Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Citrix Integration > Initial Setup of Citrix integration

Initial Setup of Citrix integration
Applies to
*
Web Filter v7.6
*
Web Security v7.6
*
Web Security Gateway v7.6
In this topic
*
Configuring for Citrix Virtual IP Addresses
*
Combining Citrix with another integration
*
Deployment scenarios
*
Deploying with Network Agent
*
Configuration
*
Configuring the non-Citrix integration
Configuring for Citrix Virtual IP Addresses
If an integrated Citrix server is configured to use virtual IP addresses, you must configure Network Agent to monitor the entire range of the IP addresses.
You should also set a single Websense filtering policy for this range of virtual IP addresses.
See the Network Configuration topic in TRITON - Web Security Help for instructions on adding and editing IP address ranges for Network Agent, and configuring policies for specific IP address ranges.
Combining Citrix with another integration
Websense Web Filter or Web Security can be set up to filter both Citrix and non-Citrix users. This section provides instructions for configuring Websense Web Filter or Web Security (deployed either as stand-alone or integrated with another integration product) to work with the Citrix integration product.
Some configurations allow a single installation of Websense Web Filter or Web Security in the same network to filter both Citrix users and non-Citrix users. Citrix users may be working from remote locations, while non-Citrix users may be located in the office where Websense Web Filter or Web Security is installed.
Deployment scenarios
The corporate network (non-Citrix users) can access the Internet through an integration product, such as Cisco® PIX®; Check Point®; Microsoft® Internet Security and Acceleration (ISA) Server or Forefront TMG; or Network Agent (in a stand-alone deployment of Websense Web Filter or Web Security, Network Agent serves in the place of an integration product). The integration product sends Internet requests to Websense Web Filter or Web Security for filtering.
Citrix clients access the network through a Citrix Presentation Server, MetaFrame Presentation Server, or XenApp. Depending on the number of Citrix users, the access may be through one server, or through a server farm consisting of multiple Citrix servers. For more information on deploying Websense Web Filter or Web Security with Citrix, see Filtering Citrix server users.
Websense filtering is accomplished by installing the Websense Citrix Integration Service on each Citrix server. See Installing the Citrix Integration Service, for instructions.
In lower volume networks, each Integration Service communicates with the same Filtering Service. The non-Citrix users can be pointed to the same instance of Filtering Service as the Integration Service.
Deploying with Network Agent
If Websense Web Filter or Web Security is deployed as stand-alone, using Network Agent for filtering, separate instances of Network Agent are needed for the Citrix and non-Citrix users. See Stand-Alone Websense Web Filter or Web Security configuration for configuration information.
Configuration
If Websense Web Filter or Web Security is used to filter both Citrix users and users accessing the Internet through another integration product, the non-Citrix integration must be installed and running before integrating with the Citrix product.
1.
Install Websense Web Filter or Web Security as integrated with the non-Citrix integration product first. See Installing Websense Web Filter or Web Security to integrate with the non-Citrix product.
2.
Ii ns tall the Websense Citrix Integration Service on each Citrix server. See Installing the Citrix Integration Service, for instructions.
This component sends requests from Citrix clients to Filtering Service for filtering. Up to 10 Integration Services can be pointed to the same Filtering Service. If more than 10 Citrix servers are deployed, then additional Filtering Services can be used.
3.
Configure the non-Citrix integration product, as described in this chapter, to ensure that requests coming from the Citrix clients are not filtered twice.
Installing Websense Web Filter or Web Security to integrate with the non-Citrix product
Before the Citrix environment can be integrated, Websense Web Filter or Web Security must have been installed integrated with the non-Citrix integration product. If an older version of Websense Web Filter or Web Security is already installed, upgrade it first.
Websense Web Filter or Web Security installed in stand-alone mode uses Websense Network Agent in place of a third-party integration product.
The Websense Technical Library (www.websense.com/library) provides instructions for integrating Websense Web Filter or Web Security with supported integration products.
Only the following integration products may be combined with a Citrix integration:
*
Cisco PIX v6.3. See Cisco PIX configuration.
*
Check Point FireWall-1 NGX. See Check Point FireWall-1 configuration.
*
Microsoft Internet Security and Acceleration (ISA) Server 2006 or Forefront TMG. See Microsoft ISA Server/Forefront TMG configuration.
*
Network Agent (i.e., Websense Web Filter or Web Security in stand-alone mode). See Stand-Alone Websense Web Filter or Web Security configuration.
Configuring the non-Citrix integration
Before the integrations can be used together, the non-Citrix integration must be set up to prevent Internet requests sent via the Citrix servers from being filtered twice.
A request from a Citrix client is passed to the Citrix server. The Citrix Integration Service sends the request to Filtering Service for filtering. The request is either blocked or permitted by Websense Web Filter or Web Security. Simultaneously, the Citrix server sends the same request to the non-Citrix integration, which must be configured to allow the request to pass to the Internet without sending it to Websense Web Filter or Web Security for filtering.
Cisco PIX configuration
Use a console or TELNET session to configure your Cisco PIX Firewall (security appliance). This configuration has been tested for Cisco PIX version 6.3 and later.
1.
Access the security appliance and enter your password.
2.
Put the security appliance into privilege EXEC mode by entering enable, followed by your enable password.
3.
To activate the configure mode, enter configure terminal.
 
 
Note 
For help with individual commands, enter help followed by the command. For example, help filter shows the complete syntax for the filter command, and explains each of the options.
 
4.
Use the filter url except command with the IP address or addresses for the Citrix servers to disable the second filtering by Websense Web Filter or Web Security of requests from Citrix users.
*
For a group of Citrix servers in a server farm, you can enter a range:
filter url except <IP address range>
*
For one or two Citrix servers, you can add the commands individually:
filter url except <internal IP address> <internal subnet mask> <external IP address> <external subnet mask>
Here, the internal IP address and subnet mask refer to the Citrix server, and the external IP address and subnet mask are for a secondary machine, other than the PIX firewall, that is used for Internet access. The external settings are generally set to zero:
0.0.0.0 0.0.0.0.
5.
Type exit to leave configure mode.
See Cisco's PIX documentation and the Websense Technical Library (www.websense.com/library) for more information on this integration.
Check Point FireWall-1 configuration
To configure Check Point FireWall-1 to work properly with a Citrix integration, you must define a rule on FireWall-1 to allow requests from the Citrix server to pass to the Internet without sending those requests to Websense Web Filter or Web Security for filtering.
*
Using the Firewall-1 SmartDashboard™ (or Policy Editor in older versions) add the Citrix Presentation Servers to the Allow Rule. Do not add the Presentation Servers to the Block rule.
See Check Point's FireWall-1 documentation and the Websense Technical Library (www.websense.com/library) for more information.
Microsoft ISA Server/Forefront TMG configuration
The Websense ISAPI plug-in must be set to ignore traffic from the Citrix servers. This configuration is done by adding the host name of each Citrix server to the isa_ignore.txt file on the Microsoft ISA Server/Forefront TMG (ISA/TMG) machine.
Also, ensure that none of the Citrix servers are set to use the ISA/TMG machine as a proxy server.
1.
On the ISA/TMG machine, go to the WINDOWS\system32 directory and open the isa_ignore.txt file in a text editor.
 
* 
Note 
The default isa_ignore.txt file installed with Websense Web Filter or Web Security contains the following URL:
url=http://ms_proxy_intra_array_auth_query/
Do not delete this URL. It is used by ISA/TMG machines in a CARP array for communication. This URL must be ignored by Websense Web Filter or Web Security to allow filtering and logging to work properly when multiple ISA Servers are deployed in an array.
2.
Enter the host name for each Citrix server on its own line in the isa_ignore.txt file.
 
* 
Important 
You must enter each host name in the exact same format that ISA/TMG passes it to Filtering Service.
Use the following format: hostname=<host_name>
Replace <host_name> with the name of the Citrix server machine.
3.
Restart the ISA/TMG machine.
See Microsoft's ISAPI documentation and the Websense Technical Library (www.websense.com/library) for more information.
Stand-Alone Websense Web Filter or Web Security configuration
If Websense Web Filter or Web Security is running in stand-alone mode, separate instances of Network Agent must be installed to filter Citrix and non-Citrix users. The Network Agent monitoring non-Citrix users must be set to ignore the Citrix servers. This configuration allows protocol filtering of both Citrix and non-Citrix requests.
1.
Open TRITON - Web Security, and go to Settings > Network Agent.
2.
In the left navigation pane, select the IP address of the NIC used for monitoring Internet requests to open its Local Settings page.
3.
Under Monitor List Exceptions, add each Citrix server that Network Agent should exclude from monitoring.
a.
To identify a machine, click Add, and then enter the Citrix server's IP address, or a range of IP addresses for a group of Citrix servers in a server farm. Then, click OK.
b.
Repeat this process until all Citrix servers have been added, either individually or as part of a range.
4.
Click OK to cache your changes and return to the NIC Settings page. Changes are not implemented until you click Save All.
See the Network Agent section under the Network Configuration topic in TRITON - Web Security Help for instructions on configuring NIC settings.

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Citrix Integration > Initial Setup of Citrix integration
(c) 2011 Websense, Inc. All Rights Reserved.