June 22, 2010
If different users share the same IP address, as they do on a Citrix/Terminal Server where every session's requests leave from the server's own address, IP-mapped (transparent) authentication will not work because iPrism cannot tell which user sent a given request. The appropriate configuration for these environments is Proxy Mode.
This document applies only to Windows Auto-Login authentication issues encountered with iPrism and Citrix/Terminal Servers. If Windows Auto-Login authentication is not being used, no special configuration is required on the iPrism or the Citrix/Terminal Servers.
In order to configure Auto-Login to work from a Citrix/Terminal Server, you must first meet the following requirements:
Citrix/Terminal Servers must be members of the same domain as the iPrism, or of a trusted domain, and must run Internet Explorer 5.0 or later.
Windows Authentication must be functional on the iPrism and enabled for proxy mode.
You must have a basic understanding of Active Directory and Group Policy.
iPrism must be running version 3.3 or later.
iPrism Auto-Login will only function correctly in Proxy mode on a Citrix/Terminal Server. Two different topologies can be used, depending on whether the network also contains workstations that are not thin clients.
If the only clients that will be filtered by the iPrism are thin-client devices using Citrix/Terminal Server, then the iPrism can be placed in standalone mode. Standalone mode requires only that the internal interface of the iPrism be connected to the network (see Figure 1).
If there will be a mixture of thin clients and workstations, the iPrism can be installed in transparent or standalone mode. Transparent mode requires that both the internal and external interfaces be connected to the network (see Figure 2).
Note: If standalone mode is used, all workstations must be configured to use the iPrism as a proxy server.
The proxy server setting on a Citrix/Terminal Server is user-specific (it is stored in each user's profile), so the server must be configured so that every user who logs on receives the proxy setting. The preferred way to do this is to push the settings down from Active Directory via Group Policy or a Login Script. See:
Configuring Clients to Proxy using Group Policy or Login Script
Note: it is recommended that internal traffic be exempted from being sent to iPrism; see the "Tip" below. The exceptions can be included in the Group Policy.
The "Group Policy" and "Login Script" deployments above can easily be verified by checking for the expected proxy settings in the browser, as follows:
Allow enough time for the Group Policy to refresh.
Log into the Citrix/Terminal Server as a test user.
Open Internet Explorer and go to Tools > Internet Options > Connections > LAN Settings. Verify that the "Use a proxy server..." setting is checked and that the correct iPrism address and port are entered.
Tip: by clicking the Advanced button in the LAN Settings dialog, internal traffic can be exempted from being sent to iPrism, so that only Internet-bound requests are proxied. We recommend that you add exceptions for local resources based on both IP range and domain name, as in the example shown below.
Note: specifying exceptions can be included in the group policy deployment of proxy settings as described in:
Configuring Clients to Proxy using Group Policy or Login Script (look for highlighted "Exceptions" field)
If using the iPrism as a proxy, it is recommended that you secure access to the LAN Settings dialog in Internet Explorer (for example, with the Group Policy setting that prevents users from changing proxy settings). If a user can clear the "Use a proxy server..." setting, the browser connects directly and that user bypasses the iPrism entirely.
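The following PowerShell logon script is an added example and is not part of the iPrism article; it shows the three steps above (push the per-user proxy setting, add the internal exceptions, verify and confirm the LAN Settings lockdown) in one place. The iPrism address 10.0.0.10, the port 3128, and the internal ranges and domain in the exception list are assumed values for illustration; the registry locations are the standard ones Internet Explorer and the "Prevent changing proxy settings" Group Policy setting use.

```powershell
# Added example, not from the iPrism documentation. A per-user logon script for a
# Citrix/Terminal Server that writes the Internet Explorer proxy settings the iPrism
# needs, exempts internal traffic, and then verifies the result the way the
# LAN Settings check above does, including whether the dialog has been locked down.

$ProxyServer   = '10.0.0.10:3128'                          # ASSUMED iPrism address:port
$ProxyOverride = '10.*;192.168.*;*.corp.example;<local>'   # ASSUMED internal exceptions;
                                                           # <local> = hostnames without a dot

# WinINET/IE stores these values per user under HKCU, which is why this must run at
# every user's logon (Group Policy user logon script) rather than once per server.
$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Written by Group Policy: User Configuration > Administrative Templates >
# Windows Components > Internet Explorer > "Prevent changing proxy settings".
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-IPrismProxy {
    param([string]$Server, [string]$Override)
    Set-ItemProperty -Path $InetKey -Name ProxyEnable   -Value 1         -Type DWord
    Set-ItemProperty -Path $InetKey -Name ProxyServer   -Value $Server   -Type String
    Set-ItemProperty -Path $InetKey -Name ProxyOverride -Value $Override -Type String
    # A leftover automatic configuration script (PAC) would be used in preference
    # to the manual proxy, so make sure none is configured.
    Remove-ItemProperty -Path $InetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

function Test-IPrismProxy {
    # Returns a list of problems; an empty list means the settings match expectations.
    param([string]$Server, [string]$Override)
    $problems = @()
    $cur = Get-ItemProperty -Path $InetKey
    if ($cur.ProxyEnable -ne 1)           { $problems += 'ProxyEnable is 0: this user would bypass the iPrism' }
    if ($cur.ProxyServer -ne $Server)     { $problems += "ProxyServer is '$($cur.ProxyServer)', expected '$Server'" }
    if ($cur.ProxyOverride -ne $Override) { $problems += "ProxyOverride is '$($cur.ProxyOverride)', expected '$Override'" }
    if ($cur.AutoConfigURL)               { $problems += "AutoConfigURL '$($cur.AutoConfigURL)' would take precedence over the manual proxy" }

    # The lockdown is delivered by Group Policy (users cannot write HKCU\Software\Policies
    # themselves), so it is only checked here, not set.
    $lock = Get-ItemProperty -Path $PolicyKey -Name Proxy -ErrorAction SilentlyContinue
    if (-not $lock -or $lock.Proxy -ne 1) { $problems += 'LAN Settings are not locked: users can clear "Use a proxy server"' }

    return $problems
}

Set-IPrismProxy -Server $ProxyServer -Override $ProxyOverride
$issues = @(Test-IPrismProxy -Server $ProxyServer -Override $ProxyOverride)
if ($issues.Count -eq 0) {
    Write-Output "Proxy settings for $env:USERNAME verified: $ProxyServer, exceptions: $ProxyOverride"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit makes the failure visible in logon script logging
}
```

Run it as a user logon script; allow time for Group Policy to refresh before testing, then log on as a test user and compare its output with what the LAN Settings dialog shows. Because the lockdown value lives under HKCU\Software\Policies, which ordinary users cannot modify, the script reports its absence rather than trying to set it.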
Proxy Authentication will not work if another proxy server sits between the workstations and the iPrism. The Proxy-Authorization credentials are consumed by the first proxy that handles the request and are not forwarded to a parent proxy.
If using Basic Authentication, note that the browser sends the credentials base64-encoded, not encrypted, so anyone who can capture traffic between the client and the iPrism can read the username and password. Other forms of Direct Authentication, such as NTLM, use a challenge/response exchange in which the password itself is never sent over the wire.