Presentation is loading. Please wait.

Presentation is loading. Please wait.

Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002.

Published byJaquan Hearne Modified over 10 years ago

Similar presentations

Presentation on theme: "Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002."— Presentation transcript:

1 Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002

2 2 2 What is Citrix Secure Gateway? Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device

3 3 3 Firewall Typical Layout Firewall Citrix MetaFrame XP and/or MetaFrame for Unix Citrix Secure Gateway Citrix NFuse Classic Client Workstations Secure Connectivity Authentication Access Mgmt. Internet DMZ Internal Network

4 4 4 CSG traffic flow HTTP/S Secure Web Server ServerWebBrowserWebBrowser MetaFrame Server Farm MetaFrame NFuseNFuse Citrix XML Service XML- HTTP/80 ICA/1494 443 ICA Client CSGServerCSGServer DMZ ICA/SSL 443.ICA file Optional 3 rd Party Authentication

5 5 5 CSG for Windows Gateway Service Windows 2000 native Service Runs in DMZ, does not require IIS installed Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput. Utilizes Microsoft S-Channel for SSL/TLS functions Server certificate required for SSL server authentication Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer. GUI configuration tool. Small benefit from PCI based SSL accelerators Windows 2000 native Service Runs in DMZ, does not require IIS installed Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput. Utilizes Microsoft S-Channel for SSL/TLS functions Server certificate required for SSL server authentication Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer. GUI configuration tool. Small benefit from PCI based SSL accelerators

6 6 6 CSG for Solaris daemon Solaris on SPARC v8 supported Multithreaded Solaris daemon Includes certificate management tools Embedded OpenSSL for SSL/TLS functions Server certificate required for SSL server authentication Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer. Solaris on SPARC v8 supported Multithreaded Solaris daemon Includes certificate management tools Embedded OpenSSL for SSL/TLS functions Server certificate required for SSL server authentication Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.

7 7 7 Secure Ticketing Authority Implemented as ISAPI DLL Microsoft IIS WWW Service required Extremely lightly loaded service Redundant STAs can be defined Service should not be reachable from outside DMZ Communicates to CSG and NFuse via XML protocol over HTTP. Port configurable Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN GUI configuration tool Implemented as ISAPI DLL Microsoft IIS WWW Service required Extremely lightly loaded service Redundant STAs can be defined Service should not be reachable from outside DMZ Communicates to CSG and NFuse via XML protocol over HTTP. Port configurable Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN GUI configuration tool

8 8 8 2. Ticket Generation 5. Ticket Verification 5. ICA/1494 3. ICA File 4. ICA/SSL CSG Ticketing Production MetaFrame Farm Production Secure Web Server Server NFuse Secure Ticketing Authority Secure Ticketing Authority ICA Client WebBrowserWebBrowser 1. Standard NFuse XML CSGServerCSGServer DMZ 3. ICA File XML Service 5. CSG server verifies ticket and opens ICA connection. 3.CSG ticket is delivered to ICA client as the part of ICA file. 4. CSG ticket is delivered to CSG server 2. Requested CSG ticket on application launch 1. Standard ICA Name Resolution

9 9 9 Encryption and Connectivity Secures ICA Traffic only SSL v3.0 or TLS v1.0 with 128-bit encryption CSG Service uses single Server Certificate Single CSG IP address is exposed to internet Ease of firewall traversal (uses port 443 only) Secures ICA Traffic only SSL v3.0 or TLS v1.0 with 128-bit encryption CSG Service uses single Server Certificate Single CSG IP address is exposed to internet Ease of firewall traversal (uses port 443 only)

10 10 Authentication Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG. NFuse Classic supports various authentication methods: – Microsoft NT Domain and Active Directory – Novell NDS – SmartCard Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g RSA SecurID®, SafeWord PremierAccess) Authentication process is further secured using an HTTPS configured NFuse Web server Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG. NFuse Classic supports various authentication methods: – Microsoft NT Domain and Active Directory – Novell NDS – SmartCard Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g RSA SecurID®, SafeWord PremierAccess) Authentication process is further secured using an HTTPS configured NFuse Web server

11 11 Deployment with Citrix Secure Gateway Citrix Secure Gateway is highly scalable Build fault tolerant CSG arrays with industry standard load balancers. Multiple redundant STAs can be configured. CSG supports MetaFrame v1.8 and higher. CSG Supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX. Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh. Citrix Secure Gateway is highly scalable Build fault tolerant CSG arrays with industry standard load balancers. Multiple redundant STAs can be configured. CSG supports MetaFrame v1.8 and higher. CSG Supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX. Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh.

12 12 Deployment Issues Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard secure proxy servers. CSG to STA and NFuse links do not have native encryption capabilities – use Windows 2000 server to server VPN. No client auto-reconnect. This feature is often not required across the Internet, for security reasons. Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard secure proxy servers. CSG to STA and NFuse links do not have native encryption capabilities – use Windows 2000 server to server VPN. No client auto-reconnect. This feature is often not required across the Internet, for security reasons.

13 13 Citrix Security Solutions SSL Solutions CSG is a simple and secure, ICA only solution SecureICA SSL Relay Citrix Secure Gateway VPN Solution

14 14 When to use SecureICA or SSL Relay Use SecureICA when: – Internal LAN / WAN / Intranet – Secure DOS or Win 16 access is necessary – Have older devices/ ICA clients that cannot be upgraded – Risk of man-in-the-middle attack is acceptable Use SSL Relay when: – Small number of MetaFrame servers to support (<5) – No need to secure access at DMZ – No need to hide server IP addresses, or NAT is used – Need end-to-end encryption of data between client and server Use SecureICA when: – Internal LAN / WAN / Intranet – Secure DOS or Win 16 access is necessary – Have older devices/ ICA clients that cannot be upgraded – Risk of man-in-the-middle attack is acceptable Use SSL Relay when: – Small number of MetaFrame servers to support (<5) – No need to secure access at DMZ – No need to hide server IP addresses, or NAT is used – Need end-to-end encryption of data between client and server

15 15 When to use CSG or VPN Use Citrix Secure Gateway when: – Large number of servers to support – Want to hide internal network addresses – Want to secure from DMZ – Need two-factor authentication (in conjunction with NFuse) – Need non-intrusive client install i.e. access from Internet cafes Use a Virtual Private Network (VPN) when: – Need two-factor authentication – Need to create a secure pipeline for full (beyond ICA) network access – Need to create secure tunnels between sites – Want to secure from within DMZ – Access is normally via same workstation i.e. OK to install additional client – Want to use IPSEC Use Citrix Secure Gateway when: – Large number of servers to support – Want to hide internal network addresses – Want to secure from DMZ – Need two-factor authentication (in conjunction with NFuse) – Need non-intrusive client install i.e. access from Internet cafes Use a Virtual Private Network (VPN) when: – Need two-factor authentication – Need to create a secure pipeline for full (beyond ICA) network access – Need to create secure tunnels between sites – Want to secure from within DMZ – Access is normally via same workstation i.e. OK to install additional client – Want to use IPSEC

16 16 Internet Café Solution Build a complete, Java applet-based solution, which assumes nothing pre- installed on clients. MetaFrame XPe Citrix NFuse Classic 1.7 Citrix Secure Gateway Replaceable authentication (e.g. RSA SecureID, SafeWord PremierAccess) Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7) Build a complete, Java applet-based solution, which assumes nothing pre- installed on clients. MetaFrame XPe Citrix NFuse Classic 1.7 Citrix Secure Gateway Replaceable authentication (e.g. RSA SecureID, SafeWord PremierAccess) Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7)

17 17 Whats new in CSG v1.1 Windows 2000 certification List of IP addresses not to log (e.g. network load balancer) All CSG logging to Windows system log TLS v1.0 and SSL v3.0 (exclusive) GOV, COM, or ALL crypto selection FIPS 140-1 certified crypto modules No NFuse Extensions – NFuse Classic v1.7 natively supports CSG Solaris platform Edition Windows 2000 certification List of IP addresses not to log (e.g. network load balancer) All CSG logging to Windows system log TLS v1.0 and SSL v3.0 (exclusive) GOV, COM, or ALL crypto selection FIPS 140-1 certified crypto modules No NFuse Extensions – NFuse Classic v1.7 natively supports CSG Solaris platform Edition

18 18 CSG v1.1 availability CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD CSG v1.1 Windows (English) is fully internationalized for operation on non- English Windows 2000. CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD CSG v1.1 Windows (English) is fully internationalized for operation on non- English Windows 2000. CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers

19 19 For More Information… For More Information – Contact a local member of the Citrix Solutions Network – Connect to Citrix Web site at: www.citrix.com/products/securegateway www.citrix.com/products/securegateway For More Information – Contact a local member of the Citrix Solutions Network – Connect to Citrix Web site at: www.citrix.com/products/securegateway www.citrix.com/products/securegateway

20

Download ppt "Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002."

Similar presentations

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.
SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.

SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Heroix Longitude - multiplatform, automated application performance monitoring and management software.

Heroix Longitude - multiplatform, automated application performance monitoring and management software.
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net 1 WX Client Rajoo Nagar PLM, WABU.

| Copyright © 2009 Juniper Networks, Inc. | 1 WX Client Rajoo Nagar PLM, WABU.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.

Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Installing Citrix Secure Gateway Andrew Wilmot Citrix Technical Business Development Manager Abcd IT Citrix Technical Overview.

Installing Citrix Secure Gateway Andrew Wilmot Citrix Technical Business Development Manager Abcd IT Citrix Technical Overview.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.

TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.
Week #10 Objectives: Remote Access and Mobile Computing Configure Mobile Computer and Device Settings Configure Remote Desktop and Remote Assistance for.

Week #10 Objectives: Remote Access and Mobile Computing Configure Mobile Computer and Device Settings Configure Remote Desktop and Remote Assistance for.
Vision/Benefits/Introduction Randy Armstrong (OPC Foundation)

Vision/Benefits/Introduction Randy Armstrong (OPC Foundation)
Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.

Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.
Using Citrix MetaFrame and Windows 2000 Servers with HP e3000 Terminal Emulation Victor Odlivak Technical Support Engineer WRQ, Inc. 1500 Dexter Avenue.

Using Citrix MetaFrame and Windows 2000 Servers with HP e3000 Terminal Emulation Victor Odlivak Technical Support Engineer WRQ, Inc Dexter Avenue.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Similar presentations

Ads by Google