ICA

This chapter contains an example of a basic Fudo PAM configuration, to monitor direct ICA protocol connections.

../../_images/quickstart_overview_citrix_ica.png

Prerequisites

The following description assumes that the system has been already initiated. For more information on the initiation procedure refer to the System initiation topic.


Configuration

../../_images/data_modeling1.png

Adding a server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.


  1. Select Management > Servers.
  2. Click Add and select Static server.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_server
Description fail
Blocked fail
Protocol ICA
Bind address Any
Use TLS fail
   
Permissions  
Granted users fail
   
Server addresses  
IP address 10.0.0.21
Port 1494
  1. Click Save.

Adding a listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.


  1. Select Management > Listeners.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_listener
Blocked fail
Protocol ICA
   
Permissions  
Granted users fail
   
Connection  
Mode proxy
Local address 10.0.150.151
Port 2494
Use TLS fail
  1. Click Save.

Adding an account

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.


  1. Select Management > Accounts.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name admin_ica_server
Blocked fail
Type regular
Session recording all
Notes fail
   
Data retention  
Override global retention settings fail
Delete session data after 61 days
   
Permissions  
Granted users fail
   
Server  
Server ica_server
   
Credentials  
Domain fail
Login citrixuser
Replace secret with password
Password password
Repeat password password
Password change policy Static, without restrictions
  1. Click Save.

Adding a user

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed object definition (i.e. unique login and domain combination, full name, email address etc.) enables precise accountability of user actions when login and password are substituted with a shared account login credentials.


  1. Select Management > Users.
  2. Click Add.
  3. Provide essential user information:
Parameter Value
General  
Login john_smith
Fudo domain fail
Blocked fail
Account validity Indefinite
Role user
Preferred language English
Safes fail
Full name John Smith
Email john@smith.com
Organization fail
Phone fail
AD Domain fail
LDAP Base fail
   
Permissions  
Granted users fail
   
Authentication  
Authentication failures fail
Enforce static password complexity fail
Type Password
Password john
Repeat password john
  1. Click Save.

Defining a safe

Safe directly regulates user access to monitored servers. It specifies available protocols’ features, policies and other details concerning users and servers relations.


  1. Select Management > Safes.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_safe
Blocked fail
Notifications fail
Login reason fail
Require approval fail
Policies fail
Note access No access
   
Protocol functionality  
RDP fail
SSH fail
VNC fail
   
Accounts  
admin_ica_server ica_listener
  1. Select Users tab.
  2. Click Add user.
  3. Find John and click ..
  4. Click OK.
  5. Select Accounts tab.
  6. Click Add account.
  7. Find the admin_ica_server object and click ..
  8. Click OK.
  9. Click in the Listeners column.
  10. Find the ica_listener object and click ..
  11. Click OK.
  12. Click Save.

Note

In case of TLS encrypted connections, Fudo returns an .ica configuration file to the Citrix client, which has the FQDN server address (Address) set to the common name defined in the TLS certificate.

Creating .ica file with connection parameters

Direct connection with remote server over ICA protocol requires preparing a connection configuration file. This file specifies the listener used to connect to the remote host.

Note

Refer to ICA configuration file topic for details on the configuration file.

  1. Create configuration file containing the following:
[ApplicationServers]
ica_connection_example=

[ica_connection_example]
ProxyType=SOCKSV5
ProxyHost=10.0.150.151:2494
ProxyUsername=*
ProxyPassword=*
Address=john_smith
Username=john_smith
ClearPassword=john
TransportDriver=TCP/IP
EncryptionLevelSession=Basic
Compress=Off
  1. Save the file with .ica extension.

Connecting to remote resource

  1. Double-click the connection configuration file to launch ICA protocol client software.
  2. Proceed with using the service.

Viewing user session

  1. Open a web browser and go to the Fudo PAM administration page.
  2. Enter user login and password to log in to Fudo PAM administration panel.
  1. Select Management > Sessions.
  2. Find John Smith’s session and click i.

Related topics: