
ThomasKoetzing.de

This is the web site of an application delivery enthusiast. Please keep in mind that I'm NOT working for Citrix Inc. nor Microsoft. So if you use any of the information you find here, you do so at your own risk. Nevertheless, you can leave your comments in my support forum.

Most of the things you will find here are the result of my contributions to the official Citrix Support Forums and other places, as well as my personal experience as a freelancer for application delivery. Note that everything on the web site is done during my free time.


Latest News
AD group access limit for Mobile Receiver user

How do you limit access to the Web Interface service site to an Active Directory group? This question comes up most often for external access using Access Gateway. Access Gateway Enterprise has that option, as well as 2-factor authentication, but Access Gateway Standard (VPX, Express) does not.

Today more and more companies allow access using the Mobile Receiver (iPad, iPhone etc.) but want to limit the access for a group of users. Again with the basic logon point in Access Gateway Standard that is not possible. Details about that can be found in the online documentation:

Configuring XenApp Connections By Using a XenApp Services Site
http://support.citrix.com/proddocs/topic/access-gateway-50/ag-user-connection-cr-mobile-devices-tsk.html

 

Looking closer at the Web Interface configuration, you will find the option to limit access to an entire Citrix farm using Active Directory groups. That means that if a user is not in a specific group, he or she will NOT get access to any applications in that farm! This feature has existed for a very long time and is meant for user roaming, but who cares what it was meant to be.

 

Here is the configuration in a nutshell:

  1. Create an AD group; example: Mobile_Access_Allowed
  2. Create a new Web Interface Service Site like Mobile
  3. Configure the Service Site for remote access (Gateway)
  4. Configure Access Gateway to forward to "Mobile" with a basic logon point
  5. Make sure your setup works; launch an application etc.
  6. Open the Webinterface.conf file and search for Farm1Groups and remove the "#"
  7. Set Farm1Groups=mycompany.com\Mobile_Access_Allowed
  8. If you have more than one farm you have to repeat it for all of them Farm2Groups etc.

 

Note that users who are not in the group will get an error message that no applications are configured for them, even if they have applications internally. There is no way to change that message without "hacking" binaries, DLLs etc. Finally, here is the online Citrix documentation on how to configure user roaming that I used to limit access.

 

To configure user roaming
http://support.citrix.com/proddocs/topic/web-interface-impington/wi-configure-xd-user-roaming-gransden.html
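Steps 6 to 8 are easy to get half right: one farm restricted while another is left with its FarmNGroups line still commented out. The following check is an added example, not code from this site or from Citrix; it assumes the key=value layout with "#" comments described in the steps and comma-separated group names, and the sample file content and function names are constructed for illustration.

```python
import re

# Constructed sample in the key=value, '#'-commented style the steps describe;
# the farm host names are placeholders, not taken from a real site.
SAMPLE_CONF = r"""
# WebInterface.conf (constructed excerpt)
Farm1=xa-farm-a.example.local,Name:FarmA,XMLPort:80,Transport:HTTP
Farm1Groups=mycompany.com\Mobile_Access_Allowed
Farm2=xa-farm-b.example.local,Name:FarmB,XMLPort:80,Transport:HTTP
#Farm2Groups=
Farm3=xa-farm-c.example.local,Name:FarmC,XMLPort:80,Transport:HTTP
Farm3Groups=
"""

# Matches "FarmN=..." (farm definition) and "FarmNGroups=..." (group limit).
SETTING = re.compile(r"^(Farm(\d+)(Groups)?)\s*=(.*)$")


def audit_farm_groups(conf_text):
    """Return {farm_number: [groups]} for every active FarmN line.

    An empty list means the farm is not limited to any AD group.
    """
    farms, groups = set(), {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out settings are inactive
            continue
        m = SETTING.match(line)
        if not m:
            continue
        number = int(m.group(2))
        if m.group(3):  # FarmNGroups line
            groups[number] = [g.strip() for g in m.group(4).split(",") if g.strip()]
        else:  # FarmN definition line
            farms.add(number)
    return {n: groups.get(n, []) for n in sorted(farms)}


def unrestricted_farms(conf_text):
    """Farm numbers whose applications are not limited to an AD group."""
    return [n for n, g in audit_farm_groups(conf_text).items() if not g]


if __name__ == "__main__":
    for n, g in audit_farm_groups(SAMPLE_CONF).items():
        status = "restricted to " + ", ".join(g) if g else "NOT restricted"
        print(f"Farm{n}: {status}")
```

Run it against the Webinterface.conf of the "Mobile" service site after every change; any farm it lists as not restricted is still reachable by users outside Mobile_Access_Allowed.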

Mobile device web site to import root ca certificate

How do you import a root CA certificate on a mobile device like an iPhone or iPad? Citrix suggests the iPhone configuration utility in the article "How To Install a Private Root Certificate on Your iPhone or iPad" http://support.citrix.com/article/CTX125655 but wouldn't it be easier to have a simple web site to pick up the certificate?

Have a look at the following

Mobile site to import certificate


With the mobile browser (Safari) the user just opens the URL http://WebServer/ca and taps to import the root CA certificate. I created a very simple web site to do just that. So far I have only tested it with Apple iPad/iPhone, but it should work with other devices too.

Download the mobile site: ip_importca.v1.0.zip

Follow me on Twitter to get updates

I started tweeting some time ago because it's easy to post quick tips, important new articles or issues I worked on. Here are some of my tweets:


  • Microsoft update rollup for the printing core components in Windows 7 / Server 2008 R2 available! http://bit.ly/Hoj1ET < must have
  • CTXKB: Colors in a Graphics-Specific or Intensive Apps is Not Displayed Correctly like Photoshop with XD 5.5/5.6 http://bit.ly/x0N9AL
  • CTXKB: Server Windows 2003 Known Issue - ICA / RDP Connection Fail After Installing Microsoft Patch MS12-024 from Apr10 2012 http://bit.ly/Ijd62X 
  • CTXKB: HP LaserJet Bidirectional or hpzbdi Related Performance Issues on XenApp http://bit.ly/HMLmBT < I'm not surprised...
  • Be aware that Citrix Touch Optimized Desktop with XenApp 6.5 does NOT honor start menu! folder redirection! < Big security bug to me!
  • Be careful using HDX Monitor 2.0 with XenApp 6.5 because it might end badly. DHCP Client, Eventlog Service stops... server restart necessary
  • No joke, If Storefront mmc snap-in doesn't work anymore, then set the system time before April 1st 2012! Update to 1.1 now
  • Fixed a customer issue where Citrix PnSson 12.1.0.30 killed Windows asynchronous script processing. This ended in a logon delay

Don't miss any more tweets and follow me at http://twitter.com/Koetzing

Upcoming events that I attend

Do you want to meet me or attend one of my sessions? In the next three months you can do that at the following events:





Events and Sessions

  • A&F Computer 2012 - Switzerland, Sursee
    April 25 and April 26 - Cloud Computing and SaaS in real world
  • Citrix Synergy 2012 - USA, San Francisco
    May 9 - Geek Speak - Finally, let’s talk about real-world Citrix XenApp experiences!
    http://bit.ly/GSLSFO2012
    May 10 - Architecting your mobile enterprise (as Guest Speaker)
    http://bit.ly/I390ZN
  • Citrix Technology Days - Germany, Munich
    Jun 20/21 - Geek Speak - Finally, let’s talk about real-world Citrix XenApp experiences!

How to: Mobile devices and Access Gateway VPX

Using mobile devices like iPhone, iPad, Blackberry etc. with Citrix Access Gateway VPX is often a topic in the Citrix Support forums. Quite some configuration needs to be done to make it work, but here is, in a nutshell, how to do the configuration with Access Gateway, Web Interface and the mobile Receiver.

I also added some troubleshooting and additional information for that topic.


Requirements

1. Web Interface 5.4 but at least 5.x

2. Access Gateway 5.02 or above (introduces basic authentication)

3. Required ports must be open and certificates must be trusted all the way

4. The AG FQDN must be resolvable from all clients and match the certificate's CN



Web Interface

1. Create a service site /mobile

2. Configure the mobile site with "Gateway Direct" in secure access

3. Set Authentication Method to Prompt



Access Gateway

1. Configure Applications and Desktops: ICA, CGP and STA (the same as in WI)

2. Create a Basic Logon Point and check Authenticate with Web Interface

3. Website Configuration:

Home Page: http://WI_Server/mobile/config.xml

Web Address: http://WI_Server



Citrix Receiver mobile

Now depending on the end device the configuration actually might be slightly different. You should try the following examples with other mobile devices. Also this might change with new releases of Receiver.

Here is the configuration for iPad and iPhone:

1. The Root CA certificate that created the AG certificate must be present on the mobile device

2. iPad: URL: https://AG_FQDN/lp/mobile (No Access Gateway mode!)

3. iPhone: URL https://AG_FQDN/lp/mobile/http/WI_Server/mobile/config.xml


Troubleshooting

1. No error messages or warnings when opening https://AG_FQDN in a browser

2. No certificate errors; make sure the lock is closed in the browser

3. No blank page when opening https://AG_FQDN/lp/mobile/http/WI_Server/mobile/config.xml in a browser



Additional Information

1. Access Gateway VPX 5.04 now requires a Platform License to be present

2. With only a Platform License you can still use SmartAccess logon points and LDAP but NO VPN

3. Access Gateway 5.04 is the first version where you can customize the logon point

4. You can limit access to the Web Interface service site to an AD user group

5. Basic Authentication enables reverse proxy functionality as it was with AG 4.x

6. 2-factor authentication with the service site and AG 5.04 is NOT supported

7. You can auto configure mobile receiver through a URL. 

Use the Online URL Generator http://bit.ly/URL_Generator



How to Google and to Google for Citrix stuff

How do you Google? Really?? I read quite often that "I searched for hours, even days, and couldn't find anything" when it took me only seconds or minutes; of course not always.




The Google Basics
Check out the picture about some options you have to use Google.

how to google


For non-native English speakers

1. Switch Google to search for English content. That's done through the "Settings" icon on the top right of the Google page. There is much more content to be found in English.

2. Translate error messages or search terms into English. Don't worry too much about correct spelling, Google will help you with that.

3. Americans, in particular, prefer to use acronyms for commonly used technical words and phrases; for example, RDS, TS and XA instead of Remote Desktop Services, Terminal Services and XenApp. This web site can help you http://www.acronymfinder.com


What to search for

You need the right keywords or your search will take a long time. What always helps are parts of an error message, event log IDs, stop codes, etc.; in general, very unique words.



How to search for Citrix stuff
Citrix claims that their knowledge base uses a Google engine but I think it must be a very basic one. So instead of using Citrix search use the real Google engine.

Here are some search lines for Citrix:

inurl:support.citrix.com search words <- Search for sites with Citrix Knowledge Base URL

site:support.citrix.com search words <- Search only the Citrix Knowledge Base

inurl:forums.citrix.com search words <- Search for sites with Citrix Public Forums URL

site:citrix.com search words <- Search the entire Citrix domain incl. sub domains

 

Site updates

16.11.10
New article: The next level in Desktop virtualization: multi GPU pass-through

16.08.10
New article: Real world P2V Machines to Citrix XenServer 5.6

06.01.10
New: Article about Web Interface SessionSharingKey.

20.07.09
New: Article about Web Interface defaults.

21.06.09
New: Article about the possible death of Web Interface.

27.04.09
New: Analyse Center version 2.0 for XenApp 5.x Web Interface published.

08.04.09
New: Published AutoCPSUpdate script version 2.2 with lots of new features.

23.03.09
New: PNAFilter update for Web Interface 5.1.x published

05.02.09
New: Analyse Center version 1.8 for XenApp 5.x Web Interface published.

05.01.09
New: Analyse Center for XenApp 5.01 Web Interface published.