Check Point Connectra Citrix Troubleshooting (4th Edition) October 10, 2005

Transcription

1 Check Point Connectra Citrix Troubleshooting (4th Edition) October 10, 2005 IMPORTANT Check Point recommends that customers stay up-to-date with the latest service packs, HFAs and versions of security products, as they contain security enhancements and protection against new and changing attacks. In This Section Introduction Introduction page 1 Troubleshooting Checklist page 1 Common Connectra-Citrix problems page 2 This document pertains to Citrix-related issues that occur when working through Connectra without the use of SSL Network Extender (SNX). If you experience any problems with Citrix following the Connectra deployment, review: the relevant chapters in Connectra s Administration Guide. Connectra s release notes for additional information. the Troubleshooting Checklist on page 1. the description of the problem scenario in Common Connectra-Citrix problems. Troubleshooting Checklist Connectivity Make sure that: 1) The Connectra machine has a network route to all WI (NFuse) servers that are intended to be used and that all relevant server ports are accessible. Typically the server ports are 80 or 443. HTTP and/or HTTPS protocols must be traversable towards WI (NFuse) servers.

2 2) The Connectra machine has a network route to all MetaFrame servers intended to be used and that all relevant server ports are accessible. Typically the server ports are 1494 or ICA protocol must be traversable towards MetaFrame servers. 3) The Connectra machine has a network route to all STA servers intended to be used, if any, and that port 80 on STA servers is accessible, and that HTTP protocol is traversable. 4) Connectra users have a network route to the Connectra machine. Configuration Make sure that: 1) Citrix servers and clients are of those versions supported by Connectra. 2) All necessary STA servers are configured with corresponding Citrix Services on Connectra. 3) Connectra s server certificate is configured according to specifications and is trusted by client-side devices. See Server & Root Certificates for more information. Common Connectra-Citrix problems Common Connectra-Citrix topology integration issues are: 1) Server & Root Certificates 2) Security Restrictions 3) External STA Servers 4) Java Packages 5) JVM Environments 6) Published Links to Web Content Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

3 Server & Root Certificates When introducing Connectra into a Citrix topology, all traffic between ICA clients and Connectra becomes SSL-encrypted. SSL encryption requires the use of server certificates. Independent Citrix Architecture (ICA) requires gateway server certificates to be issued to a server s FQDN, and not to an IP address. To enable Citrix traffic to pass through Connectra, Connectra must utilize a server certificate issued to Connectra s FQDN. Connectra s FQDN must also be routable from the client side. The Windows Operating System and many Web browsers come preconfigured with a set of root certificates from reputable Certification Authorities (CAs). The list of trusted CAs installed by default includes, but is not limited to Thawte, VeriSign, GeoTrust, and EnTrust. To be economical, companies may opt to provide their own CA services. To do so, they must install and use their own certificate-generating service. Microsoft provides such a service with Microsoft Certificate Services, an optional Windows component. Should a company elect to use its own certificate server, the onus for distributing the CA root certificate to clients falls upon that company. As an additional service, Connectra is capable of producing and utilizing a self-signed server certificate. Connectra also aids with distribution of its root certificate in cases where Citrix architecture allows it. But in most cases, the onus for distributing your CA root certificate to clients falls upon you. Tip - Independent Citrix Architecture (ICA) allows automatic root-certificate distribution for Citrix Java clients 8.2 and earlier, deployed through the WI (NFuse) portal. In such a case, root-certificate distribution becomes transparent for both Connectra administrators and users. Server & Root Certificate Scenario #1 This indicates that your Connectra s server certificate is issued to an IP address instead of an FQDN. Make sure Connectra s server certificate is issued to FQDN that fully matches the FQDN of the Connectra server. Make sure the FQDN of the Connectra server is routable from the client side. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

4 Server & Root Certificate Scenario #2 Your Connectra s server certificate is issued by a private Certification Authority (CA), which is not trusted by the client-side browser. This includes Connectra s self-signed certificates. Add the root certificate of the private CA to the browser s list of Trusted Certification Authorities on each client-side device. When using Connectra s self-signed certificate, the root certificate is located on the Connectra machine under $CVPNDIR/var/ssl/server.crt Alternatively, set Connectra to use a server certificate signed by a reputable CA. Server & Root Certificate Scenario #3 (NFuse) portal. During the launch, the progress bar freezes: The following popup may also appear: The following are possible causes for this problem: Connectra s server certificate is issued to an FQDN that is not routable from the client side. In this case, Connectra s certificate was issued to cpmodule.checkpoint.com Connectra s server certificate is issued to an FQDN that does not match the FQDN of Connectra but matches the FQDN of a different computer instead. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

5 There is more than one machine with the specified FQDN, either rightfully or due to DNS problems or asymmetric routing problems. Make sure Connectra s server certificate is issued to FQDN that fully matches the FQDN of the Connectra server. Make sure that the FQDN of the Connectra server is routable from the client side. Server & Root Certificate Scenario #4 Connectra s server certificate is issued to a host-name instead of an FQDN. Make sure the Connectra s server certificate is issued to FQDN that fully matches the FQDN of the Connectra server. Make sure the FQDN of the Connectra server is routable from the client side. Security Restrictions Connectra utilizes many built-in security features that effectively screen the inner networks from external threats. In addition, Connectra s endpoint security features guard customers privacy on each particular client device. Occasionally, protection mechanisms may hamper legitimate user activities. In order to eliminate this possibility, Check Point recommends switching off all security features during troubleshooting. Problems of this nature are considered to be flaws and should be reported to Check Point for proper handling. User experiences may vary widely. The practical steps one should take include: Modifying Connectra s Protection Level (PL) settings to allow all caching. This might be especially helpful in the following cases: when working with non-standard ICA clients when working with non-standard Client versions when using the MetaFrame Presentation Server Client Packager Switching off Web Intelligence features Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

6 Switching off SmartDefense features Switching off Endpoint Security features External STA Servers Connectra supports WI (NFuse) servers configured to work in ticketed mode. This implies Connectra s ability to work with external STA servers. This also implies Connectra s ability to work aside other gateways, such as a Citrix Secure Gateway (CSG). In order to utilize these capabilities, Connectra must be configured in a manner similar to a CSG. Specifically, Connectra must know the IDs and the addresses of the STA servers used by each particular WI (NFuse) server. Tip - Currently, Connectra is capable of working with STA servers via HTTP on port 80 only. External STA Servers Scenario #1 The following are possible causes for this problem: Connectra s configuration of the Citrix Service lacks STA server configuration Connectra s configuration of the Citrix Service has an invalid STA server configuration Connectra encountered a problem while connecting to an STA server There is a problem with an STA server STA protocol version is not supported by Connectra Make sure Connectra s configuration of the Citrix Service includes all STA servers configuration, exactly matching the configuration of the WI (NFuse) server in question. Make sure all relevant STA servers are up and functioning. Make sure all relevant STA servers are routable from Connectra. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

7 External STA Servers Scenario #2 The following are possible causes for this problem: Connectra encountered a problem while connecting to an STA server Connectra s configuration of the Citrix Service has an invalid STA server configuration There is a problem with an STA server STA protocol version is not supported by Connectra Make sure Connectra s configuration of the Citrix Service includes STA servers configuration, exactly matching the configuration of the WI (NFuse) server in question. Make sure all relevant STA servers are up and functioning. Make sure all relevant STA servers are routable from Connectra. Java Packages When using Java clients, it is possible to specify what packages will be used by the Java client. Java packages are modules capable of supporting various added functionalities of the client. For example, SSL/TLS, ICA Encryption, Seamless Windows etc. Connectra enforces some of the added functionalities of the Java client. For example, SSL/ TLS encryption and ICA encryption. Therefore, some packages must be present. Connectra is capable of adding the enforced packages automatically. However, in various non-standard cases (e.g. custom-designed applets), this might not be sufficient. Problems of this nature are considered to be flaws and should be reported to Check Point for proper handling. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

8 Java Packages Scenario #1 This indicates that the WI (NFuse) server is configured to deploy ICA Java clients without the appropriate package. In this example, Java client is missing the ICA Encryption package. Configure the WI (NFuse) server to deploy ICA Java clients together with the required package. Java Packages Scenario #2 (NFuse) portal. During the launch, Java applet deployment freezes: Causes for this may vary. For instance, you may encounter this case when WI (NFuse) server was configured to deploy ICA Java clients without the SSL package. Make sure that WI (NFuse) server is configured to deploy ICA Java clients together with SSL & ICA Encryption packages. Try selecting all possible packages and then determine which one is missing. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

9 JVM Environments When using Java clients, a Java Virtual Machine (JVM) is required to run on the client device. Each particular version of Citrix Java client has a certain matrix of JVMs it supports and JVMs it does not support. Each particular JVM may also need to be configured in a certain way, in order for ICA Java client to function properly. Connectra has nothing to do with the inner-workings of this functionality. However, when introducing Connectra into Citrix topology, all traffic between ICA clients and Connectra becomes SSL-encrypted. This changes the way ICA Java client interacts with a JVM. It might be that particular versions of ICA Java clients must work with a different JVM when utilizing SSL/TLS. Connectra & Citrix administrators should be mindful of this fact and make sure Java clients are able to utilize SSL/TLS before introducing Connectra into Citrix topology. User experiences may vary widely. If at any point during the initial Connectra introduction, ICA Java client malfunctions or fails to deploy make sure the JVM requirements are up to Citrix specifications. Tip - Citrix Java clients 8.2 and earlier, utilizing SSL in IE - function only using MS JVM - this is a Citrix restriction, not Connectra's. Citrix Java clients 9.0 and later, utilizing SSL in IE - function only using SUN JVM - this is a Citrix restriction, not Connectra's. Please note that currently, ICA clients 9.x or later are supported through the use of SNX client only. This is due to the fact that Citrix changed the underlying communication protocol and canceled backward compatibility. Published Links to Web Content Citrix allows publishing of applications as well as web content accessible through URL links. Connectra administrators might not be informed about the nature of applications and / or web content published by Citrix administrators. This poses a problem since Connectra will not allow any web content to pass through unless the particular user is granted access to the web resource. Thus, Connectra administrators must take care of users accessing Citrix-published web content by defining special Web Applications in Connectra so that those particular users are able to browse to Citrix-published web content. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

10 Published Links to Web Content Scenario #1 A user clicks the aaa icon in the WI (NFuse) portal. The icon is a published URL link pointing to a web resource on a secure Web Server: After clicking the aaa icon, the user gets the following window: The reason the URL under the aaa icon has not been configured as a Web Application in Connectra. As a result, access to this URL has been blocked by Connectra. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,

11 Make sure that such URLs are accessible via Connectra by configuring corresponding Web Applications in Connectra administration GUI. Check Point Connectra - Citrix Troubleshooting (Public document). Last Update October 10,