Access Gateway Operation

1 Access Gateway Operation
Diagram: Client (network stack, IP) -> SSL tunnel -> Access Gateway -> Servers.
Access Gateway opens TCP or UDP connections to servers on the user's behalf. All traffic is tunneled in SSL to the gateway.

2 Secure Gateway Capabilities
Diagram: Internet -> DMZ 1 -> DMZ 2 -> Internal network. Components shown: Web Interface, STA & XML Server, CPS Server; ports labelled 80/443, 1080/443, 443, 1494 and 2598.
- Single or double-hop DMZ support
- No VPN client required; works with native, Java, and ActiveX ICA clients
- Supports SmoothRoaming and workspace control

3 Full Client Operation NDIS SHIM
Diagram: Applications -> CitrixSAClient.exe (listening on :10000, :10010, :10020, :10040) in user space; NDIS shim in kernel space. The app connects to an IP that the gateway client intercepts; the VPN client initiates a new SSL connection to the gateway on port 443; intercepted traffic appears to originate from the gateway to the client on port 10010.
The Secure Access client is transparent to user applications: there is no remote network interface, no route table modification and no hosts file tampering. When using network monitoring tools such as Netstat, TCPView or NetMon on the client, you will see what appear to be inbound TCP connections from the gateway on random high ports, but these connections are not actually taking place on the wire. Client IP firewall rules must be set to allow traffic to and from the gateway plus traffic to the destination IPs, but the client only sends physical traffic to the gateway on port 443.

4 VPN Client in Non-admin mode
Diagram: same interception model as slide 3, but the shim is a Winsock shim in user space rather than the NDIS shim in kernel space. Applications -> CitrixSAClient.exe (listening on :10000, :10010, :10020, :10040); the app connects to an IP that the gateway client intercepts; the VPN client initiates a new SSL connection to the gateway on port 443; intercepted traffic appears to originate from the gateway to the client on port 10010.

5 What types of traffic can the non-admin VPN client intercept?
OK in non-admin mode: Internet Explorer, Firefox, etc.; ICA Client, RDP Client; Outlook, Lotus Notes; Java applets; most TCP-based applications.
Requires admin mode: VoIP; CIFS/SMB; streaming video; any UDP traffic.

6 Direct access to file shares via AG
Diagram: Access Gateway Client -> VPN: 443 -> Access Gateway -> File Server (CIFS: 445 (TCP); browsing: 3268 (GC) or (NBT)) and Kerberos KDC: 88 (TCP).

7 Browser access to files via Advanced Edition (or Enterprise Edition)
Diagram: Access Gateway Client -> Access Gateway -> Advanced Access Control server -> File Server (CIFS, etc.).

8 Exchange and MAPI Client
Diagram: Client -> Exchange. Ports used:
- Exchange RPC Port Discovery: 135
- Exchange Directory NSPI Proxy Interface: (dynamic)
- Exchange Information Store Interface: (dynamic)
- Exchange Site Replication Service: (dynamic)

9 Option #1: Proxying MAPI with Access Gateway
Diagram: Client -> VPN: 443 -> Access Gateway -> Exchange. Ports proxied:
- RPC Port Discovery: 135
- Exchange Directory NSPI Proxy Interface: (dynamic)
- Exchange Information Store Interface: (dynamic)
- Exchange Site Replication Service: (dynamic)
KB: Configuring Static Exchange Ports -

10 Option #2: Proxying MAPI over HTTP
Diagram: Client -> VPN: 443 -> Access Gateway -> HTTP: 80 -> Exchange Front-end or IIS 6.0 RPC Proxy -> 135 / dynamic port -> Exchange.
Con: requires Outlook client reconfiguration.

11 Presentation Server Access
Diagram: Internet | DMZ | Trusted Network. Client -> SSL/TLS (port 443) -> Access Gateway -> HTTP (port 80) or HTTPS (port 443) -> Web Interface; Access Gateway -> ICA protocol (port 1494 or 2598) and XML (port 80 or 443) -> Citrix Presentation Server Farm. Use SSL Relay to encrypt XML/STA traffic.
- No Windows in the DMZ, just a hardened appliance
- Web Interface servers may be brought onto the Trusted Network and shared with LAN users
- Access Gateway credentials can be relayed to Web Interface for single sign-on to Presentation Server

12 Web Interface Integration Options
Before designing a solution, ask:
- How should users authenticate?
- Do you want Web Interface on the LAN or in the DMZ?
- Will Web Interface be shared by internal and external users?
- Do you want to differentiate access levels based on endpoint analysis?

13 How it works: Access Presentation Servers with no VPN Client
1. User points the browser at the Access Gateway
2. Access Gateway terminates SSL and authenticates the user
3. Access Gateway reverse-proxies to Web Interface and performs single sign-on
4. User clicks an application icon
5. Web Interface requests a ticket from the XML Service
6. Web Interface sends the ticket to the user in an ICA file
7. ICA Client spawns and sends ICA in SSL to Access Gateway
8. Access Gateway validates the ticket
9. ICA session is established and the application is displayed on the user desktop
Diagram: ICA Client -> HTTPS / SSL -> Access Gateway -> XML -> Web Interface; Access Gateway -> XML -> Presentation Server Farm.
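The value of the ticket step above is that the launch file handed to the client carries no credentials and no routable server address; the gateway only accepts the ICA connection after the ticket authority confirms the ticket is genuine, unexpired and unused. The following is an added, simplified model of that flow written for this page, not Citrix's STA/XML protocol or ICA file format: the ticket authority, the launch-file format, the host names and the 100-second lifetime are all constructed assumptions.

```python
import secrets
import time

# Constructed lifetime for illustration; not a value from the deck.
TICKET_TTL_SECONDS = 100


class TicketAuthority:
    """Stand-in for the XML Service / STA: issues one-time tickets bound to a
    target server and validates them on the gateway's behalf."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (target address, expiry timestamp)

    def request_ticket(self, target, now=None):
        now = time.time() if now is None else now
        ticket = secrets.token_hex(16)  # unguessable random id, never derived from target
        self._tickets[ticket] = (target, now + TICKET_TTL_SECONDS)
        return ticket

    def validate_ticket(self, ticket, now=None):
        """Return the target if the ticket is valid and unused, else None.
        The ticket is consumed on first use, so a replay gets None."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        target, expiry = entry
        if now > expiry:
            return None
        return target


def web_interface_launch(sta, app_target, gateway="gateway.example.net:443", now=None):
    """Web Interface step (slide steps 5 and 6): ask the authority for a ticket
    for the chosen application's server and embed it in a launch file.
    The ini-like layout below is constructed, not a real ICA file."""
    ticket = sta.request_ticket(app_target, now)
    return "\n".join(["[Launch]", f"Gateway={gateway}", f"Ticket={ticket}"])


def gateway_accept(launch_file, sta, now=None):
    """Gateway step (slide step 8): extract the ticket the client presented and
    let the authority resolve it to a target. Returns the target or None."""
    fields = {}
    for line in launch_file.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return sta.validate_ticket(fields.get("Ticket", ""), now)


if __name__ == "__main__":
    sta = TicketAuthority()
    launch = web_interface_launch(sta, "ps-01.internal:1494", now=1000.0)
    print("first use  ->", gateway_accept(launch, sta, now=1050.0))  # target address
    print("replay     ->", gateway_accept(launch, sta, now=1050.0))  # None
    stale = web_interface_launch(sta, "ps-02.internal:1494", now=1000.0)
    print("expired    ->", gateway_accept(stale, sta, now=1200.0))   # None
```

The three checks the gateway relies on are visible in `validate_ticket`: unknown ticket, expired ticket and replayed ticket all fail closed, and the client never learns the farm address except through the session the gateway brokers.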

14 Web Interface Site Details Set On A Per–Group Basis
Each group can use the portal page as before or be redirected to another web server URL. Send different users to different Citrix farms according to group membership.

15 Multiple Logon Option Page
- Establishes a VPN connection for full desktop connectivity
- Redirects to Web Interface for ICA-only access

16 Minimal Deployment: Standard Edition
Diagram: Access Gateway Standard Edition -> Web Interface -> Presentation Servers. Web Interface may be moved to the LAN if Access Gateway is configured to authenticate users.

17 Advanced Edition Web Interface Integration
Diagram: Access Gateway -> Advanced Access Control (AAC) -> Web Interface -> Presentation Server Farm. User traffic flows through AAC on its way to Web Interface.

18 Advanced Edition Web Interface Integration
Diagram: Access Gateway -> Advanced Access Control (AAC) farm -> Presentation Server Farm. If there are multiple AAC servers, one user's traffic will emanate from all AAC servers in the farm.

19 Advanced Edition Web Interface Integration
Diagram: Access Gateway -> Advanced Access Control (AAC) farm -> ? -> multiple Web Interface servers -> Presentation Server Farm. If there are also multiple WI servers, load balancing becomes a challenge: one user's traffic must be persisted to one WI server, but the traffic will emanate from multiple AAC servers.

20 Option 1: Redundant WI servers with NLB
Diagram: Access Gateway -> Advanced Access Control (AAC) -> Web Interface servers under NLB -> Presentation Server Farm. Windows Network Load Balancing (NLB) can be used, but only for redundancy. Configure NLB for "Single Host".

21 Option 2: Use NetScaler for Cookie-based Load Balancing
Diagram: Access Gateway -> Advanced Access Control (AAC) -> NetScaler VIP* -> Web Interface servers -> Presentation Server Farm. NetScaler can be used to virtualize the WI servers with cookie-based load balancing. Use the ASP.NET session ID cookie for persistence.
* NetScaler Virtual IP, not a Presentation Server Virtual IP
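Slides 19 through 21 describe why source-IP persistence fails in this topology and why the ASP.NET session cookie is the right persistence key: the WI server only ever sees AAC servers as clients, so one user's requests arrive from several source addresses. The following added simulation, written for this page and not taken from Citrix or NetScaler, models a load balancer with both persistence modes and shows one user's session landing on several WI servers under source-IP persistence but on a single server under cookie persistence. Server names, AAC addresses and the session id are constructed; the balancer is a toy model, not NetScaler's persistence implementation.

```python
from itertools import cycle

# Constructed names and addresses for the simulation; none appear on the slides.
WI_SERVERS = ["wi-01", "wi-02"]
AAC_SERVERS = ["10.0.2.11", "10.0.2.12"]   # two AAC servers fronting the same user
SESSION_COOKIE = "ASP.NET_SessionId"       # the cookie slide 21 says to persist on


class LoadBalancer:
    """Toy load balancer in front of the WI servers with two persistence modes:
    'sourceip' keys the persistence table on the client address the WI sees
    (an AAC server), 'cookie' keys it on the ASP.NET session id."""

    def __init__(self, servers, persistence):
        if persistence not in ("sourceip", "cookie"):
            raise ValueError("persistence must be 'sourceip' or 'cookie'")
        self.persistence = persistence
        self.table = {}               # persistence key -> chosen WI server
        self._round_robin = cycle(servers)

    def _key(self, request):
        if self.persistence == "sourceip":
            return request["src_ip"]
        return request["cookies"].get(SESSION_COOKIE)  # None before the app sets it

    def route(self, request):
        key = self._key(request)
        if key is not None and key in self.table:
            return self.table[key]
        server = next(self._round_robin)  # no persistence entry yet: pick a new server
        if key is not None:
            self.table[key] = server
        return server

    def learn_set_cookie(self, session_id, server):
        """Record which server issued the session cookie in the response."""
        if self.persistence == "cookie":
            self.table[session_id] = server


def simulate_user_session(persistence, n_requests=6):
    """One user sends n_requests through the AAC farm; successive requests leave
    from alternating AAC servers. Returns the list of WI servers hit."""
    lb = LoadBalancer(WI_SERVERS, persistence)
    sources = cycle(AAC_SERVERS)
    cookies = {}
    servers_hit = []
    for _ in range(n_requests):
        request = {"src_ip": next(sources), "cookies": dict(cookies)}
        server = lb.route(request)
        servers_hit.append(server)
        if SESSION_COOKIE not in cookies:
            # The WI server that handled the first request issues the session id
            # (constructed value) and the balancer learns the binding from Set-Cookie.
            cookies[SESSION_COOKIE] = "sess-0001"
            lb.learn_set_cookie(cookies[SESSION_COOKIE], server)
    return servers_hit


def session_is_split(servers_hit):
    """True when one user's requests were spread over more than one WI server,
    i.e. the ASP.NET session state would not be found on every request."""
    return len(set(servers_hit)) > 1


if __name__ == "__main__":
    for mode in ("sourceip", "cookie"):
        hits = simulate_user_session(mode)
        print(f"{mode:9s} -> {hits}  split={session_is_split(hits)}")
```

With two AAC servers and two WI servers the source-IP run alternates `wi-01`, `wi-02`, `wi-01`, ... because each AAC address is persisted independently, which is exactly the failure slide 19 describes; the cookie run stays on the server that issued the session id. The same check applies to any persistence key that is a property of the AAC hop rather than of the user.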

22 Load Balancer Insertion Points
Citrix Access Gateway: Client to CAG; CAG to Advanced Access Control; AAC to WI; WI to AAC
Citrix Presentation Server: Web Interface servers and CSG; XML Service
Load balancing mirrored sites (GSLB)
