Creating and Configuring New Citrix Web Interface Site in XenApp 6

Before installing the Web Interface, you must configure your server to add the Web server role and install IIS and ASP.NET.

To use IIS 7.x on Windows Server 2008, install the Web Server (IIS) role and then enable the following role services:

  • Web Server > Application Development > ASP.NET
  • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

If you plan to enable pass-through, pass-through with smart card, and/or smart card authentication, you also need to install the following role services:

  • For pass-through and pass-through with smart card authentication, enable Web Server > Security > Windows Authentication
  • For smart card authentication, enable Web Server > Security > Client Certificate Mapping Authentication
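
The same role services can be added from PowerShell, installing the authentication role services only when the matching logon method is actually planned. This is an added example, not part of the original walkthrough; it assumes Windows Server 2008 R2 (where the ServerManager module is available), and the function name is hypothetical.

```powershell
# Added example; assumes Windows Server 2008 R2 with the ServerManager module.
# Install-WebInterfaceIisPrereqs is a hypothetical helper name.
function Install-WebInterfaceIisPrereqs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$PassThrough,   # pass-through or pass-through with smart card
        [switch]$SmartCard      # smart card authentication
    )
    Import-Module ServerManager

    $features = @(
        'Web-Server',     # Web Server (IIS) role
        'Web-Asp-Net',    # Application Development > ASP.NET
        'Web-Metabase'    # IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
    )
    # Add authentication role services only for the logon methods in use.
    if ($PassThrough) { $features += 'Web-Windows-Auth' }  # Security > Windows Authentication
    if ($SmartCard)   { $features += 'Web-Client-Auth' }   # Security > Client Certificate Mapping Authentication

    # Install only what is not already present.
    $missing = @(Get-WindowsFeature -Name $features |
                 Where-Object { -not $_.Installed } |
                 ForEach-Object { $_.Name })
    if ($missing.Count -eq 0) {
        Write-Output 'All required role services are already installed.'
        return
    }
    if ($PSCmdlet.ShouldProcess(($missing -join ', '), 'Add-WindowsFeature')) {
        Add-WindowsFeature -Name $missing
    }
}

# Preview what would be installed for a site that uses pass-through authentication.
Install-WebInterfaceIisPrereqs -PassThrough -WhatIf
```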

 

Launch the “Citrix Web Interface Management” console from the Windows Start –> Programs –> Citrix –> “Management Consoles” path.

Creating New Web Interface Site:

In the Citrix Web Interface Management Console, right-click “XenApp Web Sites” under “Citrix Web Interface” and click “Create Site”.

  1. You’ll now be presented with the “Create Site” wizard. On this screen:
    1. Choose the IIS site you plan to use for the Web Interface.
    2. Specify the path under the inetpub folder where the site files will be placed. In my case, it resolves to “C:\inetpub\wwwroot\Citrix\XenApp”.
    3. Provide the name for your new Web Interface site.
  2. The next step is to specify the authentication type for Web Interface access by the user. Choose one of the following options as per your needs:
    1. At the Web Interface
    2. At Microsoft AD FS account partner
    3. At Access Gateway
    4. At third party using Kerberos
    5. At Web Server
  3. Review the summary of settings and press Next to have the site created.
  4. Upon successful site creation, you can configure its further behavioral settings.

 

Configuring Web Interface Site:

 

  1. Provide the appropriate “Farm Name” and add the servers that are running the XML service. The Citrix XML Service is a component of XenApp that acts as the point of contact between the server farm and the Web Interface server. By default, XenApp installs the XML service on each XenApp server. You can also have a dedicated server running the XML service.
    1. Enter the port number in the XML Service port box. This port number must match the port used by the Citrix XML Service on all the servers specified in the Servers list.
    2. From the Transport type list, choose one of the following options:
      1. HTTP. Sends data over a standard HTTP connection. Use this option if you made other provisions for the security of this link.
      2. HTTPS. Sends data over a secure HTTP connection using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). You must ensure that the Citrix XML Service is set to share its port with Internet Information Services (IIS) and that IIS is configured to support HTTPS.
      3. SSL Relay. Sends data over a secure connection that uses the SSL Relay running on a server running XenApp to perform host authentication and data encryption.
    3. If you are using SSL Relay, specify the TCP port of the SSL Relay in the SSL Relay port box (the default port is 443). The Web Interface uses root certificates when authenticating a server running the SSL Relay. Ensure all the servers running the SSL Relay are configured to listen on the same port. Note: If you are using SSL Relay or HTTPS, ensure the server names you specify match exactly (including the case) the names on the certificate for the server running XenApp or XenDesktop.
  2. On the following screen, select the authentication method appropriate for you. You can configure the following authentication methods for the Web Interface:
    1. Explicit (XenApp Web sites) or prompt (XenApp Services sites). Users are required to log on by supplying a user name and password. User principal name (UPN), Microsoft domain-based authentication, and Novell Directory Services (NDS) are available. For XenApp Web sites, RSA SecurID and SafeWord authentication are also available. 
    2. Pass-through. Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop. Users do not need to reenter their credentials and their resource set appears automatically. Additionally, you can use Kerberos integrated Windows authentication to connect to server farms. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on. For more information about Kerberos, see XenApp Administration.
    3. Pass-through with smart card. Users can authenticate by inserting a smart card in a smart card reader attached to the user device. If users have installed the Citrix online plug-in, they are prompted for their smart card PIN when they log on to the user device. After logging on, users can access their resources without further logon prompts. Users connecting to XenApp Web sites are not prompted for a PIN. If you are configuring a XenApp Services site, you can use Kerberos integrated Windows authentication to connect to the Web Interface, with smart cards used for authentication to the server farm. Note: Because of the security enhancements introduced in Windows Vista, smart card users running Windows Vista or Windows 7 are required to provide their PINs when they access an application, even if you enable pass-through with smart card authentication.
    4. Smart card. Users can authenticate using a smart card. The user is prompted for the smart card PIN. Note: Pass-through, pass-through with smart card, and smart card authentication are not available with Web Interface for Java Application Servers.
    5. Anonymous. Anonymous users can log on without supplying a user name and password, and access resources published for anonymous users.  Important: Anonymous users can obtain Secure Gateway tickets despite not being authenticated by the Web Interface. Because Secure Gateway relies on the Web Interface issuing tickets only to authenticated users, this compromises one of the security benefits of using Secure Gateway.
  3. Choose the option for domain restriction, by which you can allow only users of selected domains to log on to the servers. Only the entered domain names appear in the Logon domain box.
  4. Choose the Logon Screen Appearance.
  5. Choose the type of published content that users can access from the Web Interface site. Note: Users must have the appropriate client plug-in to run the published applications.
  6. Review the summary of options you chose for the new site and click Finish to complete the wizard.
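
The note in step 1 says that with HTTPS or SSL Relay the server names you enter must match the names on the server certificate exactly, including case; the check below connects to each configured server and compares the typed name against the names in the certificate it presents. It is an added example, not part of the original walkthrough or of Citrix tooling, and the function name and server names are hypothetical placeholders.

```powershell
# Added example: pre-flight check for the HTTPS / SSL Relay transport.
# Test-XmlBrokerCertName is a hypothetical helper name.
function Test-XmlBrokerCertName {
    param(
        [Parameter(Mandatory = $true)][string[]]$ServerName,  # exactly as typed in the Servers list
        [int]$Port = 443                                      # SSL Relay default port from the text
    )
    foreach ($name in $ServerName) {
        $result = New-Object PSObject -Property @{
            Server = $name; Port = $Port; CertNames = $null; ExactMatch = $false; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($name, $Port)
            # Accept any certificate for this inspection only: the goal is to read
            # the names it carries, not to make a trust decision.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($name)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            # Collect the subject common name plus any Subject Alternative Names.
            $names = @($cert.GetNameInfo('SimpleName', $false))
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
            $result.CertNames = $names

            # -ccontains is case-sensitive, matching the "including the case" requirement.
            $result.ExactMatch = $names -ccontains $name
        }
        catch { $result.Error = $_.Exception.Message }
        finally { $client.Close() }
        $result
    }
}

# Constructed placeholder names; pass the exact strings from the Servers list.
Test-XmlBrokerCertName -ServerName 'xa01.example.local', 'XA02.example.local' -Port 443 | Format-List
```

A server reported with ExactMatch set to False has a name in the Servers list that differs from its certificate, for example in case or in short name versus FQDN; the CertNames column shows what to enter instead.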

0 thoughts on “Creating and Configuring New Citrix Web Interface Site in XenApp 6”

  1. Hi,
    We want to integrate third party authentication with Citrix Web Interface. We do not get any idea how to implement this. We want the approach as listed in the following points-

    1. User enters the Citrix Web Interface URL in the browser. A Citrix web interface login page is loaded.
    2. Once user enters the “username”, “password” and “domain”, the user should be authenticated to some third party authentication system say a web service.
    3. Once user is authenticated by the third party system, the user should be added to the Citrix XenApp domain controller and grant required permission to access the XA websites.

    We have the following questions –
    1. Can we modify the user interface code or simply add a new authentication page in C# which can connect to the 3rd party authentication web service?
    2. Is it possible to add a new user to XenApp AD from the WebInterface programmatically in C#?
    3. Can we use XenApp without using the Active directory?
    4. How is the ADFS used in XenApp? Can it be fit into our implementation as explained above?

    Or even, do we have any mechanism to implement as stated above? I do not understand how third party authentication with Kerberos works in Web Interface.
    Please help !!

    1. Vikram,

      Why do you want to implement a third party authentication against default AD authentication? Are you trying to authenticate/validate users out of your organization domain? Where are those users coming from?

      Answers to your queries:

      1. Can we modify the user interface code or simply add a new authentication page in C# which can connect to the 3rd party authentication web service?
      2. Is it possible to add a new user to XenApp AD from the WebInterface programmatically in C#?

      I hope that can be implemented.

      3. Can we use XenApp without using the Active directory?

      Yes, you can use the local system users. However, XenApp without AD implementation doesn’t make much sense as most of the settings need to be managed separately for non-domain users.

      4. How is the ADFS used in XenApp? Can it be fit into our implementation as explained above?

      ADFS can be used if you need to authenticate users belonging to other domains (of other organizations). It again turns out to be one of the AD integrated technologies.

      1. Hi Govardhan,
        Thanks for your valuable comments. The scenario is like this –
        1. Set up Citrix XenApp server with Web Interface and publish an IE which will run a website.
        2. We do not want to provide the anonymous access to Web Interface as any user can copy the URL and access the site.
        3. The website which will be running on published IE on XA server currently has an authentication system, so we want to authenticate the users from this before accessing the actual XenApp Web Interface.
        4. We tried to use the Anonymous user and it worked well on our development environment, but it was failing once we deployed that on the cloud platform (AWS EC2).
        5. So we need this kind of mechanism to integrate the third party authentication system which is already in place and working well for the website. The XA solution is being implemented for supporting the website on Mac and other Android platforms, which is not supported while accessing directly from these platforms.

        1. I see that as a fairly simple requirement for any platform that has to go live on cloud via Citrix XA.

          IIUC, at the end of the day you are allowing only a set of people who have the credentials for the third party authentication system. In that case, you can simply configure your XA application for the same set of users. With this, only people who have credentials that work for both the XA Web Interface and your third party authentication system can connect to the session. You fully avoid any other users being able to log in to the session.

          However, if it’s not desirable to have the same user authenticate at two levels, you can rather automate login to the third party authentication system once the user manually logs into the Web Interface and launches the application.

          Hope this helps you!

  2. Govardhan,
    What we want to implement is not like this. Actually our customer already has an authentication system and he wants to use credentials from that only rather than from XenApp AD users. As this is a case of millions of users, it’s not good to create all those users in XenApp AD. So we are looking to integrate the authentication system with XA. We have also gone through the XenApp web interface code but we could not find the event of the LOGIN button where we want to pass the username/password to the existing third party system and, if authenticated, simply provide access to the XenApp application. Even if we can add our own Login page to Web Interface and authenticate users and then redirect to XenApp, it would work for us. Unfortunately we have not found any way to do this…

    1. It’s possible to author your own web interface page and redirect the login to somewhere else. But the challenge that would remain is redirecting the user page back to the application on the XA. XA by default doesn’t allow that as it’s not supposed to.

      You could probably get a better solution for your requirement by contacting Citrix; in particular, such requirements will be accommodated if your organization is a Citrix Partner or gets Citrix developers support for your product.

  3. While we create a web site using “At web interface” option…website created with https://xx…Is it designed to create website by default with https instead of http? or is it intentionally to make the site secured? Could you brief a bit about that?
