How do I code a Citrix web site to use the Secure Gateway (CSG)?

Posted on 2024-07-14 08:18:40

I'm using Citrix's sample code as a base and trying to get it to generate ICA files that direct the client to use their Secure Gateway (CSG) provider. My configuration is that the ICA file's server address is replaced with a CSG ticket and traffic is forced to go to the CSG.

The challenge is that both the Citrix App Server (that's providing the ICA session on 1494) and the CSG have to coordinate through a Secure Ticket Authority (STA). That means that my code needs to talk to the STA as it creates the ICA file because STA holds a ticket that the CSG needs embedded into the ICA file. Confusing? Sure! But it's much more secure.

The pre-CSG code looks like this:

AppLaunchInfo launchInfo = (AppLaunchInfo)userContext.launchApp(appID, new AppLaunchParams(ClientType.ICA_30));
ICAFile icaFile = userContext.convertToICAFile(launchInfo, null, null);

I tried to pass the SSLEnabled information to the ICA generation, but it was not enough. Here's that code:

launchInfo.setSSLEnabled(true);
launchInfo.setSSLAddress(new ServiceAddress("CSG URL", 443));

Now, it looks like I need to register the STA when I configure my farm:

ConnectionRoutingPolicy policy = config.getDMZRoutingPolicy();
policy.getRules().clear();

//Set the Secure Ticketing Authorities (STAs).
STAGroup STAgr = new STAGroup();
STAgr.addSTAURL(@"http://CitrixAppServerURL/scripts/ctxsta.dll");

//create Secure Gateway connection
SGConnectionRoute SGRoute = new SGConnectionRoute(@"https://CSGURL");
SGRoute.setUseSessionReliability(false);
SGRoute.setGatewayPort(80);
SGRoute.setTicketAuthorities(STAgr);
// add the SGRoute to the policy
policy.setDefault(SGRoute);

This is based on code I found on the Citrix Forums; however, it breaks my ability to connect with the Farm and get my application list!

Can someone point me to an example of code that works? Or a reference document?


Comments (3)

避讳 2024-07-21 08:18:40

The code in the question is basically right, but I was trying too hard to inject configuration into the launching ICA generator.

Note: Using the WebInterface.conf file for guidance is a good way to determine the right config settings. Even if the code is right, the configuration is very touchy!

Most of the Citrix Secure Gateway (CSG) / Secure Ticket Authority (STA) magic happens when the policy for the initial connection to the farm is established. Specifically, in Global.asax.cs, you must have the following blocks of code:

1) you must have a valid STAGroup:

//Set the Secure Ticketing Authorities (STAs).
STAGroup STAgr = new STAGroup();
STAgr.addSTAURL(@"http://[STA URL]/scripts/ctxsta.dll");

2) then you must create a CSG connection (with the STA mapped):

 //create Secure Gateway connection
 SGConnectionRoute SGRoute = new SGConnectionRoute(@"[CSG FQDN without HTTPS]");
 SGRoute.setUseSessionReliability(false);
 SGRoute.setGatewayPort(443);
 SGRoute.setTicketAuthorities(STAgr);

3) you need to set the policy default

 // Create a DMZ routing policy
 ConnectionRoutingPolicy policy = config.getDMZRoutingPolicy();
 policy.getRules().clear();
 policy.setDefault(SGRoute);

4) you need to tell the launchInfo that you want to be CGP enabled:

launchInfo.setCGPEnabled(true);

WARNING: The SSL enabled is a red herring.
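
A check that could be run over a generated ICA file to confirm the outcome of the four steps above, added here as an example (not code from the answer or from Citrix). It assumes the usual INI layout of an ICA file, that a ticketed Address has the form `;<version>;<STA id>;<ticket>`, and that gateway routing appears as SSLEnable/SSLProxyHost; the sample files, host names and ticket are constructed.

```python
import configparser
import re

# Constructed sample ICA files; host names, STA id and ticket are placeholders.
DIRECT_ICA = """[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.5:1494
InitialProgram=#Notepad
"""

GATEWAY_ICA = """[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA01;0123456789ABCDEF0123456789ABCDEF
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=csg.example.com:443
"""

# Assumed ticket layout: ;<version>;<STA id>;<ticket>
TICKET_RE = re.compile(r"^;\d+;[^;]+;[0-9A-Za-z]+$")


def check_ica_routing(ica_text, gateway_host, gateway_port=443):
    """Return a list of findings; an empty list means every app goes via the gateway."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ica_text)
    if not cp.has_section("ApplicationServers"):
        return ["no [ApplicationServers] section"]
    findings = []
    expected = f"{gateway_host}:{gateway_port}"
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            findings.append(f"{app}: missing section")
            continue
        sec = cp[app]
        # A host:port here means the client would connect straight to the app server.
        if not TICKET_RE.match(sec.get("Address", "")):
            findings.append(f"{app}: Address is not an STA ticket")
        if sec.get("SSLEnable", "").lower() != "on":
            findings.append(f"{app}: SSLEnable is not On")
        if sec.get("SSLProxyHost", "").lower() != expected.lower():
            findings.append(f"{app}: SSLProxyHost is not {expected}")
    return findings


if __name__ == "__main__":
    for name, text in (("direct", DIRECT_ICA), ("gateway", GATEWAY_ICA)):
        print(name, check_ica_routing(text, "csg.example.com"))
```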

鹊巢 2024-07-21 08:18:40

There's another way to do this that is cleaner and more configurable. The code can be set up to use the webinterface.conf file that the default Citrix Web Interface uses.

The following code should replace all of the farmConfig, STAGroup, ConnectionRoutingPolicy mess in the above sample.

InputStream inputStream = new FileInputStream(@"C:\temp\WebInterface.conf");
CtxConfig configInput = new CtxConfig(inputStream);
Map settingsMap = configInput.getSettingsMap();
WIConfiguration wiConfiguration = ConfigurationParser.buildWIConfiguration(settingsMap);

com.citrix.wing.config.Configuration config = new com.citrix.wing.config.Configuration();
config.setGlobalConfig(wiConfiguration.getGlobalConfig());
config.setMPSFarmConfigs(wiConfiguration.getMPSFarmConfigs());
config.setDMZRoutingPolicy(wiConfiguration.getDMZRoutingPolicy());
config.setClientProxyPolicy(wiConfiguration.getClientProxyPolicy());

// Create a StaticEnvironmentAdaptor instance.
WIASPNetStaticAdaptor staticEnvAdaptor = new WIASPNetStaticAdaptor(this);

// Create a WebPNBuilder instance.
WebPNBuilder builder = WebPNBuilder.getInstance();
Application["WebPNBuilder"] = builder;

// Create a WebPN instance from the configuration.
WebPN webPN = builder.createWebPN(config, staticEnvAdaptor);
Application["WebPN"] = webPN;

Another note on this problem from using the JICA client with an internal certificate (non-trusted root).

The JICA client does not let you accept a certificate from a non-trusted root, so it was required to add the certificate to the Java CA store. Adding it to the Windows store does not do any good!

Get your dev root CA, then navigate to the bin directory of the latest Java install (typically, under c:\program files\java\jre***)

Execute the following command:

keytool -import -trustcacerts -keystore "..\lib\security\cacerts" -file "c:\temp\root.cer" -alias myroot 

I'll let you Google for the password because you're supposed to changeit [sic].
