Customizing Citrix NFuse with Project Columbia Jay Tomlin
Customizing Citrix NFuse with Project “Columbia”
Jay Tomlin, Product Readiness Manager
Derek Rice, Technical Relationship Manager
Citrix Technical Support Webification
October 30th, 2001
Learning Objectives
In this session, you will:
• Discuss some challenges to NFuse deployment
• See how Project Columbia deals with those challenges
Introducing Project Columbia
What is Project Columbia?
Project Columbia 6.0 is a sample NFuse 1.6 website that has been customized by Citrix technical support to address common configuration issues. The web pages included in Project Columbia 6.0 are based on the default example site included with NFuse 1.6, but have been customized to implement additional features.
Features of Project Columbia
Project Columbia adds support for the following:
• Override the web server’s default MetaFrame server farm address.
• Identify multiple XML services per server farm for fault tolerance and load-balancing.
• Merge application sets from multiple server farms.
• Serve internal users and external users connecting through network address translation from the same web site.
• Alter the size and layout of application icons.
• Hide applications or folders by name.
• Offer the user a menu of domains during logon.
Features of Project Columbia
• Route ICA sessions through client-side SOCKS proxy servers.
• Route users to multiple internal MetaFrame servers through a single external IP address using port address translation.
• Allow users to change expired NT 4 or Windows 2000 Active Directory domain passwords.
• Force the installation or upgrade of ICA clients for Windows users who do not already have an ICA client installed or who have an old ICA client installed.
System Requirements
The following requirements apply to the web server hosting the Project Columbia files:
• Windows 2000 with IIS 5.0
• NFuse 1.6
• Active Directory Services Interface (ADSI) 2.5 or later
• VBScripting Engine 5.0 or later
• Active Server Pages 3.0 or later
The Config.txt File
Project Columbia includes a file named config.txt where you indicate your preferences regarding how the features of Columbia should be implemented. After making changes to the config.txt file, you must either restart the World Wide Web Publishing service or unload the ASP application in Internet Services Manager, then revisit the web site.
The Config.txt File
Sample config.txt entries include:
NFuse_Farm=farm one,1,server2,server3
NFuse_NumberOfColumns=3
NFuse_IconPercent=50
NFuse_DomainList=CITRIX,accounts
NFuse_InternalNetworks=10.,192.168.
NFuse_PortMap=192.168.0.1,24.25.16.203:1494
NFuse_IgnorePortMaps=10.,192.168.
NFuse_ChangePasswordMode=HTML
NFuse_PushWin32WebClient=THIN
NFuse_Win32WebClientVersion=6,20,985,0
NFuse_EmbedApplications=off
NFuse_EmbedMethod=3
Configuring Columbia
This section will discuss the syntax and configuration of the following features:
• Configuring XML Services
• Configuring SSL Relay Services
• Automating Win32 Web Client Downloads
• Changing Expired Passwords
• Navigating a NAT Firewall
• Embedding Applications
XML Service(s)
The NFuse web server must communicate with at least one MetaFrame server via the XML Service.
[Diagram: the NFuse Gateway object on the NFuse Web Server sends XML over HTTP to the XML Service on port 80 of the MetaFrame Server.]
SSL Relay
XML traffic can be encrypted using the Citrix SSL Relay Service.
[Diagram: the NFuse Gateway object on the NFuse Web Server sends XML/HTTP traffic to the SSL Relay on port 443 of the MetaFrame Server, which passes it to the XML Service on port 80.]
Configuring XML Services
By default, Columbia will connect to the XML Service that you provided when you installed NFuse. However, this address can be replaced with one or more other XML services using the NFuse_Farm preference in config.txt. If an NFuse_Farm entry exists in config.txt, the default XML Service address and port listed in your NFuse.conf file will be ignored.
Syntax:
NFuse_Farm=Farm-name,load-balance-flag,xml-addr[:xml-port][|ssl-addr[:ssl-port]][,…]
Configuring XML Services
Where:
• Farm-name is a string of your choice describing the server farm (it does not have to match the actual farm)
• load-balance-flag is a zero (0) or one (1) indicating whether or not the XML services listed should be load-balanced in a round-robin fashion
• xml-addr is the name or IP address of a MetaFrame server running the Citrix XML service
• xml-port is the TCP port number where the XML service is running (default 80)
• ssl-addr is the name of the MetaFrame server running the SSL Relay Service
• ssl-port is the TCP port number where the SSL Relay service is running (default 443)
Load Balancing XML Services
[Diagram: the NFuse Web Server sends XML/HTTP to port 80 on MetaFrame Server 1, MetaFrame Server 2 and MetaFrame Server 3.]
Configuring XML Services
Multiple XML/SSL services may be listed, separated by commas. If load-balance-flag is 0, then Columbia will treat the list as a backup server list: the first server will always be used, unless it becomes unavailable. If load-balance-flag is 1, then the list of XML services will also be transposed with each logon request to impose round-robin load-balancing across all XML servers in addition to treating the list as a backup server list.
If no port numbers are specified, Columbia will assume that all XML services are running on port 80 and all SSL Relay services are running on port 443. If no SSL Relay address is provided, Columbia will communicate directly with the XML Service.
Load Balancing SSL Relays
[Diagram: the NFuse Web Server connects over SSL to port 443 on MetaFrame Server 1, MetaFrame Server 2 and MetaFrame Server 3; on each server the SSL Relay passes XML/HTTP to the XML Service on port 80.]
Configuring SSL Relay Services
To specify SSL Relay addresses for an XML Service identified with the NFuse_Farm preference, append a vertical stroke “|” to the XML service address, followed by the server name and TCP port of the SSL Relay server. If no port is specified, 443 is assumed.
IMPORTANT: The server name must exactly match the subject name of the server certificate that you installed on the MetaFrame server when you configured the SSL Relay Service. Additionally, the root certificate of the certification authority that issued your MetaFrame server certificate must be installed on the NFuse web server as a Trusted Root Certification Authority.
Example:
NFuse_Farm=Apps,0,srv01:8080|srv01.company.com
Multiple Farms
[Diagram: one NFuse Web Server connected to MetaFrame Farm One and MetaFrame Farm Two.]
Multiple Server Farms
Columbia can aggregate applications from multiple server farms, so long as the accounts with which users authenticate to the NFuse site are valid for all MetaFrame server farms. To add farms, simply add additional NFuse_Farm= lines to config.txt. There is no limit to the number of farms you can add. Each farm may have a different number of XML services. Each XML service may or may not use an SSL Relay. Within each farm, multiple XML services are treated as either a backup list or load-balanced in a round-robin fashion, according to the value of the load-balance flag:
NFuse_Farm=Farm One,1,server2,server3
NFuse_Farm=Farm Two,0,server4,server5
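The NFuse_Farm syntax, its port defaults and the backup/round-robin ordering described in the slides above, worked through as an added example (not code from Project Columbia, which is ASP/VBScript). The function names are hypothetical, and modelling "transposed with each logon request" as a list rotation is an assumption.

```python
from collections import namedtuple

# One XML service entry; ssl_addr/ssl_port are None when no SSL Relay is given.
Service = namedtuple("Service", "xml_addr xml_port ssl_addr ssl_port")


def _host_port(text, default_port):
    """Split 'addr[:port]', applying the documented default port."""
    host, sep, port = text.strip().partition(":")
    host = host.strip()
    port = int(port) if sep else default_port
    if not host or not 1 <= port <= 65535:
        raise ValueError("bad address or port: %r" % text)
    return host, port


def parse_farm(line):
    """Parse one NFuse_Farm line into (farm_name, load_balance, [Service])."""
    key, sep, value = line.partition("=")
    fields = [f.strip() for f in value.split(",")]
    if key.strip() != "NFuse_Farm" or not sep or len(fields) < 3:
        raise ValueError("not a complete NFuse_Farm entry: %r" % line)
    name, flag = fields[0], fields[1]
    if flag not in ("0", "1"):
        raise ValueError("load-balance-flag must be 0 or 1: %r" % flag)
    services = []
    for entry in fields[2:]:
        xml, bar, ssl = entry.partition("|")
        xml_addr, xml_port = _host_port(xml, 80)         # XML Service default
        ssl_addr, ssl_port = _host_port(ssl, 443) if bar else (None, None)
        services.append(Service(xml_addr, xml_port, ssl_addr, ssl_port))
    return name, flag == "1", services


def try_order(services, load_balance, logon_number):
    """Order in which the services are tried for a given logon.

    Assumption: 'transposed with each logon' is modelled as a rotation.
    """
    if not load_balance:
        return list(services)            # backup list: first server first
    k = logon_number % len(services)
    return list(services[k:]) + list(services[:k])
```

An entry without a "|" part yields `ssl_addr=None`, which is the case where Columbia talks to the XML Service directly and the XML traffic is not encrypted; listing those entries is a quick way to review which farms still lack an SSL Relay.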
Auto Download of Win32 Clients
For Windows 32-bit client machines, the ICA client can be delivered automatically. Columbia implements this feature by including an ActiveX control in a hidden HTML frame after the user has logged in. The required CAB files for this feature exist beneath the clients subdirectory.
Two client packages are included: a full Program Neighborhood ICA client (3.4 MB) and a “thin” ICA client (1.6 MB). The full client includes a graphical Program Neighborhood interface that may be used without NFuse. The thin client contains no user interface, requiring users to access applications through NFuse. You can control which client is delivered through Columbia’s config.txt file.
Auto Download of Win32 Clients
Listed below are the config.txt entries for client delivery:
NFuse_PushWin32WebClient=ClientPackage
NFuse_Win32WebClientVersion=ClientVersion
Where:
• ClientPackage is one of the following:
  1. THIN – downloads the 1.6 MB client, wficat.cab. (default)
  2. FULL – downloads the full 3.4 MB client, wfica.cab.
  3. OFF – no client is automatically delivered to the user.
• ClientVersion is the version number of the CAB files as it would appear in an HTML <OBJECT> tag. The initial value is 6,20,985,0. If you replace the CAB files beneath the clients directory with a newer ICA client version, update the NFuse_Win32WebClientVersion value with the new client version number in order to deliver the upgraded client to the users with older ICA clients.
Changing Expired Passwords
If a user logs onto the Columbia web site with a password that has expired, there are three ways that Columbia might respond. In “ICA Mode”, the user is prompted to make an ICA connection to a MetaFrame server where they would be prompted by the normal logon dialog box to change their password. In “HTML Mode”, an HTML form is returned allowing the user to change their password through the web page. Finally, you can opt for “null”, which will not prompt the user to change their password. This behavior can be controlled by using the NFuse_ChangePasswordMode setting in config.txt.
Changing Expired Passwords
The syntax of the NFuse_ChangePasswordMode field is:
NFuse_ChangePasswordMode=ICA | HTML | NULL
With NFuse_ChangePasswordMode=ICA, users who have entered expired credentials are shown a link after the error message in the NFuse Message Center that reads “Click here to change your password.” This link initiates an ICA session to a MetaFrame server’s operating system to change their password. Once the password change is successful, the user is logged out.
By default, the MetaFrame server to which the user is connected will match the MetaFrame server hosting the XML service when the expired credentials were discovered. The NFuse_ICAModePasswordChangeServer field can be used to change which server the user connects to in order to change the password.
Changing Expired Passwords
HTML Mode
With NFuse_ChangePasswordMode=HTML, when the user logs in with a password that has expired, an HTML form pops up allowing the user to change their password through the web server. Once logged in, a key icon appears allowing the user to change their password at any time, regardless of whether it has expired.
Important: In order for HTML-mode password changes to succeed, either the web server must be a domain controller in the same domain in which the user account resides, or the Columbia web pages must be served by a Domain Admin user account instead of the IUSR_MachineName account. HTML mode cannot change Novell NDS passwords. Use ICA mode for expired Novell accounts.
Changing Passwords When NFuse_ChangePasswordMode=HTML
Navigating a NAT Firewall
If external users need to traverse a firewall performing Network Address Translation (NAT), then rendered ICA files sent to those users will need to include the MetaFrame server’s alternate (external) address instead of its internal address. Each MetaFrame server should have a unique alternate address; to specify alternate addresses, run ALTADDR.EXE from the command prompt of each MetaFrame server.
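NAT Firewall Support
Internal clients need the private address, external clients need the public address.
[Diagram: an External Client on the Internet reaches the NFuse Web Server (Columbia) over HTTP and makes its ICA connection to the external IP through the NAT firewall; an Internal Client reaches the web server over HTTP and makes its ICA connection to the internal IP; the web server talks XML/HTTP to the MetaFrame Server; the DMZ sits between the NAT firewall and an ICA firewall.]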
Navigating a NAT Firewall
The syntax for this preference is:
NFuse_InternalNetworks=IP-prefix[,…]
Where all internal clients have IP addresses beginning with IP-prefix.
When configured for NAT, Columbia will detect each user’s IP address and return the internal or external address of each MetaFrame server as appropriate. In order to configure Columbia for NAT, you must specify the network prefixes for all internal networks. For any user whose IP address does not begin with one of the specified prefixes, the alternate address will be returned.
Navigating a NAT Firewall
For example, if your internal network consists of some 10.0/8 addresses and some 192.168.0.0/16 addresses, you would add the following line to config.txt:
NFuse_InternalNetworks=10.,192.168.
Any client whose IP address does not begin with “10.” or “192.168.” would then receive the alternate address from each MetaFrame server instead of its internal address when launching applications.
Important: NFuse.conf also allows you to configure the alternate address behavior for the website. In order for Columbia to render ICA files with alternate addresses, the NFuse.conf file must be configured with AlternateAddress=Off.
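Because the internal/external decision described above is a textual "begins with" comparison, a prefix written without its trailing dot classifies unrelated public addresses as internal and hands them the internal server address. The following added example (not code from Project Columbia; all function names are hypothetical) applies the rule as the slides state it and audits a prefix list for entries that do not correspond to exactly one network.

```python
import ipaddress


def parse_internal_networks(line):
    """Return the prefix list from an NFuse_InternalNetworks line."""
    key, sep, value = line.partition("=")
    if key.strip() != "NFuse_InternalNetworks" or not sep:
        raise ValueError("not an NFuse_InternalNetworks entry: %r" % line)
    return [p.strip() for p in value.split(",") if p.strip()]


def is_internal(client_ip, prefixes):
    """The rule as the slides state it: the address 'begins with' a prefix."""
    return any(client_ip.startswith(p) for p in prefixes)


def prefix_network(prefix):
    """CIDR network covered by a prefix of whole octets ending in a dot.

    Returns None for anything else (for example '10' or '192.16'), because a
    textual match on such a prefix also covers unrelated networks.
    """
    octets = prefix[:-1].split(".") if prefix.endswith(".") else []
    ok = lambda o: o.isascii() and o.isdigit() and o == str(int(o)) and int(o) <= 255
    if not 1 <= len(octets) <= 3 or not all(ok(o) for o in octets):
        return None
    base = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (base, 8 * len(octets)))


def audit_prefixes(prefixes):
    """Prefixes that do not map to exactly one network and need fixing."""
    return [p for p in prefixes if prefix_network(p) is None]


def address_for(client_ip, prefixes, internal_addr, alternate_addr):
    """Which server address goes into the ICA file for this client."""
    return internal_addr if is_internal(client_ip, prefixes) else alternate_addr
```

With the prefix `10` instead of `10.`, a client at `100.64.7.7` is treated as internal; `audit_prefixes` reports that entry so it can be corrected before the site is exposed.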
Embedding Published Apps
By default, NFuse 1.6 will launch applications in a separate seamless window. Columbia allows you to embed published applications into an HTML page using the ActiveX, Netscape plugin, or Java applet ICA clients. This preference is controlled by two settings in config.txt:
NFuse_EmbedApplications=Off | On
NFuse_EmbedMethod=1 | 2 | 3
Where NFuse_EmbedMethod numbers correspond to:
1. ActiveX control
2. Netscape Plugin
3. Java Applet
Embedding Published Apps
If desired, the webmaster may allow end users to choose their own method for launching applications. This preference is controlled by the following setting:
NFuse_AllowCustomizeLaunchType=Off | On
If NFuse_AllowCustomizeLaunchType=On, then users will receive a menu labeled “Client type” on the NFuse settings page allowing them to choose between launching applications with their native ICA client or embedding applications with any of the three browser embedding methods listed above.
NOTE: In order to see the settings page, you must also set AllowCustomizeSettings=On in NFuse.conf.
Embedding Applications When NFuse_AllowCustomizeLaunchType=On
Other Columbia Options
• Port Address Translation
• Navigating Client-Side Proxy Servers
• Altering Default Display Options
• Hiding Published Applications and Folders
• Idle Session Timeout
• Logging and Debugging
How do I get a copy?
Columbia 6.0 is now available for download and discussion at the Citrix Developer Network site: www.citrix.com/cdn
Watch this space for Columbia updates!
Send feedback to: Project-Columbia@citrix.com
Thank You