Jay Tomlin Citrix Technical Support January 2002. Now everything computes. Enterprise Services for NFuse Technical Training. Speaker notes included. NFuse Enterprise. By the end of this session… You should be able to: Explain the role of Enterprise Services for NFuse (aka ESN)
Enterprise Services for NFuse: Technical Training. Jay Tomlin, Citrix Technical Support, January 2002. Now everything computes. Speaker notes included.
NFuse Enterprise: By the end of this session…
You should be able to:
• Explain the role of Enterprise Services for NFuse (aka ESN)
• Identify target customers
• Describe the architecture
• Install and use the product
What is NFuse?
• NFuse is an application access broker providing end users access to published applications over the web.
• Users logging into NFuse must have valid logon credentials on the target MetaFrame servers.
[Diagram labels: End user, NFuse, One MetaFrame Server Farm]
What is NFuse Enterprise?
• Enterprise Services for NFuse (ESN) is an application access broker providing scalability, manageability, and published application aggregation.
• ESN provides a single point of access to MetaFrame installations with multiple farms in separate administrative domains.
• Users logging into ESN receive seamless access to MetaFrame servers in different domains.
[Diagram labels: End user, NFuse, ESN, Many MetaFrame Server Farms]
NFuse Enterprise Architecture
[Diagram. Components: ESN admin, ICA Client, NFuse 1.61, ESN, SQL Database, MetaFrame Farm 1, MetaFrame Farm 2, MetaFrame Farm 3, MetaFrame Farm n. Connection labels: HTTP/S, XML, JDBC, ICA.]
Example Security Scopes
[Diagram. Labels: Primary Account Authority, Secondary Account Authorities, Security Scopes, Publishers, ESN, SQL Database, Active Directory Domain, NT Domains in a trust relationship, UNIX NIS Domain, Novell NDS Tree, MetaFrame Farm 1, MetaFrame Farm 2, MetaFrame Farm 3, MetaFrame Farm 4. Connection labels: XML, JDBC.]
Account Mappings
• In order to provide single sign-on for users in multiple domains, ESN associates accounts in one domain to their corresponding accounts in other domains.
• There are two types of account mapping: Manual and Automatic
• Manual mappings are maintained by the end users
• Automatic mappings are created by the ESN administrator
• For farms in the ESN domain, no mapping is necessary
[Diagram labels: Account in Domain A, Account in Domain B, Account in Domain C]
Defining the ID Mapping Policy
• For each farm added to ESN, you define an ID Mapping policy:
Screenshot callouts:
• Click here if this MetaFrame Farm is in the same domain as the ESN server.
• Click here to use “Manual” mapping, where end-users provide a username and password.
• Click here to use “Automatic” mapping, where users are unaware of the account they have in the foreign domain.
Manual Account Mapping
• Manual Mapping
  • Manual for the end user
  • Users must specify the username and password for the foreign domains
  • Until they do so, applications from publishers in those domains are not visible
  • ESN stores their password for future use
  • Passwords in the database are obfuscated, but this is not considered strong encryption. Admins are therefore warned to protect the database carefully
Automatic Account Mapping
• Automatic Mapping
  • Automatic for the end-user
  • ESN administrator must work with the domain administrator(s) to create a set of user accounts
  • The accounts should be new user accounts, all with the same password and all members of the same group
  • ESN users are mapped to the next available domain user account automatically
  • Domain B usernames are irrelevant, but passwords must be the same for all users in that group
  • The group name and group password must be provided to the ESN server
[Diagram labels: Account JohnB in Domain A. An unassigned user in Domain B is chosen to be associated with JohnB. Unused accounts in Domain B, all members of the same group.]
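The automatic mapping described above, modelled as an added example (not code from the presentation or from ESN itself). It goes one step beyond the slide by resolving Domain B logons back to the primary user, which matters because every pool account shares one password. The class name, account names, log format and case-insensitive user matching are all assumptions made for the illustration.

```python
# Added illustration of ESN-style automatic mapping; all names are hypothetical.
from dataclasses import dataclass, field

class PoolExhausted(Exception):
    """No unassigned account is left in the foreign-domain pool."""

@dataclass
class AutoMapper:
    pool: list                                   # unused Domain B accounts, one group
    mapping: dict = field(default_factory=dict)  # primary user -> Domain B account

    def account_for(self, primary_user):
        key = primary_user.lower()               # assumption: names are case-insensitive
        if key in self.mapping:                  # an existing association is reused
            return self.mapping[key]
        assigned = set(self.mapping.values())
        for acct in self.pool:                   # "next available" = first unassigned
            if acct not in assigned:
                self.mapping[key] = acct
                return acct
        raise PoolExhausted(primary_user)

    def attribute(self, logons):
        """Resolve Domain B logon events back to primary users.

        Returns (attributed, unmapped). Unmapped events are pool accounts used
        without any ESN association; they deserve review because all pool
        accounts share the same group password.
        """
        owner = {acct: user for user, acct in self.mapping.items()}
        attributed, unmapped = [], []
        for ts, acct in logons:
            if acct in owner:
                attributed.append((ts, acct, owner[acct]))
            elif acct in self.pool:
                unmapped.append((ts, acct))
        return attributed, unmapped

# Constructed sample data (not from the presentation).
POOL = ["esnpool01", "esnpool02", "esnpool03"]
LOGONS = [("2002-01-15T09:02", "esnpool01"),
          ("2002-01-15T09:05", "esnpool03"),
          ("2002-01-15T09:07", "esnpool02")]

def demo():
    m = AutoMapper(POOL)
    m.account_for("DOMA\\JohnB")
    m.account_for("DOMA\\MaryK")
    m.account_for("doma\\johnb")   # same user again: no new pool account consumed
    return m.mapping, m.attribute(LOGONS)

if __name__ == "__main__":
    print(demo())
```

Because Domain B only ever sees the pooled account name, the mapping table is the sole link between a Domain B event and a real person, so it needs the same protection and retention as the logs themselves.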
Sample Deployment Scenario 1 • General ESN Deployment
Sample Deployment Scenario 2 • ESN Deployed in its own Security Scope
Sample Deployment Scenario 3 • Multiple Publisher Security Scopes, ESN in its own Security Scope
Sample Deployment Scenario 4 • Multiple Security Scopes, ESN in a Publisher Security Scope
Installing NFuse Enterprise 1.0
• The NFuse Enterprise Web Server
  • Windows 2000 Server in a Domain
  • IIS 5.0 with SSL enabled, NFuse 1.61 or later
  • Java Development Kit 1.3.1 (not just the JRE). Set a JAVA_HOME system environment variable equal to the JDK location, e.g. c:\jdk1.3.1_01
  • Apache Tomcat 3.2.3 gets installed and integrated with IIS for you as part of the setup process. “Tomcat Jakarta” service will be added to the Services control panel
• The Database Server
  • May be the same machine as above
  • Microsoft SQL 7.0 or SQL 2000 (no Oracle support in version 1.0)
  • Database will be created automatically and named “NFUSE” by default
  • Installer creates a SQL logon account
  • ESN uses NetDirect’s JDataConnect JDBC library to connect to the database
[Diagram labels: JDBC, NFUSE]
Installing NFuse Enterprise
• MetaFrame Server Farms
  • All MetaFrame servers must be MetaFrame XP FR1 for Windows or MetaFrame 1.1 FR1 for UNIX (or later)
  • MetaFrame servers must be in some sort of domain (NT4, ADS, NDS, NIS, NIS+), not just a workgroup
  • XP FR1 contains an upgraded version of the XML service required for NFuse Enterprise
Note: ESN ≠ MetaFrame. The ESN server should not also be a MetaFrame server. If it is, be sure to move the Citrix XML service to its own port (8080); don’t attempt to share the port with IIS.
Installation and initial configuration MSI-based installation • After installing Win2K SP2, IIS, NFuse 1.61, JDK 1.3.1, and MS SQL Server, you are ready to install NFuse Enterprise • The SQL Server can be on a separate machine, but for the 1.0 release NFuse 1.61 and ESN 1.0 must be on the same server
Files copied to Program Files\Citrix: \Program Files\Citrix\NFuse Enterprise\ • By default, Tomcat and some ESN configuration files are installed beneath \Program Files\Citrix. • End-user web pages are also created beneath Inetpub\wwwroot\Citrix\NFuseEnterprise.
IIS-Tomcat integration requires IIS restart IIS is restarted during setup • To continue installation, you must agree that it is OK to restart IIS • The installer modifies the IIS metabase for Tomcat integration • This action allows IIS to provide Java servlets through the normal HTTP port (80) instead of the default Tomcat port (8080)
Creating the NFUSE database MS SQL Server Database creation • If this is the first ESN server, choose to install the database. • You may change the database name to something other than NFUSE if desired • If you are adding an ESN server to an existing deployment, don’t install the database again
SQL Server Authentication: Database admin accounts
• First, enter the SQL username and password of a SQL system admin (like sa). The password cannot be blank.
• Next, enter a new SQL login and password. The installer will create this account and a new role (EUPH_Role) for accessing the database from now on. Don’t forget the password…
Screenshot callouts:
• Must be an existing SQL system administrator. The password cannot be blank.
• Installer will create this new SQL login.
First time setup - Configuring database access
Configure the ESN web server (first time only). Go to http://<ESN_server>/NFuseEnterprise/admin/
• Each ESN server needs to be told where the NFUSE database resides, and what SQL login to use (there may be more than one ESN server per database). Enter the database details here.
• Version 1.0 supports MSSQL only; later versions will add support for Oracle
• The database user entered here should match the “NFuse Enterprise system user” created during installation
Select the Primary Account Authority Type Select the ESN Server Account Authority Type • The ESN server must belong to an NT4, Active Directory, NDS or NIS domain. Select the authority type from the drop-down menu and provide additional details if necessary. • Users will log into NFuse Enterprise using credentials from this authority • Accounts from this authority can be mapped to accounts in other domains
Define ESN Administrators Group Select the ESN Server Account Authority Type • As with the CMC, a group of administrators is recognized as having authority to alter ESN settings. Select a group from the drop-down menu. • In order to add MetaFrame farms to the ESN site or make any other behavioral changes, you must log into the admin site as a user who belongs to this group.
Log in to /NFuseEnterprise/admin/login
Log in to configure ESN preferences: http://<ESN_server>/NFuseEnterprise/admin/login
• After completing the first-time setup screens, you can log in as an NFuse Enterprise administrator.
• You must log in with an account that belongs to the group selected on the previous screen
ESN Administration - Overview Web-based GUI admin tool
ESN Administration - Farms Add farms to NFuse Enterprise
ESN Administration - Appearances Customize end-user appearances for each group
ESN Administration – Global Settings: Configure ESN administrators, single sign-on
• To enable single sign-on, add the following line to NFuse.conf:
  NFuseEnterprisePassword=secret
• Enable only “Windows Authentication” in IIS on the /Citrix/NFuseEnterprise folder
• Enable the “Allow web-server based authentication” checkbox, add the IP address of the NFuse web server (127.0.0.1) and its password as a Presentation Tier Identity
• Users who are authenticated at their workstations will now receive their applications without having to sign in!
More detail: Single Sign-On
• Workstation, already authenticated to the Domain, visits website using Internet Explorer
• IIS, set for Integrated Windows Authentication, triggers NTLM authentication at the web server. IIS now knows the username
• NFuse.conf configured with an NFuseEnterprisePassword entry
• Web server identified by ESN as a Presentation Tier Identity. App icons are returned to the user
• ICA clients must be configured to use Desktop Credentials Pass-Through
[Diagram labels: HTTP, IIS, NFuse 1.61, XML, ESN, MetaFrame Farm, ICA Client]
ESN Administration – Group Settings: Configure Independent Group Default Settings
• Each domain group can be given its own set of defaults for home farm, appearance, window size, color depth, audio and encryption, including whether to allow users an override option
• A user should not belong to more than one configured group
ESN Administration – Event log • Events are stored in the ESN database and can be searched/filtered for recent events. • The “Never discard” option is enabled by default, but should be changed after installation so that the database does not grow indefinitely.
Sample HTML event log Event log can be exported to a text file
ESN Administration – Online Help Online Help is included in the administration tool
The end-user view
Users sign on to the primary domain: http://<ESN_server>/Citrix/NFuseEnterprise/
• End users connect to the URL shown above
• If single sign-on has not been enabled, users will be prompted to sign on using credentials from the authority to which the ESN server belongs
• Signing on as a guest, if permitted from the Global Settings page, will allow connectivity to anonymous applications
Viewing applications Users sign on to the primary domain • Applications from foreign domains with manual account mapping will not appear until the user provides credentials for those domains • Users can choose between tree view or folder view • App list can be searched for keywords
End-user Settings
• If permitted by the admin, users can alter settings
• Enables app-specific settings override, e.g. make one app 800x600 but leave all others set to seamless
Changing passwords, expired or not Manage primary and secondary IDs • Click the ‘Edit Table’ button to manage login IDs in foreign domains • If your primary password has expired, you are prompted by the web server to change it • After signing on, you can click the User IDs tab to change your primary password