Article Id 194738
Description

You can use the FortiClient Host Security application to provide individualized web filtering for users of Citrix or Windows Terminal Server on Windows networks.

This article provides notes about installing the FortiClient application and configuring FortiGate firewall policies in this environment.

Components
  • FortiClient 3.0 Host Security application (MR5 or later)
  • Citrix Presentation Server 4.5 or Windows Terminal Services
  • Windows Server 2003 or Windows Server 2008 Beta 3

Installation on Windows Terminal Server

On a single Windows Terminal Server, the standard FortiClient installation works as expected, allowing filtering policies to be created for both local and domain users.

If you want to install the FortiClient application on multiple terminal servers with the same FortiClient configuration, there are two ways to easily propagate the configuration to all terminal servers:

  • Use FortiManager to manage the FortiClient configurations. For more information, see the FortiManager Administration Guide.

or

  • Configure the FortiClient application on one terminal server. Using regedit.exe, export the FortiClient key HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient and import it onto the other terminal servers.
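
The registry export/import route, as an added example that is not part of the original article or Fortinet's code: because a .reg file is applied to HKEY_LOCAL_MACHINE by an administrator, the script checks the file's SHA-256 before importing and backs up the existing key first. The script parameters and the default file path are assumptions; run it elevated with -Mode Export on the configured server, then with -Mode Import and the printed hash on each other terminal server.

```powershell
# Added example (not Fortinet code). The default $RegFile path is a hypothetical placeholder.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$RegFile = 'C:\Deploy\forticlient-config.reg',   # hypothetical location
    [string]$ExpectedSha256                                   # required for Import
)

$RegKey = 'HKLM\Software\Fortinet\FortiClient'    # key named in the article
$PsKey  = 'HKLM:\Software\Fortinet\FortiClient'   # same key, PowerShell provider syntax

# SHA-256 of a file as an uppercase hex string, using .NET directly.
function Get-Sha256([string]$Path) {
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

# Run reg.exe with the given arguments and stop on a non-zero exit code.
function Invoke-Reg {
    & reg.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $args failed (exit code $LASTEXITCODE)" }
}

switch ($Mode) {
    'Export' {
        # Remove any stale file so reg.exe does not prompt or keep old content.
        if (Test-Path -LiteralPath $RegFile) { Remove-Item -LiteralPath $RegFile }
        Invoke-Reg export $RegKey $RegFile
        "SHA-256 of ${RegFile}: $(Get-Sha256 $RegFile)"
    }
    'Import' {
        if (-not $ExpectedSha256) { throw 'Import requires -ExpectedSha256 (the value printed by Export).' }
        $actual = Get-Sha256 $RegFile
        if ($actual -ne $ExpectedSha256.Trim()) {
            throw "Hash mismatch for ${RegFile}: got $actual. Refusing to import."
        }
        # Keep a copy of the current key so the change can be rolled back.
        if (Test-Path -LiteralPath $PsKey) {
            $backup = Join-Path $env:TEMP ('forticlient-before-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
            Invoke-Reg export $RegKey $backup
            "Existing key backed up to $backup"
        }
        Invoke-Reg import $RegFile
        "Imported $RegFile into $RegKey"
    }
}
```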

Installation on Citrix Presentation Server

When installing the FortiClient application, select the Custom installation option and make sure that you do not install the VPN feature. Citrix uses the Windows IPsec service, which the FortiClient VPN would disable.

After installing the FortiClient application, restart the Citrix server. The FortiClient installation can cause the Citrix console to lose communication with the server, and the restart resolves this.

FortiGate configuration

The FortiGate unit cannot authenticate Citrix or Windows Terminal Services users because it sees only the IP address of the terminal. These users are, however, authenticated by the Windows network when they log on.

Configure firewall policies as needed to permit the Citrix Server or Windows Terminal Server to access the Internet. These policies must:

  • have the server IP address as the source or destination
  • require no authentication
  • use a protection profile that has web filtering disabled.

Operation

When the user logs on to the Citrix or Windows Terminal Server, a FortiClient application instance starts and runs for the duration of the user's session. FortiClient web filtering applies the web filtering profile defined for that user.

If the user is logged on via Citrix, the remote FortiClient application's icon appears in the user's system tray. If the user's computer also has FortiClient installed locally, two FortiClient icons are visible. The remote FortiClient application's console pertains to the user’s environment on the server, with the user’s local drives appearing to the anti-virus component as network drives (C$, etc.).