This post has already been read 18736 times!
I was fortunate enough this week to speak to Rory from turbo.net after speaking to a Citrix CTP from xenappblog.com and was given a chance to test drive the Turbo Application Delivery method. Firstly, WOW! What an easy and simple way to deliver applications to Citrix workload’s. I was really taken aback by how easy it really was to deliver apps seamlessly to servers for users to consume, and in no time at all!! Seriously, it took about 10 minutes from logging in to having my first delivered published app available to my users, amazing!!
So, after the initial amazement I started to think of use cases that this could really bring some value to the IT Pro’s delivering apps day by day, after a couple of twitter chats with Rory i was drawn the the ability to add IP Routing to containerised apps within Turbo. I started to think, well – we could block rights to administration web portals (NetScalers) from default browsers and provide specific admin browsers with locked routing to ONLY allow the users to administer the NetScalers from those specific Apps. This open up loads of options around auditing and control of access to the admin portals without having to involve complex firewall rules and networking, its all done within the application itself, and in minutes !!
So, lets get going.
Lets assume we want to publish 2 Google Chrome Browsers, 1 for general internet use (without access to admin the NetScalers) and a specific Admin Browser with Access to the NetScalers Only.
NetScaler IP Address: 192.168.0.101
Local Network: 192.168.0.0/24
First, my CTP Friend has already written an excellent blog on getting started with Turbo. This can be found here: http://xenappblog.com/2016/getting-started-with-turbo/ and is well worth a read. I will walk you through downloading and setting up Turbo but Eric will walk you through automating the install!!
From your Citrix Server open up a browser and go to https://turbo.net
Click the Install Turbo Client link
Save the client to your desktop
Search for the command prompt and run it as administrator
Navigate to your downloads and run:
turbo-plugin.exe –all-users
Let the install run though, as you are installing it for all users your server will need to restart
While the install is running lets set up the 2 applications in Turbo.
Switch to an internet browser and navigate to https://turbo.net and log in as your admin account to the portal. You will be shown a list of published applications, in this case – none!
Click on the Hub tab
Click on Browsers on the right
Click on add next to Chrome
Rename the application to Chrome No Routes (This will be the default browser for the users – NO Administration Access
Click Save – this will default to the latest release and allow all internet access outbound – it WONT have any plugging however – that will be covered in another article
Once added and displayed in your portal click the clone icon.
Give the clone application a name Chrome NetScaler Admin – this will be the application we will restrict to only have access to our NetScalers
Click on Save and once displayed click the settings icon next to your NetScaler Admin application
Click on the Network tab then the Routes option
Add the following routes:
IP://0.0.0.0 – Deny – this will deny ALL outbound IP Traffic from the application
IP://192.168.0.101 – Allow – this will enable access to the NetScaler Admin Portal
Click save to commit the changes to the application
By this time your Turbo client should have installed and your server restarted. Log back into the server and run a command prompt as an administrator
Run the command:
turbo login
Login as your org account
run the command:
turbo subscribe –all-users bretty (bretty being the name of your user that you use for Turbo)
You will see your applications sync to your server
If you look in the Start Menu you will see your new applications available to run and use
Lets first run up the NetScaler Admin Browser
The first time the app runs it will cache and download the application container
Once it has launched lets test accessing our NetScaler Admin Portal
Excellent! We can access the portal – thats our network route to 192.168.0.101 being allowed. Lets try accessing google.com
Denied! Excellent – outbound internet access is being denied. What about another address on my local network. My router on 192.168.0.1
Also denied – brilliant! So thats the Admin browser sorted out – users can ONLY Access out NetScaler Admin portal and nothing else from the published browser.
Lets move onto our default user browser.
First lets try google.com
Excellent – outbound internet access is allowed from the published browser
Lets try out NetScaler Portal
Not good – we only want access to this to be allowed from the Admin Application
how about another address on the local network
OK – allowed. Not good. We want to block access to admin portals from the general browser and only allow it from the admin browser.
Switch back to the turbo.net admin portal and open up the Chrome No Routes application for editing. Navigate to the Network Tab then routes
Add a route to DENY access to the local network. NOTE: This is a CIDR block address of /24 – this is blocking access to the whole local subnet – you can add individual addresses here rather than a whole subnet.
Save the route and switch back to your server.
Open up the admin command prompt and re-run the subscribe command to update the applications
Relaunch Chrome No Routes
Test Google again
Great – still working. Now try an address on the local subnet
BLOCKED! Excellent.
Thats how to publish 2 browsers using Turbo.net one for Admin access to specific portals and one for general access with denied access to admin portals. A great use case for all those occasions where you need to lock down admin access but don’t have access to complex firewall rules and static IP addresses to restrict access.
Just publish those apps on your existing XenApp or XenDesktop estate and you have some bullet proof browser deployments for your users to consume.
Hope this help some of you out.
Got to say a massive thank you to Rory from Turbo, not only for his assistance with setting up my access to this great product but also for being professional and helpful when i approached him with questions. A true credit to a massively innovative company.
Check out his blog at : http://www.rorymon.com/blog/
Thats it for now.
Laters,
b@m
Great post. Another awesome scenario is e.g. you have a Web app that only works with IE8 & Java 6.x. Out of the box that browser would be very unsecure, so by using the rules you can now open that unsecure browser only for that Web app URL.
Agreed, so many possibilities with this product.
Only the beginning I feel!!
interesting 🙂 but how will you deal with SSL certs inside turbo container? Did you try https://FQDN of nsip?
Not tried that! Thanks for the tip, will Deffo check it out when I get a moment 🙂