The Ultimate Citrix Install Guide
 

18. How to Secure an Internet Information Services (IIS) Server

Security is always a concern, and with the help of SSL and a few utilities you can get a head start on securing your web servers. However, to keep the server as secure as possible, Microsoft recommends installing all hotfixes so that it stays protected against known security vulnerabilities.

The following procedures are defined in this section:

       How to install and configure the IIS Lockdown Tool (version 2.1)

       How to enable SSL on an NFuse IIS web server

       How to create and install a certificate with a public Certificate Authority

       How to create and install a certificate with Microsoft Certificate Server

       How to add the Certificates MMC snap-in

       How to back up your SSL certificate

       How to restore your SSL certificate

       How to force the use of SSL encryption on the NFuse web site

 

Note: It is far beyond the scope of this document to go into any great detail on how to secure your web server. I have started to add some content to this section, but it is really up to us all. Please email me suggestions on how to improve this section: dbrown@dabcc.com

 


18.1. How to Install and Configure the IIS Lockdown Tool (version 2.1)

The Microsoft IIS Lockdown Tool is a wizard-driven utility that works by turning off unnecessary features within IIS. For more information, visit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961.

The IIS Lockdown Tool requires Windows NT 4.0 running IIS 4.0 or Windows 2000 running IIS 5.0.

Download and extract the IIS Lockdown utility from Microsoft's web site. To lock down your IIS web server and still use NFuse, follow these steps:

1. Start iislockd.exe and click Next.

2. Click the I agree radio button and click Next.

3. Select Dynamic Web Server (ASP enabled), check the View template settings checkbox, and click Next.

4. Click Next.

5. Click Next.

6. Uncheck the Scripts checkbox and click Next.

7. Click Next.

8. Click Next.

9. Click Next.

10. Click Finish.

 

The IIS Lockdown Wizard creates two new local groups:

      Web Anonymous Users

      Web Applications

The local IUSR_COMPUTERNAME account is now a member of the Web Anonymous Users group. The wizard sets permissions using these two groups.

NFuse requires that the IUSR_COMPUTERNAME account have at least Modify rights on the C:\Inetpub\wwwroot\NFuseIcons folder. If the IUSR_COMPUTERNAME account does not have the right permissions on that folder, users will not see the icons for published applications on the NFuse page. Grant the Modify right on that folder only, so that the permission changes made by the lockdown stay in place everywhere else.

18.2. How to Enable SSL on the NFuse IIS Web Server

I would imagine that most small to medium-size deployments forget about, or don't see a need to enable, SSL certificates, but they are wrong. Without SSL, username and password information is sent from the web browser to the web server in clear text, which gives anyone able to observe the traffic the ability to compromise user credentials.

Another misconception is that working with SSL certificates is difficult. It is not. All you need to remember is that every web server certificate chains to a root certificate (the CA's own certificate), and the browser must trust that root. This is why I highly recommend using a certificate issued by a public CA. Certificates issued by a public CA chain to a root certificate that is already installed in most popular browsers, so they require zero administration on the workstation.

The following is a list of just a few public Certificate Authorities.

       http://www.baltimore.com/servercert/index.asp

       http://www.entrust.com

       http://www.geotrust.com

       http://www.instantssl.com/

       http://www.verisign.com/products/site/

With this in mind, you need to secure the NFuse web server(s) with an SSL certificate. The following procedures assist with the installation and maintenance of SSL certificates.

 


18.2.1. How to Create and Install a Certificate with a Public Certificate Authority

To obtain an SSL certificate from a certificate authority, you must first generate a Certificate Signing Request (CSR).

Follow these instructions to generate a CSR for a Microsoft Internet Information Server (IIS) 5.0 web site. When you have completed this process, send the CSR to your CA, or follow the CA's web instructions for generating a certificate.

1. Click Start > Programs > Administrative Tools > Internet Information Services.

2. Select the computer and web site (host) that you wish to secure. Right-click it and select Properties.

3. Select the Directory Security tab and click the Server Certificate button under Secure Communications.

4. Click Next to continue.

5. Click the Create a new certificate radio button and click Next.

6. Click the Prepare the request now, but send it later radio button and click Next.

7. At the Name and Security Settings screen, fill in the (friendly) name field for the new certificate and select the bit length. We recommend using a 1024-bit key length. Click Next.

8. Enter an Organization name (the exact legal name of your organization; do not abbreviate it) and an Organizational Unit (the section of the organization) and click Next.

Note: The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? & . This includes commas.

9. Enter the Common Name (the fully qualified domain name of your web server; this must exactly match the name users will type in the browser).

10. Enter the Country/Region (the two-letter ISO abbreviation for your country), State/Province (the state or province where your organization is legally located; this cannot be abbreviated) and City/Locality (the city where your organization is legally located). Click Next.

11. Enter a path and file name for the CSR.

12. Verify your request and then click Next.

13. At the Completing the Web Server Certificate Wizard screen, click Finish.

Note: DO NOT REMOVE the pending request, or the .crt file will not match and your certificate will not install.

 

14. Submit your CSR to the public CA of your choice and wait to receive your SSL certificate.

When you receive your SSL certificate, you will need to copy the certificate from the body of the email and paste it into a text editor (such as Notepad) to create the certificate text file.

The following documents how to install your new SSL web server certificate.

1. Click Start > Programs > Administrative Tools > Internet Services Manager.

2. Right-click the web site you want to secure and click Properties.

3. Click the Directory Security tab and click the Server Certificate button.

4. The Welcome to the Web Server Certificate Wizard window opens. Click OK.

5. Click the Process the pending request and install the certificate radio button and click Next.

6. Enter the location of the certificate file you received from the CA and click Next.

7. Verify the Certificate Summary to make sure all information is accurate. Click Next.

8. Click Finish.

Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate that you wish to use secure HTTP. The padlock icon in your web browser will be displayed in the locked position if you have set up your site properly.


18.2.2. How to Create and Install a Certificate with Microsoft Certificate Server

The following explains how to create and install SSL certificates with Microsoft's Certificate Server.

Note: Certificate Server must be installed in your domain before you begin.

1. Click Start > Programs > Administrative Tools > Internet Information Services. Expand the web server, right-click the web site (Default Web Site) you want to SSL-enable and open its Properties, then click the Server Certificate button on the Directory Security tab.

 

2. Click Next.

3. Click Create a new certificate and click Next.

4. Click Prepare the request now, but send it later and click Next.

5. Enter the name of the web server (www.dabcc.com) in the Name: text box, select a Bit Length of at least 1024 and click Next.

6. Select or type your organization's name and your organizational unit and click Next.

7. Enter the common name for your web site. This is the FQDN, such as www.dabcc.com. Click Next.

8. Enter your geographical information and click Next.

9. Enter the file name and path for the certificate request file (c:\certreg.txt) and click Next.

10. The next screen shows the settings you have configured for your approval. Verify that everything is correct and click Next.

11. Open Internet Explorer and browse to the certserv virtual directory on the server where you installed Microsoft Certificate Server (http://db2kad2/certserv).

12. Click Request a certificate and click Next.

13. Click the Advanced request radio button and click Next.

14. Click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file radio button and click Next.

15. Click Start > Run, type Notepad and click OK. Click File > Open and open the file you saved in step 9. Select the text between the dashed lines and click Edit > Copy.

16. Paste the selected text into the Base64 Encoded Certificate Request text box, select Web Server from the Certificate Template drop-down box and click Submit.

17. Select the Base 64 encoded radio button and click the Download CA certificate hyperlink.

18. Save the certificate with the name of the web server.

19. Right-click the certificate file you downloaded in step 18 and click Install Certificate.

20. Click Next.

21. Click Next.

22. Click Finish.

23. Click OK.

24. Return to the Internet Information Services management console and click the Server Certificate button.

25. Click Next.

26. Click the Assign an existing certificate radio button and click Next.

27. Highlight the certificate you installed above and click Next.

28. Click Next.

29. Click Finish.

30. Click OK.

You have now successfully set up your web server for HTTPS (SSL) communication.

 

 


18.2.3. How to Add the Certificates MMC Snap-in

The Certificates snap-in is not preconfigured in any Microsoft Management Console (MMC). You will need to add the snap-in before you can perform any export/import functionality. The following steps require system administrator access.

1. Click Start > Run, type: mmc and click OK.

2. Click Console > Add/Remove Snap-in.

3. Click Add.

4. Highlight Certificates in the list of available snap-ins and click Add.

5. Click the Computer account radio button and click Next.

6. Select the computer you want to manage and click Finish.

7. Click OK.

You are now ready to administer your SSL certificates.

 

18.2.4. How to Back Up Your SSL Certificate

Now that you have installed your certificate, it is very important to back it up. A backup is also needed if you want to move the certificate to a new server.

1. Go to the Microsoft Management Console (MMC) and add the Certificates snap-in as documented above.

2. Drill down to the Certificates folder (Console Root > Certificates (Local Computer) > Personal > Certificates).

3. Right-click the certificate and select All Tasks > Export.

4. The Welcome to the Certificate Export Wizard window opens. Click Next.

5. Click Yes, export the private key and click Next.

6. Make sure the Personal Information Exchange - PKCS #12 (.PFX) radio button is selected and check the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) box. Click Next.

Warning: Make sure that Delete the private key if the export is successful is NOT checked.

7. Type and confirm your export password.

Warning: If you lose the password, you might need to purchase another certificate.

8. Specify a name and path for the backup SSL certificate file and click Next.

9. Verify that you have entered the information correctly and click Finish.

You have now successfully backed up your SSL certificate. I highly recommend making multiple copies and storing them in different locations. Remember that the .pfx file contains the private key, so keep every copy where only administrators can read it.

 


18.2.5. How to Restore an SSL Certificate

If you need to rebuild your web server or move the certificate to a new server with the same fully qualified domain name, you will need to back up and restore your SSL certificate.

The following details how to restore a backed-up SSL certificate.

1. Double-click the backup SSL certificate (.pfx) file.

2. The Welcome to the Certificate Import Wizard window opens. Click Next to continue.

3. Enter the location of the certificate you want to import and click Next.

4. Enter the password that was entered when the certificate was backed up and click Next.

5. Click the Place all certificates in the following store radio button and then click Browse.

6. Click the Personal folder and click OK.

7. Verify that the settings are correct and click Finish.

8. Click OK.

9. Follow the procedure documented in How to Add the Certificates MMC Snap-in, except for step 5, where you will want to click the My user account radio button instead of Computer account.

10. Once you have finished adding the snap-in, verify that the certificate is in the proper location. In most cases you will find it in the Current User > Personal > Certificates folder. If so, drag it to the Certificates (Local Computer) > Personal > Certificates folder.

11. Click Start > Programs > Administrative Tools > Internet Services Manager.

12. Right-click the web site you want to add the certificate to and click Properties.

13. Click the Directory Security tab and click the Server Certificate button.

14. Click Next.

15. Click the Assign an existing certificate radio button and click Next.

16. Select the certificate you want to apply and click Next.

17. Verify that the certificate is correct and click Next.

18. Click Finish.

You are now ready to utilize SSL security on your web server.


18.3. How to Force the Use of SSL Encryption on the NFuse Web Site

Now that you have implemented an SSL certificate, you will want to force SSL encryption for the NFuse portal.

The following procedure documents how to force the use of SSL on the NFuse web site without requiring end users to type https:// in front of the NFuse address.

The first thing I do is move the NFuse web site to a subfolder underneath the existing folder (i.e., if the NFuse web site sits in the Portal folder, create a folder underneath the Portal folder called Columbia6 and move the contents of the Portal folder into it).

1. Browse to the NFuse web site folder. Click File > New > Folder and give the folder a name (if you are using Project Columbia you might want to give it a name such as Columbia6).

2. Copy the contents of the NFuse web site folder to the folder created in step 1.

3. Click Start > Run, type: notepad and click OK.

4. Type in the following:

Note: In the window.location= line you will enter the NFuse web server and the folder of the NFuse web site. Also note the use of HTTPS://.

5. Save the file to the original NFuse web site folder, i.e. c:\inetpub\wwwroot\portal.

6. Click Start > Programs > Administrative Tools > Internet Services Manager. Browse to the original (top-level) NFuse web site, right-click it and select Properties.

7. Click the Directory Security tab and then click the Edit button.

8. Check the Require secure channel (SSL) checkbox and then check the Require 128-bit encryption checkbox. Click OK.

You are now ready to instruct your end users to browse to the original NFuse web site folder (i.e., www.mycompany.com/portal), and they will automatically be routed to the NFuse web folder via HTTPS (SSL).
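As an added example (not from the guide, and not Citrix or NFuse code), here is the redirect page that steps 4 and 5 describe, written as a small script so the URL logic can be exercised outside a browser; the host name www.mycompany.com, the subfolder /portal/Columbia6 and the file name default.htm are assumptions:

```javascript
// Added example (not from the guide): the page saved in the original NFuse
// folder that sends browsers on to the NFuse subfolder over HTTPS.
// Assumed values: host www.mycompany.com, subfolder /portal/Columbia6.

// Work out the HTTPS URL to send the browser to. `loc` is a location-like
// object ({protocol, hostname, search}); in the browser pass window.location.
// Returns null when the request is already on HTTPS so the page can never loop.
function httpsTarget(loc, folder) {
  if (loc.protocol === "https:") {
    return null;
  }
  var path = folder.charAt(0) === "/" ? folder : "/" + folder;
  // Keep any query string so NFuse parameters survive the hop.
  return "https://" + loc.hostname + path + (loc.search || "");
}

// Build the HTML for the redirect page (assumed file name: default.htm).
// The meta refresh covers browsers with scripting disabled; the script path
// uses window.location= exactly as the guide's note describes.
function redirectPage(hostname, folder) {
  var target = httpsTarget({ protocol: "http:", hostname: hostname, search: "" }, folder);
  return [
    "<html><head>",
    '<meta http-equiv="refresh" content="0;url=' + target + '">',
    '<script type="text/javascript">',
    '  if (window.location.protocol !== "https:") {',
    "    window.location = " + JSON.stringify(target) + " + window.location.search;",
    "  }",
    "<\/script>",
    "</head><body>",
    'Redirecting to <a href="' + target + '">' + target + "</a>",
    "</body></html>"
  ].join("\n");
}

// When this script itself is loaded in a browser, perform the hop immediately.
if (typeof window !== "undefined") {
  var hop = httpsTarget(window.location, "/portal/Columbia6");
  if (hop) {
    window.location = hop;
  }
}
```

IIS answers plain-HTTP requests to a folder marked Require secure channel (SSL) with a 403.4 error before any page is served, so the redirect page only runs from a location that is still reachable over HTTP (a folder without the SSL requirement, or the file configured as the site's custom 403.4 error page).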

 

 
