
1 Citrix Secure Gateway v1.1 Technical Presentation, August 2002

2 What is Citrix Secure Gateway?
Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device.

3 Typical Layout
(Diagram: client workstations on the Internet; a firewall in front of the DMZ, which holds Citrix Secure Gateway and Citrix NFuse Classic; a second firewall in front of the internal network, which holds Citrix MetaFrame XP and/or MetaFrame for Unix. Labels: Secure Connectivity, Authentication, Access Mgmt.)

4 CSG traffic flow
(Diagram: the web browser talks HTTP/S to the secure web server running NFuse in the DMZ, with optional 3rd-party authentication; NFuse talks XML over HTTP/80 to the Citrix XML Service on the MetaFrame server farm and returns an .ICA file to the client; the ICA client connects over ICA/SSL on port 443 to the CSG server in the DMZ, which relays ICA to the MetaFrame server farm.)

5 CSG for Windows Gateway Service
Windows 2000 native Service
Runs in DMZ, does not require IIS installed
Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput
Utilizes Microsoft S-Channel for SSL/TLS functions
Server certificate required for SSL server authentication
Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer
GUI configuration tool
Small benefit from PCI based SSL accelerators

6 CSG for Solaris daemon
Solaris on SPARC v8 supported
Multithreaded Solaris daemon
Includes certificate management tools
Embedded OpenSSL for SSL/TLS functions
Server certificate required for SSL server authentication
Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer

7 Secure Ticketing Authority
Implemented as ISAPI DLL
Microsoft IIS WWW Service required
Extremely lightly loaded service
Redundant STAs can be defined
Service should not be reachable from outside DMZ
Communicates to CSG and NFuse via XML protocol over HTTP; port configurable
Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN
GUI configuration tool

8 CSG Ticketing
(Diagram: web browser and ICA client on the Internet; production secure web server running NFuse and the CSG server in the DMZ; Secure Ticketing Authority; production MetaFrame farm with the Citrix XML Service.)
1. Standard ICA name resolution (standard NFuse XML request to the XML Service).
2. CSG ticket requested from the Secure Ticketing Authority on application launch (ticket generation).
3. CSG ticket is delivered to the ICA client as part of the ICA file.
4. CSG ticket is delivered to the CSG server over ICA/SSL.
5. CSG server verifies the ticket with the Secure Ticketing Authority (ticket verification) and opens the ICA connection.
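The ticketing flow on slides 7 and 8, modelled as an added illustration rather than Citrix code: the real STA speaks XML over HTTP and uses Citrix's own ticket format, whereas here the STA is an in-memory class, the ticket is a random token, the ticket lifetime and the ICA-file keys are assumed, and the internal server address is a constructed sample value. The point it shows is why the design hides internal addresses: the client only ever holds an opaque, short-lived, single-use ticket, and the gateway learns the backend address only by redeeming it.

```python
"""Simplified model of CSG ticket generation and verification (illustration, not Citrix code)."""
import secrets
import time

TICKET_TTL_SECONDS = 100  # assumed lifetime; the real STA timeout is configurable


class SecureTicketingAuthority:
    """Issues single-use tickets mapping to an internal MetaFrame address.
    Only the STA stores the address; the ICA file carries just the ticket."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (internal address, expiry time)

    def request_ticket(self, server_address):
        # Step 2: NFuse asks for a ticket when the user launches an application.
        ticket = secrets.token_hex(16)  # 128 random bits, unguessable
        self._tickets[ticket] = (server_address, self._clock() + TICKET_TTL_SECONDS)
        return ticket

    def validate_ticket(self, ticket):
        # Step 5: CSG redeems the ticket. It is consumed on first use, so a
        # captured or replayed ticket cannot open a second session.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        address, expires = entry
        if self._clock() > expires:
            return None
        return address


def build_ica_file(ticket, gateway_host):
    # Step 3: NFuse returns an ICA file to the client. The keys are constructed
    # for this illustration; the client sees the gateway host and the ticket only.
    return {"gateway": gateway_host, "ticket": ticket}


def csg_accept_connection(ica_file, sta):
    # Steps 4 and 5: the client presents the ticket over ICA/SSL on 443; CSG asks
    # the STA for the internal address and only then relays the ICA session.
    address = sta.validate_ticket(ica_file["ticket"])
    if address is None:
        return {"accepted": False, "reason": "invalid, expired or reused ticket"}
    return {"accepted": True, "backend": address}
```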

9 Encryption and Connectivity
Secures ICA traffic only
SSL v3.0 or TLS v1.0 with 128-bit encryption
CSG Service uses single Server Certificate
Single CSG IP address is exposed to Internet
Ease of firewall traversal (uses port 443 only)

10 Authentication
Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG.
NFuse Classic supports various authentication methods:
– Microsoft NT Domain and Active Directory
– Novell NDS
– SmartCard
Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g. RSA SecurID®, SafeWord PremierAccess)
Authentication process is further secured using an HTTPS-configured NFuse Web server

11 Deployment with Citrix Secure Gateway
Citrix Secure Gateway is highly scalable
Build fault tolerant CSG arrays with industry standard load balancers
Multiple redundant STAs can be configured
CSG supports MetaFrame v1.8 and higher
CSG supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX
Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh

12 Deployment Issues
Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard secure proxy servers
CSG to STA and NFuse links do not have native encryption capabilities – use Windows 2000 server to server VPN
No client auto-reconnect; this feature is often not required across the Internet, for security reasons

13 Citrix Security Solutions
(Diagram: SSL Solutions – SecureICA, SSL Relay, Citrix Secure Gateway; VPN Solution. Note: CSG is a simple and secure, ICA-only solution.)

14 When to use SecureICA or SSL Relay
Use SecureICA when:
– Internal LAN / WAN / Intranet
– Secure DOS or Win 16 access is necessary
– Have older devices / ICA clients that cannot be upgraded
– Risk of man-in-the-middle attack is acceptable
Use SSL Relay when:
– Small number of MetaFrame servers to support (<5)
– No need to secure access at DMZ
– No need to hide server IP addresses, or NAT is used
– Need end-to-end encryption of data between client and server

15 When to use CSG or VPN
Use Citrix Secure Gateway when:
– Large number of servers to support
– Want to hide internal network addresses
– Want to secure from DMZ
– Need two-factor authentication (in conjunction with NFuse)
– Need non-intrusive client install, i.e. access from Internet cafes
Use a Virtual Private Network (VPN) when:
– Need two-factor authentication
– Need to create a secure pipeline for full (beyond ICA) network access
– Need to create secure tunnels between sites
– Want to secure from within DMZ
– Access is normally via same workstation, i.e. OK to install additional client
– Want to use IPSEC

16 Internet Café Solution
Build a complete, Java applet-based solution, which assumes nothing pre-installed on clients.
MetaFrame XPe
Citrix NFuse Classic 1.7
Citrix Secure Gateway
Replaceable authentication (e.g. RSA SecurID, SafeWord PremierAccess)
Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7)

17 What's new in CSG v1.1
Windows 2000 certification
List of IP addresses not to log (e.g. network load balancer)
All CSG logging to Windows system log
TLS v1.0 and SSL v3.0 (exclusive)
GOV, COM, or ALL crypto selection
FIPS certified crypto modules
No NFuse Extensions – NFuse Classic v1.7 natively supports CSG
Solaris platform Edition

18 CSG v1.1 availability
CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD
CSG v1.1 Windows (English) is fully internationalized for operation on non-English Windows
CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD
CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers

19 For More Information…
– Contact a local member of the Citrix Solutions Network
– Connect to Citrix Web site at:


