How to publish Citrix Xenapp/Xendesktop online without Netscaler using HTTP for workgroup computers

How to publish Citrix Xenapp/Xendesktop online without Netscaler using HTTP for workgroup computers

I always get this weired stuff, I am not sure if it is a curse or something, but I have got this request to publish Citrix XenApp 7.6 online without NetScaler and using HTTP for workgroup computers.

 

Previously, this was an easy task, but due to the changes Citrix has made to StoreFront and Citrix Receiver, it became a tedious task, so here are the simple guide that will give you the exact configuration to publish Citrix online, and allow workgroup computers to connect to it.

 

I will not walk you thought the Citrix Installation, I assume that Citrix installation and Configuration is done.

 

So let us go:

  • Modify the Citrix Storefront URL to match the External URL.

Because how Citrix Xenapp’s logic, you need to set the URL to match the External URL, you can do that from from the studio console:

Configure Base URL without Netscaler

Make sure that Delivery controller resolves the external name to its own internal IP, you can use hosts file to achieve this

  • Modify the global ICA settings file to include the external server name, the file is located at (C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica)

[Application]

Address=ExternalserverFQDN

TransportDriver=TCP/IP

DoNotUseDefaultCSL=On

BrowserProtocol=HTTPonTCP

LocHttpBrowserAddress=!

WinStationDriver=ICA 3.0

ProxyTimeout=30000

AutologonAllowed=ON

 

By now you are done with the server configuration, now you need to install the Citrix Receiver, you need to allow HTTP stores, add the PNA site, and configure the receiver NOT to use usernames and password (because these are workgroup computers), so let us go:

 

Install the receiver client usign the following command line:

CitrixReceiver.exe /ALLOWADDSTORE=A /ALLOWSAVEPWD=A /STORE0=”http://ExternalFQDN/Citrix/Store/PNAgent/config.xml;on;storename”

 

This will add the store and configure the receive to accept HTTP stores.

 

Now import the Receive ADM Files into the local group policy, and the authentication section and disable the username and password.

Configure Citrix Receiver password settings

By that time, you will be able to open your receiver and access your PNA store if the stars are alligned.

 

 

VDI Sample Design Document

VDI Sample Design Document

If you are looking for a sample VDI highlevel proposal and design document based on Citrix VDI Xendesktop and Xenapp, you can download the sample document from the below link.

The document has the following contents

Table of Contents.

Introduction. 1

Project Vision and Scope. 2

Vision Statement 2

Benefit Analysis. 2

Infrastructure Summary. 3

Conceptual Architecture: 3

XXX Business Requirements. 3

XXX Technical Requirements. 4

High Level Design. 5

Virtual Desktop Image Design. 5

Virtual Desktop Infrastructure Design. 6

Operating System Delivery Design. 10

Farm Design. 10

Desktop Delivery Design. 10

Application Delivery Design: 12

Xenapp Farms/Zones Design. 12

User Access Design: 14

Virtualization Layer Design: 14

Scope and Service Definition. 17

Desktop Virtualization Infrastructure. 17

Scope of Project 17

Criteria of Acceptance. 18

Assumptions and Guidelines: 18

Please note that this is a highlevel proposal document, but could be used as a good base for a low level detailed one

you can download the document after liking,tweeting or G+ our page

[sociallocker id=”2150″] http://www.sureskillz.com/?wpfb_dl=9 [/sociallocker]

Bypass Terminal Services/Citrix to gain access to command line from IE

 bypass Terminal Services Remote Apps/ Citrix XenApp to gain access to command line from Internet Explorer

Today, a friend of mine who works in our security team, shared with me a slick way to bypass published applications (in our case IE) to gain command line and PowerShell access.

Although users will have access based on his permissions; so if he is a user he won’t be able to do much, yet , in my opinion it bypasses the hall point of Remote Apps/ Citrix XenApp and gives the user access to execution capabilities on the server, if he is a knowledgeable enough, he will be able to compromise the server.

Setup:

XenApp 6.5 Server on Windows Server 2008 R2 with all patches installed, Only IE published.

How to:

Since IE is published only, we assume that user has no execution capabilities on the server, to gain access to PowerShell or command line, do the following:

    • From IE open help.
    • Within help, search for notepad.
    • click on How I can How can I use my devices and resources in a Remote Desktop session?

image

  • Scroll down and click open notepad

 

image

  • once note pad opened (note that we have access to another application now), type in the file PowerShell and save the file as filename.bat.
  • once you saved the file, from Internet Explorer choose, file, Open and open the saved file and voilaaaa, you have powershell and cmd access.

although we can discuss for years if this is a security issue or not, I believe it is for some organizations and it sheds some light on a area where people can bypass a specific published application and gain execution mechanism on servers, Any thoughts ?!