Citrix Access Gateway

Citrix Technical Overview
Access Gateway – Basic Features
• AAA
• Policy Driven Access
• Full Application Support
• Ease of Use
• Security
Access Gateway - Features
• Authentication
• Clients
• Administration
• Authorization
• Auditing
• Endpoint Analysis
• User Experience
• Scalability
• High Availability
• Differentiators
Authentication
Supports most authentication mechanisms:
• Active Directory
• LDAP
• NTLM
• RADIUS
• TACACS+
• One-time password tokens
• Client certificates & smart cards
• Local store
Dual Source Authentication
Cascading Authentication
Authorization
• Policy-driven access
  • Authentication
  • Authorization
  • Session control
  • Auditing
• Wide variety of policy criteria
  • Network information
  • Application access
  • Client certificate parameters
  • Client configurations
• Highly granular access control
• User, groups, virtual IP, and global policies
• HTTP authorization based on URL
• TCP/IP authorization based on address and port
Auditing
• Full administrative audit trail
  • All management operations logged
• Full user activity audit trail
  • All session activity
  • All network flows
• All system events logged
• Support for external logging servers
Clients
Two types of client delivery:
• Secure Access Client – Native installed application that remains resident in the system tray
• Plugin – ActiveX or Java control dynamically downloaded and executed via HTML
Connecting to XenApp Applications Only – all XenApp Clients v6.3 or later, including:
• Windows NT/2000/XP
• Windows Vista
• MacOS 9 & 10
• Linux & Java
• Windows CE
• UNIX
Connecting to any IP-based Application – Secure Access platforms:
• Windows Vista/2000/XP
• Java (used by Mac & Linux)
• PocketPC
Endpoint Analysis
• Checking for specific client criteria
• Scans can be run pre and post logon
• Results used for policy evaluation and SmartAccess decisions
• Connecting Windows machines can be scanned for any combination of:
  • Files
  • Processes
  • Registry entries
  • System services
  • Operating System
  • Hotfixes
  • Client certificates
Ease of Management and Administration
• Console for Management
• Easy Wizards
  • To simplify common tasks
  • For easier integration with XenApp
  • For complex tasks
• Delegated Administration
  • Read-Only
  • Operator
  • Network
  • Superuser
• Command Line Interface (For Advanced Admins)
Scalability
• 7000 series – 2,500 Users
• 9000 series – 5,000 Users
• 10000 series – 10,000 Users
(Diagram legend: one user icon = 100 users)
High Availability Pairing
[Diagram: Master and Backup appliances sharing vpn.company.com (10.10.10.1); network healthcheck packets are exchanged between them]
Two appliances can form an active/passive cluster
• Health-checking packets constantly exchanged between pair
• When the primary fails, the secondary assumes the IP address
User sessions are HA aware
• All sessions are replicated on secondary
• “show aaa session” on secondary shows active users
Other Features
• VoIP support
• Universal licensing
• Client-side cleanup
• Server-initiated connections
• FIPS 140-2 compliance
• *Common Criteria Certification (H2-2008)
[Diagram: AG Universal License]
Differentiators
• Citrix XenApp™ – Deliver Windows Apps
• Citrix® NetScaler® – Deliver Web Apps
• Citrix XenDesktop™ – Deliver Windows Desktops
Citrix Access Gateway and XenApp
[Diagram: Citrix delivery infrastructure between Users and Apps]
• Citrix® NetScaler® – Deliver Web Apps
• Citrix XenApp™ – Deliver Windows Apps
• Citrix EdgeSight™ – Monitor Real-Time User Experience
• Citrix WANScaler™ – Accelerate Apps to Branch Offices
• Citrix Access Gateway™ – Enable Secure App Access
• Citrix XenDesktop™ – Deliver Windows Desktops
Secure Delivery of Windows Applications
Access Gateway & XenApp
SmartAccess – Data Protection
[Diagram: access decision chain]
• WHO – Which User
• WHAT – What Device
• HOW – What Location
(Endpoint Analysis and Authentication → Access Control. Other SSL VPNs only go this far.)
Resources behind the gateway: Web and File Servers, Network Resources, XenApp Applications, Mail Servers
Actions shown beyond that point: Launch with ICA (• Save • Print • Clipboard), Download Email
Access Gateway and XenApp
Best SSL VPN to use with XenApp
• Replace Secure Gateway with a hardened appliance
• Single logon experience to Web Interface
• Add support for all applications and protocols
• Add SmartAccess to application delivery
• Secure Application Virtualization
Accessing XenApp Server
[Diagram: Client –1) SSL→ Access Gateway –3), 4) HTTPS→ Web Interface –6) XML→ XenApp Server Farm; 8) SSL ICA traffic from the Client to Access Gateway]
1. User accesses https://agee.corp.ctx
2. Access Gateway authenticates the user and validates the end-point
3. Access Gateway communicates the user credentials and policy conditions to Web Interface
4. Web Interface displays the user’s set of applications.
5. User clicks an application icon
6. Web Interface requests a ticket from the Secure Ticket Authority
7. Web Interface sends a ticket to the user in an ICA® file
8. The ICA client launches and sends secure ICA traffic to Access Gateway
9. Access Gateway validates the ticket against the STA
10. The ICA session is established
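The security value of steps 6 to 9 is that the client only ever receives an opaque ticket, never the farm address, and that the gateway proxies ICA only for a ticket the STA confirms. The following Python model of that exchange is an added example written for this page, not Citrix code: the ticket lifetime, the farm address, the ICA-file keys and the class names are constructed assumptions. It shows the single-use and expiry checks a practitioner expects the STA to enforce, and what happens when a ticket is presented twice or late.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed values: the farm addresses, the STA ticket lifetime and the ICA
# file keys below are sample data for this model, not values from the deck.
TICKET_TTL_SECONDS = 100


@dataclass
class SecureTicketAuthority:
    """Toy STA: issues opaque one-time tickets that map to a XenApp server."""
    issued: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def request_ticket(self, server_address: str, now: int) -> str:
        # Step 6: Web Interface asks for a ticket. Only the STA keeps the
        # ticket -> server mapping, so the client is never told the farm address.
        ticket = secrets.token_hex(16)
        self.issued[ticket] = (server_address, now + TICKET_TTL_SECONDS)
        return ticket

    def validate(self, ticket: str, now: int) -> Optional[str]:
        # Step 9: Access Gateway redeems the ticket. pop() makes it single-use,
        # so a captured ICA file cannot be replayed; the expiry bounds its life.
        entry = self.issued.pop(ticket, None)
        if entry is None:
            return None
        server, expires_at = entry
        return server if now <= expires_at else None


class AccessGateway:
    """Toy gateway: proxies ICA only for tickets the STA confirms."""

    def __init__(self, sta: SecureTicketAuthority):
        self.sta = sta

    def accept_ica(self, ticket: str, now: int) -> dict:
        server = self.sta.validate(ticket, now)
        if server is None:
            return {"status": "rejected"}
        # Step 10: proxy the ICA session to the server named by the STA.
        return {"status": "connected", "proxied_to": server}


def run_flow(now: int = 1_000) -> dict:
    """Runs steps 5-10 once, then shows a replayed and an expired ticket."""
    sta = SecureTicketAuthority()
    gateway = AccessGateway(sta)
    farm_server = "10.0.0.25:1494"                   # constructed farm address

    ticket = sta.request_ticket(farm_server, now)    # steps 5-6
    ica_file = {                                     # step 7, constructed keys
        "Address": ticket,
        "SSLProxyHost": "agee.corp.ctx:443",
    }
    first = gateway.accept_ica(ica_file["Address"], now + 5)    # steps 8-10
    replay = gateway.accept_ica(ica_file["Address"], now + 6)   # same ticket again

    stale = sta.request_ticket(farm_server, now)
    expired = gateway.accept_ica(stale, now + TICKET_TTL_SECONDS + 1)

    return {
        "ica_file_leaks_farm_address": farm_server in ica_file.values(),
        "first": first,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    print(run_flow())
```

Running the block shows the first redemption connecting to the farm server, the replay and the late ticket both rejected, and the ICA file containing no farm address.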
Secure Gateway Replacement (Modes)
Pure Secure Gateway
• VPN Authentication is OFF
• Web Interface in direct mode, handles authentication
Secure Gateway with Single Sign-On
• VPN Authentication is ON
• Web Interface in Indirect Mode
• User credentials passed through for SSO to Web
Secure Gateway with SmartAccess
• VPN Authentication is ON, Pre-auth and Post-auth EPA configured
• Web Interface in Indirect and “Access Gateway Enterprise” Mode
• XenApp configured for Filters & Access Policies
Citrix Access Gateway and XenDesktop
[Diagram: Citrix delivery infrastructure between Users and Apps – Citrix® NetScaler® (Deliver Web Apps), Citrix XenApp™ (Deliver Windows Apps), Citrix EdgeSight™ (Monitor Real-Time User Experience), Citrix WANScaler™ (Accelerate Apps to Branch Offices), Citrix Access Gateway™ (Enable Secure App Access), Citrix XenDesktop™ (Deliver Windows Desktops)]
Secure Delivery of Windows Desktops
Secure Access & Delivery from the Data Center to the Desktop
[Diagram: User → Access Gateway → ICA/CGP → Virtual Desktops (XenDesktop) in the Data Center]
Secure Desktop Virtualization
Secure Desktop Delivery with Access
Gateway & XenDesktop
• Secures remote desktop delivery
• Secure delivery of Desktop Virtualization
• SmartAccess policies
• Provides strongest data delivery protection
• Hosted desktop and data stay in the data center
• End point device compliance with security policies
• Hosted desktop isolated from local desktop
• Enables "Bring-Your-Own-PC" asset model
• Dramatically simplifies Desktop Management
• Reduces cost of Desktop Computing by up to 40%
Access Gateway Redirecting to XenDesktop
[Diagram callouts]
• Available XenDesktops can be based on SmartAccess
• User is connected to their desktop
• Access Gateway supports single sign-on to Web Interface by default
• XenDesktop session is securely delivered through Access Gateway
Secure Access and XenDesktop
[Diagram callouts]
• A secure connection is established between the client and Access Gateway
• XenDesktop session is tunneled through the Citrix Access Gateway client
• SmartAccess determines which applications are delivered
Citrix Access Gateway and NetScaler
Delivering Web Applications
(Network Architect Line-of-Sight)
[Diagram: Citrix delivery infrastructure between Users and Apps – Citrix® NetScaler® (Deliver Web Apps), Citrix XenApp™ (Deliver Windows Apps), Citrix EdgeSight™ (Monitor Real-Time User Experience), Citrix WANScaler™ (Accelerate Apps to Branch Offices), Citrix Access Gateway™ (Enable Secure App Access), Citrix XenDesktop™ (Deliver Windows Desktops)]
Access Gateway and NetScaler:
Business Continuity & Disaster Recovery
Global Server Load Balancing
• Route client connections to the nearest or most available site
• Implement multi-site disaster recovery
[Diagram: several sites plus a DR Site all answering for corp.xyz.com – one URL for the website, supporting “active-passive” site failover]
Access Gateway & NetScaler
Application Firewall
[Diagram: Users on the Internet → Citrix NetScaler Platinum Edition (includes Access Gateway Enterprise Edition) → Web App; legitimate application traffic is allowed through, attacks are blocked; layers: Network Access, Application Infrastructure]
Protecting back-end web applications and data
• Better Data Protection and Better User Experience
• Real-time protection for application and application logic
• Accelerated Secure access and delivery of data
New Features in 8.1
8.1 Main Features/Benefits
Feature: Clientless, browser-based access (Phase 1 – OWA 2003/2007 and simple http rewrite)
Benefit: Access resources from any PC without the need for the full Secure Access Client
Feature: Installation wizards & revamped documentation
Benefit: Easier installation and configuration
Feature: Access scenario fallback with client choices
Benefit: Ability to set rules that dictate how users may access resources based upon EPA results (full client or ICA only). Users have options when they successfully pass the EPA scan.
Feature: Vista client
Benefit: Expand opportunities
Feature: Enhanced NavUI with XenApp applications list
Benefit: Provide a seamless user interface to XenApp applications
Feature: FTA – File Type Association
Benefit: Ability to automatically launch a XenApp published application when a file is double-clicked for viewing
Clientless Access – URL Rewriting
• Allows a secure clientless connection
• Supports
  • Portal page
  • Generic web sites
  • Outlook Web Access Light
  • Outlook Web Access Premium
Clientless Access – Email Support
Clientless Access - URL Rewriting
Rewritten URL is https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/
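The path segment in that example is the base64 encoding of the original URL (aHR0cDovL3d3dy5nb29nbGUuY29t decodes to http://www.google.com). The Python below is an added example for this page, not Citrix's implementation: it shows the encode and decode steps, rewrites the links of a fetched page so they route back through the gateway, and, on the decode side, treats the decoded target as untrusted input by accepting only http(s) URLs on an allow-list of hosts. The gateway name is the deck's; the allow-list, the sample page, the URL-safe base64 alphabet (identical to standard base64 for the deck's example) and the function names are assumptions.

```python
import base64
import binascii
import re
from typing import FrozenSet, List, Optional
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://gateway.corp.com"   # gateway host from the deck's example
CVPN_PREFIX = "/cvpn/"
# Hosts the gateway is allowed to proxy to (constructed allow-list).
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"www.google.com", "owa.corp.com"})
HREF_RE = re.compile(r'href="([^"]*)"')


def rewrite_url(original: str) -> str:
    """Encode an absolute URL into the /cvpn/<base64>/ form shown on the slide.
    URL-safe alphabet (assumption) so the token never contains '/' or '+'."""
    token = base64.b64encode(original.encode("utf-8"), altchars=b"-_").decode("ascii")
    return f"{GATEWAY}{CVPN_PREFIX}{token}/"


def unrewrite_url(rewritten: str,
                  allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Reverse the rewrite; returns None unless the decoded target is acceptable.

    The decoded value is client-controlled input, so the gateway should only
    fetch http(s) targets on hosts it has been configured to front.
    """
    parts = urlsplit(rewritten)
    if f"{parts.scheme}://{parts.netloc}" != GATEWAY:
        return None
    if not parts.path.startswith(CVPN_PREFIX):
        return None
    token = parts.path[len(CVPN_PREFIX):].split("/", 1)[0]
    try:
        original = base64.b64decode(token, altchars=b"-_", validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    target = urlsplit(original)
    if target.scheme not in ("http", "https") or target.hostname not in allowed_hosts:
        return None
    return original


def rewrite_document_links(html: str, base_url: str) -> str:
    """Rewrite every href in a fetched page so it points back through the
    gateway. Relative links are resolved against the page's own URL first."""
    return HREF_RE.sub(
        lambda m: f'href="{rewrite_url(urljoin(base_url, m.group(1)))}"', html)


def extract_hrefs(html: str) -> List[str]:
    """Helper used to inspect the result of a rewrite."""
    return HREF_RE.findall(html)


# Constructed sample page as served by an internal web server.
SAMPLE_PAGE = '<a href="/mail">Mail</a> <a href="https://owa.corp.com/cal">Calendar</a>'


if __name__ == "__main__":
    print(rewrite_url("http://www.google.com"))
    print(rewrite_document_links(SAMPLE_PAGE, "https://owa.corp.com/"))
```

Both hrefs of the sample page come out as gateway URLs that decode back to owa.corp.com targets, while a token that decodes to a host outside the allow-list, or that is not valid base64, is refused.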
Access Gateway Wizards
• Create or edit an SSL VPN virtual server – New!
• Configure certificates – New!
• Configure name resolution
• Configure authorization
• Default authorization action – New!
• Configure port 80 redirection – New!
• Configure clientless access – New!
• Published Applications – New!
• ICA connections – New!
Client Choices
Provides users with a choice of using the Secure Access Client or launching applications through Web Interface
Use Client Security Expressions to conditionally control Secure Access Client availability
Access Scenario Fallback
Access Scenario Fallback uses a Quarantine Group in addition to the “Client Security String”
[Screenshot label: Quarantine]
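How endpoint analysis results, client security expressions, client choices and the quarantine group fit together is easier to see in code. The Python below is an added example for this page, not Citrix's policy engine: the scan fields, hotfix/process/service names, group names and function names are all constructed. It evaluates a scan against a strong expression (Secure Access Client), falls back to a weaker one (ICA through Web Interface), and otherwise places the session in the quarantine group so a failed scan never lands in the default group.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed endpoint scan result. Field names and the sample values are
# assumptions; the deck only lists the categories a Windows client can be
# scanned for (files, processes, registry, services, OS, hotfixes, certificates).
@dataclass(frozen=True)
class EndpointScan:
    operating_system: str
    hotfixes: FrozenSet[str]
    processes: FrozenSet[str]
    services: FrozenSet[str]
    has_client_certificate: bool


SecurityExpression = Callable[[EndpointScan], bool]


# Client security expressions: boolean tests over scan results. The hotfix,
# process and service names are constructed placeholders.
def full_client_expression(scan: EndpointScan) -> bool:
    """Bar for the Secure Access Client: managed, patched, certificate present."""
    return (scan.operating_system.startswith("Windows")
            and "KB-EXAMPLE-0001" in scan.hotfixes
            and "av-agent.exe" in scan.processes
            and "HostFirewall" in scan.services
            and scan.has_client_certificate)


def ica_only_expression(scan: EndpointScan) -> bool:
    """Weaker bar that still allows ICA through Web Interface: AV is running."""
    return "av-agent.exe" in scan.processes


FULL_CLIENT, ICA_ONLY, QUARANTINE = "full-client", "ica-only", "quarantine"
DEFAULT_GROUP, QUARANTINE_GROUP = "Employees", "Quarantine"   # constructed group names


def access_scenario(scan: EndpointScan) -> Tuple[str, str]:
    """Access scenario fallback: returns (scenario, session group).

    Strongest access is tried first; each failure falls back one level and the
    chain ends in the quarantine group, which exists so that a failed scan lands
    in a group with restrictive policies rather than being silently allowed.
    """
    if full_client_expression(scan):
        return FULL_CLIENT, DEFAULT_GROUP
    if ica_only_expression(scan):
        return ICA_ONLY, DEFAULT_GROUP
    return QUARANTINE, QUARANTINE_GROUP


def client_choices(scan: EndpointScan) -> List[str]:
    """Choices shown after logon. The Secure Access Client appears only when its
    security expression holds; a quarantined session gets no launch options."""
    scenario, _ = access_scenario(scan)
    if scenario == QUARANTINE:
        return []
    choices = ["Web Interface (ICA only)"]
    if scenario == FULL_CLIENT:
        choices.insert(0, "Secure Access Client")
    return choices


# Constructed sample endpoints.
MANAGED_LAPTOP = EndpointScan("Windows XP", frozenset({"KB-EXAMPLE-0001"}),
                              frozenset({"av-agent.exe"}), frozenset({"HostFirewall"}), True)
HOME_PC = EndpointScan("Windows Vista", frozenset(), frozenset({"av-agent.exe"}),
                       frozenset(), False)
KIOSK = EndpointScan("Windows 2000", frozenset(), frozenset(), frozenset(), False)

if __name__ == "__main__":
    for name, scan in [("managed laptop", MANAGED_LAPTOP), ("home PC", HOME_PC), ("kiosk", KIOSK)]:
        print(name, access_scenario(scan), client_choices(scan))
```

The managed laptop gets both choices, the home PC only the Web Interface option, and the kiosk is quarantined with no launch options.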
Client Choices – User Interface
Windows Interface Look and Feel in NavUI
Home page is left blank to support embedded WI
The WI Mode can be set to Normal or Compact, but the WI site must be configured in the same mode
Normal Mode
Compact Mode
Custom Mode
The WI site can be forced into an embedded mode by modifying the site properties
Refer to CTX114504 for complete details
Network Overview
One-arm versus Two-Arm
[Diagram] One-arm Deployment (client-side and server-side traffic on a single appliance interface): 1) User Request → 2) User Request → 3) Server Response → 4) Server Response
[Diagram] Two-arm Deployment (separate client-facing and server-facing interfaces): 1) User Request → 2) User Request → 3) Server Response → 4) Server Response
5 Types of IP Addresses in Access Gateway
• Virtual Server IP (VIP)
• Management IP (NSIP)
• Subnet IP / Mapped IP (SNIP/MIP)
• Intranet IP (IIP)
[Diagram: End User ↔ VIP; IIP; SNIP/MIP ↔ Backend Server; NSIP – Administration and Authentication]
Basic Firewall and Port Rules
[Diagram: port flows]
• Remote End User → VIP: 443, 80* (HTTP/TCP)
• SNIP → CPS & WI: 80, 8080, 443 (HTTP/TCP); 1494, 2598 (TCP)
• NSIP → DNS: 53 (UDP)
• NSIP → AD / LDAP: 389/636 (TCP)
• AGEE Admin → NSIP: 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)
* Port 80 used for https redirect
Common Firewall and Port Requirements
Source           Destination          Port                 Use
Internet         VIP                  443                  SSL Virtual Server Connections
Internet         VIP                  80                   Port 80 Redirection
NSIP             Management Console   22, 80, 3008, 3010   SSH, Web Tool, Java Admin Tool
NSIP             LDAP Server          389                  LDAP
NSIP             LDAP Server          636                  Secure LDAP
NSIP             RADIUS Server        1812                 RADIUS
NSIP             DNS Server           53                   DNS queries
WI/CPS Firewall and Port Requirements
Source           Destination          Port                 Use
MIP/SNIP         Web Interface        80                   WI over HTTP
MIP/SNIP         Web Interface        443                  WI over HTTPS
MIP/SNIP         CPS Server           1494 or 2598         ICA traffic
VIP              STA Server           8080 or 443          STA communication
Web Interface    VIP                  443                  SSO Callback
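The two port tables are effectively a least-privilege specification for the firewalls around the appliance: every listed flow must be open, and nothing else should be. The Python below is an added example for this page (not a Citrix tool) that turns the tables into data and audits a candidate rule set against them, reporting required flows that no rule permits and rules that no table row justifies, including wildcard rules that happen to cover a required flow but also allow much more. The protocol column is an assumption: the tables give only ports, so TCP is assumed except for DNS (53 UDP in the diagram) and RADIUS authentication (UDP 1812 per RFC 2865). The candidate rule set is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: Optional[int]   # None = any port
    proto: str = "TCP"


# Required flows transcribed from the two tables (sources and destinations as
# the tables list them). Protocols are assumed as described in the lead-in.
REQUIRED: Dict[Flow, str] = {
    Flow("Internet", "VIP", 443): "SSL Virtual Server Connections",
    Flow("Internet", "VIP", 80): "Port 80 Redirection",
    Flow("NSIP", "Management Console", 22): "SSH",
    Flow("NSIP", "Management Console", 80): "Web Tool",
    Flow("NSIP", "Management Console", 3008): "Java Admin Tool",
    Flow("NSIP", "Management Console", 3010): "Java Admin Tool",
    Flow("NSIP", "LDAP Server", 389): "LDAP",
    Flow("NSIP", "LDAP Server", 636): "Secure LDAP",
    Flow("NSIP", "RADIUS Server", 1812, "UDP"): "RADIUS",
    Flow("NSIP", "DNS Server", 53, "UDP"): "DNS queries",
    Flow("MIP/SNIP", "Web Interface", 80): "WI over HTTP",
    Flow("MIP/SNIP", "Web Interface", 443): "WI over HTTPS",
    Flow("MIP/SNIP", "CPS Server", 1494): "ICA traffic",
    Flow("MIP/SNIP", "CPS Server", 2598): "ICA traffic",
    Flow("VIP", "STA Server", 8080): "STA communication",
    Flow("VIP", "STA Server", 443): "STA communication",
    Flow("Web Interface", "VIP", 443): "SSO Callback",
}


def rule_covers(rule: Flow, need: Flow) -> bool:
    """True when a firewall rule (possibly using wildcards) permits a flow."""
    return (rule.src in (need.src, ANY) and rule.dst in (need.dst, ANY)
            and rule.port in (need.port, None) and rule.proto in (need.proto, ANY))


def missing_flows(rules: List[Flow]) -> List[Flow]:
    """Required flows that no rule permits: the deployment will not work."""
    return [need for need in REQUIRED if not any(rule_covers(r, need) for r in rules)]


def unjustified_rules(rules: List[Flow]) -> List[Flow]:
    """Rules with no table row to justify them, or using wildcards.
    A wildcard rule may happen to cover a required flow, but it also permits
    traffic the tables never asked for, so it is flagged regardless."""
    flagged = []
    for rule in rules:
        wildcard = rule.port is None or ANY in (rule.src, rule.dst, rule.proto)
        if wildcard or not any(rule_covers(rule, need) for need in REQUIRED):
            flagged.append(rule)
    return flagged


# Constructed candidate rule set: everything required except RADIUS, plus one
# overly broad rule exposing the management IP to the Internet on every port.
SAMPLE_RULES: List[Flow] = [f for f in REQUIRED if f.dst != "RADIUS Server"] + [
    Flow("Internet", "NSIP", None),
]

if __name__ == "__main__":
    print("missing:", missing_flows(SAMPLE_RULES))
    print("unjustified:", unjustified_rules(SAMPLE_RULES))
```

For the sample rule set the audit reports the RADIUS flow as missing and the Internet-to-NSIP any-port rule as unjustified; the exact table flows pass clean.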