Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Presentation transcript:

Learning Objectives
In this session, you will:
· Get a preview of the new features and benefits of the Citrix Secure Gateway.
· Learn how Citrix Secure Gateway (CSG) can provide Internet-based access to applications for remote employees, customers, and partners.

Agenda
· Business Goals and Drivers
· Citrix Goals and Solution
· What is CSG?
· CSG Architecture
· CSG Technology Preview
· Citrix Security Solutions
· Demonstration
· Summary, Q&A

Business Goals
· Leverage Internet to deliver value outside of traditional models.
· Demonstrable ROI
· Do more with less
· Do it before the competition does

Business Drivers
· Remote access for employees, customers, and partners
· B2B and B2C customers displaced across many geographic locations
· Only assumption: a web browser with a highly limited Internet connection
· Access to key business applications
· Security
· Speed to market and development costs

Citrix Goals
Build a solution to securely and simply deliver MetaFrame applications across the Internet, on demand, to any device.

Barriers to implementation
· ICA port 1494 not normally open on firewalls, difficult to open up
· Use standards based encryption, protect against “man-in-the-middle” attack (Secure ICA is vulnerable to such attacks)
· Large, difficult, intrusive VPN client installs not suitable for many deployment types
· Cost of VPN solutions, especially to large customer base
· Hide MetaFrame servers from being seen or directly accessed from Internet

What is CSG?
· Gateway between an SSL enabled ICA client and one or more MetaFrame servers
· Tunnels ICA traffic inside SSL.
· Limited to ICA only – not a general purpose VPN.
· Runs independently from MetaFrame, links into NFuse for authorization
· Three components:
  · CSG Server
  · Secure Ticket Authority
  · Modified NFuse
· Previously known as project “Snowy”

Solution Components
· Citrix Secure Gateway (CSG)
· Other components:
  · MetaFrame
  · NFuse
  · SSL enabled clients
  · Optionally Secure web server and/or portal (e.g. Citrix XPS)
  · Replaceable authentication (e.g. SecurID, smart card)
  · ICA client object (ICO)

CSG components
· Client Workstation
· CSG Server
· NFuse/Web Server
· MetaFrame Server Farm
· Secure Ticketing Authority (STA)

CSG with NFuse
[Diagram. Components: Web Browser, ICA Client, Secure Web Server, NFuse, CSG Server, DMZ, Citrix XML Service, MetaFrame Server Farm. Link labels: HTTP/S, XML-HTTP/80, ICA/SSL 443, ICA/]
Initial connection is always established with the web server. The user may not even have Citrix client installed.

CSG Ticketing
[Diagram. Components: Web Browser, ICA Client, Secure Web Server, NFuse, Secure Ticketing Authority, CSG Server, DMZ, XML Service, Production MetaFrame Farm. Link labels: 1. Standard NFuse XML, 2. Ticket Generation, 3. ICA File, 4. ICA/SSL, 5. Ticket Verification, 5. ICA/, ICA File]
1. Standard NFuse ICA Name Resolution
2. Requested CSG ticket on application launch
3. CSG ticket is delivered to ICA client as the part of ICA file.
4. CSG ticket is delivered to CSG server as the part of SOCKS inside SSL information.
5. CSG server verifies ticket and opens ICA connection.
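
Added example (not from the original presentation and not Citrix code): a minimal Python model of ticketing steps 2 to 5 above, showing why the ICA file handed to the client never needs to contain an internal server address. The ticket format, single-use redemption, the 100-second lifetime and every name in the code are assumptions made for the sketch.

```python
# Toy model of the ticket exchange; all names and policies are hypothetical.
import secrets
import time


class SecureTicketAuthority:
    """Maps opaque tickets to internal MetaFrame addresses (steps 2 and 5)."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime, not a CSG value
        self._clock = clock
        self._tickets = {}               # ticket -> (server address, expiry)

    def issue(self, server_address):
        # Step 2: NFuse requests a ticket when the user launches an application.
        ticket = secrets.token_hex(16)   # unguessable, carries no address data
        self._tickets[ticket] = (server_address, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        # Step 5: the gateway presents the ticket; pop() makes it single-use.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        address, expires = entry
        return address if self._clock() <= expires else None


def build_ica_file(sta, gateway_host, server_address):
    # Step 3: the client receives the gateway name and a ticket only.
    # The keys "gateway" and "ticket" are illustrative, not real ICA fields.
    return {"gateway": gateway_host, "ticket": sta.issue(server_address)}


def gateway_connect(sta, ica_file):
    # Steps 4-5: the ticket arrives inside the SSL tunnel; the gateway
    # resolves it through the STA before opening any ICA connection.
    address = sta.redeem(ica_file["ticket"])
    if address is None:
        raise PermissionError("ticket unknown, already used, or expired")
    return address
```

A replayed or stale ticket fails at the gateway in the DMZ, before any connection toward the farm is attempted.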

CSG Architecture 1
· Authorization based on ticketing, leverages NFuse for Authentication
· Compatible with wide range of authentication systems
· Replaceable Secure Ticketing Authority (STA)
· Works with replaceable auth – e.g. SecurID, Smartcard
· Operates in Gateway mode – installed in DMZ
· Highly scalable – by design
· Single CSG server can support 1000 to 2000 concurrent connections
· Highly reliable – fail-over support for STA, external Load Balancer for main CSG Server.

CSG Architecture 2
· Uses XML for inter-component communication
· Components are easily replaceable by Citrix or 3rd party
· SOAP is considered as the next step
· No changes necessary to MetaFrame servers
· Can be quickly installed into existing system

Packaging
· Provided at no additional cost to valid Subscription Advantage customers
· Download only
· Included in future MetaFrame release
· English and possibly Japanese (product is Internationalized)
· v1.0 Windows 2000 server platform

Technology Preview
· Private Preview, available from hidden URL
· Create CDN account and login before entering URL.
· Time-bombed to expire 1st Feb 2002
· Windows 2000 and IIS/NFuse only
· No support – feedback to
· Need at least 2 machines, one running CSG, the other NFuse/STA. 3 machines is recommended.
· Need server SSL certificate & High Encryption Pack

Things to come
· Q1/ – Solaris
· Q3/Q4 – v1.5 – Possible features:
  · Improved Management (SNMP, WMI, MMC)
  · TLS support
  · Government certifications
  · End to End SSL SDK
· We need your feedback on CSG directions!

Citrix Solutions
[Diagram: security spectrum from "Lower security" to "Highest Security": ICA, Secure ICA, SSL Relay, CSG Server, Citrix Extranet. Group label: "SSL Solutions"]

Use what, when?
Use SecureICA when:
· Secure DOS or Win 16 access is necessary
· Have old devices/ICA clients that cannot be upgraded
· Risk of “man-in-the-middle” attack is acceptable
Use SSL Relay when:
· Small number of MetaFrame servers to support (<5)
· No need to secure access at DMZ
· No need to hide server IP addresses, or NAT is used
· Need end-to-end encryption of data between client and server

Use what, when?
Use Citrix Secure Gateway when:
· Large number of servers to support
· Want to hide internal network addresses
· Want to secure from DMZ
· Need 2 factor authentication (in conjunction with NFuse)
· Need non-intrusive client install e.g. access from Internet cafes
Use Citrix Extranet or another VPN when:
· Need 2 factor authentication
· Need to create a secure pipeline for full (beyond ICA) network access
· Need to create secure tunnels between sites
· Want to secure from within DMZ
· Access is normally via same workstation i.e. OK to install intrusive Client
· Want to use IPSEC

Key information sources
· CSG Tech Preview
· Feedback to Product Manager:

Demonstration Summary Q&A