Citrix Technical Overview: Access Gateway – Basic Features
Page 1: Citrix Technical Overview. Access Gateway – Basic Features

Citrix Technical Overview

Page 2

Access Gateway – Basic Features

Page 3

Access Gateway - Features

• Authentication, Authorization, Auditing
• Clients
• High Availability
• User Experience
• Administration and Scalability
• Endpoint Analysis

Differentiators (second part of the deck)

Page 4

Authentication

Supports most authentication mechanisms:
• Active Directory
• LDAP
• NTLM
• RADIUS
• TACACS+
• One-time password tokens
• Client certificates & smart cards
• Local store

Dual Source Authentication: two credentials (for example an LDAP password plus a RADIUS one-time token) must both succeed for one logon.

Cascading Authentication: several authentication servers are tried in priority order until one accepts the user.

Page 5

Authorization

• Policy-driven access, covering:
  • Authentication
  • Authorization
  • Session control
  • Auditing
• Wide variety of policy criteria:
  • Network information
  • Application access
  • Client certificate parameters
  • Client configuration (endpoint analysis results)
• Highly granular access control:
  • Policies bound at user, group, virtual IP (virtual server) and global level
  • HTTP authorization based on URL
  • TCP/IP authorization based on destination address and port
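The points above (policies bound at several levels, URL rules for HTTP and address/port rules for TCP/IP) are easiest to see as an evaluator. The following is an added example and not the appliance's own policy engine: the binding precedence it uses (user, then group, then virtual server, then global) and the default-deny fallback are this model's assumptions, and every user, group, address and path in it is constructed.

```python
# Added example: a model of Access Gateway-style authorization policy
# evaluation. Not the appliance's own engine; the binding precedence
# (user > group > virtual server > global) and the default-deny fallback
# are this model's assumptions. All names and addresses are constructed.
import fnmatch
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Request:
    user: str
    groups: list                # group memberships in priority order
    dst_ip: str
    dst_port: int
    url: Optional[str] = None   # path of an HTTP request; None for raw TCP/IP


@dataclass
class Policy:
    name: str
    action: str                 # "ALLOW" or "DENY"
    url: Optional[str] = None   # HTTP rule: glob matched against the URL path
    net: Optional[str] = None   # TCP/IP rule: destination network in CIDR form
    port: Optional[int] = None  # TCP/IP rule: destination port

    def matches(self, req: Request) -> bool:
        """Every criterion set on the policy must hold for the request."""
        if self.url is not None:
            if req.url is None or not fnmatch.fnmatch(req.url, self.url):
                return False
        if self.net is not None and ip_address(req.dst_ip) not in ip_network(self.net):
            return False
        if self.port is not None and req.dst_port != self.port:
            return False
        return True


@dataclass
class Bindings:
    """Policies bound at the four levels the slide lists."""
    user: dict = field(default_factory=dict)     # user name -> [Policy]
    group: dict = field(default_factory=dict)    # group name -> [Policy]
    vserver: list = field(default_factory=list)  # virtual server (VIP) level
    global_: list = field(default_factory=list)  # global level
    default_action: str = "DENY"                 # nothing matched: deny

    def evaluate(self, req: Request):
        """Return (action, policy name) for the first matching policy,
        walking the binding levels from most to least specific."""
        levels = [self.user.get(req.user, [])]
        levels += [self.group.get(g, []) for g in req.groups]
        levels += [self.vserver, self.global_]
        for policies in levels:
            for policy in policies:
                if policy.matches(req):
                    return policy.action, policy.name
        return self.default_action, "default"


# Constructed sample configuration.
BINDINGS = Bindings(
    user={"alice": [Policy("alice_no_hr", "DENY", url="/hr/*")]},
    group={
        "staff": [Policy("staff_intranet", "ALLOW", url="/intranet/*"),
                  Policy("staff_hr", "ALLOW", url="/hr/*")],
        "netops": [Policy("netops_ssh", "ALLOW", net="10.20.0.0/16", port=22)],
    },
    vserver=[Policy("block_rdp", "DENY", port=3389)],
    global_=[Policy("corp_net", "ALLOW", net="10.10.0.0/16")],
)


def decide(user, groups, dst_ip, dst_port, url=None):
    return BINDINGS.evaluate(Request(user, groups, dst_ip, dst_port, url))


if __name__ == "__main__":
    print(decide("alice", ["staff"], "10.10.7.7", 80, "/hr/payroll"))  # user-level deny wins
    print(decide("bob", ["staff"], "10.10.7.7", 80, "/hr/payroll"))    # group-level allow
    print(decide("bob", ["staff"], "10.20.1.5", 22))                    # no rule: default deny
    print(decide("carol", ["netops"], "10.20.1.5", 22))                 # TCP/IP allow
    print(decide("bob", ["staff"], "10.10.5.9", 3389))                  # vserver deny beats global allow
```

The two things worth checking in any real policy set are visible in the sample: a deny bound closer to the user overrides a broader allow, and a request that matches nothing falls through to the default action, so the default must be deny.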

Page 6

Auditing

• Full administrative audit trail: all management operations logged
• Full user activity audit trail: all session activity and all network flows
• All system events logged
• Support for external logging servers

Page 7

Clients

Two types of client delivery:
• Secure Access Client – natively installed application that remains resident in the system tray
• Plugin – ActiveX or Java control dynamically downloaded and executed via HTML

Connecting to XenApp applications only: all XenApp clients v6.3 or later, including
• Windows NT/2000/XP
• Windows Vista
• MacOS 9 & 10
• Linux & Java
• Windows CE
• UNIX

Connecting to any IP-based application: Secure Access platforms
• Windows Vista/2000/XP
• Java (used by Mac & Linux)
• PocketPC

Page 8

Endpoint Analysis

• Checking for specific client criteria

• Scans can be run pre and post logon

• Results used for policy evaluation and SmartAccess decisions

• Connecting Windows machines can be scanned for any combination of:

• Files

• Processes

• Registry entries

• System services

• Operating System

• Hotfixes

• Client certificates

Page 9

Ease of Management and Administration

• Management console with wizards
  • To simplify common tasks
  • For easier integration with XenApp
  • For complex tasks
• Delegated administration roles: Read-Only, Operator, Network, Superuser
• Command line interface (for advanced admins)

Page 10

Scalability

Appliance models and rated concurrent users (slide legend: one figure = 100 users):
• 7000 series – 2,500 users
• 9000 series – 5,000 users
• 10000 series – 10,000 users

Page 11

High Availability Pairing

Diagram: a master and a backup appliance share the virtual address vpn.company.com (10.10.10.1); network health-check packets are exchanged between them.

Two appliances can form an active/passive cluster:
• Health-checking packets constantly exchanged between the pair
• When the primary fails, the secondary assumes the IP address

User sessions are HA aware:
• All sessions are replicated on the secondary
• “show aaa session” on the secondary shows the active users

Page 12

Other Features

• VoIP support
• Universal licensing
• Client-side cleanup
• Server-initiated connections
• FIPS 140-2 compliance
• *Common Criteria Certification (H2-2008)

Page 13

Differentiators

Citrix product family:
• Citrix XenApp™ – Deliver Windows Apps
• Citrix XenDesktop™ – Deliver Windows Desktops
• Citrix® NetScaler® – Deliver Web Apps

Page 14

Citrix Access Gateway and XenApp

Diagram: the Citrix delivery family between Users and Apps – Citrix® NetScaler® (Deliver Web Apps), Citrix XenApp™ (Deliver Windows Apps), Citrix XenDesktop™ (Deliver Windows Desktops), Citrix EdgeSight™ (Monitor Real-Time User Experience), Citrix WANScaler™ (Accelerate Apps to Branch Offices) and Citrix Access Gateway™ (Enable Secure App Access). Highlighted on this slide: Secure Delivery of Windows Applications.

Page 15

Access Gateway & XenApp SmartAccess – Data Protection

Diagram (WHO / WHAT / HOW):
• WHO – Endpoint Analysis and Authentication: which user, what device, what location
• WHAT – Access control over XenApp applications, mail servers, web and file servers and network resources (other SSL VPNs only go this far)
• HOW – Launch with ICA, with per-session control of email, download, clipboard, save and print

Page 16

Access Gateway and XenApp

• Replace Secure Gateway with a hardened appliance

• Single logon experience to Web Interface

• Add support for all applications and protocols

• Add SmartAccess to application delivery

• Secure Application Virtualization

Best SSL VPN to use with XenApp

Page 17

Accessing XenApp Server

Components: client, Access Gateway, Web Interface, Secure Ticket Authority (STA), XenApp server farm.

1. User accesses https://agee.corp.ctx (SSL)
2. Access Gateway authenticates the user and validates the end-point
3. Access Gateway communicates the user credentials and policy conditions to Web Interface (HTTPS)
4. Web Interface displays the user’s set of applications (HTTPS)
5. User clicks an application icon
6. Web Interface requests a ticket from the Secure Ticket Authority (XML)
7. Web Interface sends the ticket to the user in an ICA® file
8. The ICA client launches and sends secure ICA traffic to Access Gateway (SSL)
9. Access Gateway validates the ticket against the STA (XML)
10. The ICA session is established (ICA)
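The security property of steps 6 to 9 is that the launch file carries an opaque ticket rather than credentials, and the gateway only learns the target server by redeeming that ticket with the STA. The simulation below is an added example, not Citrix's XML/STA wire protocol and not the real .ica file format: the STA is an in-memory table, Web Interface, client and gateway are plain functions, and the ticket lifetime, field names and addresses are assumptions. It shows why a replayed or stale launch file gets nowhere.

```python
# Added example: a simulation of the ticketed launch on page 17. This is a
# constructed model, not Citrix's XML/STA wire protocol or the real .ica
# file format: the STA is an in-memory table and Web Interface, client and
# gateway are plain functions. Ticket lifetime and the field names are
# assumptions.
import secrets
import time

TICKET_TTL_SECONDS = 100          # assumed lifetime for the model


class SecureTicketAuthority:
    def __init__(self, now=time.time):
        self._tickets = {}        # ticket -> (server address, expiry time)
        self._now = now           # injectable clock so expiry can be tested

    def request_ticket(self, server_address):
        """Step 6: Web Interface asks for a ticket naming the target server."""
        ticket = secrets.token_hex(16)      # opaque, unguessable
        self._tickets[ticket] = (server_address, self._now() + TICKET_TTL_SECONDS)
        return ticket

    def validate(self, ticket):
        """Step 9: Access Gateway redeems the ticket. Single use: the entry
        is removed whether or not it is still valid."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None                     # unknown or already used
        server_address, expires_at = entry
        if self._now() > expires_at:
            return None                     # expired
        return server_address


def web_interface_launch(sta, app_server):
    """Steps 6-7: build the launch file handed to the client. It carries the
    ticket, never the user's credentials."""
    ticket = sta.request_ticket(app_server)
    return {"ticket": ticket, "gateway": "agee.corp.ctx:443"}


def access_gateway_connect(sta, ica_file):
    """Steps 8-10: the client presents the launch file over SSL; the gateway
    only learns where to connect by redeeming the ticket with the STA."""
    server = sta.validate(ica_file["ticket"])
    if server is None:
        return ("REJECT", None)
    return ("ICA_SESSION", server)


def demo(clock):
    """Run the flow against a controllable clock (a one-element list holding
    the current time) and return the three outcomes."""
    sta = SecureTicketAuthority(now=lambda: clock[0])
    ica = web_interface_launch(sta, "10.10.20.5:1494")
    first = access_gateway_connect(sta, ica)      # fresh ticket: session set up
    replay = access_gateway_connect(sta, ica)     # same file again: rejected
    stale = web_interface_launch(sta, "10.10.20.5:1494")
    clock[0] += TICKET_TTL_SECONDS + 1
    late = access_gateway_connect(sta, stale)     # expired ticket: rejected
    return first, replay, late


if __name__ == "__main__":
    print(demo([1000.0]))
```

Two consequences follow for a deployment: the STA must be reachable from the gateway (page 45 lists that port), and the STA list configured on Web Interface and on the gateway must be the same set of servers, since a ticket is only known to the STA that issued it.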

Page 18

Secure Gateway Replacement (Modes)

Page 19

Citrix Access Gateway and XenDesktop

Diagram: the same Citrix delivery family as on page 14 (NetScaler, XenApp, XenDesktop, EdgeSight, WANScaler, Access Gateway). Highlighted on this slide: Secure Delivery of Windows Desktops.

Page 20

Secure Access & Delivery from the Data Center to the Desktop

Diagram: the user reaches Access Gateway over HTTPS and the desktop session runs as ICA + SSL from the user to Access Gateway; Access Gateway talks to XenDesktop over HTTPS with SSO and XML, and carries the session to the virtual desktops in the Data Center as ICA/CGP. Caption: Secure Desktop Virtualization.

Page 21

Secure Desktop Delivery with Access Gateway & XenDesktop

• Secures remote desktop delivery
  • Secure delivery of desktop virtualization
  • SmartAccess policies
• Provides the strongest data delivery protection
  • Hosted desktop and data stay in the data center
  • End point device compliance with security policies
  • Hosted desktop isolated from the local desktop
  • Enables a "Bring-Your-Own-PC" asset model
• Dramatically simplifies desktop management
  • Reduces the cost of desktop computing by up to 40%

Page 22

Access Gateway Redirecting to XenDesktop

• Access Gateway supports single sign-on to Web Interface by default
• Available XenDesktops can be based on SmartAccess
• The XenDesktop session is securely delivered through Access Gateway
• The user is connected to their desktop

Page 23

Secure Access and XenDesktop

• A secure connection is established between the client and Access Gateway
• SmartAccess determines which applications are delivered
• The XenDesktop session is tunneled through the Citrix Access Gateway client

Page 24

Citrix Access Gateway and NetScaler

Diagram: the same Citrix delivery family as on page 14 (NetScaler, XenApp, XenDesktop, EdgeSight, WANScaler, Access Gateway). Highlighted on this slide: Delivering Web Applications (Network Architect Line-of-Sight).

Page 25

Access Gateway and NetScaler: Business Continuity & Disaster Recovery

Diagram: one URL for the website (corp.xyz.com) is answered by the primary site or, on failover, by the DR Site, supporting “active-passive” site failover.

Global Server Load Balancing:
• Route client connections to the nearest or most available site
• Implement multi-site disaster recovery

Page 26: Citrix Technical Overview. Access Gateway – Basic Features

InternetWeb App

Users

Legitimate traffic

allowed through

Application Attacks Blocked

Citrix NetScaler Platinum Edition(Includes Access Gateway

Enterprise Edition)Application

Infrastructure

Network Access

Access Gateway & NetScaler Application Firewall

Protecting back-end web applications and data• Better Data Protection and Better User Experience

• Real-time protection for application and application logic

• Accelerated Secure access and delivery of data

Page 27

New Features in 8.1

Page 28

8.1 Main Features/Benefits

Feature: Clientless, browser-based access (Phase 1 – OWA 2003/2007 and simple HTTP rewrite)
Benefit: Access resources from any PC without the need for the full Secure Access Client

Feature: Installation wizards & revamped documentation
Benefit: Easier installation and configuration

Feature: Access scenario fallback with client choices
Benefit: Ability to set rules that dictate how users may access resources based upon EPA results (full client or ICA only). Users have options when they successfully pass the EPA scan.

Feature: Vista client
Benefit: Expand opportunities

Feature: Enhanced NavUI with XenApp applications list
Benefit: Provide a seamless user interface to XenApp applications

Feature: FTA – File Type Association
Benefit: Ability to automatically launch a XenApp published application when a file is double-clicked for viewing

Page 29

Clientless Access – URL Rewriting

• Allows a secure clientless connection
• Supports:
  • Portal page
  • Generic web sites
  • Outlook Web Access Light
  • Outlook Web Access Premium

Page 30

Clientless Access – Email Support

Page 31

Clientless Access - URL Rewriting

Example: a request for http://www.google.com is rewritten to https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/ (the path segment after /cvpn/ is the Base64 encoding of the original URL).
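Because the path segment is client-supplied, any rewriter of this shape will fetch whatever URL a caller encodes unless the decoded target is checked. The code below is an added example, not Citrix's implementation: it encodes and decodes the /cvpn/<Base64 URL>/ form from the slide, carries any trailing path and query over to the origin, and rejects targets that are not http(s) to an allow-listed host. The gateway name and the allow-list are assumptions; the slide's own token is used as the test vector.

```python
# Added example: encoder/decoder for the /cvpn/<Base64 URL>/ form shown on
# the slide, plus the check a practitioner would put in front of any such
# rewriter: the decoded target must be an allow-listed http(s) host, because
# the path segment is client-supplied. The gateway name, the allow-list and
# the remainder-path handling are assumptions, not Citrix's implementation.
import base64
import binascii
from urllib.parse import urlsplit

GATEWAY = "https://gateway.corp.com"
ALLOWED_HOSTS = {"www.google.com", "intranet.corp.com"}   # constructed


def rewrite(target_url):
    """Turn an absolute target URL into its clientless-access form. The
    URL-safe alphabet is used so the token never contains '/', which would
    be split as a path separator; the slide's token has no '+' or '/' so it
    is identical in both alphabets."""
    token = base64.urlsafe_b64encode(target_url.encode("utf-8")).decode("ascii")
    return f"{GATEWAY}/cvpn/{token}/"


def resolve(rewritten_url):
    """Recover the origin URL from a rewritten one, carrying over any path
    and query after the token. Raises PermissionError for targets outside
    the allow-list and ValueError for malformed input."""
    parts = urlsplit(rewritten_url)
    segments = parts.path.split("/")            # ["", "cvpn", token, rest...]
    if len(segments) < 3 or segments[1] != "cvpn" or not segments[2]:
        raise ValueError("not a clientless-access URL")
    token = segments[2].replace("-", "+").replace("_", "/")  # accept both alphabets
    token += "=" * (-len(token) % 4)            # restore padding if it was dropped
    try:
        target = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("undecodable token") from exc
    origin = urlsplit(target)
    if origin.scheme not in ("http", "https") or origin.hostname not in ALLOWED_HOSTS:
        raise PermissionError(f"target not permitted: {target}")
    rest = "/".join(segments[3:])
    result = target.rstrip("/") + "/" + rest
    if parts.query:
        result += "?" + parts.query
    return result


if __name__ == "__main__":
    print(rewrite("http://www.google.com"))
    print(resolve("https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/"))
    print(resolve("https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/search?q=citrix"))
```

The allow-list check sits after decoding and before any fetch; a rewriter that skips it is an open proxy into whatever the appliance's SNIP/MIP can reach.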

Page 32

Access Gateway Wizards

• Create or edit an SSL VPN virtual server – New!

• Configure certificates – New!

• Configure name resolution

• Configure authorization

• Default authorization action – New!

• Configure port 80 redirection – New!

• Configure clientless access – New!

• Published Applications – New!

• ICA connections – New!

Page 33

Client Choices

• Provides users with a choice of using the Secure Access Client or launching applications through Web Interface
• Use Client Security Expressions to conditionally control Secure Access Client availability

Page 34

Access Scenario Fallback

Access Scenario Fallback uses a Quarantine Group in addition to the “Client Security String”: a user whose endpoint fails the client security check is placed in the quarantine group and receives only the access bound to that group.
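The endpoint analysis items on page 8, the client choices on page 33 and the fallback above fit together as one decision: run the named checks, then either offer the client choice or quarantine. The following is an added example and not the appliance's scan engine: scan results are a plain record, the client security string is a list of named checks, and the two outcome tiers are this model's assumptions. The hotfix ID, process, service and registry names are made up for the example.

```python
# Added example: a model of Access Scenario Fallback tying together the
# endpoint analysis checks (page 8), client choices (page 33) and the
# quarantine group (page 34). Constructed: scan results are a plain record,
# the "client security string" is a list of named checks, and the outcome
# tiers are this model's assumptions. The hotfix ID, process, service and
# registry names are illustrative.
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    """What a pre-logon endpoint scan of a Windows machine reports."""
    os: str
    hotfixes: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    services: set = field(default_factory=set)
    files: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)
    client_cert: bool = False


# The client security string: every check must pass for full access.
CLIENT_SECURITY_STRING = [
    ("supported OS",           lambda r: r.os in {"Windows XP", "Windows Vista"}),
    ("hotfix KB123456",        lambda r: "KB123456" in r.hotfixes),
    ("antivirus running",      lambda r: "avguard.exe" in r.processes),
    ("firewall service",       lambda r: "MpsSvc" in r.services),
    ("AV signatures < 7 days", lambda r: r.registry.get(r"HKLM\SOFTWARE\ExampleAV\SigAgeDays", 999) <= 7),
    ("corporate client cert",  lambda r: r.client_cert),
]

QUARANTINE_GROUP = "Quarantine"


def failed_checks(result):
    """Names of the checks the endpoint did not pass, in string order, so the
    reason for a fallback can be logged and shown to the user."""
    return [name for name, check in CLIENT_SECURITY_STRING if not check(result)]


def access_scenario(result, groups):
    """Decide the access scenario for a scanned endpoint.
    Passing endpoints keep their groups and may choose the Secure Access
    Client or Web Interface; failing ones are placed in the quarantine group
    and get Web Interface (ICA only)."""
    failures = failed_checks(result)
    if not failures:
        return {"tier": "full", "groups": list(groups),
                "choices": ["Secure Access Client", "Web Interface"], "failed": []}
    return {"tier": "quarantine", "groups": [QUARANTINE_GROUP],
            "choices": ["Web Interface"], "failed": failures}


# Constructed scan results.
COMPLIANT = ScanResult(os="Windows XP", hotfixes={"KB123456"},
                       processes={"avguard.exe", "explorer.exe"}, services={"MpsSvc"},
                       registry={r"HKLM\SOFTWARE\ExampleAV\SigAgeDays": 2}, client_cert=True)
STALE = ScanResult(os="Windows XP", hotfixes=set(),
                   processes={"avguard.exe"}, services={"MpsSvc"},
                   registry={r"HKLM\SOFTWARE\ExampleAV\SigAgeDays": 30}, client_cert=True)

if __name__ == "__main__":
    print(access_scenario(COMPLIANT, ["staff"]))
    print(access_scenario(STALE, ["staff"]))
```

Returning the failed check names matters operationally: a quarantine with no stated reason generates help-desk calls, and the same list is what an auditor will ask for when a device was let through.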

Page 35

Client Choices – User Interface

Page 36

Web Interface Look and Feel in NavUI

• The WI mode can be set to Normal or Compact, but the WI site must be configured in the same mode
• The home page is left blank to support the embedded WI

Page 37

Normal Mode

Page 38

Compact Mode

Page 39

Custom Mode

The WI site can be forced into an embedded mode by modifying the site properties. Refer to CTX114504 for complete details.

Page 40

Network Overview

Page 41

One-arm versus Two-Arm

Diagram: in both deployments the flow is 1) user request to the appliance, 2) request forwarded to the server, 3) server response to the appliance, 4) response returned to the user. In a one-arm deployment the appliance has a single interface on one subnet and both halves of the flow pass through it; in a two-arm deployment the client-facing and server-facing traffic use separate interfaces on separate subnets.

Page 42: Citrix Technical Overview. Access Gateway – Basic Features

5 Types of IP Addresses in Access Gateway • Virtual Server IP (VIP)

• Management IP (NSIP)

• Subnet IP / Mapped IP (SNIP/MIP)

• Intranet IP (IIP)

Administration and Authentication

End User

VIP SNIP/MIP

Backend ServerNSIP

IIP

Page 43: Citrix Technical Overview. Access Gateway – Basic Features

389/636 (TCP)

53 (UDP)

Basic Firewall and Port Rules

AGEE Admin

Remote End User

VIP

NSIP

CPS & WI

443,80 (TCP/HTTP) 3010, 3008 ,22 (TCP)

80, 8080, 443 (HTTP/TCP) 1494, 2598 (TCP)

443,80* (HTTP/TCP)

NSIP

DNS

* Port 80 used for https redirect

NSIP

AD / LDAP

SNIP

Page 44

Common Firewall and Port Requirements

Source          Destination     Port                Use
Internet        VIP             443                 SSL virtual server connections
Internet        VIP             80                  Port 80 redirection
Admin console   NSIP            22, 80, 3008, 3010  SSH, Web Tool, Java Admin Tool
NSIP            LDAP server     389                 LDAP
NSIP            LDAP server     636                 Secure LDAP
NSIP            RADIUS server   1812                RADIUS
NSIP            DNS server      53                  DNS queries

Page 45

WI/CPS Firewall and Port Requirements

Source          Destination     Port            Use
MIP/SNIP        Web Interface   80              WI over HTTP
MIP/SNIP        Web Interface   443             WI over HTTPS
MIP/SNIP        CPS server      1494 or 2598    ICA traffic
VIP             STA server      8080 or 443     STA communication
Web Interface   VIP             443             SSO callback