How to publish Citrix Xenapp/Xendesktop online without Netscaler using HTTP for workgroup computers

How to publish Citrix Xenapp/Xendesktop online without Netscaler using HTTP for workgroup computers

I always get this weired stuff, I am not sure if it is a curse or something, but I have got this request to publish Citrix XenApp 7.6 online without NetScaler and using HTTP for workgroup computers.

 

Previously, this was an easy task, but due to the changes Citrix has made to StoreFront and Citrix Receiver, it became a tedious task, so here are the simple guide that will give you the exact configuration to publish Citrix online, and allow workgroup computers to connect to it.

 

I will not walk you thought the Citrix Installation, I assume that Citrix installation and Configuration is done.

 

So let us go:

  • Modify the Citrix Storefront URL to match the External URL.

Because how Citrix Xenapp’s logic, you need to set the URL to match the External URL, you can do that from from the studio console:

Configure Base URL without Netscaler

Make sure that Delivery controller resolves the external name to its own internal IP, you can use hosts file to achieve this

  • Modify the global ICA settings file to include the external server name, the file is located at (C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica)

[Application]

Address=ExternalserverFQDN

TransportDriver=TCP/IP

DoNotUseDefaultCSL=On

BrowserProtocol=HTTPonTCP

LocHttpBrowserAddress=!

WinStationDriver=ICA 3.0

ProxyTimeout=30000

AutologonAllowed=ON

 

By now you are done with the server configuration, now you need to install the Citrix Receiver, you need to allow HTTP stores, add the PNA site, and configure the receiver NOT to use usernames and password (because these are workgroup computers), so let us go:

 

Install the receiver client usign the following command line:

CitrixReceiver.exe /ALLOWADDSTORE=A /ALLOWSAVEPWD=A /STORE0=”http://ExternalFQDN/Citrix/Store/PNAgent/config.xml;on;storename”

 

This will add the store and configure the receive to accept HTTP stores.

 

Now import the Receive ADM Files into the local group policy, and the authentication section and disable the username and password.

Configure Citrix Receiver password settings

By that time, you will be able to open your receiver and access your PNA store if the stars are alligned.

 

 

Bypass Terminal Services/Citrix to gain access to command line from IE

 bypass Terminal Services Remote Apps/ Citrix XenApp to gain access to command line from Internet Explorer

Today, a friend of mine who works in our security team, shared with me a slick way to bypass published applications (in our case IE) to gain command line and PowerShell access.

Although users will have access based on his permissions; so if he is a user he won’t be able to do much, yet , in my opinion it bypasses the hall point of Remote Apps/ Citrix XenApp and gives the user access to execution capabilities on the server, if he is a knowledgeable enough, he will be able to compromise the server.

Setup:

XenApp 6.5 Server on Windows Server 2008 R2 with all patches installed, Only IE published.

How to:

Since IE is published only, we assume that user has no execution capabilities on the server, to gain access to PowerShell or command line, do the following:

    • From IE open help.
    • Within help, search for notepad.
    • click on How I can How can I use my devices and resources in a Remote Desktop session?

image

  • Scroll down and click open notepad

 

image

  • once note pad opened (note that we have access to another application now), type in the file PowerShell and save the file as filename.bat.
  • once you saved the file, from Internet Explorer choose, file, Open and open the saved file and voilaaaa, you have powershell and cmd access.

although we can discuss for years if this is a security issue or not, I believe it is for some organizations and it sheds some light on a area where people can bypass a specific published application and gain execution mechanism on servers, Any thoughts ?!

Configuring Citrix Web Interface with RSA SecureID , Notes from the field

Configuring your Web Interface to work with RSA SecureID can be troublesome, I spent 2 days trying to figure how to make it work, here are the configuration steps:

Follow the steps mentioned in this CTX article: http://support.citrix.com/article/CTX126843

BUT, as usual there is a trick, completing the above configuration will not work, you will get the following error:

There was a problem with the RSA SecurID ACE/Agent. Check that the ACE/Agent is installed correctly and that the path to the file aceclnt.dll has been added to the PATH environment variable.

To solve this problem, first, follow the following steps:

– make sure to install the RSA Web Agent, the Web Agent must be installed as it will add some keys in the applicationhost.config that are needed by the IIS.

– Configure the Web interface not to send the domain name, from Explicit authentication, properties, Explicit/Two-Factor Authentication and uncheck (Send Domain and username to ACE/Server)

some additional troubleshooting steps are here (Like the PATH and secret key reset)

http://support.citrix.com/article/CTX125097