Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Gateway Operation

Published byMarshall Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Gateway Operation"— Presentation transcript:

1 Access Gateway Operation
Client Network Stack Access Gateway opens TCP or UDP connections to servers on the user’s behalf. IP All traffic tunneled in SSL to the gateway SSL Access Gateway Servers

2 Secure Gateway Capabilities
Presentation Title Goes Here Secure Gateway Capabilities Insert Version Number Here DMZ 1 DMZ 2 Internal Web Interface STA & XML Server 80/443 80/443 Internet 80/443 , CPS Server 1080/443 443 1494 2598 5 9 8 Single or double-hop DMZ support No VPN client required; works with native, Java, and ActiveX ICA clients Supports SmoothRoaming and workspace control © 2004 Citrix Systems, Inc.—All rights reserved. 2

3 Full Client Operation NDIS SHIM
Intercepted traffic appears to originate from the gateway to the client on port 10010 Applications CitrixSAClient.exe :10000 :10010 :10020 :10040 App connects to an IP that the gateway client intercepts VPN Client initiates new SSL connection to the gateway on port 443 The Secure Access client is transparent to user applications: there is no remote network interface, route table modifications or hosts file tampering. When using network monitoring tools such as Netstat, TCPView or NetMon on the client, you will see what appears to be inbound TCP connections from the gateway on random high port. But these connections are not actually taking place on the wire. Client IP firewall rules must be set to allow traffic to and from the gateway plus traffic to destination IP’s, but the client only sends physical traffic to the gateway on port 443. User space Kernel space NDIS SHIM 3

4 VPN Client in Non-admin mode
Intercepted traffic appears to originate from the gateway to the client on port 10010 Applications CitrixSAClient.exe :10000 :10010 :10020 :10040 App connects to an IP that the gateway client intercepts VPN Client initiates new SSL connection to the gateway on port 443 The Secure Access client is transparent to user applications: there is no remote network interface, route table modifications or hosts file tampering. When using network monitoring tools such as Netstat, TCPView or NetMon on the client, you will see what appears to be inbound TCP connections from the gateway on random high port. But these connections are not actually taking place on the wire. Client IP firewall rules must be set to allow traffic to and from the gateway plus traffic to destination IP’s, but the client only sends physical traffic to the gateway on port 443. WINSOCK SHIM User space Kernel space 4

5 What types of traffic can the non-admin VPN client intercept?
OK in Non-admin mode Requires admin mode Internet Explorer, Firefox, etc. VoIP ICA Client, RDP Client CIFS/SM B Outlook, Lotus Notes Streaming Video Java applets Any UDP traffic Most TCP-based applications

6 Direct access to file shares via AG
CIFS: 445 (TCP) VPN:443 Browsing: 3268 (GC) or (NBT) Access Gateway Client File Server Kerberos KDC: 88 (TCP) SS – title: Direct Access to File Shares via Citrix Access Gateway

7 Browser access to files via Advanced Edition (or Enterprise Edition)
CIFS, etc. Access Gateway Client Advanced Access Control server File Server SS: title --- Browser Access to Files via Access Gateway Advanced Edition

8 Exchange and MAPI Client Exchange RPC Port Discovery: 135
Exchange Directory NSPI Proxy Interface: (dynamic) Exchange Information Store Interface: (dynamic) Client Exchange Exchange Site Replication Service: (dynamic)

9 Option #1: Proxying MAPI with Access Gateway
RPC Port Discovery: 135 Exchange Directory NSPI Proxy Interface: (dynamic) VPN: 443 Exchange Information Store Interface: (dynamic) Access Gateway Client Exchange Exchange Site Replication Service: (dynamic) KB: Configuring Static Exchange Ports -

10 Option #2: Proxying MAPI over HTTP
135 HTTP: 80 VPN: 443 Dynamic Port Access Gateway Client Exchange Front-end or IIS 6.0 RPC Proxy Exchange Con: Requires Outlook client reconfiguration

11 Presentation Server Access
Presentation Title Goes Here Insert Version Number Here Presentation Server Access Internet DMZ Trusted Network ICA protocol (Port 1494 or 2598), XML (Port 80 OR 443) Citrix Presentation Server Farm SSL/TLS (Port 443) Use SSL Relay to encrypt XML/STA traffic Client Access Gateway HTTP (Port 80) OR HTTPS (Port 443) SS; title – Citrix Presentation Server Access Web Interface No Windows in the DMZ, just a hardened appliance Web Interface servers may be brought onto the Trusted Network and shared with LAN users Access Gateway credentials can be relayed to Web Interface for single sign-on to Presentation Server © 2003 Citrix Systems, Inc.—All rights reserved. 11

12 Web Interface Integration Options
Before designing a solution, ask: How should users authenticate? Do you want Web Interface on the LAN or in the DMZ? Will Web Interface be shared by internal and external users? Do you want to differentiate access levels based on endpoint analysis?

13 How it works: Access Presentation Servers with no VPN Client
Presentation Title Goes Here Insert Version Number Here How it works: Access Presentation Servers with no VPN Client User points to Access Gateway terminates SSL and authenticates user Reverse proxy to Web Interface and perform single sign on User clicks an application icon Web interface requests ticket from XML Service Web Interface sends ticket to user in ICA file ICA Client spawns, sends ICA in SSL to Access Gateway Access Gateway validates ticket ICA Session established and Application is displayed on user desktop Web Interface HTTPS SSL XML XML Access Gateway ICA Client Presentation Server Farm SS: title – How It Works: Access Presentation Server Clients with No VPN Client Be sure to use presentation mode to see the animations in this slide. © 2003 Citrix Systems, Inc.—All rights reserved. 13

14 Web Interface Site Details Set On A Per–Group Basis
Each group can use the portal page like before or be redirected to another web server URL Send different users to different Citrix farms according to group membership SS – lower-case “a” in title

15 Multiple Logon Option Page
Establishes a VPN connection for full desktop connectivity Redirects to Web Interface for ICA-only access

16 Minimal Deployment: Standard Edition
Web Interface Presentation Servers Access Gateway Standard Edition Web Interface may be moved to the LAN if Access Gateway is configured to authenticate users

17 Advanced Edition Web Interface Integration
Advanced Access Control (AAC) Access Gateway User traffic flows through AAC on its way to Web Interface Presentation Server Farm

18 Advanced Edition Web Interface Integration
Advanced Access Control (AAC) Access Gateway If there are multiple AAC servers, one user’s traffic will emanate from all AAC servers in the farm Presentation Server Farm

19 Advanced Edition Web Interface Integration
? Web Interface Advanced Access Control (AAC) Access Gateway If there are also multiple WI servers, load balancing becomes a challenge. One user’s traffic must be persisted to one WI server, but the traffic will emanate from multiple AAC servers. Presentation Server Farm

20 Option 1: Redundant WI servers with NLB
Web Interface Advanced Access Control (AAC) Access Gateway Windows Network Load Balancing (NLB) can be used, but only for redundancy. Configure NLB for “Single Host” SS: title – Redundant Web Interface Servers with Network Load Balancing Trademark Windows® Presentation Server Farm

21 Option 2: Use NetScaler for Cookie-based Load Balancing
VIP* Web Interface Advanced Access Control (AAC) Access Gateway NetScaler® can be used to virtualize the WI servers with cookie-based load balancing. Use the ASPNET Session ID Cookie for persistence. SS; title – Use Citrix NetScaler… Trademark NetScaler® in text; lower-case Cookie in text * NetScaler Virtual IP, not a Presentation Server Virtual IP Presentation Server Farm

22 Load Balancer Insertion Points
Citrix Access Gateway Client to CAG CAG to Advanced Access Control AAC to WI WI to AAC Citrix Presentation Server Web Interface servers and CSG XML Service Load balancing mirrored sites (GSLB)

Download ppt "Access Gateway Operation"

Similar presentations

SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.

SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002.

Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002.
Mike Bayne 15 September 2011

Mike Bayne 15 September 2011
Jay Tomlin Sr. Technology Specialist Mgr NA Field Readiness

Jay Tomlin Sr. Technology Specialist Mgr NA Field Readiness
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Citrix Technical Overview

Citrix Technical Overview
Secure Remote Access from Cyber Cafe Timothy Siu SunONE SE Manager

Secure Remote Access from Cyber Cafe Timothy Siu SunONE SE Manager
Citrix Access Gateway Enterprise Edition Technical Overview Seceidos GmbH&Co. KG Robert Hochrein

Citrix Access Gateway Enterprise Edition Technical Overview Seceidos GmbH&Co. KG Robert Hochrein
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Remote Access SSL VPN Stewart Duncan Technical Manager.

Remote Access SSL VPN Stewart Duncan Technical Manager.
Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.

Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.
Remote Networking Architectures

Remote Networking Architectures
Installing Citrix Secure Gateway Andrew Wilmot Citrix Technical Business Development Manager Abcd IT Citrix Technical Overview.

Installing Citrix Secure Gateway Andrew Wilmot Citrix Technical Business Development Manager Abcd IT Citrix Technical Overview.
© 2005,2006 NeoAccel Inc. Training Access Modes. © 2005,2006 NeoAccel Inc. Agenda 2. Access Terminals 6. Quick Access Terminal Client 3. SSL VPN-Plus.

© 2005,2006 NeoAccel Inc. Training Access Modes. © 2005,2006 NeoAccel Inc. Agenda 2. Access Terminals 6. Quick Access Terminal Client 3. SSL VPN-Plus.

Similar presentations

Ads by Google