ICA via Citrix StoreFront

This chapter contains an example of a basic Fudo PAM configuration, to monitor access to a remote server over ICA protocol with the connection itself being initiated via the Citrix StoreFront.

../../_images/quickstart_overview_citrix_storefront.png

Prerequisites

The following description assumes that the system has been already initiated. For more information on the initiation procedure refer to the System initiation topic.


Configuration

../../_images/data_modeling1.png

Adding an ICA server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.


  1. Select Management > Servers.
  2. Click Add and select Static server.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_server
Description fail
Blocked fail
Protocol ICA
Bind IP Any
Use TLS fail
   
Permissions  
Granted users fail
   
Server addresses  
Address 10.0.0.21
Port 1494
  1. Click Save.

Adding an ICA listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.


  1. Select Management > Listeners.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_listener
Blocked fail
Protocol ICA
   
Permissions  
Granted users fail
   
Connection  
Mode proxy
Local address 10.0.150.151
Port 2494
Use TLS fail
  1. Click Save.

Adding an account for the ICA server

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.


  1. Select Management > Accounts.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ICA_forward
Blocked fail
Type forward
Session recording all
Notes fail
   
Data retention  
Override global retention settings fail
Delete session data after 61 days
   
Permissions  
Granted users fail
   
Server  
Server ica_server
   
Credentials  
Replace secret with fail
Forward domain fail
  1. Click Save.

Adding a Citrix StoreFront server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.


  1. Select Management > Servers.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name citrix_storefront
Blocked fail
Protocol Citrix StoreFront (HTTP)
HTTP timeout 900
Description fail
   
Permissions  
Granted users fail
   
Destination host  
IP address 10.0.90.1
Port 80
Bind address Any
Use TLS fail
URL http://10.0.90.1/Citrix/StoreWeb/
  1. Click Save.

Adding a Citrix StoreFront listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.


  1. Select Management > Listeners.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name citrix_storefront_listener
Blocked fail
Protocol Citrix StoreFront (HTTP)
   
Permissions  
Granted users fail
   
Connection  
Mode proxy
Local address 10.0.8.65
Port 7003
External address fail
External port fail
Use TLS fail
  1. Click Save.

Adding an account for the Citrix StoreFront server

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.


  1. Select Management > Accounts.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name citrixuser_at_SF
Blocked fail
Type regular
Session recording all
   
Data retention  
Override global retention settings fail
Delete session data after 61 days
   
Permissions  
Granted users fail
   
Server  
Server citrix_storefront
   
Credentials  
Domain tech.whl
Login citrixuser
Replace secret with password
Password password
Repeat password password
Password change policy Static, without restrictions

Adding a user

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed object definition (i.e. unique login and domain combination, full name, email address etc.) enables precise accountability of user actions when login and password are substituted with a shared account login credentials.


  1. Select Management > Users.
  2. Click Add.
  3. Provide essential user information:
Parameter Value
General  
Login john_smith
Fudo domain fail
Blocked fail
Account validity Indefinite
Role user
Preferred language English
Safes fail
Full name John Smith
Email john@smith.com
Organization fail
Phone fail
AD Domain fail
LDAP Base fail
   
Permissions  
Granted users fail
   
Authentication  
Authentication failures fail
Enforce static password complexity fail
Type Password
Password john
Repeat password john
  1. Click Save.

Defining a safe

Safe directly regulates user access to monitored servers. It specifies available protocols’ features, policies and other details concerning users and servers relations.


  1. Select Management > Safes.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ica_safe
Blocked fail
Notifications fail
Login reason fail
Policies fail
Note access No access
   
Protocol functionality  
RDP fail
SSH fail
VNC fail
   
Accounts  
citrixuser_at_SF citrix_storefront_listener
ICA_forward ica_listener
  1. Select Users tab.
  2. Click Add user.
  3. Find John and click ..
  4. Click OK.
  5. Select Accounts tab.
  6. Click Add account.
  7. Find the citrixuser_at_SF object and click ..
  8. Find the ICA_forward object and click ..
  9. Click OK.
  10. Click in the Listeners column, in the citrixuser_at_SF account row.
  11. Find the citrix_storefront_listener object and click ..
  12. Click OK.
  13. Click in the Listeners column, in the ICA_forward account row.
  14. Find the ica_listener object and click ..
  15. Click OK.
  16. Click Save.

Connecting to remote resource

  1. Navigate your web browser to the 10.0.8.65:7003 web address.
  2. Enter user login and password to log in into the Citrix StoreFront interface.
../../_images/citrix_storefront_login.png
  1. Click desired element to establish ICA connection with selected resource.
../../_images/citrix_storefront_app.png

Viewing user session

  1. Open a web browser and go to the Fudo PAM administration page.
  2. Enter user login and password to log in to Fudo PAM administration panel.
  1. Select Management > Sessions.
  2. Find John Smith’s session and click i.
../../_images/citrix_storefront_ongoing.png

Related topics: