1 / 36

Citrix Secure Gateway Technical Training

Citrix Secure Gateway Technical Training. Agenda. By the end of this session, you should be able to: Explain the role CSG plays in a MetaFrame deployment Explain the role of SSL certificates

astin
Download Presentation

Citrix Secure Gateway Technical Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Citrix Secure Gateway Technical Training

  2. Agenda • By the end of this session, you should be able to: • Explain the role CSG plays in a MetaFrame deployment • Explain the role of SSL certificates • Install and configure the CSG Gateway, Secure Ticket Authority, Nfuse 1.61 and the 6.20 ICA client to enable SSL connectivity through CSG

  3. What Solution does CSG Enable? • Securely and simply deliver published applications across the Internet • Other components of this solution include: • NFuse 1.61 or later (required) • Secure Web Server and/or Portal (e.g. Citrix XPS) • Replaceable authentication (e.g. SecurID, smart card) • SSL enabled clients

  4. What is CSG? • Gateway between an SSL enabled ICA client and one or more MetaFrame servers • Tunnels ICA traffic inside SSL • Limited to ICA only – not a general purpose VPN. • Runs independently from MetaFrame, links into NFuse for authorization • Three components: • Citrix Secure Gateway Server (“the gateway”) • Secure Ticket Authority (“STA”) • Modified NFuse Website

  5. CSG in a Nutshell Internal Network Client sends ICA-in-SSL packets to the CSG Gateway Server CSG Gateway Server forwards unencrypted ICA traffic to MetaFrame. MetaFrame sees the CSG Server as a local client. Encrypted with SSL Internet CSG Gateway Server MetaFrame Server ICA 6.20 Client

  6. CSG Server with NFuse CSG Server with NFuse

  7. CSG 1.0 Technical Requirements • Three Windows 2000 servers with SP2: • CSG Gateway Server • Server Certificate • Secure Ticket Authority • Microsoft Internet Information Server (IIS) • NFuse 1.61 (or a modified earlier version) • Microsoft Internet Information Server (IIS) • Win32, Java, Mac or Linux 6.20 ICA client • MetaFrame Server Farm

  8. CSG 1.0 Marketing Requirements • Subscription Advantage Customers Only • CSG is being offered as a value-add to the Subscription Advantage program • Customers who bought MetaFrame XP with Subscription Advantage will receive the option to download CSG from www.citrix.com/MyCitrix • There is no technical enforcement of this requirement

  9. CSG Versus SSL Relay • For ICA-SSL connectivity, CSG is easier to deploy than SSL Relay on the MetaFrame servers:

  10. ICA Secure ICA SSL Relay CSG Citrix Extranet CSG Versus Extranet Lower security Highest Security • Compared to Extranet, CSG is fairly limited. If you are already using Extranet, you don’t need CSG.

  11. Intro to SSL

  12. Why SSL? • The threats: • Server masquerading • Network sniffers • Secure Sockets Layer (SSL) provides: • Authentication • Digital certificates prove identity on the Internet • This prevents “man-in-the-middle” or DNS attacks • Encryption • Using 128-bit key lengths • This prevents network sniffers from viewing your information

  13. SSL Certificates • SSL Certificate requirements • A new thing for many of our customers • Need to be very careful – can be difficult • Obtain certificates from: • Private Certificate Authority (CA) • Public CA • Evaluation cert from Public CA (Baltimore, Verisign) • Possible need to install root CA on Client. Windows 6.20 ICA client supports all Windows standard CA’s

  14. Could I see some ID please? • SSL Certificates are like Driver’s Licenses

  15. Server certificates • Server certificates are unique to a particular server name • The “subject” of the certificate is the FQDN of the server • Server certificates also include fields dictating what the certificate can be used for • View the Certification Path to find out what CA issued this certificate (may be a chain of CA’s)

  16. Root Certificates • Root certificates (aka CA certificates) are self-signed entities that are used to verify server certificates • If you trust a CA, install their root certificate. • Windows ships with many pre-installed CA certificates for well-known CA’s: • Verisign • Entrust • Baltimore • RSA • Thawte

  17. Client needs the root, server needs a cert • Sample Certificate Placement

  18. Default root certificates • Root certificates need to be installed into the Windows operating system • To see what certificates are installed, use MMC or IE

  19. InstallingCSG

  20. CSG installation steps • Installation steps to follow: • Read The Friendly Manuals: • Getting Started Guide • Administrator’s Guide • Fill out the “Installation Checklist” • Install the software in the correct order: • 1. Secure Ticket Authority • 2. CSG Gateway Service • 3. CSG NFuse Extensions (or use Nfuse 1.61 or Columbia 6.0) 20

  21. Important – Print the Checklist • The CSG distribution includes an installation checklist that takes the guesswork out of installing the components • It is recommended that you sketch your network, print this page, fill in the blanks, and then begin installing the servers

  22. Extract the self expanding exe • CSG comes in the form of a single, self expanding exe file “SetupCSG.exe” • Execute this file to expand its contents and start the installation process.

  23. Example installation • CSG uses three machines: • 1. Secure Ticket Authority (STA) • Fully qualified domain name (FQDN): sta01.company.com • Machine pre-loaded with Windows 2000 (SP2) server and IIS 5.0 • 2. CSG Gateway Server • FQDN: snowy1.csg-gw.company.com • Machine pre-loaded with Windows 2000 (SP2) • 3. NFuse 1.61 Server • FQDN: nfuse.company.com • Machine pre-loaded with Windows 2000 (SP2) server and IIS 5.0 • NFuse 1.61 installed • CSG also includes example scripts and documentation to help you integrate CSG functionality into an existing Nfuse website.

  24. Easy install--demo

  25. Server Certificates Server Certificate Required A server certificate must be obtained and installed for your CSG Gateway machine. The certificate must be issued to the FQDN of the snowy gateway. The Snowy Administrator’s Guide provides in-depth information regarding server certificates.

  26. Checking installed Server Certificates Run MMC on the CSG gateway machine and add the “Certificates” snap-in.

  27. Checking installed Server Certificates Ensure that the server certificate is installed into the Local Computer\Personal\Certificates store

  28. Checking installed Server Certificates Double click on the certificate shown to check that it is ok.

  29. Connecting through CSG To launch an application, simply click on the application’s link as you would in NFuse normally. You can ensure that the connection is 128bit SSL by opening the ICA connection center. Small Padlock

  30. Connecting through CSG You can also see the security status of the connection via the Client Connection Status dialog on the client.

  31. Relay Mode • If NFuse is not an option • Possible to install CSG in “relay mode”, where no STA ticket is required • Not secure! Use this only when NFuse is not an option • Impossible to switch between normal mode and relay mode—you must explicitly install CSG in relay mode. To do so:msiexec /i csg_gwy.msi RELAYMODE=1

  32. Troubleshooting There is a great step-by-step troubleshooting section and detailed explanations of error messages in the Administrator’s Guide (RTFM). Troubleshooting tips: • Ensure that you can ping all machines in your CSG system by their FQDN. • Using netstat, ensure that your CSG gateway machine is listening on port 443 (https). • Using netstat, ensure that your Snowy Ticket Authority machine is listening on port 80 (http). • Ensure that you are using version 6.20 or higher of the ICA client. • Check that all of your system clocks are in sync, this can lead to certificates being invalid.

  33. Perfmon counters On the Secure Gateway server: • Active Session Count • Client Connections Accepted • Client Connections Failed • Client Connections Timed Out • Global Clients to Gateway Bytes • Global Clients to Gateway Packets • Global Gateway to Client(s) Bytes • Global Gateway to MetaFrame server bytes • Global MetaFrame server to Gateway Bytes Global MetaFrame server to Gateway Packets MetaFrame Connections Failed MetaFrame Connections Successful Peak Active Clients Peak Client Connection Attempts Peak STA Data Requests Peak STA Save Tickets STA Data Requests Failed STA Data Requests Successful STA Save Tickets Failed STA Save Tickets Successful

  34. Perfmon counters • On the Secure Ticket Authority server: • STA Bad Data Request Count • STA Bad Save Request Count • STA Good Data Request Count • STA Good Save Request Count • STA Good Ticket Request Count • STA Peak Data Request Rate • STA Peak Save Request Rate • STA Peak Ticket Request Rate • STA Save Request Rate • STA Ticket Timeout Count

  35. Further Reading • Citrix Secure Gateway Administrator’s Guide • Citrix Secure Gateway Getting Started Guide • White paper: Using the Citrix SSL Relay Service • SSL and TLS Essentials, by Stephen ThomasISBN: 0-471-38354-6

  36. Thank You &Now Everything Computes Securely

More Related