iChain 2.3 with Token authentication to Citrix via NPS

July 22nd, 2004 by pete

Boring post this, it’s mainly for myself (and it’s a work-in-progress) to check up on when I’m onsite at a customer struggling to get the above-mentioned combination working. Not too difficult, but there are a lot of steps – get one wrong and you’re fucked. Non-IT bods might want to push off to somewhere more interesting like Looby’s, Vanessa’s or Martin’s blogs over there on the sidebar.

First things first:

Tokens: Vasco Digipass Pro 300, the old kind that don’t have a cover to slide out. You hit the power, key in the PIN, then choose the application mode. For my purposes I used APPL1, the one-time numeric password, since that’s supported by iChain 2.1 and 2.2. iChain 2.3 supports challenge/response passwords as well as token reset challenges, but I don’t need that so sod ‘em.

Citrix version: God knows. That company changes not only product names on a random basis, but also jumps around versions like it’s going out of fashion. We ended up with two installations on the server; I’ll call them the nFuse server and the Metaframe server. What they’re called this week, fuck knows.

Portal: good old NPS. Or, as the Novell product people like to call it, exteNd Director 4.1 Standard Edition. I call it NPS. All we needed from this product was a glorified menu system with links assigned according to dynamic group membership via LDAP query.

On with the show.
Install nFuse – easy.
Install Metaframe – easy.
Publish an application (make it Notepad for now) – easy.
Install iChain – easy-ish. Make sure the hardware is supported (getting harder to find out since Novell no longer certify hardware for iChain; they just tell you to try it and see). We’ve used HP/Compaq DL360 and DL380 servers, as well as some old Dell PowerEdge servers (6300s). Suck it and see.

Create an authentication profile – this links iChain to eDirectory. If in doubt, use the iChain management applet to do a test ping from the system menu.

Create two accelerators – one is going to be for nFuse and the other for Metaframe. The nFuse one requires authentication (via the LDAP profile) but the Metaframe one doesn’t. You can set SSL and whatnot on the nFuse accelerator, but don’t bother with this on the Metaframe one, since the ICA client will be doing an HTTP CONNECT to establish the client-to-server connection over port 80. SSL doesn’t enter into it, nor does it need to, since Citrix have their own encryption technology on the ICA client-to-server connection. Let’s just trust them on this.
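A quick way to confirm the two accelerators came out the way the step above describes (nFuse front end demands a login, Metaframe front end answers anonymously) is to hit each one once without credentials and look at the response. The script below is an added example and not part of the original post or any Novell/Citrix tooling; the hostnames are constructed placeholders, and it assumes iChain answers an unauthenticated request with a 401 or a redirect whose Location points at a login page.

```python
"""Post-configuration sanity check for the nFuse / Metaframe accelerator pair.

Added example (not from the original post). Sends one anonymous GET to each
accelerator without following redirects, then checks that only the nFuse
accelerator demanded authentication.
"""
import urllib.error
import urllib.request

# Constructed placeholder hostnames: replace with the accelerator DNS names.
# The bool says whether that accelerator is expected to require a login.
ACCELERATORS = {
    "nfuse": ("http://nfuse.example.test/", True),
    "metaframe": ("http://ica.example.test/", False),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following the redirect to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # fall through so the 30x surfaces as an HTTPError


def fetch(url, timeout=5):
    """Return (status, headers) for one anonymous GET, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def demanded_auth(status, headers):
    """True if the front end refused the anonymous request and asked for a login.

    Assumption: a 401/407, or a 30x redirect whose Location mentions "login",
    counts as an authentication demand; anything else is treated as open.
    """
    if status in (401, 407):
        return True
    if status in (301, 302, 303, 307, 308):
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        return "login" in location.lower()
    return False


def verdict(name, status, headers, expect_auth):
    """Compare what the accelerator did with what the design says it should do."""
    got = demanded_auth(status, headers)
    ok = got == expect_auth
    return ok, f"{name}: status {status}, auth demanded={got}, expected={expect_auth}"


def check_all(accelerators=ACCELERATORS):
    """Probe every accelerator; returns {name: (ok, message)}."""
    results = {}
    for name, (url, expect_auth) in accelerators.items():
        try:
            status, headers = fetch(url)
        except (urllib.error.URLError, OSError) as err:
            results[name] = (False, f"{name}: unreachable ({err})")
            continue
        results[name] = verdict(name, status, headers, expect_auth)
    return results


if __name__ == "__main__":
    for _name, (_ok, msg) in check_all().items():
        print(("OK   " if _ok else "FAIL ") + msg)
```

Run it from a client outside the iChain box once both accelerators are up; a FAIL on the nFuse line means the LDAP authentication profile is not actually attached to that accelerator, and a FAIL on the Metaframe line means something is challenging the ICA client's port 80 connection, which will break the CONNECT described above.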

…tbc… it gets better.
