With the release of the Web Interface 5.3 version from Citrix we now finally have what appears to be seamless SmartCard Access for AGEE customers who want to maintain their current level of ICAProxy without the need to turn on VPN. This is significant because of the looming compliance with HSPD-12 which is being met by many Federal Agencies through the use of Smart or CAC cards.
What this means?
This means that you can have your end user base authenticate to the Access Gateway with their smart card and they should have all of their applications presented to them in the same manor they have today when they log in with AD credentials. I just finished testing mine and going through a dry run on my AGEE with the smart card and it works very well.
What do I need?:
You need to upgrade your Access Gateway Enterprise to 9.2 in addition to installing/upgrading your web interface to 5.3. There are some detailed directions located here: http://support.citrix.com/article/CTX124603
What I do not like about the solution is the assumption that every Citrix engineer is a Domain Administrator, using the article above you will be required to manually set this up for every AD Computer Object. Well, my farm will be well in excess of 100 servers and since we do not have domain admin access we will need to tie up an AD engineer for an entire day just to get the constrained delegation set up. What I like about this solution, however, is that I do not need to use the middleware. Currently we are using Active Identity as our middleware and it ties up about 30 megs per session on my XenAPP boxes. This, on a scale of 1000’s of users can equate into a sizable hardware savings and may make the time spent on the initial configuration worth it.
There is more to come on this subject this week as I blog from Synergy this week, if you are a Fed and are at Synergy please find me if you have any question, I am a big ugly guy with black glasses. If you have any questions on how we got ours to work please send me an email at email@example.com and I will call you and we can work through it together. You CAN do this without setting up VPN now and you don’t appear to need ISA Server or have to lose your EPA Scans by setting up an SSL Bridge. This is great news for a lot of us Feds who have been dealing with the HSPD-12 spector for some time now.
More to come! Stay tuned this week as I blog from Synergy.
Sorry for the short post, I plan to cover how you can log these users and write their usernames and IP’s into a SQL database for reporting and referencing.