Citrix NetScaler Application Switch SSL VPN User’s Guide for the Windows® Platform Release 7.0 Citrix Systems, Inc.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation.
Chapter 1 SSL VPN Overview
SSL VPN is a secure remote access solution that provides point-to-point communication between remote users, such as mobile employees, partners, or resellers, and a private enterprise network. It does so by creating a secure SSL-based tunnel between a user's computer and the SSL VPN gateway.
The agent is installed on your computer when you log on for the first time. You can configure it to log on directly to the gateway, without having to log on via the Web portal. This is known as the native login mode. Alternatively, you can log on to the gateway via the SSL VPN login page.
Chapter 2 Getting Started
The preceding chapter covered the architectural details of the SSL VPN client. In this chapter you will learn to use both versions of the SSL VPN client, log on to the gateway, and access intranet resources.
System Requirements
The system requirements for the SSL VPN client are: Operating system: Microsoft Windows 98, Windows 2000, Windows NT, Win-...
Figure 2-1 Security Alert window
The security alert indicates that there might be discrepancies in the certificate. The possible issues are:
• The certificate has expired.
• The domain name in the certificate does not match the domain name of the server.
Figure 2-2 SSL VPN Login page
3. Enter your user name and password and click Login. When you log on to the SSL VPN gateway for the first time, a security warning is displayed as shown in the following figure. This warning prompts you to download the browser plug-in.
Note: On a Windows XP-based system, the following dialog box is displayed.
Figure 2-4 Security warning on a Windows XP-based computer
4. Click Yes. The Secure Remote Access Session window is displayed as shown in the following figure, and the plug-in begins to download. A "Loading..."...
5. When the download has completed, the Secure Remote Access Session window displays the following message: "Closing this window will exit SSL VPN Session". This indicates that the SSL VPN session is now active. The portal page configured by the SSL VPN administrator is displayed in the main browser window, as shown in the following figure.
Figure 2-7 Download prompt page
Note: For details on working with a pop-up blocker, especially for a computer running Windows XP with SP2, consult the SSL VPN administrator.
You can now access resources on the remote site. For example, if you have logged on to your office network, you can launch your e-mail client and access your messages.
Figure 2-8 The Security Alert window
The security alert indicates that there might be discrepancies in the certificate. The possible issues are:
• The certificate has expired.
• The domain name in the certificate does not match the domain name of the server.
Figure 2-9 SSL VPN Login page
3. Enter your user name and password and click Login. When you log on for the first time, the following download page is displayed. Click the link to download and install the agent.
SSL VPN User’s Guide...
Figure 2-10 Download page
4. When the agent is successfully installed, a security alert is displayed as shown in the following figure.
Figure 2-11 Security warning
5. Click Yes. The portal page configured by the SSL VPN administrator is displayed in the main browser window with the agent displayed in the system tray, as shown in the following figure.
Figure 2-12 Portal page
You can now access resources on the remote site. For example, if you have logged on to your office network, you can launch your e-mail client and access your messages.
nate an SSL VPN session.
2.4.1 Terminating the Session for the Agent
The following procedure covers the steps to terminate the session for the agent.
1. Check the Windows system tray to confirm that the agent is active and that you are currently logged on. Right-click the icon and select Logout from the short-cut menu.
3. Select a cleanup option from the Select Cleanup Level box and click . The cleanup process is initiated and the status is displayed on the Cleanup dialog box as shown in the following figure. Figure 2-15 Cleanup dialog box with details 4.
2.4.2 Terminating the Session for the Browser Plug-in
The following procedure covers the steps to terminate the session for the agent.
1. Click Logout on the plug-in window. The following message box is displayed.
Figure 2-17 Confirmation message box
2.
Figure 2-18 List pane
The Cleanup list consists of check boxes that allow you to select the data types that need to be deleted when you log off. Based on the configuration on the gateway, and the cleanup level might appear disabled. This is explained as follows. This check box indicates that you have selected the data set for deletion.
• Applications that have accessed SSLVPN services
• Application data
• Passwords and autocomplete data stored by browser
• History and URLs typed in the address bar
• Browser cache cookies and temporary files
NetScaler agent and activex browser plug-in
When you select this option and initiate the cleanup process, all versions of the client are uninstalled from your computer.
Browser cache cookies and temporary files
When you select this option and initiate the cleanup process, the client selects data that is stored in the browser for deletion. The client deletes all cached files regardless of whether they were cached from the remote network or the Internet.
Chapter 3 Using the SSL VPN Portal
The default Portal page is created based on the data configured by the SSL VPN administrator. The Portal page is shown in the following figure. This page lists the most commonly accessed intranet Web sites and file systems. The SSL VPN administrator configures the links visible under the ‘Configured’...
Using Portal Tools
The Portal page has several built-in tools to assist you in using the SSL VPN. These tools include a ping interface for checking the accessibility of network hosts, tips, online help, the SSL VPN file transfer utility, and the SSL VPN themes utility.
To create these bookmarks, click on the ‘add’ links on the right side of the page. The following figure shows the New Bookmark page. In the ‘Name’ field, enter the label to be used for your new link. In the ‘Address Field’...
Figure 3-4 Remove bookmark page
Note: You can remove only bookmarks listed under the ‘Personal’ column and not those under the configured column.
3.1.2 File Transfer
This page allows you to log on to the intranet and access shared resources. The following figure displays this page.
Figure 3-5 File Transfer page
The following sections cover the various components of the File Transfer page.
Top Panel
The top panel of the browser window displays a number of buttons that allow you to perform various tasks pertaining to the storage and transfer of files.
Click this button to upload the selected file from the local client computer to a folder in the remote file server.
Click this button to delete the selected file from the remote machine.
Click this button to change the name of a file or folder, which is selected.
To log on to a file server
1. Enter the IP address or the name of the server in the Address field.
Note: If you leave this field blank, you will be logged on to the intranet and not any specific server.
3. Click the Save button. The Save As dialog box is displayed.
4. Navigate to the appropriate folder, and click the Save button to save the file.
To upload a file to the remote server
1. Select the file on the local machine.
2.
Figure 3-8 No themes configured
Selecting a theme for the SSL VPN session
Under the ‘Themes’ tab on the SSL VPN portal, you can see the themes that the VPN administrator has made available for use. Click on the ‘Select’ button next to the theme name for the theme to be applied for your current VPN session and all further VPN sessions.
Figure 3-9 Customize your theme Select the colors you want for each item on the SSL VPN portal page, the font style and size and then click the ‘Save Preferences’ button. The customized theme will now replace the old theme on the portal page. Note You can restore the default theme for the portal page by clicking on the ‘Reset to site defaults’...
Chapter 4 Configuring the SSL VPN Client
The client supports a minimal set of configuration tasks, based on the policies configured on the gateway. This chapter covers all the tasks that you can perform on the client.
Configuring Login Settings
You can configure several login-related settings such as the login mode, gateway, proxy server, etc.
Figure 4-1 Gateway Enterprise Edition dialog box
Enter the appropriate password in the Password field and click Connect. A security alert is displayed as shown in the following figure. The security alert indicates that there might be discrepancies in the certificate. The possible issues are: •...
4.1.2 Configuring Native Login
If you typically use the SSL VPN for non-Web browser related activities such as using an e-mail client, downloading files via FTP, etc., you might prefer the Native Login mode. When this mode is enabled, you can log on to the SSL VPN without having to launch a Web browser.
Figure 4-4 Change Profile dialog box
4. Click the Options tab. The Options pane is displayed.
Figure 4-5 Options pane
5. Select the Use native login window for next time login option and click . The updated configuration details of the profile are displayed.
4.1.3 Setting the SSL VPN Gateway
When configured to function in the Native Login mode, the client uses the preconfigured IP address of the gateway to connect to it.
5. Enter the login credentials for the new gateway and click Connect.
4.1.4 Configuring Proxy Settings
You can configure the client to connect to the SSL VPN gateway via a proxy server. The following procedure lists the steps to configure the proxy server settings on the client.
1. Check the Windows system tray to confirm that the agent is idle and that you are currently logged out. If the icon is absent, click Start > Programs > Citrix Access Gateway Enterprise Edition > Launch SSL VPN client.
2. Right-click the icon and select Login from the short-cut menu. The Citrix Access Gateway Enterprise Edition dialog box is displayed as shown in Figure 4-1.
2. Right-click the icon and select Login from the short-cut menu. The Citrix Access Gateway Enterprise Edition dialog box is displayed as shown in Figure 4-6.
3. Right-click Right-click for advanced options and select Show Secondary Password from the short-cut menu. An additional password field is added as shown in the following figure.
the traffic is sent to the local LAN or the Internet. You can view the list of IP addresses, ports, and applications in the Profile pane of the Configuration dialog box as shown in the following figure.
Figure 4-8 List of IP addresses, ports, and applications
Consider a scenario where you have logged on to the SSL VPN and you need to...
• When you choose this option, Split Tunneling is enabled. The client compares the destination IP address, or port, or application name of the packets against the values configured by the SSL VPN administrator on the gateway. If one of the values matches, the packets are sent to the remote network via the SSL VPN tunnel.
when Split Tunneling is enabled. This setting has three options: Local, Remote, and Both.
• Local: When you choose the Local option, all DNS lookups are sent to the local DNS server on your local LAN. If you are connected to the Internet, the lookups are sent to your ISP’s DNS server.
local and remote networks. As the domain exists on both networks, a domain conflict occurs.
Figure 4-9 Domain conflicts caused by identical domains
Note: When split tunneling is disabled, the local domain is not included during the lookup and the Domain/IP Conflict pane is disabled.
The following procedure lists the steps to configure the client for the scenario illustrated in Figure 4-9.
8. Click OK to exit the Configuration dialog box.
4.2.4 Managing Network Conflicts
As mentioned in the Configuring Split Tunneling section, a network conflict occurs when the client is unable to send traffic to a remote network as another network with an identical IP address range exists on the local LAN.
Figure 4-11 Incorrect routing of traffic due to network conflicts
Note: When split tunneling is disabled, access to the local network is disabled. This group box is unavailable when split tunneling is disabled.
1. Right-click the agent in the Windows system tray and select Configuration from the short-cut menu.
The client is aware of your local LAN IP settings. When it intercepts traffic, it examines the destination IP address. If it belongs to the local LAN, the client does not send it through the secure SSL VPN tunnel. Instead, it sends it to the local LAN.
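The split-tunneling match and the network-conflict case described in this chapter, modeled as an added Python example (not Citrix client code). The policy values, the names `Policy`, `find_conflicts` and `decide`, the local-LAN-first ordering, and the behaviour with split tunneling off are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Split-tunnel values an administrator would set on the gateway (constructed)."""
    networks: list
    ports: set = field(default_factory=set)
    apps: set = field(default_factory=set)


def find_conflicts(local_lan, policy):
    """Return the remote networks whose address range overlaps the local LAN."""
    lan = ipaddress.ip_network(local_lan)
    return [n for n in policy.networks if ipaddress.ip_network(n).overlaps(lan)]


def decide(dest_ip, dest_port, app, policy, local_lan, split_tunneling=True):
    """Return (path, reason) for one outbound packet."""
    if not split_tunneling:
        # Assumption: with split tunneling off, all traffic uses the tunnel.
        return ("tunnel", "split-tunneling-disabled")
    ip = ipaddress.ip_address(dest_ip)
    in_remote = any(ip in ipaddress.ip_network(n) for n in policy.networks)
    if ip in ipaddress.ip_network(local_lan):
        # Assumption: local LAN addresses stay local. If the same range is also
        # a remote network, the remote host cannot be reached: a network conflict.
        return ("local", "network-conflict" if in_remote else "local-lan")
    if in_remote:
        return ("tunnel", "ip-match")
    if dest_port in policy.ports:
        return ("tunnel", "port-match")
    if app.lower() in policy.apps:
        return ("tunnel", "app-match")
    return ("local", "no-match")


# Constructed sample policy and home LAN; 203.0.113.0/24 is a documentation range.
POLICY = Policy(networks=["10.10.0.0/16", "192.168.1.0/24"],
                ports={1494}, apps={"outlook.exe"})
HOME_LAN = "192.168.1.0/24"

if __name__ == "__main__":
    print("conflicting ranges:", find_conflicts(HOME_LAN, POLICY))
    for pkt in [("10.10.5.20", 443, "iexplore.exe"),
                ("192.168.1.50", 445, "explorer.exe"),
                ("203.0.113.10", 1494, "client.exe"),
                ("203.0.113.10", 80, "iexplore.exe")]:
        print(pkt, "->", decide(*pkt, POLICY, HOME_LAN))
```

Running `find_conflicts` against the local subnet before connecting shows which remote ranges would be shadowed by the local LAN.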
Chapter 5 Troubleshooting the SSL VPN Client
This chapter covers the troubleshooting of the SSL VPN browser plug-in and the agent. The following topics are described in this chapter:
• Debugging the SSL VPN Client
• SSL VPN Session Error Codes
•...
from one of four levels of detail as shown in the following figure.
Figure 5-1 Trace Tab
SSL VPN Session Error Codes
The error codes, displayed by the SSL VPN session window, are displayed in the following table.
Table 5-1 Error codes
Error Code Description...
Table 5-2 Specific error codes displayed by the SSL VPN session
Codes Message
0001 "Loading ..."
0002 "Closing this window will exit the SSL VPN session"
0003 "Exiting ..."
0004 "You are not logged in"
"Session timed out, you are not logged in"...
Codes Message
1001 "Internal Error, please report to admin"
1003 "Internal Error, please report to admin"
1004 "Internal Error, please report to admin"
1005 "Internal Error, please report to admin"
1006 "Internal Error, please report to admin"
1007 "Internal Error, please report to admin"...
Codes Message
1008 "Internal Error, please report to admin"
1010 "Login failed (num)."
1011 "Failed to download configuration"
1012 "Failed to initialize plug-in (num)."
Explanation
This message indicates that the SSL VPN client has a socket-handling problem. The client failed to log on to the SSL VPN.
Codes Message
1013, 1013(2), 1013(3), 1013(4) "Failed to parse configuration(num)"
1015 "SSL connection failure"
2001 "SSL VPN session has been timed out"
2002 "Please install dsclient.exe"
2003 "SSLVPN configuration issue"
2004 "Need to install endpoint security software"
Explanation
The configuration downloaded by the client from the kernel is incorrect.
Codes Message
2005 "Need to upgrade endpoint security software"
2006 "Required security software is not activated"
2007 "Hook doesn't match plug-in version"
2008 "Plug-in version mismatch"
2009 "Proxy requires unsupported authentication"
2010 "Proxy authentication failed, need to relogin."
2011 "Failed to validate SSL Certificate."...
Codes Message
2013 "Failed to parse forward proxy setting."
2014 "Need to stop software "XYZ""
"Incorrect OS Version"
2015 "Login exceeds maximum allowed users"
2016 "SSL VPN server is not reachable."
Explanation
The plug-in failed to parse the Internet Explorer or Firefox forward proxy setting.
Codes Message
2017 "You are in a quarantine group. Certain applications will be unavailable"
"Custom message configured by the SSL VPN administrator through -clientsecuritymessage option."
3001 "You are already logged into the SSL VPN"
3002 "You are not logged into the SSL VPN"...
Codes Message
3004 "Failed to load plug-in, contact VPN admin"
3005 "Invalid user name or password"
4001 "Internal Error"
Compression Statistics
The compression tab displays statistics about the current SSL VPN session’s TCP traffic compression rates, broken down by individual connections. The columns on this tab include the following statistics.
Figure 5-2 Compression Tab
Connection Logs
You can use the connection logs to troubleshoot connection-related issues. The following procedure lists the steps to access the connection logs.
1. Check the Windows system tray to confirm that the agent is active and that you are currently logged on. Right-click the icon and select Show Connection Log from the short-cut menu.
Figure 5-3 Connection log
If you are using the browser plug-in, use the following procedure.
1. Click Configuration in the plug-in window. The Configuration dialog box is displayed.
2. Click the Trace tab. The Trace pane is displayed.
3. Click Show Connection Log to view the log. The connection log window is displayed as shown in Figure 5-3.
Chapter 6 FAQs
Why does the SSL VPN need a Windows account with administrative privileges?
The SSL VPN browser plug-in inserts a new layer between the application and Windows Kernel. This operation requires administrative privilege in a Windows account.
Why does SSL VPN not work with MS Windows 9x?
The MS Windows 9x operating system does not support encryption/decryption for SSL/SSPI, which is required for SSL VPN.
Why doesn't the SSL VPN work when my Personal Firewall is enabled?
The SSL VPN opens a server port on the local PC. The default port number is 3128. If the port is being used by another application, the plug-in searches for the next available port.
Appendix A Uninstalling the SSL VPN Clients
This chapter covers the procedures for uninstalling the plug-in and the agent.
Uninstalling the Browser Plug-in
To uninstall the plug-in, perform the following procedure.
1. Launch Internet Explorer.
2. Select Internet Options from the Tools menu. The Internet Options dialog box is displayed.
Figure A-2 Settings dialog box
2. Click View Objects. The Downloaded Program Files folder is displayed. This folder contains all of the Web browser plug-ins. The plug-in is labeled Nsload Control.
Figure A-3 Downloaded Program Files folder
To uninstall the plug-in, delete Nsload Control by right-clicking it and selecting the Remove option from the shortcut menu.
Uninstalling the Agent
You can uninstall the agent by launching the Add/Remove Programs application. The following procedure lists the steps to uninstall the Agent.
1.