Learning the Basics of Citrix XenApp 5 for Windows Server 2003 and XenServer 5.5 (Part 7 of 10)

In Part 6 of this series, you successfully updated the License Server to version 11.6.1 (if necessary), installed Java Runtime Environment 6 Update 17, installed the Microsoft Visual C++ 2005 SP1 Redistributable Package and installed Hotfix Rollup Pack 5 for XenApp 5 for Server 2003.

In Part 7, you will learn to create a Web Interface site and do basic configuration of that site to allow users access.

At the end of Part 6, you restarted your Virtual Machine (VM).  Login to Windows and you are at the server’s desktop with the Citrix ICA Toolbar at the far right (Figure 1).

Figure 1

Since the ICA Toolbar has been removed from XenApp 5 for Server 2008 and all future XenApp versions, you will not use it in the article.  This will also give you more space on your screen for the management consoles.  Right-click an empty spot on the toolbar and select Exit (Figure 2).

Figure 2

Click No so the ICA Toolbar will not start each time you logon to Windows (Figure 3).

Figure 3

What is ICA?  Independent Computing Architecture (ICA) is a proprietary protocol designed by Citrix for application servers. The ICA protocol describes a mechanism for passing data between server and clients, but is not bound to any one platform.

To start Citrix Web Interface Management, click Start -> All Programs -> Citrix -> Management Consoles -> Citrix Web Interface Management (Figure 4).

Figure 4

You are now at the Citrix Web Interface Management Console (Figure 5).

Figure 5

There are three methods to accomplish the same task in the Console:

  1. Right-click an item and select an action
  2. Click the Action menu and select an action
  3. Click an Action in the right Actions column.

You will use the last of these methods in this article.

Click XenApp Web Sites in the left column and then click Create site in the Actions column (Figure 6).

Figure 6

The Create Site wizard starts.  Click Next on the Specify IIS Location screen (Figure 7).

You can create separate IIS sites, for example, to have different sites for Internal and External users.  With different sites you can configure different authentications methods.  Users internal to your network can enter their username and password but you can require external users to use Smart Cards, Two Factor Authentication or one of several other authentication methods.

If you create separate IIS sites, you would enter their paths in the Path box.

In a Best Practice scenario where Web Interface is installed on a separate server, you would check the box for Set as the default page for the IIS site.  Since you have both the License Management Console and Web Interface installed on the same server you must not check that box.  Doing so will break the License Management Console.

Figure 7

Next is the Specify Point of Authentication.  There are five options:

  1. At Web Interface
  2. At Microsoft AD FS account partner
  3. At Access Gateway
  4. At third party using Kerberos
  5. At Web server

The default is At Web Interface.  The five screen shots explain the five options better than I can (Figures 8, 9, 10, 11 and 12).  Click Next to accept the default of At Web Interface (Figure 12).

Figure 8 (At Web server)

Figure 9 (At third party using Kerberos)

Figure 10 (At Access Gateway)

Figure 11 (At Microsoft AD FS account partner)

Figure 12 (At Web Interface)

Click Next on the Confirm Settings for New Site screen (Figure 13).

Figure 13

Make sure Configure this site now is checked and then click Next (Figure 14).

Figure 14

Change the Farm name from Farm1 to Learning and then click the Add… button (Figure 15).

Note: The Farm name entered here has no relation to the XenApp farm you created in Part 5.  Anything can be entered here for the Farm name.

Figure 15

Enter citrixone for the server name and click OK (Figure 16).

Figure 16

Click Next (Figure 17).

Note: In Part 5, you selected to share the XML Service Port between IIS and the XML Service.  If the port number had been changed during installation or from the command line after installation, you would enter the new port number here.

Figure 17

This information is taken from the Citrix eDocs online documentation for Web Interface 5.2:

You can configure the following authentication methods for the Web Interface:

  • Explicit (XenApp Web sites) or prompt (XenApp Services sites). Users are required to log on by supplying a user name and password. User principal name (UPN), Microsoft domain-based authentication, and Novell Directory Services (NDS) are available. For XenApp Web sites, RSA SecurID and SafeWord authentication are also available.

Note: Novell authentication is not available with Web Interface for Java Application Servers and is not supported by XenDesktop.

  • Pass-through. Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop. Users do not need to reenter their credentials and their resource set appears automatically. Additionally, you can use Kerberos integrated Windows authentication to connect to server farms. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on. For more information about Kerberos, see XenApp Administration.
  • Pass-through with smart card. Users can authenticate by inserting a smart card in a smart card reader attached to the user device. If users have installed the Citrix online plug-in, they are prompted for their smart card PIN when they log on to the user device. After logging on, users can access their resources without further logon prompts. Users connecting to XenApp Web sites are not prompted for a PIN. If you are configuring a XenApp Services site, you can use Kerberos integrated Windows authentication to connect to the Web Interface, with smart cards used for authentication to the server farm. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on. For more information about Kerberos, see XenApp Administration.

Note: Because of the security enhancements introduced in Windows Vista, smart card users running Windows Vista or Windows 7 are required to provide their PINs when they launch an application, even if you enable pass-through with smart card authentication.

  • Smart card. Users can authenticate using a smart card. The user is prompted for the smart card PIN.

Note: Pass-through, pass-through with smart card, and smart card authentication are not available with Web Interface for Java Application Servers.

  • Anonymous. Anonymous users can log on without supplying a user name and password, and access resources published for anonymous users.

Important: Anonymous users can obtain Secure Gateway tickets despite not being authenticated by the Web Interface. Because Secure Gateway relies on the Web Interface issuing tickets only to authenticated users, this compromises one of the security benefits of using Secure Gateway.

Note: XenDesktop does not support anonymous users.

Click Next to accept the default of Explicit (Figure 18).

Figure 18

When users go to the Web Interface site, they will need to enter a user name, password and a domain name.  You may not want your users having to know or remember the domain name.  You can pre fill-in the domain name to keep users from having to know this information.  For this article, you will enter the domain name, which is the server name, of CITRIXONE.

Click Restrict domains to the following click the Add button (Figure 19).

Figure 19

Enter citrixone for the Logon domain name and click OK (Figure 20).

Figure 20

Click Next (Figure 21).

Figure 21

Click Next to accept the default of Minimal for the Web Interface logon screen appearance (Figure 22).

Figure 22

Click Next to accept the default of Online (Figure 23).  The other two resource types will be covered in a future Learning series.

Figure 23

Click Finish on the Confirm Settings screen (Figure 24).

Figure 24

You are now back at the management console with your Web Interface site created (Figure 25). Since this is not the default site for IIS you, and your users, will have to enter the entire site URL of http://citrixone/Citrix/XenApp.

Note: This is an unsecure connection as SSL is not being used.  For external access to your published applications, you need to use SSL.  The needs and requirements of your organization will dictate whether SSL is used for internal access to published applications.

Figure 25

The Create Site wizard has completed the basic configuration.  Now you need to test whether your site will load and display the logon page.

Start Internet Explorer and go to http://citrixone/citrix/xenapp.  Wait for the logon page to display (Figure 26).

Figure 26

Enter the Administrator’s name and password and click Log On (Figure 27).

Figure 27

Click the yellow bar at the top of the browser window and select Run Add-on (Figure 28).

Figure 28

Click Run (Figure 29).

Figure 29

The Web Interface Applications tab is displayed (Figure 30).

Figure 30

At this point, there are no Published Applications to run.  You have verified your site was created, loaded and logged into successfully.  Exit Internet Explorer and the Web Interface Management console.

You learned to create a Web Interface site and do basic configuration of that site to allow users access.  In Part 8, you will create a test user account, learn to publish applications, test access to the published applications from the Web Interface site and to perform other basic XenApp server administrative tasks.

, ,

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

View all posts by Carl Webster

No comments yet.

Leave a Reply