Access Gateway Advanced Edition Administrator's Guide - Citrix ...

Access Gateway Advanced Edition Administrator’s Guide 

Citrix® Access Gateway 4.5 

Citrix Access Suite

Copyright and Trademark Notice 

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. Copies of the End 

User License Agreement are included in the Documentation folder of the product CD-ROM. 

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious 

unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any 

form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. 

© 2003-2006 Citrix Systems, Inc. All rights reserved. 

Citrix, Citrix Presentation Server, Citrix Access Gateway, ICA (Independent Computing Architecture), Access Suite, Citrix Program 

Neighborhood, and SmoothRoaming are registered trademarks or trademarks of Citrix Systems, Inc. in the United States and other 

countries. 

RSA Encryption © 1996-1997 RSA Security Inc., All rights reserved. 

Trademark Acknowledgements 

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other 

countries. 

Apple, Mac, Mac OS, and Macintosh are registered trademarks or trademarks of Apple Computer Inc. 

Flash and Shockwave are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. 

Java is a registered trademark of Sun Microsystems, Inc. in the U.S. and other countries. 

Microsoft, MS-DOS, Windows, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory and Vista are either 

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 

Lotus, Domino, Notes, and iNotes are trademarks of International Business Machines Corporation in the United States, other countries, or 

both. 

Mozilla and Firefox are trademarks or registered trademarks of the Mozilla Foundation in the United States and/or other countries. 

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. 

Secure Computing and SafeWord are registered trademarks of Secure Computing Corporation. 

McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. 

Norton AntiVirus, Norton Personal Firewall, Symantec, Symantec AntiVirus Solution, and Symantec Desktop Firewall are registered 

trademarks or trademarks of Symantec Corporation in the US and/or other countries. 

OfficeScan, Trend Micro, and Trend Micro Incorporated are trademarks of Trend Micro in the US and/or other countries. 

ZoneAlarm and Zone Labs are trademarks or registered trademarks of Zone Labs LLC in the United States and other countries. 

All other trademarks and registered trademarks are the property of their owners. 

Document code: September 19, 2006 (JB)

CONTENTS 

Contents 

Chapter 1 

Chapter 2 

Chapter 3 

Welcome 

Access Gateway Advanced Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 

Smart Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 

SmoothRoaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 

Secure by Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 

New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 

New Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 

Getting Information and Help 

Accessing Product Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 

Document Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 

Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 

Getting Service and Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 

Subscription Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 

Knowledge Center Watches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 

Education and Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 

Customizing the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 

Planning Your Access Strategy 

Step 1: Evaluating Corporate Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21 

Step 2: Performing a Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 

Step 3: Developing Your Access Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 

Securing Access and Resources with Policies . . . . . . . . . . . . . . . . . . . . . . . . . .26 

Planning for Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 

Traversing Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Protecting Sensitive Corporate Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Evaluating Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28 

One-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 

Advanced Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 

Planning for High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

4 Access Gateway Advanced Edition Administrator’s Guide 

Considering Users’ Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 

Chapter 4 

Chapter 5 

Licensing the Advanced Edition 

Installing Citrix Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 

Getting More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 

Obtaining Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 

Determining the Licenses Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 

Licensing Grace Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 

Mixed Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 

Specifying the License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 

Adding Shortcuts to the License Management Console . . . . . . . . . . . . . . . . . . . . .37 

Installing Advanced Access Control 

Planning Your Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 

Pre-Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 

Post-Installation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 

Server Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42 

Network Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 

Account Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 

Microsoft SQL Server User Account Requirements . . . . . . . . . . . . . . . . . . . . .44 

Service Account Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 

Using Security Templates with the Service Account . . . . . . . . . . . . . . . . . . . . .45 

Database Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 

Access Gateway Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 

Feature Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 

HTML Preview Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 

Live Edit Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 

Email Synchronization Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 

Web Email Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 

Using Microsoft Windows 2003 Server Web Edition for Web Email . . . . . . .52 

Endpoint Analysis Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 

Authentication Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53 

Citrix Presentation Server Integration Requirements . . . . . . . . . . . . . . . . . . . .54 

Requirements for Bypassing the Web Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . .57 

Third Party Portal Integration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .57 

Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 

Web Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 

Live Edit Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60


Endpoint Analysis Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 

Secure Access Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 

Console Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 

Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 

Installing Advanced Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 

Uninstalling Advanced Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 

Chapter 6 

Configuring Advanced Access Control 

Supported Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 

Access Gateway Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 

Advanced Access Control Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 

Double-Hop DMZ Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 

Changing the Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76 

Configuring Your Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76 

Server Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76 

Steps to Configuring A Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 

Creating or Joining an Access Server Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 

Selecting a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78 

Specifying an Existing Database Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78 

Specifying a License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79 

Selecting a Web Site Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79 

Securing Web Site Traffic with SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80 

Finishing Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80 

Enabling Advanced Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80 

Using the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 

Installing the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 

Users and Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 

Deploying the Console to Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 

The Access Management Console User Interface . . . . . . . . . . . . . . . . . . . . . . .82 

Starting the Access Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 

Finding Items in Your Deployment Using Discovery . . . . . . . . . . . . . . . . . . . .83 

Customizing Your Displays Using My Views . . . . . . . . . . . . . . . . . . . . . . . . . .84 

Configuring Your Farm with the Getting Started Panel . . . . . . . . . . . . . . . . . . . . .84 

Linking to Citrix Presentation Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 

Specifying Server Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 

Configuring Load Balance or Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86 

Configuring Address Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87 

Configuring Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88 

Configuring the Access Gateway Address Mode. . . . . . . . . . . . . . . . . . . . . . . .88 

Associating Access Platform Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89


Configuring Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89 

Renaming Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 

Logging on through the Logon Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 

Updating Logon Page Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 

Changing Expired Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 

Setting the Default Logon Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 

Removing Logon Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94 

Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 

Configuring Split Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 

Configuring Accessible Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 

Forwarding System Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 

Configuring Client Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 

Configuring Server Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 

Configuring ICA Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99 

Configuring Authentication with Citrix Presentation Server. . . . . . . . . . . . . . . . .100 

Chapter 7 

Chapter 8 

Securing User Connections 

Configuring Advanced Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101 

Configuring RADIUS and LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . .102 

Creating RADIUS Authentication Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . .102 

Creating LDAP Authentication Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 

Assigning Authentication Profiles to Logon Points . . . . . . . . . . . . . . . . . . . . .105 

Setting Authentication Credentials for Logon Points . . . . . . . . . . . . . . . . . . .106 

Configuring RSA SecurID Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 

Configuring SafeWord Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110 

Configuring Advanced Authentication with SafeWord . . . . . . . . . . . . . . . . . .111 

Configuring Authentication with SafeWord Only . . . . . . . . . . . . . . . . . . . . . .111 

Configuring RADIUS with SafeWord . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112 

Configuring Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115 

Configuring the Access Gateway for Trusted Authentication . . . . . . . . . . . .115 

Configuring Advanced Access Control for Trusted Authentication . . . . . . . .116 

Adding Resources 

Creating Network Resources for VPN Access. . . . . . . . . . . . . . . . . . . . . . . . . . . .119 

Using the Entire Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120 

Defining Resources to Avoid Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121 

Creating Web Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121 

Including Related Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123 

Configuring Sites Secured with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123


Web Resources that Keep Sessions Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . .124 

Enabling Pass-Through Authentication for Web Resources . . . . . . . . . . . . . . . . .124 

Configuring Sites with Form-Based Authentication . . . . . . . . . . . . . . . . . . . .125 

Creating File Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125 

Using Dynamic System Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128 

Active Directory Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 

Creating Resource Groups to Ease Policy Administration . . . . . . . . . . . . . . . . . .129 

Integrating Resource Lists in Third-Party Portals . . . . . . . . . . . . . . . . . . . . . . . . .130 

Chapter 9 

Chapter 10 

Controlling Access Through Policies 

Controlling User Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131 

Integrating Your Access Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 

Pooling Resources By Access Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 

Designing Policies From User Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133 

Differentiating Access Control and Publishing . . . . . . . . . . . . . . . . . . . . . . . .134 

Creating Access Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135 

Naming Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136 

Configuring Policy Settings to Control User Actions . . . . . . . . . . . . . . . . . . . . . .137 

Allowing Access to Standard Web Content . . . . . . . . . . . . . . . . . . . . . . . . . . .138 

Allowing File Type Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138 

Allowing HTML Preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 

Allowing Email Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 

Allowing Live Edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 

Allowing Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 

Setting Conditions for Showing the Logon Page. . . . . . . . . . . . . . . . . . . . . . . . . .141 

Bypassing URL Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144 

Considerations about URL Rewriting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144 

Limitations of Browser-Only Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145 

Creating Connection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 

Creating Policies for Presentation Server Connections . . . . . . . . . . . . . . . . . .148 

Prioritizing Connection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149 

Creating Policy Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149 

Creating Custom Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151 

Creating Continuous Scan Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 

Granting Access to the Entire Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154 

Reviewing Policy Information with Policy Manager . . . . . . . . . . . . . . . . . . . . . .155 

Integrating Citrix Presentation Server 

Linking from Advanced Access Control to Citrix Presentation Server . . . . . . . .158


Integrating Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158 

Displaying Multiple Sites and Caching Credentials. . . . . . . . . . . . . . . . . . . . .160 

Coordinating Advanced Access Control and Web Interface Settings . . . . . . .162 

Configuring File Type Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163 

Integrating Third-Party Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163 

Chapter 11 

Chapter 12 

Verifying Requirements on Client Devices 

Creating Endpoint Analysis Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166 

Using Scan Outputs to Filter Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168 

Using Scan Outputs to Filter Logon Page Visibility . . . . . . . . . . . . . . . . . . . .168 

Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168 

Adding Rules to Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169 

Using Scan Outputs in Other Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170 

Editing Conditions and Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 

Editing the Available Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 

Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 

Using Data Sets in Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 

Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 

Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 

Creating Data Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173 

Adding Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 

Grouping Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 

Adding Language Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 

Scripting and Scheduling Scan Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 

Updating Property Values in Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176 

Updating Data Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177 

Creating Continuous Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178 

Providing Secure Access to Corporate Email 

Choosing an Email Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182 

Providing Access to Published Email Applications. . . . . . . . . . . . . . . . . . . . . . . .183 

Providing Users with Secure Web-Based Email . . . . . . . . . . . . . . . . . . . . . . . . . .184 

Enabling Access to Web-Based Email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 

Integrating Web-Based Email Access with a Third-Party Portal . . . . . . . . . . . . .187 

Providing Users with Secure Access to Email Accounts. . . . . . . . . . . . . . . . . . . .188 

Enabling Users to Attach Files to Web-Based Email . . . . . . . . . . . . . . . . . . . . . .190 

Restricting File Attachment Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191 

Enabling Access to Email on Small Form Factor Devices . . . . . . . . . . . . . . . . . .192 

Updating the Mapisvc.inf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193


Chapter 13 

Chapter 14 

Chapter 15 

Rolling Out Advanced Access Control to Users 

Developing a Client Software Deployment Strategy. . . . . . . . . . . . . . . . . . . . . . .195 

Determining Responsibility for Installing Client Software . . . . . . . . . . . . . . .196 

Supported Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198 

Determining Which Clients to Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199 

Managing Client Software Using the Access Client Package . . . . . . . . . . . . . . . .200 

Client Software Available for the Access Client Package . . . . . . . . . . . . . . . .201 

Creating a Client Distribution Package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201 

Distributing and Installing Your Client Software Package . . . . . . . . . . . . . . .201 

Posting Client Software to a Share Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203 

Downloading Client Software on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203 

Ensuring a Smooth Logon Experience with the Secure Access Client . . . . . . . . .205 

Modifying the Logon Point Redirect URL. . . . . . . . . . . . . . . . . . . . . . . . . . . .206 

Modifying Browser Delay Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 

Modifying Ticket Lifetime Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207 

Ensuring a Smooth Rollout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208 

Providing Logon Information to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208 

Browser Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209 

Customizing Browser Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210 

Customizing the Logon Error Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211 

Managing Your Access Gateway Environment 

Managing Access Server Farms Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 

Controlling Access by Multiple Consoles . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 

Using Groups in Policy Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215 

Securing the Access Management Console Using COM+ . . . . . . . . . . . . . . . . . .215 

Restarting COM+ Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216 

Adding and Removing Farms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217 

Adding and Removing Gateway Appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . .217 

Changing Service Account and Database Credentials. . . . . . . . . . . . . . . . . . . . . .218 

Modifying Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219 

Removing Servers from the Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219 

Maintaining Availability of the Access Server Farm. . . . . . . . . . . . . . . . . . . . . . .220 

Exporting and Importing Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . .220 

Monitoring Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222 

Auditing Access to Corporate Resources 

Configuring Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225 

Interpreting Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229


Troubleshooting User Access to Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230 

Performing Audit Log Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230 

Appendix A 

Appendix B 

Glossary 

Scan Properties Reference 

Antivirus Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240 

Citrix Scans for McAfee VirusScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240 

Citrix Scans for McAfee VirusScan Enterprise . . . . . . . . . . . . . . . . . . . . . . . .240 

Citrix Scans for Norton AntiVirus Personal . . . . . . . . . . . . . . . . . . . . . . . . . . .241 

Citrix Scans for Symantec AntiVirus Enterprise . . . . . . . . . . . . . . . . . . . . . . .242 

Citrix Scans for Trend OfficeScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243 

Citrix Scans for Windows Security Center Antivirus . . . . . . . . . . . . . . . . . . .244 

Browser Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 

Citrix Scans for Browser Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 

Citrix Scans for Internet Explorer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 

Citrix Scans for Internet Explorer Update . . . . . . . . . . . . . . . . . . . . . . . . . . . .246 

Citrix Scans for Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 

Citrix Scans for Netscape Navigator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 

Firewall Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248 

Citrix Scans for McAfee Desktop Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . .248 

Citrix Scans for McAfee Personal Firewall Plus . . . . . . . . . . . . . . . . . . . . . . .249 

Citrix Scans for Microsoft Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . .250 

Citrix Scans for Norton Personal Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . .251 

Citrix Scans for Windows Security Center Firewall . . . . . . . . . . . . . . . . . . . .251 

Citrix Scans for ZoneAlarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252 

Citrix Scans for ZoneAlarm Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252 

Machine Identification Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253 

Citrix Scans for Domain Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253 

Citrix Scans for MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254 

Miscellaneous Scan Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255 

Citrix Bandwidth Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255 

Operating System Scan Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 

Citrix Scans for Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 

Citrix Scans for Microsoft Windows Service Pack . . . . . . . . . . . . . . . . . . . . .256 

Citrix Scans for Microsoft Windows Update . . . . . . . . . . . . . . . . . . . . . . . . . .257

CHAPTER 1 

Welcome 

Citrix Access Gateway is a universal SSL VPN appliance that provides a secure, 

always-on, single point-of-access to all applications and protocols. It has all of 

the advantages of IPSec and SSL VPNs, without their costly and cumbersome 

implementation and management. With the Advanced Edition, Access Gateway 

finely controls both the resources users can access and what actions they can 

perform, facilitating regulatory compliance. Access Gateway delivers the best 

access experience for everyone: secure access to corporate data for the business, 

easy access for users, and easy administration and management for IT. 

Access Gateway Advanced Edition 

The Advanced Edition expands your Access Gateway environment with 

Advanced Access Control software, which provides your users with the following 

standard features. 

Smart Access 

SmartAccess analyzes the access scenario and then delivers the appropriate level 

of access without compromising security. Depending on who and where users are 

and what device and network they are using, users are granted different levels of 

access, such as the ability to preview, but not edit, documents. 

Advanced Access Control provides SmartAccess through two key phases—sense 

and respond. In the sensing phase of SmartAccess, the system analyzes the users’ 

access scenario and then responds with an appropriate level of access. “Granted” 

or “denied” are no longer the only answers to an access attempt because 

organizations not only control which resources users get access to based on their 

access scenario, but how they can use these resources when they gain access. 

For example, a user at an airport kiosk could be allowed to only preview or read 

email attachments and files but would not be allowed to download, edit, or print 

these files. However, that same user working from home may be granted full 

download, editing, and printing capabilities. In addition, Advanced Access 

Control integrates seamlessly with Citrix Presentation Server to give 

organizations this same level of granular control over published applications.


SmoothRoaming 

Advanced Access Control supports SmoothRoaming technology by ensuring that 

as users move between devices, networks, and locations, the appropriate level of 

access is configured automatically for each new access scenario. 

Secure by Design 

Advanced Access Control provides users with access that is inherently secure by 

design, protecting both the security of company information as well as the 

integrity of the network. 

SmartAccess, SmoothRoaming, and Secure by Design technologies work 

together by combining the following features: 

• Integrated endpoint security. Provides continuous real-time monitoring to 

ensure that the device is safe to connect and remain connected to the 

network. Endpoint analysis further evaluates the integrity of connecting 

devices and allows you to tailor the level of access you grant in policies 

according to analysis results. 

• VPN connectivity. Network resources enable direct SSL virtual private 

network (VPN) connectivity to servers, services, and networks within the 

corporate LAN. 

• Action controls. Allow administators to set policies that allow or deny 

viewing, editing, and saving documents depending on the user’s identity, 

device, location and connection. 

• Mobile device awareness. Re-factors email and file interfaces for personal 

digital assistants (PDAs) and small form factor devices. 

• Browser-only access. Provides access with any Web browser on any 

device to Web sites, files, and email. You can automatically render 

Microsoft Office documents for HTML Preview. 

• Secure access to Web-based email and files. Provides access to corporate 

email securely over the Internet through a Web-based user interface. 

Allows users to securely access Microsoft Outlook and Lotus Notes in real 

time and synchronize information for offline use. Enables access to 

corporate network file shares securely over the Internet through a Webbased 

user interface. 

• Advanced Presentation Server integration. You can use endpoint 

analysis and client location to control which published applications are 

available to the user. This feature extends SmartAccess to Presentation 

Server, including the use of Advanced Access Control filters to control 

local client drive mapping, clipboard operations, and local printer mapping.

Chapter 1 Welcome 13 

• Multilingual support. Provides full server and client support for Japanese, 

German, French, and Spanish. 

• Standards-based encryption. Uses industry-standard SSL encryption to 

provide secure access to corporate resources. 

• Common management platform. Provides a unified framework 

containing client and server configuration, licensing, monitoring, and 

reporting tools for administrative simplicity, business visibility, and 

corporate security 

New Features 

This release provides the following new features and enhancements. 

• Support for UPN and Alternate UPN credentials. Users who log on to 

internal networks with credentials specified in User Principal Name (UPN) 

or Alternate UPN format can log on to the Access Gateway and seamlessly 

access corporate resources such as published Web sites, file shares, and 

Web email. 

• Enhanced access to Citrix Presentation Server published applications. 

Citrix Presentation Server published applications are accessible as Access 

Platform sites from within the Access Interface, allowing users to quickly 

access and launch published applications. You can enable up to three 

Access Platform sites to display applications from multiple Presentation 

Server farms. 

• Support for third-party load balancers. In addition to its internal load 

balancing capabilities, Access Gateway Advanced Edition supports 

configurations that include third-party load balancers such as Citrix 

Netscaler. In the event an Advanced Access Control server in a farm 

becomes unavailable, users are routed automatically to another Advanced 

Access Control server. 

• Enhanced access to documents hosted on Sharepoint sites. Microsoft 

Sharepoint sites that are accessed through the Web proxy retain many of the 

menu-driven features users need to work with files, such as Delete, Edit 

Properties, and Alert Me. 

• Support for double-hop DMZ deployments. Organizations can provide 

an extra layer of security for their internal resources by deploying Access 

Gateway appliances in a two-stage DMZ configuration. 

• Policies dynamically determine best resource delivery method. You can 

configure policies to determine the best method for accessing resources 

based on users’ connection bandwidth. Using the Citrix Bandwidth 

endpoint analysis scan, the connection bandwidth is calculated and the


result is used to determine whether resources such as published applications 

are streamed or delivered to the user through an ICA session. 

New Name 

Access Gateway Advanced Edition is the new name for the products formerly 

known as Access Gateway with Advanced Access Control, Access Gateway 

Enterprise, and MetaFrame Secure Access Manager.

CHAPTER 2 

Getting Information and Help 

The topics in this section describe how to get more information about the product 

and how to contact Citrix. 

• “Accessing Product Documentation” on page 15 

• “Getting Service and Support” on page 18 

• “Education and Training” on page 19 

• “Customizing the Software” on page 19 

Accessing Product Documentation 

Your product documentation includes PDF guides, online documentation, known 

issue information, integrated on-screen assistance, and application help. 

• User documentation is provided through the online help system and Adobe 

Portable Document Format (PDF) files. Guides correspond to different 

features. For example, information for administrators is contained in the 

Access Gateway Standard Edition Administrator’s Guide. Guides are stored 

in the \Documentation folder on the Server CD. Installation places 

documentation files in the 

C:\Program Files\Citrix\Access Gateway\Documentation\lang directory. In 

these examples, lang refers to the language, such as en for English, de for 

German, and so on. 

Note: Online guides are provided as Adobe Portable Document Format 

(PDF) files. To view, search, and print the PDF documentation, you need to 

have Adobe Acrobat Reader 5.0.5 with Search or Adobe Reader 6.0 

through 7.0. You can download these products for free from the Adobe 

Systems Web site at http://www.adobe.com/. 

• In many places in the user interface, integrated on-screen assistance is 

available to help you complete tasks. For example, in the Access


Management Console, you can position your mouse over a setting to 

display help text that explains how to use that control. 

• Online help is available in many components such as the console. You can 

access the online help from the Help menu or Help button. 

The following documentation is included with your software: 

• The Readme files on the Server CD provide the latest information about 

functionality, known issues, and documentation changes. Be sure to read 

these documents for important information before you install the product or 

its components. 

• This manual, the Access Gateway Advanced Edition Administrator’s Guide, 

provides conceptual information and procedures for system administrators 

who plan, design, pilot, or deploy the software. It provides information 

about features, installation and setup, and access server farm maintenance. 

• Access Gateway Advanced Edition Upgrade Guide provides procedures for 

system administrators upgrading from an earlier release. It provides 

information about how to back up your access server farm’s data, upgrade 

server components, and migrate data and license information. 

• Getting Started with Citrix Licensing Guide and the licensing Readme file 

provide conceptual and procedural information about deploying, 

maintaining, and using licensing for Citrix products. 

Additional gateway appliance documentation available from the Access 

Gateway’s Administration Portal includes Getting Started with Citrix Access 

Gateway Standard Edition, Access Gateway Standard Edition Pre-Installation 

Checklist, Access Gateway Standard Edition Administrator's Guide, and a 

Readme file. 

To provide feedback about the documentation, go to www.citrix.com and click 

Support > Knowledge Center > Product Documentation. To access the 

feedback form, click the Submit Documentation Feedback link. 

Document Conventions 

This documentation uses the following typographic conventions for menus, 

commands, keyboard keys, and items in the program interface:

Chapter 2 Getting Information and Help 17 

Convention 

Boldface 

Italics 

%SystemRoot% 

Monospace 

Meaning 

Commands, names of interface items such as text boxes, 

option buttons, and user input. 

Placeholders for information or parameters that you 

provide. For example, filename in a procedure means you 

type the actual name of a file. Italics also are used for new 

terms and the titles of books. 

The Windows system directory, which can be WTSRV, 

WINNT, WINDOWS, or other name you specify when you 

install Windows. 

Text displayed in a text file. 

{ braces } A series of items, one of which is required in command 

statements. For example, { yes | no } means you must type 

yes or no. Do not type the braces themselves. 

[ brackets ] Optional items in command statements. For example, [/ 

ping] means that you can type /ping with the command. Do 

not type the brackets themselves. 

| (vertical bar) A separator between items in braces or brackets in 

command statements. For example, { /hold | /release | / 

delete } means you type /hold or /release or /delete. 

… (ellipsis) 

You can repeat the previous item or items in command 

statements. For example, /route:devicename[,…] means 

you can type additional device names separated by 

commas. 

Command-Line Conventions 

Some components run from a DOS command line interface. If you are not 

familiar with DOS command lines, note that: 

• Slashes and hyphens in a command line are important and must be entered 

exactly as described in the instruction 

• The spacing on the command line is important and must be followed 

exactly as described in the instructions 

• Help is available for DOS-based programs by entering the command name 

followed by a forward slash and a question mark, for example: 

C:>sessmon/


Getting Service and Support 

Citrix provides technical support primarily through the Citrix Solution Advisors 

(CSA) Program. Our CSA partners are trained and authorized to provide a high 

level of support to our customers. Contact your supplier for first-line support or 

check for your nearest CSA partner at http://www.citrix.com/support/. 

In addition to the CSA program, Citrix offers a variety of self-service, Web-based 

technical support tools that include the following: 

• The Citrix Knowledge Center, an interactive tool containing thousands of 

technical solutions to support your Citrix environment 

• Support forums, where you can participate in technical discussions and 

search for previous responses from other forum members 

• Software downloads, for access to the latest service packs, hotfixes, and 

utilities 

• Downloadable clients, available at http://www.citrix.com/download/ 

Another source of support, Citrix Preferred Support Services, provides a range of 

options that allows you to customize the level and type of support for your 

organization’s Citrix products. 

Subscription Advantage 

Your product includes a one-year membership in the Subscription Advantage 

program. The Citrix Subscription Advantage program gives you an easy way to 

stay current with the latest software versions and information for your Citrix 

products. Not only do you get automatic access to download the latest feature 

releases and software upgrades and enhancements that become available during 

the term of your membership, you also get priority access to important Citrix 

technology information. 

You can find more information on the Citrix Web site at http://www.citrix.com/ 

services/ (select Subscription Advantage). You can also contact your Citrix sales 

representative, Citrix Customer Care, or a member of the Citrix Solutions 

Advisors program for more information. 

Knowledge Center Watches 

The Citrix Knowledge Center allows you to configure watches. A watch notifies 

you if the topic you are interested in was updated. Watches allow you to stay 

notified of updates to Knowledge Base or Forum content. You can set watches on 

product categories, document types, individual documents, and on Forum product 

categories and individual topics. 

To set up a watch, log on to the Citrix Support Web site at

Chapter 2 Getting Information and Help 19 

http://support.citrix.com. After you are logged on, in the upper right corner, click 

My Watches and follow the instructions. 

Education and Training 

Citrix offers a variety of instructor-led training and Web-based training solutions. 

Instructor led courses are offered through Citrix Authorized Learning Centers 

(CALCs). CALCs provide high quality classroom learning using professional 

courseware developed by Citrix. Many of these courses lead to certification. 

Web-based training courses are available through CALCs, resellers, and from the 

Citrix Web site. 

Information about programs and courseware for Citrix training and certification is 

available from http://www.citrix.com/edu/. 

Customizing the Software 

The Citrix Developer Network (CDN) is an open-enrollment membership 

program that provides access to developer toolkits, technical information, and test 

programs. Software and hardware vendors, system integrators, ICA licensees, and 

corporate IT developers who incorporate Citrix computing solutions into their 

products can access CDN at http://apps.citrix.com/cdn/. 

Some operations can be scripted with a Citrix Software Development Kit (SDK). 

The Endpoint Analysis SDK that is included with your software supports 

customization of endpoint analysis and is located on the Server CD in the 

\Setup\EndpointAnalysisSDK folder.

20 Access Gateway Advanced Edition Administrator’s Guide

CHAPTER 3 

Planning Your Access Strategy 

Before you install Advanced Access Control, you should evaluate your 

infrastructure and collect the information necessary to develop an access strategy 

that meets the specific needs of your corporation. When planning an access 

strategy, follow the general steps below. 

“Step 1: Evaluating Corporate Infrastructure” on page 21 

“Step 2: Performing a Risk Analysis” on page 25 

“Step 3: Developing Your Access Strategy” on page 25 

Each of these steps is discussed in detail in the following sections. Consider 

documenting your findings throughout this process to assist you in designing and 

scoping the overall effort of the project, determining a realistic timeline for 

implementation, and setting benchmarks against which to measure your overall 

progress. 

Step 1: Evaluating Corporate Infrastructure 

Corporate infrastructure includes all of the hardware components comprising 

your company’s network such as client devices, servers, load balancers, firewalls, 

and so on. In addition, include the resources for which you want to provide access 

such as applications, services, and data in your assessment. The most common 

types of corporate infrastructure include: 

• Web applications such as a corporate intranet, Web-based email 

application, and so on 

• Corporate data such as databases, documents, presentations, spreadsheets, 

and so on 

• Servers such as Exchange or Notes/Domino servers, Web servers, database 

servers, and so on 

You can use Advanced Access Control to secure and control users’ access to all 

their resources on the corporate network. The following diagrams show three 

traffic routes (VPN, browser, or Presentation Server ICA) you can provide and 

combine to satisfy a wide variety of remote access needs.


Virtual private network traffic:

Web browser traffic: 

Chapter 3 Planning Your Access Strategy 23


Presentation Server traffic:

Chapter 3 Planning Your Access Strategy 25 

After you identify the elements within your corporate infrastructure, you can 

perform a risk analysis and then develop a strategy for providing the appropriate 

level of access to these resources. 

Note: Advanced Access Control includes built-in load balancing support. 

Therefore, you do not need to deploy a load balancer to manage requests made to 

Advanced Access Control servers. 

Step 2: Performing a Risk Analysis 

In the context of access control, vulnerabilities represent the possibility of 

unauthorized users gaining access to corporate resources. There are various 

methods of deriving risk, usually based on a combination of likelihood and 

consequence information. For example, when providing users with access to a 

specific corporate resource, how likely is a particular threat and what damage 

could be done if that threat is realized 

The key elements to consider when determining the risks associated with 

providing access to a corporate resource include the type of resource accessed, 

the sensitivity of the data included in that resource, and the environment from 

which the resource is accessed. Due to its subjective nature and the resulting 

damage, it is difficult to quantify risk. However, the goal of risk analysis is to 

ensure that your Advanced Access Control policies enable users to access 

corporate resources at an acceptable risk level. 

For example, consider the benefits of enabling users to access confidential data 

compared with the possibility that this data is accidentally revealed to 

unauthorized users. If your analysis reveals the risk is too great, you can create 

policies that further restrict access to this data and, as a result, minimize the risk 

associated with providing access to this data. 

Step 3: Developing Your Access Strategy 

After you collect information about your corporate infrastructure, identify the 

corporate resources for which you want to provide access, and perform a risk 

analysis, you are ready to develop your access strategy. This process includes 

determining how to integrate Advanced Access Control into your existing 

network.


Securing Access and Resources with Policies 

Policies extend the security of your network by controlling which resources users 

can access and what actions users can perform on those resources. Before 

creating policies, consider: 

• Resources. Identify the resources for which you want to provide access. 

Use the results of your risk analysis to assist you in this process. 

• Users. Associate policies with the appropriate users. 

• Access scenarios. Develop policies to support the scenarios in which users 

access corporate resources. A scenario is defined by the logon point used to 

access the network, endpoint analysis scan results, authentication type, or a 

combination thereof. For example, determine if users can access their email 

over the Internet using a corporate laptop. 

In addition, determine the actions users can perform when they gain access. 

For example, you can specify whether users can modify documents using a 

published application, preview a document as an HTML file, and so on. 

For a detailed explanation about how to incorporate policies into your access 

strategy, see “Controlling Access Through Policies” on page 131. 

Planning for Client Requirements 

Advanced Access Control includes two methods of verifying information on the 

client device. Continuous scans verify required files, processes, or registry entries 

on client devices connecting to your network. These scans run repeatedly during 

the user session to ensure that the client device continues to meet your 

requirements. You can incorporate continuous scans into connection policies so 

that if a required file, process, or registry scan ceases to be verified, the 

connection is disconnected. 

Endpoint analysis scans detect information about a client device, such as the 

operating system version and service pack level. The scans run when a user tries 

to connect through a logon point. However, unlike continuous scans, endpoint 

analysis scans run only once per session. You can incorporate scan results into 

access policies, allowing you to base access to your networks and resources on 

the information you gather about the client device. For example, you can prohibit 

access to your corporate network by employees working from a home 

workstation unless the workstation is running a required version of antivirus 

software. 

For more information about incorporating continuous and endpoint analysis scans 

into your access strategy, see “Verifying Requirements on Client Devices” on 

page 165.


Traversing Firewalls 

Access Gateway eases firewall traversal and provides a secure Internet gateway 

between Advanced Access Control servers and client devices. Scenarios in which 

firewalls are commonly used include: 

• Demilitarized zones (DMZs). In this scenario, firewalls are used to create 

one-stage or two-stage DMZs to protect the corporate network from 

Internet traffic. This deployment requires users external to the network to 

traverse firewalls protecting the corporate network before gaining access to 

corporate resources. 

• Enclaves. In this scenario, firewalls limit traffic between specific segments 

of the network. For example, hospital administrators may segment their 

LAN so that access to sensitive information such as patient records is 

accessible only from specific enclaves within the network. 

• Perimeter of access server farm. In this scenario, firewalls secure 

Advanced Access Control servers from threats within the corporate LAN 

by forming a secure perimeter around the access server farm. This 

deployment ensures that the access server farm is not directly accessible to 

users. 

Corporations often implement a combination of the above deployments to protect 

against different types of threats. See the Access Gateway Standard Edition 

Administrator’s Guide for more information about supported Access Gateway 

deployment scenarios. 

Protecting Sensitive Corporate Data 

Sensitive data, often referred to as intellectual property, is any information, 

application, or service considered proprietary to the corporation. Examples of 

intellectual property include financial documents, customer data, employee 

records, and so on. The sensitivity of data is based on the assessment of impact if 

there is a loss of data confidentiality or integrity. When assessing the sensitivity 

of data consider: 

• Regulatory requirements. More stringent privacy laws impose new levels 

of confidentiality on several business sectors including health care, 

insurance, and finance. In addition, the global environment necessitates an 

awareness of regulations in any state or country in which your corporation 

performs business. 

• Legal ramifications. Determine if there are any legal implications related 

to the exposure of proprietary data; specifically, whether or not another 

party takes legal action against your corporation due to the exposure of 

confidential information to unauthorized users.


• Competitive impact. Determine if the loss of information results in your 

corporation’s inability to remain competitive. For example, consider a 

scenario in which your company’s “secret recipe” is made available to your 

competitors. 

• Corporate reputation. Determine the impact to your corporation’s 

reputation if certain proprietary information is made available to 

unauthorized users. For example, consider a scenario in which your 

customers’ credit card information is accessed by unauthorized users. In 

addition to possible legal action, customers may lose faith in your 

company’s ability to maintain their privacy and, as a result, choose to stop 

using your services. 

The goal of intellectual property control is to prevent the exposure of sensitive 

corporate data. Using Advanced Access Control, you can protect intellectual 

property through the use of the following policy-based access control features: 

• HTML Preview. You can configure Microsoft Office files such as Word 

and Excel so that they display as HTML files instead of their native file 

format. This allows users to view but not modify the document. In addition, 

the risks associated with temporary files are mitigated as the HTML files 

are removed from the client device’s cache when the user terminates the 

session. Therefore, no sensitive data is accidentally left on the client device 

after users log off. 

• Citrix Presentation Server integration. You can configure files to open 

within a published application instead of a local application on a client 

device. This increases the protection of intellectual property because 

proprietary data remains within the protected corporate network at all 

times. 

In addition, you can share Advanced Access Control policy information 

with Citrix Presentation Server to selectively enable functionality for a 

specific published application session such as client drive mapping and 

local printing. For more information about filters, see “Controlling Access 

Through Policies” on page 131. 

Evaluating Authentication Types 

Authentication is the process of determining whether users are, in fact, who they 

declare to be. Advanced Access Control supports one-factor and advanced 

authentication. Each authentication option is described in the following sections.


One-Factor Authentication 

One-factor authentication is based on something users know such as a PIN, 

password, or pass phrase. When implementing one-factor authentication, users 

authenticate to Advanced Access Control by entering their user name and 

password when they log on. Users are assumed to be valid because they enter the 

correct credentials. 

The advantages of using one-factor authentication include: 

• Advanced Access Control supports standard Windows- and LDAP-based 

one-factor authentication. Therefore, no additional effort or implementation 

costs are associated with this authentication method. 

• Passwords are easily revokable and replaceable in the event that they are 

compromised. 

• All users are familiar with user names and passwords. 

The disadvantages of using one-factor authentication include: 

• Passwords are highly susceptible to “social engineering” attacks where 

users unknowingly provide their passwords to unauthorized users. 

• Users can share passwords and as a result, it is not possible to rely on a 

password to ensure that the authentication is genuine. In addition, after 

sharing passwords for a particular purpose, users often forget to change 

their passwords. This allows multiple users to authenticate using the same 

set of credentials. 

Advanced Authentication 

Advanced authentication combines something a user knows with a second piece 

of information. The second piece of information can be something the user has, 

such as a hardware token, or something a user knows, such as an additional 

password. Advanced Access Control integrates with RSA Security SecurID, 

Secure Computing SafeWord, and RADIUS to support advanced authentication. 

The advantages of advanced authentication include: 

• It increases your overall confidence in the authentication process. Whether 

it is an additional password or a one-time passcode generated from a 

hardware token, requiring users to provide an additional piece of 

information greatly mitigates authentication-related risks. For example, if a 

user’s main password is compromised, an attacker must obtain the user’s 

RADIUS password or hardware token to access the network. 

• Token-based solutions provide an additional benefit in that users cannot 

record their authentication information for later use. This ensures that users


adhere to the basic password protection best practice of not saving 

proprietary authentication information in electronic or paper format. 

The disadvantages of advanced authentication include: 

• Implementation costs are significant. In addition to the software required to 

validate advanced authentication information, token-based solutions also 

require the purchase of hardware tokens. 

• Tokens can be lost, stolen, or forgotten. 

Consider the advantages and disadvantages of one-factor and advanced 

authentication. For some corporations, one-factor authentication provides a 

sufficient level of security. However, if your corporation requires additional 

security, an advanced authentication solution may be more appropriate. 

Planning for High Availability 

Advanced Access Control includes built-in load balancing support. In addition, 

Advanced Access Control servers support industry-standard server clustering 

applications and techniques to ensure high availability and maximum business 

continuity. When planning your Advanced Access Control deployment, consider 

implementing one or more of the following solutions: 

• Database backups. Back up your Advanced Access Control SQL database 

to recover from a variety of problems including database storage failures, 

application errors, and user errors. In addition, backups are often critical 

when recovering from catastrophic disasters such as hurricanes, fires, 

floods, and so on. 

• Hardware redundancy. Prevent downtime due to hardware failures by 

detecting a failing component before it actually fails and bypassing a failure 

when it does occur. To achieve hardware redundancy, ensure your hardware 

meets the minimum requirements as specified in “Server Requirements” on 

page 41. In addition, determine if redundancy is needed in the following 

areas: 

• Switches and routers transporting Advanced Access Control traffic 

• Network cards on Advanced Access Control servers 

• Database servers 

• Server redundancy. Each Advanced Access Control server within an 

access server farm is configured for the HTML Preview server role by 

default. Therefore, each server you add to your farm acts as a redundant 

server to minimize downtime in the event of a server failure. If you do not 

want all servers in your farm assigned to this role, deploy one or more


servers for each Advanced Access Control server with this role enabled. 

For more information about assigning the HTML Preview server role, see 

“Modifying Server Roles” on page 219. 

• Database redundancy. A SQL database server stores all of Advanced 

Access Control’s data. Therefore, to ensure that this data is always 

available to users, consider one or more of the high availability strategies: 

• Clustering 

• Log shipping 

Considering Users’ Needs 

• Network load balancing to switch SQL servers 

• Stretch clustering 

For more information about the above high availability solutions, refer to 

your SQL documentation. 

When planning your access strategy, consider the needs of your users. This 

analysis helps you determine the type of access users need to perform effectively. 

Consider the following issues: 

• Productivity. Create policies that provide the appropriate level of access 

for users to remain efficient and productive. 

• Access to resources. Evaluate which resources users need to access such as 

email, Web applications, published applications, file shares, and so on. 

• User interface. Determine the default user interface you want users to see 

when they log on. Advanced Access Control includes the Access Interface, 

a Web page that displays a user’s available corporate resources and email. 

In addition, you can configure any Web application such as a Citrix Access 

Platform site or a third-party portal as the default user interface. 

• Working offline. Consider whether users periodically access the network 

to synchronize data and work offline. For example, users who travel often 

could benefit from securely accessing their email in real-time and 

synchronizing data to their client device. This allows these employees to 

remain productive because they can continue to work even while 

disconnected from the network. 

• Client devices. Advanced Access Control supports a range of client 

devices. Therefore, evaluate the hardware and software profile of your 

client devices including form factor, operating system, browser, and so on 

to ensure the client devices in your environment meet the minimum


requirements of Advanced Access Control. For additional information 

about client device requirements, see “Client Requirements” on page 58. 

• Browser-only access. Determine if users need to access network file 

shares, Web email, and internal Web sites from “locked down” client 

devices that do not permit the downloading of any client software. In this 

scenario, a Web browser is the only client software needed to access the 

corporate network. 

Note: Not all Web applications support browser-only access. For more 

information, see “Limitations of Browser-Only Access” on page 145.

CHAPTER 4 

Licensing the Advanced Edition 

Citrix Licensing limits the number of concurrent user sessions to the number of 

licenses purchased. If you purchase 100 licenses, you can have 100 concurrent 

user sessions at any time. When a user ends a session, the license is released for 

the next user. A user who connects from more than one computer at the same time 

uses a license for each session. 

The licensing process includes the following steps: 

• “Installing Citrix Licensing” on page 33 (optional if you already have 

Citrix Licensing) 

• “Obtaining Licenses” on page 34 

• “Specifying the License Server” on page 36 

• “Adding Shortcuts to the License Management Console” on page 37 

(optional) 

Installing Citrix Licensing 

Access Gateway Advanced Edition requires access to at least one shared or 

dedicated license server running Citrix Licensing. If your product portfolio 

already includes other Citrix products, you may already have a license server 

available to store and manage your user licenses. If so, you can skip this step and 

proceed to obtain your license files. 

Note: The Access Gateway Standard Edition uses a license server on the 

gateway appliance and does not require a dedicated Citrix license server. You 

must use a dedicated license server for the Advanced Edition. If you upgrade 

from the Standard Edition and do not already have a Citrix license server, you 

need to install one. 

You can install and configure Citrix Licensing before, during, or after you install 

Access Gateway Advanced Edition.


Obtaining Licenses 

To install Citrix Licensing, follow the procedures in the Getting Started with 

Citrix Licensing Guide, available from: 

• The Citrix Knowledge Center (http://support.citrix.com/) 

• The Documentation folder on the product CD 

• Start > All Programs or Programs > Citrix > Access Gateway > 

Documentation on a server running Access Gateway Advanced Edition 

Because licensing is a crucial part of your product installation, Citrix strongly 

recommends that you read the licensing guide before installing Citrix Licensing. 

Getting More Information 

In addition to the Getting Started with Citrix Licensing Guide, you can find a 

series of articles designed to provide you with more detailed information for tasks 

that extend beyond the scope of installing your licensing components. These 

articles are listed in Chapter 3 of the guide and are found in the Citrix Knowledge 

Center (http://support.citrix.com/). 

If you have not already done so, you must obtain license files to download and 

copy to your license server. License files contain the licenses that you allocated 

for a specified license server. You obtain these files from the Licensing area of the 

MyCitrix Web site (http://www.mycitrix.com/). 

Before downloading a license file, be prepared with the case-sensitive name of 

the license server that will store the license file and the number of licenses you 

want to allocate to that server. 

Further details about the information to have ready and the steps for downloading 

license files are provided in the Getting Started with Citrix Licensing Guide, 

available on the product CD, from the Start menu of a server running the Access 

Gateway Advanced Edition, or the Support area of the Citrix Web site 

(http://support.citrix.com). 

Determining the Licenses Required 

Users connecting through the Access Gateway Advanced Edition occupy two 

licenses—one for the gateway appliance and one for the Advanced Access 

Control server. Therefore, ensure that you have an adequate number of both 

Access Gateway and Access Gateway Advanced Edition user licenses to support 

your deployment. 

Both types of licenses can be bundled together into a single license file for 

copying to the license server.

Chapter 4 Licensing the Advanced Edition 35 

Note that each server occupies one of the Access Gateway Advanced Edition 

concurrent user licenses. When tallying the number of licenses you need, include 

one for each server. 

Licensing Grace Period 

A 96-hour grace period goes into effect at installation if you point your Access 

Gateway Advanced Edition server to a license server with no product licenses 

installed. A grace period of 30 days goes into effect if communication with a 

license server is lost after having contacted the license server successfully at least 

once. 

During the grace period, user sessions are not disconnected. However, new user 

sessions cannot be connected. If the grace period runs out before communication 

is established with a license server with the appropriate licenses, all active user 

sessions are disconnected. 

Mixed Environments 

For environments with a mixture of deployments (in other words, Access 

Gateway Standard Edition deployments and Advanced Edition deployments), 

you can allocate the desired number of licenses among the different deployments 

when you generate your license files. 

To allocate new or migrated licenses 

1. Log on to MyCitrix (http://www.mycitrix.com). 

2. Choose Licensing > Fulfillment > Fulfill Eligible Products, choose the 

licensing program type of your license, and follow the on-screen 

instructions to select licenses. A Product Fulfillment Certificate verifies 

license conversion and presents the resulting license codes. 

After you generate new license codes, you must allocate licenses into license files 

that you copy to the license server. Allocating licenses lets you choose the 

number of licenses to include in a license file; you can allocate all or some of 

your available licenses at a time. The license file is a digitally signed, text-only 

file that contains product licenses and information needed by the license server. 

To download license files 

1. From MyCitrix (http://www.mycitrix.com), choose Licensing > Citrix 

Activation System > Activate or Allocate Licenses. 

2. Follow the on-screen allocation instructions. Note that the License Server 

Name is case-sensitive. 

3. Download the license file.


By default, the Citrix Activation System saves files to the last location used by 

the Save As control. License files have the extension .lic. In the event you cannot 

locate the downloaded license file, search your computer for files with an .lic 

extension. 

Note: 

Care. 

If you have trouble downloading license files, contact Citrix Customer 

To copy licenses to the license server 

1. In the License Management Console, navigate to the License Files pages of 

the Configuration tab. 

2. On the License Files page, click Copy license file to License Server, 

browse to your license file, and copy it to the license server. 

3. Ensure that the license server recognizes the new file by performing one of 

the following actions. 

• In the License Management Console, from the Welcome page, click 

Configure License Server, followed by Update license data. 

• If you are not using the License Management Console, you must 

initiate a reread of the file. At a command prompt, navigate to 

C:\Program Files\CitrixLicensing\LS\ and type the following 

command: 

lmreread -c @localhost 

After the license server recognizes the file, your Citrix products can be 

launched. 

Important: Do not edit license files without understanding their format. You 

can unintentionally corrupt them and render the licensing system unusable. 

Specifying the License Server 

All computers in an access server farm must communicate with the same license 

server. You can specify the license server during initial installation through the 

Server Configuration Utility, or specify it later through the farm node of the 

Access Management Console.

Chapter 4 Licensing the Advanced Edition 37 

To specify a license server 

1. From the console tree, select the server farm node and choose Define 

license server under Other Tasks. 

2. Configure the following settings: 

A. Host name. Type the name of the license server. 

B. License server port number. This is the port number the product 

uses to communicate with the license server. Unless you must 

perform configurations to accommodate a firewall or the default port 

is already in use, Citrix recommends you leave the port at its default 

setting. 

Adding Shortcuts to the License Management Console 

The License Management Console snap-in allows you to create a shortcut to one 

or more license servers. You have the option of installing the snap-in when you 

install the product or can add it later from the product CD. Use the shortcut to run 

the License Management Console remotely and administer licensing for your 

farm. 

To create a shortcut to the license servers in your environment 

1. From the console tree, click the Licensing node. 

2. Under Common Tasks, click Add shortcut to license server. 

3. For Server name, type the DNS name or IP address of the license server 

for your farm.


CHAPTER 5 


The installation of Advanced Access Control varies depending on your 

deployment scenario. You can install the logical server components on a single 

physical server or distribute components across multiple servers. 

The topics in this section provide the following information: 

• “Planning Your Installation” on page 39 

• “Server Requirements” on page 41 

• “Network Requirements” on page 43 

• “Feature Requirements” on page 46 

• “Authentication Software Requirements” on page 53 

• “Citrix Presentation Server Integration Requirements” on page 54 

• “Client Requirements” on page 58 

• “Console Requirements” on page 62 

• “Installation Overview” on page 62 

• “Installing Advanced Access Control” on page 63 

Planning Your Installation 

As part of your access strategy, you must also plan for the installation of the 

Access Gateway Advanced Edition components and the requirements for the 

features you want to implement. This section provides an overview of the tasks 

you must perform before and after you install the Advanced Access Control 

software. 

Pre-Installation Tasks 

Many of the features of Access Gateway Advanced Edition require that certain 

components are installed or settings are configured before you install the 

Advanced Access Control software.


The following table provides an overview of these prerequisites to help you plan 

your installation. References to additional information about each component or 

feature are included. 

Component or Feature Required Task Additional Information 

Access Gateway appliance Install appliance(s) Access Gateway Standard Edition 

Pre-Installation Checklist 

Access Gateway Standard Edition 

Administrator’s Guide 

Advanced Access Control server 

Database server 

License sever 

HTML Preview 

Ensure the server meets all hardware 

and software requirements 

• Supported version of Microsoft 

Windows 

• Windows Installer 3.0 or 3.1 

• .NET Framework 2.0 

• MDAC 2.7 or 2.8 

Set Web extensions 

• ASP.NET (Allowed) 

• Active Server Pages (Allowed) 

• FrontPage Server Extensions 

(Prohibited 

• WebDAV (Prohibited) 

Ensure network configuration meets 

requirements 

Ensure service account meets 

requirements 

Install database server and create 

user account 

Restart the server if installing on the 


Install Citrix License Server on the 

Advanced Access Control server or a 

separate server 

Install Microsoft Office (without 

Outlook) on the Advanced Access 

Control server 

“System Requirements” on page 42 

“Network Requirements” on page 43 

“Service Account Requirements” on 

page 44 

“Microsoft SQL Server User 

Account Requirements” on page 44 

“Database Requirements” on page 

46 

“Installing Advanced Access 

Control” on page 63 

Getting Started with Citrix Licensing 

Guide 

“HTML Preview Requirements” on 

page 46

Chapter 5 Installing Advanced Access Control 41 


Web email 

Install Microsoft Exchange System 

Management Tools and Microsoft 

Exchange Administrator 5.5 on the 


Update the mapisvc.inf file on the 


Post-Installation Tasks 

“Installing the Microsoft Exchange 

System Management Tools and 

Administrator Software” on page 51 

“Default Email Interface 

Requirements” on page 51 

RADIUS Authentication Install Visual J# .NET 2.0 “RADIUS Requirements” on page 

53 

RSA SecurID Authentication 

Install RSA ACE/Agent for 

Windows 

“SecurID Requirements” on page 54 

Secure Computing SafeWord Install SafeWord Agent “SafeWord Requirements” on page 

54 

Access Management Console 

If installing on a standalone 

workstation, ensure required 

software is installed 

“Console Requirements” on page 62 

The following table provides an overview of tasks you perform immediately after 

installing the Advanced Access Control software. References to additional 

information about each component or feature are included. 


Access Gateway appliance 

HTML Preview 

Configure communication with 

Advanced Access Control server(s) 

To display PDF files, install and 

configure conversion software 

“Enabling Advanced Access 

Control” on page 80 

“HTML Preview Requirements” on 

page 46 

Server Requirements 

Before proceeding with software installation, verify that the servers you are using 

meet the hardware and software requirements for Advanced Access Control. 

Important: To ensure that installation of Advanced Access Control progresses 

smoothly, use servers that are not configured as domain controllers. During 

installation, Advanced Access Control adds a service account to the local 

Administrators group that is not present on a domain controller. If you attempt to 

install Advanced Access Control on a domain controller, the service account 

cannot be added and the installation will fail.


System Requirements 

• PC with a 550 MHz processor 

• 768 MB of physical memory 

• 9 GB of available hard disk space 

• Microsoft Windows 2000 Server Family with Service Pack 4, or Windows 

Server 2003, Standard Edition, Web Edition, or Enterprise Edition with all 

service packs and updates installed 

• Internet Information Services (IIS) 5.0 or 6.0 

• Microsoft Windows Installer 3.0 or 3.1 

• Microsoft .NET Framework 2.0 

• Microsoft Data Access Components (MDAC) Version 2.7 Refresh or 2.8 

Important: You must install the Windows Installer (WindowsInstaller- 

KB884016-v2-x86.exe), the .NET Framework, and MDAC 2.7 Refresh 

(mdac_typ.exe) before you install Advanced Access Control. The Windows 

Installer, .NET Framework, and MDAC 2.7 Refresh executable files are located 

on the Advanced Access Control Server CD-ROM. 

To set Web services extensions 

Before installing Advanced Access Control, you must ensure the following Web 

services extensions are set appropriately in the Internet Information Services (IIS) 

Manager: 

Extension Name Required for Advanced Access Status in IIS Manager 

Control Installations 

ASP.NET Yes Allowed 

Active Server Pages Yes Allowed 

FrontPage Server 

Extensions 

WebDAV 

No. Must be prohibited for the Web 

proxy to function properly. 

No. Must be prohibited for Outlook 

Web Access (OWA) to display the 

contents of users’ inboxes. 

Prohibited 

Prohibited


1. Click Start > Programs or All Programs > Administrative Tools > 

Internet Information Services (IIS) Manager. 

2. Expand the local computer node and then select Web Services Extensions. 

3. Make the following selections as required: 

• Select ASP.NET and click Allow. 

• Select Active Server Pages and click Allow. 

• Select FrontPage Server Extensions and click Prohibit. 

• Select WebDAV and click Prohibit. 

You may need to register ASP.NET if you installed the .NET Framework before 

installing IIS. To register ASP.NET, locate aspnet_regiis.exe and then type 

aspnet_regiis.exe -i from a command prompt. 

Network Requirements 

Before installing Advanced Access Control, ensure that your network 

configuration meets the following requirements: 

• The computers or resources that users will access are connected to the 

Advanced Access Control servers you will deploy 

• The Advanced Access Control server is: 

• A member of the domain to which users who authenticate to the 

server belong 

—Or— 

• A member of a domain that trusts and is trusted by the domain(s) of 

the authenticating users 

• In a multi-domain environment, trust relationships have been established so 

that users in all domains can authenticate and access resources 

• To provide access to the Internet, a Domain Naming System (DNS) host 

record resolves to a public IP address for the Access Gateway appliance 

Note: To configure Advanced Access Control successfully, the server must 

belong to a domain. If the Advanced Access Control server is a member of a 

workgroup and not a domain, the Server Configuration wizard does not run.


Account Requirements 

This section describes the server accounts required to install Advanced Access 

Control. 

Microsoft SQL Server User Account 

Requirements 

When creating an access server farm, Advanced Access Control requests an 

account for access to SQL Server. The specified account must permit Advanced 

Access Control to create a database for the access server farm and then connect to 

the database. 

To create the database during install, at a minimum, the account must be included 

in the Database Creators server role on SQL Server. After Advanced Access 

Control creates the database, the database user must be assigned the 

db_datareader and db_datawriter permissions. 

SQL Server 2000 supports Windows Authentication mode, which requires 

Windows user accounts for access, and Mixed Mode, which accepts Windows 

user accounts and SQL Server accounts. 

When you first install Advanced Access Control and create an access server farm, 

Setup creates a database with the same name as the access server farm. Setup 

does not create additional databases when you add servers to an access server 

farm. 

Note: The database creation and access requirements in this section apply to 

both SQL Server authentication and Windows authentication for database user 

accounts. 

Service Account Requirements 

When you install Advanced Access Control and create a new access server farm, 

the Server Configuration wizard prompts you for an account to use for 

communicating with services and servers in the farm. This account is referred to 

as the service account. You must specify an existing account to be the service 

account. If you do not have a service account, create one prior to installing 

Advanced Access Control. Valid service accounts meet the following 

requirements: 

• The service account must be a member of the local Administrators group on 

every server in the farm.


• The service account must not be disabled and not subject to password 

expiration or other credential changes. If the service account is removed, 

the access server farm will not operate. 

• The service account can be a local user account only if you are creating a 

single-server access server farm and do not intend to scale the farm. You 

cannot install Advanced Access Control on multiple servers with a local 

user account selected for the service account. Citrix strongly recommends 

using a domain account instead of a local user account when installing 

Advanced Access Control. 

Important: If you specify a local user account as the service account, 

ensure the local user account also has database owner permissions for the 

database Advanced Access Control creates during Setup. If the local user 

account does not have database owner permissions, some features might 

not be available to users. 

• In an Active Directory environment, when specifying the service account 

user name in User Principal Name (UPN) or Alternate UPN format, you 

must enter the full domain name. 

If necessary, you can change the service account after installing Advanced Access 

Control. For more information about changing service account details, see 

“Changing Service Account and Database Credentials” on page 218. 

Note: If you are deploying Advanced Access Control in an environment where 

the Restricted Group policy is used to control the membership to the local 

Administrators group, ensure the user associated with the service account is in 

one of the groups added by the Restricted Group policy. For additional 

information, refer to the Resource Kit for Windows 2000 or Windows 2003. 

Using Security Templates with the Service 

Account 

Your corporate IT policy may require that security templates be applied to reduce 

the attack surface area of your Windows servers. The Highly Secure security 

template (HiSECWS.INF) removes the service account from the local 

Administrators group when applied after installing Advanced Access Control. 

After applying this security template, add the service account back to the local 

Administrators group. Otherwise, Advanced Access Control will not function 

correctly.


Database Requirements 

Access Gateway Advanced Edition supports the following database packages: 

• Microsoft SQL Server 2005 

• Microsoft SQL Server 2000 with Service Pack 4 

• Microsoft SQL Server Express 2005 

Note: If you install Microsoft SQL Server and you create a database before you 

install Advanced Access Control, be sure to specify case-insensitive collation 

when you create the database. This ensures the names you assign to resources 

remain unique and prevents resources with duplicate names from being created. 

Access Gateway Requirements 

Feature Requirements 

The Access Gateway appliance is a universal SSL VPN appliance that provides 

users with controlled access to application and information resources. For 

information about requirements for installing and using the Access Gateway 

appliance, see the Getting Started with Citrix Access Gateway Standard Edition 

guide. 

You can use Advanced Access Control to allow users to view, upload, or 

download Web-based resources using any client device that has a Web browser. 

However, some features such as Live Edit use additional client software. Other 

features require additional server software. This section provides information to 

help you plan access to features depending on a feature’s client or server 

requirements. 

HTML Preview Requirements 

HTML Preview enables users to view files such as Microsoft Office documents 

or Adobe Acrobat PDF files in HTML. 

Installing Microsoft Office for HTML Preview 

To use HTML Preview to view Microsoft Office documents, the following 

software must be installed on a Web server in your access server farm: 

• Microsoft Word 2000, XP, or 2003


• Microsoft Excel 2000, XP, or 2003 

• Microsoft Powerpoint 2000, XP, or 2003 

• Microsoft Visio 2002 or 2003 

If you install these programs after installing Advanced Access Control, you will 

need to restart the Citrix Activation Engine Service. 

If you use HTML Preview with Microsoft Office documents, be aware of the 

following considerations: 

• Microsoft Outlook must be excluded from the Office installation because it 

interferes with Advanced Access Control’s Web email functions. 

• All devices deploying HTML Preview content to users should have 

adequate Microsoft Office licenses. For more information about licensing 

requirements, refer to your Microsoft Office Licensing Agreement. 

• If multiple servers are configured for HTML Preview, these servers must 

have the same version of Microsoft Office installed. Otherwise, a document 

viewed with HTML Preview may appear different to some users, 

depending on the version of Office rendering the document. 

For more information about using HTML Preview to provide access to 

documents, see “Allowing HTML Preview” on page 139. 

Using Macros with HTML Preview 

When using HTML Preview to access Microsoft Office documents, it is possible 

to run macros embedded within these documents. Viewing a document containing 

macros could represent a security risk to your deployment because the macros 

may run on the Advanced Access Control server within the context of the service 

account. 

Before implementing HTML Preview, evaluate each of the following strategies 

for mitigating this potential risk: 

• Set macro security in each Microsoft Office application according to your 

organization’s network security policies 

• Configure each Microsoft Office application to run in the context of a User 

account with limited privileges 

Important: These strategies do not provide protection against possible security 

risks related to functional issues in Microsoft Office applications (for example, 

Microsoft Word crashes when opening a document). As you evaluate these 

strategies, consider Microsoft’s recommendations for server and application 

security as well as your organization’s information security requirements.


To disable embedded macros in Microsoft Office 

1. Launch the Microsoft Office application installed on the Advanced Access 

Control server. 

2. Set the macro security level to the highest level available for the version of 

the Microsoft Office application you are running. 

3. Disable trust for all installed add-ins and templates. 

For more information about setting macro security for Microsoft Office 

applications, refer to the Microsoft Office documentation or the Microsoft Office 

Web site. 

To configure Microsoft Office applications to run under a User account 

This procedure involves automating Office applications using an unattended user 

account. For more information about this approach and its accompanying 

considerations, refer to Microsoft knowledgebase article 288367, How to 

configure Office applications to run under a specific user account. 

1. Log on to the Advanced Access Control server as Administrator and create 

a new User account. 

2. Start the Office application you want to configure and press ALT+F11 to 

load the Visual Basic for Applications (VBA) editor. 

3. Close the application and the VBA editor. 

4. Click Start > Run and type DCOMCNFG to open the Component 

Services console. 

5. From the DCOM Config node, locate the Office application you want to 

configure. They are listed as follows: 

• Microsoft Excel Application 

• Microsoft PowerPoint Presentation 

• Microsoft Word Document 

6. Right-click the application and select Properties. 

7. Click the Security tab and perform the following tasks: 

A. Under Launch and Activation Permissions, select Customize and 

then click Edit. 

B. Add the User account you created and allow Local Launch and 

Local Activation permissions. Ensure the SYSTEM, 

INTERACTIVE and Everyone accounts are present. 

C. Under Access Permissions, select Customize and then click Edit.


D. Add the User account you created and allow the Local Access 

permission. 

8. On the Identity tab, select This user and enter the credentials of the User 

account you created. 

9. Restart the server. 

Repeat these steps for each Office application you want to configure. After you 

restart the server, start the Task Manager and then start each application to verify 

it is running under the new User account. 

Using HTML Preview with PDF Documents 

If you want to use HTML Preview with PDF documents, you must install on the 

Advanced Access Control server software that converts the PDF file to HTML. 

For more information about configuring Advanced Access Control to view PDF 

files, see the Citrix Knowledge Center article CTX107543: Customizing HTML 

Preview in Advanced Access Control located on the Citrix Web site. 

Live Edit Requirements 

Live Edit is a convenient way for users to work remotely with files such as Word 

documents and Excel spreadsheets using a Web browser. 

To use Live Edit, users must have the following software installed on their 

computers: 

• Microsoft Internet Explorer 6.0 SP1 

• Live Edit Client ActiveX control 

• An appropriate Microsoft Office editing application such as: 

• Microsoft Word 2000, XP or 2003 

• Microsoft Excel 2000, XP, or 2003 

• Microsoft Powerpoint 2000, XP, or 2003 

• Microsoft Visio 2002 or 2003 

Note: After installing any Microsoft Office applications, run the application for 

the first time before using Live Edit. This ensures that any post-installation tasks 

are completed and allows the Live Edit Client to display documents for editing 

without delay.


For information about requirements for running the Live Edit Client, see “Client 

Requirements” on page 58. For more information about using Live Edit to 

provide access to documents, see “Allowing Live Edit” on page 140. 

Email Synchronization Requirements 

Email synchronization allows users to synchronize their email folders on their 

client devices with their folders on Microsoft Exchange or Lotus Notes/Domino 

servers to prepare for working offline. 

Email synchronization requires the following components: 

• Microsoft Outlook 2000, XP, or 2003; or Lotus Notes R5, R6, or R7 

installed on the client device 

• Secure Access Client installed on the client device 

• An email server running Microsoft Exchange or Lotus Notes/Domino 

For more information about requirements for the Secure Access Client, see 

“Client Requirements” on page 58. For more information about email 

synchronization, see “Providing Users with Secure Access to Email Accounts” on 

page 188. 

Web Email Requirements 

You can provide users with access to corporate email resources using Web email. 

Using the included default email interface, users can access their email accounts 

from a workstation or a handheld device with only a Web browser. This interface 

functions only with email servers using Microsoft Exchange. 

Advanced Access Control also supports using Outlook Web Access, Lotus 

iNotes/Domino Web Access, or other Web email interfaces. Outlook Web Access 

and iNotes do not operate on handheld devices such as PDAs. 

The following table lists the components required for each supported Web email 

platform.


Advanced Access Control 

Web Email 

Outlook Web Access 

iNotes/Domino Web Access 

Required Email 

Server 

Microsoft Exchange Server, 

Versions 2000 or 2003 with all 

service packs and critical 

updates installed 

Microsoft Exchange Server, 

Versions 2000 or 2003 with all 

service packs and critical 

updates installed 

IBM Lotus Domino Server, 

Versions R6 or R7 

Required Server 

Administration 

Tools 

Microsoft Exchange System 

Management Tools 

Microsoft Exchange 5.5 

Administrator 

Microsoft Exchange System 

Management Tools 

Microsoft Exchange 5.5 

Administrator 

N/A 

Supported Web 

Browsers 

Internet Explorer 6.0 SP1 

Safari 1.1 and 1.3 

Netscape Navigator 8.0 

Mozilla Firefox 1.0 



Default Email Interface Requirements 

If you are using Microsoft Exchange 2000 and you want to use the default Email 

Interface, you must install Microsoft Exchange System Management Tools and 

then update the mapisvc.inf file on the Advanced Access Control server. For 

more information, see “Updating the Mapisvc.inf File” on page 193. 

Installing the Microsoft Exchange System Management 

Tools and Administrator Software 

Microsoft Exchange System Management Tools and Microsoft Exchange 5.5 

Administrator supply the MAPI components that are required for Web email 

functionality. These tools are supported on the following operating systems: 

• Microsoft Windows 2000 Server Family with Service Pack 3 or 4 

• Windows Server 2003, Standard Edition or Enterprise Edition 

When using these tools, it is important that you: 

• Install Microsoft Exchange System Management Tools and Microsoft 

Exchange 5.5 Administrator on the server before installing Advanced 

Access Control or other software such as Microsoft Office. This ensures the 

required Messaging Application Programming Interface (MAPI) 

components are installed correctly. 

• Install the versions of Microsoft Exchange System Management Tools and 

Microsoft Exchange 5.5 Administrator that are included with the version of 

Microsoft Exchange you are using. If they do not match, Web email may 

not function correctly.


• Ensure the WebDAV Web service extension is set to “Prohibit” if you use 

Outlook Web Access for your Web-based email interface. If this extension 

is set to “Allowed,” users’ inboxes may not display correctly. 

For information about configuring Web email, see “Providing Users with Secure 

Web-Based Email” on page 184. 

Using Microsoft Windows 2003 Server Web 

Edition for Web Email 

If you are using Microsoft Windows Server 2003 Web Edition and you have 

Microsoft Exchange 2003 in your environment, you cannot install Microsoft 

Exchange System Management Tools or Microsoft Exchange 5.5 Administrator. 

Instead, copy the MAPI components to the %SystemRoot%/system32 directory 

of the Advanced Access Control server. 

To install the MAPI components on a server running Microsoft Windows 

2003 Server Web Edition 

1. On the server running Microsoft Exchange 2003, copy the following files: 

• mapi32.dll 

• mapisvc.inf 

2. On the Advanced Access Control server, paste the files to the 

%SystemRoot/system32 directory. 

User Profile Access Requirements 

Advanced Access Control stores MAPI user profiles in the Temp folder located in 

the Advanced Access Control installation directory. Users configured for Web 

email must have read/write access to this folder. Before installing Advanced 

Access Control, you must add the users to the Users group on all Advanced 

Access Control servers. The installation process grants the Users group read/write 

access to the Temp folder. 

Endpoint Analysis Requirements 

You can configure endpoint analysis scans to be run on client devices to check 

them for protective measures, such as operating system patches and antivirus 

software, before users access resources. 

Endpoint analysis scans require the Endpoint Analysis Client that can be installed 

as an ActiveX control, a plug-in for Netscape Navigator or Firefox, or as a 

Windows 32-bit application. To download and install the ActiveX control, users 

must be members of the Administrators or Power Users group of the client 

device.


Important: If the Endpoint Analysis Client is not installed on a client system, 

the user can access only those resources for which a scan is not required. 

For information about requirements for running the Endpoint Analysis Client, see 

“Client Requirements” on page 58. For more information about configuring 

endpoint analysis scans, see “Creating Endpoint Analysis Scans” on page 166. 

Authentication Software Requirements 

Advanced Access Control supports using the following authentication methods to 

strengthen the security of your deployment: 

• Microsoft Active Directory 

• Lightweight Directory Access Protocol (LDAP) 

• Remote Authentication Dial-In User Service (RADIUS) 

• RSA SecurID 5.2 or 6.0 

• Secure Computing SafeWord PremierAccess and SafeWord for Citrix 

LDAP Requirements 

To use LDAP with Access Gateway Advanced Edition, you must have an LDAPcompliant 

directory service in your environment such as Microsoft Active 

Directory, Novell eDirectory, or IBM Directory Server. 

Important: User credentials specified in User Principle Name (UPN) or 

Alternate UPN formats are not supported when using LDAP as an authentication 

method. 

RADIUS Requirements 

To use RADIUS with Access Gateway Advanced Edition, you must install the 

Microsoft Visual J# .NET Version 2.0 executable file (vjredist.exe) on the server 

running Advanced Access Control before you install the Advanced Access 

Control software. This executable file is located in the JSharp20 folder on the 

Advanced Access Control Server CD-ROM. 

Important: User credentials specified in User Principle Name (UPN) or 

Alternate UPN formats are not supported when using RADIUS as an 

authentication method.


For more information about using RADIUS with logon points, see “Creating 

RADIUS Authentication Profiles” on page 102. 

Supported RADIUS Authentication Protocols 

Access Gateway Advanced Edition supports implementations of RADIUS that 

are configured to use the Password Authentication Protocol (PAP) for user 

authentication. Other authentication protocols such as the Challenge-Handshake 

Authentication Protocol (CHAP) are not supported. 

For more information about configuring RADIUS authentication, see “Creating 

LDAP Authentication Profiles” on page 104. 

SecurID Requirements 

To use SecurID authentication with Access Gateway Advanced Edition, install 

the RSA ACE/Agent for Windows software before installing the Advanced 

Access Control software. If you install Advanced Access Control before you 

install the ACE/Agent, SecurID authentication does not function correctly. 

For information about requirements for installing RSA SecurID, refer to the RSA 

product documentation. 

SafeWord Requirements 

To use SafeWord authentication with Access Gateway Advanced Edition: 

• Obtain the latest version of the SafeWord Agent from Secure Computing 

• Install the SafeWord Agent software on the server before installing the 

Advanced Access Control software 

For information about requirements for installing SafeWord PremierAccess and 

SafeWord for Citrix, refer to the Secure Computing documentation for these 

products. 

Citrix Presentation Server Integration 

Requirements 

To access resources published with Citrix Presentation Server using file type 

association or Web Interface, users must have a Citrix Presentation Server Client 

on their client device. 

Advanced Access Control supports integration with the following versions of 

Citrix Presentation Server: 

• Citrix Presentation Server 4.0 

• MetaFrame Presentation Server 3.0


• MetaFrame XP 1.0 Feature Release 3 with Service Pack 4 

• MetaFrame for UNIX 4.0 

Note: Advanced Access Control supports application policies that are applied 

using Citrix Presentation Server Version 4.0 and above. While Advanced Access 

Control can communicate with older versions of Citrix Presentation Server, it 

does not allow application-specific policies to be applied. 

You can configure the logon point to use either the Web Client or the Client for 

Java on demand when users access published resources. 

Advanced Access Control supports using the following Citrix Presentation Server 

Clients: 

Client English Japanese German Spanish French 

Citrix Presentation Server Client 

Version 9.2 

Yes Yes Yes Yes Yes 

Client for Java Version 9.4 Yes Yes Yes Yes Yes 

Web Client Version 9.2 Yes Yes Yes Yes Yes 

For more information about requirements for running the Client for Java, see the 

Client for Java Administrator’s Guide. For more information about configuring 

Advanced Access Control to access published resources, see “Allowing File Type 

Association” on page 138. 

Citrix Presentation Server for UNIX Requirements 

If you want to integrate Advanced Access Control with Citrix Presentation Server 

for UNIX, be aware of the following: 

• Workspace Control is not supported 

• SmartAccess is not supported 

• Because Web Interface requires users to enter a domain when logging on, 

users must enter the word “unix” as the domain to authenticate to Web 

Interface through Advanced Access Control 

SmartAccess Requirements 

The SmartAccess feature enables organizations to better control how published 

applications are accessed and used.


You can use SmartAccess with Advanced Access Control to control which 

resources users can access, based on their access scenario, and what they can do 

within those resources after they get access. SmartAccess integrates with Web 

Interface for Citrix Presentation Server to give organizations granular control 

over published applications. To use SmartAccess, you must have the following 

components in your environment: 

• Citrix Access Gateway Advanced Edition 

• Citrix Presentation Server 4.0 

Note: 

SmartAccess is not supported with Citrix Presentation Server for UNIX. 

If you are using Web Interface to access published applications, you must also 

have the following software: 

• Access Suite Console 4.0 for Citrix Presentation Server with the Web 

Interface Extension 4.2 patch applied 

• Web Interface for Citrix Presentation Server 4.0 or 4.5 

You must also ensure that address translation and firewall settings are identical 

for the Web Interface and Advanced Access Control. For more information about 

configuring SmartAccess, see the Web Interface Administrator’s Guide. 

Multiple Access Platform Site and Credential Caching 

Requirements 

Advanced Access Control supports displaying up to three Citrix Access Platform 

sites within the Access Interface. If the credentials used to log on to the Access 

Platform sites are different from those used for Advanced Access Control, you 

can cache these credentials so users are not required to reenter them. These 

features require: 

• Web Interface for Citrix Presentation Server 4.0 or 4.5. 

• Advanced Access Control to authenticate users with Active Directory 

credentials only. Credential caching is not supported for use with RADIUS, 

LDAP, RSA SecurID, or Secure Computing SafeWord. 

SmoothRoaming Requirements 

The SmoothRoaming features of Citrix Presentation Server provide users with 

uninterrupted access to information. These features include Workspace Control, 

Session Reliability, and Dynamic Session Reconfiguration.


Note: 

UNIX. 

Workspace Control is not supported with Citrix Presentation Server for 

You can use SmoothRoaming features with Advanced Access Control to enable 

users to move between client devices and gain access to all of their applications 

when they log on. To use SmoothRoaming, you must have the Advanced or 

Enterprise edition of Citrix Presentation Server 3.0 or 4.0 installed on a server in 

your environment. SmoothRoaming is not available in the Citrix Presentation 

Server Standard Edition. 

Requirements for Bypassing the Web Proxy 

If you want users to bypass the Web proxy when accessing a Web resource, you 

can allow them to access the resource using the Secure Access Client. For 

information about requirements for running the Secure Access Client, see “Client 

Requirements” on page 58. 

Third Party Portal Integration Requirements 

Access Gateway Advanced Edition supports integration with third party portals 

such as Microsoft Sharepoint to provide convenient access to Web resources, file 

shares, Web email, and published applications. To integrate Microsoft Sharepoint 

you must have one of the following versions installed in your environment: 

• Microsoft Sharepoint 2001 

• Microsoft Sharepoint 2003 

Typically, users can work with documents managed by Sharepoint using menudriven 

commands. When users access the Sharepoint site through the Web proxy, 

menu items that require ActiveX to function are not available. The following 

table describes these menu items: 

Menu Item Requires ActiveX Available to Users by 

Default 

View Properties No Yes 

Edit Properties No Yes 

Edit in Microsoft Office Yes No 

Delete No Yes 

Check In No Yes 

Check Out No Yes


Menu Item Requires ActiveX Available to Users by 

Default 

Version History No Yes 

Alert Me No Yes 

Discuss Yes No 

Create Document Workspace No 

Yes 

Additionally, custom menu items that require ActiveX to function are not 

available to users when Sharepoint is accessed through the Web proxy. 

Client Requirements 

This section describes the client requirements for the platforms that Advanced 

Access Control supports. 

Web Browser Requirements 

Advanced Access Control supports the use of Web browsers on the following 

platforms: 

Devices Operating System Web Browser 

Desktop Workstations 

Microsoft Windows: 

Windows XP Home/ 

Professional SP2 

Windows 2000 Professional 

SP4 




Apple Macintosh OS X 

(English only) 10.3.9 or greater 

Safari 2.0 



Red Hat Linux Netscape Navigator 8.0 

Mozilla Firefox 1.0.4


Devices Operating System Web Browser 

PDAs and Smartphones PalmOS 5.4 

(Palm Treo 650) 

Microsoft Windows Mobile 5.0 

(UT Starcom/Verizon Wireless 

XV6700) 

Microsoft Windows Mobile 

2003 

(HP iPAQ hw6515 Mobile 

Messenger) 

RIM BlackBerry 

(BlackBerry 7130e) 

Symbian (Japanese only) 

(Motorola FOMA M1000) 

PalmSource Web Browser 2.0 

Internet Explorer 

Internet Explorer 

Default Web Browser 

Default Web Browser 

Note: If you are using Apple Macintosh OS X, apply all updates, service packs, 

and patches to ensure Web-based features function properly.


The following table describes localization support based on the platform and Web 

browser: 

Web Browser English Japanese German Spanish French 


(Windows 2000/XP) 










Yes No No No No 

Yes Yes Yes No Yes 



Safari 2.0 (Mac OS X) Yes No No No No 


(Mac OS X) 


(Mac OS X) 


(Mac OS X) 




Advanced Access Control delivers content to client Web browsers by transmitting 

Web pages encoded with HTML and JavaScript. In most cases, standard client 

configurations can support Advanced Access Control. 

You must ensure the following settings are configured for each Web browser: 

• Enable execution of client-side JavaScript 

• Allow downloading of signed ActiveX controls 

• Allow downloading of Java applets if you provide access to published 

applications and restrict users to the Client for Java 

For more information about configuring Web browsers for use with Advanced 

Access Control, see “Browser Security Considerations” on page 209. 

Live Edit Client Requirements 

The Live Edit Client is an ActiveX control that downloads automatically to a 

client Web browser to provide remote editing capabilities for Microsoft Office 

documents.


To use the Live Edit Client, the following software is required on users’ 

workstations: 

• Microsoft Windows 2000 or XP with all service packs and critical updates 

• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission 

to load signed ActiveX controls 

Note: Windows 2000 or XP users must be members of the Administrators or 

Power Users group to download and install ActiveX controls. 

Endpoint Analysis Client Requirements 

The Endpoint Analysis Client collects device information such as operating 

system, antivirus, or Web browser versions prior to logging on to Advanced 

Access Control. The Endpoint Analysis Client can be distributed as an ActiveX 

control, a browser plug-in, or a Windows 32-bit application. 

To use the Endpoint Analysis Client, the following software is required on users’ 

workstations: 

• Microsoft Windows 2000 or XP with all service packs and critical updates 

• Microsoft Internet Explorer 6.0 SP1 with cookies enabled and permission 

to load signed ActiveX controls if distributing the ActiveX control 

• Netscape Navigator 8.0 if distributing the browser plug-in 

• Mozilla Firefox 1.5 if distributing the browser plug-in 

Note: Windows 2000 or XP users must be members of the Administrators or 

Power Users group to download and install ActiveX controls. 

Secure Access Client Requirements 

The Secure Access Client acts as a proxy between the client computer and the 

Access Gateway appliance. The Secure Access Client can be distributed as a 

desktop application for Microsoft Windows or Linux operating systems. The 

Secure Access Client is downloaded and installed automatically when users enter 

the secure Web address of the Access Gateway appliance and a logon point in a 

Web browser.


Note: Windows 2000 and XP users must be members of the Administrators or 

Power Users group to install applications. Linux users must have the tcl and tk 

packages installed to use the Secure Access Client. 

The Secure Access Client is not supported in double-hop DMZ deployments. If 

you deploy Access Gateway Advanced Edition in a double-hop DMZ, users 

access resources only through a browser-only connection. 

Console Requirements 

The Access Management Console is the configuration and administration tool for 

Advanced Access Control. You can install the console on an Advanced Access 

Control server or on a standalone workstation. 

The Console requires at least: 

• Windows Server 2003, Standard Edition, Enterprise Edition, or Datacenter 

Edition with Service Pack 1; Microsoft Windows Server 2003, 64-bit 

Edition; Windows XP Professional with Service Pack 2; or Windows 2000 

Professional with Service Pack 4 

• 25 MB of hard drive space 

• .NET Framework Version 2.0 

• Microsoft Data Access Components (MDAC) Version 2.7 Refresh 

Important: If you install the console on the Advanced Access Control server, 

you must install the .NET Framework and MDAC 2.7 Refresh (mdac_typ.exe) 

before you install Advanced Access Control. The .NET Framework and MDAC 

2.7 Refresh executable files are located on the Advanced Access Control Server 

CD-ROM. 

Installation Overview 

This overview includes the basic steps for installing Advanced Access Control. 

Citrix supports deploying Advanced Access Control on a single server or on 

multiple servers. 

For important information to consider before installing Citrix products, review 

the readme files and administrator guides for components you plan to install. The 

readme files and administrator guides are available in the Documentation folder 

of the Advanced Access Control Server CD-ROM.


To get started with Advanced Access Control, complete the following steps: 

1. Before you begin installation, use Windows Update to ensure all Advanced 

Access Control servers are patched with critical updates. 

2. Ensure your servers meet all requirements for components and features you 

plan to use. 

3. Install and configure Citrix Licensing. See the Readme for Citrix Licensing 

and the Getting Started with Citrix Licensing Guide, available in the 

Documentation folder of the Advanced Access Control Server CD-ROM. 

Note: Citrix recommends performing this step before installing 

Advanced Access Control to save time during server configuration and 

prevent user access delays due to licensing issues. However, you can install 

the licensing server during or after server configuration. 

4. Install Advanced Access Control and the Access Management Console. 

5. Install additional components, if applicable. 

6. After you install components, visit the Citrix Hotfixes and Service Packs 

Web site to download and install critical updates. 


The Advanced Access Control Setup wizard guides you through the process of 

installing Advanced Access Control and its components. 

To install Advanced Access Control 

1. Insert the Advanced Access Control Server CD-ROM in the CD drive. The 

startup screen appears if autorun is enabled. If autorun is not enabled, 

navigate to the CD root directory and double-click AutoRun.exe. 

2. On the startup screen, click Access Gateway Advanced Edition. 

3. Read and accept the Citrix license agreement.


4. Select any of the following components to install: 

• Server. Installs the Advanced Access Control server software, 

including the Logon Agent and server configuration tools. 

• Management console. Installs the configuration and management 

tool for Advanced Access Control and the other products in the Citrix 

Access Suite. 

• Access Management Console - Licensing. Installs the Licensing 

Console snap-in. For more information about this snap-in, see “The 

Access Management Console User Interface” on page 82. 

• Access Management Console - Diagnostics. Installs the Diagnostic 

Facility Console snap-in. You do not need to install this component 

unless requested to do so by a Citrix Technical Support 

representative. For more information about this snap-in, see “The 

Access Management Console User Interface” on page 82. 

5. Follow the on-screen instructions to complete the Setup wizard. 

As Advanced Access Control is installed, a message box displays the progress. 

When the installation is complete, you can configure the server with the Server 

Configuration utility or you can install Advanced Access Control on other 

servers. 

To begin configuring your server, click Finish. For more information about 

configuring your server, see “Configuring Your Server” on page 76. 

Troubleshooting the Installation 

During installation, Advanced Access Control creates the log file 

CTXMSAM40_Install.log that you can use to troubleshoot the server installation. 

This log file is written to a temporary folder by default. To define the location of 

this folder, Advanced Access Control checks the following environment 

variables: 

• TMP 

• TEMP 

• USERPROFILE 

• windir 

The first valid path that Windows finds among these variables becomes the 

location of the installation log files. 

You can override this default path by typing /logfilepath folder_path at a 

command prompt, where folder_path is the location where you want to store the 

installation log files.


Uninstalling Advanced Access Control 

If you want to remove an Advanced Access Control component from a server, use 

Add/Remove Programs on the Control Panel. Depending on the options you 

selected during installation, remove these components in the following order: 

• Citrix Access Gateway 4.5 Server 

• Citrix Access Gateway 4.5 Console 

• Citrix License Server Administration 

• Citrix Access Management Console - Diagnostics 

• Citrix Access Management Console - Framework 

Note: If you remove the Citrix Access Gateway Console component before 

removing the Citrix Access Gateway Server component, the Server component 

cannot be removed successfully. 

The Citrix License Server Administration and Citrix Access Management 

Console - Diagnostics components can be removed at any time in the 

uninstallation. However, the Citrix Access Management Console - Framework 

component must be removed last. 

To remove Advanced Access Control components 

1. Choose Start > Control Panel > Add or Remove Programs. 

2. In Add or Remove Programs, select an Advanced Access Control 

component. 

3. Click Change or Remove. The wizard prompts for verification that you 

want to remove the software. 

4. Click Yes or Next to remove the component.


CHAPTER 6 

Configuring Advanced Access 

Control 

After you install Advanced Access Control, you configure each of your servers in 

the access server farm. The following topics discuss server configuration: 

• “Supported Configurations” on page 68 

• “Configuring Your Server” on page 76 

• “Steps to Configuring A Server” on page 77 

• “Enabling Advanced Access Control” on page 80 

• “Using the Access Management Console” on page 82 

• “Configuring Your Farm with the Getting Started Panel” on page 84 

• “Linking to Citrix Presentation Server” on page 85 

• “Configuring Logon Points” on page 89 

• “Logging on through the Logon Point” on page 92 

• “Updating Logon Page Information” on page 93 

• “Changing Expired Passwords” on page 93 

• “Setting the Default Logon Point” on page 93 

• “Removing Logon Points” on page 94 

• “Configuring the Access Gateway” on page 95 

• “Configuring Split Tunneling” on page 95 

• “Forwarding System Messages” on page 96 

• “Configuring Client Properties” on page 97 

• “Configuring Server Properties” on page 98 

• “Configuring ICA Access Control” on page 99


• “Configuring Authentication with Citrix Presentation Server” on page 100 

Supported Configurations 

You can deploy Access Gateway Advanced Edition in a variety of ways to meet 

the needs of your organization. Supported configurations include: 

• One or more Access Gateway appliances deployed in the DMZ and the 

Advanced Access Control server deployed in the internal network 

• One or more Access Gateway appliances deployed behind a load balancer 

in the DMZ and the Advanced Access Control server deployed in the 

internal network 

• A double-hop DMZ scenario where one or more Access Gateway 

appliances are deployed in the first DMZ, one or more Access Gateway 

appliances are deployed in the second DMZ, and the Advanced Access 

Control server is deployed in the internal network 

Access Gateway Configurations 

Depending on your organization’s needs, you can deploy one or multiple Access 

Gateway appliances. If your deployment includes a load balancer with multiple 

appliances, you configure each appliance with the same FQDN as the load 

balancer but you do not specify Access Gateway failover servers. The load 

balancer handles failover as well as load balancing. 

If your deployment includes multiple appliances without a load balancer, you 

configure each appliance with a unique FQDN and specify the other appliances as 

failover servers. For more information about deploying the Access Gateway 

appliance, see Getting Started with Citrix Access Gateway Standard Edition. 

Advanced Access Control Configurations 

Advanced Access Control supports the following access server farm 

configurations: 

• Advanced Access Control on a single server. 

Install Advanced Access Control on a single server. The server contains all 

required access server farm components, including the database server. 

• Advanced Access Control on a single server and Microsoft SQL Server 

on a separate server. 

Install Microsoft SQL Server on a separate server. Install Advanced Access 

Control and specify the SQL database server for the server farm database.

Chapter 6 Configuring Advanced Access Control 69 

• Advanced Access Control on multiple servers. 

Install Microsoft SQL Server on a separate database server. Install 

Advanced Access Control on multiple servers. 

Double-Hop DMZ Configurations 

You can deploy two Access Gateway appliances in a double-hop DMZ to control 

access to corporate resources through Advanced Access Control. In a double-hop 

DMZ configuration, three firewalls divide the DMZ into two stages to provide an 

extra layer of security for the internal network. One Access Gateway resides in 

the first DMZ while one or more Access Gateway appliances reside in the second 

DMZ. The Advanced Access Control server resides in the internal network. 

The Access Gateway in the first DMZ handles the client connections and 

performs the security functions of an SSL VPN. This Access Gateway encrypts 

the client connections, determines how clients are authenticated, and controls 

access to the servers in the internal network. 

The Access Gateway in the second DMZ serves as a proxy device. This Access 

Gateway enables the ICA traffic to traverse the second DMZ to complete 

Presentation Server Client connections to the access server farm. 

Communications between the Access Gateway in the first DMZ and the Secure 

Ticket Authority (STA) in the internal network are also proxied through the 

Access Gateway Proxy in the second DMZ. 

Note: The term Access Gateway Proxy refers to the Access Gateway appliance 

deployed in the second DMZ. 

When Access Gateway Advanced Edition is deployed in a double-hop DMZ 

configuration, the Access Gateway appliance in the first DMZ can communicate 

with any number of appliances in the second DMZ. However, the Access 

Gateway Proxy in the second DMZ can communicate with only one appliance in 

the first DMZ. Notification messages from the Advanced Access Control server 

are proxied through the Access Gateway in the second DMZ to the appliance in 

the first DMZ. For more information about communication between the Access 

Gateway and Access Gateway Proxy, see “Understanding the Relationship 

between the Access Gateway and the Access Gateway Proxy” on page 70. 

In a double-hop DMZ deployment, users connect to the Access Gateway in the 

first DMZ with a Web browser and a Citrix Presentation Server Client. Users 

access the logon point on the Advanced Access Control server with a Web 

browser to access corporate resources. Users connect with a Citrix Presentation 

Server Client to use the resources to which they have access such as published 

applications.


Important: The Secure Access Client is not supported in a double-hop DMZ 

deployment. You cannot use the Secure Access Client to access network 

resources when Access Gateway appliances are deployed in a double-hop DMZ 

configuration. 

Understanding the Relationship between the Access 

Gateway and the Access Gateway Proxy 

Although the Access Gateway in the first DMZ can communicate with any 

number of Access Gateway Proxy appliances in the second DMZ, the Access 

Gateway Proxy in the second DMZ can communicate with only one Access 

Gateway in the first DMZ. If you deploy multiple Access Gateway appliances in 

the first DMZ, you should configure each appliance to communicate only with 

the Access Gateway Proxy that is configured to communicate with that specific 

Access Gateway. 

For example, an administrator has two Access Gateway appliances in the first 

DMZ (named Appliance 1 and Appliance 2) and four Access Gateway Proxy 

appliances in the second DMZ (named Appliance 4, Appliance 5, Appliance 6, 

and Appliance 7). The administrator configures Appliances 4 and 5 to 

communicate with Appliance 1; and Appliances 6 and 7 communicate with 

Appliance 2, as illustrated below.


When configuring Appliance 1 in the first DMZ, the administrator enables 

communication only with the Access Gateway Proxy that is configured to 

communicate with Appliance 1. Therefore, the administrator configures 

Appliance 1 to communicate with Appliances 4 and 5 only. Likewise, the 

administrator configures Appliance 2 to communicate with Appliances 6 and 7 

only. The illustration below shows this configuration. 

In this example, each Access Gateway in the first DMZ communicates with a 

subset of the Access Gateway Proxy appliances in the second DMZ. This ensures 

the Proxy appliances are able to respond to the appropriate Access Gateway in the 

first DMZ. Otherwise, notifications from the Advanced Access Control server 

would be lost and users could not log on and use corporate resources. 

Deploying Double-Hop DMZ Configurations 

Deploying Access Gateway Advanced Edition in a double-hop DMZ 

configuration involves the following tasks: 

• Installing the Access Gateway appliances in the first and second DMZs. 

• Adding the IP addresses and FQDNs of the Advanced Access Control 

server, the Access Gateway in the first DMZ, and the Access Gateway 

Proxy in the second DMZ to the Hosts file on the Access Gateway 

appliances in both DMZs and the Advanced Access Control server. This 

task is required if you are not using DNS in your environment.


• Configuring the Access Gateway Proxy in the second DMZ to 

communicate with the Access Gateway in the first DMZ and the Advanced 


• Configuring the Access Gateway in the first DMZ to communicate with the 

Access Gateway Proxy in the second DMZ. 

• Configuring the Access Gateway in the first DMZ to communicate with the 

Advanced Access Control server. 

Important: To deploy this configuration correctly, you must perform these 

tasks in the specified order. For example, if you configure the Access Gateway in 

the first DMZ before you configure the Access Gateway Proxy in the second 

DMZ, you will receive errors and communication between the appliances will not 

occur even if all the settings are correctly configured. 

Step 1: Installing Access Gateway Appliances 

The Access Gateway Standard Edition Administrator’s Guide describes in detail 

the process for installing the Access Gateway in the first DMZ and the Access 

Gateway Proxy in the second DMZ. After you install these appliances, proceed to 

Step 2. 

Step 2: Adding Entries to the Hosts Files on the Access Gateway 

and Advanced Access Control Server 

The Hosts files on the Access Gateway appliances and the Advanced Access 

Control server consist of entries that are used to resolve FQDNs to IP addresses. 

If you are not using DNS in your double-hop DMZ configuration, you must add 

these entries. 

Use the Administration Tool to add the following entries to the Hosts file: 

• On the Access Gateway, add the FQDNs and IP addresses of the Access 

Gateway Proxy in the second DMZ and the Advanced Access Control 

server 

• On the Access Gateway Proxy, add the FQDNs and IP addresses of the 

Access Gateway in the first DMZ and the Advanced Access Control server 

On the Advanced Access Control server, use a text editor to add the FQDNs and 

IP addresses of the Access Gateway appliances in both DMZs to the Hosts file. 

To add entries to the Hosts file on the Access Gateway 

1. From the Administration Tool, click the Access Gateway Cluster tab and 

then expand the window for the Access Gateway in the first DMZ.


2. Click the Name Service Providers tab. 

3. Under Edit the HOSTS file, in IP address, enter the IP address of the 

Access Gateway Proxy installed in the second DMZ. 

4. In FQDN, enter the FQDN you want to associate with the IP address you 

entered in the previous step. Click Add. 

5. Repeat Steps 3 and 4 to add entries for any remaining Access Gateway 

Proxy appliances installed in the second DMZ and for the Advanced 


To add entries to the Hosts file on the Advanced Access Control server 

1. In Windows Explorer, locate the Hosts file in the 

%SystemRoot\system32\drivers\etc directory. 

2. Open the file using a text editor. 

3. On a separate line, type the IP address and associated FQDN of each 

appliance. 

4. Save the Hosts file. 

5. Repeat Steps 1 through 4 for each Advanced Access Control server in your 

farm. 

Step 3: Configuring Communication with the Access Gateway 

Proxy and Advanced Access Control 

For a double-hop DMZ configuration, you must first configure the Access 

Gateway Proxy in the second DMZ to communicate with the Access Gateway in 

the first DMZ and with the Advanced Access Control server in the internal 

network. After you complete this step, the Access Gateway Proxy is ready to 

establish communication with the Access Gateway in the first DMZ. 

Note: You can configure the Access Gateway Proxy to communicate with only 

one Access Gateway in the first DMZ. For more information about 

communication between the Access Gateway and Access Gateway Proxy, see 

“Understanding the Relationship between the Access Gateway and the Access 

Gateway Proxy” on page 70. 

To configure communication between the Access Gateway Proxy and the 

Access Gateway 

If you have multiple appliances installed in the second DMZ, perform this 

procedure on each appliance.


1. From the Administration Tool, select the Access Gateway Cluster tab and 

then expand the window for the appliance in the second DMZ. 

2. On the General Networking tab, in DMZ Configuration, select Second 

hop in double DMZ. 

3. In Protocol, select either SOCKS over SSL or SOCKS. 

4. In Port, the default port is either 443 (for secure connections) or 1080 (for 

unsecure connections). 

5. Select the Advanced Access Control check box. 

6. In FQDN of the first appliance in the DMZ, type the FQDN or IP address 

of the Access Gateway in the first DMZ. If you are using the SOCKS over 

SSL protocol, you must type the FQDN address. If you are using the 

SOCKS protocol, you can type either the FQDN or IP address. 

7. Click Submit and restart the Access Gateway Proxy. 

After you configure the Access Gateway Proxy, you can configure the Access 

Gateway in the first DMZ. 

Step 4: Configuring Communication between the Access 

Gateway and Access Gateway Proxy 

In a double-hop DMZ configuration, the Access Gateway in the first DMZ 

communicates with the Access Gateway Proxy in the second DMZ to deliver 

requests to the Advanced Access Control server in the internal network. 

Note: If you have multiple Access Gateway appliances installed in the first 

DMZ, you will need to configure each of these appliances to communicate with a 

subset of Access Gateway Proxy appliances. For more information, see 

“Understanding the Relationship between the Access Gateway and the Access 

Gateway Proxy” on page 70. 

To configure communication between the Access Gateway and Access 

Gateway Proxy 

1. From the Administration Tool, click the Access Gateway Cluster tab and 

then expand the window for the Access Gateway in the first DMZ. 

2. On the General Networking tab, in DMZ Configuration, select First hop 

in double DMZ. 

3. Select the Configure for Advanced Access Control check box. Click 

Add.


4. In the Add appliance from second hop window, complete the following: 

• FQDN or IP address. Enter the FQDN or IP address of the Access 

Gateway Proxy installed in the second DMZ. If you are using the 

SOCKS over SSL protocol, you must enter the FQDN address. If you 

are using the SOCKS protocol, you can enter either the FQDN or IP 

address. 

Note: This FQDN or IP address is also used by the Advanced 

Access Control server to communicate with the Access Gateway 

Proxy. When the Advanced Access Control server registers the 

Access Gateway in the first DMZ, the Gateway Appliances node in 

the Access Management Console displays the Access Gateway 

Proxy’s information. 

• Port. The default port for a SOCKS over SSL connection is 443. The 

default port for a SOCKS connection is 1080. You can change the 

default ports as necessary. 

• Protocol. Select SOCKS over SSL if you want to secure the SOCKS 

connection to the Access Gateway Proxy in the second DMZ with 

SSL. Select SOCKS if you want this connection to be unsecured. 

• Second hop appliance MAC address. Enter the MAC address of the 

network card associated with Interface 0 on the Access Gateway 

Proxy installed in the second DMZ. 

5. Click Validate to verify that the Access Gateway in the first DMZ can 

connect to the Access Gateway Proxy in the second DMZ using the 

specified address, protocol, and port. 

6. Repeat Steps 3 through 5 to add more appliances to the Appliances in 

second hop list. 

Note: The Access Gateway in the first DMZ uses the Appliances in 

second hop list to load balance connections to the appliances installed in the 

second DMZ. 

7. Click Submit and restart the Access Gateway.


Step 5: Configuring Communication between the Access 

Gateway and Advanced Access Control 

In a double-hop DMZ configuration, the Access Gateway in the first DMZ 

communicates with the Advanced Access Control server through the Access 

Gateway Proxy in the second DMZ. To configure the Access Gateway in the first 

DMZ to communicate with the Advanced Access Control server, see “Enabling 

Advanced Access Control” on page 80 for instructions. 

Changing the Server Configuration 

You can make changes to the access server farm configuration at any time from 

the console. When you install more than one Advanced Access Control server in 

an access server farm, you can configure additional servers to provide recovery, 

enhance performance, and increase the server farm’s capacity to support 

additional users. For more information about managing Advanced Access 

Control servers, see “Managing Your Access Gateway Environment” on page 

213. 

Configuring Your Server 

After you install Advanced Access Control, you configure your servers using the 

Server Configuration utility. This section describes the following configuration 

tasks: 

• Creating an access server farm 

• Selecting a farm database and specifying a database server 

• Specifying the Citrix Licensing Server 

• Selecting a Web site path and securing Logon Agent traffic 

• Enabling Advanced Access Control 

Server Configuration Overview 

The Server Configuration utility allows you to perform preliminary configuration 

tasks such as creating an access server farm and specifying a license server. 

This utility sets up the account you specify as the service account. It adds the 

account to the local Administrators group and grants the following local security 

policy rights: 

• Act as part of the operating system 

• Log on as a batch job


• Log on as a service 

Important: The Server Configuration utility cannot create a SQL user account 

for access to the farm database. You must create an account in SQL Enterprise 

Manager before you change the user account for database access. The database 

user account must have System Administrator privileges. 

The Server Configuration utility does not add the service account to network 

shares. 

The Server Configuration utility does not remove previous service accounts from 

the local security policy or network shares. If this is a security concern, remove 

the old accounts after updating the account information with the utility. 

The Server Configuration utility performs the following operations: 

• Verifies all account information 

• Updates services 

• Stops Advanced Access Control services 

• Starts Advanced Access Control services 

• Updates internal service account information 

• Updates internal database account information 

• Synchronizes the access server farm 

Steps to Configuring A Server 

After installing Advanced Access Control, you can configure a server with the 

Server Configuration Utility. 

To run the Server Configuration utility 

Click Start > Programs > Citrix > Access Gateway > Server Configuration. 

Creating or Joining an Access Server Farm 

When you install Advanced Access Control on a server, you can create a new 

access server farm or add the server to an existing access server farm. 

• Create a new access server farm 

Choose this option if you are creating an access server farm. The access 

server farm name becomes the SQL Server database name. Choosing this


option requires you to enter licensing, service account, and database 

information. 

• Join an existing access server farm 

Choose this option if you are adding a server to an existing access server 

farm. Choosing this option requires you to enter service account and 

database information. 

Selecting a Database 

When you create an access server farm, the Server Configuration utility prompts 

you to specify whether to use an existing SQL Server database or to install a local 

database engine. The database server stores the configuration data for the access 

server farm. 

• Microsoft SQL Server 

Choose this option to use a supported version of Microsoft SQL Server as 

the database server for the access server farm. SQL Server can run on the 

same server running Advanced Access Control or on a separate database 

server. 

Important: If you want to select a SQL Server database, be sure the SQL 

Service is running on the server you want to specify. If the SQL Service is 

not running, the Server Configuration utility cannot detect the server. 

• Microsoft SQL Server Express 

Choose this option if you want Advanced Access Control to install the 

necessary components for a local database server and create a database for 

the access server farm. The Server Configuration utility searches for an 

instance of SQL Server Express labeled CitrixAAC. If this instance is not 

found, the Server Configuration utility installs this instance for you. 

Note: Use the Microsoft SQL Server Express option for a pilot 

deployment of Advanced Access Control. Citrix recommends the use of 

Microsoft SQL Server for large-scale deployments. 

Specifying an Existing Database Server 

If you select Microsoft SQL Server as your database, the Server Configuration 

utility prompts you to specify the server on which SQL Server is installed. 

• Farm database server. Type the name of the database server.


• Access server farm name. Type the name of the access server farm you 

want to create or join. 

• Use the Service Account to access the configuration database. Choose 

this option to use the Advanced Access Control service account credentials 

to access the SQL database. 

• Use SQL Authentication to access the configuration database. Choose 

this option to use the SQL database account credentials to access the SQL 

database. If you choose this option, you must also enter the database user 

name and password. 

Specifying a License Server 

If you are creating a new access server farm, the Server Configuration utility 

prompts you to identify the license server you want to use to validate your 

installation of Advanced Access Control. You must select one of the following 

options to continue server configuration. 

• I would like to use an existing license server. Choose this option if you 

want to specify a license server that you installed directly. In the Host 

name box, type the name of the license server you want to use. If the 

license server uses a port other than 27000, clear the Use default port 

check box and then type the correct port in the License server port box. 

• I would like to install a new license server on this computer. Choose this 

option if you want to install a license server on the same machine as the 

server running Advanced Access Control. When you complete the server 

configuration, Advanced Access Control installs the license server. 

• I do not wish to configure licensing at this time. Choose this option if you 

want to specify a license server later. If you do not specify a license server, 

users will receive an “Access Denied” message when they attempt to log on 

to Advanced Access Control. 

Selecting a Web Site Path 

The Web site path is the location where all Web content for Advanced Access 

Control is installed. Review the Web site path that Advanced Access Control 

detects to ensure it is valid for your deployment. 

To change the physical path 

1. Select the Web site you want to change. 

2. Click the Use custom path for web content check box. 

3. In the Path box, type the physical path you want to use for the Web site. 

You can also click Browse to navigate to the directory you want to specify.


Securing Web Site Traffic with SSL 

When you select a Web site path, you can also enable the Secure Sockets Layer 

(SSL) protocol to secure communication with the Logon Agent. 

To secure Web site traffic, click the Secure traffic between the Logon Agent 

and the Authentication Service check box. 

Important: You must have the required digital certificates installed on the 

server before configuring Advanced Access Control. This check box is not 

enabled unless SSL is enabled on the server. 

Finishing Server Configuration 

The Server Configuration utility displays a summary of your selected options and 

configuration settings. After you review the summary, click Next to initiate server 

configuration. When configuration is complete, click Finish and proceed to 

enabling Advanced Access Control to manage the Access Gateway appliance. 

Enabling Advanced Access Control 

To use the granular access control features of Advanced Access Control, you 

must enable the Access Gateway appliance to communicate with the Advanced 


Note: If you are deploying Access Gateway Advanced Edition in a double-hop 

DMZ deployment, you enable communication with Advanced Access Control 

after several other tasks are completed. For more information about these 

additional tasks, see “Double-Hop DMZ Configurations” on page 69. 

To enable communication with Advanced Access Control, you perform the 

following tasks using the Access Gateway Administration Tool: 

• In the Name Service Providers tab, enter the DNS and WINS information 

for your Advanced Access Control server. 

• In the Routes tab, configure the IP routes as needed. 

• In the Advanced Options tab, select Advanced Access Control and enter the 

server information.


After you perform these tasks and reboot the appliance, you use the 

Administration Tool to manage appliance-specific settings only. For more 

information about using the Administration Tool, see the Access Gateway 

Standard Edition Administrator’s Guide. 

Important: When you enable Advanced Access Control to manage global 

gateway appliance settings, the corresponding settings in the Administration Tool 

are deactivated and any existing configuration values are removed. If you 

configured these settings with the Administration Tool before enabling Advanced 

Access Control, you must configure these settings again in the Access 

Management Console. For more information about configuring these settings in 

the console, see “Configuring the Access Gateway” on page 95. 

If you disable appliance administration with Advanced Access Control, the global 

gateway appliance settings you configured in the console are deactivated and 

existing configuration values are removed. 

To enable Advanced Access Control 

1. Launch the Access Gateway Administration Tool and select an Access 

Gateway appliance. 

2. On the Access Gateway Cluster tab, click Advanced Options. 

3. To manage the Access Gateway cluster using the Access Management 

Console, select Advanced Access Control. 

4. In Server running Advanced Access Control, type the IP address or 

FQDN of the server that is running Advanced Access Control. 

Important: If you specify the FQDN of the server running Advanced 

Access Control and you cannot connect to the server, ensure you have 

entered the DNS servers you want to use in the Name Service Providers tab 

of the Administration Tool. If you specify the IP address of the server 

running Advanced Access Control, you do not need to specify the DNS 

servers. 

5. To encrypt communication between the Access Gateway appliance and the 

Advanced Access Control server, select Secure server communication. 

6. Click Submit to save your changes. 

7. Restart the Access Gateway.


Using the Access Management Console 

The Access Management Console extends your ability to manage your 

deployment by integrating many of the administrative features of your Citrix 

products into the Microsoft Management Console (MMC). The Access 

Management Console is a standalone snap-in to the MMC. Management 

functionality is provided through a number of management tools (extension snapins) 

that you can select when you install the Access Management Console or at 

any time later. 

Installing the Access Management Console 

Before installing any snap-ins to the Access Management Console, ensure that 

you installed the Access Management Console - Framework Version 4.5. If you 

try to install any snap-ins before installing the Framework on your server, the 

installation fails. You cannot install any snap-in if a newer version of the snap-in 

is present on your server. If you try to do so, the installation fails. Before you 

install an older version of a snap-in, first uninstall your existing snap-in. 

Users and Accounts 

You must be a Citrix administrator to use the Access Management Console. You 

should therefore ensure that the correct administrator privileges are in place 

before allowing others to use the console. 

Do not run the console in two sessions simultaneously on one computer using the 

same user account. Changes made on the console in one session can overwrite 

changes made in the other. 

Deploying the Console to Administrators 

To use the console to make changes to an Advanced Access Control deployment, 

administrators must have permission to run the Access Gateway Server COM+ 

application. For more information about granting COM+ permissions, see 

“Securing the Access Management Console Using COM+” on page 215. 

The Access Management Console User Interface 

The main user interface of the Access Management Console consists of three 

panes: 

• The left pane contains the console tree. 

• The task pane in the middle displays administrative tasks and tools. This 

pane is not present in the MMC.


• The details pane on the right displays information about your deployment 

items and associated tasks. 

The following nodes are available under the top-level node in the console tree: 

• Alerts. Lists the alerts created by all the items in your deployment. Doubleclick 

an alert to drill down to the affected item. 

• Search Results. Displays the results of any search that you performed. 

Click Search in the task pane to perform a standard or advanced search. 

• My Views. Allows you to customize the information that you display in the 

details pane. 

In addition, nodes are created by some Access Management Console snap-ins 

when they are installed. Depending on your Access Management Console 

installation, the following snap-ins are available: 

• Licensing. Launches the License Management Console that allows you to 

manage licenses for your Citrix products. For more information about the 

License Management Console, see the Getting Started with Citrix 

Licensing Guide. 

• Diagnostic Facility. Creates and packages trace logs and other system 

information to assist Citrix Technical Support in diagnosing problems. 

Starting the Access Management Console 

To start the Access Management Console 

Click Start > Programs > Citrix > Management Consoles > Access 

Management Console. 

Finding Items in Your Deployment Using 

Discovery 

Before you can use the Access Management Console to manage the items in your 

deployment, you must run discovery. Discovery is not equivalent to locating 

items that already exist in the console tree, which you perform using Search in the 

task pane. In contrast, discovery adds items to the console tree. 

You discover items using the Run discovery task. The first time you open the 

console, discovery runs automatically. At any stage afterwards, run discovery to 

locate newly installed products or components and to update the console if items 

were added to or removed from your deployment. For example, if another 

instance of the console was used to configure settings, you need to run discovery 

to add those updates.


To run discovery for all components 

1. Select Suite Components in the console tree. 

2. Click Run discovery in the task pane. 

To run discovery for one component in the console tree, select the component and 

then click Run discovery. 

Running discovery is something that you should consider doing on a regular basis 

to ensure that you have the most up-to-date view of your deployment. Run 

discovery if: 

• You installed or removed an Access Gateway or Advanced Access Control 

item or component. The Console does not recognize any recently installed 

items or components until you run discovery. 

• Items are added to or removed from an existing deployment. The console 

tree, the details pane, and the available tasks are “refreshed” only after 

discovery is completed. 

• Your administrative privileges change or you change a custom 

administrator’s privileges. Modifications to privileges do not take effect in 

the console until you rerun discovery. 

Customizing Your Displays Using My Views 

You can create custom displays of the details pane called My Views. These are 

configurable displays that give you quick access to items you need to examine 

regularly or items in different parts of the console tree that you want to group in 

the same display. Instead of repeatedly browsing the console tree, you can place 

the items in a single, easily retrieved display. For example, you can create a My 

View to display policies for servers in different access server farms. 

Configuring Your Farm with the Getting Started Panel 

To help you configure your deployment, the Getting Started panel presents links 

to several wizards that guide you through tasks such as configuring email and 

access policies. 

To access the Getting Started Panel 

1. Select the Access Gateway node in the navigation pane. 

2. Under Other Tasks in the task pane, click Getting started. 

You can also right-click the Advanced Access Control node or the farm node in 

the console tree and then click All Tasks > Getting started.


By default, the Getting Started panel appears when you click the Advanced 

Access Control node. To prevent the Getting Started panel from appearing 

automatically, clear the Always show this page check box located near the 

bottom of the panel. 

Linking to Citrix Presentation Server 

You can link the access server farm to farms running Citrix Presentation Server. 

This allows you to offer published resources from Citrix Presentation Server 

through file type association or the Web Interface. When file type association is 

allowed by policies, opening a document launches it in an associated application 

running on a server. 

To link your access server farm to farms running Citrix Presentation Server, you: 

• Specify the farm(s) you want to link to your access server farm 

• Configure load balancing or failover if the server farm includes multiple 

servers 

• Configure address modes if the server farm is behind a firewall configured 

for Network Address Translation (NAT) 

Before you link your access server farm, ensure the following requirements are 

met in Citrix Presentation Server: 

• Published resources are assigned to the same user groups assigned to 

resources in the access server farm. 

• The option Allow connections made through Access Gateway is enabled 

for each published resource. This option appears in the access control 

settings of the published resource properties. 

• In each server’s properties, the option Trust requests sent to the XML 

Service is selected. 

Specifying Server Farms 

Create a list of the server farms that are available to users of Access Gateway. 

This list is used in logon point properties to specify which farms are available to 

users of the logon point. Each server farm you configure contains a list of servers 

you can use to specify load balancing or failover among servers within the farm. 

To specify server farms 

1. In the console tree, select the access server farm node and click Edit farm 

properties in Common Tasks. 

2. Select the Presentation Server Farm page and click New.


3. In the Citrix Presentation Server farm name box, type the name or IP 

address of the farm to which you want to link your access server farm. 

Note: Advanced Access Control accepts server farm names up to 50 

characters long. If the server farm name is longer than 50 characters, type 

the IP address instead. 

4. If you want to secure the link between Advanced Access Control and Citrix 

Presentation Server, select the Secure communication with the farm by 

applying a secure protocol check box. 

Note: To apply a secure protocol, you must have the appropriate client 

and server certificates installed on the Advanced Access Control servers 

and Access Gateway appliances. 

5. Click Next and then click Add. 

6. In the Server name box, type the machine name of the server running 

Citrix Presentation Server. 

Configuring Load Balance or Failover 

You can balance the load of requests sent to servers running Citrix Presentation 

Server. Requests follow the sequence of the server list in Presentation Server 

Farm Properties. The initial request goes to the first server on the list, the next 

request goes to the second server, and so on. After the last server, the process 

starts again at the top of the list. 

Important: Do not prioritize the data collector or master ICA browser server as 

the first server on the list. 

You can use the list to sequence failover in case connectivity to a server becomes 

unavailable. Use failover support to ensure continued access to published 

resources. 

The server list can sequence load balancing or failover support, but not both. By 

default, the server list is used for failover. 

To implement load balancing or failover support 

1. Select the access server farm node and click Edit farm properties. 

2. On the Presentation Server Farms page, select the farm and click Edit. 

The Presentation Server Farm Properties appear.


3. On the Servers page, use Up and Down to change the sequence of servers. 

4. Select Load balance requests to servers or Set failover sequence of 

unavailable servers. 

5. To change the bypass interval, change the value displayed in minutes. The 

default is five minutes. 

Configuring Address Modes 

If your server farm is behind a firewall and the firewall is configured for Network 

Address Translation (NAT), you can define settings to determine the IP address of 

the server included in ICA files. 

To configure address modes for client IP addresses 



3. On the Address Mode page, click New. 

4. In the Client IP Address box, type the incoming client IP address or range 

of IP addresses for client requests in dot address format (for example, 

255.255.255.255). For Access Gateway, the incoming address is the 

address of the Access Gateway appliance. 

5. Select the Server Address Mode from the list: 

• Normal. The IP address sent to the client is the actual address of the 

server. This is the default setting. 

• Alternate Address. The IP address sent to the client is the alternate 

address of the server. Alternate addresses are configured on the server 

running Citrix Presentation Server. To use this option, you must have 

a firewall with NAT enabled and alternate IP addresses assigned to 

the servers. For more information about setting alternate addresses, 

see the Citrix Presentation Server Administrator’s Guide. 

• Translated Address. The IP address sent to the client is based on the 

configured address translation mappings. For more information, see 

“Configuring Address Translation” on page 88. 

• Access Gateway. The IP address sent to the client is the actual 

address of the Access Gateway appliance. To use this option, you 

must also define the Access Gateway settings. For more information, 

see “Configuring the Access Gateway Address Mode” on page 88. 

You can assign addressing modes for specific IP addresses or a range of IP 

addresses. You can use asterisks as wildcards (such as 10.12.128.*) to indicate a 

range of IP addresses.


Configuring Address Translation 

If your server farm is behind a firewall, you can hide internal server addresses by 

performing the following tasks: 

• Map the internal IP address of each server to an external IP address 

• Specify the client addresses that use the translated address 

Note: To use this option, you must have a firewall with Network Address 

Translation (NAT) enabled. 

To map the internal IP address of a server 



The Presentation Server Farm Properties appear. 

3. On the Address Mode page, click Address Translation. 

4. Click New. 

5. Enter the internal IP address and port of the server running Citrix 

Presentation Server. 

6. In the Translated address box, enter the external IP address and port that 

clients must use to connect to the server. 

7. On the Address Mode page, click New to open the New Client Address 

Mode dialog box. Add the client IP address or range of addresses for the 

clients that use the translated address you just configured. Select 

Translated Address from the Server Address Mode list. 

The Address Translation settings apply only to the specified client IP addresses 

on the Address Mode page. 

Configuring the Access Gateway Address Mode 

If you are providing applications through Citrix Presentation Server, you must 

configure the server address mode. The server address mode determines which 

server IP address is sent to users when they open applications from the farm 

running Citrix Presentation Server. 

To configure the Access Gateway address mode 

1. Select the access server farm and click Edit farm properties. 

2. On the Presentation Server Farms page, select the farm and click Edit.


3. On the Address Mode page, click Access Gateway. 

4. Select the option to configure Access Gateway. 

5. Enter the Access Gateway server name (exactly as it appears on the server 

certificate) and port. 

6. If the servers in your server farm are behind a firewall and configured to 

use NAT alternate addresses, select the option to use alternate addresses. 

Associating Access Platform Sites 

If you display multiple sites within the Access Interface and want to preserve 

Workspace Control functions, you must select an Access Platform site to 

associate with a Presentation Server farm. After you configure and publish an 

Access Platform site as a Web resource, you can select the site from the Web 

Interface page of the farm properties. For more information, see “Displaying 

Multiple Sites and Caching Credentials” on page 160. 

Configuring Logon Points 

The logon point defines the logon page for users and specifies settings that are 

applied to user sessions. These initial settings include the required authentication 

strength, the clients to use, the home page, and the accessible server farms. User 

sessions inherit the properties of the logon point through which they connect. 

To determine the logon points you will need, consider: 

• The users who will be accessing your deployment. For example, users in a 

particular department may require their own logon point. Likewise, users 

with a specific relationship to your organization, such as partners, may 

require their own logon point. 

• The devices with which users access the logon point. For example, users 

who access resources with small form factor devices such as a PDA may 

require a logon point separate from the logon point accessed with 

workstations. 

• The policies you want to create that restrict access to resources based on the 

logon point used. For example, users who authenticate from a specific 

logon point can access specific resources that are unavailable when using a 

different logon point. 

For more information about using logon points in policies to control access to 

resources, see “Controlling Access Through Policies” on page 131. 

To configure a logon point in your deployment, you perform the following tasks: 

• Create the logon point using the console


• Deploy the logon point using the Server Configuration utility 

To create a logon point 

1. In the console tree, select Logon Points. 

2. Under Common Tasks in the task pane, click Create logon point. 

3. Type a unique name and description for the new logon point. 

4. Select a home page from the following options: 

• Display the default navigation page. Displays the Access Interface, 

a built-in default home page for users, with tabs for email, file shares, 

and Web applications. 

• Display the home page application with the highest display 

priority. Displays the Web application listed at the top of the display 

order list. To change the display priority, click Set Display Order. 

5. On the Authentication and Authorization pages, select the authentication 

method and group authority you want to use when users log on. For more 

information about configuring authentication, see “Securing User 

Connections” on page 101. 

6. On the Presentation Server Farms page, add the farms that you want to 

make available to users through file type association. If you are using the 

Web Interface to deliver published applications, you do not need to add 

farms to the logon point. For more information about using the Web 

Interface with Advanced Access Control, see “Integrating Citrix 

Presentation Server” on page 157. 

7. Configure options for sound, windows, and Workspace Control. 

Note: Workspace Control allows users to reconnect to their open 

applications. If users have pop-up blockers enabled, they are prompted to 

allow each application to open in a separate window. 

8. On the Clients page, select the clients you want to deploy to users during 

logon. 

9. On the Sessions Settings page, set the options for the method of prompting 

users for their domain and the number of days to warn users about 

password expiration.


Note: Users who allow their passwords to expire cannot log on to 

Advanced Access Control. For more information about restoring access to 

these users, see “Changing Expired Passwords” on page 93. 

10. On the Session Timeouts page, set the interval, in minutes, for the 

following time-out settings: 

• Maximum time for VPN client sessions. The length of time a 

session using the Secure Access Client is allowed to remain active. 

The default value of zero means the session remains active 

indefinitely. 

• Maximum time for traffic inactivity before session ends. The 

length of time a browser-only session or a session using the Secure 

Access Client is allowed to remain active without any traffic activity 

detected. The default value is 20 minutes. You may want to increase 

this value if users experience excessive time-outs with features such 

as Live Edit that do not communicate with the Advanced Access 

Control server to keep sessions active. If you enter zero for this 

setting, the session will remain active regardless of inactivity. 

• Maximum time for mouse and keyboard inactivity before VPN 

session ends. The length of time a session using the Secure Access 

Client is allowed to remain active without any mouse or keyboard 

input detected. If you enter zero for this setting, the session will 

remain active regardless of inactivity. 

11. On the Visibility page, select whether to show the logon page to users 

logging on through the Access Gateway or to set conditions for showing the 

logon page to users logging on to Advanced Access Control directly. The 

default logon point is always visible to users logging on through the Access 

Gateway. For more information about using conditions for showing the 

logon page, see “Setting Conditions for Showing the Logon Page” on page 

141. 

To deploy a logon point 

1. Click Start > Programs or All Programs > Citrix > Access Gateway > 

Server Configuration. 

2. From the Configured Logon Points page, select the logon point you want 

to deploy. 

3. Click Deploy.


Renaming Logon Points 

If you rename an existing logon point, you must redeploy it to make it available to 

users. To redeploy a renamed logon point, open the Server Configuration utility 

and select the renamed logon point. Click Update to redeploy the logon point. 

Logging on through the Logon Point 

When you deploy a logon point, a logon point folder is created in a virtual 

directory named CitrixLogonPoint. A URL pointing to the logon point folder can 

be used to access the network. For example: 

https://appliancename/CitrixLogonPoint/logonpointname 

where appliancename is the FQDN or IP address of the Access Gateway 

appliance and logonpointname is the name of the logon point folder. 

During installation, Advanced Access Control creates a logon point, called 

SampleLogonPoint, that you can use for testing. To access this logon point, you 

type the following URL: 

https://appliancename/CitrixLogonPoint/SampleLogonPoint 


appliance. 

Important: The sample logon point is designed for testing purposes only. 

Default policies created for the sample logon point allow all authenticated users 

to see the logon page and to log on. After testing your system, replace the sample 

logon point or edit these policies to comply with your network security 

guidelines. For more information, see “Controlling Access Through Policies” on 

page 131. 

Users can also access the default logon point by typing the following URL: 

https://appliancename/ 


appliance. For more information about default logon points, see “Setting the 

Default Logon Point” on page 93. 

For more information about distributing logon points to users, see “Rolling Out 

Advanced Access Control to Users” on page 195.

Updating Logon Page Information 


The Access Gateway stores copies of the Web pages and graphic files that 

comprise the logon pages users see when they access resources. You must update 

these files when you: 

• Deploy a new logon point 

• Customize an existing logon page 

• Redeploy a renamed logon point 

To update logon page files on the Access Gateway 

1. From the console tree, expand Logon Points and select the logon point you 

want to update. 

2. In Common Tasks, click Refresh logon page information. 

If the Access Gateway is unavailable when you perform this task, the console 

displays an error message indicating the gateway appliance is out of date. If the 

Access Gateway becomes available when you rerun the task, the console displays 

a message indicating the update was successful. 

Changing Expired Passwords 

The Session Settings page in the logon point properties allows you to specify the 

number of days to warn users about password expiration. Users can change their 

password at any time during this period and continue accessing resources through 

the logon point. Users who allow their passwords to expire are denied access and 

are not prompted to change their expired passwords. 

To restore access to users with expired passwords, select the User must change 

password at next logon check box in the user’s Windows account properties. 

The next time the user attempts to log on to Advanced Access Control, the user is 

prompted to change the expired password. 

Setting the Default Logon Point 

Default logon points enable users to log on to the access server farm through the 

Access Gateway without specifying a logon point. You can designate a logon 

point as the default using the console. When you install Advanced Access Control 

the SampleLogonPoint is designated as the default logon point. Only one logon 

point can be designated as the default at any time.


When you set a logon point as the default, the logon point becomes visible 

automatically to users logging on through the Access Gateway. If, at a later time, 

you set a different logon point as the default, the logon point remains visible to 

these users. If you want the logon point to be visible only to users logging on to 

Advanced Access Control within the corporate network, you must change the 

visibility settings in the logon point properties. For more information about 

configuring logon points, see “Configuring Logon Points” on page 89. 

To set a default logon point 

1. In the console tree, expand Logon Points and select the logon point you 

want to designate as the default. 

2. Under Common Tasks, click Set as default logon point. 

Removing Logon Points 

To remove a logon point from your deployment, you perform the following tasks: 

• Remove any policies associated with the logon point 

• Delete the logon point from the console 

• Remove the logon point’s virtual directory from the Advanced Access 

Control server using the Server Configuration utility 

To delete a logon point from the console 

1. In the console tree, expand Logon Points and then select the logon point 

you want to delete. 

2. Under Common Tasks in the task pane, click Delete logon point. 

To remove a logon point’s virtual directory from the server 

1. Click Start > Programs or All Programs > Citrix > Access Gateway > 

Server Configuration. 

2. On the Configured Logon Points page, select the logon point you want to 

remove. 

3. Click Remove.

Configuring the Access Gateway 


To enable the full range of access control features in Advanced Access Control, 

you configure the settings on the Advanced Options tab in the Access Gateway 

Administration Tool. Additionally, you use the Access Management Console to 

configure the settings that govern all the gateway appliances in your access server 

farm. These settings include: 

• Enable split tunneling and specify the networks that can be accessed 

through the Access Gateway 

• Capture system log messages 

• Enable Simple Network Management Protocol (SNMP) logs 

• Enable features that are controlled by the communication between the 

Secure Access Client and the Access Gateway 

• Create client access control lists (ACLs) 

Configuring Split Tunneling 

Split tunneling enables client devices to communicate with public Internet 

resources and your corporate network concurrently. 

Enabling split tunneling can improve the efficiency of the client connection and 

minimizes the occurrence of “Access Denied” messages when users access 

resources on the Internet or your corporate network. However, split tunneling 

requires you to configure a list of accessible networks so that users can access 

corporate resources. If this list is not defined, users cannot access any corporate 

resources regardless of any policies granting access. 

Disabling split tunneling maximizes the security of client connections and 

requires no additional configuration for users to begin accessing corporate 

resources. When split tunneling is disabled, all network traffic sent by the Secure 

Access Client is routed through the Access Gateway, including traffic to public 

Internet Web sites. Therefore, when users log on through the Access Gateway, 

they can access only the resources you define. If a user tries to access a resource 

that you have not defined, such as a public Web site, access is denied by default. 

To configure split tunneling 

1. From the console tree, select Gateway Appliances. 

2. Under Common Tasks, click Edit gateway appliances properties. 

3. On the Accessible Networks page, select or clear the option to enable split 

tunneling.


4. If you enable split tunneling, click New to configure the list of accessible 

networks. 

5. In the New Accessible Network box, select the addressing method you 

want to use. 

6. Enter the destination IP address and, depending on the selected addressing 

method, the corresponding subnet mask or network prefix length. 

Configuring Accessible Networks 

Accessible networks are the networks and subnets that can be accessed through 

the Access Gateway when split tunneling is enabled for the Secure Access Client. 

Users can access a server or subnode address provided that address is defined in 

one of the accessible networks. When a user logs on using the Secure Access 

Client, the access control list (ACL) received during authorization governs the 

accessible networks available to that user. 

When using accessible networks, be aware of the following limitations: 

• The Secure Access Client can recognize only 24 accessible networks. If 

your organization has a large number of subnets and you want to enable 

split tunneling, you may need to define supersets of networks so that you 

can define all required networks within the 24 recognized accessible 

networks. 

• When you enable split tunneling, all network resources you create in the 

Access Management Console must fall within the accessible networks you 

define. If you create a network resource that falls outside of these accessible 

networks, users cannot access the resource regardless of any policies 

granting access. 

When you define an accessible network in the Access Management Console, you 

specify the destination using either an IP address and subnet mask or the 

Classless Inter-Domain Routing (CIDR) addressing scheme. 

Forwarding System Messages 

System message logs contain information that can help support personnel assist 

with troubleshooting. You can forward system messages to a syslog server or 

enable SNMP logs. 

To forward Access Gateway messages to a syslog server 


2. Under Common Tasks, click Edit gateway appliances properties.


3. On the Syslog and SNMP page under Syslog Settings, type the IP address 

or the FQDN of the syslog server you want to capture system messages sent 

by the Access Gateway. 

4. In Syslog facility, select the facility you want to use for captured messages. 

Select User Level for generic user processes. Select Local Use 0 - 7 if you 

defined one of these facilities for Access Gateway processes. For example, 

a syslog server may have Local Use 0 defined for anonymous FTP 

processes while Local Use 1 is reserved for Access Gateway processes. 

5. In Statistics broadcast interval, type the frequency in minutes at which 

you want the Access Gateway to send system messages. If the broadcast 

interval is set to zero, broadcasting is continuous. 

To enable logging of SNMP messages 

When Simple Network Management Protocol (SNMP) is enabled, the Access 

Gateway reports the MIB-II system group (1.3.6.1.2.1). The Access Gateway 

does not support Access Gateway-specific SNMP data. 



3. On the Syslog and SNMP page under SNMP Settings, select Enable 

logging of SNMP messages. 

4. In SNMP server name or address, type the location of the SNMP server. 

This required field is informational only. 

5. In Name of SNMP contact or associate, type the contact. This field is 

informational only. 

6. In SNMP Community, type the name of the community. This required 

field is informational only. 

7. In Port, type the port. 

Configuring Client Properties 

The Client Properties page of the gateway appliances properties controls a variety 

of settings that affect the interaction between the Access Gateway and the Secure 

Access Client. 

To configure client properties 


2. Under Common Tasks, click Edit gateway appliances properties.


3. On the Client Properties page, select any of the following check boxes: 

• Require SSL client certificate for users connecting via the 

gateway appliances. If you want additional authentication, select 

this option to require certificates for Windows client computers. If a 

client certificate is required, it must be provided by the network 

administrator. The certificate is installed separately into the certificate 

store using the Microsoft Management Console. When this 

requirement is enforced, every computer that logs on through the 

Access Gateway must have an SSL client certificate that is in P12 

format. 

• Enable internal failover. Select this option to enable the Secure 

Access Client to connect to the Access Gateway from inside the 

firewall if the Access Gateway IP address cannot be reached. When 

internal failover is configured, the client will failover to the internal 

IP address of the Access Gateway if the external IP address cannot be 

reached. The Secure Access Client must connect at least once to 

retrieve the failover list. This list is then cached in the registry. 

Note: 

Internal failover is not available for browser-only access. 

Configuring Server Properties 

• Enable failover among gateway appliances. You can configure an 

Access Gateway to failover to multiple Access Gateways. Because 

the Access Gateway failover is active/active, you can use each 

Access Gateway as a primary gateway for a different set of users. 

The Server Properties page of the gateway appliances properties controls settings 

related to securing communications between the Access Gateway and Secure 

Access Client and improving Voice over IP connections. 

To configure server properties 



3. On the Server Properties page, select any of the following check boxes: 

• Validate SSL certificates on backend. Select this option to require 

the Access Gateway to validate SSL server certificates. This 

increases security for internal connections originating from the 

Access Gateway. Validating SSL server certificates is an important


security measure because it can help prevent security breaches, such 

as man-in-the-middle attacks. The Access Gateway requires 

installing the proper root certificates that are used to sign the server 

certificates. 

• Improve latency for Voice over IP traffic. Select this option to 

improve the latency and audio quality of Voice over IP (VoIP) traffic 

over an SSL connection. If you select this option, the Access 

Gateway appliance uses a 56-bit key to encrypt this traffic. Citrix 

recommends the use of strong ciphers to reduce the possibility of a 

malicious attack to the corporate network. For more information 

about improving VoIP connections made through the Access 

Gateway appliance, see the Access Gateway Standard Edition 

Administrator’s Guide. 

4. Select the bulk encryption cipher you want to use for symmetric encryption 

of data over SSL connections. 

Configuring ICA Access Control 

Citrix Presentation Server uses the Independent Computing Architecture (ICA) 

protocol for communication between its clients and servers. When using the 

Access Gateway as a proxy to tunnel ICA traffic without the Secure Access 

Client, you can control which servers running Citrix Presentation Server that 

users can access. To do this, you provide an access control list (ACL) in the 

Access Management Console. When users request published applications through 

the Access Gateway, they are granted or denied access based on the ACL you 

provide. 

If you are using the Web Interface to deliver published applications through the 

Access Gateway, you must configure the Web Interface’s Secure Gateway 

settings with the FQDN of the Access Gateway. 

Important: ACLs you specify are not applied when published applications are 

configured as network resources. 

To configure ICA access control 



3. On the ICA Access Control page, select the option to provide unrestricted 

access or use an ACL to restrict access to servers running Citrix 

Presentation Server.


4. To provide an ACL, click New. 

5. In Start IP address and End IP address, type the range of IP addresses of 

the servers running Citrix Presentation Server you want to include. 

6. In Port, type the port number or enable the default port. 

7. In Protocol, select the protocol you want to use. 

• Select ICA to allow ICA/SOCKS connections to the selected servers. 

Typically, you would use ICA for servers running Citrix Presentation 

Server that accept ICA/SOCKS connections. 

• Select CGP to allow CGP connections to the selected servers. 

Typically, you would use CGP for servers running Citrix Presentation 

Server that accept CGP connections. CGP can provide session 

reliability if you enable session reliability on the selected servers. 

Configuring Authentication with Citrix Presentation 

Server 

Citrix Presentation Server works with the Web Interface and the Secure Ticket 

Authority (STA) to provide authentication and authorization for clients. To 

provide access to published applications using the Web Interface through the 

Access Gateway, you must configure the STA settings in the gateway appliances 

properties. You also configure these settings to preserve Workspace Control when 

you enable the display of multiple Access Platform sites within the Access 

Interface. 

To configure the Access Gateway to use the Secure Ticket Authority 



3. On the Secure Ticketing Authority page, click New. 

4. Type the IP address or FQDN of the server where the STA is installed. 

5. Select Use secure communication to secure the connection to the STA. 

6. In STA Path, type the path of the STA. 

7. In STA ID, type the ID of the STA or click Retrieve STA ID to 

automatically enter the ID based on the server and path.

CHAPTER 7 

Securing User Connections 

Access Gateway Advanced Edition supports authentication and authorization for 

users connecting from remote locations. Advanced Access Control supports 

several authentication types including Active Directory, LDAP, RADIUS, RSA 

SecurID, and Secure Computing Safeword products. 

You can enable these authentication types by configuring the Logon Point 

Properties in the Access Management Console. When you configure a logon 

point, you select the authentication and authorization methods you want to use. 

For example, you can select LDAP to authenticate users and Active Directory to 

authorize users to access certain corporate resources. 

The following topics discuss how to configure these authentication types: 

• “Configuring Advanced Authentication” on page 101 

• “Configuring RADIUS and LDAP Authentication” on page 102 

• “Configuring RSA SecurID Authentication” on page 108 

• “Configuring SafeWord Authentication” on page 110 

• “Configuring Trusted Authentication” on page 115 

Configuring Advanced Authentication 

Access Gateway Advanced Edition supports using Active Directory as the only 

authenticator and group authority as well as with another authentication method 

such as RADIUS, RSA SecurID, or Secure Computing SafeWord. When you 

configure advanced authentication, only Active Directory is allowed as the group 

authority for the logon point you want to use. 

To use RADIUS with Access Gateway Advanced Edition, Visual J# .NET 2.0 

must be installed on the Advanced Access Control server. See “RADIUS 

Requirements” on page 53 for more information.


To configure a logon point with advanced authentication 

If you are configuring advanced authentication with RADIUS, ensure you 

configure a RADIUS authentication profile before you configure the logon point. 

See “Creating RADIUS Authentication Profiles” on page 102 for more 

information. 

1. In the console tree, select the logon point you want to configure. For more 

information about creating a new logon point, see “Configuring Logon 

Points” on page 89. 

2. On the Authentication page, under Advanced Authentication select the 

authentication method you want to use with Active Directory. 

3. On the Authorization page, only Active Directory is selected. If you are 

using a RADIUS profile with Active Directory, select whether or not the 

RADIUS and Active Directory servers use the same password. 

If you are configuring advanced authentication with RADIUS, you need to set the 

RADIUS authentication credentials for the logon point. For more information, 

see “Setting Authentication Credentials for Logon Points” on page 106. 

For more information about configuring advanced authentication for SecurID and 

SafeWord products, see “Configuring RSA SecurID Authentication” on page 108 

and “Configuring Advanced Authentication with SafeWord” on page 111. 

Configuring RADIUS and LDAP Authentication 

To use RADIUS or LDAP authentication when users log on through a logon 

point, perform the following tasks: 

• Install and configure a RADIUS or LDAP server 

• Create RADIUS or LDAP authentication profiles 

• Assign the authentication profile to a logon point 

• Set the authentication credentials for the logon point 



Requirements” on page 53 for more information. 

Creating RADIUS Authentication Profiles 

Authentication profiles allow you to configure RADIUS settings at the farm level 

and apply them to one or more logon points. Creating a RADIUS authentication 

profile involves the following tasks:

Chapter 7 Securing User Connections 103 

• Define RADIUS server authentication to specify the RADIUS servers you 

want to use, the time-out period, and to configure server load balancing or 

failover 

• Define RADIUS authorization using the attributes and values configured 

on your RADIUS server 

To define RADIUS authentication 



2. Select Authentication Profiles and then click New under RADIUS 

profiles. Type a name and description to define the profile. 

3. Click New to enter the RADIUS server and corresponding ports. 

4. If you have multiple RADIUS servers, select to use the server list for one of 

the following: 

• Load balancing of requests to the servers. Requests follow the 

sequence of the server list so that the initial request goes to the first 

server in the list, the next request goes to the second server, and so on. 

• Failover sequence of communication if servers become 

unavailable. In the event connectivity to a server becomes 

unavailable, connectivity with another server in the list ensures 

RADIUS authentication services remain available to users. 

5. Use the arrows to change a server’s position in the list. 

6. Change the value in the Bypass failed servers for this time interval field 

if you want to specify the amount of time an unavailable server should be 

bypassed. The default value is 300 seconds. 

7. If you want to audit RADIUS events, select Enable RADIUS auditing. 

8. If you want to change the period in which the user authentication process 

times out for lack of a server response, change the value in the Cancel 

authentication after this time field. By default, authentication times out 

after 30 seconds elapse. 

To define RADIUS authorization 

1. From the RADIUS Profile Configuration dialog box, click Configure 

Authorization. 

2. In Group attribute name, type the group name that is defined on your 

RADIUS server.


3. Type the Separator you want to use if multiple user groups are included in 

the RADIUS configuration. A separator can be a period, a semicolon, or a 

colon. 

4. In the Vendor identifier field, type the vendor-specific code number that 

was entered on your RADIUS server. 

5. In the Vendor specified type field, type the vendor-assigned attribute 

number. 

Creating LDAP Authentication Profiles 

Authentication profiles allow you to configure LDAP settings at the farm level 

and apply them to one or more logon points. When using LDAP authentication 

and Active Directory authorization, group names, including character and case, 

must be identical. 

To create an LDAP authentication profile 



2. Select Authentication Profiles and then click New under LDAP profiles. 

3. Type a name and description to define the profile. 

4. Type the name or IP address of the LDAP server you want to use. 

5. In Port, type the server port number that your LDAP server uses for LDAP 

requests. 

6. In Administrator DN, type the distinguished name of the administrative 

user that has access to your LDAP server and the rights to look up user 

entries in the LDAP repository. The following are examples of syntax for 

this field: 

“domain/user name” 

“ou=administrators,dc=ace,dc=com” 

“user@domain.name” (for Active Directory) 

“cn=Administrator,cn=Users,dc=ace,dc=com” 

For Active Directory, the group name, specified as cn=groupname, is 

required. The group name that is defined in the Access Gateway must be 

identical to the group name that is defined on the LDAP server. 

For other LDAP directories, the group name either is not required or, if 

required, is specified as ou=groupname. 

The Access Gateway binds to the LDAP server using the administrator 

credentials and then searches for the user. After locating the user, the


Access Gateway unbinds the administrator credentials and rebinds with the 

user credentials. 

7. In Base DN, type the distinguished name under which user lookups should 

begin. Base DN is usually derived from the Bind DN by removing the user 

name and specifying the group where users are located. Examples of syntax 

for Base DN include: 

“ou=users,dc=ace,dc=com” 

“cn=Users,dc=ace,dc=com” 

8. In LDAP attribute for user logon names, type the attribute under which 

the Access Gateway should look for user logon names for the LDAP server 

that you are configuring. Depending on the directory service you are using, 

type one of the following attributes: 

• For Active Directory, use the default sAMAccountName. 

• For Novell eDirectory or Lotus Domino, use cn. 

• For IBM Directory Server, use uid. 

• For Sun ONE Directory , use uid or cn. 

9. In LDAP group attribute, type the name of the group attribute the Access 

Gateway should use to obtain the groups associated with a user during 

authorization. Depending on the directory service you are using, type one 

of the following attributes: 

• For Active Directory, use the default memberOf. 

• For Novell eDirectory, use groupMembership. 

• For IBM Directory Server, use ibm-allGroups 

• For Sun ONE Directory, use nsRole. 

Assigning Authentication Profiles to Logon 

Points 

After you configure RADIUS or LDAP authentication profiles, you must assign 

these profiles to a logon point. You can assign authentication profiles in the logon 

point properties, on the Authentication and Authorization pages. 

You can use RADIUS profiles as the sole authentication method or as part of 

advanced authentication with Active Directory. You can use LDAP profiles as the 

sole authentication method only.


If you assign an LDAP profile to authenticate users, you can use Active Directory 

or an LDAP profile to authorize users. If you assign a RADIUS profile for 

authentication, you can choose the LDAP or RADIUS profile for authorization. 

When using a RADIUS profile for authentication, you must use the same profile 

for authorization. 

When you use RADIUS or LDAP profiles, you can specify how users access 

resources that require Active Directory credentials. In an advanced authentication 

scenario where Active Directory is the group authority, you can specify whether 

the Active Directory and RADIUS servers share the same password. In scenarios 

where RADIUS or LDAP authenticate and authorize users, you can enable passthrough 

authentication to Active Directory. This allows users to access resources 

smoothly, without entering their Active Directory credentials. To do this, you 

supply the default Active Directory domain. User accounts in the default Active 

Directory domain match those on your RADIUS or LDAP servers. 

To assign authentication profiles to a logon point 




2. Under Common Tasks, click Edit logon point. 

3. On the Authentication page, select the RADIUS or LDAP profile you 

want to use to identify users in your organization. 

4. On the Authorization page, select the RADIUS or LDAP profile you want 

to use to determine the level of access users receive when they authenticate 

successfully. 

After you assign the authentication profile to the logon point, use the Server 

Configuration utility to set the authentication credentials for the profile. 

Setting Authentication Credentials for Logon 

Points 

Logon point authentication credentials consist of the global or server-specific 

RADIUS secrets or LDAP passwords that you specify. Before you set the 

authentication credentials, ensure a RADIUS or LDAP authentication profile has 

been assigned to the logon point.


If your deployment is configured to use RADIUS authentication, and your 

RADIUS server is configured to use PAP, you can strengthen user authentication 

at the logon point by assigning a strong shared secret to the RADIUS server. 

Strong RADIUS shared secrets consist of random sequences of upper and 

lowercase letters, numbers, and punctuation and are at least 22 characters long. If 

possible, use a random character generation program to create RADIUS shared 

secrets. 

To further protect RADIUS traffic, assign a different shared secret to each Access 

Gateway appliance or each Advanced Access Control server. When you define 

clients on the RADIUS server, you can also assign a separate shared secret to 

each client. If you do this, you must configure separately each Access Gateway 

realm that uses RADIUS authentication. If you synchronize configurations 

among several Access Gateway appliances in a cluster, all the appliances will be 

configured with the same secret. 

To assign RADIUS shared secrets 

1. On the Advanced Access Control server, click Start > Programs or All 

Programs > Citrix > Access Gateway > Server Configuration. 

2. Click Configured Logon Points and then select the logon point that you 

have configured to use RADIUS authentication. 

3. Click Authentication Credentials. 

4. Under RADIUS Servers, select Global secret for all servers or Server 

specific secrets. 

5. Type the global secret in the Authentication secret and Confirm 

authentication secret boxes. 

6. For server-specific secrets, double-click the IP address of the RADIUS 

server and enter the secret in the Server Credential box. 

To assign LDAP server passwords 

1. On the Advanced Access Control server, click Start > Programs or All 

Programs > Citrix > Access Gateway > Server Configuration. 

2. Click Configured Logon Points and then select the logon point that you 

have configured to use LDAP authentication. 

3. Click Authentication Credentials. 

4. Under LDAP Servers, select Global password for all servers or Server 

specific passwords. 

5. Type the global password in the Authentication secret and Confirm 

authentication secret boxes.


6. For server-specific passwords, double-click the IP address of the LDAP 

server and enter the password in the Server Credential box. 

Configuring RSA SecurID Authentication 

If you use RSA SecurID for authentication, you can configure Access Gateway 

Advanced Edition to authenticate user access with the RSA ACE/Server. The 

Advanced Access Control server acts as an RSA Agent Host to authenticate users 

who attempt to log on. 

You can configure the Advanced Access Control server to authenticate with RSA 

SecurID in the following ways: 

• With Active Directory, as an advanced authentication method 

• As the only authentication method, where LDAP is used as the group 

authority 

Configuring RSA SecurID authentication consists of the following tasks: 

• Configure the Advanced Access Control server(s) as an RSA ACE/Agent 

and generate a Sdconf.rec file 

• Generate an Sdroot certificate file for the Advanced Access Control 

server(s) and install the RSA ACE/Agent software 

• Test authentication with the RSA SecurID server 

• Configure a logon point for RSA SecurID authentication 

If you are using RSA SecurID as the only authentication method, ensure you have 

performed the following tasks prior to configuring the logon point: 

• Create an LDAP authentication profile 

• Assign the authentication profile to the logon point 

• Set the authentication credentials for the logon point 

For more information, see “Creating LDAP Authentication Profiles” on page 

104, “Assigning Authentication Profiles to Logon Points” on page 105, and 

“Setting Authentication Credentials for Logon Points” on page 106. 

To configure the Advanced Access Control server as an RSA ACE/Agent 

1. On the RSA ACE/Server computer, open the RSA ACE/Server Database 

Administration window and click Agent Host > Add Agent Host. 

2. In Name, type the fully-qualified domain name (FQDN) of the Advanced 

Access Control server.


3. In Network Address, type the IP address of the Advanced Access Control 

server. 

4. In Agent Type, select NetSP Agent. 

5. From the Database Administration window, click Agent Host > Generate 

Configuration Files and then click One Agent Host. 

6. Double-click the name of the Advanced Access Control server and save the 

Sdconf.rec file in a folder on the computer. 

7. Copy the Sdconf.rec file to the %SystemRoot%/System32 folder on the 


To generate an Sdroot certificate file and install RSA ACE/Agent 

1. On the Advanced Access Control server, install and launch the RSA ACE/ 

Agent Certificate Utility. 

2. In Current Directory, enter the path of the directory in which you want to 

store the certificate file. 

3. Click the New Root Certificate and Keys button. 

4. Enter your organization name, country, and key passwords. 

5. Install the RSA ACE/Agent for Windows software and select the following 

installation options: 

• In Setup Type, select Custom 

• In Custom Setup, select Local Authentication Client only. All 

other client options should not be installed. 

6. When prompted, locate the Sdroot certificate file you created. 

7. Follow the remaining onscreen instructions to install the RSA ACE/Agent 

software. 

8. Restart the server after installation finishes. 

To test authentication with RSA SecurID 

1. On the Advanced Access Control server, click Start > Control Panel > 

RSA ACE/Agent. 

2. From the Main tab, click the Test Direct Authentication with RSA ACE/ 

Server button. 

3. From the RSA ACE/Server Configuration Information window, click the 

RSA ACE/Server Test Directly button and enter the user ID and token 

passcode for the user you are testing.


If the test is successful, the “Successful Authentication” message appears. You 

can then configure logon points to use RSA SecurID authentication. 

To configure a logon point with RSA SecurID authentication 

If you are using RSA SecurID as the only authentication method, ensure you 

create an LDAP authentication profile, assign the profile to the logon point, and 

set the authentication credentials prior to configuring the logon point. For more 

information, see “Creating LDAP Authentication Profiles” on page 104 and 

“Setting Authentication Credentials for Logon Points” on page 106. 




2. Under Common Tasks, click Edit logon point. 

3. On the Authentication page, select one of the following options: 

• Under Advanced Authentication, select RSA to use SecurID with 

Active Directory to authenticate users. 

• Under Authentication, select RSA to use SecurID as the only 

authentication method. 

4. If you are using RSA SecurID as the only authentication method, on the 

Authorization page, select the LDAP profile you want to use. 

Configuring SafeWord Authentication 

The SafeWord product line provides secure authentication using a token-based 

passcode. Once the passcode is used, it is immediately invalidated by SafeWord 

and cannot be used again. Access Gateway Advanced Edition supports 

authentication with SafeWord for Citrix and SafeWord PremierAccess. 

You can configure the Advanced Access Control server to authenticate with 

SafeWord in the following ways: 

• With Active Directory, as an advanced authentication method 

• As the only authentication method, where LDAP is used as the group 

authority 

• With RADIUS, where the Advanced Access Control server acts as a 

RADIUS client to a server configured with Microsoft Internet 

Authentication Service (IAS)


Configuring Advanced Authentication with 

SafeWord 

When you configure advanced authentication, Active Directory works with 

SafeWord to authenticate users and determines the level of access users have once 

they log on. To configure advanced authentication with SafeWord, perform the 

following tasks: 

• Install and configure the SafeWord for Citrix Secure Access Manager 

Agent on the Advanced Access Control server. Citrix strongly recommends 

obtaining the latest version of the agent software from Secure Computing to 

ensure SafeWord authentication is successful. Refer to the Secure 

Computing product documentation for information about configuring the 

agent. 

• Create a logon point and configure authentication and authorization using 

the Access Management Console. 

To configure advanced authentication with SafeWord 

1. On the Advanced Access Control server, install the SafeWord for Citrix 

Secure Access Manager agent software located on the SafeWord product 

CD. When prompted, accept the option to use the latest agent software from 

Secure Computing and then select the Secure Access Manager Agent 

option. 

2. Restart the Advanced Access Control services. You can use the Server 

Configuration utility to restart all the services simultaneously. 

3. Restart the Citrix Access Gateway Server COM+ application from the 

Component Services console. 

4. From the console tree, select the logon point you want to configure and 

click Edit logon point in Common Tasks. For more information about 

creating a new logon point, see “Configuring Logon Points” on page 89. 

5. On the Authentication page, under Advanced Authentication, select 

SafeWord. 

Configuring Authentication with SafeWord Only 

When you configure SafeWord as the only authentication method for users, you 

must use LDAP as the group authority. If you want to use SafeWord as the sole 

authentication method, perform the following tasks: 

• Install and configure the SafeWord for Citrix Secure Access Manager 

Agent on the Advanced Access Control server. Citrix strongly recommends 

obtaining the latest version of the agent software from Secure Computing to


ensure SafeWord authentication is successful. Refer to the Secure 

Computing product documentation for information about configuring the 

agent. 

• Create an LDAP authentication profile that you can assign to the logon 

point as the group authority. 

• Create a logon point and configure authentication and authorization using 

the Access Management Console. 

• Set the authentication credentials for the logon point. 

To configure authentication with SafeWord only 

1. On the Advanced Access Control server, install the SafeWord for Citrix 

Secure Access Manager agent software located on the SafeWord product 

CD. When prompted, accept the option to use the latest agent software from 

Secure Computing and then select the Secure Access Manager Agent 

option. 

2. Restart the Advanced Access Control services. You can use the Server 

Configuration utility to restart all the services simultaneously. 

3. Restart the Citrix Access Gateway Server COM+ application from the 

Component Services console. 

4. Create an LDAP authentication profile. For more information, see 

“Creating LDAP Authentication Profiles” on page 104. 

5. From the console tree, select the logon point you want to configure and 

click Edit logon point in Common Tasks. For more information about 

creating a new logon point, see “Configuring Logon Points” on page 89. 

6. On the Authentication page, select SafeWord. 

7. On the Authorization page, select the LDAP authentication profile you 

want to use. 

To complete the configuration, you need to set the authentication credentials for 

the logon point to which you assigned the LDAP profile. See “Setting 

Authentication Credentials for Logon Points” on page 106 for more information. 

Configuring RADIUS with SafeWord 

To authenticate users, SafeWord uses the RADIUS protocol, Microsoft Internet 

Authentication Service (IAS), and a user database stored on an Active Directory 

server. 



Requirements” on page 53 for more information.


If you want to use RADIUS with either SafeWord product, perform the following 

tasks: 

• Configure Microsoft Internet Authentication Service (IAS) on a separate 

server and configure the Advanced Access Control server as a RADIUS 

client. 

• Create a RADIUS authentication profile for the IAS server. If you want to 

use LDAP as the group authority instead of RADIUS, you must also create 

an LDAP authentication profile. For more information, see “Configuring 

RADIUS and LDAP Authentication” on page 102. 

• Assign the RADIUS authentication profile to the logon point. If you use 

LDAP as the group authority, you must also assign the LDAP 

authentication profile to the logon point. For more information, see 

“Assigning Authentication Profiles to Logon Points” on page 105. 

• Set the RADIUS authentication credentials for the logon point. If you use 

LDAP as the group authority, you must also set the LDAP authentication 

credentials. For more information, see “Setting Authentication Credentials 

for Logon Points” on page 106. 

• On the SafeWord server, install and configure the SafeWord IAS Agent 

software. 

To configure IAS and configure a RADIUS client 

Before proceeding, ensure IAS is installed on a server in your environment. You 

can install IAS using Add/Remove Programs in Control Panel. For more 

information, see the Windows online help. 

1. Open the Microsoft Management Console (MMC) and install the snap-in 

for IAS. 

2. In the left pane, right-click Remote Access Policies and select New 

Remote Access Policy. The New Remote Access Policy Wizard appears.


3. Complete the wizard, using the following settings: 

• Set up a custom policy and then type a unique policy name. 

• Select Windows Groups for the policy and select the group(s) 

containing the users to be authenticated with SafeWord 

• Select Grant remote access permission and click Edit Profile. 

• On the Authentication tab, clear the check boxes selected by default 

and then select only Unencrypted authentication (PAP, SPAP). 

• Click the Advanced tab and remove the attributes that appear by 

default. Then, add the Vendor Specific RADIUS Standard attribute. 

• In the Vendor-specific Attribute Information box, select Yes to 

specify that the attribute conforms to the RADIUS RFC specification. 

• Click Configure Attribute and enter the following settings: 

• In Vendor-assigned attribute number, type 0. 

• In Attribute Format, select String. 

• In Attribute value, enter the group name(s) you specified for 

the policy. For example, if you specified the Sales and Finance 

groups, you enter CTXSUserGroups=sales;finance. 

4. From the left pane of the MMC, right-click RADIUS Clients and select 

New RADIUS Client. 

5. Type a name for the client and enter the IP address or the FQDN of the 


6. Ensure RADIUS Standard is selected and then provide a shared secret that 

the Advanced Access Control server can use to authenticate with the 

RADIUS server. 

To configure the SafeWord IAS Agent 

1. Launch the IAS Agent by clicking Start > Programs or All Programs > 

Secure Computing > SafeWord > IAS Agent > Configure IAS Agent. 

2. Click Authentication Engine and enter the host name or IP address of the 

authentication engine. 

3. Click Groups and enter the user group and domain of the users using 

SafeWord tokens.


Configuring Trusted Authentication 

To further strengthen your Access Gateway environment, you can ensure that 

each Access Gateway that connects to an Advanced Access Control server is a 

trusted device. To do this, you configure each Access Gateway to present a client 

certificate when prompted. Then, you configure each Advanced Access Control 

server to request the client certificate from each Access Gateway in your 

environment. 

Configuring the Access Gateway for Trusted 

Authentication 

Before you configure the Access Gateway, ensure that: 

• The Access Gateway uses SSL to communicate with the Advanced Access 

Control server. This is required because the virtual directories the Access 

Gateway must access on the Advanced Access Control server are secured. 

• The Access Gateway trusts the root certificate for the certificate authority 

that issued the client certificate. If not, you will need to install it as a trusted 

root certificate. 

• You have obtained a client certificate from a recognized certificate 

authority so you can install it on the Access Gateway. 

To verify the Access Gateway is using SSL 

1. Open the Access Gateway Administration Tool and select the Access 

Gateway from the Access Gateway Cluster tab. 

2. Click the Advanced Options tab. 

3. To enable SSL communication, select the Secure server communication 

check box. 

To install the root certificate as a trusted certificate 

Before you install the root certificate, check to be sure it conforms to the Base64 

file format. Access Gateway does not recognize other formats as valid. 

1. From the Administration Tool, select the Access Gateway and then click 

the Administration tab. 

2. In Manage trusted root certificates, click Manage. 

3. From Trusted Root Certificate Management, click the Manage tab. 

4. Click Upload Trusted Root Certificate. 

5. Select the root certificate you want to install.


6. Reboot the Access Gateway. 

After the Access Gateway reboots, verify the root certificate appears in the 

Trusted Issuers tab of the Trusted Root Certificate Management window. You can 

then install the client certificate. 

To install the client certificate on the Access Gateway 

1. Open the Administration Tool and select the Access Gateway from the 

Access Gateway Cluster tab. 

2. Click the Administration tab and then click Browse to upload a .pem 

private key and client certificate. 

3. Locate the client certificate and enter the passphrase when prompted. 

4. Reboot the Access Gateway. 

After you install the client certificate, you can configure the Advanced Access 

Control server to require the certificate from the Access Gateway. 

Configuring Advanced Access Control for Trusted 


To configure the Advanced Access Control server to request the client certificate 

from each Access Gateway in your environment, you perform the following 

tasks: 

1. Create or assign a server certificate 

2. Add the root certificate from the certificate authority that issued the Access 

Gateway client certificate to the Certificate Trust List on the server 

3. Configure the virtual directories that the Access Gateway will access to 

require client certificates 

To create or assign a server certificate 

1. Click Start > All Programs > Administrative Tools > Internet 

Information Services (IIS) Manager. 

2. Expand the local computer node and the Web Sites node. 

3. Right-click the Default Web Site node and select Properties. 

4. Click the Directory Security tab and then click the Server Certificate 

button under Secure communications. 

5. Follow the onscreen instructions in the IIS Certificate Wizard to create a 

new server certificate or assign an existing certificate.


After the server certificate is assigned, you can add the root certificate to the 

server’s Certificate Trust List and configure the server to require client 

certificates. 

To add the root certificate to the Advanced Access Control server’s 

Certificate Trust List 

1. Open Internet Information Services (IIS) Manager and locate the Default 

Web Site node. 

2. Right-click the Default Web Site node and select Properties. 

3. Click the Directory Security tab and then click the Edit button under 

Secure communications. 

4. Select the Enable certificate trust list check box. 

5. Click the New button and follow the onscreen instructions to complete the 

Certificate Trust List wizard. This wizard allows you to add the root 

certificate that matches the Access Gateway’s client certificate to the 

Certificate Trust List. 

To configure the server to require client certificates 

1. In Internet Information Services (IIS) Manager, expand the Default Web 

Site node and locate the CitrixGatewayConfigService node. 

2. Right-click the CitrixGatewayConfigService node and select Properties. 



4. Select the Require secure channel checkbox. 

5. Under Client certificates, select Require client certificates. 

6. In Internet Information Services (IIS) Manager, right-click the 

CitrixLogonAgentService node and select Properties. 



8. Select the Require secure channel check box. 

9. Under Client certificates, select Require client certificates.


CHAPTER 8 

Adding Resources 

To control your corporate resources with Advanced Access Control, you add 

them to the console and then create policies for them. 

Resources include corporate applications, Web sites, portals, file shares, services, 

servers, email, and email synchronization—essentially any resource that you 

want to provide for user access. 

This section describes how and why you configure the following types of 

resources: 

• Network resources 

• Web resources 

• File shares 

For information about configuring email resources, see “Providing Secure Access 

to Corporate Email” on page 181. 

Creating Network Resources for VPN Access 

Use network resources to define subnets or servers on the corporate network that 

users can connect to directly through a VPN tunnel using the Secure Access 

Client. By default, users are denied access to network resources until you create 

policies that grant them access permission. 

To create a network resource 

1. In the console tree, select Network Resources and click Create network 

resource in Common Tasks. 

2. In the New Network Resource wizard, enter a name and description for the 

resource. 

3. On the Specify Servers and Ports page, click New to add network 

identification, port, and protocol information for the resource. 

• To define entire subnets, specify network addresses with subnet 

masks. For example, to define all servers on the 10.x.x.x network,


specify a subnet mask of 255.0.0.0. To define a single server, you can 

define a specified network IP address such as 10.2.3.4 with subnet 

mask 255.255.255.255. 

• For Port, you can specify multiple ports or port ranges by separating 

each port with a comma and hyphenating ranges. For example, the 

entry “22,80,110-120” means that the resource uses port 22, port 80, 

and all ports between and including 110-120. 

• The Secure Access Client software listens on the specified port. 

4. Specify whether or not to create a default policy. If you create a default 

policy, you can edit its properties later. 

After defining a network resource, you can create policies that control its user 

access and connection settings. 

The only access control permission you can grant for a network resource is to 

allow or deny access. Because users connect directly to the services defined by 

the specified port or network subnode, the Web proxy is not used. Connecting to 

resources through the Web proxy is required if you want to tailor the level of 

access with action controls such as HTML Preview and Live Edit. 

When users connect with the Secure Access Client they can view a list of their 

network resources in the client properties. 

Using the Entire Network Resource 

The Entire Network resource is a built-in resource you can use to grant or deny 

Secure Access Client access to all servers and services on the secure network. 

The definition of the “entire network” might be limited in scope if you have 

enabled split tunneling in the global properties for gateway appliances. If split 

tunneling is enabled, the Entire Network resource does not override the definition 

of accessible networks. In other words, when split tunneling is enabled, the Entire 

Network resource equals the definition you have configured for accessible 

networks. For more information about split tunneling and accessible networks, 

see “Configuring Split Tunneling” on page 95. 

Note: Entire Network includes all resources on the secure network, including 

servers or subnets you add later. For example, if you create an access policy that 

includes Entire Network and later add a server to the network, the new server is 

controlled by the settings of the existing policy. 

For more information about creating policies that include Entire Network, see 

“Granting Access to the Entire Network” on page 154.

Chapter 8 Adding Resources 121 

Defining Resources to Avoid Conflicts 

Because you have multiple choices for configuring your corporate resources, you 

can create resources that overlap. For example, you can create a file share 

resource for File Share B on Server A and also create a network resource for 

Server A. Both of these resources overlap by including File Share B. 

If you assign overlapping resources to different policies, it is possible to create 

conflicts between the action controls provided for the same corporate resource. 

Overlapping definitions arise if you use network resources to provide access to 

entire servers, networks, or subnets and simultaneously use file shares and Web 

resources to define parts of the same servers, networks, and subnets. The 

following bullets describe a scenario in which such an overlap exists: 

• Server A is a file share server for which you define a network resource. A 

policy assigned to the network resource allows all company employees 

remote VPN access to the server when they use a trusted client device and 

the advanced authentication combination of Active Directory with RSA 

SecurID. 

• File Share B is a shared folder on Server A. 

• You define File Share B as a file share resource for browser access. You 

assign this file share to a policy that allows access if users are using a logon 

point visible only from the internal company network. 

Although your intention with the second policy above is to restrict the access to 

File Share B, the actual result is that the first policy allows users full access to 

File Share B through a VPN tunnel to the entire server. 

To avoid conflicts: 

• Define network resources so that they do not overlap with browser-based 

resources (file shares and Web resources). 

• Assign overlapping resources to the same policy. 

Creating Web Resources 

Web resources define the Web pages, sites, or applications that you want to secure 

with policies. You can group multiple URLs and define them as a single Web 

resource. 

By default, users are denied access to a Web resource until you create policies 

that grant access permissions.


To create a Web resource 

1. In the console tree, select Resources > Web resources and click Create 

Web resource in Common Tasks. 

2. Enter a name and description for the resource. 

3. On the Configure Addresses page, click New for each URL address you 

want to add and enter the address. 

Addresses can include: 

• virtual directories but not individual documents. For example, you 

can add http://PeopleManagementSystem/Recruiting/ 

but not 

http://PeopleManagementSystem/How-to-Interview.html 

• dynamic system tokens, such as 

http://www.MyCompany.com/users/# 

Addresses cannot include: 

• general regular expressions such as 

http://www.server[1-0]+.com/[A-Za-z]+(A-Za-z0-9)*/ 

• wildcards such as 

*.MyURL.com or http://www.*/Dept/MyCompany.com 

4. From the Application type list, select the type of application the URL 

opens. The application type determines if specialized information is needed 

in the URL configuration. 

• Citrix Web Interface 4.2 or later points to a Web Interface site 

displaying users’ published applications from Citrix Presentation 

Server. For more information see “Integrating Web Interface” on 

page 158. 

• SharePoint points to a SharePoint site. 

• SharePoint with Web Interface Web Part points to a Web Part 

designed to provide Citrix Web Interface as an area on a SharePoint 

site. Supports SmartAccess features through the Web Interface. 

• Web Application points to a Web site URL that needs no specialized 

configuration information. This is the default setting. 

• Web Application (requires session cookies) points to Web sites 

allowed to receive cookies. By default the Web proxy does not 

forward cookies to redirected URL addresses. The Web proxy does 

not pass cookies to the default Web application type.


5. From the Authentication types supported area of the New URL dialog 

box, you can enable pass-through authentication to the site by selecting the 

site’s authentication method. For more information, see “Enabling Pass- 

Through Authentication for Web Resources” on page 124. 

6. Select the option to publish in users’ lists of resources if you want this 

resource to appear on the Access Interface. 

• The home page must be a page within the exact URL you specify in 

Step 3. For example, if you enter http://MyCompany.net for the 

resource address, you can specify a page within that site, such as 

http://MyCompany.net/Finance.aspx. 

• If your directory service uses the homepage token, you can enter 

# for the URL home page. For more information about 

using tokens, see “Using Dynamic System Tokens” on page 128. 

Note: If you are enabling Advanced Access Control to display multiple 

Citrix Access Platform sites within the Access Interface, you must publish 

the site so you can associate it with a Presentation Server farm. For more 

information, see “Displaying Multiple Sites and Caching Credentials” on 

page 160. 

7. Select the option to use an interface that is common for all browser types if 

users are not allowed to use ActiveX controls or use a variety of browser 

versions. Selecting this option presents users with a generic interface that 

does not require advanced browser technologies such as ActiveX. 



Including Related Files 

For Web sites, make sure when you create the resource that you include all the 

necessary files required by the pages of the Web site, such as image files that 

might be stored in a separate location or separate server. For example, if a site 

such as www.citrix.com uses images stored on www.webimages.site.com, add the 

URL www.webimages.site.com to the Web resource. 

Configuring Sites Secured with SSL 

When creating Web resources that contain URL addresses secured with Secure 

Sockets Layer (SSL), you must ensure that all servers in the access server farm 

with the role of Web server have the root certificate for the secured URL 

addresses.


This requirement does not apply if the Web proxy is bypassed for access to the 

server hosting the URL address. For more information about bypassing URL 

rewriting, see “Bypassing URL Rewriting” on page 144. 

Web Resources that Keep Sessions Alive 

User sessions for Web resources and applications normally time out according to 

the time-out settings of the logon point through which users connect. 

Note that when users view a Web resource that uses a keep-alive mechanism, the 

session remains open until the user closes the window displaying the Web 

resource. An example of such a resource is Microsoft Outlook Web Access, 

which performs regular polling to discover new email messages. This polling 

keeps the user’s session open until the Outlook Web Access window is closed. 

Enabling Pass-Through Authentication for Web 

Resources 

You can pass user credentials to Web servers on the secured network configured 

for Basic, Digest, or Integrated Windows Authentication. This feature avoids 

requiring users to enter their credentials multiple times to access Web resources. 

For example, if a team Web site in your organization is configured for Digest 

Authentication, you can pass the credentials with which users log on to the 

Access Gateway to that site. If you do not enable the URL address to support 

Digest Authentication, users might be required to log on to the Web site. 

Note that the authentication required for a Web site is determined by the settings 

of the site’s host Web server. 

When configuring a Web resource, you can enable its URL addresses to use one 

of the following methods of pass-through authentication: 

• Basic authentication. Credentials are passed to the Web site in plain text. 

Important: Because credentials are passed in plain text, consider using 

SSL for Web sites that use Basic pass-through authentication. 

• Digest authentication. Hashed credentials are passed to the Web site using 

Digest Authentication. 

• Integrated Windows authentication. Hashed credentials are passed to the 

Web site using Integrated Authentication. NTLM or Kerberos 

authentication is used, depending on your Web server configuration.


Caution: When using any of the three pass-through authentication methods, the 

target Web application is first presented with the credentials with which the user 

logged on to the Access Gateway. Accessing Web sites that require a second, 

differing set of credentials through Access Gateway can result in the caching of 

the second set of credentials. 

Creating File Shares 

To specify pass-through authentication for a Web site 

1. In the console tree, select the Web resource and click Edit Web resource in 

Common Tasks. 

2. On the URL Addresses page, select the Web site’s URL and click Edit. 

3. In the Authentication types supported area, select the authentication 

method being used by the Web site. 

Configuring Sites with Form-Based 


Web sites that require form-based authentication must be configured with the 

application type of Web application. 

Each URL defined in a Web resource is assigned an application type. For URLs 

that are assigned the application type Web Application, credentials are not 

passed and users might need to log on to the Web site. This is the default setting. 

You must use this option for sites that require form-based authentication. 

File shares are shared directories, folders, and files on your network that you want 

to secure with policies. 

You can group multiple shares and define them as a single resource. Grouping file 

shares requires you to create fewer policies, because each policy you create for 

the resource applies to all shares in the group. 

By default, users are denied access to file shares until you create policies that 

grant them access permission. 

To create a file share 

1. In the console tree, select Resources > File Shares and click Create file 

share in Common Tasks. 

2. Enter a name and description for the resource.


3. On the Configure Addresses page, click New to add each shared item, for 

example, \\MyServer\Shared-Files-Folder. 

• You can include addresses for specific document files as well as 

directories. 

• You can use dynamic system tokens, such as #. To use 

system tokens, the service account in the Server Configuration for 

Advanced Access Control must be a domain account and not a local 

machine account. 

4. In the File Share dialog box, select Publish for users in their list of 

resources if you want this resource to be listed on the Access Interface. 



If you do not select the option to publish a file share, users can still navigate to the 

share in their browsers as long as a policy allows access to the file share. A file 

share that a user has access to but which is not published can also be accessed if it 

appears embedded in a Web page or email. 

Uploading Large Documents to File Shares 

When users access a published file share through the Access Interface and 

policies allow them to upload documents, users can upload documents up to 100 

MB in size by default. To enable users to upload larger documents, you must edit 

the Windows Registry. 

Caution: Using Registry Editor incorrectly can cause serious problems that can 

require you to reinstall the operating system. Citrix cannot guarantee that 

problems resulting from incorrect use of Registry Editor can be solved. Use 

Registry Editor at your own risk. Make sure you back up the registry before you 

edit it. 

To enable users to upload documents larger than 100 MB 

1. From Registry Editor, find the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\CITRIX\MSAM\FEI 

2. Click Edit > New > DWORD Value and type MaxUploadSize in the right 

pane. 

3. Right-click on the new value and select Modify. 

4. In Value Data, type the maximum document size in kilobytes (KB). For 

example, to specify a maximum size of 120 MB, you type 120000.

5. Under Base, select Decimal. 

Chapter 8 Adding Resources 127


Using Dynamic System Tokens 

You can use dynamic token replacement in UNC or URL addresses when 

defining resources that can retrieve dynamic information from the directory 

service. Dynamic token replacement provides replacement of strings with user 

attributes obtained from Active Directory. 

Note: There is one attribute from Lightweight Directory Access Protocol 

(LDAP) or NT Directory Services that you can use without Active Directory. 

This is the # attribute. All other attributes require Active Directory. 

For example, if an enterprise with thousands of employees provides each user 

with a unique file share named for the user, it is more efficient to use a token in 

place of the user name rather than listing each explicit file share to define the 

resource group. 

To use system tokens the service account in the Server Configuration for 

Advanced Access Control must be a domain account and not a local machine 

account. 

Use the following syntax for token replacement: 

# 

Examples: 

\\Public-shares\Departments\#\Reports 

http://inotes.my-server.com/mail/#.nsf


Active Directory Attributes 

The following attributes can be used with Active Directory. 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

# 

Creating Resource Groups to Ease Policy Administration 

Resource groups enable you to group different types of resources into a single 

entity and apply policies to the group. Using resource groups requires fewer total 

policies and eases policy administration. The basic steps for bundling resources 

are: 

1. Decide which resources you want to provide to users under a specific 

access scenario. For example, make a list of all the resources (including 

email, Web sites, and file shares) that your sales force needs to access from 

corporate laptops they use on the road. 

2. Ensure that each of the resources from Step 1 is configured in the console. 

For example, if you want to include five corporate Web sites and Webbased 

email, make sure you configure one or more Web resources that 

include these sites and configure Web Email before you create the resource 

group.


3. Create a resource group that includes all the resources you listed in Step 1. 

4. Create a filter that includes your requirements for the access scenario. For 

example, you can create a filter that requires users to authenticate with RSA 

authentication, log on to your Sales logon point URL, and pass specified 

endpoint analysis scans of the client device. 

5. Create a policy for the resource group. Associate the policy with the filter 

you created in Step 4 and select the action controls you want for each 

resource. 

Resource group names or descriptions do not appear to users in published lists of 

resources. The name and description you define for a resource group is for 

administrative use only. If you choose to publish a Web resource or file share, 

users see the resource’s description (not the description of the resource group) in 

their lists of resources. 

Each resource type has a wizard to guide you through adding the resource. These 

wizards are available from Common Tasks when the Resources node is selected. 

By default, users are denied access to any resource you define until you create 

policies that grant access permissions. This includes all resources and resource 

groups. 

Integrating Resource Lists in Third-Party Portals 

If you provide users with the lists of Web resources or file shares included with 

Advanced Access Control, you can integrate these lists into any portal solution. 

For example, if you are using Microsoft SharePoint as a portal or information 

aggregation point, you can display for users their list of Web resources or file 

shares in the SharePoint portal. 

To integrate user resource lists with a third-party portal 

1. Configure Web resources and files shares for users. 

2. Configure your portal product’s Web site viewer to display one or both of 

the following: 

• The Web resources list at http://servername/CitrixSessionInit/ 

URLList.aspx 

• The file share list at http://servername/citrixfei/myfiles.asp 

where servername is the name of a Web server running Access Gateway 

Advanced Edition.

CHAPTER 9 

Controlling Access Through 

Policies 

Policies provide granular control of access at the resource level. Use policies to 

control which resources users can get to and what actions they can perform on 

those resources. You can leverage the power of filters to apply policies based on 

information detected about the client device, who users are, the strength of their 

authentication, and where they are logging on. Filters provide the flexibility to 

match policies with your access scenarios. This section discusses how to 

implement policies and formulate strategies to control resources according to the 

user scenario. 

Policies extend the security of your network environment by enabling you to 

control: 

• Access. You can control users’ ability to connect to your resources unless 

they meet security requirements such as identity, authentication, antivirus, 

firewall, and client software. 

• Actions. You can control specific actions that users perform on resources 

accessed through the browser, based on the user scenario. 

• Connections. You can control Secure Access Client connections and apply 

settings to those connections. 

Controlling User Access 

Policies help you secure the corporate network even before users log on and 

allow you to extend that security down to the individual resource level. Policies 

enable you to: 

• Provide connection privileges to trusted devices only. When you create 

policies for the “Allow Logon” resource, you can deny connection 

privileges unless the client device meets your minimum security 

requirements verified through endpoint analysis scans. You can use 

connection policies with continuous scans to monitor Secure Access Client


connections throughout the user session, disconnecting as soon as the client 

device fails to meet your requirements. 

• Allow logon permission only to trusted users and devices. When you 

configure logon point properties, you can hide the logon page from users 

with unknown client devices or client devices that do not meet your 

security requirements. This feature prevents viruses on the client device 

from stealing the users’ credentials as they type them on the logon page. 

• Allowing or denying individual actions on resources. After users pass 

your security requirements for connecting, they must be granted explicit 

permission to a resource before the resource is available to them. You 

control this access through policies defined for each resource or group of 

resources. For more information about creating policies, see “Creating 

Access Policies” on page 135. 

By default, users are not provided permission to access or take action on any 

resources on your networks. You must define your resources for the farm and then 

create policies that grant access to them and control actions users can perform on 

them. 

Advanced Access Control policies extend the operating system security settings 

and cannot override them. For example, if a user is denied access to a file share in 

the share’s Windows NT File System (NTFS) security settings, granting access to 

that file share through Access Gateway policies will not allow access to the file 

share. 

Note: Access to applications and resources published by Citrix Presentation 

Server is not controlled by Advanced Access Control policies. Access to these 

resources depends on the properties of the logon point through which users log on 

and the permissions that users are assigned in Citrix Presentation Server. 

Integrating Your Access Strategy 

The way you define resources and create policies is influenced by your overall 

strategy for controlling access. The goal is to make sure users get the level of 

access that you can securely provide given the user situation. 

Your strategy determines how you pool resources and design policies. 

Pooling Resources By Access Needs 

Before defining resources and creating policies, pool resources into resource 

groups that reflect their relative security requirements. When you define 

resources, group similar resources together.

Chapter 9 Controlling Access Through Policies 133 

For example, you might create a resource group that contains several file shares, 

Web resources, and email that require very restricted access when users are 

connecting remotely. In another resource group you might add Web resources and 

file shares and that you want users to have access to at all times, as long as they 

have a trusted client device. 

Designing Policies From User Scenarios 

Plan policies according to a basic set of user scenarios, such as the ones presented 

in the next table. Start with just a few scenarios. Define a few types of resources, 

pool them into resource groups, and practice creating policies until you have 

enough policies to cover all the user scenarios needed in your organization. 

The following table provides a few example scenarios of user situations with 

different access and actions that might be permitted: 

User Device Resources Users Can Access Actions Users Can Take 

Corporate desktop 

running required 

antivirus software 

Remote corporate 

device running required 

antivirus and firewall 

software 

• All corporate networks and file 

systems 

• Full email services 

• Corporate portals and Web 

applications 

• Published applications through 

Citrix Presentation Server 

• Other applications 

• Web applications 

• Synchronized email applications 

• Published applications through 


• Limited access to file systems 

• Servers or services defined as 

network resources 

• Download files 

• Upload files 

• Edit files on the local client device 

• Edit files on servers running Citrix 

Presentation Server 

• Send documents as email attachments 

• Edit and save documents with Live Edit 

ActiveX control without needing to 

download and upload 

• Limited client mapping or printing 

documents on servers running Citrix 



• Connect directly to network resources 

through VPN using Secure Access Client


User Device Resources Users Can Access Actions Users Can Take 

Public kiosk running a 

required browser 

• Web applications 

• Web-based email only 

• Limited access to published 

applications 

• Preview documents as HTML 

• No client mapping or printing documents 

on servers running Citrix Presentation 

Server 

Personal digital 

assistant (PDA) 

Web-based email only • View Web-based email, which supports 

refactoring for small devices 

• Preview documents as HTML, which 

supports refactoring for small devices 


• No application access 

Remote corporate 

laptops for system 

administrators who 

cover emergencies from 

home 

Full access to individual mission critical 

applications defined as network 

resources or the Entire Network resource 

Connect directly to network resources through 

VPN using Secure Access Client 

After you develop an access strategy, you configure resources, policies, and 

filters in combinations that comply with and extend your corporate security 

guidelines. Resources and policies define the access control you allow. Filters 

define when and under what conditions the access is granted. 

Differentiating Access Control and Publishing 

Allowing access to a resource through policy control is not the same as 

publishing the resource. When you define file shares and Web resources you can 

choose to publish the resource, which means it is listed for users on the Access 

Interface or third-party portals. 

The built-in file share and Web resource lists can also appear as plug-ins to thirdparty 

corporate portals. For information about integrating resource lists in thirdparty 

portals, see “Integrating Resource Lists in Third-Party Portals” on page 

130. 

Enabling the Access permission to a Web resource permits the user to view it with 

a browser. What the user can do with the item or which application is used to 

open it depends on the group of policy settings you have defined for the resource. 

Simply enabling the Access permission for a resource does not provide a 

navigation to that resource. For example, if you enable the Access permission to a 

URL address but do not publish it, users can get to the URL only through a link 

embedded on a Web page or, if the resource is configured to bypass the Web 

proxy, by typing the URL directly in their browser.


You must create a Web resource or network resource for any application that you 

want users to have remote access to and you must create policies for these items 

granting explicit “Access” permission for users. Configuring file share access is 

slightly different than for Web resources, because you do not choose the “Access” 

permission in policies for file shares. Users can view a file share resource through 

their browser if you publish the resource and if the operating system access 

control list (ACL) allows access permission to the users. Policies for file shares 

define the users who can view the file share, the actions those users are allowed to 

take on the documents in those file shares, and the conditions under which they 

can take the actions. 

Creating Access Policies 

You must create policies to provide users with access to resources. By default, 

users have no access privileges to any resource. When you create an access 

policy, you define who has access, the conditions under which access is granted, 

and the granular access controls that are allowed or denied. 

To create an access policy 

1. In the console tree select Policies and choose Create access policy from 

Common Tasks. 

2. In the New Access Policy wizard, name and describe the policy. 

3. On the Select Resources page, select the resource groups and resources for 

the policy to control. 

• Select Network Resources > Entire Network if you want this policy 

to control access to all visible servers and services on the network. 

• Select the Allow Logon resource if you want this policy to include 

the conditions under which the users are allowed to log on to the 

network. 

Take care to review selections in the available resources tree. When you 

select or clear a category of resource, such as File Shares, all items grouped 

under that category are selected or cleared. Expand nodes to display the 

selections under each category. 

4. On the Configure Settings page, enable each desired setting individually 

and select Allow or Deny. Take care to review your selections in the 

settings tree. 

It is possible to select policy settings on the Configure Settings page for 

types of resources that you did not select for the policy to control. The 

policy applies settings only for the resources that are selected for the policy.


5. On the Select Filter page, select a filter that defines the conditions to be 

met for the policy to be enforced. 

If you have not yet configured filters, you can edit the policy and assign a 

filter to it later. 

6. On the Select Users page, select the users to whom the policy applies. 

Note: If multiple policies apply to a resource, a policy that denies an access 

permission takes precedence over other policies that allow the access permission. 

Naming Policies 

All policy names must be unique. Developing a consistent naming convention or 

practice eases administration of policies. Because policies are defined per 

resource to provide granular control, you can potentially create many policies. 

The naming convention you develop should help you quickly identify the 

resource and, if possible, the level of access you are applying. 

You can develop a convention that meets your organization’s needs. In general, 

the policy name should include the resource. One typical naming convention 

names policies by resource name and an access level phrase that coincides with 

your access strategy or the permissions allowed. For example: 

• Web resource X_full access_all users 

• Web resource X_limited access_field users 

• Web resource X_full access_administrators 

• File share Z_all actions_all users 

• File share Z_restricted actions_unknown devices 

You can change the name of default policies. 

To change a policy name 

1. Select the policy in the right details pane of the console. 

2. At the bottom of the details pane click Edit policy properties. 

3. In the policy Properties, change the name and save the policy.


Configuring Policy Settings to Control User Actions 

Policies for resources opened through the browser (Web resources, file shares, 

and email) enable you to control not only access, but also what actions users can 

perform with the resource. 

Policy settings enable you to allow or deny specific action controls. Configure 

policy settings in the policy wizard or policy properties. 

The policy settings that are available when you create a policy depend on the type 

of resource you are securing and your environment. For example, if the access 

server farm is not configured to link to a farm running Citrix Presentation Server, 

the File Type Association permission setting is not available. 

Depending on the type of resource and your farm configuration, you can allow or 

deny the following policy settings: 

Policy Setting 

Access 

Bypass URL 

Rewriting 

Download 

Email as 

Attachment 

Description 

Allows users access to the resource through a Web browser or Secure 

Access Client connection. 

For Web-based email, this setting allows all functionality provided 

by the Web-based email application, such as viewing and sending 

emails, managing the Calendar, and viewing an address book, but 

does not allow the ability to access email attachments. Accessing 

email attachments is allowed through the Email as Attachment 

setting. 

For network resources, Access allows a direct VPN connection to 

the resource using the Secure Access Client. Access is the only 

permission you can set for network resources. 

Allows the browser to retrieve a Web resource without the URL 

address of the resource being rewritten by the Web proxy component 

of Advanced Access Control. By default, URL addresses are 

rewritten by the Web proxy. 

For more information, see “Bypassing URL Rewriting” on page 144. 

Allows documents or email attachments to be sent to the user’s 

browser as HTTP content and saved on the local client device. The 

browser performs its default action depending on the MIME type of 

the content. 

Allows users to attach documents to email. You can use this control to 

allow users to email documents without having other action controls 

(such as Download) that require sending the document to the client 

device.


Policy Setting 

File Type 

Association 

HTML Preview 

Live Edit 

Upload 

Description 

Allows users to open documents in applications published through 

Citrix Presentation Server. You can use this permission to allow users 

to open and edit documents on servers in the trusted environment and 

avoid sending the document to the user’s client device. You can use 

file type association only for document types that are associated with 

a published application and only if the logon point properties are 

correctly configured. 

Allows users to view non-HTML content as HTML in a browser 

without needing to run additional client software. Supports a wide 

range of client devices, including small form factors. Users need this 

access control or Download to view an HTML document in a file 

share. This feature is available only for document types for which 

there is conversion software installed on a farm Web server. At least 

one Web server must have the conversion software installed and must 

be assigned to perform the HTML Preview server role. 

Allows users to edit remote documents using the Live Edit Client, an 

ActiveX control. Users can conveniently edit and save documents 

without needing to download and upload them. 

Allows users to save new documents and overwrite existing files in a 

file share. 

Allowing Access to Standard Web Content 

The only policy setting that applies for standard Web content is the Allow or 

Deny Access setting. Standard Web content includes those document types that 

you typically view with a browser. These documents are simply downloaded to 

the client device as usual for browsing, and do not come under the varying levels 

of access control (HTML Preview or Live Edit, for example) that you can apply 

to other document types. 

The following document types are treated as standard Web content: 

Text: 

Applications: 

Images: 

HTML; CSS; XML; X-component 

X-Java Script; S-Component 

GIF; JPEG; PNG 

Allowing File Type Association 

Allowing file type association for a resource enables users to open the resource 

with an application running in Citrix Presentation Server. Providing file type 

association as the only means for editing resource documents can heighten 

security because it requires that editing occur on the server and not on the client 

device.


For example, you might choose to grant file type association for a file share 

where employees post reports of ongoing project meetings, without providing the 

ability to download or upload. 

Providing file type association requires that: 

• Users run Citrix Presentation Server Client software on the client device. 

• Users connect through a logon point configured for Citrix Presentation 

Server. 

• Users are assigned to the desired applications in Citrix Presentation Server. 

• Citrix Presentation Server is configured to work with Advanced Access 

Control. 

Allowing HTML Preview 

HTML Preview enables users to view non-HTML content in a browser without 

requiring any additional client software. HTML Preview displays documents: 

• For read-only permission 

• On a wide range of devices when the associated application is not available 

• On small form factor devices such as PDAs 

HTML Preview is designed primarily for situations in which you want users to be 

able to view documents even if they don’t have an application installed on the 

client device that can display the document. For example, you might decide to 

allow HTML Preview for employees who need to view documents on the road 

from public kiosks, PDAs, or non-corporate devices. 

For more information about the requirements of providing HTML Preview in the 

farm, see “HTML Preview Requirements” on page 46. 

Allowing Email Attachments 

The Email as Attachment access control is designed to allow users to email 

documents from a location on a remote server to a recipient, without having to 

download the document to the client device. You might choose to allow Email as 

Attachment along with or in similar situations as the HTML Preview. 

For example, you might provide email attachment capability for employees on 

the road when they are using unrecognized or untrusted client devices. These 

employees can view documents, write their comments in a Web-based version of 

their email program, and attach the document to the email message. Users can 

take these actions without downloading the document to the client device.


Allowing Live Edit 

Live Edit is a convenience feature that allows users to edit remote documents 

with an ActiveX control. Users can edit and save documents without needing to 

download and upload them. 

The following notes explain how Live Edit works in combination with other 

action controls you can allow for the same resource: 

• Live Edit allowed without other action controls. Users can save the 

document on the source repository. 

• Live Edit and Email As Attachment allowed. Users can save the 

document on the local client device and email it from within the Live Edit 

session. 

• Live Edit and Download allowed. Users can save the document on the 

local client device. 

• Live Edit and Upload allowed. Users can save the document on the local 

client device. Users can upload (save) the document to published file 

shares. Published file shares have the option Publish for users in their list 

of resources selected in their properties. 

For more information the requirements for using Live Edit in your environment, 

see “Live Edit Requirements” on page 49. 

Allowing Logon 

The privilege of logging on is treated as a resource so you can secure the privilege 

through policies, just as you do for other resources. This feature enables you to 

configure additional requirements, beyond the authentication of credentials, that 

users must meet to log on to your network. 

The resource is named Allow Logon. You can select the Allow Logon resource 

along with other resources when you create an access policy. 

Users cannot log on until you create an access policy to allow them to do so.


To allow users to log on 

1. Open the properties of an existing access policy or create a new access 

policy. 

• To open an existing policy’s properties, select Policies and click 

Manage policies in Common Tasks. Search for the policy you want, 

select it, right-click, and choose Edit policy. 

• To create a new access policy, select Policies in the console tree and 

click Create access policy in Common Tasks. 

2. On the Resources page, select Allow Logon. 

3. On the Settings page, locate the heading Allow Logon and select from 

under it Access. 

4. Select Enable this policy to control this setting and select Allow, unless 

denied by another policy. 

Setting Conditions for Showing the Logon Page 

The logon point sends the logon page to the client device browser, allowing users 

to enter their credentials. You can make display of the logon page conditional by 

requiring that users’ client devices pass endpoint analysis scans before displaying 

the page. 

This feature adds security to your logon page. For example, you can create an 

endpoint analysis scan that verifies that the client device is running your required 

level of antivirus protection. Client devices that are not running the required level 

of antivirus protection might host a virus or sniffing program to record a user’s 

keystrokes. Such programs can record and steal credentials as users log on. 

You can set conditions for showing the logon page in logon point properties. If 

users do not meet the specified conditions, they receive an Access Denied error 

when they attempt to open the logon page URL. 

If you do not set any conditions in the Visibility section of logon point properties, 

the logon page is visible to any user who is allowed to browse to the URL. 

To set conditions for showing the logon page 

1. In the console tree, select the logon point and click Edit logon point in 

Common Tasks. 

2. In the logon point properties, select the Visibility page. 

3. Select Show logon page. 

4. If you want to show the logon page conditionally, use the logical expression 

builder to define the conditions to be met by the connecting client device.


A. Insert the logical operators AND, OR, and NOT and click Endpoint 

Analysis Output to choose from a list of your configured scans. 

B. Review the resulting logical statement in the Expression preview. 

Note: The expression builder appears unavailable until you have created 

endpoint analysis scans. 

The Root object displayed in the expression builder does not affect 

expression logic. The root signals the beginning of your expression tree. 

Example 1: An Expression Requiring One Scan 

To create an expression that requires the client device to be running a required 

level of McAfee VirusScan, click Endpoint Analysis Output and choose the scan 

output for the antivirus application. The expression builder contains: 

Citrix Scans for McAfee VirusScan.scan_name.Verified-McAfee- 

VirusScan 

where scan_name is the name you assigned to the scan when you created it. 

Example 2: Creating a Conditional Expression with OR 

Assume that the conditions you want to set are reflected by the following 

statement: Show the logon page to users with client devices that are running a 

required level of McAfee VirusScan or McAfee VirusScan Enterprise. Before you 

build this conditional expression, you must create an endpoint analysis scan for 

your required versions of McAfee VirusScan and McAfee VirusScan Enterprise. 

Note: This example requires you to have configured two endpoint analysis 

scans to verify whether or not the client device is running McAfee VirusScan or 

McAfee VirusScan Enterprise. For information about creating scans, see 

“Creating Endpoint Analysis Scans” on page 166. 

1. Select the Root object in the tree and click OR. 

2. Click Endpoint Analysis Output and choose the scan output for McAfee 

Virus Scan. 

3. Click Endpoint Analysis Output and choose the scan output for McAfee 

Virus Scan Enterprise. 

The result of this example procedure looks like this in the expression tree: 

ROOT 

OR 

Citrix Scans for McAfee VirusScan.scan_name.Verified- 

McAfee-VirusScan


Citrix Scans for McAfee VirusScan Enterprise.scan_ 

name.Verified-McAfee-VirusScan-Enterprise 

where scan_name is the name you assigned to the scans. 

Example 3: Creating a Complex Conditional Expression with NOT 

The following example shows a conditional expression using the NOT operator. 

To pass this complex condition, the client device must have your required version 

of McAfee VirusScan or McAfee VirusScan Enterprise, but the device cannot be 

connecting with the Mozilla Firefox browser. 

Note: This example requires you to have configured three endpoint analysis 

scans to verify whether or not the client device is running McAfee VirusScan or 

McAfee VirusScan Enterprise, and to also verify if the client device is connecting 

with the Mozilla Firefox browser. For information about creating scans, see 

“Creating Endpoint Analysis Scans” on page 166. 

1. Select the Root object in the tree and click AND. 

2. Click OR. 

3. Click Endpoint Analysis Output and choose your scan output for McAfee 

VirusScan. 

4. Click Endpoint Analysis Output and choose your scan output for McAfee 

VirusScan Enterprise. 

5. Select the AND object that you created in Step 1 and click NOT. 

6. Click Endpoint Analysis Output and choose your scan output for Mozilla 

Firefox. 

The result of the example looks like this in the expression tree: 

ROOT 

AND 

OR 

Citrix Scans for McAfee VirusScan.scan_name. 

Verified-McAfee-VirusScan 

Citrix Scans for McAfee VirusScan Enterprise. 

scan_name.Verified-McAfee-VirusScan-Enterprise 

NOT 

Citrix Scans for Mozilla Firefox.scan_name. 

Verified-Mozilla-Firefox-Connecting 


The Expression preview shows the following logical statement: 

((Citrix Scans for McAfee VirusScan.scan_name.Verified- 

McAfee-VirusScan OR Citrix Scans for McAfee VirusScan 

Enterprise.scan_name.Verified-McAfee-VirusScan-Enterprise)


AND (NOT Citrix Scans for Mozilla Firefox.scan_name. 

Verified-Mozilla-Firefox-Connecting)) 


Note the following about this example: 

• Inserting the NOT operator results in an OR NOT logic by default. If you 

want logic for AND NOT, insert the AND operator before the NOT 

operator in your tree, as you did in the above example. 

• The Mozilla Firefox scan package verifies a minimum version number. In 

this example, we want to verify any known version. To detect all known 

versions, we can create the scan to verify that the client device is 

connecting with a minimum of version 0.1. 

Bypassing URL Rewriting 

By default, Access Gateway rewrites the URL addresses of Web resources using 

a built-in Web proxy component. Web servers in the farm proxy the URL 

addresses of these internal resources. If you select the policy setting to bypass 

URL rewriting, you decrease your ability to set differing levels of access. This 

occurs because some action controls (policy settings) are not available for the 

resource unless Web proxy URL rewriting is used. 

In some documentation, this feature is referred to as bypassing the Web proxy. 

You might decide to bypass URL rewriting to: 

• Increase performance among the farm’s Web servers 

• Provide end-to-end SSL connections between the client device browser and 

the destination Web server hosting the resource 

• Provide access to internal Web sites that do not allow or work well when 

their URLs are rewritten. 

• Provide access to Web resources that are stored on a Web server hosting 

Advanced Access Control. 

Considerations about URL Rewriting 

Note the following considerations when deciding to use or bypass the URL 

rewriting feature: 

• If you select Bypass URL rewriting for a Web resource, all URL addresses 

for the host name are subject to the option and bypass the Web proxy. For 

example, if you select the option for the address 

“http://www.server1.company.com/folder1/folder2/”, all URL addresses


hosted on server1.company.com bypass the Web proxy, even if those 

addresses are not specified within the Web resource. 

• Users cannot access Web resources stored on a Web server hosting 

Advanced Access Control unless URL rewriting is bypassed. If you want to 

provide such access, you must create a policy for the Web resources and 

select Bypass URL Rewriting in the policy settings. 

• Ensure that the Web sites you make accessible are secure from 

vulnerabilities such as cross-site scripting and SQL injection. When the 

Web proxy is used to rewrite Web resource URLs (the default case), all 

resources appear to reside on the Web proxy server. In such cases you 

cannot rely upon protection by the JavaScript “same origin” policy to 

prevent malicious scripts from one server accessing properties of resources 

on another server, because resources from all servers appear to share the 

same origin. 

To bypass URL Rewriting 

Select Bypass URL rewriting in the policy settings of the policy that controls 

access to the Web resource. 

Important: When defining resources that bypass URL rewriting, you must 

specify entire servers, such as //server/. All URL addresses hosted on the 

specified server are bypassed by the Web proxy, even if those URL addresses 

appear in the properties of other Web resources that are supposed to be routed 

through the Web proxy. 

Limitations of Browser-Only Access 

If your Advanced Access Control deployment does not require any client 

software on client devices, your deployment is considered to provide browseronly 

access. In this scenario, users need only a Web browser to access corporate 

resources. 

Browser-only access to Web resources depends on the URL rewriting function of 

the Web proxy. Some Web applications do not handle URL rewriting well or do 

not allow the cookie management needed for browser-only access. Such 

applications are better suited for the simplified functionality of a common 

browser interface or client access through the Access Gateway. 

For example, the more a Web application uses the following advanced 

technologies, the less likely it is to work smoothly with proxied URL rewriting: 

• Flash animations


• Shockwave multimedia objects 

• ActiveX controls 

• Advanced Java scripting languages 

Test the behavior of those Web applications that you plan to provide only through 

a browser. If the applications do not behave as expected, consider the following 

alternatives: 

• Bypass the Web proxy. You can choose for users to bypass the Web proxy. 

For remote users (and possibly internal users in deployments of secure 

enclaves), this means using the Access Gateway with the Secure Access 

Client. For more information about bypassing the proxy, see “Bypassing 

URL Rewriting” on page 144. 

• Network resources. You can create a network resource to provide users 

direct access to the application using the Secure Access Client. Network 

resources do not appear in published lists of users’ resources such as the 

Access Interface. 

• Common browser interface. You can choose to use a basic browserindependent 

interface that suppresses use of enhanced display or 

functionality. 

To implement the common interface, open the Properties for the Web 

resource, choose the URL Addresses page, and select Use the interface 

that is common for all browser types. 

Note: You cannot incorporate the failover feature for Access Gateway 

appliances for users accessing Web resources only with a browser. 

Creating Connection Policies 

Connection policies control connections that use the Secure Access Client. You 

can assign filters to connection policies to define when the policy applies. 

Take care not to confuse connection policies with access policies: 

• Connection policies allow Secure Access Client connections and applies 

settings to those connections. You must allow use of the Secure Access 

Client to establish connections to any network resource and for email 

synchronization, because these types of resources do not allow browseronly 

access. 

• Access policies define access permissions that specified users have to 

resources under specified conditions. For example, an access policy


determines whether or not a group of users can access a certain file share 

and whether they can preview files in HTML or use Live Edit to modify the 

file. 

One of the filters you can apply to a connection policy is a continuous scan filter. 

A continuous scan filter comprises a set of scans that continue to monitor the 

connection during the entire user session. As soon as the client device ceases to 

meet the requirements defined in the continuous scan filter, the connection is 

disconnected. 

To create a connection policy 

1. In the console tree, select Policies > Connection Policies and choose 

Create connection policy from Common Tasks. 

2. Name and describe the policy. 

3. Configure the connection settings you want to apply by selecting each 

setting and choosing Yes or No to allow or deny it. You must allow the 

setting Launch Secure Access Client if access allowed to make additional 

settings available. Select from among the following settings: 

• Authenticate after system resume forces authentication after the 

client device goes into standby or hibernate mode. 

• Authenticate after network interruption forces authentication if 

the network connection is interrupted. 

• Enable split DNS allows failover to a user’s local DNS if the remote 

DNS is not available. By default, Access Gateway checks a user’s 

remote DNS only. 

• Execute logon scripts runs Windows logon scripts when the 

connection is established. 

• Desktop sharing allows users to share their desktop with other users 

who are logged on to the Access Gateway from a Secure Access 

Client. Users can then share their desktop by right-clicking the Secure 

Access Client icon in the Windows notification area and selecting 

Share Desktop.


4. If you want to give client devices a unique IP address, add and define the 

address pools from which address aliases are assigned. On the Define IP 

Pool Configuration page, click New to add each available IP pool. 

• For Access Gateway, enter the IP address of the Access Gateway 

appliance. 

• For Gateway, enter the IP address of the default gateway if you use 

one. If you do not use a default gateway, you can leave this box blank. 

• Each IP range should be valid but unused on the network. 

• To avoid conflicting assignments, ensure that you configure a unique 

IP range or ranges for each gateway appliance. You should not assign 

the same IP range or ranges to multiple gateway appliances. 

Note: If you add address pools, you must restart each Access 

Gateway appliance in the farm before the IP pool becomes available. 

You might want to schedule IP pool configuration for a convenient 

time. 

5. Select filters that define the conditions for policy enforcement. You can 

select two types of filters: 

• A filter defines requirements for logon points, endpoint analysis, 

authentication, and client certificates. This type of filter checks for 

your requirements once during logon. 

• A continuous scan filter defines requirements of registry entries, 

files, or processes that must be verified on the client device. This 

filter checks its requirements throughout the user session. 

6. Select users and user groups to whom the policy applies. 

Creating Policies for Presentation Server 

Connections 

If you create policies for Secure Access Client connections to Citrix Presentation 

Server, you must: 

• Define at least one IP pool in the connection policy properties 

• Create a network resource that includes the server or servers running 

Presentation Server


If no IP pools are defined, the client device is identified by the IP address of the 

Access Gateway appliance and connects directly to the server running 

Presentation Server without being controlled by policies assigned to the network 

resources defined for the servers running Presentation Server. 

Prioritizing Connection Policies 

Because multiple connection policies can apply to the same user, you can 

prioritize connection policies. The settings in policies with a higher ranking 

priority take precedence over those in lower ranking policies. 

To prioritize connection policies 

1. In the console tree, select Connection Policies and choose Set connection 

policy priority from Common Tasks. 

2. Select a policy and use the arrow buttons to move its position in the ordered 

list. The highest priority policy appears at the top of the list. 

Creating Policy Filters 

Filters define the conditions under which the policy applies. Consider the 

following example of a policy statement: 

Allow access and HTML Preview permission only to the Quarterly Sales Reports 

file share for Sales department users when they log on from outside the secure 

network using an SSL client certificate. 

The filter part of the above policy statement is “when they log on from outside the 

secure network using an SSL client certificate.” If you authenticate remote 

workers through a specific logon point, you can filter by the logon point and you 

can require the use of a client certificate. 

You can configure four types of conditions for a filter: 

• Logon point. Applies the policy based on the URL with which the user 

connects to the network. 

• Authentication strength. Applies the policy based on the authentication 

being used. The options available in the filter depend on the authentication 

configurations you have set up. For more information see “Securing User 

Connections” on page 101. 

• Endpoint analysis scan outputs. Applies the policy based on information 

gathered by endpoint analysis scans of the client device. You must 

configure scans before any scan outputs are available to integrate into a 

filter.


• Client certificate requirements. Applies the policy based on the presence 

of specified criteria in the SSL client certificate. 

Filters are designed so you can name them and use the same filter for multiple 

policies. Each policy uses one filter only. To achieve the effect of using multiple 

filters, you can use the custom filter feature to create complex filters that contain 

other filters. 

To create a policy filter 

You can create a filter before, at the same time, or after you create the policies 

you want to associate with it. 

1. Open the New Filter wizard from one of the following locations: 

• In the console tree, select Policies > Filters and click Create filter in 

Common Tasks. 

• On the Select Filters page of a policy wizard, click New. 

2. Enter a name and description for the filter. 

3. Select the option Create a typical filter. 

4. If you want the policy to apply when users enter through specific logon 

points, select those logon points. 

5. If you want the policy to apply based on the authentication used, select the 

authentication. 

6. If you want the policy to apply based on endpoint analysis scans of the 

client device, select the appropriate scan outputs. 

7. If you want the policy to apply based on required information in an SSL 

client certificate, select Specify SSL client certificate matching criteria. 

You can require that the certificate contain specified values for common 

name, organization, or organizational unit. 

• You cannot specify SSL client certificate values for filtering unless 

the option to require client certificates is selected in Access Gateway 

Global Properties (Gateway Appliances > Edit gateway appliances 

properties > Client Properties). 

• Do not add quotation marks around the values you enter for common 

name, organization, or organizational unit. 

Each type of filter condition is optional. For example, you can configure a filter 

based on logon point only. Logically, the conditions defined in a filter are 

combined with the AND logical operator, and within a condition type, the settings 

are combined with an OR operator. For example, if your filter settings specify 

Logon Point A, Logon Point B, and Scan Output C, the policy is applied with the 

following logic:


(Logon Point A or Logon Point B) and Scan Output C 

Creating Custom Filters 

You can create custom filters that use logical expressions with the operators 

AND, OR, and NOT, allowing you to create filters of greater complexity than you 

can with typical filters. With typical filters you are limited to selecting conditions 

that the wizard combines with AND logic only. Because they are made from 

logical expressions, custom filters provide more complexity and flexibility, but 

they are harder to create. 

Using custom filters is optional and not required for common configurations. For 

ease of administration, use typical policy filters. 

To build a custom filter with logical expressions 

1. In the console tree, select Policies > Filters and click Create filter in 

Common Tasks. The New Filter wizard opens. 


3. Select the option Create a custom filter. 

4. On the Build Custom Filter page, use the logical expression builder to 

create an expression that reflects the conditions you want met before the 

policy is enforced. 

• Insert the logical operators AND, OR, and NOT along with elements 

for logon point, authentication, endpoint analysis output, client 

certificate, or another filter to create the logical expression. 

• Note that the Root object displayed in the expression builder does not 

affect expression logic. The root signals the beginning of your 

expression tree. 

Example: Creating a Custom Filter 

Assume for this example that your network security strategy is to deny logon 

privileges to client devices running Windows 2000 unless those devices have 

Windows 2000 Service Pack 4 installed OR are running Internet Explorer 6.0. 

You want to build a filter for this scenario that you can assign to a policy that 

includes the Allow Logon privilege. 

Before creating the custom filter, create two scans as follows:


1. Use “Citrix Scans for Windows Service Pack” to create a scan with these 

settings: 

• Rule conditions: operating system = Windows 2000; client device 

regional locale = all 

• Property value to verify: Service Pack 4 

2. Use “Citrix Scans for Internet Explorer” to create a scan with these settings: 

• Rule conditions: operating system = Windows 2000; client device 

regional locale = all 

• Property value to verify is the minimum required version: 6.0 

On the Build Custom Filter page of the New Filter wizard, follow these steps to 

create the logical expression: 

1. Click OR from the Insert group box. 

2. Click Endpoint Analysis Output and choose the scan output for Service 

Pack 4. 

3. Select OR in the expression builder and click Endpoint Analysis Output 

again to choose the scan output for Internet Explorer Version 6.0. 

The result in the expression builder appears as: 

OR 

Citrix Scans for Windows Service Pack.scan_name.Verified-Windows- 

Service-Pack 

Citrix Scans for Internet Explorer.scan_name.Verified-Internet- 

Explorer 


For more examples of using an expression builder, see “Setting Conditions for 

Showing the Logon Page” on page 141. 

Creating Continuous Scan Filters 

Continuous scan filters define the continuous scan requirements for a connection 

policy. A continuous scan verifies one item (a file, registry entry, or process) on 

the client device. The filter can include one or more continuous scans for 

verification. When associated with a connection policy, the filter defines all the 

requirements to be verified by continuous scans for the connection policy to take 

effect. 

Note that continuous scan filters, unlike regular policy filters, cannot be used by 

Citrix Presentation Server policies. For more information, see “Integrating Citrix 

Presentation Server” on page 157.


For information about continuous scans, see “Creating Continuous Scans” on 

page 178. 

To create a continuous scan filter 

1. In the console tree, select Policies > Continuous Scan Filters and click 

Create filter in Common Tasks. 


3. On the Configure Requirements page, use the logical expression builder 

to create an expression that reflects the conditions you want the client 

device to meet. 

• Insert the logical operators AND, OR, and NOT and click File Scan, 

Process Scan, or Registry Scan to choose from your configured 

scans. 

• Note that the Root object displayed in the expression builder does not 

affect expression logic. The root signals the beginning of your 

expression tree. 

Example 1: Conditional Expression Requiring One Scan 

Assume that you want to create an expression that requires an antivirus program's 

executable file to be installed on the client device and that you configured a file 

scan to verify this file. From the Configure Requirements page of the 

continuous scan filter wizard, click File Scan and choose the file scan. The result 

of this example procedure looks like this in the expression tree: 

ROOT 

scan_name 

where scan_name is the name you assigned to the scan when you created it. 

Example 2: Conditional Expression Requiring One of Two Scans 

Assume that the conditions you want to set are reflected by the following 

statement: Client devices must be running the process for a personal firewall from 

either Company A or Company B. Before you build this conditional expression, 

you must create a process scan for Company A's personal firewall process and 

another process scan for Company B's personal firewall process. 

1. Click OR. 

2. Click Process Scan and choose the scan for Company A’s personal firewall 

process. 

3. Click Process Scan and choose the scan for Company B’s personal firewall 

process. 

The result of this example procedure looks like this in the expression tree:


ROOT 

OR 

scan_name_CompanyA_process 

scan_name_CompanyB_process 

where scan_name_CompanyA_process and scan_name_CompanyB_process are 

the names you assigned to the scans. 

For more examples of using an expression builder, see “Setting Conditions for 

Showing the Logon Page” on page 141. 

Granting Access to the Entire Network 

The Entire Network resource represents all visible servers and services on your 

secure network. If policies allow connections and access to this resource, Secure 

Access Client users can access these servers or services through an SSL virtual 

private network tunnel created between the client device and the network. The 

Entire Network resource is a built-in network resource, the properties of which 

cannot be edited or deleted. To control the conditions under which the Entire 

Network resource is accessed, you must create access policies just as you do for 

all other types of resources. 

You can use the Entire Network resource to: 

• Quickly set up your deployment and test access 

• Provide unlimited access to a special class of user, such as administrators 

who need wide access for disaster recovery or emergency operations 

• Provide open access by default and later develop policies that deny access 

to specified resources according to your security plan 

The general steps involved in granting access to the Entire Network include: 

1. Create an access policy for the Entire Network resource allowing access to 

selected users. 

2. Create a connection policy allowing user connections. 

3. Filter the policies according to the conditions or requirements you want to 

impose. 

Because the Entire Network resource includes all visible servers on the network, 

take care to allow access to this resource only under the conditions you intend. 

Access to this resource is a powerful level of access.


Reviewing Policy Information with Policy Manager 

Policy Manager enables you to search your policies by resource, users, and filters. 

You can use keywords for your searches. The search results can assist with quick 

policy planning, management, or troubleshooting. The following are only a 

sample of the types of information you can find quickly with Policy Manager: 

• Find all the policies that affect a specified user or user group 

• View all the policy settings that pertain to a specified resource 

• List all policies that use a specified filter 

• Find all policies that control the permission to logon 

To search for policies and settings 

1. Open Policy Manager by selecting Policies in the console and choosing 

Manage policies from Common Tasks. 

2. Use a mixture of keywords in the Resource, User, and Filter text boxes 

and click Search. For example, to find every policy assigned to “All 

authenticated users,” type all in the User text box. 

• By default all policies are shown when you open the Policy Manager. 

Clicking Clear at any time empties the search criteria boxes and 

returns to a view of all policies. 

• Double-click a filter to open the filter’s properties. Double-click in 

any other column to open the policy’s properties. 

• Click a column heading to sort results alphabetically by that column’s 

entries. Click the same column again to reverse the sort order. 

Note: Policy Manager does not present information about the filtered results of 

policy control with live connecting clients, such as the resulting set of access 

permissions after endpoint analysis scans or continuous scans are taken into 

consideration.


CHAPTER 10 

Integrating Citrix Presentation 

Server 

You can integrate Advanced Access Control and Citrix Presentation Server so 

that users can easily access all of their resources, including published 

applications, from a common interface. For example, you can embed a Citrix 

Access Platform site within the Access Interface. The Access Interface is a 

navigation page shipped with Advanced Access Control that can list available 

published applications alongside other available resources such as Web resources, 

file shares, and so on. 

In addition, you can share information collected by Advanced Access Control to 

extend the policy-based access control capabilities of Citrix Presentation Server. 

By integrating Advanced Access Control filters within Citrix Presentation Server 

policies, you can control which published applications users can access and what 

they can do within those applications once they get access. This allows you to 

create Citrix Presentation Server policies to accommodate different access 

scenarios based on a variety of factors such as authentication strength, logon 

point, and client device information such as endpoint analysis. 

For example, you can include endpoint analysis information collected by 

Advanced Access Control within a Citrix Presentation Server policy to determine 

access to a published application. In addition, you can selectively enable clientside 

drive mapping, cut and paste functionality, and local printing based on the 

logon point used to access the published application. 

The next section discusses the supported deployments as well as the procedures 

required to integrate Citrix Presentation Server and Advanced Access Control. If 

you are passing Advanced Access Control information into Citrix Presentation 

Server for policy evaluation, you must complete the following steps as well: 

• Create one or more filters within Advanced Access Control. See “Creating 

Policy Filters” on page 149 for more information about creating filters. 

• Create policies within Citrix Presentation Server that reference Advanced 

Access Control filters. See the Citrix Presentation Server Administrator’s 

Guide for more information about creating policies.


Note: Continuous scan filters, unlike regular policy filters, cannot be used by 

Citrix Presentation Server policies. 

Linking from Advanced Access Control to Citrix 


Complete the steps below to enable Citrix Presentation Server to allow 

connections from Advanced Access Control. 

1. Ensure that published resources are assigned to the same user groups 

assigned to resources in the access server farm. 

2. In Citrix Presentation Server: 

• Enable Allow connections made through MetaFrame Secure 

Access Manager for each published resource. This option appears in 

the access control settings of the published resource properties. 

• In each server's properties, select the option Trust requests sent to 

the XML Service. 

3. Complete the steps required to integrate published applications within your 

deployment. Integration options include: 

Integrating Web Interface 

• Citrix Access Platform site created by Web Interface. Display 

published applications within a Citrix Access Platform site. For more 

information, see “Integrating Web Interface” on page 158. 

• File type association. Documents are launched in an associated 

application running on a server in a Citrix Presentation Server farm. 

For more information, see “Configuring File Type Association” on 

page 163. 

• Third-party portals. Embed a Citrix Access Platform site within a 

third-party portal such as Microsoft SharePoint. For more 

information, see “Integrating Third-Party Portals” on page 163. 

Advanced Access Control provides several methods for integrating Citrix Access 

Platform sites created with Web Interface including: 

• Citrix Access Platform site embedded within the Access Interface. When 

the Access Interface is selected as the default home page, a Citrix Access

Chapter 10 Integrating Citrix Presentation Server 159 

Platform site is displayed alongside file shares and Web applications. You 

can also configure the Access Interface to display up to three Presentation 

Server sites in a separate tab. 

• Citrix Access Platform site configured as the default home page for a logon 

point. Once logged on, users are presented the Citrix Access Platform site. 

Note: Web Interface and its accompanying documentation is available for 

download from the Citrix Web site at www.citrix.com/. 

To integrate a Citrix Access Platform site 

This procedure requires that you use Version 4.2 of the Access Management 

Console to create and manage Citrix Access Platform sites integrated with 

Advanced Access Control. Version 4.0 of the console or command-line tool 

cannot be used to manage sites created with later versions of the console. In 

addition, once a Citrix Access Platform site is configured with the Advanced 

Access Control access method, users can access this site only through Advanced 

Access Control. Attempts to directly access the site are denied. 

Complete the following steps in Advanced Access Control. 

1. Configure Citrix Presentation Server to communicate with Advanced 

Access Control. See “Integrating Citrix Presentation Server” on page 157 

for more information. 

2. Create a Web resource for the Citrix Access Platform site with the 

following settings: 

• Select Citrix Web Interface 4.2 or later as the application type 

• Select the Publish for users in their list of resources check box 

3. Specify the appropriate policy settings for the Web resource referencing the 

Citrix Access Platform site. 

4. Provide access to the Citrix Access Platform site in one of the following 

ways: 

• Display the Citrix Access Platform site as the default home page. 

Configure a logon point to display the application with the highest 

display priority as the home page. Then, configure the Citrix Access 

Platform site as the application with the highest priority. 

• Embed a Citrix Access Platform site within the Access Interface. 

Configure a logon point to display the Access Interface as the home 

page. The Citrix Access Platform site is embedded as a frame within 

the Access Interface.


See “Configuring Logon Points” on page 89 for more information. 

In Web Interface, complete the following steps. For additional information about 

configuring Web Interface, see the Web Interface Administrator’s Guide. 

1. Select Using Advanced Access Control when specifying an access method 

for the site. 

2. Enter the URL of the Advanced Access Control authentication service. 

In both Web Interface and Advanced Access Control, ensure the Workspace 

Control, Java Client fallback, and session time-out settings are configured 

properly. For more information, see “Coordinating Advanced Access Control and 

Web Interface Settings” on page 162. 

Displaying Multiple Sites and Caching Credentials 

You can embed multiple Citrix Access Platform sites within the Access Interface 

and cache the credentials used to log on to those sites. You can display up to three 

Access Platform sites as well as enable each site to “remember” and “forget” 

users’ logon credentials. 

Using Multiple Access Platform Sites from the Access 

Interface 

By enabling multiple Access Platform sites to display within the Access 

Interface, you can provide access to published applications from multiple 

Presentation Server farms. To enable Advanced Access Control to display these 

sites, you create and run a Visual Basic script that modifies the values of the 

CredentialCachingEnabled and MultipleWebInterfaceEnabled fields in the 

FarmSettings table of the configuration database. When you do this, the layout of 

the Access Interface changes to accommodate up to three sites. Access Platform 

sites appear in the Applications tab while Web email appears on the Email tab. 

File shares and published Web sites appear on the Home tab. 

Using Credential Caching 

When users log on to Advanced Access Control, their credentials are passed 

through to the Access Platform sites. If the credentials for Advanced Access 

Control match the credentials for the Access Platform site, users are 

automatically logged on to the site. Additionally, if Workspace Control is enabled 

at the logon point, published applications that were disconnected in the previous 

session are automatically reconnected. If these credentials differ, users are 

prompted to provide the correct credentials. After logging on, users can select the 

Remember my logon check box to avoid re-entering their Access Platform site 

credentials. Users can also delete their cached credentials by clicking the Forget 

My Logon icon.


Note: If users choose to store credentials for an Access Platform site and their 

credentials for logging on to Advanced Access Control are later changed, 

Advanced Access Control automatically deletes the stored credentials the next 

time the users log on. The users are then prompted to re-enter their credentials for 

the Access Platform site. 

When you enable credential caching, Advanced Access Control stores the Access 

Platform site credentials in the UserData table in the configuration database. 

When a user logs on, the Web proxy reads the encrypted credentials from the 

configuration database and forwards them to the Citrix Access Platform site. If 

credential caching is disabled or the cached credentials for the site are incorrect, 

users are prompted to enter the correct credentials to log on to the Access 

Platform site. 

Preserving Workspace Control 

When users log on to Advanced Access Control, the credentials they enter are 

used to provide Workspace Control with the Presentation Server farms specified 

in the access server farm properties. If users enter one set of credentials to log on 

to Advanced Access Control and a different set of credentials to log on to the 

Access Platform site, they may not be able to disconnect or reconnect their 

applications when you enable multiple sites to be displayed. To preserve 

Workspace Control for users with differing sets of credentials, you perform the 


• Associate each Citrix Access Platform site with its corresponding farm 

configured in Advanced Access Control. 

• Define a Secure Ticket Authority (STA) so the Access Gateway can 

authenticate users to the farm. For more information about defining the 

STA, see “Configuring Authentication with Citrix Presentation Server” on 

page 100. 

To enable the display of multiple Citrix Access Platform sites and enable 

credential caching 

1. On the Advanced Access Control server, create a .vbs file that contains the 

following script: 

Dim object 

Dim farmsetting 

Set object = 

WScript.CreateObject("Citrix.Msam.Amc.BusinessObjects.FarmSett 

ingManager") 

Set farmsetting = object.GetFarmSetting () 

farmsetting.CredentialCachingEnabled = 1


farmsetting.MultipleWebInterfaceEnabled = 1 

obj.UpdateFarmSetting (farmsetting) 

2. Save and close the file. 

3. Double-click the file to run the script. 

To associate a Citrix Access Platform site with the corresponding farm 

Before you can associate an Access Platform site with a Presentation Server farm, 

you must configure the site as a Web resource and publish it for users to access 

from the Access Interface. If you do not select Publish for users in their list of 

resources when you configure the Access Platform site as a Web resource, the 

site is not available to associate with a Presentation Server farm. 



2. From the Presentation Server Farms page, select the farm and click Edit. 

3. On the Web Interface page, select the site you want to associate with the 

farm. 

To ensure Workspace Control functions for all users, you must define a STA in 

the gateway properties. For more information, see “Configuring Authentication 

with Citrix Presentation Server” on page 100. 

Coordinating Advanced Access Control and Web 

Interface Settings 

Certain Citrix Presentation Server settings are available for configuration within 

Advanced Access Control and Web Interface. However, because a Citrix Access 

Platform site integrated with Advanced Access Control can be referenced by 

more than one logon point, it is possible for one logon point to embed a Citrix 

Access Platform site within its Access Interface page while another logon point 

displays the site as its default home page. This can cause conflicts with certain 

published application settings. To ensure your settings work as intended, follow 

the instructions below. 

• Workspace Control. Disable all Advanced Access Control Workspace 

Control settings for all logon points that have a Citrix Access Platform site 

as their home page. This ensures that the settings configured within Web 

Interface are used. All other logon points can have Workspace Control 

configured as desired. 

• Java Client Fallback. Ensure that logon points using the Access Interface 

as their home page have the same Java Client fallback settings as the Citrix 

Access Platform site.


• Session time-out. Ensure all logon points use the same settings as the 


Configuring File Type Association 

When file type association is allowed, users opening a document launch it in an 

associated application running on servers in Citrix Presentation Server farms. For 

example, if a user opens a document within a file share configured with file type 

association, the document opens within a published application. File type 

association is available to Web resources, file shares, and Web-based email. 

To configure file type association for file shares, Web resources, and Webbased 

email 

Before you configure file type association, verify that published application 

settings in Citrix Presentation Server specify the associations you want. For 

example, if you want a published application to be launched for users when they 

open a bitmap image (.bmp) file, make sure that the application’s settings 

associate it with .bmp files. 




2. Specify the farm(s) you want to link to your access server farm. See 

“Specifying Server Farms” on page 85 for more information. 

3. Specify the Citrix Presentation Server farms available to the logon point. 

See “Configuring Logon Points” on page 89 for more information. 

4. Create an access policy for the file share, Web resource, or Web-based 

email application and enable and allow the File Type Association action 

control. See “Configuring Policy Settings to Control User Actions” on page 

137 for more information. 

Integrating Third-Party Portals 

You can incorporate a Citrix Access Platform site into a third-party portal such as 

SharePoint to provide convenient access to published applications next to other 

Web applications and content. You can integrate Advanced Access Control within 

this deployment to provide granular policy-based control over files, Web content 

and applications, and published applications.


Important: Web Interface for Microsoft SharePoint is a Web Part that allows 

the integration of a Web Interface within SharePoint. For more information about 

Web Interface for Microsoft SharePoint, see the Citrix Web site. Generic thirdparty 

portals must support the display of IFRAME-based Web content to properly 

integrate a Citrix Access Platform site. 

To display a Citrix Access Platform site in a portal 




2. Create a Web resource for the Citrix Access Platform site with the 

following settings: 

• When integrating with SharePoint, select SharePoint with Web 

Interface Web Part application type 

• When integrating with a generic third-party portal, select Citrix Web 

Interface 4.2 or later application type 

3. Enable the Publish for users in their list of resources check box. 

4. Specify the appropriate policy settings for the Web resource referencing the 


5. Create a Web resource for the SharePoint site or third-party portal 

containing the Citrix Access Platform site and specify the appropriate 

policy settings. 

6. In Web Interface, configure a Citrix Access Platform site to use Advanced 

Access Control as its access method by: 

A. Selecting Using Advanced Access Control when specifying an 

access method for the site 

B. Entering the URL of the Advanced Access Control authentication 

service 

7. In both Web Interface and Advanced Access Control, ensure the Workspace 

Control, Java Client fallback, and session time-out settings are configured 

properly. For more information, see “Coordinating Advanced Access 

Control and Web Interface Settings” on page 162.

CHAPTER 11 

Verifying Requirements on Client 

Devices 

Endpoint analysis is a process that scans a client device and detects information 

such as the presence and version level of operating system, antivirus, firewall, or 

browser software. Use endpoint analysis to verify that the client device meets 

your requirements before allowing it to connect to your network. You can monitor 

files, processes, and registry entries on the client device throughout the user 

session to ensure that the device continues to meet requirements. 

You can use two types of scans: 

• Endpoint analysis scans detect information about the client device, such 

as the presence and version level of operating system, antivirus, firewall, or 

browser software. This information can be included as a filter within an 

access policy or a connection policy. Endpoint analysis scans are run once, 

during logon. 

• Continuous scans are scans of the client device that occur repeatedly 

throughout the session to ensure that the client device continues to meet 

requirements. The feature prevents, for example, users from changing the 

status of a client device requirement after establishing the connection. 

Types of continuous scans include file scans, process scans, and registry 

scans. For more information, see “Creating Continuous Scans” on page 

178. 

You can incorporate detected information into policies, enabling you to grant 

different levels of access based upon the client device. For example, you can 

provide full access with download permission to users who connect from the field 

using corporate laptops that are up-to-date with antivirus and firewall software 

requirements. For users connecting from kiosks or untrusted home computers, 

you can provide a more restricted level of access that allows previewing 

documents only or editing the documents on remote servers without downloading 

them. 

Endpoint analysis performs these basic steps: 

• Examines an initial set of information about the client device to determine 

which scans to apply


• Runs all applicable scans 

• Compares property values detected on the client device against desired 

property values listed in your configured scans 

• Produces an output verifying if desired property values are found 

When a user tries to connect through a logon point, endpoint analysis checks the 

scans that are filtered for the logon point. All scans with conditions met by the 

client device are run on the client device using the Endpoint Analysis Client 

software. These scans return results (called scan outputs) of detected information 

or True or False results of required property values. 

Note: The Citrix Scans for Macintosh and Citrix Scans for Browser Type do not 

require that the Endpoint Analysis Client software run on the client device. These 

scans can gather their results from information provided to the server from the 

client device directly, without using Endpoint Analysis Client software. 

Note that scans with conditions not matching the client device do not run on the 

client device; however, even these scans receive a default output defined by the 

scan package, such as False. 

Endpoint analysis completes before the user session consumes a license. 

To configure endpoint analysis 

Follow these general steps to configure endpoint analysis: 

1. Identify the scan packages that check the properties you want to verify. 

2. Create scans, configuring the conditions under which they run and the 

properties they verify. 

3. Add additional rules if you want a scan to apply to multiple scenarios. 

4. Use scan outputs in policies when you configure policy filters. 

5. Deploy client software to users. 

You can log endpoint analysis events through the system Event Viewer. For more 

information about auditing such events, see “Auditing Access to Corporate 

Resources” on page 225. 

Creating Endpoint Analysis Scans 

Scans verify specific properties of client devices connecting to your network, 

such as the installed version of an antivirus software product or verification that 

the machine belongs to a required domain.

Chapter 11 Verifying Requirements on Client Devices 167 

Scans have rules that define when the scan is applied to a client device. Each rule 

includes a set of conditions, which are required attributes of the client device that 

must all be met for the scan to be applied. 

Creating a scan includes defining the prerequisite conditions under which the 

scan runs and configuring the properties to verify. 

Note: For detailed information about the configurable properties of a specific 

scan, see the “Scan Properties Reference” on page 239. 

To create a scan 

1. In the console tree, select the scan package for the properties you want to 

scan. 

2. From the Common Tasks area, click Create scan. 

3. Name the scan. 

4. Select the conditions that will define when the scan runs. 

5. Provide a rule name for the set of conditions and properties you are 

configuring. 

6. Select all acceptable values for each condition. 

• The condition is met if the client device matches any of the values 

you select 

• The wizard presents a separate page for each condition 

7. Configure the property values to verify. 

• For example, to verify that a minimum version of an antivirus 

program is running on the client device, enter the minimum version 

number. 

• The wizard presents a separate page for each property value the scan 

verifies. If the scan verifies multiple property values, the client device 

must meet the requirements for all specified values. 

• Version numbers follow the typical syntax for the specific product 

and require at least one decimal point; for example, 2.1 or 2.1.1. 

For information about individual scan packages and the properties you can set for 

them, see “Scan Properties Reference” on page 239. 

After creating a scan, you can add more rules to make the scan apply to multiple 

user scenarios.


Scan Packages 

Using Scan Outputs to Filter Policies 

You can use endpoint analysis scan outputs to filter policy enforcement. Filtering 

with scan outputs allows you to secure access to your network and resources 

based on properties of the client device, such as whether or not it is running 

required minimum levels of antivirus or firewall software. 

To use a scan output in a policy 

The following steps describe the general process for using scan outputs in 

policies. 

1. Create a scan that verifies the properties you require. 

2. Create a policy filter that uses the scan output from Step 1. 

3. Create a policy and assign to it the filter you created in Step 2. 

Steps 2 and 3 above can be combined in the policy wizard. 

Using Scan Outputs to Filter Logon Page Visibility 

You can use the scanned information you discover about the client device to filter 

users’ ability to see the logon page. For more information, see “Setting 

Conditions for Showing the Logon Page” on page 141. 

Scan packages enable you to create scans to verify the properties of a client 

device, such as the installed version of an antivirus software product. Each 

package is designed to verify specific properties or software products. 

Scan packages are listed in the console under the Endpoint Analysis node. 

You can view individual properties of a scan package in the console, including a 

description of its scan outputs. Look at the scan output descriptions when you 

want to know which information about the client device is retrieved or verified. 

A scan output can take two forms: 

• Information about the client device. For example, the scan package Citrix 

Scans for Trend OfficeScan detects and retrieves a value that is the product 

version of Trend OfficeScan running on the client device, if any. 

• A true/false Boolean verification indicating if the scan’s required property 

values were detected. 

To view the scan outputs produced by a scan package 

1. In the console tree, select the scan package.


Adding Rules to Scans 

2. From the details pane on the right, select Properties from the display 

menu. The scan output table describes each output produced by the 

package. 

Rules are sets of conditions that define when to apply a scan and which property 

values to check. Multiple rules can apply to a single scan. The first rule of a scan 

is defined when you create the scan. After creating the scan, you can add more 

rules to make the scan apply to multiple scenarios. 

For example, the same scan can check for version X of an antivirus program on 

devices running Windows NT-based operating systems. You can create a different 

rule to check for version Y of the same antivirus program on devices running 

earlier Windows operating systems. 

To add a rule 

1. Select the scan in the console tree and click Create rule in Common Tasks. 

2. Follow the wizard prompts to define the rule’s name, condition settings, 

and property value settings. 

Example: Adding Multiple Rules to a Scan 

Assume that your network security policy is to prevent access to client devices 

unless they have Service Pack 4 installed for Windows 2000 and Service Pack 2 

installed for any machines running Windows XP. You have an exception for 

employees in the Tokyo office, because the Tokyo IT department decided not to 

upgrade Windows XP to Service Pack 2 until further testing takes place. You can 

use the same scan with different rules to verify the correct service pack for all 

three of these scenarios. 

Your environment includes a logon point named “Tokyo” that is used by your 

Tokyo office users. Logon points apply settings to the connections that initiate 

through their URLs. 

The following steps create a scan that verifies these three service pack 

requirements. 

1. Create a scan with the Citrix Scans for Windows Service Pack, selecting the 

Logon Point condition to configure.


2. Create the first rule during scan creation with these settings: 

• Conditions: set the Operating system to Windows 2000 and set the 

Logon point to all 

• Property value to verify: set the minimum required service pack to 

Service Pack 4 

3. Add a second rule to the same scan with these settings: 

• Conditions: set the Operating system to WindowsXP and set the 

Logon point to all except Tokyo 

• Property value to verify: set the minimum required service pack to 


4. Add a third rule to the same scan with these settings: 

• Conditions: set the Operating system to WindowsXP and set the 

Logon point to Tokyo 

• Required property value: set the minimum required service pack to 


Using Scan Outputs in Other Scans 

You can use scan outputs as conditions in other scans. This feature allows you to 

make the result of one scan a condition for another scan to run. 

To create conditions from scan outputs 

You can create conditions from scan outputs in the following three ways: 

• Select Endpoint Analysis or select a specific scan in the console tree and 

click Edit available conditions list in Common Tasks 

• On the Select Conditions page of the Create Scan wizard, select Use 

Another Scan’s Output as a Condition 

• Select a scan output in the Properties view for a specific scan and click 

Create condition 

Example: Using a Scan Output as a Condition 

Assume that you have two divisions, Sales and Finance, that are assigned their 

own domain. The Sales group requires all of its client devices connecting 

remotely to run Antivirus Program A, but the Finance group requires its client 

devices to run Antivirus Program B.


Follow the steps below to verify that these client devices are running the required 

antivirus program version. 

1. Create two scans using Citrix Scans for Domain Membership: 

• A Sales domain scan to verify that client devices belong to the Sales 

domain 

• A Finance domain scan to verify that client devices belong to the 

Finance domain 

2. Create a scan to check only Sales domain client devices for Antivirus 

Program A: 


Another Scan’s Output as a Condition and follow the prompts to 

identify the scan output for the Sales domain scan you created in Step 

1 

• Use the scan output “Verified-domain” from the Sales domain scan as 

your new condition and require it to have a value of “True” 

3. Create a scan to check only Finance domain client devices for Antivirus 

Program B: 


Another Scan’s Output as a Condition and follow the prompts to 

identify the scan output for the Finance domain scan you created in 

Step 1 

• Use the scan output “Verified-domain” from the Finance domain scan 

as your new condition and require it to have a value of “True” 

You can use scan outputs in custom filters to achieve similar results for complex 

scenarios. 

Editing Conditions and Rules 

Editing the Available Conditions 

All rules for a scan share the scan’s list of available conditions. The available 

conditions are the conditions that you can configure for the scan’s rules. 

Interdependencies exist between the various rules and conditions of a scan. 

If you edit the list of available conditions, be aware of the following 

considerations: 

• If you add to a scan’s list of available conditions, all existing rules for the 

scan receive the new condition with all possible values selected for use. To


make sure you do not change the conditions of existing rules in unexpected 

ways, check the properties for the scan’s rules after you add to the list of 

available conditions. 

• To remove a condition from a scan’s available conditions list, you must first 

remove all rules that use the condition or select all possible values for the 

condition in every rule that uses it. 

Editing Rules 

You can view all condition settings for a rule in the Properties display for the rule. 

For example, if you add to the conditions that are available for a scan, all existing 

rules of that scan receive the condition you added with all the settings selected. 

You might need to adjust the settings that are automatically copied to existing 

rules. 

To edit the condition settings for a rule, select the rule in the console tree and 

click Properties from the display menu in the details pane on the right. 

Using Data Sets in Scans 

Some scans reference a data set of values to compare against values detected on 

the client device. For example, you might require multiple operating system 

updates on the client device and need to verify that the entire set of updates are 

present. Such a list of required updates is an example of a data set. Data sets are 

stored in the farm database. You can create a data set by importing a commaseparated 

values (.csv) file or by entering individual values. 

Lists 

Lists are single-column data sets that indicate multiple required values for a 

single property. Scan packages that use lists include: 

• Citrix Scans for Windows Update verifies that client devices are running all 

of the updates you list in a data set 

• Citrix Scans for Internet Explorer Update verifies that client devices are 

running all of the updates you list in a data set 

Maps 

Maps, or double-column data sets, detect a value on the client device and map it 

to another value used in the scan.


For example, Citrix Scans for MAC Address detects the MAC address for each 

network interface card (NIC) or network adapter on the client device. The scans 

reference a double-column data set to map the address (the first column value) to 

a group name (the second column value). Scans use this mapping to verify the 

logical group to which the client device belongs. 

Creating Data Sets 

Follow the procedure below to create a named data set and then enter data into it. 

For a list (single-column data set), you can enter data manually or import it from 

a .csv file. For a map (double-column data set), you must import initial data from 

a .csv file. 

Important: Data set values can be treated as case-sensitive, depending on the 

scan package using the data set. If you are using such a package, avoid creating 

conflicting entries that differ in case. For example, with the Citrix Scans for MAC 

Address package, it is possible to create an entry for the same address and map it 

to two different groups. One entry might map the address 00:50:8b:e8:f9:28 to the 

Finance group. Another entry can map the same address with different case 

lettering, 00:50:8B:E8:F9:28, to the Sales group. Such entries make scan results 

unreliable. 

To create a data set 

1. Select Endpoint Analysis in the console tree and click Manage data sets 

in Common Tasks. 

2. Select New. 

3. Enter a name for the new data set. 

4. Enter data in one of the following two ways: 

• Enter a path to a .csv file containing initial data to import. You must 

use this method to create a double-column set. 

• Leave the file path blank to create an empty single-column data set. 

Add values by editing the data set after you create it. 

You can edit an existing data set from the Data Sets dialog box. To open Data 

Sets, select Endpoint Analysis in the console tree and click Manage data sets in 

Common Tasks. 

Example: Verifying a Set of Required Updates 

This example describes the steps for creating a scan to verify that client devices 

are running required updates for Version 6.0 of Internet Explorer.


1. Use the Citrix Scans for Internet Explorer scan package to create a scan that 

verifies whether or not the client device is running Version 6.0 of Internet 

Explorer. 

2. Create a single-column data set listing the Internet Explorer updates you 

require if the client device is running Version 6.0. Example values for such 

a data set might be KB834707, KB867232, and KB889293. 

3. Use the Citrix Scans for Internet Explorer Update scan package to create a 

scan to check for your required updates on client devices running Internet 

Explorer Version 6.0. 

A. On the Select Conditions page of the Create Scan wizard, click Use 

Another Scan’s Output as a Condition and identify the scan output 

that identifies product version from the scan you created in Step 1. In 

the Define Values dialog box, name this new condition and add the 

allowed value of 6.0. 

B. When prompted for the property values of the required updates, select 

the data set you created in Step 2. 

Adding Scan Packages 

Each scan package is designed to examine a set of properties for a specific 

software product. You can expand the default set of scan packages by importing 

new ones. Citrix, partners, or developers in your organization can develop 

additional scan packages using the Endpoint Analysis Software Development Kit 

(SDK) available on your product CD or the Citrix Web site at www.citrix.com. 

To import a scan package 

1. In the console tree, select a scan group or Endpoint Analysis and click 

Import scan package in Common Tasks. 

• If you want the package to appear in a scan group, you must select 

that scan group. 

• If you select Endpoint Analysis during the importing, the scan 

package does not appear under a scan group and appears directly 

under the Endpoint Analysis node. 

2. Browse to the scan package file and click OK.


Grouping Scans 

Default scan groups for such categories as antivirus, firewall, and operating 

system software are provided in the console tree to help organize scan packages 

and their scans. Scan groups can help you find scan packages or scans more 

quickly. You can create and name your own groups. 

Scan groups exist to organize items within the console tree only and have no 

effect on how scans run. 

To create a scan group, select Endpoint Analysis in the console tree and click 

Create scan group in Common Tasks. 

Adding Language Packs 

A scan package developer can create language packs to expand the languages in 

which the package creates scans. For example, a developer can first develop a 

scan package for English and decide later to add language packs for French, 

German, or Spanish as development proceeds. Language packs are typically 

distributed as .cab files. 

To import a language pack for a scan package 

Select Endpoint Analysis in the console tree and click Import language pack in 

Common Tasks. 

Scripting and Scheduling Scan Updates 

Two command utilities are available to assist you in writing scripts or scheduling 

scan updates. You can run these utilities from a command prompt in the following 

default location on the server: 

\\Program Files\Citrix\Access Gateway\MSAMExtensions\ 

Note: You must run discovery after using these utilitiesfor the console to find 

and display the new values. 

The next two sections describe each utility.


Updating Property Values in Scans 

You can use the CtxEpaParamUpdate utility to update the required property 

values for a scan. For example, if you require client devices to have a specified 

pattern version level of antivirus software, you can create a script to update the 

scan when you need to change which pattern file is being detected. This 

command is designed for use as a scheduled task on a server with the Access 

Management Console installed. 

Use the following syntax, including quotation marks: 

“ctxepaparamupdate” package_uri package_version “scan_name” 

“rule_name” “param_name” “new_value” 

where the parameters are: 

Parameter 

package_uri 

package_version 

scan_name 

rule_name 

param_name 

new_value 

Description 

URI of the scan package to which the scan belongs. You can 

find the URI information for a scan package in the 

management console Properties view for the scan package. 

Version of the scan package to which the scan belongs. You 

can find the version information for a scan package in the 

management console Properties view for the scan package. 

Name of the scan in which the property is set. 

Name of the rule in which the required property value is set. 

Parameter name for the required value. You can find the 

parameter name and its current setting in the management 

console in the Properties view for the scan rule. 

The new value. If the required property has a restricted value 

range, this new value must be within that range. 

Example: To update a scan with the CtxEpaParamUpdate utility 

Let us assume you want to update an existing scan from the scan package Citrix 

Scans for McAfee VirusScan Enterprise. To update the required engine version to 

4.4 and the pattern version to 4641, type: 

“C:\Program Files\Citrix\Access Gateway\MSAMExtensions\ 

CtxEpaParamUpdate.exe” C:\Program Files\Citrix\Access Gateway\ 

Bin\EPAPackages\CitrixVSEMcAfee.cab 1.0 “scan_name” “rule_name” 

“PatternVersion” “4641” 

and also type: 

“C:\Program Files\Citrix\Access Gateway\MSAMExtensions\ 

CtxEpaParamUpdate.exe” C:\Program Files\Citrix\Access Gateway\ 

Bin\EPAPackages\CitrixVSEMcAfee.cab 1.0 “scan_name” “rule_name” 

“EngineVersion” “4.4”


where scan_name and rule_name are the existing scan name and rule name. 

Updating Data Sets 

You can use CtxEpaDataSetUpdate to script or schedule updates to data sets. For 

example, you might prefer to create your own script to automate a task such as 

updating the pattern file number required for an antivirus program. 

Use the following command options (switches) with this utility: 

Switch option Description Syntax 

/import 

Creates a new data set by 

importing a .csv file 

ctxepadatasetupdate /import 

file_name.csv dataset_name 

/reimport 

Replaces all contents of an 

existing data set by importing 

a new .csv file 

ctxepadatasetupdate /reimport 


/export 

Exports the data set in a .csv 

file 

ctxepadatasetupdate /export 


/destroy Deletes the data set ctxepadatasetupdate /destroy 

dataset_name 

/add 

/overwrite 

Adds an additional value to 

the specified data set 

Replaces an entry in a 

mapping (double-column) 

data set 

ctxepadatasetupdate /add dataset_name 

key [value] 

ctxepadatasetupdate /overwrite 

dataset_name key value 

/remove Deletes an entry in a data set ctxepadatasetupdate /remove 

dataset_name key 

Use the following parameters in the command options above: 

Parameter 

file_name.csv 

dataset_name 

key 

value 

Description 

The name of the .csv file that contains the data set 

The name for the data set 

If the data set is a list (single-column data set), this is a value 

in the list. If the data set is a map (double-column data set), 

this is the first column value. 

If the data set is a map (double-column data set), this is the 

second column value. If the data set is a list (single-column 

data set), this parameter does not exist.


For more information about data sets, see “Using Data Sets in Scans” on page 

172. 

To locate official parameter names in scans 

You can find parameter names from the scan properties in the console. 

1. In the console tree select a rule associated with the scan and choose the 

Properties view in the right details pane. 

2. Select the row that displays the property and look in the Parameter Name 

column. 

Creating Continuous Scans 

Continuous scans verify required files, processes, or registry entries on client 

devices connecting to your network. These scans run repeatedly during the user 

session to ensure that the client device continues to meet your requirements. You 

use continuous scans to define requirements for connection policies. If a file, 

process, or registry scan required by a connection policy ceases to be verified, the 

connection is disconnected. 

Each continuous scan checks a single file, process, or registry entry on the client 

device. You can bundle multiple scans together when you create a continuous 

scan filter. When assigned to a connection policy, the filter represents the 

requirements that are checked continuously during a connection. Unlike 

continuous scan filters, other filters attached to policies verify their requirements 

only at logon. 

To create a file scan 

1. In the console tree, select Policies > Continuous Scans > File Scans and 

click Create file scan from Common Tasks. 


3. Enter the file path. 

4. Enter the following optional information you can require the scan to find: 

• For Date on or after, enter a date to be verified against the file’s 

creation date. 

• The MD5 digital signature is added automatically from the entered 

file path. You can modify this value if a different signature is required 

on the client device. Because the MD5 signature for an executable 

file can differ among different machine platforms, verify that the 

signature you enter is used by your client devices.


To create a process scan 

1. In the console tree, select Policies > Continuous Scans > Process Scans 

and click Create process scan from Common Tasks. 


3. Type the name or browse to the process. 

4. The MD5 digital signature is added automatically from the entered file 

path. You can modify this value if a different signature is required on the 

client device. The MD5 digital signature is not required and can be left 

blank. Because the MD5 signature for an executable file can differ among 

different machine platforms, verify that the signature you enter is used by 

your client devices. 

To create a registry scan 

1. In the console tree, select Policies > Continuous Scans > Registry Scans 

and click Create registry scan from Common Tasks. 


3. Type the Registry path, Registry type, Entry name, and Entry value.


CHAPTER 12 

Providing Secure Access to 

Corporate Email 

Use Advanced Access Control to provide policy-based access to data on internal 

servers, including email servers. When you configure your content aggregation 

point—your intranet or corporate portal—you can provide your users with secure 

access to their email accounts. Using access policies, you can determine what 

level of access to give users and then what actions users can take after they are 

granted access. 

With Advanced Access Control, you can: 

• Integrate the email solution you are already using with the secure remote 

access Advanced Access Control provides. For example, if you are already 

using Microsoft Outlook Web Access or Lotus iNotes/Domino Web Access 

to allow users to access their email over the Web, you can integrate either of 

those front ends with a content aggregation point such as your intranet or 

corporate portal. Users then get remote access to their email from this 

aggregation point, whether you decide to use the Access Interface provided 

with Advanced Access Control or another portal solution you have in place. 

If you do not already use Outlook Web Access or iNotes/Domino Web 

Access to allow your users to access their email over the Web, you can use 

the Web-based email interface provided with Advanced Access Control. 

• Provide access to any email applications you publish with Citrix 

Presentation Server. You can include the links to published applications in a 

Presentation Server Web site. 

• Provide users with the ability to securely connect to their email accounts on 

Microsoft Exchange or Lotus Notes/Domino servers. Users can access all 

email functions as well as synchronize their email data to their client 

devices for offline use. 

• Provide users of small form factor devices, such as Personal Digital 

Assistants (PDAs), with secure remote access to email. 

• Allow users to attach to email message files stored on network shares 

without having to download the file to their local client device.


Similar to other resources accessible through Advanced Access Control, you 

control access to email through policies. For example, you can create a policy to 

grant specific user groups access to Web-based email and create another policy to 

prevent specific user groups from synchronizing the data in their email accounts 

to their client devices. 

Additionally, you can create a policy that allows a specific user group to 

download attachments they receive using Web-based email and another policy 

that prevents a different user group from performing this action. 

Note: If recipients access their email through Advanced Access Control and it 

contains an embedded link to a file share or Web resource, a policy allowing the 

recipients access to that resource is also required. However, if the email is sent to 

recipients not using Advanced Access Control to access their email, no additional 

permissions are required. These users can view the attachment without policy 

restrictions. 

Choosing an Email Solution 

To decide which email solution to provide, look at what type of access your users 

need, what resources you already have in use in your network, and how much 

control you want to have over user actions after they are granted access. 

For example, if you want to allow users to securely access their email accounts 

over the Internet and you are already using Outlook Web Access, you can 

integrate the Outlook Web Access interface into the Email tab of the Access 

Interface included with Advanced Access Control. 

Conversely, if you want to allow remote access to email and are not already using 

a Web front-end to your email servers, you can use the Web-based email interface 

included with Advanced Access Control. 

The following table lists the types of access to email and what you should 

consider when deciding whether or not to choose each option. For information 

about the minimum requirements for each email solution presented in this 

chapter, see “Feature Requirements” on page 46.

Chapter 12 Providing Secure Access to Corporate Email 183 

Web-based email 

with Outlook Web 

Access or iNotes/ 

Domino Web Access 

Web-based email 

with the Access 

Interface 

Synchronization of 

email data to client 

devices 

Email application 

published with 

Citrix Presentation 

Server 

Client Device 

Requirements 

Compatible browser; 

see product 

documentation for 

additional requirements 

Compatible browser 

only 

(no other client software 

required) 

Email software 

(Microsoft Outlook or 

Lotus Notes) and Secure 

Access Client 


Client 

Server 

Requirements 

Email server 

(Microsoft 

Exchange or Lotus 

Notes/Domino) 

Microsoft Exchange 

(Notes/Domino not 

supported in this 

configuration) 

Email server 

(Microsoft 

Exchange or Lotus 

Notes/Domino) 


Server 

Small Form Factor 

Support 

No 

Yes 

No 

No 

Policy Enforcement 

When Accessing File 

Attachments 

Yes 

Yes 

No 

No 

Providing Access to Published Email Applications 

If you are using Citrix Presentation Server to provide access to email applications 

published on internal servers, you can easily integrate access to these applications 

with your Advanced Access Control deployment. 

Providing access to email through published applications extends the 

SmartAccess capabilities of Advanced Access Control to Presentation Server by 

incorporating Advanced Access Control policy information such as endpoint 

analysis within Presentation Server policies. In addition, requiring users to access 

email by launching applications published with Presentation Server is the most 

secure method of providing email access because data never leaves the corporate 

network. 

Note: You can combine email access methods if you want to provide more than 

one method of remote access. For example, in addition to providing access to 

published email applications, you can also configure a Web-based email solution. 

To provide access to published email applications 

1. Publish and configure your email application for SmartAccess in 

Presentation Server.


2. Configure a Presentation Server Web site 

Providing Users with Secure Web-Based Email 

With Advanced Access Control, you can provide access to email accounts using 

the following Web-based interfaces. 

• The Web-based email interface included with Advanced Access Control 

allows users to access email accounts on Microsoft Exchange servers. 

Users do not need to download or install client software to access their 

email using this interface; they need to run only a supported browser. 

Additionally, the Web-based email user interface included with Advanced 

Access Control is the only way to provide Web-based email access to PDAs 

and other small form factor devices. 

• Microsoft Outlook Web Access allows users to access email accounts on 

Microsoft Exchange servers. 

• Lotus iNotes/Domino Web Access allows users to access email accounts on 

Lotus Notes/Domino servers. 

Important: Advanced Access Control supports one back-end cluster— Notes/ 

Domino or Exchange—per access server farm. However, you can configure 

multiple Outlook Web Access servers when using Exchange or multiple iNotes/ 

Domino Web Access servers when using Lotus Notes/Domino. 

If you are using a portal solution, you can integrate the Web-based email interface 

included with Advanced Access Control with these portal products. See 

“Integrating Web-Based Email Access with a Third-Party Portal” on page 187 for 

more information. 

When you configure Web-based email access, users access their email from the 

Email tab on the Access Interface. If you prefer, you can configure Advanced 

Access Control so that the Web-based email interface is the default interface users 

see when they log on to Advanced Access Control. See “Configuring Logon 

Points” on page 89 for more information about how to achieve this configuration. 

Enabling Access to Web-Based Email 

The basic steps to follow to enable access to Web-based email are: 

• Configure Web-based email in Advanced Access Control 

• Create policies to allow access to the email resource


Each of these steps is discussed in more detail below. 

To configure Web-based email for Microsoft Exchange 

Use the following procedure to allow users to send and receive Web-based email 

with Microsoft Exchange. 

1. In the console tree, select Web Email and click Configure Web email in 

Common Tasks. 

2. Select Microsoft Exchange. 

3. Select the Enable Web-based access check box. 

4. Select one of the following Web-based interfaces: 

• Email interface included with Advanced Access Control. Allows 

access to email without the need for users to download or install 

client software; they need to run only a supported browser. 

• Specify the IP address, FQDN, or NetBIOS name of your 

Microsoft Exchange server. 

• Display email as HTML to support advanced text formatting 

features including numbering, bullets, alignment, and linking to 

file shares and Web pages. Only enable this option when email 

messages originate from trusted sources within your corporate 

network. 

Caution: If email messages originate from outside your corporate 

network, configure Web email to display messages in plain text. 

Failure to do so may expose your Advanced Access Control servers 

and client devices to attacks using embedded malicious code within 

HTML-formatted messages. Displaying messages as plain text 

mitigates these types of attacks. Therefore, Citrix recommends 

configuring Web email to display messages in plain text when any 

email messages originate from outside your corporate network. 

• Use Microsoft Outlook Web Access. Allows access to email using 

Outlook Web Access. 

• Specify the application’s start page as well as the URLs for 

which the application requires access. The start page should 

resemble http://servername/exchange, where servername is the 

IP address, FQDN, or NetBIOS name of your Exchange server. 

If you use a load balancer to manage Outlook Web Access 

servers, enter the URL of the load balancer as the start page and


add the Outlook Web Access servers as URLs accessible by the 

application. 

Note: To allow access to an entire server, add http://servername to 

the URL list, where servername is the IP address, FQDN, or 

NetBIOS name of your Exchange server. This configuration is useful 

when providing access to dedicated Microsoft Exchange servers. 

• Enable the interface common for all browser types option to 

suppress the presentation of browser-specific ActiveX controls 

and other advanced display types. Citrix recommends this 

option if you have users who cannot download ActiveX 

controls or who use a variety of browser versions. 

Note: Citrix recommends that you first test your Web-based email 

application with this option disabled. If your testing reveals that the 

application displays improperly, enable this option and verify that the 

issue no longer exists. 

To configure Web-based Email for Lotus Notes/Domino 

Use the following procedure to allow users to send and receive Web-based email 

with Lotus Notes/Domino. 

1. In the console tree, select Web Email and click Configure Web email in 

Common Tasks. 

2. Select Lotus Notes/Domino or other email applications. 

3. Select Enable Web-based access. 

4. Specify the application’s start page as well as URLs for which the 

application requires access. If you use a load balancer to manage iNotes 

servers, enter the URL of the load balancer as the start page and add the 

iNotes servers as URLs accessible by the application. 

You can use dynamic token replacement to accommodate explicit links to 

individual user database files. For example, enter 

http://servername/mail/#.nsf, where servername is the 

NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server 

and the username token is replaced with the user’s user name obtained from 

Active Directory or Windows NT Directory Services. For a complete list of 

tokens supported by Advanced Access Control, see “Using Dynamic 

System Tokens” on page 128.


Note: To allow access to an entire server, add http://servername to the 

URL list, where servername is the IP address, FQDN, or NetBIOS name of 

your Lotus Notes/Domino server. This configuration is useful when 

providing access to dedicated Lotus Notes/Domino servers. 

5. Enable the interface common for all browser types option to suppress the 

presentation of browser-specific ActiveX controls and other advanced 

display types. Citrix recommends this option if you have users who cannot 

download ActiveX controls or who use a variety of browser versions. 

Note: Citrix recommends that you first test your Web-based email 

application with this option disabled. If your testing reveals that the 

application displays improperly, enable this option and verify that the issue 

no longer exists. 

6. Select the appropriate version of Lotus iNotes/Domino Web Access from 

the available email application types. 

When you are done configuring Web-based email, you must create a policy that 

allows users to access email. 

To allow user access to email, create a policy following the steps in “Creating 

Access Policies” on page 135. 

Note: For a recipient to access an email attachment through Advanced Access 

Control, an email policy enabling the recipient at least one of the following is 

required: download, HTML Preview, or Live Edit. Web-based email attachments 

cannot be accessed through file type association. 

Integrating Web-Based Email Access with a Third-Party 

Portal 

If you are using the Web-based email interface included with Advanced Access 

Control to provide users with access to their email, you can integrate this 

interface into any portal solution. For example, if you are using Microsoft 

SharePoint as your corporate portal or information aggregation point, you can 

display the Web-based email interface included with Advanced Access Control in 

the SharePoint portal.


To integrate the Web-based email interface with a third-party portal 

1. Configure the Web-based email interface included with Advanced Access 

Control. See “Providing Users with Secure Web-Based Email” on page 184 

for instructions about how to do this. 

2. Configure your portal product’s Web site viewer to display the Web-based 

email interface at http://servername/citrixfei/classic.asp, where servername 

is the name of a Web server running Advanced Access Control. 

Providing Users with Secure Access to Email Accounts 

Use Advanced Access Control to allow users to securely access their email 

accounts on Microsoft Exchange servers or Lotus Notes/Domino servers. 

Important: To securely connect to email accounts and synchronize email to 

client devices, users must have the Secure Access Client installed on their client 

device. 

When you configure this feature, roaming workers—whether connected over the 

Web or within the enterprise—can securely connect to their email accounts on the 

Exchange or Lotus Notes/Domino server and synchronize their locally installed 

email application with the data stored on the corporate email server. This allows 

users to work with their calendars, tasks, and contacts in real time when working 

online, and then to synchronize their folders in preparation for working offline. 

Use this feature if you want remote users with laptops to be able to securely 

access and synchronize email as they move between office workstations, laptops, 

and home workstations. 

Important: Advanced Access Control does not control access to any 

attachments users receive when they connect to their email accounts through the 

Secure Access Client. If you enable and configure the email synchronization 

feature, users can access any attachments they receive without policy-based 

restrictions. 

The basic steps involved in allowing users to work with and synchronize their 

email accounts to their client devices are: 

• Configure the email synchronization feature 

• Create a policy to allow users to use the email synchronization feature 

• Open the appropriate ports on the firewall between the Access Gateway and 

internal mail servers


Each of these steps is discussed in more detail below. 

To configure email synchronization 

1. In the console tree, select Email Synchronization and choose Configure 

email synchronization from Common Tasks. 

2. Select Enable Email Synchronization. 

3. Select the appropriate email server for your environment. 

• If you select Microsoft Exchange, click New to enter the NetBIOS 

name, IP address, or FQDN of your Exchange server. Add additional 

Exchange servers if users will be connecting to more than one server. 

When you add an Exchange server, Advanced Access Control 

connects to the specified host and determines the secondary port 

required for Messaging Application Programming Interface (MAPI). 

Because this information is stored and not dynamically updated, 

consider configuring your Exchange servers so that all MAPI ports 

remain static. If you do not configure your Exchange servers this 

way, you will need to reconfigure email synchronization in Advanced 

Access Control each time the Exchange server restarts. 

• If you select Lotus Notes/Domino, enter the NetBIOS name, IP 

address, or FQDN of your Lotus Notes/Domino server. Port 1352 is 

used by default. Modify the port if necessary. 

Note: If you are using a TCP/IP-based email application other than 

Exchange or Notes/Domino, you can use network resources to provide the 

same level of functionality available with the email synchronization 

feature. For more information about configuring network resources, see 

“Creating Network Resources for VPN Access” on page 119. 

When you are done configuring email synchronization, you must create a policy 

that allows users to access this resource. 

To create a policy to allow email synchronization 

Create a policy to allow users to synchronize their email data to their client 

devices following the steps in “Creating Access Policies” on page 135. 

When you are done creating a policy to allow users to synchronize their email 

data to their client devices, you must configure your firewall ports to allow users 

to connect.


To configure your firewall for email synchronization 

1. Open your firewall application. 

2. Set the port status as required for your environment. If the traffic between 

your email server and the Access Gateway is secured, the data runs over 

port 443. 

Enabling Users to Attach Files to Web-Based Email 

You can configure Advanced Access Control to allow users to attach documents 

to new email messages directly from Web resources and file shares. When you 

enable this feature, users can see and use the Send as attachment option from 

configured Web resources and file shares. In addition, users can send files as 

email attachments when using the Live Edit feature. When a user selects this 

option, the file is attached to the Web-based email interface configured for your 

environment. 

To configure Web email to support sending email attachments 

1. In the console tree, select Email and choose Configure Web email from 

Common Tasks. 

2. On the Enable Web-based Email page, select the Enable Send as 

Attachments for file shares check box. 

3. Additional configuration depends on the email application server selected. 

• Microsoft Exchange. Specify the NetBIOS name, IP address, or 

FQDN of your Microsoft Exchange server. Advanced Access Control 

uses the Microsoft Exchange server configuration information to 

determine the MAPI server. 

• Lotus Notes/Domino. Specify the name or IP address of the SMTP 

(Simple Mail Transfer Protocol) and LDAP (Lightweight Directory 

Access Protocol) servers. 

Note: If you are using Notes/Domino servers, ensure SMTP port relay 

outbound restrictions do not prevent users outside of the corporate network 

from sending emails. For example, you can configure Notes/Domino 

servers to allow all authenticated users to send outgoing email. Refer to 

your Notes/Domino product documentation for additional information 

about configuring SMTP port relay outbound restrictions.


4. Create a file share policy permitting the emailing of files as attachments. 

For more information about the email as attachment permission, see 

“Allowing Email Attachments” on page 139. 

Restricting File Attachment Types 

The Web-based email interface included with Advanced Access Control provides 

two levels of security for file attachments. The first level of security includes file 

types blocked by Advanced Access Control. The second level of security includes 

file types that can be downloaded only to the user’s client device and cannot be 

accessed using HTML Preview, Live Edit, or file type association. 

The default file types included in each level of security are defined in the table 

below. 

File Type 

Level 1 (Blocked File 

Types) 

Level 2 (Download Only 

File Types) 

.ade .adp .app .asx .bas .bat .chm .cmd .com .cpl .crt .csh 

.exe .fxp .hlp .hta .inf .ins .isp .js .jse .ksh .lnk .mda .mdb 

.mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif 

.prf .prg .reg .scf .scr .sct .shb .shs .url .vb .vbe .vbs .wsc 

.wsf .wsh 

.ade .adp .asx .bas .bat .chm .cmd .com .cpl .crt .dcr .dir 

.exe .hlp .hta .htm .html .htc .inf .ins .isp .js .jse .lnk .mda 

.mdb .mde .mdz .mht .mhtml .msc .msi .msp .mst .pcd .pif 

.plg .prf .reg .scf .scr .sct .shb .shs .shtm .shtml .spl .stm 

.swf .url .vb .vbe .vbs .wsc .wsf .wsh .xml 

You can add and remove file types from either security levels by using Registry 

Editor. If a file type is added to both levels, it is treated as a Level 1 file type. 

Caution: Using Registry Editor incorrectly can cause serious problems that can 

require you to reinstall the operating system. Citrix cannot guarantee that 

problems resulting from incorrect use of Registry Editor can be solved. Use 

Registry Editor at your own risk. Make sure you back up the registry before you 

edit it. 

To modify file attachment type security lists 

1. In Registry Editor, find the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MSAM\FEI\FileExt 

2. Edit the NoActivations value to modify Level 1 (blocked) file types and the 

DownloadOnly value to modify Level 2 (download only) file types.


Note: New file types must be separated by a new line with no additional 

spaces and contain the preceding dot. 

Enabling Access to Email on Small Form Factor Devices 

Using the Web-based email interface included with Advanced Access Control, 

you can provide email access to users of specific PDAs and other small form 

factor devices. For a list of supported small form factor devices, see “Client 

Requirements” on page 58. 

To allow users of small form factor devices to access their email, choose one of 

these options: 

• Configure the Web-based email interface included with Advanced Access 

Control as the default Web-based email interface. If you configure the 

Advanced Access Control Web-based email interface as the default, all 

users access this interface for their Web-based email, regardless of the type 

of device from which they connect. See “Providing Users with Secure Web- 

Based Email” on page 184 for information about how to make the 

Advanced Access Control Web-based email interface the default interface. 

• Configure the Web-based email interface included with Advanced Access 

Control to be displayed specifically to users connecting from small form 

factor devices. Use this configuration if you want users to see the Outlook 

Web Access interface when they connect from other device types. 

If you configure the Web-based email interface included with Advanced 

Access Control to be displayed specifically to users connecting from small 

form factor devices, the logon point detects that the connection is from a 

small form factor device and automatically presents the Advanced Access 

Control Web-based email interface. 

To configure the Web-based email interface included with Advanced Access 

Control to be displayed specifically to users connecting from small form factor 

devices, follow the instructions below. 

Note: 

This feature is not available to Lotus iNotes/Domino Web Access users.


To configure the Web-based email interface for use with small form factor 

devices 

When configuring Web-based access to Exchange as described in “Providing 

Users with Secure Web-Based Email” on page 148, select one of the following 

options: 

• Email interface included with Advanced Access Control. Displays the 

email interface included with Advanced Access Control for all users, 

regardless of the type of connecting device's form factor. Advanced Access 

Control detects the form factor of the connecting device and presents the 

appropriate interface for that connection. For example, Advanced Access 

Control displays a small interface for users connecting with a small form 

factor device. 

• Microsoft Outlook Web Access and enable the Provide support for small 

form factor devices feature. Advanced Access Control detects the form 

factor of the connecting device and displays the email interface included 

with Advanced Access Control for users connecting with small form factor 

devices. Microsoft Outlook Web Access is provided for standard form 

factor devices such as workstations and home computers. 

Updating the Mapisvc.inf File 

If you are using Microsoft Exchange 2000 and you want to use the default Email 

Interface, install Microsoft Exchange System Management Tools before you 

install Advanced Access Control. Then, update the mapisvc.inf file. If you are 

using Microsoft Exchange 2003, you do not need to change the mapisvc.inf file. 

To update the mapisvc.inf file 

1. Save a copy of the mapisvc.inf file. 

2. Insert the following lines: 

[SERVICES] 

MSEMS=Microsoft Exchange Server 

[MSEMS] 

PR_DISPLAY_NAME=Microsoft Exchange Server 

Sections=MSEMS_MSMail_Section 

PR_SERVICE_DLL_NAME=emsui.dll 

PR_SERVICE_ENTRY_NAME=EMSCfg 

PR_RESOURCE_FLAGS=SERVICE_SINGLE_COPY 

WIZARD_ENTRY_NAME=EMSWizardEntry 

Providers=ems_dsa, ems_mdb_public, ems_mdb_private 

PR_SERVICE_SUPPORT_FILES=emsui.dll, emsabp.dll, emsmdb.dll 

[Default Services] 

MSEMS=Microsoft Exchange Server 

[EMS_MDB_public]


PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER 

PR_PROVIDER_DLL_NAME=EMSMDB.DLL 

PR_RESOURCE_FLAGS=STATUS_NO_DEFAULT_STORE 

66090003=06000000 

660A0003=03000000 

34140102=78b2fa70aff711cd9bc800aa002fc45a 

PR_DISPLAY_NAME=Public Folders 

PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store 

[EMS_MDB_private] 

PR_PROVIDER_DLL_NAME=EMSMDB.DLL 

PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER 

PR_RESOURCE_FLAGS=STATUS_PRIMARY_IDENTITY|STATUS_DEFAULT_STORE 

|STATUS_PRIMARY_STORE 

66090003=0C000000 

660A0003=01000000 

34140102=5494A1C0297F101BA58708002B2A2517 

PR_DISPLAY_NAME=Private Folders 

PR_PROVIDER_DISPLAY=Microsoft Exchange Message Store 

[EMS_DSA] 

PR_DISPLAY_NAME=Microsoft Exchange Directory Service 

PR_PROVIDER_DISPLAY=Microsoft Exchange Directory Service 

PR_PROVIDER_DLL_NAME=EMSABP.DLL 

PR_RESOURCE_TYPE=MAPI_AB_PROVIDER 

[MSEMS_MSMail_Section] 

UID=13DBB0C8AA05101A9BB000AA002FC45A 

66000003=01050000 

66010003=04000000 

66050003=03000000 

66040003=02000000 

3. Restart the Access Gateway Server COM+ application. For more 

information, see “Restarting COM+ Applications” on page 216.

CHAPTER 13 

Rolling Out Advanced Access 

Control to Users 

The last step in deployment is providing users with the information and tools 

necessary to access corporate resources. This process includes determining if 

your implementation requires the distribution of client software and if so, 

developing a strategy for deploying this software. In addition, training and other 

forms of communication detailing how your deployment impacts the workplace 

assist users as they transition to their new environment. 

The topics in this section discuss the issues to consider when developing an 

overall plan for rolling out Access Gateway Advanced Edition to users. 

• “Developing a Client Software Deployment Strategy” on page 195 

• “Managing Client Software Using the Access Client Package” on page 200 

• “Downloading Client Software on Demand” on page 203 

• “Ensuring a Smooth Logon Experience with the Secure Access Client” on 

page 205 

• “Ensuring a Smooth Rollout” on page 208 

• “Browser Security Considerations” on page 209 

• “Customizing the Logon Error Message” on page 211 

Developing a Client Software Deployment Strategy 

Software deployment is the process of distributing and installing software on 

client devices. If your corporation already uses a software deployment solution, 

consider deploying Advanced Access Control clients using the same technique. 

However, if you need to develop a strategy, you must determine who is 

responsible for installing client software and then create a solution that supports 

this decision.


The following sections discuss issues to consider when determining who is 

responsible for installing client software as well as deployment methods 

supporting these use cases. 

Determining Responsibility for Installing Client 

Software 

There are several methods of deploying client software ranging from automated 

solutions that download and install the software from a centralized location to 

posting an installation package to a network share and instructing users to 

manually install the software on their client device. Before you can determine 

how to deploy client software, you must determine who is responsible for 

installing the software on the client device. 

Depending on your corporate needs, you, support personnel, users, or a 

combination thereof may be responsible for this task. This decision is a result of 

several factors including: 

• User needs and administrative costs. Consider the needs of your users 

because their collective experience is critical to the adoption of access 

control in your corporation. If the needs of your users greatly outweigh the 

administrative costs associated with managing a deployment strategy, 

consider a plan that places the responsibility of installing client software on 

a team specializing in this area. Conversely, if the administrative costs 

associated with managing a deployment solution is too great for your 

organization, consider shifting this responsibility to individual users. 

• The technical abilities of your users. If your user base is not technically 

savvy, consider installing the software for them. In this scenario, a support 

department such as IT or Technical Support is responsible for installing the 

software. When deciding whether or not users should be responsible for 

their own installations, consider the possible support issues as well. 

Depending on the technical abilities of your users, the support costs 

associated with users installing their own software could justify the 

implementation of a centrally managed deployment strategy. However, if 

your users are technically savvy, it may be more efficient for you to post the 

software to a network share and allow users to install the software from this 

location. 

• Number of client devices in your corporation. Larger companies benefit 

from centrally managed deployment strategies because they tend to scale 

well and yield a higher return on investment as compared to manual 

solutions. For this reason, medium to larger sized corporations should 

consider using their Microsoft Active Directory infrastructure or a standard 

third party deployment tool such as Systems Management Server.

Chapter 13 Rolling Out Advanced Access Control to Users 197 

However, for smaller companies, the costs associated with planning and 

preparing an automated deployment could outweigh the benefits. These 

companies should consider alternative deployment methods such as posting 

client software to a network share or an on-demand deployment solution. 

Both of these methods are described in detail in later sections. 

• Corporate security requirements. If your corporation configures client 

devices so that users do not have installation rights on their machines, you 

must develop a strategy that allows someone with administrative rights to 

perform the installation. In this scenario, larger companies should consider 

a corporate deployment tool such as Systems Management Server. Smaller 

companies should consider posting client installation packages to a file 

share and having someone with administrative rights manually install the 

software on each client device. 

• Corporate management practices. If your organization maintains strong 

centralized control over client software deployment—for example, if you 

use Microsoft Systems Management Server to help control software 

distribution—you can more reliably update client devices. Therefore, if 

your goal is to ensure that all users have the most up-to-date software, 

allowing them to install their own client software is not a recommended 

option. Rather, a team dedicated to maintaining client software should be 

responsible for ensuring client software is installed and updated properly. 

• Cost factors. Consider the overall cost associated with each deployment 

option including planning, preparation, and training costs. In addition, 

determine if some of these costs are justifiable because of the return on 

investment over a period of time. For example, the return on investment of 

a centrally managed solution is usually much better than that of a manual 

solution over time. 

• Access to client devices. If your corporation supports remote access 

scenarios such as using an Internet kiosk to check email, you will not have 

the ability to install client software on these devices before users access the 

corporate network. In these cases, consider an on-demand deployment 

strategy where you configure Advanced Access Control so that client 

software is automatically downloaded to the client device only when 

required. However, if access to client devices is readily available, consider 

deploying the client software prior to the user accessing Advanced Access 

Control. 

Weigh all of these factors when determining who should be responsible for 

installing the client software on the client device. Then, select the deployment 

solution that makes the most sense for your corporation.


Supported Deployment Options 

Advanced Access Control supports the following client deployment options: 

Integration with enterprise software deployment tools. Deploy client software 

using a Microsoft Active Directory infrastructure or a standard third party MSI 

deployment tool such as Systems Management Server. If you use a tool that 

supports Windows Installer packages, you can use the Access Client package to 

create a single installation package containing the Advanced Access Control 

clients required for your environment. Then, use your client deployment tool to 

deploy and install the software on the appropriate client devices. 

Advantages of using a centralized deployment tool include: 

• Ability to adhere to corporate security requirements. For example, you can 

install client software without enabling software installation privileges for 

non-administrative users. 

• Control over software versions. You can deploy an updated version of client 

software to all users simultaneously. 

• Scalability. Easily scales to support additional users. 

• Positive user experience. You can deploy, test, and troubleshoot 

installation-related issues without involving users in this process. 

Citrix recommends this option when administrative control over the installation 

of client software is preferred and access to client devices is readily available. 

Network share point. Post installation packages on a network share point. For 

example, you can use the Access Client package to create an installation package 

containing the clients required for your environment and post it to a network 

share. In addition, the Server CD contains installation packages for certain client 

software. Citrix recommends posting installation packages to a share point when 

software is manually installed on client devices. For example, you can post client 

software installation packages to an FTP site for remote users responsible for 

installing client software on their home computers. 

On demand. Configure the deployment of client software only when required. 

Users connect to their network and clients are automatically downloaded on an 

“as needed” basis. This option is preferable when access to client devices is not 

readily available such as an Internet kiosk. 

You can combine deployment options to create your deployment strategy. For 

example, you can post installation packages on a network share point for users 

within the corporate network and also enable on-demand deployment of clients 

for those users connecting from an Internet kiosk. 

The table below summarizes the deployment options supported for each client.


Client Software 

Supported by 


package 

On-demand 

Secure Access Client Yes Yes Yes 

Endpoint Analysis Client Yes Yes Yes 

Live Edit Client Yes Yes No 

Client for Java No Yes No 

Web Client Yes Yes No 

Network Share 

Point 

Note: The Endpoint Analysis Client is available as a stand-alone MSI and EXE 

on the Server CD in the \Setup\EndpointAnalysisClient\lang directory. In 

addition, individual installation packages can be created for all client software 

components supported by Access Client package. For more information, see 

“Managing Client Software Using the Access Client Package” on page 200. 

Determining Which Clients to Deploy 

If your Advanced Access Control deployment does not require any client 

software on client devices, your deployment is considered to provide browseronly 

access. In this scenario, users need only a Web browser to access corporate 

resources. However, there are certain features that require client software on the 

user’s device. To determine if client software is required for your access strategy, 

use the matrix below. For additional information about feature-specific 

requirements, see “Feature Requirements” on page 46. For additional information 

about client software minimum requirements, see “Client Requirements” on page 

58. 

Note: Small form factor devices are not compatible with the Advanced Access 

Control client software. Therefore, features requiring client software are not 

available on small form factor devices.


Feature Client Software For more information, see... 

Verifying requirements on 

client devices 

Convenient editing and 

saving of remote files 

Access email accounts and 

synchronize email to client 

devices 

TCP access to services on 

corporate servers 

Accessing published 

applications through file type 

association 

Bypassing the Web proxy to 

access resources 

Endpoint Analysis 

Client 

“Verifying Requirements on Client 

Devices” on page 165 

Live Edit Client “Allowing Live Edit” on page 140 

Secure Access 

Client 


Client 


Server Client for 

Java or Web Client 


Client 

“Providing Users with Secure Access 

to Email Accounts” on page 188 

“Creating Network Resources for VPN 

Access” on page 119 

“Configuring File Type Association” 

on page 163 

“Bypassing URL Rewriting” on page 

144 

Managing Client Software Using the Access Client 

Package 

If you decide that you will control the deployment of client software, consider 

using the Access Client package to create a Windows Installer package of specific 

client software. After creating the package, you can deploy it using your 

Microsoft Active Directory infrastructure or a standard third party MSI 

deployment tool such as Systems Management Server. 

The Access Client package contains a number of the client-side pieces of the 

Citrix Access Suite, allowing you to quickly and easily deploy and maintain the 

client-side software to your users using one convenient Windows Installer 

package. After you deploy your client software, you can update your installations 

simply by creating and deploying an updated installation package using the latest 

version of the Access Client package. 

The Access Client package is available in the Download section of the Citrix Web 

site, www.citrix.com, and contains up-to-date client software and hotfixes for a 

number of the client-side pieces of the Citrix Access Suite.


Client Software Available for the Access Client 

Package 

Access Suite Component 


Access Gateway 

Citrix Password Manager 

Client-Side Software 

Program Neighborhood, Program Neighborhood 

Agent, Web Client 

Secure Access Client, Live Edit Client, Endpoint 

Analysis Client 

Citrix Password Manager Agent 

Creating a Client Distribution Package 

You can run the Access Client package in administrative mode to select the 

client-side software pieces you want to package together. Enter the following 

command at a command prompt to run in administrative mode: 

msiexec.exe /a [path to msi file] 

Select your client components and optionally customize the installation process 

of each client. To create an installation package for a specific piece of client 

component, select only that client. Additionally, you can choose to reduce the 

overall size of the final distribution package by selecting the option to remove 

unused files. 

Note: Each client installation that includes a Citrix Presentation Server Client 

includes the Program Neighborhood Connection Center, allowing users to see 

information about their current ICA connections. 

Distributing and Installing Your Client Software 

Package 

After you create your client software package, you can make it available to your 

users on a network share point or distribute it using your Active Directory 

infrastructure. 

Client devices must meet the requirements of each client software component 

within your package. For example, if you attempt to install a package that 

includes the Web Client and the Secure Access Client on a device that does not 

meet the requirements for the Secure Access Client, only the Web client is 

installed.


The Access Client package installs and upgrades all available clients, as specified 

when you build your software package. Every item included in your original 

client software package should be included in any subsequent upgrade packages 

you create. 

For example, if you create a software package that includes the Endpoint 

Analysis Client and the Web Client, subsequent upgrade packages must include 

both client software packages. If you create an upgrade package that includes 

only the Endpoint Analysis Client, the Access Client package uninstalls the Web 

Client. 

Important: The Gateway Client and Advanced Gateway Client are no longer 

supported by Advanced Access Control and therefore, are removed from the 

Access Client package. However, the Access Client package now includes the 

Secure Access Client, the client software component that replaces the Gateway 

Client and Advanced Gateway Client. As a result, the Access Client package 

uninstalls the Gateway Client and Advanced Gateway Client from all client 

devices. If users require the functionality previously available with these clients, 

include the Secure Access Client in your package. 

Conversely, if you later want to add the Secure Access Client to your 

environment, rebuild your package to include the Endpoint Analysis, Web, and 

Secure Access Clients. When this installation package is run on client devices 

that have your original package installed, the Secure Access Client is installed, 

while the Endpoint Analysis and Web clients will simply be verified as installed 

and not changed in any way. 

To uninstall a client that was installed or upgraded using a Windows Installer 

package, users must run the Add/Remove Programs utility from the Control 

Panel or run the installer package again and select the Remove option. 

Important: To install the client software using the Windows Installer package, 

the Windows Installer Service must be installed on the client device. This service 

is present by default on Windows 2000 systems. To install clients on client 

devices running earlier versions of the Windows operating system, you must use 

the self-extracting executable or install the Windows Installer 2.0 Redistributable 

for Windows, available at http://www.microsoft.com/. 

For more information about the Access Client package, including a full list of 

included clients, see the Download section of the Citrix Web site at 

www.citrix.com.


Posting Client Software to a Share Point 

You can post available client software on a network share point so users or 

support personnel can install the client software at their convenience. You can use 

the Access Client package to create installation packages for each client software 

component or a single installation package containing all of your Advanced 

Access Control clients following the instructions above. Alternatively, for the 

Endpoint Analysis Client, you can use the installation package available as an 

EXE or MSI in the \Setup\EndpointAnalysisClient\lang directory of the Server 

CD. 

Downloading Client Software on Demand 

You can configure client software so that it downloads and installs on the client 

device on an “as needed” basis. Advanced Access Control supports this type of 

deployment for the Secure Access Client, Endpoint Analysis Client, Web Client 

and Client for Java. Use this deployment option when non-corporate devices such 

as Internet kiosks are used to access the corporate network. 

On-demand deployment of the Secure Access Client is configured within 

connection policies. If a connection policy is configured to launch the Secure 

Access Client, Advanced Access Control detects whether the Secure Access 

Client is already installed on the client device. If the Secure Access Client is 

detected, it is launched. If the Secure Access Client is not detected, it is 

downloaded to the client device and then launched. If the client software cannot 

be downloaded to the client device, Advanced Access Control attempts to 

connect to resources using browser-only access. 

Important: Access to Web applications configured to bypass the Web proxy, 

email synchronization, and network resources require the Secure Access Client. 

If you integrated Advanced Access Control with a farm running Presentation 

Server, you can specify which Presentation Server Client to deploy for each logon 

point. This allows you to configure the deployment of Presentation Server Clients 

based on specific access scenarios. For example, you could configure on-demand 

client downloads for the logon point available to users logging on over the 

Internet. However, you could disable this feature for the logon point available to 

users from an enclave within the corporate network.


The requirements for installing on-demand clients include configuring the client 

browser to accept client software such as ActiveX controls, plug-ins, and Java 

applets. In addition, users running Windows XP or Windows 2000 must be 

members of the Power Users or Administrators group to install the software on 

their devices. For additional information about client software minimum 

requirements, see “Client Requirements” on page 58. 

You cannot configure the on-demand deployment of the Endpoint Analysis 

Client. Rather, Advanced Access Control determines if, based on policies 

associated with that logon point, an endpoint analysis scan is required. If a scan is 

required, Advanced Access Control detects if the Endpoint Analysis Client is 

present on the client device. If the client software is detected on the client device, 

the Endpoint Analysis Client performs the appropriate scans. However, if the 

software is not detected, users are prompted to download and install the Endpoint 

Analysis Client as an ActiveX control when running Internet Explorer or a plugin 

when running Netscape Navigator or Firefox. 

If users refuse to allow the Endpoint Analysis Client to install and scan the client 

device, they receive the same level of access they would if the policies associated 

with the scans were denied. This level can be limited or no access. Consider 

deploying the Endpoint Analysis Client in advance if you want to avoid the ondemand 

downloading of this client. 

Note: Some endpoint analysis information is cached on the client device. Users 

can empty this cache through the Manage Endpoint Analysis tool (Start > 

Programs > Citrix > Endpoint Analysis Client). 

To configure on-demand client deployment of Presentation Server Clients 

1. In the console tree, select the appropriate logon point and choose Edit 

Logon Point from Common Tasks. 

2. On the Clients page, select the clients you want to deploy to users ondemand 

from the options below. 

• Web Client (ActiveX or Netscape plug-in). Select this option if 

your users do not already have a Presentation Server Client installed 

on their client device. 

Select Use the Client for Java if the Web Client cannot be used to 

deploy the Client for Java if the Web Client cannot be used or the user 

chooses not to allow its download. In addition, you can configure the 

automated update of the Web Client at logon (available for ActiveX 

only). This option provides an automated method of updating client


software. Clear this option if you do not want to upgrade existing 

installations of the client on each user’s computer. 

• Client for Java. Deployed in applet mode, this client does not 

require the user to install any software. The user’s browser caches the 

Java applet for the duration of the browser session. Select the Client 

for Java as an alternative for users who cannot use the Web Client 

software. 

• None (use installed client). Select this option if you already 

deployed the required client software to client devices. 

To configure on-demand client deployment of Secure Access Client 

1. In the console tree, select Connection Policies. 

2. Double-click the connection policy you want to edit. 

3. On the Settings page, click Launch Secure Access Client and click Yes to 

allow this setting for the connection. 

See the Access Gateway Standard Edition Administrator’s Guide for additional 

information on configuring the deployment of the Secure Access Client. 

Ensuring a Smooth Logon Experience with the Secure 


If users do not have the Secure Access Client installed when they log on, they 

must download and install it. However, if the Secure Access Client does not 

install and connect to the Access Gateway promptly, users will experience 

difficulty in accessing the home page you designate for the logon point. To avoid 

this, you can perform the following tasks: 

• Enable the Web browser to redirect users to a URL outside of the internal 

network 

• Modify the browser delay setting 

• Modify the ticket lifetime setting


Modifying the Logon Point Redirect URL 

When a user logs on to the Access Gateway, the Logon Agent verifies that the 

user is allowed to log on and, if required by policies, the user’s Web browser 

attempts to launch the Secure Access Client. Afterward, the Web browser 

redirects the user to the home page designated for the logon point. By default, the 

Web browser redirects the user to the SessionInit.aspx page using an internal 

URL after 10 seconds elapse. If the Secure Access Client does not launch 

successfully during this time, the user cannot access resources on the internal 

network. 

To ensure users can access resources in this case, you can enable the Web browser 

to redirect users to an external URL. When you do this, users are redirected to the 

SessionInit.aspx page using the URL for the Access Gateway appliance (for 

example, https://AccessGatewayFQDN). 

To modify the redirect URL 

1. In Windows Explorer, navigate to the logon point’s virtual directory. For 

example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where 

logonpointname is the name of the logon point. 

2. Open the web.config file in a text editor and add the following line to the 

appSettings section: 

 

3. Repeat steps 1-2 for all logon points you want to modify. 

Modifying Browser Delay Settings 

When a user launches the Secure Access Client and logs on to the Access 

Gateway, the user’s Web browser delays displaying the home page while the 

Secure Access Client establishes a connection with the Access Gateway. When 

using Mozilla Firefox or Netscape Navigator, the Secure Access Client connects 

after the default time period elapses. By default, this delay lasts 10 seconds. If the 

Secure Access Client does not connect within this time period, the Web browser 

will not display the home page unless the user refreshes the Web browser. 

To ensure the Secure Access Client has sufficient time to connect and the home 

page appears for Mozilla Firefox and Netscape Navigator, you can increase the 

time period that the Web browser delays displaying the home page. To do this, 

you modify the AdvancedGatewayClientActivationDelay key of the logon point’s 

web.config file. If you choose to make this change on one server running 

Advanced Access Control, you must make the same change on all servers in your 

access server farm.


To modify browser delay settings 

1. In Windows Explorer, navigate to the logon point’s virtual directory. For 

example, C:\inetpub\wwwroot\CitrixLogonPoint\logonpointname, where 

logonpointname is the name of the logon point. 

2. Open the web.config file in a text editor and locate the following line: 

 

3. Change the key value to the length of time, in seconds, you want to allow 

the Secure Access Client to establish a connection with the Access 

Gateway. 

4. Repeat steps 1-3 for all remaining servers running Advanced Access 

Control. 

Modifying Ticket Lifetime Settings 

When a user launches the Secure Access Client and logs on to the Access 

Gateway, the user’s Web browser receives a ticket from the Citrix Authentication 

Service which must be used within a certain period of time. The default time 

period is 85 seconds. When the ticket is used within this time period, the home 

page appears in the user’s Web browser. If the Secure Access Client does not 

connect within this time period, the ticket expires and the home page does not 

appear. The user must access the logon point again and receive a new ticket. 

To ensure the Secure Access Client has sufficient time to connect and tickets are 

presented promptly, you can increase the lifetime of tickets issued to users. To do 

this, you modify the Ticket Profile keys located in the web.config file of the 

Citrix Authentication Service. If you choose to make this change on one server 

running Advanced Access Control, you must make the same change on all servers 

in your access server farm. 

To modify the ticket lifetime settings 

1. In Windows Explorer, navigate to the Citrix Authentication Service Web 

directory (C:\inetpub\wwwroot\CitrixAuthService). 

2. Open the web.config file in a text editor and locate the following lines: 

 

 

3. Change the first numeric value in both keys to the length of time, in 

seconds, in which you want tickets to remain valid from the time of issue. 

4. Repeat steps 1-3 for all remaining servers running Advanced Access 

Control.


Ensuring a Smooth Rollout 

After your client software deployment strategy is implemented and tested, you 

are ready to provide users with the information they need to access corporate 

resources through Advanced Access Control. To ensure all users are aware of the 

upcoming deployment of Advanced Access Control, consider a formal method of 

communication such as posting information on your corporate intranet, training 

sessions, and email. 

If there are budgetary restrictions, determine if some of the costs of your 

deployment strategy actually improve the company’s bottom line. For example, 

the costs associated with user training could be justified if there is a significant 

savings as a result of fewer support calls. 

Topics to consider providing additional information to users include: 

• Client software. Depending on your client deployment strategy, users may 

need to install client software on their own device. In this scenario, provide 

users with the location of the file share from which they can access the 

installation packages. If you implemented an on-demand client software 

strategy, instruct users to accept these clients when prompted. In addition, 

inform users that failure to accept the installation of on-demand clients 

results in reduced functionality for that session. 

• Logon points. If users can access the corporate network from multiple 

logon points, you must provide users with the URLs for these logon points. 

For example, if you created two logon points—one for access from a 

network enclave and another for external access through the Internet— 

users will need the URLs for both logon points. Additional information 

about providing logon information to users is discussed in the next section. 

• Policy-based access. Inform users if you developed an access strategy that 

includes different levels of access to corporate resources based on factors 

such as endpoint analysis results, authentication type, or logon point. 

For example, you may create a policy that allows users to download a 

document when accessing it from within a network enclave and create 

another policy that denies this level of access when accessing the document 

from their home computer. Informing users of this type of access control 

reduces user confusion as well as unnecessary support calls. 

Providing Logon Information to Users 

Users can access a specific logon point by navigating to the following URL: 

https://GatewayApplianceFQDN/CitrixLogonPoint/LogonPointName/


where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of 

the Access Gateway server on which you deployed the logon point and 

LogonPointName is the name of the logon point. 

For example, if the FQDN of the Access Gateway server is 

“companyserver.mydomain.com” and the logon point is “remote,” the URL for 

logging on is https://companyserver.mydomain.com/CitrixLogonPoint/remote. 

Alternatively, users can access the default logon point by navigating to the 

following URL: 

https://GatewayApplianceFQDN/ 

where GatewayApplianceFQDN is the fully qualified domain name (FQDN) of 

the Access Gateway server on which you deployed the logon point. 

Browser Security Considerations 

Certain custom Web browser security settings can prevent users from accessing 

Advanced Access Control. Therefore, follow the guidelines below to ensure users 

can access the appropriate servers within your network. 

• For users to properly access corporate resources through Advanced Access 

Control, the following browser settings must be enabled. 

• Cookies. Advanced Access Control uses per-session cookies that are 

not stored on disk. Therefore, third parties cannot access the cookies. 

Disallowing per-session cookies prevents connections to Advanced 

Access Control. Users cannot log on to Advanced Access Control 

because logging on requires a session cookie. 

• File download. Disabling “File download” prevents the downloading 

of files from the corporate network, the launching of any seamless 

ICA sessions, and access to internal Web servers outside the access 

server farm. 

• Scripting. Disabling active scripting makes Advanced Access 

Control inaccessible. Disabling Java applet scripting prevents users 

from launching published applications with the Client for Java. 

• Change the security settings only for zones that contain resources accessed 

through Advanced Access Control. If you fully trust the sites on your 

company’s intranet, you can set the Local Intranet zone security level to 

Low. If you do not fully trust the sites on your intranet, keep the Local 

Intranet zone set to Medium-Low or Medium. 

• Several browser security settings required to access Advanced Access 

Control servers are disabled under the High security settings. Therefore, if


the security level for the Local Intranet zone is set to High, customize the 

browser security settings as described in the next section. 

• If you want to keep the default security settings but also customize 

individual security settings of your Advanced Access Control servers, you 

can configure each server in the access server farm as a “trusted site.” 

Configuring servers as trusted sites lets you customize their security 

settings without affecting the Internet and Local Intranet settings. 

Important: If your access server farm requires SSL, make sure that SSL is 

required for all sites in the Trusted Site zone. 

Customizing Browser Security Settings 

The following table lists additional Internet Explorer browser security settings 

required for those deployment scenarios requiring client software. Most of these 

settings are available from the Security tab of the Internet Options dialog box. 

Deployment Scenario 

Required Settings 

Endpoint Analysis Client • Run ActiveX controls and plug-ins (Enable) 

• Script ActiveX controls marked safe for scripting 

(Enable) 

• File download (Enable) 

Live Edit Client • Run ActiveX controls and plug-ins (Enable) 


(Enable) 


Web Client • Run ActiveX controls and plug-ins (Enable) 


(Enable) 


• Do not save encrypted pages to disk (Disable) 

Client for Java • Java Permissions (High safety or Custom) 

If you select Custom, set the following options: 

• Run Unsigned Content (Run in sandbox) 

• Run Signed Content (Prompt or Enable) 

• Do not save encrypted pages to disk (Disable) 

• All Additional Signed Permissions must also be 

set to Prompt or Enable

Customizing the Logon Error Message 


Users may see an “Access Denied” page when attempting to access the logon 

page. This can occur if users do not meet the requirements in a policy controlling 

the Allow Logon permission or do not meet the requirements configured in logon 

point properties for displaying the logon page. 

You can modify the “Access Denied” page to provide users with troubleshooting 

information or redirect them to a different Web page that contains remedies for a 

specific problem that is detected. In addition, because each logon point is 

associated with its own “Access Denied” page, you can customize this message to 

accommodate the specific access scenarios associated with each logon point. 

For example, you can customize a logon point’s “Access Denied” page with 

frequently asked questions and technical support contact information. Another 

possible “Access Denied” page customization is to redirect users to a Web page 

containing links to client software installation packages. 

You can create and deploy a logon point for the sole purpose of testing your 

modifications to the “Access Denied” page. Then, when you are ready to 

incorporate the customized page into your production environment, copy the page 

to the appropriate location on the Logon Agent server. 

The “Access Denied” message is generated by an ASP.NET user control that can 

be modified using any text editor that supports ASCX files. 

To edit the “Access Denied” message 

1. On an Advanced Access Control server, navigate to: 

%systemdrive%:\Inetpub\wwwroot\Citrixlogonpoint\logon point name 

where logon point name represents the name of the logon point associated 

with the page you want to customize. 

2. Make a backup copy of the disallowed.ascx file. 

3. Edit disallowed.ascx. 

For example, if you have a troubleshooting site named 

www.gotoassist.com, add the following syntax to the end of 

disallowed.ascx: 

Click here to 

launch GoToAssist 

Caution: Do not modify the logic contained in the page because doing so 

can yield undesirable results.


4. Repeat Steps 1 - 3 to customize the “Access Denied” message for other 

logon points. 

5. Update logon page files on the Access Gateway as described in “Updating 

Logon Page Information” on page 93.

CHAPTER 14 

Managing Your Access Gateway 

Environment 

After configuring the servers in your access server farm, you perform a variety of 

tasks to manage your deployment. These tasks help you ensure your deployment 

runs smoothly and efficiently. 

This section describes how to: 

• Administer your access server farm using multiple Consoles 

• Secure the Access Management Console with COM+ 

• Add and remove farms and servers 

• Change the service account or database credentials 

• Change the server roles 

• Minimize downtime of your access server farm 

• Monitor user sessions 

Managing Access Server Farms Remotely 

You can use the Access Gateway Administration Tool and the Access 

Management Console on remote workstations to manage your access server farm. 

You can install the Administration Tool from the Access Gateway Administration 

Portal. Use the Advanced Access Control Server CD to install the Access 


To download and install the Administration Tool 

1. In a Web browser, type the URL of the Access Gateway and enter your 

administrator credentials. 

2. In the Access Gateway Administration Portal, click Downloads. 

3. Under Administration, click Download Access Gateway Administration 

Tool Installer.


4. Select a location to save the installation application and click Save. The 

installation tool is downloaded to your computer. 

5. After downloading the file, navigate to the location it was saved and then 

double-click the file. 

6. To install the Administration Tool, follow the instructions in the wizard. 

7. To start the Administration Tool, click Start > Programs > Citrix Access 

Gateway Administration Tool > Citrix Access Gateway Administration 

Tool. 

8. In Username and Password, type the Access Gateway administrator 

credentials. The default user name and password are root and rootadmin. 

To install the Access Management Console 

1. Insert the Server CD or start AutoRun.exe from the CD image. 

2. Select Product Installations and Advanced Access Control to open 

Setup. 

3. Accept the license agreement and proceed to the Components Selection 

page. 

4. Select Management console and clear the selection of any other 

components selected by default. 

5. Proceed through the remainder of the wizard. 

Controlling Access by Multiple Consoles 

When a Console connects to an access server farm, other Console instances can 

actively manage the server farm at the same time. If any changes are made to the 

same configuration settings, Advanced Access Control writes the first change 

saved to the database based on the timestamp at which the change occurred. If 

two changes are saved simultaneously, the change with the earlier timestamp 

prevails. 

You are notified if an instance of the console connects to a farm and another 

instance is detected. If you make any configuration changes, they may be 

overridden depending on when each Console instance saves each change. Choose 

Yes to acknowledge and close the message. 

Important: Administering Advanced Access Control using multiple Console 

instances simultaneously can result in data corruption and inconsistent server 

performance. Citrix recommends you use only one Console instance at a time to 

administer access server farms.

Chapter 14 Managing Your Access Gateway Environment 215 

Using Groups in Policy Assignments 

It is generally good practice to assign policies to domain user groups or account 

authority groups only. If, however, you use the console on a remote workstation 

and assign the workstation’s local users to a policy, you may receive an error 

message when editing the policy from another Console. You can remove or edit 

such a policy using the console on the server running Advanced Access Control. 

Securing the Access Management Console Using COM+ 

Depending on your organization’s needs, you may allow other administrators to 

manage your access server farm. Using COM+ role-based security, you can 

specify the users who can make changes to your access server farm using the 

Access Management Console. 

During installation, Advanced Access Control creates the following security roles 

for the Access Gateway Server COM+ application: 

• Administrators. Users in this role are allowed to make changes to the 

Advanced Access Control environment using the console. 

• Non Appliance Administrators. Users in this role are allowed to make 

changes to resources and policies only. Users assigned to this role are not 

allowed to modify gateway appliance settings. Users assigned to this role 

must not be assigned to the Administrators role as well. If the user is 

assigned to both roles, the Non Appliance Administrators role is not 

enforced. 

• System. This role includes the service account and other local accounts that 

require access to the Access Gateway Server COM+ application. 

If you add users to the Administrators or Non Appliance Administrators roles, 

they may have access to the API published by the application in addition to the 

console. Consider all risks carefully before adding other users to the 

Administrators role. 

Important: The accounts appearing in the System role are required for 

Advanced Access Control to function. You must also close the Access 

Management Console before adding users to the Administrators or Non 

Appliance Users role. If these System accounts are modified or if the console is 

open when COM+ security is applied, your access server farm may stop 

functioning and you may lose data. 

To allow administrators to use the Access Management Console 

1. Close the Access Management Console if it is open.



Component Services. 

3. In the console tree, expand Component Services > Computers > My 

Computer > COM+ Applications. 

4. Expand Access Gateway Library > Roles and select the role that is 

appropriate for the user(s) you want to add: 

• To allow administrators to access appliance and farm settings with 

the console, expand Administrators. 

• To allow administrators to access farm settings only, expand Non 

Appliance Administrators. 

5. Right-click Users and select New. 

6. Enter the user account(s) you want to add and click OK. 

7. Restart the Access Gateway Library COM+ application. 

8. Repeat steps 4-7 for the Access Gateway Server COM+ application. 

Restarting COM+ Applications 

Restart the Access Gateway Server COM+ application when: 

• You add users to the Administrators or Non Appliance Administrators role 

so they can make changes to your deployment using the Access 


• Components such as logon points or the Web proxy function incorrectly, as 

a preliminary troubleshooting measure. 

• You modify components that access the Access Gateway Server COM+ 

application, such as Web email. For example, if you modify mapisvc.inf to 

enable Microsoft Exchange 2000 to work with the default Email Interface, 

you restart the Access Gateway Server COM+ application to ensure the 

modifications are recognized at runtime. 

To restart the Access Gateway Server COM+ application 


Component Services. 

2. From the Component Services window, expand Computers > My 

Computer > COM+ Applications. 

3. Right-click Access Gateway Server and select Shut down. 

4. Right-click Access Gateway Server and select Start.

Adding and Removing Farms 


If your deployment consists of multiple access server farms, you can manage 

them using a single Console. To do this, you add the other access server farms to 

the console tree. 

To add access server farms 

1. In the console tree, select the Access Gateway node. 

2. Under Common Tasks, click Add access server farm. 

3. In the Server box, type the machine name or the IP address of any server in 

the farm you want to add. 

4. Click OK. The Access Management Console connects to the access server 

farm and displays the farm node in the console tree. 

Note: To manage multiple access server farms from Console instances running 

on other machines, you must add the farms to each Console. 

To remove access server farms 

1. In the console tree, expand the Access Gateway node and select the farm 

you want to remove. 

2. Under Common Tasks, click Remove farm. 

Adding and Removing Gateway Appliances 

To add gateway appliances to your access server farm, perform the following 

tasks: 

1. Install and configure the appliance as described in the Getting Started with 

Citrix Access Gateway Standard Edition. 

2. In the Access Gateway Administration Tool, enable the Advanced Access 

Control to administer the appliances. For more information, see “Enabling 

Advanced Access Control” on page 80. 

3. In the console, run discovery. 

To remove gateway appliances from your access server farm, perform the 


1. In the Access Gateway Administration Tool, disable gateway 

administration with the Advanced Access Control and remove all access 

server farm information.


2. In the console, remove the gateway appliance. 

When you remove a gateway appliance from the console, you remove only the 

registration information from the access server farm database. If you do not 

remove all access server farm information from the Access Gateway 

Administration Tool before removing the appliance from the console, the 

Advanced Access Control registers the appliance again and displays it in the 

Gateway Appliances node when you run discovery. 

To disable Access Gateway administration with the console 

1. Launch the Access Gateway Administration Tool and select the gateway 

appliance you want to remove. 

2. Click the Advanced Options tab and then clear the Advanced Access 

Control - includes an access server farm check box. 

3. In Server running Advanced Access Control, remove the name of the 

server running Advanced Access Control. 

4. Click Submit to save your changes. 

5. Restart the Access Gateway. 

To remove a gateway appliance from the console 

1. In the console tree, expand Gateway Appliances and select the gateway 

appliance you want to remove. 

2. Click Remove appliance and then click Yes to remove the gateway 

appliance from the farm. 

Changing Service Account and Database Credentials 

You can change the credentials of the service account or SQL access account if 

either of these accounts is deleted, is disabled, or changes passwords. If the 

credentials are not changed, Advanced Access Control does not function. 

Use the Server Configuration utility to change the credentials of these accounts. 

You can run the Server Configuration utility at any time without interrupting farm 

operations. However, the console must be closed on the machine on which it is 

running. If the console is running remotely and the account credentials are 

changed, the console displays an error message. Close and reopen the console to 

correct the problem. 

The Server Configuration utility and the account information are stored on each 

server running Advanced Access Control. To use the Server Configuration utility, 

you must log on to the server as an administrator.


To change account credentials 

1. On the server running Advanced Access Control, choose Start > Programs 

or All Programs > Citrix > Advanced Access Control > Server 

Configuration. 

2. Click Service Account to change the user name, password, or domain of 

the service account. For information about requirements for valid service 

accounts, see “Service Account Requirements” on page 44. 

3. Click Server Farm Information to change the farm database server, farm 

name, or database authentication method. 

Modifying Server Roles 

Each server running Advanced Access Control is assigned the HTML Preview 

server role by default. If you do not want all servers in your farm to perform this 

role, you can enable or disable it on a per-server basis. 

To modify server roles 

1. In the console tree, select Servers. 

2. Under Common Tasks, click Manage server roles. 

3. Select or clear the check boxes for each server you want to assign to or 

remove from the HTML Preview role. 

Removing Servers from the Farm 

When you remove servers from the farm, the services the server provided to your 

farm are no longer available. If you want to keep these services, ensure they are 

enabled on other servers in your farm. 

To remove servers from an access server farm 

1. Run discovery to ensure Advanced Access Control detects all servers in the 

farm. 

2. In the console tree, expand the Servers node. 

3. Select the server you want to remove. 

4. Under Common Tasks, click Remove server.


Maintaining Availability of the Access Server Farm 

Advanced Access Control maintains all configuration, session, and user data for 

the access server farm in a SQL database on the database server. If the database 

server becomes unavailable, Advanced Access Control cannot retrieve data in 

response to user or server requests. If the Advanced Access Control server 

becomes unavailable, users cannot log on to the server or access resources. This 

section describes how you can maximize the availability of your access server 

farm. 

• Create a backup of the SQL database. 

After you create the initial backup, you should ensure the database is 

backed up regularly at appropriate intervals. Additionally, you should 

verify the data can be restored from the backups. 

• Cluster the database server. 

This allows another database server to continue farm operations in the 

event the first database server becomes unavailable. The clustered servers 

appear to Advanced Access Control as a single database server. 

• Cluster the Advanced Access Control server. 

As with the database server, clustering allows another Advanced Access 

Control server to continue operations for an unavailable server. Users can 

continue to log on to the server and access resources. 

Exporting and Importing Configuration Data 

You can export and import your farm configuration data using the Access 

Management Console. This can be helpful when, for example, you want to save 

the configuration data from a farm in a staging environment and copy it to a farm 

in a production environment. 

When you export your farm configuration, a .cab file is created which consists of 

compressed XML files containing the following data: 

• Global farm settings such as display order of home page applications, 

license server, and authentication profiles 

• Presentation Server farm settings 

• Network and Web resource settings 

• Logon point settings 

• Policy settings 

• Endpoint analysis settings


• Continuous scan settings 

• Gateway appliance settings 

Data that is not exported includes: 

• Access server farm name 

• Data that is valid only when the Advanced Access Control server is 

running, such as user session data. 

• Server information such as computer names. 

After you export your farm configuration, you can import the .cab file to restore 

the configuration on another server running the same version of Advanced 

Access Control. 

Before you export your farm configuration, be aware of the following conditions: 

• You can import only .cab files that were exported using the same version of 

Advanced Access Control. For example, if you export the configuration of 

a farm running Version 4.5 of Advanced Access Control, you can import 

the configuration data only on another Advanced Access Control server 

running Version 4.5. If you import the configuration data on a server 

running a different version of Advanced Access Control, the import fails. 

Note: If you want to import configuration data from a previous version of 

Advanced Access Control, you must first use the Migration Tool to prepare 

your data for import into a farm running Version 4.5. For more information 

about migrating to Version 4.5 from a previous version of Advanced Access 

Control, see the Access Gateway Advanced Edition Upgrade Guide. 

• Incremental export or import of farm configuration data is not supported. 

You can export or import only entire farm configurations. 

• When you import farm configuration data, the existing farm configuration 

is deleted and replaced with the imported data. 

Important: Before you import farm configuration data, Citrix recommends 

creating a backup of the SQL database for the farm. 

To export your access server farm configuration 

1. From the console tree, select the farm node and then click Export Farm in 

Other Tasks. 

2. Enter the location where you want to create the .cab file.


Monitoring Sessions 

When you click Next, the XML files are compressed into a .cab file and saved to 

the location you specified. 

To import your access server farm configuration 

1. From the console tree, select the farm node and then click Import Farm in 

Other Tasks. 

2. Enter the location of the .cab file you want to import. 

When you click Next, the .cab file is decompressed and the existing configuration 

data is replaced with the imported data. 

The Access Gateway Advanced Edition Session Viewer is a session monitoring 

tool that allows administrators to review user access to the access server farm and 

terminate user sessions. 

Note: You must have administrative privileges to run the Session Viewer. An 

Advanced Access Control session is not required to run the Session Viewer. 

Session Viewer displays data from the server on which you are logged or from 

other Advanced Access Control servers. This data includes: 

• Client IP address 

• User name used to log on 

• Installed clients 

• Logon point accessed and default home page 

• Name of the Advanced Access Control server the user is accessing 

When you select a session from the Sessions pane, the data for that session 

displays in the Session Values pane. You can sort sessions by clicking the column 

headings in the Sessions pane. 

To access the Session Viewer 

Click Start > All Programs > Citrix > Access Gateway > Session Viewer. 

To terminate sessions 

1. From the Sessions pane, select the user session(s) you want to terminate. 

2. Click Delete.


If the user attempts to access resources after you terminate the session, an error 

page appears and the user must log on again.


CHAPTER 15 

Auditing Access to Corporate 

Resources 

The event logging capabilities in Advanced Access Control ensure you collect the 

information needed to monitor access to corporate resources. Event logs allow 

you to: 

• Prove compliance with regulatory requirements 

• Prove compliance with internal, corporate-specific requirements 

• Take proactive measures to address existing vulnerabilities such as 

evaluating incidents circumventing intended access and modifying your 

access strategy to resolve these issues 

• Assist support personnel in troubleshooting issues related to accessing 

corporate resources 

Configuring Audit Logging 

You can configure Advanced Access Control to record specific user activities for 

auditing purposes. For example, you can monitor endpoint analysis scan results; 

successful logon attempts; and unsuccessful attempts to access resources such as 

Web email, file shares, and so on. Before configuring event log settings, 

determine the information you need to collect and enable logging only for the 

associated events. This approach ensures logging does not impact system 

performance or use unnecessary hard disk space. In addition, limiting logging to 

only the information relevant to the auditing process streamlines the evaluation of 

this data. 

The table below describes the events available for logging.


Event 

Endpoint analysis scan results 

Logon page denied 

Logon allowed 

Logon denied 

User logged off 

Session timed out 

Web resources - HTML MIME 

type 

Web resources - other MIME 

type 

Web resources - image MIME 

type 

File shares 

Web email 

Resource access denied 

Description 

Logs all endpoint analysis scan results. Three events are generated for each scan. 

The first event contains the raw endpoint analysis data from the client device. The 

second event contains the scan results (true/false) based on analysis within 

Advanced Access Control. The third event contains the scan results (true/false) 

specific to the requirements for displaying the logon page. 

Logs an event when a logon page is not displayed to the user due to your 

configured requirements. 

Logs an event when a successful Windows NT authentication is passed to the 

domain controller. Events are not logged when a user sends valid credentials but is 

denied access due to policy restrictions. 

Logs an event when an unsuccessful Windows NT authentication is passed to the 

domain controller or when the Allow Logon policy denies a user access to the 

logon page. 

Logs an event when a user terminates a session. 

Logs an event when a session times out. The session time-out value is configured 

as a logon point setting. 

Logs an event for successful access to HTML content within a Web resource such 

as HTML and ASP pages. 

Logs an event for successful access to non-HTML content within a Web resource 

such as JavaScript, Flash, XML, and so on. 

Logs an event for successful access to images referenced within a Web resource 

such as a GIF or JPEG file. 

Logs an event for successful access to file shares or documents within a file share. 

Logs an event for successful access to Web-based email including Outlook Web 

Access, iNotes, and Advanced Access Control’s Web email interface. Outlook 

Web Access and iNotes use the same event ID (304) while Advanced Access 

Control’s Web email interface uses event ID (306). 

Logs an event for unsuccessful access to any resource within an access server 

farm. For Web resources, only unsuccessful access to the HTML MIME type is 

logged. Unsuccessful access to other or image MIME types is not logged. 

Important: Audit log configuration is set at the access server farm level and 

applies to all resources within the farm. Therefore, if your access server farm is 

distributed across multiple servers, audit logs are written to each server within the 

farm. 

The general steps involved in configuring event logging are:

Chapter 15 Auditing Access to Corporate Resources 227 

• Specify the events to log for the access server farm. Use the Access 

Management Console to specify the type of events logged by servers within 

an access server farm. 

• Configure log settings for each server within the farm. Use the Windows 

Event Viewer to configure log settings for each server including specifying 

the maximum log size, determining when to overwrite events, and so on. 

By default, the maximum size of the CitrixAGE Audit log is 5120KB and is 

retained for seven days before being overwritten. New events are not added 

if the maximum log size is reached and there are no events older than this 

period. If this configuration does not meet your auditing needs, consider 

increasing the size of the log file as well as modifying the event overwrite 

settings. 

• Consolidate event logs into a single view. Each server within an access 

server farm maintains its own event log. Use the Event Log Consolidator in 

Advanced Access Control to collect event log data from all servers within 

the farm and display this data in a single, consolidated view. After the data 

is collected by the Event Log Consolidator, you can perform additional 

analysis by running a variety of reports based on user access, resource 

access, and so on. 

To select events to be logged for an access server farm 

1. In the console tree, select the access server farm you want to audit and click 

Edit farm properties in Common Tasks. 

2. On the Event Logging page, select from among the auditing options 

described below. For detailed descriptions of these events, see the table in 

“Configuring Audit Logging” on page 225. 

• Endpoint analysis scan results 

• Allowed and denied access to resources (Web resources, file shares, 

and Web email) 

• Logon point data including logon page denial, logon denial, logon 

allowed, user log off, and session time-out 

Note: To generate session-based reports in the Event Log Consolidator, 

you must enable the “Logon allowed” event. 

To configure log settings for Advanced Access Control servers 

You must be logged on as an administrator or as a member of the Administrators 

group to configure Advanced Access Control auditing information within the 

Windows Event Viewer.


After auditing is enabled and configured within Advanced Access Control, you 

can use the Windows Event Viewer to configure audit log settings including: 

• Specifying the maximum log size 

• Determining when to overwrite events 

Important: By default, the maximum size of the CitrixAGE Audit log is 

5120KB and is retained for seven days before being overwritten. New events are 

not added if the maximum log size is reached and there are no events older than 

this period. If this configuration does not meet your auditing needs, consider 

increasing the size of the log file as well as modifying the event overwrite 

settings. 

1. Open the Windows Event Viewer of a server running Advanced Access 

Control. 

2. Select CitrixAGE Audit from the console tree. 

3. Configure logging properties as appropriate. 

4. Repeat this step for all servers in the farm. 

For help using the Windows Event Viewer, refer to the topic “Event Viewer” in 

the Windows online Help. 

To consolidate event logging results 

1. In the console tree, select Access Gateway and click View Events in 

Common Tasks. 

2. In the Event Log Consolidator, click File > Configure. 

3. In the Polling Interval box, specify the time interval (in seconds) at which 

the Event Log Consolidator collects audit log data from Advanced Access 

Control servers. 

4. Under Available Farms, select the access server farm for which you want 

to view auditing data. 

5. Click File > Collect to begin polling Advanced Access Control servers. 

Important: Excessive logging and polling can impact a system’s performance. 

Therefore, avoid logging unnecessary events for an access server farm. In 

addition, avoid unnecessary polling of audit log data by the Event Log 

Consolidator.

Interpreting Audit Events 

Chapter 15 Auditing Access to Corporate Resources 229 

Audit information is written to the Windows Event Viewer and contains 

information specific to the audit event as described in the table below. 

Field 

DateTime 

UserName 

ServiceName 

Status 

Machine Name 

Session ID 

PolicyReference 

EPAReference 

Resource 

Data 

Description 

Date and time of the request. 

Name of the authenticated user accessing the resource. 

Name of the Advanced Access Control component logging 

the request. 

Status of the request (accepted, denied, or completed). 

Name of the server logging the event. 

Reference number assigned to a session upon successful user 

authentication and license validation. This number is used to 

track session events such as logon allowed, user logged off, 

and session timed out. 

Reference number for denied attempts. This number is also 

displayed to users when access is denied. 

Reference number for endpoint analysis scans. This number 

is referenced by endpoint analysis before a user is 

authenticated to associate a session ID with scan results. 

Name or URI (Uniform Resource Identifier) of the resource 

requested. 

Additional data specific to a message. 

Although logging is enabled at the access server farm level, each server maintains 

its own log file. To gather logging information from all servers within the farm 

into a single view, use the Event Log Consolidator. 

To view logging results 

1. In the console tree, select Access Gateway and click View Events in 

Common Tasks. 

2. Sort events or generate reports to assist in the evaluation of this data.


Troubleshooting User Access to Resources 

There are a variety of reasons why a user may not be able to access a corporate 

resource ranging from failed endpoint analysis scans, incorrect authentication 

credentials, policy-based restrictions, and so on. Often, it is not possible for users 

to know why access was denied and therefore, they rely on support personnel for 

assistance in troubleshooting these issues. 

For each denial of access to a resource or failed endpoint analysis scan, a unique 

value is displayed in the user’s browser. This information is also written to the 

event log as the PolicyReference or EPAReference value, respectively. For this 

reason, consider instructing users to record reference numbers and provide this 

information to support personnel because it expedites the troubleshooting 

process. Support personnel can use this information to quickly search and identify 

the specific event and begin troubleshooting the problem. In addition, support 

personnel can use the table from the section “Interpreting Audit Events” on page 

195 as a resource when evaluating events. 

Performing Audit Log Maintenance 

Several third-party tools provide advanced maintenance of Windows event logs. 

For example, the Windows Event Viewer and Event Log Consolidator do not 

support automatic rotation of logs without overwriting existing log data. If your 

corporation requires archiving of log data on a regular basis, consider a thirdparty 

tool that automates this process. 

However, there may be situations when using the Event Log Consolidator or 

Windows Event Viewer to perform basic maintenance tasks is appropriate. For 

example, you may need to reimage a server within your access server farm. To 

ensure no audit data is lost, you can use the Windows Event Viewer to save the 

audit log prior to reimaging the server. 

The decision regarding how to manage and maintain audit logs depends on your 

corporate needs. Therefore, when determining how to manage audit data, 

evaluate the auditing needs of your corporation and ensure that your solution 

satisfies these needs.

APPENDIX A 

Glossary 

Access Client package. The tool administrators use to manage the distribution and 

upgrade of Access Suite clients. Allows administrators to quickly and easily 

deploy client-side software to end-users with one convenient Windows 

Installer package. 

Access Gateway Administration Desktop. A window where administrators can monitor 

Access Gateway network activity. Tools included in the Administration 

Desktop include the Citrix Real-Time Monitor, Ethereal Network Analyzer, 

xNetTools, My traceroute, fnetload, Gnome System Monitor, and the 

Workplace Switcher. 

Access Gateway Administration Portal. A Web-based interface for performing 

administration tasks for Access Gateway appliances. From the Administration 

Portal you can download other administration tools for remote use, such as the 

Administration Desktop and the Access Gateway Administration Tool. 

Access Gateway Administration Tool. A 32-bit management console downloaded from 

the Administration Portal and installed on a Windows computer in the secure 

network. The Administration Tool can administer individual settings for all 

gateway appliances in a cluster. 

Access Gateway Real-Time Monitor. A console window listing current users and their 

related information. You can close the VPN connection for any user from the 

Real-Time Monitor. The Real-Time Monitor is accessed using the 

Administration Desktop. 

Access Interface. The user-facing Web page that displays the available corporate 

resources, including URLs, email, and files. 

access policy. A policy that enforces configuration settings for user access under 

specified conditions. See also connection policy. 

access scenario. The access scenario includes all the information about the user and 

the user’s client device used to apply policies. Depending on the type of policy 

being evaluated, the access scenario can include the user identity, the client 

device, client device details discovered through endpoint analysis scans, the 

authentication method employed, the logon point used to enter the network, 

and so on.


access server farm. A logical grouping of servers on which Advanced Access Control 

Services run. An access server farm consists of one or more networked 

computers that run Advanced Access Control components such as the Web 

Server, database server, and so on. These components work together to provide 

access to corporate resources such as Web sites, file shares, and email. See also 

server farm. 

accessible networks. The IP addresses of the computers in the secure network to 

which the Access Gateway is allowed to connect. 

action controls. The permissions that users are granted for working with files through 

Access Gateway Advanced Edition such as Download, Send as Email, and file 

type association. 

activation server. A server that performs file activation services such as HTML 

Preview, Download, and Live Edit. It houses the Activation Host Service and 

Activation Engine Service; the Activation Host Service acts as a “sandbox” for 

the Activation Engine Service to activate a file. 

activation services. A service that provides stateless load balanced file activation 

including HTML Preview, Download, and Live Edit. 

Advanced Access Control. Software components and features in Access Gateway 

Advanced Edition which enable granular policy-based access control. 

Advanced Access Control allows you to control user access based on such 

factors as user location and authentication, endpoint analysis, and verification 

of the client device. 

Allow Logon. A permission (the ability to log on) that is controlled by policy. The 

Allow Logon permission is treated as a resource to enable administrators to 

add criteria for users to meet in addition to the usual authentication process. 

application policy. A policy that can be configured for any software program, 

including Web applications, when you are using the Access Gateway 

appliance. Application policies allow you to restrict applications to a specified 

network path and to make access to the application dependent upon endpoint 

policies. 

authentication profile. An authentication profile contains configuration settings that 

define the authentication to be used with a logon point. 

authentication type. The type of authentication being used, such as RADIUS, LDAP, 

SafeWord, and so on. 

authorization rejection page. The user-facing Web page that displays when a client 

environment does not possess the baseline requirements for accessing 

corporate network resources. 

browser-only access. The ability to access corporate network resources without 

requiring any client-side software other than a Web browser. 

Citrix Activation System (CAS). The Citrix license management system available from 

a secure area of the Citrix Web site that allows customers to generate license 

files for Access Suite products. CAS stores a downloadable copy of all license 

files generated and can display a list of licenses registered to an organization.

Appendix A Glossary 233 

Citrix administrator. System administrator responsible for installing, configuring, and 

maintaining computers running any product in the Citrix Access Suite. 

Citrix XML Service. A Windows service that provides communication between Citrix 

Presentation Server and Access Gateway, Web Interface, and some 

Presentation Server Clients. 

client device. Any hardware device used to access corporate resources. 

Client for Java. A Java applet that supports the launching and embedding of published 

applications. 

cluster. A group of like hardware components (such as Access Gateway appliances or 

Advanced Access Control servers) that can be managed as a single entity. 

condition. (1) In general terms, a condition is any configurable requisite for the 

enforcement of a policy. Policies can have multiple types of conditions, such 

as endpoint analysis or logon point or authentication conditions. 

(2) In endpoint analysis, a condition is a single required attribute of the client 

device evaluated during endpoint analysis, such as the operating system or 

browser being used. A rule is a set of conditions that are evaluated against the 

client device. If the client device meets all the conditions in a scan’s rule, the 

scan is applied and run on the client device. 

connection policy. A policy that allows Secure Access Client connections and applies 

settings to those connections. You must allow use of the Secure Access Client 

to establish connections to any network resource and for email 

synchronization, because these types of resources do not allow browser-only 

access. 

continuous scan. Scans of the client device that occur repeatedly throughout the 

session to ensure that the client device continues to meet requirements. The 

feature prevents, for example, users from changing the status of a client device 

requirement after establishing the connection. Types of continuous scans 

include file scans, process scans, and registry scans. 

continuous scan filter. A filter that defines the continuous scan requirements for a 

connection policy. A continuous scan verifies one item (a file, registry entry, or 

process) on the client device. The filter can include one or more continuous 

scans for verification. When associated with a connection policy, the filter 

defines all the requirements to be verified by continuous scans for the 

connection policy to take effect. 

device-specific presentation. The automatic display of content that is appropriate to 

the device when a user uses a non-PC device, such as a PDA. 

disconnected session. A client session in which the client is no longer connected to an 

application on Citrix Presentation Server, but the user’s applications are still 

running. A user can reconnect to a disconnected session. If the user does not 

do so within a specified time-out period, the server automatically terminates 

the session.


email synchronization. A comparison of separate email account instances resulting in 

both instances containing the same information. This feature allows remote 

users to access email in real time when working online and synchronize their 

folders in preparation for working offline. 

email synchronization group. A list of email servers that can be accessed for email 

synchronization. 

enclave deployment. A deployment scenario in which a network is segmented or 

fragmented in a manner (such as with firewalls) that forces users to log on 

through a specific logon point. 

endpoint analysis. A process that scans a client device and detects information such as 

the presence and version level of operating system, antivirus, firewall, or 

browser software. Endpoint analysis can verify that the client device meets 

your requirements before allowing it to connect. This information can be 

included as a filter within a policy to determine the appropriate level of access 

to corporate resources. Endpoint analysis scans are run against the client 

device once, during logon. See also continuous scan. 

Endpoint Analysis Client. An ActiveX control or browser plug-in used to discover 

information about a device’s configuration (such as the operating system, 

antivirus pattern, and so on). 

Endpoint Analysis SDK. The software development kit that allows customers and 

partners to modify and create endpoint analysis packages. 

endpoint policy. An endpoint policy is a Boolean expression that defines the files, 

processes, or registry entries that must be on the client computer before users 

can connect to corporate resources through the Access Gateway appliance. 

You can create and use endpoint policies on the appliance only. If you are 

using Access Gateway Advanced Edition, this functionality is configured 

through the logon point properties, where you can specify the requirements to 

be met by the client device before the user is shown the logon page. 

endpoint requirement. A file, process, or registry entry that must be on the client 

device. An endpoint requirement is configured with Access Gateway Standard 

Edition administration and then used to create an endpoint policy that is then 

added to one or more user groups. 

endpoint resource. A file, process, or registry entry that must be on the client device to 

log on. In the Access Gateway Standard Edition, a group of endpoint resources 

is used to create an endpoint policy. 

file activation. The actions a user can take on a file including HTML Preview, Live 

Edit, downloading, opening in a published application through file type 

association, and sending the file as an email attachment. 

file scan. A type of continuous scan that validates a specified file on the client device. 

file share. A directory (UNC) on a file server that is shared among a group of users. In 

Access Gateway Standard Edition, file shares are one of the corporate resource 

types available to users when they are logged on in kiosk mode. In Access 

Gateway Advanced Edition, file shares are available to users when an 

administrator publishes them to the Access Interface and configures policies 

allowing access.


file type association. A method that allows a document to be opened with an 

application published in Citrix Presentation Server that is registered to open 

documents of that type. 

filter. Configured criteria, including endpoint analysis, logon point, and 

authentication type, that can be used by policies to determine access to 

corporate resources. A filter is a single named entity that can be used in 

multiple policies. A filter may include another filter as part of its criteria. An 

access policy may have only one filter, but each filter can be associated with 

multiple access policies. 

In addition, filters created in Access Gateway Advanced Edition can be used 

in Citrix Presentation Server, which extends the SmartAccess capabilities to 

published applications. 

home page. The page the user sees after authentication. This page could be the default 

Access Interface, a third-party portal, or email access interface, such as iNotes 

or Outlook Web Access. 

HTML Preview. The name of the service that allows documents to be previewed in 

HTML rather than downloaded in their native format. This feature also refers 

to the role that an administrator can assign to a server for performing this 

service. 

Independent Computing Architecture (ICA). The architecture that Citrix uses to 

separate an application’s logic from its user interface. With ICA, only 

keystrokes, mouse clicks, and screen updates pass between the client and 

server on the network, while all the application’s logic executes on the server. 

intellectual property control. The protection of corporate intellectual property or 

sensitive information using features such as HTML Preview, file type 

association, and client drive mapping. The goal of intellectual property control 

is to prevent the exposure of sensitive corporate data. 

kiosk mode. Used in Access Gateway Standard Edition to describe a type of limited 

access to corporate resources from public computers, such as those found in 

airports or hotels. 

Live Edit. The feature that allows users to edit remote documents using the Live Edit 

Client. Users can conveniently edit and save documents without needing to 

download or upload them. 

Live Edit Client. The ActiveX control that integrates with a user’s local editing 

application to support the Live Edit feature. 

local users. Users who are created in Access Gateway Standard Edition. Local users 

are configured when they do not require authentication using other 

authentication types such as RADIUS, SafeWord, RSA SecurID, or LDAP. A 

realm for local authentication must be configured on the Access Gateway 

appliance for local users to connect. Authentication credentials are checked 

against the local user list if the user name does not match the authentication 

server’s list of users.


logon point. The URL from which users access corporate resources. The logon point 

settings determine access to server farms, Access Interface configuration, and 

other session-specific settings. In addition, a logon point can be used as a filter 

within policies. 

Microsoft SQL Server Desktop Engine (MSDE). A fully SQL Server-compatible data 

engine. SQL Server Express 2005, the newest version of MSDE, can be used 

in Access Gateway Advanced Edition for data storage in place of Microsoft 

SQL Server. See also SQL Server Express. 

network resource. A network resource defines subnets or servers on the corporate 

network that users can connect to through the Access Gateway using the 

Secure Access Client over specified ports. After defining network resources, 

you can create policies that control their user access and connection settings. 

pass-through authentication. The ability for Access Gateway to pass the user’s 

authentication information to another corporate resource requiring this 

information. Pass-through authentication is used for single sign-on to the Web 

Interface in an Access Gateway deployment. 

policy-based access control. The ability to grant granular access to users based on 

their access scenario. 

policy priority. A ranking system that allows you to prioritize policies to resolve 

conflicts when multiple policies apply to the same situation. The settings of a 

higher priority policy take precedence over conflicting settings in a lower 

priority policy. 

pre-authentication policy. A policy that allows users to log on if a set of scans validate 

the client device. Pre-authentication policies can be created only using the 

Access Gateway Administration Tool. If you are using Access Gateway 

Advanced Edition, you can create a logon policy for similar functionality. 

Presentation Server Client. Citrix software that enables users from a variety of client 

devices to connect to computers running Presentation Server. 

process scan. A type of continuous scan that verifies that a specified process is 

running on the client device. 

published application. An application installed on a server or server farm that is 

configured for multiuser access from clients through Citrix Presentation 

Server. 

realm. A realm is used in Access Gateway Standard Edition to specify the logical area 

of access granted through a specified type of authentication. Realms are 

replaced in the Advanced Edition by authentication profile settings. The 

Default realm authenticates against the local user list on the Access Gateway. 

Additional realms for LDAP, SafeWord, RADIUS, and RSA SecurID can be 

created or can be used as the Default realm. 

registry scan. A type of continuous scan that validates a registry setting on the client 

device. 

resource group. A resource group combines multiple resources of differing types into 

one named resource so that policies can be applied to the aggregate.


resources. The file shares, Web resources, email, and applications available through 

the Access Gateway. 

rule. In endpoint analysis, a rule is a set of conditions that define when to apply a 

scan and which property values to check. Multiple rules can apply to a single 

scan. The first rule of a scan is defined when you create the scan. After 

creating the scan, you can add more rules to make the scan apply to multiple 

scenarios. 

scan. A process that verifies specific properties of client devices connecting to your 

network, such as the installed version of an antivirus software product or 

verification that the device belongs to a required domain. 

scan output. A result of an endpoint analysis scan run on a connecting client device to 

detect or verify information about the client device. There are two types of 

scan outputs. One type is a property value that is detected and reported about 

the client device, such as the version number of an antivirus program running 

on the device. Another type is a simple Boolean (True or False) result 

indicating whether or not the client device passed the requirements of the scan. 

scan package. A package of code that allows administrators to configure endpoint 

analysis scans. Each scan package is designed to examine a set of properties 

for a specific software product. You can expand the default set of scan 

packages by importing new ones. Citrix, partners, or developers in your 

organization can develop additional scan packages using the Endpoint 

Analysis Software Development Kit (SDK). 

Secure Access Client. Citrix software used to connect users to network resources. In 

the Standard Edition, users access a secure URL to download the software and 

authenticate to the Access Gateway appliance. In the Advanced Edition, 

administrators create a connection policy to require use of the software when 

users access specific logon points. Users may download the software after they 

authenticate. 

Secure Sockets Layer (SSL). A standards-based security protocol for encryption, 

authentication, and message integrity. It is used to secure the communications 

between two computers across a public network, authenticate the two 

computers to each other based on a separate trusted authority, and ensure that 

the communications are not tampered with. SSL supports a wide range of 

ciphersuites. The most recent version of SSL is Transport Layer Security 

(TLS). 

server farm. A group of computers running Citrix Presentation Server and managed as 

a single entity, with some form of physical connection between servers and a 

database used for the farm’s data store. See also, access server farm. 

session reliability. Part of the collection of features that comprise SmoothRoaming, 

Session Reliability enables ICA sessions to remain active and on the user’s 

screen when network connectivity is interrupted. Session Reliability 

incorporates Common Gateway Protocol (CGP) which restores the user’s 

session quickly and transparently. 

small form factor device. A client device, such as a PDA, with limited display 

capabilities.


SmartAccess. A feature that allows organizations to control which resources users get 

access to, based on their access scenario, and what they can do with those 

resources when they get access. In addition, this functionality integrates with 

Citrix Presentation Server to give organizations this same level of granular 

control over published applications. 

SmoothRoaming. The ability to access information continuously across devices, 

locations, and networks. This feature includes Workspace Control, session 

reliability, and dynamic display reconfiguration. 

split DNS. A feature that enables failover to a user’s local DNS if the default remote 

DNS is unavailable. 

split tunneling. A feature enabling the client device to send only the traffic destined for 

the secured network through the VPN tunnel. With split tunneling, groupbased 

policies apply to the internal network interface only. For connections 

from inside of the firewall, group-based policies do not apply to traffic to 

external resources or resources local to the network; that traffic is not 

encrypted. 

SQL Server Express. The newest version of MSDE. See Microsoft SQL Server 

Desktop Engine (MSDE) for more information. 

Transport Layer Security (TLS). See Secure Sockets Layer (SSL). 

trusted. Refers to a user, service, or resource that is specifically allowed to access the 

corporate network. 

untrusted. Refers to a user, service, or resource that is specifically disallowed from 

accessing the corporate network. 

user groups. In Access Gateway Standard Edition, a user group consists of a 

collection of users, policies, and resources. User groups can be configured to 

correspond with user groups configured on authentication servers. All local 

users are automatically added to the Default user group. Users can also be 

added to other user groups you have configured. 

Web-based email. A method of receiving, composing, and sending email using a Web 

browser instead of a local email application. 

Web client. An ActiveX control that supports the launching and embedding of 

published applications. 

Web proxy. The URL rewriting component of Access Gateway Advanced Edition. 

Web resource. A set of URLs or Web applications that consists of virtual directory 

paths such as http://mycompany/mydocument. A Web resource is one of the 

corporate resources available to users through the Access Gateway. 

Web server. A computer that delivers Web pages to browsers and other files to 

applications using HyperText Transfer Protocol (HTTP).

APPENDIX B 

Scan Properties Reference 

Scan packages contain the software you need to create scans to detect information 

about client devices. When creating scans, you typically specify one or more 

property values that you’re looking for, such as an operating system version or 

service pack level. This reference topic lists the properties you can configure for 

Citrix scan packages. 

For information about creating scans, see “Creating Endpoint Analysis Scans” on 

page 166. 

Note: This topic is available from the online help system of any server running 

the Advanced Access Control software. If you need information about specific 

properties while creating scans, use your online help to locate this reference topic. 

Scan packages are organized alphabetically within the following groups by the 

type of product or properties being scanned: 

• “Antivirus Scan Packages” on page 240 

• “Browser Scan Packages” on page 245 

• “Firewall Scan Packages” on page 248 

• “Machine Identification Scan Packages” on page 253 

• “Miscellaneous Scan Packages” on page 255 

• “Operating System Scan Packages” on page 256


Antivirus Scan Packages 

Citrix Scans for McAfee VirusScan 

Detects if the required version of McAfee VirusScan software (personal edition) 

is running on the client device. 

Supported Versions 

• At least up to VirusScan 2006 v.11.0.209 

Properties You Can Specify 

Property Name 

Minimum required build 

version 

Description/Format 

Note that this property is mislabelled and appears incorrectly 

as “Minimum required engine version.” Use format N.N, 

where N is an integer. You can find the build version number 

in the “About” information box for the installed application. 

Scan Outputs 

Scan Output Name 

Program Version 

Verified-McAfee- 

VirusScan 

Description 

This is the version of the key program executable file. The 

major and minor version numbers are the same as those 

displayed in the program user interface. The rest of the 

version number may be ignored when reported. 

This Boolean output indicates if the required minimum 

version of the application is running on the client device. 

Citrix Scans for McAfee VirusScan Enterprise 

Detects if McAfee VirusScan software (Enterprise edition) is running on the 

client device. 


• At least up to VirusScan Enterprise v.8.0i Pattern 4825

Appendix B Scan Properties Reference 241 


Property Name 

Minimum required engine 

version 

Minimum required pattern 

file version number 


Use format N.N. For example, 4.4. Note that the application 

user interface and registry may display the engine version 

number in different formats. For example, engine version 4.4 

may display in the user interface as 4400 and the same engine 

version may display in the registry as 4.4.00. However, in 

both cases, you should enter the “minimum required engine 

version” as 4.4 when you create a scan. 

Use format N, where N is an integer. 

Scan Outputs 


Verified-McAfee-Virus- 

Scan-Enterprise 

Engine Version 

Pattern Version 

Description 

This Boolean output indicates if this application is running on 

the client device. 

Indicates the On-Access scan engine version running on the 

client device. If this product is not installed or is not 

executing, the version defaults to 0.0.0.0. 

Indicates the pattern file version running on the client device. 

If this product is not installed or is not executing, the version 

defaults to 0. 

Citrix Scans for Norton AntiVirus Personal 

Detects if Norton AntiVirus software (personal edition) is running on the client 

device. 


• At least up to Norton AntiVirus 2006 v.12.2.0.13 Pattern 2006 0809.018



Property Name 

Days between required 

virus scans 

Minimum required product 

version 




This is the number of days within which a full-system 

antivirus scan must have run. Zero (0) indicates that any or no 

scan is acceptable. Use an integer between 0 and 365. 

Use the format N.N.N, where N is an integer. 

Use the format YYYYMMDD.NNN, where YYYY is the 

four-digit year, MM is the two-digit month, DD is the twodigit 

day, and NNN is a three-digit integer. 

Scan Outputs 


Verified-Norton-Antivirus 

Product version 

Pattern version 

Description 

Indicates if this application is running on the client device. 

Indicates the software version running on the client device. If 

this product is not installed or is not executing, the version 

defaults to 0.0.0.0. 




Citrix Scans for Symantec AntiVirus Enterprise 

Detects if Symantec AntiVirus Enterprise software is running on the client 

device. 


• At least up to Symantec AntiVirus Enterprise v10.0.0.359 Pattern 2006 

0809.018



Property Name 


version 




Use the format N.N.N, where N is an integer. 

Use the format YYYYMMDD.NNN, where YYYY is the 

four-digit year, MM is the two-digit month, DD is the twodigit 

day, and NNN is a three-digit integer. 

Scan Outputs 


Verified-Symantec-AV- 

Enterprise 

Product version 

Pattern version 

Description 








Citrix Scans for Trend OfficeScan 

Detects if Trend OfficeScan antivirus software is running on the client device. 


• At least up to Version 7.3 Pattern 3.645.00 


Property Name 


version 




Use the format N.N, where N is an integer. 

The three-digit short form of the pattern file version running 

on the client device. Use the format N, where N is an integer. 

For example, for version 2.763, 763 is the short form you 

enter.


Scan Outputs 


Verified-Trend-OfficeScan 

Product Version 

Pattern Version 

Description 







defaults to -1. 

Citrix Scans for Windows Security Center 

Antivirus 

Detects if the Windows Security Center reports that the client device is using 

antivirus software. There are no properties for you to specify in this scan beyond 

specifying the conditions under which the scan is applied. 

Note that accurate scan results require that antivirus software be monitored 

through the Windows Security Center. If an antivirus software product does not 

register properly with the Windows Security Center, it is possible for the scan to 

indicate incorrectly that the client device has no antivirus software enabled. Test 

to ensure that Windows Security Center correctly registers the antivirus software 

products you deem acceptable or check the Windows Security Center 

documentation for details of the products it supports. 


• Windows XP SP2 - Security Center 

Scan Outputs 


Antivirus Enabled 

Description 

Indicates (True/False) if the Windows Security Center reports 

that the client device is using antivirus software.


Browser Scan Packages 

Citrix Scans for Browser Type 

Detects if specified browser software is being used to connect from the client 

device. You can scan for Microsoft Internet Explorer, Mozilla Firefox, Netscape 

Navigator, Safari, or other software. 

Scans from this package do not require client-side software to run on the client 

device. Scan outputs are determined by examining the communication sent by the 

user’s browser. 


• At least up to Microsoft Internet Explorer 6.0 

• At least up to Mozilla Firefox 1.5.06 

• At least up to Netscape Navigator 8.1 

• At least up to Safari 2.0 


Property Name 

Expected browser type 


This is the browser you want to check for on the client device. 

Select Microsoft Internet Explorer, Mozilla Firefox, Netscape 

Navigator, Safari, or Other. 

Scan Outputs 


Verified - Browser Type 

Browser Type 

Description 

Indicates whether (True or False) the browser type you 

specified is being used to connect from the client device. 

Returns the type of the client browser. “Other” is returned if a 

browser other than Microsoft Internet Explorer, Mozilla 

Firefox, Netscape Navigator, or Safari is being used. 

Citrix Scans for Internet Explorer 

Detects if the specified version of the browser software exists on the client 

device.



• At least up to Internet Explorer Version 6.0 Service Pack 2 


Property Name 

Minimum required version 


Use the format N.N.N.N, where N is an integer. However, you 

can specify a version as simple as N.N or as detailed as 

N.N.N.N (for example, 6.0.3790.1830). 

Scan Outputs 



Verified-Internet-Explorer- 

Installed 


Connecting 

Description 

The version of the key program executable file. The major 

and minor version numbers are the same as those displayed in 

the program user interface. The rest of the version number 

may be ignored when reported. 

This Boolean output indicates if the minimum or later 

required version of the application is running on the client 

device. 


required version of the application is being used to perform 

the connection. 

Citrix Scans for Internet Explorer Update 

Detects if the specified version (including update or hotfix version level) of the 

browser software exists on the client device. 


• At least up to Internet Explorer Version 6.0 SP2 


Property Name 

Data Set 


Provide the name of a data set file containing the specified 

updates or hotfix version levels required. See “Using Data 

Sets in Scans” on page 172 for more information.


Scan Outputs 



Patch 

Description 

Indicates if the updates specified in the data set are present on 

the client device. 

Citrix Scans for Mozilla Firefox 

Detects if the specified version of the Mozilla Firefox browser exists on the client 

device. The scan package uses the published Windows registry settings. 


• At least up to Firefox Version 1.5.06 


Property Name 



Use the format N.N.N.N, where N is an integer. However, you 

can specify a version as simple as N.N or as detailed as 


Scan Outputs 



Verified-Mozilla-Firefox- 

Installed 

Verified-Mozilla-Firefox- 

Connecting 

Description 


and minor version numbers are the same as those shown in 





device. 




Citrix Scans for Netscape Navigator 

Detects if the specified version of the Netscape Navigator browser exists on the 

client device. The scan package uses the published Windows registry settings.



• At least up to Netscape Navigator Version 8.1 


Property Name 



Use the format N.N.N.N, where N is an integer. However, 

you can specify a version as simple as N.N or as detailed as 


Scan Outputs 



Verified-Netscape- 

Navigator-Installed 

Verified-Netscape- 

Navigator-Connecting 

Description 


and minor version numbers are the same as those shown in 





device. 




Firewall Scan Packages 

Citrix Scans for McAfee Desktop Firewall 

Detects if the specified version of the firewall software exists on the client device. 


• At least up to McAfee Desktop Firewall 8.5 Build 260



Property Name 


number or combined 

version and build number 


To specify the version number, use the format N.N, where N 

is an integer. To specify the version and build number, use the 

format N.N.NNN, where N is an integer. 

Scan Outputs 


Version 

Verified-McAfee-Desktop- 

Firewall 

Description 







Citrix Scans for McAfee Personal Firewall Plus 

Detects if the specified version of the firewall software exists on the client device. 


• At least up to McAfee Personal Firewall Plus 2006 Version 7.1.113 


Property Name 


number 


N.N, where N is an integer.


Scan Outputs 


Version 

Verified-McAfee-Personal- 

Firewall-Plus 

Description 


and minor version numbers will be the same as those 

displayed in the program user interface. The rest of the 

version number may be ignored when reported. 



Citrix Scans for Microsoft Windows Firewall 

Detects if the specified version of the Microsoft Windows Firewall or Internet 

Connection Firewall (ICF) exists on the client device. 


The scan can detect the following firewalls on these operating systems: 

• Microsoft Windows XP Home and Professional: ICF 

• Microsoft Windows XP Home and Professional Service Pack 1: ICF 

• Microsoft Windows XP Home and Professional Service Pack 1: Windows 

Firewall 

• Microsoft Windows 2003: ICF 


Property Name 

Windows Firewall without 

exceptions is required 


Select True if you require Windows Firewall to be active 

without exceptions. Select False if you require ICF to be 

active on all connections or if you require Windows Firewall 

to be active (with exceptions). See “Adding Rules to Scans” 

on page 169 for an example showing how to add multiple 

rules with exceptions to a scan. 

Scan Outputs 


Description 

Verified-Windows-Firewall This Boolean output indicates if the required minimum 

version of the application is running on the client device.


Citrix Scans for Norton Personal Firewall 

Detects if the specified version of Norton Personal Firewall exists on the client 

device. 


• At least up to Norton Personal Firewall 2006 Version 9.1.0.33 


Property Name 


number 



Scan Outputs 


Version 

Version-Norton-Personal- 

Firewall 

Description 





This Boolean output indicates if the required version of the 

application is running on the client device. 

Citrix Scans for Windows Security Center Firewall 

Detects if the Windows Security Center reports that the client device is using a 

firewall. The Windows Security Center allows you to monitor various security 

items on a client device running the Windows XP SP2 operating system. There 

are no properties for you to specify in this scan beyond specifying the conditions 

under which the scan is applied. 

Note that accurate scan results require that the firewall be monitored through the 

Windows Security Center on the client device. If a firewall product does not 

register properly with the Windows Security Center, it is possible for the scan to 

indicate incorrectly that the client device has no firewall enabled. Test to ensure 

that Windows Security Center correctly registers the firewall products you deem 

acceptable or check the Windows Security Center documentation for details of 

the products it supports.



• Windows XP SP2 - Security Center 

Scan Outputs 


Firewall Enabled 

Description 

Indicates if (True/False) the Windows Security Center reports 

that the client device is using a firewall. 

Citrix Scans for ZoneAlarm 

Detects if the specified version of the free ZoneAlarm firewall exists on the client 

device. 


• At least up to ZoneAlarm 2006 Version 6.5.731.00 


Property Name 


number 



Scan Outputs 


Version 

Verified-ZoneAlarm 

Description 

The version of the key program executable. The major and 

minor version numbers are the same as those displayed in the 

program user interface. The rest of the version number may 

be ignored when reported. 



Citrix Scans for ZoneAlarm Pro 

Detects if the specified version of the ZoneAlarm Pro firewall exists on the client 

device.



• At least up to ZoneAlarm 2006 Version 6.5.731.00 


Property Name 


number 



Scan Outputs 


Engine Version 

Verified-ZoneAlarm-Pro 

Description 

The version of the key program executable. The major and 

minor version numbers are the same as those displayed in the 

program user interface. The rest of the version number may 

be ignored when reported. 



Machine Identification Scan Packages 

Citrix Scans for Domain Membership 

Detects if the client device belongs to a specified domain. 


Property Name 

A client domain name is 

required 

Domain name 


True means the client device must belong to a named 

domain. False means the client device is not required to 

belong to a domain. 

A valid domain name. Workgroup names are not valid.


Scan Outputs 


Domain 

Verified-Domain 

Description 

The name of the domain that the client device belongs to. If a 

client domain name is not required, the output is “unknown.” 

Indicates if the client device belongs to the specified domain. 

Citrix Scans for MAC Address 

Detects the media access control (MAC) address for each network interface card 

(NIC) or network adapter on the client device and compares the address against a 

data set containing the list of group names mapped to valid MAC addresses. 

This scan requires you to create a double-column data set listing valid MAC 

addresses mapped to group names. The scan detects the network adapter (the first 

value or column in the data set) and maps that address to a group name (the 

second value or column in the data set). Scans use this mapping to verify to which 

group the client device belongs. The MAC addresses in the data set should be in 

the format NN:NN:NN:NN:NN:NN, such as 00:11:11:06:B3:E9. Note that you 

should use a colon (:) as the separator in this format rather than a hyphen (-). 

Important: This scan package treats data as case sensitive. Avoid creating 

conflicting entries that differ in case. For example, it is possible to create an entry 

for the same address and map it to two different groups. One entry might map the 

address 00:50:8b:e8:f9:28 to the Finance group. Another entry can map the same 

address with different case lettering, 00:50:8B:E8:F9:28, to the Sales group. Such 

entries make scan results unreliable. 

For more information about using data sets, see “Using Data Sets in Scans” on 

page 172. 


Property Name 

Data set name 

Group name 


Name of a data set file that maps each MAC address to a 

group name. 

Name of a group to which the NIC or network adapter must 

belong.


Scan Outputs 


Group name 

Matched-MAC-Address 

Description 

Returns the group name associated with the MAC address of 

the client device network interface or adapter. 

This Boolean output indicates if the network interface or 

adapter belongs to the specified group of MAC addresses. 

Miscellaneous Scan Packages 

Citrix Bandwidth Scan 

Determines the connection bandwidth between the client and the Access Gateway 

appliance. You can use the results of this scan in policies to determine, for 

example, whether published applications can be launched. 

This scan determines the bandwidth of a client’s connection by reading an image 

file and calculating the time it takes to read the file during the time the scan runs. 

The image file, citrix_bw.gif, is located in the themes/default/images folder of the 

logon point’s virtual directory. To change the size of this image file, overwrite this 

file with another of the same name. 

Note that the accuracy of scan results is affected by the time allotted for the scan 

to run as well as the size of the image file. For example, users on slow 

connections may experience prolonged logon times if the image file is 72 MB and 

the scan runs for 120 seconds. If the scan runs for 5 seconds, however, the correct 

bandwidth may not be calculated. Test to ensure there is a balance between the 

size of the image file and the time allotted for the scan to run so that users with 

high bandwidth and low bandwidth connections have similar logon experiences. 


Property Name 

Desired Bandwidth 

Time 


The level at which a connection is considered “high 

bandwidth.” 

The maximum length of time the scan is allowed to run.


Scan Outputs 


Bandwidth 

Description 

This Boolean output indicates if the client connection meets 

the specified bandwidth. 

Operating System Scan Packages 

Citrix Scans for Macintosh 

Detects whether or not the client device is running the Mac OS system software. 

Scans from this package do not require client-side software to run on the client 

device. Scan outputs are determined by examining the communication sent by the 

user’s browser. 

There are no properties for you to specify in this scan beyond specifying the 

conditions under which the scan is applied. 


• Mac OS X 

Scan Outputs 


Client Is Macintosh 

Description 

Reports whether or not the client device is running Mac OS 

system software. 

Citrix Scans for Microsoft Windows Service Pack 

Detects if the operating system software on the client device is running at a 

required minimum service pack level. 


Property Name 

Minimum required service 

pack 


Select a Windows service pack version from the drop-down 

menu. Select None to detect a base, unpatched operating 

system version.


Scan Outputs 


Service Pack 

Verified-Windows-Service- 

Pack 

Description 

Returns the service pack version running on the client device. 


service pack level is met. 

Citrix Scans for Microsoft Windows Update 

Detects whether a set of specified operating system updates are installed on the 

client device. 

Note: This scan package requires you to create a single-column data set listing 

the update names you wish to detect. 


Property Name 

Data set name 


Name of a data set file that contains a single column list of 

updates appropriate for the detected operating system. 

Scan Outputs 


Description 

Verified-Windows-Updates This Boolean output indicates if the updates specified in the 

data set file exist on the client device.

Access Gateway Advanced Edition Administrator's Guide - Citrix ...

Create successful ePaper yourself

Delete template?

Save as template?