Security is always a concern, and with the help of SSL and a few utilities you can get a head start on securing the web servers. However, all of this is of little use if you do not stay current with the latest Microsoft and Citrix hotfixes and security updates; without them you remain at high risk of attack. With this in mind, I highly recommend utilizing tools like Microsoft Baseline Security Analyzer and hfnetchk.exe to analyze the servers for missing hotfixes and other known vulnerabilities, as discussed in step 39 of the Tweak Windows 2000 / MetaFrame XP section of this document. There are also many third-party products that assist with this.

The following procedures are defined in this section:

- How to install and configure IIS Lockdown Utility version 2.1
- How to enable SSL on an NFuse IIS web server
  - How to create and install a certificate with a public Certificate Authority
  - How to create and install a certificate with Microsoft Certificate Server
  - How to add the Certificates MMC snap-in
  - How to back up your SSL certificate
  - How to restore your SSL certificate
- How to force the use of SSL encryption on the NFuse web site

Note: It is far beyond the scope of this document to go into any detail on how to secure a web server, BUT I believe it is very important and it is something that is very much overlooked. I have started to add some content to this section, but it is really up to us all. Please email me suggestions on how to improve this section: dbrown@dabcc.com.

How to install and configure IIS Lockdown Utility version 2.1

Microsoft IIS Lockdown Tool is a wizard-driven utility that works by turning off unnecessary features within IIS. For more information, please visit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961. IIS Lockdown Tool requires Windows NT 4.0 running IIS 4.0 or Windows 2000 running IIS 5.0.

Note: The following procedures do NOT work on a web server running the Citrix Web Console (CWC).
I have not been able to successfully lock down an IIS server running the CWC with the IIS Lockdown utility and still have it function. If you have any suggestions, please email dbrown@dabcc.com and I will add them to the next release of MIAB.

The following details how to install and configure the IIS Lockdown utility to work with NFuse 1.71.

1. Download the IIS Lockdown Utility from Microsoft's web site.
2. Start iislockd.exe and click Next.
3. Click the I agree radio button and click Next.
4. Select Dynamic Web Server (ASP enabled), check the View template settings checkbox and click Next.
5. Click Next.
6. Click Next.
7. Uncheck the Scripts checkbox and click Next.
8. Click Next.

Note: If you will be using URLScan, be aware that the default URLScan configuration refuses any request for .EXE and .DAT files on the IIS web server. What does this mean to an NFuse Classic deployment? If you accept the offer to install URLScan, nobody will be able to download the web client ICA32T.EXE from the NFuse Classic application portal, and the Java client will no longer be able to download the ICAPRINTERS.DAT file. To work around the .DAT problem, comment out the .dat entry in the [DenyExtensions] section of urlscan.ini on the server and restart IIS (iisreset). Do not simply remove .exe from the deny list as well; it is there to stop executables being requested from the web server. For ICA32T.EXE you instead either rename the file (for example to .zip or .ex_) and change the file name referenced in \NFuse17\Include\Install.vbs, or change the download link to point to the Citrix web site for the ICA client download, which requires a bit of editing in the same Install.vbs file.

9. Click Next.
10. Click Next.
11. Click Finish.

The IIS Lockdown wizard creates two new local groups, Web Anonymous Users and Web Applications. The local IUSR_COMPUTERNAME account is made a member of Web Anonymous Users, and the wizard sets file permissions using these two groups.
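The URLScan note above can be checked rather than guessed at. The following Python 3 script is an added example (it is not part of MIAB, and not Microsoft's URLScan code): it reads a urlscan.ini, reports which NFuse downloads the extension rules would refuse, and comments out a single [DenyExtensions] entry the way the workaround describes, leaving the rest of the deny list in place. The urlscan.ini text embedded in it is a constructed excerpt in the style of the default file; read the server's real file into the same functions to audit it before and after the edit.

```python
"""Audit a URLScan urlscan.ini for the NFuse download problem described above.

Added example, not taken from MIAB or from Microsoft's URLScan.  The ini text
below is a constructed excerpt in the style of the default urlscan.ini; read
the server's real file into the same functions to audit it.
"""

# Constructed excerpt of a default-style urlscan.ini (not the full file).
SAMPLE_INI = """\
[options]
UseAllowExtensions=0

[AllowExtensions]
.asp
.htm

[DenyExtensions]
; Deny executables that could run on the server
.exe
.bat
.cmd
; Deny infrequently used scripts and data files
.ini
.dat
.log
"""

# Files NFuse Classic 1.7x serves to browsers, with their extensions.
NFUSE_DOWNLOADS = ["ICA32T.EXE", "ICAPRINTERS.DAT", "launch.ica"]


def section_lines(ini_text, section):
    """Raw lines (comments and blanks included) of one [section]."""
    lines, inside = [], False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped[1:-1].lower() == section.lower()
            continue
        if inside:
            lines.append(line)
    return lines


def active_entries(ini_text, section):
    """Entries of a list section URLScan acts on (lines starting ';' are comments)."""
    return {
        line.strip().lower()
        for line in section_lines(ini_text, section)
        if line.strip() and not line.strip().startswith(";")
    }


def option(ini_text, name, default):
    """Value of a key in [options], or default when the key is absent."""
    for line in section_lines(ini_text, "options"):
        key, sep, value = line.partition("=")
        if sep and not key.strip().startswith(";") and key.strip().lower() == name.lower():
            return value.strip()
    return default


def extension_blocked(ini_text, ext):
    """URLScan semantics: with UseAllowExtensions=1 only [AllowExtensions] is
    served; with the default of 0, anything in [DenyExtensions] is refused."""
    ext = ext.lower()
    if option(ini_text, "UseAllowExtensions", "0") == "1":
        return ext not in active_entries(ini_text, "AllowExtensions")
    return ext in active_entries(ini_text, "DenyExtensions")


def blocked_downloads(ini_text, filenames=NFUSE_DOWNLOADS):
    """Map each file name to True if this urlscan.ini would refuse to serve it."""
    result = {}
    for name in filenames:
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        result[name] = extension_blocked(ini_text, ext)
    return result


def allow_extension(ini_text, ext):
    """Comment out one [DenyExtensions] entry; every other line is unchanged.
    Write the result back to urlscan.ini and restart IIS (iisreset)."""
    out, inside = [], False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped.lower() == "[denyextensions]"
        elif inside and stripped.lower() == ext.lower():
            line = "; " + line
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("Default URLScan rules:", blocked_downloads(SAMPLE_INI))
    fixed = allow_extension(SAMPLE_INI, ".dat")
    # .exe stays denied on purpose: rename ICA32T.EXE rather than opening .exe.
    print("After commenting out .dat:", blocked_downloads(fixed))
```

The script honours UseAllowExtensions, so it also works on a server that has been switched to the stricter allow-list mode; in that mode the ICA files are refused unless their extensions are added to [AllowExtensions], which is the same trade-off as editing the deny list.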
NFuse requires that the IUSR_COMPUTERNAME account have at least Modify rights to the C:\Inetpub\wwwroot\NFuseIcons folder. If IUSR_COMPUTERNAME does not have the right permissions on that folder, users will not see the icons for their published applications on the NFuse page. Because this gives the anonymous account write access to a folder under the web root, make sure the NFuseIcons directory is configured in IIS with Read permission only (no Script or Execute permission), so that nothing written there can be executed.

How to enable SSL on an NFuse IIS web server

I would imagine that most small to medium size deployments forget about, or do not see a need for, SSL certificates, but they are wrong. Without SSL, the username and password are sent from the browser to the web server in clear text, which gives anyone who can see the traffic the ability to compromise user credentials. (The web server certificate protects only the browser-to-web-server connection; the ICA session itself is a separate connection and is not encrypted by it.)

Another misconception is that working with SSL certificates is difficult. It is not. All you need to remember is that every web server certificate is signed by a Certificate Authority (CA), and the client must already trust that CA's root certificate for the connection to be accepted without warnings; the private key that goes with the web server certificate stays on the server and is never sent to clients. This is why I highly recommend using a certificate issued by a public CA. The root certificates of the public CAs are already installed in most popular browsers, requiring zero administration on the workstation. Without this, you would have to manually install your own root certificate on every device that connects to the web server.

The following is a list of just a few public Certificate Authorities:

http://www.entrust.com
http://www.geotrust.com
http://www.instantssl.com/
http://www.verisign.com/products/site/

With this in mind, you need to secure the NFuse web server(s) with an SSL certificate. The following procedures assist with the installation and maintenance of SSL certificates.

How to create and install a certificate with a public Certificate Authority

In order to obtain an SSL certificate from a Certificate Authority you must first generate a Certificate Signing Request (CSR) for use in generating the web server certificate. When you have completed this process, send the CSR to your CA or follow the CA's instructions for generating a certificate. The following defines how to generate a CSR file for a Microsoft Internet Information Server (IIS) 5.0 web site.

1. Click Start, Programs, Administrative Tools, Internet Information Services.
2. Select the computer and the web site (host) that you wish to secure. Right-click it and select Properties.
3. Select the Directory Security tab and click the Server Certificate button under Secure Communications.
4. Click Next to continue.
5. Click the Create a new certificate radio button and click Next.
6. Click the Prepare the request now, but send it later radio button. Click Next.
7. At the Name and Security Settings screen, fill in the (friendly) name for the new certificate and select the bit length. Use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate and public CAs will not sign a request for one. Click Next.
8. Enter an Organization name (the exact legal name of your organization; do not abbreviate it) and an Organizational Unit (the section of the organization) and click Next. Note: The following characters are not accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? &. Commas are not accepted either.
9. Enter the Common Name (the fully qualified domain name of your web server, exactly as users will type it in the browser; if the name in the certificate does not match the name in the URL, the browser will warn the user).
10. Enter the Country/Region (the two-letter ISO code for your country), State/Province (the state or province where your organization is legally located, not abbreviated) and City/Locality (the city where your organization is legally located). Click Next.
11. Enter a path and file name for the CSR.
12. Verify your request and click Next.
13. At the Completing the Web Server Certificate Wizard screen, click Finish. Note: DO NOT REMOVE the pending request. The pending request holds the private key that was generated along with the CSR; if it is deleted, the certificate the CA returns has no matching private key and will not install.
14. Submit your CSR to the public CA of your choice and wait to receive your SSL certificate.

When you receive your SSL certificate from the CA, copy the certificate from the body of the email (including the BEGIN CERTIFICATE and END CERTIFICATE lines) and paste it into a text editor such as Notepad to create a text file.

The following documents how to install your new SSL web server certificate.

1. Click Start, Programs, Administrative Tools, Internet Services Manager.
2. Right-click the web site you want to secure and click Properties.
3. Click the Directory Security tab and click the Server Certificate button.
4. The Welcome to the Web Server Certificate Wizard window opens. Click Next.
5. Click the Process the pending request and install the certificate radio button and click Next.
6. Enter the location of the certificate file you received from the CA and click Next.
7. Verify the Certificate Summary to make sure all information is accurate. Click Next.
8. Click Finish.

Test your certificate by connecting to your server with the https protocol directive (i.e. https://web_server/), using the same host name you entered as the Common Name. The padlock icon in your web browser is displayed in the locked position if you have set up your site properly. If the browser warns about the certificate instead, check the three things it verifies: the name in the URL matches the certificate, the certificate has not expired, and the issuing CA's root certificate is trusted by the browser.

How to create and install a certificate with Microsoft Certificate Server

The following details how to create and install an SSL certificate with Microsoft's Certificate Server.

Note: You will need to install Certificate Server in your domain. Remember that browsers will only trust a certificate issued by it once your Certificate Server's root certificate has been installed on them (see above).

1. Click Start, Programs, Administrative Tools, Internet Information Services. Expand the web server, right-click the web site (Default Web Site) you want to SSL-enable, click Properties, select the Directory Security tab and click the Server Certificate button.
2. Click Next.
3. Click Create a new certificate and click Next.
4. Click Prepare the request now, but send it later and click Next.
5. Enter the name of the web server (www.dabcc.com) in the Name text box, select a bit length of at least 2048 and click Next.
6. Select or type your organization's name and your organizational unit and click Next.
7. Enter the common name for your web site. This would be the FQDN, such as www.dabcc.com. Click Next.
8. Enter your geographical information and click Next.
9. Enter the file name and path for the certificate request file (c:\certreg.txt) and click Next.
10. The next screen shows the settings you have configured for your approval. Verify that everything is correct and click Next.
11. Open Internet Explorer and browse to the Certificate Services web enrollment pages on the server where you installed Microsoft Certificate Server (http://db2kad2/certsrv).
12. Click Request a certificate and click Next.
13. Click the Advanced request radio button and click Next.
14. Click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file radio button and click Next.
15. Click Start |
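The padlock test described above, and the earlier point that a browser must already trust the issuing CA's root certificate, can be made explicit from the command line. The following Python 3 script is an added example and not part of MIAB: findings() applies the checks a browser makes (the host name matches the certificate, the certificate has not expired, the certificate is not self-signed) to the certificate dictionary the standard library's ssl module returns, and check_site() connects to a server over HTTPS using the machine's own trusted root store and reports why, if at all, the certificate would be rejected. The www.dabcc.com certificate data embedded in it is constructed for the example and is not a real certificate; run the script with the FQDN of your NFuse web server as its argument to test a live server.

```python
"""Check an NFuse web server's SSL certificate from the command line.

Added example, not part of MIAB: the browser padlock only says that the
certificate chained to a root the browser trusts and matched the host name.
findings() makes those checks explicit on the dictionary that
ssl.SSLSocket.getpeercert() returns (so it can be tested offline);
check_site() performs the live connection.  Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone


def cert_names(cert):
    """Host names a certificate is valid for: SAN dNSName entries, else the CN."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def matches_name(pattern, hostname):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def findings(cert, hostname, now=None):
    """Return a list of problems with cert for hostname; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_names(cert)
    if not any(matches_name(name, hostname) for name in names):
        problems.append("name mismatch: certificate is for %s, not %s"
                        % (", ".join(names) or "<no name>", hostname))
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after < now:
        problems.append("expired on %s" % not_after.date())
    elif (not_after - now).days < 30:
        problems.append("expires within 30 days (%s)" % not_after.date())
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: no CA root can vouch for it")
    return problems


def check_site(hostname, port=443, timeout=5.0):
    """Connect the way a browser would and report what the user would see."""
    ctx = ssl.create_default_context()        # this machine's trusted root store
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return findings(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # The chain did not end in a trusted root: the root certificate
        # problem discussed above (self-signed or private-CA certificate).
        return ["verification failed: %s" % exc.verify_message]
    except (ssl.SSLError, OSError) as exc:
        return ["connection failed: %s" % exc]


# Constructed certificate dictionary in getpeercert() format (not a real cert).
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.dabcc.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.dabcc.com"),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for line in check_site(sys.argv[1]) or ["OK: trusted, name matches, not expired"]:
            print(line)
    else:
        print(findings(EXAMPLE_CERT, "www.dabcc.com"))      # clean
        print(findings(EXAMPLE_CERT, "nfuse.dabcc.com"))    # name mismatch
```

check_site() fails verification before the certificate is even inspected when the server uses a certificate from your own Certificate Server and the client does not have that CA's root installed, which is exactly the case a user with an untrusted root would see as a browser warning.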