Citrix Technical Overview. Access Gateway – Basic Features.


1 Citrix Technical Overview

2 Access Gateway – Basic Features

3 Differentiators Access Gateway - Features

4 Supports most authentication mechanisms Active Directory LDAP NTLM RADIUS TACACS+ One-time password tokens Client certificates & smart cards Local store Authentication Dual Source Authentication Cascading Authentication

5 Authorization Policy-driven access Authentication Authorization Session control Auditing Wide variety of policy criteria Network information Application access Client certificate parameters Client configurations Highly granular access control User, groups, virtual IP, and global policies HTTP authorization based on URL TCP/IP authorization based on address and port

6 Auditing Full administrative audit trail All management operations logged Full user activity audit trail All session activity All network flows All system events logged Support for external logging servers

7 Clients Two types of client delivery: Secure Access Client – Native installed application that remains resident in the system tray Plugin – ActiveX or Java control dynamically downloaded and executed via HTML Connecting to XenApp Applications Only Connecting to any IP-based Application All XenApp Clients v6.3 or later, including: Windows NT/2000/XP Windows Vista MacOS 9 & 10 Linux & Java Windows CE UNIX Secure Access platforms: Windows Vista/2000/XP Java (used by Mac & Linux) PocketPC

8 Endpoint Analysis Checking for specific client criteria Scans can be run pre and post logon Results used for policy evaluation and SmartAccess decisions Connecting Windows machines can be scanned for any combination of: Files Processes Registry entries System services Operating System Hotfixes Client certificates

9 Ease of Management and Administration Console for Management Easy Wizards To simplify common tasks For easier integration with XenApp For complex tasks Delegated Administration Read-Only Operator Network Superuser Command Line Interface (For Advanced Admins)

10 Scalability 9000 series 7000 series series = 100 2,500 Users 5,000 Users 10,000 Users

11 High Availability Pairing vpn.company.com ( ) Network health- check packets are exchanged Master Backup Two appliances can form an active/passive cluster Health-checking packets constantly exchanged between pair When the primary fails, the secondary assumes the IP address User sessions are HA aware All sessions are replicated on secondary “show aaa session” on secondary shows active users

12 Other Features VoIP support Universal licensing Client-side cleanup Server-initiated connections FIPS compliance *Common Criteria Certification (H2-2008) AG Universal License

13 Differentiators Citrix XenApp™ Deliver Windows Apps Citrix XenDesktop™ Deliver Windows Desktops Citrix® NetScaler® Deliver Web Apps

14 Citrix Access Gateway and XenApp Citrix® NetScaler® Deliver Web Apps Citrix XenApp™ Deliver Windows Apps Citrix XenDesktop™ Deliver Windows Desktops Users Apps Citrix EdgeSight™ Monitor Real-Time User Experience Citrix WANScaler™ Accelerate Apps to Branch Offices Citrix Access Gateway™ Enable Secure App Access Secure Delivery of Windows Applications

15 Access Gateway & XenApp SmartAccess – Data Protection WHAT WHO HOW Endpoint Analysis and Authentication Which User What Device What Location Launch with ICA Download Clipboard Save Print Other SSL VPNs only go this far Access Control XenApp Applications Mail Servers Web and File Servers Network Resources

16 Access Gateway and XenApp Replace Secure Gateway with a hardened appliance Single logon experience to Web Interface Add support for all applications and protocols Add SmartAccess to application delivery Secure Application Virtualization Best SSL VPN to use with XenApp

17 Accessing XenApp Server Web Interface Access Gateway Client
1. User accesses https://agee.corp.ctx
2. Access Gateway authenticates the user and validates the end-point
3. Access Gateway communicates the user credentials and policy conditions to Web Interface
4. Web Interface displays the user’s set of applications
5. User clicks an application icon
6. Web Interface requests a ticket from the Secure Ticket Authority
7. Web Interface sends a ticket to the user in an ICA® file
8. The ICA client launches and sends secure ICA traffic to Access Gateway
9. Access Gateway validates the ticket against the STA
10. The ICA session is established
Diagram labels: 1) SSL; 3) HTTPS; 4) HTTPS; 6) XML; 8) SSL; 9) XML; 10) ICA; XenApp Server Farm

18 Secure Gateway Replacement (Modes)
Pure Secure Gateway
- VPN Authentication is OFF
- Web Interface in direct mode, handles authentication
Secure Gateway with Single Sign-On
- VPN Authentication is ON
- Web Interface in Indirect Mode
- User credentials passed through for SSO to Web
Secure Gateway with SmartAccess
- VPN Authentication is ON, Pre-auth and Post-auth EPA configured
- Web Interface in Indirect and “Access Gateway Enterprise” Mode
- XenApp configured for Filters & Access Policies

19 Citrix Access Gateway and XenDesktop Citrix® NetScaler® Deliver Web Apps Citrix XenApp™ Deliver Windows Apps Citrix XenDesktop™ Deliver Windows Desktops Users Apps Citrix EdgeSight™ Monitor Real-Time User Experience Citrix WANScaler™ Accelerate Apps to Branch Offices Citrix Access Gateway™ Enable Secure App Access Secure Delivery of Windows Desktops

20 Secure Access & Delivery from the Data Center to the Desktop Access Gateway User Virtual Desktops XenDesktop HTTPS ICA/CGP XML ICA + SSL HTTPS - SSO Data Center Secure Desktop Virtualization

21 Secure Desktop Delivery with Access Gateway & XenDesktop Secures remote desktop delivery Secure delivery of Desktop Virtualization SmartAccess policies Provides strongest data delivery protection Hosted desktop and data stay in the data center End point device compliance with security policies Hosted desktop isolated from local desktop Enables "Bring-Your-Own-PC" asset model Dramatically simplifies Desktop Management Reduces cost of Desktop Computing by up to 40%

22 Access Gateway Redirecting to XenDesktop Access Gateway supports single sign-on to Web Interface by default Available XenDesktops can be based on SmartAccess XenDesktop session is securely delivered through Access Gateway User is connected to their desktop

23 Secure Access and XenDesktop XenDesktop session is tunneled through the Citrix Access Gateway client SmartAccess determines which applications are delivered A secure connection is established between the client and Access Gateway

24 Citrix Access Gateway and NetScaler Citrix® NetScaler® Deliver Web Apps Citrix XenApp™ Deliver Windows Apps Citrix XenDesktop™ Deliver Windows Desktops Users Apps Citrix EdgeSight™ Monitor Real-Time User Experience Citrix WANScaler™ Accelerate Apps to Branch Offices Citrix Access Gateway™ Enable Secure App Access Delivering Web Applications (Network Architect Line-of-Sight)

25 Access Gateway and NetScaler: Business Continuity & Disaster Recovery corp.xyz.com One URL for the website… …supporting “active-passive” site failover. corp.xyz.com DR Site Global Server Load Balancing Route client connections to the nearest or most available site Implement multi-site disaster recovery

26 Internet Web App Users Legitimate traffic allowed through Application Attacks Blocked Citrix NetScaler Platinum Edition (Includes Access Gateway Enterprise Edition) Application Infrastructure Network Access Access Gateway & NetScaler Application Firewall Protecting back-end web applications and data Better Data Protection and Better User Experience Real-time protection for application and application logic Accelerated Secure access and delivery of data

27 New Features in 8.1

28 8.1 Main Features/Benefits

| Feature | Benefit |
| Clientless, browser-based access (Phase 1 – OWA 2003/2007 and simple http rewrite) | Access resources from any PC without the need for the full Secure Access Client |
| Installation wizards & revamped documentation | Easier installation and configuration |
| Access scenario fallback with client choices | Ability to set rules that dictate how users may access resources based upon EPA results (full client or ICA only). Users have options when they successfully pass EPA scan. |
| Vista client | Expand opportunities |
| Enhanced NavUI with XenApp applications list | Provide a seamless user interface to XenApp applications |
| FTA – File Type Association | Ability to automatically launch a XenApp published application when a file is double clicked for viewing |

29 Clientless Access – URL Rewriting Allows a secure clientless connection Supports Portal page Generic web sites Outlook Web Access Light Outlook Web Access Premium

30 Clientless Access – Support

31 Clientless Access - URL Rewriting Rewritten URL is https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/
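
The rewritten URL on this slide carries the backend address as a Base64 path segment: aHR0cDovL3d3dy5nb29nbGUuY29t decodes to http://www.google.com. The following added example (not part of the original presentation) decodes such URLs from gateway log lines to show which backend hosts each user reached through clientless access. The "user url" log format, the user names and owa.corp.local are constructed, and the code assumes the standard Base64 alphabet with optional padding.

```python
import base64
import binascii
from urllib.parse import urlsplit


def decode_cvpn_url(rewritten):
    """Return the backend URL carried in a /cvpn/<base64>/... gateway URL, or None."""
    segments = [s for s in urlsplit(rewritten).path.split("/") if s]
    if len(segments) < 2 or segments[0] != "cvpn":
        return None
    token = segments[1]
    token += "=" * (-len(token) % 4)  # restore padding dropped from the path
    try:
        origin = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if urlsplit(origin).scheme not in ("http", "https"):
        return None  # decodes, but is not a web origin: treat as not rewritten
    rest = "/".join(segments[2:])  # path on the backend server, if any
    return origin.rstrip("/") + "/" + rest if rest else origin


def backends_by_user(log_lines):
    """Map each user to the backend hosts reached through clientless access."""
    seen = {}
    for line in log_lines:
        user, _, url = line.partition(" ")
        backend = decode_cvpn_url(url.strip())
        if backend:
            seen.setdefault(user, set()).add(urlsplit(backend).hostname)
    return seen


def encode_origin(origin):
    """Build a constructed sample token in the same form as the slide's value."""
    return base64.b64encode(origin.encode()).decode().rstrip("=")


# Constructed log lines ("user url"); only the first URL is the slide's own.
SAMPLE_LOG = [
    "alice https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/",
    "bob https://gateway.corp.com/cvpn/%s/exchange/" % encode_origin("http://owa.corp.local"),
    "bob https://gateway.corp.com/vpn/index.html",
    "eve https://gateway.corp.com/cvpn/!!!notbase64/",
]

if __name__ == "__main__":
    for user, hosts in sorted(backends_by_user(SAMPLE_LOG).items()):
        print(user, sorted(hosts))
```
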

32 Access Gateway Wizards Create or edit an SSL VPN virtual server – New! Configure certificates – New! Configure name resolution Configure authorization Default authorization action – New! Configure port 80 redirection – New! Configure clientless access – New! Published Applications – New! ICA connections – New!

33 Client Choices Provides users with a choice of using the Secure Access Client or launching applications through Web Interface Use Client Security Expressions to conditionally control Secure Access Client availability

34 Access Scenario Fallback Access Scenario Fallback uses a Quarantine Group in addition to the “Client Security String” Quarantine

35 Client Choices – User Interface

36 Windows Interface Look and Feel in NavUI The WI Mode can be set to Normal or Compact but the WI site must be configured in the same mode Home page is left blank to support embedded WI

37 Normal Mode

38 Compact Mode

39 Custom Mode The WI site can be forced into an embedded mode by modifying the site properties Refer to CTX for complete details

40 Network Overview

41 One-arm versus Two-Arm 1) User Request 2) User Request 3) Server Response 4) Server Response One-arm Deployment 1) User Request 2) User Request 3) Server Response 4) Server Response Two-arm Deployment

42 5 Types of IP Addresses in Access Gateway Virtual Server IP (VIP) Management IP (NSIP) Subnet IP / Mapped IP (SNIP/MIP) Intranet IP (IIP) Administration and Authentication End User VIP SNIP/MIP Backend Server NSIP IIP

43 389/636 (TCP) 53 (UDP) Basic Firewall and Port Rules AGEE Admin Remote End User VIP NSIP CPS & WI 443,80 (TCP/HTTP) 3010, 3008,22 (TCP) 80, 8080, 443 (HTTP/TCP) 1494, 2598 (TCP) 443,80* (HTTP/TCP) NSIP DNS * Port 80 used for https redirect NSIP AD / LDAP SNIP

44 Common Firewall and Port Requirements

| Source | Destination | Port | Use |
| Internet | VIP | 443 | SSL Virtual Server Connections |
| Internet | VIP | 80 | Port 80 Redirection |
| NSIP | Management Console | 22, 80, 3008, 3010 | SSH, Web Tool, Java Admin Tool |
| NSIP | LDAP Server | 389 | LDAP |
| NSIP | LDAP Server | 636 | Secure LDAP |
| NSIP | RADIUS Server | 1812 | RADIUS |
| NSIP | DNS Server | 53 | DNS queries |

45 WI/CPS Firewall and Port Requirements

| Source | Destination | Port | Use |
| MIP/SNIP | Web Interface | 80 | WI over HTTP |
| MIP/SNIP | Web Interface | 443 | WI over HTTPS |
| MIP/SNIP | CPS Server | 1494 or 2598 | ICA traffic |
| VIP | STA Server | 8080 or 443 | STA communication |
| Web Interface | VIP | 443 | SSO Callback |

