Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Citrix > Initial Setup of Citrix integration
Initial Setup of Citrix integration
Deployment and Installation Center | Web Security Solutions | Version 7.8.x
 
Applies to:                                         
In this topic                                       
*
Web Filter and Web Security, v7.8.x
*
Configuring for Citrix Virtual IP Addresses
*
Combining Citrix with another integration
*
Deployment scenarios
*
Deploying with Network Agent
*
Configuration
*
Configuring the non-Citrix integration
Configuring for Citrix Virtual IP Addresses
If an integrated Citrix server is configured to use virtual IP addresses, you must configure Network Agent to monitor the entire range of the IP addresses.
You should also set a single Websense filtering policy for this range of virtual IP addresses.
See the "Network Configuration" topic in the Web Security Help for instructions on adding and editing IP address ranges for Network Agent, and configuring policies for specific IP address ranges.
Combining Citrix with another integration
Websense Web Security solutions can be set up to manage both Citrix and non-Citrix users. This section provides instructions for configuring Websense software to work with the Citrix integration product.
Deployment scenarios
The corporate network (non-Citrix users) can access the Internet through Websense Network Agent, Content Gateway, or a third-party integration product, such as Cisco® ASA or Microsoft® Forefront TMG. The component or integration product sends Internet requests to Websense Filtering Service to determine whether to block or permit the request.
Citrix clients access the network through Citrix XenApp. Depending on the number of Citrix users, the access may be through one server, or through a server farm consisting of multiple Citrix servers. For more information, see Managing Internet requests from Citrix server users.
Websense policy management is enabled by installing the Websense Citrix Integration Service on each Citrix server. See Citrix Integration Service installation overview, for instructions.
In lower volume networks, each Integration Service communicates with the same Filtering Service. The non-Citrix users can be pointed to the same instance of Filtering Service as the Integration Service.
Deploying with Network Agent
If you have a standalone deployment of Websense Web Filter or Web Security, separate instances of Network Agent are needed for the Citrix and non-Citrix users. See Standalone Websense Web Filter or Web Security configuration for configuration information.
Configuration
To use a Websense Web Security solution to manage both Citrix users and users accessing the Internet through Network Agent or another integration product, the non-Citrix-related components must be installed and running before the Citrix integration is completed.
1.
Install your Web Security solution.
2.
Install the Filtering Service and Network Agent to be used for Citrix integration.
3.
Configure and iinstall the Websense Citrix Integration Service on each Citrix server.
This component sends requests from Citrix clients to Filtering Service for filtering. Up to 10 Integration Services can be pointed to the same Filtering Service. If more than 10 Citrix servers are deployed, then additional Filtering Services can be used.
See Citrix Integration Service installation overview, for instructions for steps 2 and 3.
4.
Configure the non-Citrix integration product to ensure that requests coming from the Citrix clients are not processed twice. See Configuring the non-Citrix integration.
Configuring the non-Citrix integration
Before the integrations can be used together, the non-Citrix integration must be set up to prevent Internet requests sent via the Citrix servers from being processed twice.
A request from a Citrix client is passed to the Citrix server. The Citrix Integration Service sends the request to Filtering Service, which determines whether to block or permit the request. Simultaneously, the Citrix server sends the same request to the non-Citrix integration, which must be configured to allow the request to pass through.
Microsoft Forefront TMG configuration
The Websense ISAPI plug-in must be set to ignore traffic from the Citrix servers. This configuration is done by adding the host name of each Citrix server to the isa_ignore.txt file on the Microsoft Forefront TMG (TMG) machine.
Also, ensure that none of the Citrix servers are set to use the TMG machine as a proxy server.
1.
On the TMG machine, go to the WINDOWS\system32 directory and open the isa_ignore.txt file in a text editor.
 
* 
Note 
The default isa_ignore.txt file installed with Websense software contains the following URL:
url=http://ms_proxy_intra_array_auth_query/
Do not delete this URL. It is used by TMG machines in a CARP array for communication. This URL must be ignored to allow filtering and logging to work properly when multiple TMG instances are deployed in an array.
2.
Enter the host name for each Citrix server on its own line in the isa_ignore.txt file.
 
* 
Important 
You must enter each host name in the exact same format that ISA/TMG passes it to Filtering Service.
Use the following format:
hostname=<Citrix_server_hostname>
Replace <Citrix_server_hostname> with the name of the Citrix server machine.
3.
Restart the TMG machine.
See Microsoft's ISAPI documentation and the Websense Technical Library (www.websense.com/library) for more information.
Standalone Websense Web Filter or Web Security configuration
In a standalone Websense Web Filter or Web Security deployment, separate instances of Network Agent must be installed to filter Citrix and non-Citrix users. The Network Agent monitoring non-Citrix users must be set to ignore the Citrix servers. This configuration allows protocol filtering of both Citrix and non-Citrix requests.
1.
Open the Web Security manager and go to Settings > Network Agent, then position the mouse over the Global menu item.
2.
When the lists of IP addresses appears, select the IP address of the NIC used for monitoring Internet requests to open its Local Settings page.
3.
Under Monitor List Exceptions, add each Citrix server that Network Agent should exclude from monitoring.
a.
To identify a machine, click Add, and then enter the Citrix server's IP address, or a range of IP addresses for a group of Citrix servers in a server farm. Then, click OK.
b.
Repeat this process until all Citrix servers have been added, either individually or as part of a range.
4.
Click OK to cache your changes and return to the NIC Settings page. Changes are not implemented until you click Save and Deploy.
See the "Network Configuration" topic in the Web Security Help for instructions on configuring NIC settings.

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Citrix > Initial Setup of Citrix integration
Copyright 2016 Forcepoint LLC. All rights reserved.