Citrix NetScaler Application Switch SSL VPN User's Guide for the ...

ContentsChapter 1 - SSL VPN Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11.1 SSL VPN : Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11.2 SSL VPN : Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2Chapter 2 - Getting Started with SSL VPN . . . . . . . . . . . . . . . . . . . . 2-12.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12.2 Starting a SSL VPN Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22.3 Using the SSL VPN Browser Plug-in . . . . . . . . . . . . . . . . . . . . . . . . 2-62.3.1 Accessing Client/Server Applications . . . . . . . . . . . . . . . . . . . . . 2-72.3.2 Using Web-based Applications. . . . . . . . . . . . . . . . . . . . . . . . . . 2-92.3.3 Accessing a Remote File System . . . . . . . . . . . . . . . . . . . . . . . .2-112.3.4 Accessing Internal Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . .2-152.3.5 Using Portal Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-162.3.6 Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-162.3.7 Terminating the SSL VPN Session . . . . . . . . . . . . . . . . . . . . . . .2-21Chapter 3 - Troubleshooting the SSL VPN Browser Plug-in. . . . . . . 3-13.1 Debugging the SSL VPN Browser Plug-in . . . . . . . . . . . . . . . . . . . . . 3-13.2 SSL VPN Session Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1SSL VPN User’s Guidei

ContentsiiSSL VPN User’s Guide

Chapter 1SSL VPN OverviewThe SSL VPN is a secure remote access solution that provides point-to-pointcommunication between remote users, such as mobile employees, partners, orresellers, and a private enterprise network. It does so by creating a secureSSL-based tunnel between a standard Web browser and a system. This allowsauthorized remote users to gain access to critical business resources such ascorporate intranets, shared file systems, native client/server applications, andterminal services.This chapter provides an overview of the SSL VPN features. The following topicsare described in this chapter:• SSL VPN : Architecture• SSL VPN : Key Features1.1 SSL VPN : ArchitectureWhen you log on to a Web site that is secured by the SSL VPN, the systeminstructs the browser to download the SSL VPN browser plug-in onto yourcomputer. The plug-in is a Java applet that creates a secure channel of communicationbetween your browser and the system, thus allowing you toremotely access those resources you are authorized to use.Before the plug-in is downloaded, you will be prompted to permit it to execute.The plug-in first initializes itself by fetching the intranet applications, it supports,from the system. The network administrator configures the system withthese applications. Once initialized, the plug-in listens on preconfigured ports.When it receives a request from the client, it opens a server-side connection,authenticates that connection with the user's credentials, and then tunnelssubsequent data packets between the client and the server across the connection.This is illustrated in the following figure.SSL VPN User’s Guide 1-1

SSL VPN OverviewFigure 1-1 SSL VPN browser plug-in architectureThe following section provides a step-by-step description of the preceding diagram.1. The client application looks up the Hosts file for the address of the server.2. The Hosts file points to localhost. The plug-in listens for requests, from theclient application, on preconfigured ports.3. The client application sends a request to the plug-in.4. The plug-in forwards the request to the SSL VPN gateway.5. The SSL VPN gateway forwards the request to the Application server.6. The Application server responds to the SSL VPN gateway.7. The SSL VPN gateway replies to the plug-in.8. The plug-in replies to the client application.1.2 SSL VPN : Key FeaturesThe SSL VPN supports:• SSL 3.0 and TLS1.0• 1024-bit encryption• Most TCP-based applications• Windows ® , Linux, and Mac OSX1-2 SSL VPN User’s Guide

Chapter 2Getting Started with SSL VPNThe preceding chapter covered the architectural details of the SSL VPNbrowser plug-in. In this chapter, you will learn to use the plug-in. This chapterbegins with a brief introduction to the system requirements for the plug-in.This is followed by detailed instructions on downloading and running theplug-in. The final section covers the various controls of the user interface. Thefollowing topics are described in this chapter:• System Requirements• Starting a SSL VPN Session• Using the SSL VPN Browser Plug-in2.1 System RequirementsThe minimum system requirements are:Windows Platform• Web browsers: Internet Explorer 5.0+, Netscape 7.1, Mozilla Firefox1.2+• Java Plug-in: JRE1.4.2 or greaterMacintosh (MacOSX)• Web browsers: Safari v1.2(v125)• Java Plug-in: JRE1.4.2Linux Platform• Web browsers: Mozilla Firefox 1.2.1+• Java Plug-in: JRE1.3.1 or greaterNote You can download the Java Runtime Environment (JRE) from Sun Microsystem’sJava Web site if needed. Browse to http://www.java.com to find the JRE for youroperating system.SSL VPN User’s Guide 2-1

Getting Started with SSL VPN2.2 Starting a SSL VPN SessionAs mentioned earlier, the SSL VPN has been designed to provide remote usersaccess to authorized resources on a private network, over a secure connection.To establish a secure connection, you must first log on to the SSL VPN Website. Contact your system administrator for the URL to this Web site, and thelogin credentials. The typical format for such a URL is as follows:https://companyname.comTo log on to your company’s SSL VPN Web site1. Open a Web browser and enter the URL of the SSL VPN Web site. If youradministrator has not configured a proper SSL certificate that identifies theserver, the operating system will prompt you with a Security Alert windowasking your permission to access the SSL VPN login window.Figure 2-1 Security Alert windowThe security alert indicates that there might be discrepancies in the certificate.For example:2-2 SSL VPN User’s Guide

Getting Started with SSL VPN• the certificate has expired.• the domain name in the certificate does not match the domain name of theserver.• the certificate is not trusted.Click the Cancel button and contact the system administrator.2. The SSL VPN login page is displayed.Figure 2-2 SSL VPN login page3. Enter your Login name and Password.4. Click Login. When you log on to the SSL VPN for the first time, a securitywarning is displayed as shown in the following figure. This warningprompts you to download the SSL VPN browser plug-in.SSL VPN User’s Guide 2-3

Getting Started with SSL VPNFigure 2-3 Security warningNote The appearance of these dialog boxes may differ across platforms and browsers.5. Click Trust. The Proxy Configuration alert is displayed.2-4 SSL VPN User’s Guide

Getting Started with SSL VPNFigure 2-4 Proxy Configuration alertNote This alert will not be displayed when you use Internet Explorer on Windows ® andSafari on Mac OS X. For details on configuring the proxy settings of your Webbrowser, refer to the section 2.3.2 of this chapter.6. Click the Run button. The Secure Remote Access Session window and theservices page are loaded as shown.SSL VPN User’s Guide 2-5

Getting Started with SSL VPNFigure 2-5 Secure Remote Access Session window and services pageNote The Secure Remote Access Session window may take a few seconds to appear.If your computer using Netscape Navigator was was unable to fully load thesmaller secure remote session window shown in the figure above, NetscapeNavigator may not have been installed with Sun Java 2 support. You may needto rerun the Netscape Navigator installer, ensuring that Sun Java 2 support isselected.Note Update the proxy settings of the your Web browser to the values displayed onthe Proxy Configuration alert or the Secure Remote Access Session window. Thiswill enable you to access Web-based applications.2.3 Using the SSL VPN Browser Plug-inThe Secure Remote Access Session window is the graphical user interface tothe browser plug-in. It allows you to securely access intranet portals, corporateapplications, file systems, or mail on a private network. Closing the SSLVPN Session window will end the session. As a result, you will be disconnectedfrom the private network.2-6 SSL VPN User’s Guide

Getting Started with SSL VPNFigure 2-6 Secure Remote Access Session windowThe components of the Secure Remote Access Session window are describedas follows:• Proxy: The IP address and port number that the Web browser’s proxy thatenables Web access.• Bytes sent: The quantity of data sent through the plug-in from the clientto the server.• Bytes received: The quantity of data received through the plug-in fromthe server to the client.• Home: Displays the portal page.• Applications: Click this button to view the list of intranet applications configuredon the system.• Compression Stats: Displays the compression statistics.• File Transfer: Click this button to download/upload files, from the network,via the Web-based interface.• Logout: Click this button to log off from the SSL VPN session. The messagedisplayed on the Secure Remote Access Session window, indicatesthat the SSL VPN session will be terminated if you close the window. Togracefully terminate the session, click the Logout button. Otherwise,changes to the Hosts file on the client computer and the proxy settings willnot be rolled back.The following sections cover the various tasks that you can perform with theplug-in.2.3.1 Accessing Client/Server ApplicationsAs a remote user, you are authorized to access and use a limited set of client/server applications on your company’s intranet. The administrator configuresthese client/server applications on the system. To view these applications,SSL VPN User’s Guide 2-7

Getting Started with SSL VPNclick the Applications button on the Secure Remote Access Session window.The Intranet Applications window, listing all the applications, is displayed.Figure 2-7 Intranet Applications windowDuring a SSL VPN session, you will access these applications via the plug-in.There are two methods for doing so. The methods are:• Hosts File Modification Method• SourceIP and SourcePort MethodThese methods are explained in the following sections.2.3.1.1 Hosts File Modification MethodIn this method, the plug-in adds an entry, corresponding to the applicationsconfigured by the VPN administrator, in the Hosts file. Note however that youmust be logged in with root or administrative privileges in order for the plug-into be able to modify this file. If you are not logged in to the system with theadequate privileges, you will need to manually edit the file yourself, adding theappropriate entries to the Hosts file as discussed in the following section.Consider a scenario where you need to open a Telnet session to a remote systemfrom your laptop. You use the laptop to work both within your company’sintranet and remotely.To ensure connectivity to the remote system from both within andoutside your company’s intranet1. Add an entry 10.100.101.77 telnet1 in the Hosts file on your computer.This entry consists of the IP address of the remote system and it’s hostname.2-8 SSL VPN User’s Guide

Getting Started with SSL VPNproxy settings to reflect the proxy server indicated on the Secure RemoteAccess Session window. These changes are rolled back when the user logs off.This behavior is restricted to Internet Explorer on Windows. Other browsersneed to be configured manually.2.3.2.1 Using SSL VPN on Netscape and FirefoxYou need to manually configure the proxy server settings of Netscape andFirefox. The following procedure lists the steps to do so.To configure the proxy settings on Netscape and Firefox1. Select the Preferences option from the Edit menu. The Preferences windowis displayed.Figure 2-8 Preferences window2. Expand the Advanced option in the Category pane and select the Proxiesoption. The Proxies pane is displayed.2-10 SSL VPN User’s Guide

Getting Started with SSL VPNFigure 2-9 Proxies pane3. Select the Manual proxy configuration option.4. Enter the IP and port address, displayed on the Secure Remote AccessSession Window, in the HTTP Proxy and SSL Proxy fields respectively.5. Click OK to save the changes.2.3.2.2 Using SSL VPN on SafariWhen accessing the SSL VPN from the Mac OS X Safari web browser, theappropriate proxy settings are automatically configured for the session by theplug-in. No proxy configuration is necessary by the user.2.3.3 Accessing a Remote File SystemTo access the remote file system, click the File Transfer button on the SecureRemote Access Session window. The SSL VPN: Remote Secure File SystemAccess page is displayed. This page allows you to log on to the intranet andaccess shared resources. The following figure illustrates the various componentsof this page.SSL VPN User’s Guide 2-11

Getting Started with SSL VPNFigure 2-10 File Transfer pageThe following sections cover the various components of the SSL VPN: RemoteSecure File System Access page.Top PanelThe top panel of the browser window displays a number of buttons that willallow you to perform various tasks, pertaining to the storage and transfer offiles.Click this button to log on to the corporate network or a specific computeron that network.Click this button to navigate to the preceding folder in the folder tree.Click this button to refresh the contents of the active folder.Click this button to create a subfolder within the folder that is selected.Click this button to download the selected file from the remote server.2-12 SSL VPN User’s Guide

Getting Started with SSL VPNClick this button to upload the selected file from the local client computerto a folder in the remote file server.Click this button to delete the selected file from the remote machine.Click this button to change the name of a file or folder, which isselected.Click this button to disconnect from the remote server.Left PanelThe servers, their directories, and the directory structure are displayed in atree format in the left panel as shown in the following figure. Click the + iconto view a subfolder.Figure 2-11 Left panelRight PanelThe right panel displays the Login Server window. Use this window to log on tothe file system on the intranet or an appropriate file server. To access the filesystem, leave the Login Server field blank or click the Network Neighborhoodlink in the left panel.SSL VPN User’s Guide 2-13

Getting Started with SSL VPNTo log on to a file server1. Enter the IP address or the name of the server in the Address field.Note If you leave this field blank, you will be logged on to the intranet and not anyspecific server.2. Enter your Login ID in the Login field.3. Enter your password in the Password field. If the remote server does notrequire a password, leave this field blank.4. Enter a valid domain name. If the remote server has not been assigned aspecific domain, leave the field blank.The right panel now displays the subfolders and files as shown in the followingfigure. The location of the active folder is displayed in the Address field.Note Authorization policies, configured by the SSL VPN administrator on the gateway,are not applied to this operation since it bypasses the gateway. As a result, on aWindows-based computer, it is advised that you access shared resources viaWindows Explorer instead of the File Transfer window.Figure 2-12 Right panelTo download a file from a remote server1. Select the file.2. Click the Download icon. The File Download window is displayed.2-14 SSL VPN User’s Guide

Getting Started with SSL VPN3. Click the Save button. The Save As dialog box is displayed.4. Navigate to the appropriate folder, and click the Save button to save thefile.To upload a file to the remote server1. Select the file on the local machine.2. Click to upload the file to the remote server.To remove a folder, subfolder, or file1. Select the file, folder, or subfolder.2. Click the Delete icon. The file is deleted from the remote machine.Note A parent folder that contains subfolders cannot be removed. To delete a parentfolder with sub folders, you need to delete the sub folders first and then deletethe parent folder.2.3.4 Accessing Internal Web SitesThe default Portal page is created based on the data configured by the SSLVPN administrator. The Portal page is shown in the following figure. This pagelists the most commonly accessed intranet Web sites and file systems. the SSLVPN administrator configures the links visible under the ‘Configured’ sectionson this page. You can create your own bookmarks to appear under the ‘Personal’bookmark sections. This chapter covers the various configuration tasksthat you can perform on the portal page.Note Your VPN administrator may have customized the Portal page. So the appearanceof the page may vary from what is shown in this guide.SSL VPN User’s Guide 2-15

Getting Started with SSL VPNFigure 2-13 Portal page2.3.5 Using Portal ToolsThe Portal page has several built in tools to assist you in using the SSL VPN.These tools include a ping interface for checking the accessibility of networkhosts, tips, online help, the SSL VPN file transfer utility, and the SSL VPNthemes utility.These tools have been placed under the home, file transfer, and themes tabson the SSL VPN portal page.2.3.6 HomeThe tools under this tab help you navigate your way through the SSL VPN. Thispage can be customized by the SSL VPN administrator by providing themesthat VPN users can apply for themselves. The individual tools are describedbelow2-16 SSL VPN User’s Guide

Getting Started with SSL VPNPing PaneThe ping pane allows you to check the accessibility of other computers on yourintranet and on the Internet. This feature can help you troubleshoot connectivityissues if any, with your SSL VPN session in addition to determining availabilityof a server hosting a resource on the network.Enter the IP address, host name, or domain name of the computer you wish toping and click the Ping button. The result of the ping query is displayed on thispane.Figure 2-14 Ping paneTip and Help PaneThe Tip pane offers helpful hints on using the SSL VPN and its various features.The Help tool is used to access the SSL VPN User’s Guide. The User’sGuide includes not only instructions on using the SSL VPN but also lists errorcode explanations and provides other troubleshooting assistance.Bookmarks PaneThe SSL VPN Portal allows you to create your own set of links to commonlyaccessed resources. These bookmarks may be links to either intranet or InternetWeb sites or network accessible file systems on the intranet.To create these bookmarks, click on the ‘add’ links on the right side of thepage. The following figure shows the New Bookmark page.In the ‘Name’ field, enter the label to be used for your new link. In the‘Address Field’ enter either the uniform resource locator (URL) of the Web siteor the network path to the file server. In the ‘Description’ field, enter a shortdescription for the created link. Once done, select the ‘Add’ button to apply thenew link or ‘Cancel’ to exit the window without making any changes.SSL VPN User’s Guide 2-17

Getting Started with SSL VPNFigure 2-15 Add Bookmark PageThe bookmark added here will be listed under the personal bookmarks on theSSL VPN home page.Note The system automatically differentiates between Web site addresses (URLs) andnetwork file system paths based on the format in which they are entered. Henceyou do not need to specify which type of resource your link is for when you createit.Remove a bookmarkTo remove a personal bookmark, click on the remove button on the right sideof the page. The ‘Remove Bookmark’ page is displayed as shown in the figure.Select the bookmark you want to remove and click on the ‘Remove’ button toconfirm removal or click on the ‘Cancel’ button to exit the window withoutmaking any changes.2-18 SSL VPN User’s Guide

Getting Started with SSL VPNFigure 2-16 Remove bookmark pageNote You can remove only bookmarks listed under the ‘Personal’ column and not thoseunder the configured column.2.3.6.1 File transferFor details, refer to the Accessing a Remote File System section.2.3.6.2 ThemesYou can select themes that have been made available by the SSL VPN administratorfor use with your SSL VPN session. The theme selected will be appliedacross all pages on the SSL VPN portal.If there are no themes configured by the VPN administrator then, on the‘Themes’ tab of the portal page, an error message is displayed as shown in thefigure below.SSL VPN User’s Guide 2-19

Getting Started with SSL VPNFigure 2-17 No themes configuredSelecting a theme for the SSL VPN sessionUnder the ‘Themes’ tab on the SSL VPN portal, you can see the themes thatthe VPN administrator has made available for use. Click on the ‘Select’ buttonnext to the theme name for the theme to be applied for your current VPN sessionand all further VPN sessions.Customizing your themeYou can click on the customize button next to the theme name and changeindividual parameters used in the theme. The changes made are stored in atheme called ‘Current Custom Theme’ and applied to the current theme.2-20 SSL VPN User’s Guide

Getting Started with SSL VPNFigure 2-18 Customize your themeSelect the colors you want for each item on the SSL VPN portal page, the fontstyle and size and then click the ‘Save Preferences’ button. The customizedtheme will now replace the old theme on the portal page.Note You can restore the default theme for the portal page by clicking on the ‘Reset tosite defaults’ button on the ‘Themes’ tab.2.3.7 Terminating the SSL VPN SessionTo log off from the SSL VPN session, click the Logout button.Note If you close the Secure Remote Access Session window (by clicking the Closebutton or by pressing Alt+F4), the changes to the Hosts file on the client computerand the proxy settings will not be rolled back.SSL VPN User’s Guide 2-21

Getting Started with SSL VPN2-22 SSL VPN User’s Guide

Chapter 3Troubleshooting the SSL VPN BrowserPlug-inThis chapter covers the troubleshooting of the SSL VPN browser plug-in. Thefollowing topics are described in this chapter:• Debugging the SSL VPN Browser Plug-in• SSL VPN Session Error Codes3.1 Debugging the SSL VPN Browser Plug-inBy default, the plug-in maintains a log of all of its activities in a separate ASCIIfile. This ASCII file, also known as a log file, is stored in the file system by thename mpSSLVpn.On a computer that runs the Windows operating system, this file is stored inthe root directory. For example, if the operating system resides on a partitionlabeled C of the hard disc, the log file is generated in the %tmp% folder. OnMac OSX and Linux, the log file is generated in the /tmp directory.3.2 SSL VPN Session Error CodesThe following table lists the error codes displayed by the SSL VPN session. Italso provides a description of these error codes.Table 3-1 Specific error codes displayed by the SSL VPN sessionMessage Explanation ActionHosts file updatefailed.This message indicates thatthe plug-in has been unableto update the Hosts file onthe client computer.Log on to the computer as anadministrator. This willensure that the Hosts file isupdated. Alternately, followthe procedure outlined in thesection “SourceIP andSourcePort Method” inchapter 2 of this guide.SSL VPN User’s Guide 3-1

Troubleshooting the SSL VPN Browser Plug-in3-2 SSL VPN User’s Guide