In this installment we’ll take a look at setting up Citrix Secure Gateway (CSG) 3.2 and Web Interface (WI) 5.3 together on a single server to provide secure connections to a Citrix XenApp farm. CSG allows clients to make secure connections to our XenApp servers from the Internet without the use of a VPN. I will be using the versions of CSG and WI that are provided with Citrix XenApp 6 and I’ll be installing them on Windows Server 2008 R2. The server will be set up in a DMZ and will not be a member of my Active Directory domain.
This tutorial assumes that you have already installed a XenApp 6 server farm and configured it with published applications; installing XenApp 6 and publishing an application are covered in earlier posts, and you'll need at least one published application to test with. In addition, you'll need to configure a DNS server or a hosts file entry on your client so that the CSG/WI server can be reached by a fully qualified domain name; the name the client uses must match the name on the certificate CSG presents.
In a previous post I discussed configuring an IPsec VPN between a Cisco router and a Windows PC with the Cisco VPN client installed. Today I'll expand on this by configuring the VPN to use the RADIUS protocol to authenticate VPN users. This eases administration and lets users log in to their VPN sessions with their directory services user accounts. For the RADIUS server I will use a Windows Server 2003 R2 that is part of an Active Directory domain with the IAS service installed. The IAS service can just as easily be configured with local user accounts on a Windows workgroup server if desired. When I first started implementing this I had great difficulty getting the IPsec VPN to work with RADIUS, I guess the IOS configuration commands can be a bit tricky. But now it just keeps on working!
Configure the Cisco Router IOS
In this example my router is configured as in the example Configure Cisco Router for Remote Access IPsec VPN Connections. Run through that article and come back here once you’ve completed it.
Next we need to modify AAA so that the login list used for extended authentication (xauth) of VPN users queries the RADIUS server. The list name must be the same one referenced by the crypto map's client authentication list. Note that "local" here is a fallback only when no RADIUS server responds; a reject from the RADIUS server is final and does not fall through to the local user database.
R1# conf t
R1(config)# aaa authentication login VPN_CLIENT_LOGIN group radius local
Now we need to add the RADIUS server. Specify its IP address and the shared key, which must match the key entered for this router in the IAS RADIUS client entry. Use a long random key; service password-encryption only obscures it in the configuration with the reversible type 7 scheme. IAS listens on the legacy ports 1645/1646 as well as 1812/1813 by default.
R1(config)# radius-server host 192.168.2.4 auth-port 1645 acct-port 1646 key RadiusKey
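The RADIUS-backed xauth pieces as they appear in the running configuration, as an added example that is not from the original post. The server address, ports and key are the ones used in this article; the interface and crypto map names are assumed.

```ios
! Added example (not the article's own configuration). The RADIUS server
! address, ports and key match the article; FastEthernet0/1 and VPN_MAP
! are assumed names.
aaa new-model
!
! "group radius local": RADIUS is tried first; "local" is consulted ONLY
! when no RADIUS server answers (timeout or unreachable). An Access-Reject
! from IAS is final and does not fall through to the local database.
aaa authentication login VPN_CLIENT_LOGIN group radius local
!
! IAS accepts both 1645/1646 and 1812/1813 by default. Use a long random
! key; "service password-encryption" only applies reversible type 7.
radius-server host 192.168.2.4 auth-port 1645 acct-port 1646 key RadiusKey
!
! Source RADIUS traffic from the inside interface so the client address
! IAS sees (192.168.2.254) matches the RADIUS client registered in IAS.
ip radius source-interface FastEthernet0/1
!
! The xauth list name must match the one bound to the crypto map that
! terminates the VPN clients (VPN_MAP is assumed).
crypto map VPN_MAP client authentication list VPN_CLIENT_LOGIN
```

Before testing from a VPN client, confirm the router can reach IAS from enable mode with `test aaa group radius <user> <password> new-code`, and run `debug radius` to see the Access-Request and the Access-Accept or Access-Reject that comes back; a timeout rather than a reject usually means the source address or shared key does not match the IAS client entry.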
That’s it for the configuration in the Cisco IOS. Now let’s move over to the Windows 2003 IAS configuration.
Configure Windows Server 2003 IAS RADIUS Service
If you have previously read my article Set Up Windows 2003 IAS Server with RADIUS Authentication for Cisco Router Logins, you have a Windows IAS server already set up and the configuration should be able to authenticate your IPsec VPN connections. One thing that I have noticed is that my IPsec VPN authentication does not work when I have the IAS service installed on a domain controller. If the IAS service is installed on a domain member server the VPN connections do work fine. To configure the Windows IAS service follow these steps:
On a domain controller go into Start > Admin Tools > Active Directory Users and Computers. Optionally you can create a new group and add the users to it that you want to grant VPN login access. In this example I will grant access to the existing Domain Admins user group; a dedicated VPN users group is the better practice, so that VPN access is not tied to domain administration rights.
Now double click a user account that you want to provide router login capability. I will use the Administrator account.
In the user properties dialog click the Dial-in tab, then make sure that Remote Access Permission is set to "Allow access". You can also set this to "Control access through Remote Access Policy", in which case the user is granted permission through the group membership specified in the policy. Since we'll specify a group in the Remote Access Policy, this per-user step should not be necessary. Click OK.
In this article I'll walk through the configuration of the IOS on a Cisco router to support remote access IPsec VPN connections. IPsec is a suite of protocols that provides authentication and encryption of packets. Traditionally PPTP has been used extensively as a VPN because of its simplicity of configuration, especially on the client side. However, the security vulnerabilities of the PPTP protocol have been well documented. Cisco now has a feature called EasyVPN that allows us to specify the client configuration on the server and minimize direct configuration of the VPN on the client.
In this example I will make use of the fantastic GNS3/Dynamips software for router emulation. I've had some difficulties with IPsec and the Dynamips emulator; the VPN connection will start and work for a short time but then the connection will freeze. I have tested this configuration and it does work on a physical router, however.
I have set up my Cisco router with two interfaces, FastEthernet0/0 and FastEthernet0/1. The router is also configured with NAT overload for the internal network. Here is my network diagram, pretty basic configuration with an external and an internal network:
Here is my starting configuration of the router. Basically I've assigned IP addresses to the interfaces, configured the default route, and activated NAT. I'm using an extended access list to select the traffic to NAT; this will be important later because we'll need to exempt traffic between the internal network and the IP address pool that our VPN clients will use from translation. Note that this starting configuration also leaves ip http server enabled; the VPN does not need it, so on an Internet-facing router disable it with no ip http server unless you have a reason to keep it.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
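The EasyVPN server configuration that the starting config above is prepared for, including the NAT exemption the text refers to, as an added example that is not the original article's configuration. Only the interface addresses and the NAT access list name come from the article; the address pool, group name, keys, DNS address and object names are assumptions.

```ios
! Added example, not the article's own configuration. Interface addresses
! and the NAT ACL name are the article's; VPN_POOL (192.168.20.0/24),
! VPN_CLIENTS, the keys, DNS address and other object names are assumed.
aaa new-model
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
username vpnuser secret ChangeMe-UseAStrongPassword
!
! Phase 1: AES-256/SHA-1, pre-shared group key, DH group 2, which the
! Cisco VPN client of this era negotiates.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Settings pushed to the client by mode-config. "key" is the group
! pre-shared key entered in the Cisco VPN client connection profile.
crypto isakmp client configuration group VPN_CLIENTS
 key GroupPreSharedKey
 dns 192.168.2.4
 pool VPN_POOL
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
!
! reverse-route injects a host route for each connected client.
crypto dynamic-map VPN_DYNMAP 10
 set transform-set VPN_TS
 reverse-route
!
! Bind the xauth login list, the group authorization list, and let the
! router hand out addresses from the pool when the client asks.
crypto map VPN_MAP client authentication list VPN_CLIENT_LOGIN
crypto map VPN_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYNMAP
!
ip local pool VPN_POOL 192.168.20.1 192.168.20.50
!
interface FastEthernet0/0
 crypto map VPN_MAP
!
! NAT exemption. Inside-to-outside translation runs before encryption,
! so without the deny, replies from the LAN to VPN clients leave with the
! outside address as their source and the client sessions fail. The deny
! is evaluated first; the permit is also narrowed from "any any" to the
! LAN subnet so only LAN sources are ever translated.
ip access-list extended NAT
 deny   ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
```

After a client connects, `show crypto isakmp sa` should list the peer in QM_IDLE, `show crypto ipsec sa` should show encaps/decaps counters rising, and `show ip nat translations` should show no entries for 192.168.20.x destinations. If you later switch the login list to RADIUS, only the `aaa authentication login VPN_CLIENT_LOGIN` line changes; the crypto map binding stays the same.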
In this installment we'll run through the configuration of a Cisco router to support PPTP VPN remote access clients. The weaknesses of PPTP combined with MS-CHAP-V2 authentication, the most commonly supported and simplest configuration, have been documented for over a decade: the MS-CHAP-V2 exchange can be captured and attacked offline, so the security of the session rests entirely on the strength of the user's password. The advantage of PPTP is that it is fairly simple to set up and lets Windows and Mac clients reach our secured network without installing the Cisco VPN client software. More secure PPTP configurations use EAP-TLS for authentication; these involve deploying client certificates and are beyond the scope of this article. In a future post I plan to discuss setting up a more secure IPsec-based VPN on a Cisco router.
In this example I will make use of the fantastic GNS3/Dynamips software for router emulation. I have set up a router with the NM16-ESW adapter to give the router basic switching functionality to test with an internal VLAN. The router is also configured with NAT overload for the internal network. Here is my network diagram, pretty basic configuration with an external network and an internal VLAN network: