
Creating Resource Profiles Using Citrix Web Applications

The Citrix Web template enables you to easily configure Citrix access using the Pulse Secure Citrix Services Client proxy, JSAM, or WSAM.

To create a resource profile using the Citrix template:

  1. Select Users > Resource Profiles > Web in the admin console.
  2. Click New Profile.
  3. Select Citrix Web Interface/JICA from the Type list.
  4. Enter a unique name and optionally a description for the Citrix resource profile.
  5. Enter the URL of the Web server that hosts your ICA files in the Web Interface (NFuse) URL field. Use the format: [protocol://]host[:port][/path]. For instance, enter the URL of an NFuse server, the Web interface for a Citrix Metaframe Presentation Server, or a Web server from which the system can download Citrix Java applets or Citrix cab files. (The system uses the specified URL to define the default bookmark for the Citrix resource profile.) You may enter a directory URL or a file URL.
  6. Specify which type of Citrix implementation you are using in your environment by selecting one of the following options:
    • Java ICA Client with Web Interface (NFuse)—Select this option if you have deployed the Citrix Web Interface for MPS (that is, NFuse) to deliver Java ICA clients.
    • Java ICA Client without Web Interface (NFuse)—Select this option if you have deployed a generic Web server to deliver Java ICA clients.
    • Non-Java ICA Client with Web Interface (NFuse)—Select this option if you have deployed the Citrix Web Interface for MPS (that is, NFuse) to use any of the different clients (Java, ActiveX, local).
    • Non-Java ICA Client without Web Interface (NFuse)—(Read only) If you have deployed a non-Java ICA client without the Citrix Web Interface for MPS (that is, NFuse), you cannot create a Citrix resource profile through this template. Instead, click the client application profile link beneath this option. The link brings you to the Client Application Profiles page, where you can create a SAM resource profile.
  7. From the Web Interface (NFuse) version list, select which Citrix version you are using. (The system uses this value to pre-populate the Forms POST SSO values in your single sign-on autopolicy.)
  8. Specify the Metaframe Servers to which you want to control access in the MetaFrame servers area. Then click Add. When specifying servers, you can enter wildcards or IP ranges.

    The system uses the values that you enter to automatically create a corresponding resource policy that enables access to the necessary resources:

    • If you select either Java ICA Client with or without Web Interface, the system creates a corresponding Java ACL resource policy that enables Java applets to connect to the specified Metaframe servers.
    • If you select Non-Java ICA Client with Web Interface, and then you select ICA client connects over WSAM or JSAM, the system creates a corresponding SAM resource policy that enables users to access the specified Metaframe servers.
    • If you select Non-Java ICA Client with Web Interface, and then you select ICA client connects over CTS, the system creates corresponding Terminal Services and Java resource policies that enable users to access the specified Metaframe servers.
  9. (Java ICA clients only.) If you deployed Citrix using a Java ICA Client, select the Sign applets with uploaded code-signing certificate(s) check box to re-sign the specified resources using the certificate uploaded through the System > Configuration > Certificates > Code-signing Certificates page of the admin console.

    When you select this option, the system uses all of the “allow” values that you enter in the resource profile’s Web access control autopolicy to automatically create a corresponding code-signing resource policy. Within this policy, the system uses the specified Web resources to create a list of trusted servers.

  10. (Non-Java ICA clients only) If you have deployed Citrix using a non-Java ICA Client with a Web interface, you must use the Pulse Secure Citrix Services Client proxy, Secure Application Manager, or VPN Tunneling to secure traffic to your Metaframe servers instead of the Content Intermediation Engine.

    To secure traffic through the Juniper Citrix Terminal Services proxy or the Secure Application Manager, select one of the following options in the ICA Client Access section:

    • ICA client connects over CTS Client—Select this option to secure your Citrix traffic through the Citrix Terminal Services client (if your users are using ActiveX clients) or Java rewriting engine (if your users are using Java clients). (When you select this option, the system automatically enables the Terminal Services option on the Users > User Roles > Select_Role > General > Overview page of the admin console.)

    Note: If you are using a third-party Web server such as your company’s Intranet server to deliver the ICA file, make sure the Content-Type of the HTTP Response header is application/x-ica. Only then does the system automatically intermediate the ICA file and launch its Citrix Terminal Services client to tunnel the traffic.

    Note: If you select this option, we recommend that you disable Citrix client downloads through the Citrix Web Interface. Otherwise, users could inadvertently start two different windows downloading two versions of the Citrix client simultaneously–one through the system (which automatically attempts to download the Citrix client if one is not present on the user’s computer) and one through the Citrix Web Interface.

    • ICA client connects over WSAM—Select this option to secure traffic using WSAM. (When you select this option, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select_Role > General > Overview page of the admin console.)
    • ICA client connects over JSAM—Select this option to secure traffic using JSAM. Then, configure the following options:
      • Number of Servers/Applications—Enter the lesser of the following two numbers: maximum number of Citrix servers in your environment or the maximum number of published applications that a user can open simultaneously. For instance, if your environment contains one server and five published applications, enter 1 in this field. Or, if your environment contains 20 servers and 10 published applications, enter 10 in this field. The maximum value this field accepts is 99.
      • Citrix Ports—Specify the ports on which the Metaframe servers listen.

      When you select the ICA client connects over JSAM option, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select_Role > General > Overview page of the admin console.

    Note: You cannot enable WSAM and JSAM for the same role. Therefore, if you try to create a Citrix resource profile that uses one of these access mechanisms (for instance, JSAM) and another profile associated with the role already uses the other access mechanism (for instance, WSAM), the system does not enable the new access mechanism (JSAM) for the role. Also note that you can only use WSAM or JSAM to configure access to one Citrix application per user role.

  11. (Non-Java ICA Client with Web Interface only.) If you want to allow users to access local resources such as printers and drives through their Citrix Web Interface sessions, select the Configure access to local resources check box. Then, select from the following options:
    • Select Connect printers if you want to enable the user to print information from the terminal server to his local printer.
    • Select Connect drives if you want to enable the user to copy information from the terminal server to his local client directories.
    • Select Connect COM Ports if you want to enable communication between the terminal server and devices on the user’s serial ports.

    Note: To control access to local resources exclusively through your Citrix Metaframe server settings, clear the Configure access to local resources check box. When you clear the option, the Metaframe server settings take effect. Or, if you want to selectively override Citrix Metaframe server settings for the bookmark, select the Configure access to local resources check box and then specify the local resources to which you want to enable or disable access. Note that if you enable access to a local resource through the system, you still must enable access to it through the Metaframe server as well.

    When you enable local resources through the terminal server, each user can only access his own local resources. For instance, user 1 cannot see user 2’s local directories.

  12. Select the Autopolicy: Web Access Control check box to create a policy that allows or denies users access to the resource specified in the Web Interface (NFuse) URL field. (By default, the system automatically creates a policy for you that enables access to the resource and all of its subdirectories.)
  13. If you selected one of the Web interface options above, update the SSO policy created by the Citrix template. Select the Autopolicy: Single Sign-on check box. (Single sign-on autopolicies configure the system to automatically pass data such as usernames and passwords to the Citrix application. The system automatically adds the most commonly used values to the single sign-on autopolicy based on the Citrix implementation you choose.)

    When you select single sign-on, the WIClientInfo and WINGSession cookies are prepopulated automatically in addition to the POST Resource and URL.

    Or, if you selected the non-Web interface option, you may optionally create your own single sign-on autopolicy.

  14. Click Save and Continue.
  15. Select the roles in the Roles tab to which the Citrix resource profile applies and click Add.

    The selected roles inherit the autopolicies and bookmarks created by the Citrix resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option in the Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.

    Also enable the Terminal Services access feature under User Roles > Select_Role > General > Overview. If the user role does not have this feature enabled, the Citrix ICA file is delivered as is (without being rewritten) and the Juniper Citrix component (CTS) will not start. In this case, the Citrix native client attempts to establish a connection with the back-end server directly (without going through the system) and will fail.

  16. Click Save Changes.
  17. (Optional.) In the Bookmarks tab, modify the default bookmark created by the system and/or create new ones.

    By default, the system creates a bookmark to the Web interface (NFuse) URL defined in the Web Interface (NFuse) URL field and displays it to all users assigned to the role specified in the Roles tab.
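
The Content-Type requirement in the note under ICA client connects over CTS Client can be checked before the profile is pointed at a third-party Web server. The following Python script is an added example, not part of this guide; the function names, the two paths and the loopback test server are constructed for illustration.

```python
import http.server
import threading
import urllib.request

EXPECTED = "application/x-ica"  # media type the CTS note requires

def ica_content_type_ok(header_value):
    """True if the media type, ignoring case and parameters, is application/x-ica."""
    if not header_value:
        return False
    return header_value.split(";", 1)[0].strip().lower() == EXPECTED

def check_ica_url(url, timeout=5):
    """GET the ICA file URL directly (no proxy) and return (ok, raw Content-Type)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type")
    return ica_content_type_ok(ctype), ctype

class DemoHandler(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for an intranet Web server: same file, two configurations.
    TYPES = {"/good/launch.ica": "application/x-ica; charset=utf-8",
             "/bad/launch.ica": "text/plain"}

    def do_GET(self):
        body = b"; constructed placeholder, not a real ICA file\r\n"
        self.send_response(200)
        self.send_header("Content-Type", self.TYPES.get(self.path, "text/html"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def run_demo():
    """Serve both configurations on loopback and check each one."""
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return {path: check_ica_url(base + path) for path in DemoHandler.TYPES}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, (ok, ctype) in run_demo().items():
        print(path, "OK" if ok else "wrong Content-Type", repr(ctype))
```

Call check_ica_url() with the real ICA file URL on your Web server; a False result means the response Content-Type is missing or is not application/x-ica.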
