to emulate the cloud to make more money on subscription licensing.

Repeat after me, Monolithic applications do not belong to the cloud, Monolithic applications do not belong to the cloud, Monolithic applications do not belong to the cloud. Keep saying it until you memorize it, I don’t care how many app containerization vendors try to work around this, part of moving to the cloud is transforming applications to a microservices architecture, consider this as part of the cloud transformation journey ( or digital transformation whatever made-up terms work for you ) not something you need to work around for the sake of the journey.

Citrix Gateway Cloud Connector enables Citrix Cloud customers utilizing  Citrix Workspace Services to provide users with access to internal (Does not necessarily mean its on-premises but can be on the cloud as well, internal just means internal to your environment where-ever that may be) hosted web applications with single sign on and access control security capabilities without having to publish that web application to the outside world nor purchase an ADC when only requiring these features. The Gateway Connector acts as a reverse proxy, enables optional single sign-on, and allows for optional security policies to be applied through Access Control all of which open in the built-in Citrix Workspace chromium browser.

The Gateway Connector is a prepackaged virtual appliance available for vSphere, Hyper-V, and Citrix Hypervisor, is around 365 MB in size, and can be downloaded for your Citrix Cloud account under the resource location that it will reside on and provide services for. The installation is fairly simple and straightforward as long as you have a DHCP server in place to facilitate the initial configuration access for the virtual appliance. The gateway connector does support proxy even with authentication but I would always recommend to bypass proxy authentication for gateway connectors. Physical resources required for the virtual appliance as per Citrix:

  • 3 vCPU (The appliance fails to boot with less than 2 vCPU). A maximum of 6 vCPU can be installed. 4 GB memory per vCPU is recommended for optimum performance.

  • 6 GB RAM

  • 1 Network Adapter (virtual NIC). You can add an additional virtual NIC upon requirement. (There seems to be a discrepancy in documenting the NIC requirements. Two  minimum NICs are recommended in the section deploying the gateway connector in Citrix Gateway showcased below but the documentation page lists one NIC. Importing the OVA only added a single NIC never the less the connector did not work until I added a second NIC so for the sake of being on the safe side just add another NIC before initializing the connector).

    image

    image

    The Gateway Connector Single Sign On (SSO) optional capabilities with Citrix Gateway are described by Citrix as follows:

    image

    Basic : If your back-end server presents you with a basic-401 challenge, choose Basic SSO .

    Kerberos : If your back-end server presents you with negotiate-401 challenge, choose Kerberos SSO.

    Form Based : If your back-end server presents you with an HTML form for authentication, choose Form based SSO.

    No SSO : Use No SSO option when you do not need to authenticate user on the backend server.

    The Gateway Connector Reverse Proxy functionality offered through Citrix Gateway is simplified to an easy click of a button:

    image

    The Gateway Connector Security optional capabilities offered through Access Control service are described by Citrix as follows:

    image

    Enable enhanced security: launches and monitors the web or SaaS application in the Citrix embedded browser, and routes unknown traffic to Access Control.

    Restrict clipboard access: disables cut/copy/paste operations between the app and system clipboard

    Restrict printing: disables ability to print from within the app browser.

    Restrict navigation: disables the next/back app browser buttons.

    Restrict downloads: disables the user’s ability to download from within the app.

    Display watermark: displays a watermark on the user’s screen displaying username and IP address of the user’s machine.

    Enforce policy on mobile device: enforces enhanced security selections on a mobile device. Enforcing enhanced security on a mobile device may negatively affect your experience of the application.

    As with Citrix Cloud Connectors, the Gateway Connectors do not require any load balancing and deploying two gateway connectors per resource group is enough to maintain High Availability with nothing else needed. No specific load metrics has been released but if your resource locations contains thousands of users then I would recommend to deploy multiple gateway connectors knowing that all communication is stateless so load is distributed automatically.

    The Gateway Connectors encrypts all communication between internal resource location and the Citrix cloud . All traffic is outbound 443 TCP and no inbound traffic is allowed. Outbound 443 TCP should be at least permitted to the following Citrix Cloud site FQDNs:

    • *.nssvc.net
    • *.netscalermgmt.net
    • *.citrixworkspacesapi.net
    • *.citrixnetworkapi.net
    • *.citrix.com
    • *.servicebus.windows.net

    Since Gateway Connectors act as a reverse proxy to internal web applications, the required web application ports need to be opened from the gateway connectors to the applications that will be published including other traffic to DNS and DC for name resolution and Kerberos delegation:

    • UDP port 53 to DNS server
    • (optional1) TCP&UDP port 389 to Active Directory Domain Controllers
    • (optional1) TCP port 636 to Active Directory Domain Controllers
    • (optional1) TCP port 3268 to Active Directory Domain Controllers
    • (optional1) TCP port 3269 to Active Directory Domain Controllers
    • TCP ports to Web Servers accessed via Citrix Gateway Connector
    • Port 8443 open in-bound for web-based management

     

    When publishing web applications that may have embedded redirection internal web applications that are hosted on a different URL or sub-domain, the sub-domain needs to be whitelisted as an additional domain under the application. This will allow users to access the redirected URL within the same app connection through Access Gateway and Cloud Gateway reverse proxy.

    image

    Finally note that Gateway Connector is still in Technical Preview so support is limited from Citrix. A bit of messing around showed good reason for this still being in technical preview, it took around 2 hours to get one gateway connector to show up in my resource location after a multitude of activating, restarting, and refreshing and I could not get the second one up after an hour of trying.

    Configuration:

    Download the Gateway Connector files from Citrix Cloud and Import into your environment hypervisor which is in my case VMware vSphere. The Gateway Connector will reside in the resource group it is downloaded from and added to in the Citrix Cloud portal.

    image

    Navigate to the resource location were the gateway connectors will be deployed and serve its functionality for resources only in that resource group.

    image

    image

    image

    Download the image for your respective hypervisor and import. Although not required, make sure to add a secondary NIC on the same network.

    image

    image

    image

    image

    image

    The appliance is not a standard Linux system and I could not access Shell, so make sure you have a DHCP configured to access the appliance through management console then it can be set to static.

    image

    image

    Default username and password are “ administrator “ . Changing the password is mandatory on first login.

    image

    You can choose to keep the DHCP IP but make sure to reserve it on your DHCP server or change to a static IP. Proxy with/without authentication can be set here. Again I always recommend bypassing authentication and proxy for such appliances.

    image

    If the IP has been changed, make sure to navigate to the new IP after the restart is completed for the appliance.

    image

    Don’t use “ administrator “ for Kerberos SSO integration , this is just a lab environment, use any standard user for Kerberos Constrained Delegation.

    image

    Choose the already configured gateway connectors or add new ones here for this specific resource location.

    image

    The activation code is what links the gateway connector with the Citrix cloud account and resource group it is deployed in.

    image

    image

    image

    image

    image

    Here is were the process still lacks and Citrix needs to put some effort into resolving this. When adding my first connector, it took around 2 hours of new activation codes then assigning the code on the connector then multiple restarts all of which failed in the detection phase but at last, one showed under the resource group later. When adding the second connector for this blog, one hour into it with the same code/assign/restart and still it did not show so I decided to use the one already added.

    image

    In order to add internal web applications to showcase the reverse proxy, security, and SSO features, navigate to Citrix Gateway.

    image

    image

    image

    Here is where the “ inside my corporate network “ dictates that the application is internal and not published to the outside world or published but will be accessed internally through Citrix Workspace. If the web applications has embedded links into other URLs that are not under the related domains tab which is in this case anything under the domain vcenter.diyarunited.com then it needs to be added as a related domain.

    image

    If Access Control is not enabled on your Citrix Cloud subscription, the below tab will not appear. Below the required security features can be enabled for this web application.

    image

    You have the option of creating a new resource location and installing the gateway connectors from this tab. When choosing internal resources, you wont move beyond this step without at least one gateway connector in one resource location.

    image

    Choose the required SSO option if any. The SSO options are detailed in the introduction section of this blog.

    image

    Now that the web application has been added successfully, navigate to the Library tab in order to add user access to this application.

    image

    image

    Add the users as subscribers to the published web application from the respective domain serving the resource location were the gateway connector is added.

    image

    image

    In order to test the same, navigate to the workspace URL and login with one of the users that are subscribed to the web application.

    image

    image

    image

    image

    The web version of the Workspace is used and the published web application which is internal to the network is opened from an external location without having to NAT or publish the app to the internet so that represents the reverse proxy feature. The watermark in the middle of the screen is part of the applied Access Control feature. The SSO feature will also kick-in when the login page is presented.

    image

    Lets try it from the Citrix Workspace App as well and we have the same results. The web app opens from a built-in secured chromium browser and access control policies kick in.

    image

    image

    For some reason, apps published through Citrix Gateway do not appear in the Gateway console so if any editing is required for application settings, it can be done from Library and then clicking on edit inside the application options tab.

    image

    Conclusion:

    The advantages of using the gateway connector service with Citrix Gateway and Access Control is providing enterprises with the option of utilizing their Citrix Workspace to secure on-premises internal applications while providing users with ease-of-use features such as SSO all from a pure cloud based service. I personally like the reverse proxy feature because it removes the burden of having to publish services directly to the internet and more so all of these features combined can relieve some SMBs from having to invest in an ADC when just requiring minimal specific features. Combine all of this with the coming app-protection technology built into Workspace App for protection from keyloggers and screen scraper malware, and the workspace security is becoming a reality.

    May the Peace, Mercy, and Blessing of God Be Upon You