Deploying Citrix Secure Gateway
A Workforce Mobility Solution

Agenda
• What is Citrix Secure Gateway?
• Components and Requirements
• Implementation
• Think about this
• Better Management and Usability with Feature Release 2

What is Citrix Secure Gateway?
Secure Internet Access

What is Citrix Secure Gateway?
• Secure Remote Access Product
• Designed for use with MetaFrame only
• Single IP access from the Internet
• SSL Encryption
• Communication over port 443
• Single Point Certificate Management

Components of CSG Solution
• Citrix Secure Gateway Server
• Citrix NFuse 1.6
• Secure Ticketing Authority
• Citrix MetaFrame XP, Feature Release 1
Workforce Mobility: Components and Requirements
A Secure Clientless Internet Access Solution

Solution Components
• Citrix Secure Gateway Server
• NFuse 1.6 or later with Citrix Secure Gateway Components
• Hardware Load Balancer
• VeriSign or other Authorized Certificate
• ACE/RSA SecurID Server
• NT Domain/Active Directory/Novell NDS
• Secure Ticketing Authority Server

Function of Citrix Secure Gateway
• Encrypt ICA Traffic
• Access Authorization (with STA)
• Provide Connectivity
• Provide Single IP connectivity to the Internet

Function of NFuse Web Server
• Provide Authentication Page
• Provide Application List from MetaFrame
• Authenticate user against ACE/RSA Server
• Accept NT/ADS/Novell Credentials
• Provide ICA Clients for download and install
  • This includes the ActiveX Control, Netscape Plug-in and Java Applet

Function of Load Balancer
• Provide Fail-over capabilities to Citrix Secure Gateway and NFuse Servers
  • 2 Citrix Secure Gateway Servers
  • 2 NFuse 1.6 Servers
• Provide Stateful Load Balancing for the Solution

Function of Certificates, Tickets, Login
VeriSign or other CA Certificate
• Encryption Level Verification
NT Domain/Microsoft ADS/Novell NDS
• MetaFrame Application Authentication
ACE/RSA SecurID
• Provide Secure Authentication to Web Server
Secure Ticketing Authority
• Machine Level Verification/Authentication
Workforce Mobility: Implementation
A Secure Clientless Internet Access Solution

Server Specifications
Citrix Secure Gateway
• P700 MHz with 1 GB RAM
• Citrix uses P933 with 1 GB RAM
NFuse 1.6 Web Server
• Standard Web Server with IIS 5.0 or above
• Citrix uses Dual P700 with 1 GB RAM

Authentication Considerations
STA
• Should NOT be located in the DMZ
  • If compromised, can allow access to the network
• Should not be installed on the Web Server
ACE/RSA
• Should NOT be installed on the PDC
• Does not require an LDAP link to ADS/NDS
• Usernames in RSA should match NT/ADS/NDS

Architectural Considerations
• Java Client or 986 Win32 ICA Client Required
  • Install Java Client on Web Server for Java Applet access
• RSA is used to secure Web Server access
  • Logon to web server
  • Gain access to NFuse Application Set
• NT/ADS/NDS is used for
  • User Authentication for Application List from MetaFrame
  • User Authentication to MetaFrame Connection
• STA used for machine level authentication
  • Used to prevent man-in-the-middle attacks
  • Verifies that the user on the machine has already been identified

Communications Ports
Firewall (External to ICA Client)
• NFuse 1.6 – 443
• Citrix Secure Gateway – 443
Firewall (Internal to Secure Network)
• NFuse 1.6 to ACE/RSA SecurID – 5500
• NFuse 1.6 Server to MetaFrame – 80
• NFuse 1.6 to STA – 80
• Citrix Secure Gateway to STA – 80
• Citrix Secure Gateway to MetaFrame – 1494
Communication – Application Set (diagram; components: ICA Client, Firewall, DMZ Interface, NFuse Server, Citrix Secure Gateway, STA, ACE/RSA, MetaFrame Server Farm and NT PDC)

Communication – ICA File Creation (diagram; same components as above)

Communication – Connection (diagram; same components as above)
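The ticket flow described in the Authentication and Architectural Considerations slides and the three communication diagrams (NFuse obtains a ticket from the STA after login, the ICA file carries the ticket rather than the MetaFrame address, and the gateway redeems the ticket with the STA before connecting on 1494), as an added Python model that is not Citrix code: the real STA message format is not shown on the page, so tickets here are random opaque tokens, the ICA file is simplified, and the ticket lifetime and sample addresses are constructed assumptions.

```python
import secrets
import time

TICKET_TTL = 100  # seconds; an assumed lifetime, the deck does not state one


class SecureTicketAuthority:
    """Toy STA: issues opaque, single-use, expiring tickets that map to a MetaFrame target."""

    def __init__(self):
        self._tickets = {}  # ticket -> (metaframe address, ICA port, expiry time)

    def request_ticket(self, address, port=1494, now=None):
        """Called by NFuse after the user has logged in; the client never sees the address."""
        now = time.time() if now is None else now
        ticket = secrets.token_hex(16)  # random, so it leaks nothing about the target
        self._tickets[ticket] = (address, port, now + TICKET_TTL)
        return ticket

    def validate_ticket(self, ticket, now=None):
        """Called by the gateway; pop() makes the ticket single-use, so a replay fails."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None  # unknown or already redeemed
        address, port, expiry = entry
        if now > expiry:
            return None  # stale ticket, e.g. captured and presented later
        return address, port


def build_ica_file(gateway_host, ticket):
    """Simplified ICA file: it names the gateway (port 443) and the ticket, never the server."""
    return f"[WFClient]\nSSLProxyHost={gateway_host}:443\nAddress={ticket}\n"


def gateway_accept(sta, address_field, now=None):
    """CSG receives the ICA file's Address value over 443, redeems it with the STA over
    port 80, and only then learns which MetaFrame server to reach on 1494."""
    return sta.validate_ticket(address_field, now=now)  # None means refuse the connection


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    t = sta.request_ticket("10.0.0.5", now=1000.0)  # constructed sample address
    print(build_ica_file("csg.example.com", t))
    print("first use:", gateway_accept(sta, t, now=1050.0))  # ('10.0.0.5', 1494)
    print("replay:   ", gateway_accept(sta, t, now=1051.0))  # None
```

The model shows why the deck keeps the STA out of the DMZ: the STA's table is the only place the ticket-to-server mapping exists, so whoever controls it controls which internal hosts the gateway will connect to.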
Creating the Login Web Page
• Modify the ACE/RSA login page
• Add NFuse Login Components
  • NT Username, Password
  • May want to configure Domain as static
• Some ICA Connection Properties
  • Need to be configured before logon
  • Cannot be stored in a Cookie because of this
  • May be saved in a directory on the server, but this is not secure

Configuring the Java Applet
• Run setup.class on your web server
• Create an HTML page for the ICA session
• Note: the optimal configuration is the Ultra Thin Web Client
• For Internet Explorer users, the HTML page could look like this:

    <applet code="com.citrix.JICA" width="640" height="480">
      <param name="cabinets" value="JICA-coreM.cab">
      <param name="address" value="CitrixServer">
    </applet>

• For Netscape Navigator users, the HTML page could look like this:

    <applet code="com.citrix.JICA" archive="JICA-coreN.jar" width="640" height="480">
      <param name="address" value="CitrixServer">
    </applet>

Ref: Citrix ICA Java Client Administrator's Guide
• See Installing the Citrix ICA Java Client; Chapter 2, Page 21
• See Creating an HTML Page to Launch the ICA Java Client; Chapter 3, Page 29

Additional Steps (ACE/RSA SecurID)
• Install Net OS on Web Server
• Create Entry for Web Server on ACE/RSA
• Copy SDCONF.REC File to System32 on Web Server
Demo Time
A Secure Clientless Internet Access Solution

Workforce Mobility: Think About This
A Secure Clientless Internet Access Solution

NFuse ICA Clients
• Install on NFuse Server for easy install
Java Applet
• Install on NFuse Server for Kiosk/Café Access
• Universal Zero-Client Access
SSL to ICA Client
• HTTPS Web Site/Pages
• Encrypt Browser Communications
  • SecurID Credentials
  • NT Domain/ADS/NDS Credentials
  • Secure Ticket and ICA File

Certificates
CA Authority
• Supported by the Microsoft OS by default
• Flexible use for Kiosk/Internet Café Access
Custom Certificates
• Distribution/Management Challenges
• Kiosk/Internet Café Access questionable
• Highest Security
MetaFrame XP, Feature Release 2
A Sneak Peek

Features
• Delegated Administration
• Enhanced Web Administration
• Enhanced Systems Monitoring and Analysis
• User Collaboration
• File Type Association
• Smart Card Support
• Client/Server Drag and Drop
• Improved File Transfer/Client Drive Mapping
• Client Customization Utilities
• Installation and Deployment Enhancements
• Hotfix Management

Delegated Administration
Create specialized administrators to handle specific areas of MetaFrame administration
• Managing printers
• Published applications
• User policies
• Task Based

User Collaboration
• One or many users may shadow a single user
• Shadowing is not just for administrators any more

Content Redirection (diagram labels: SERVER – Published Acrobat; CLIENT – Local Application (Outlook, Word, IE); Acrobat content located anywhere)

Enhanced Systems Monitoring & Analysis
• Summary Database
  • Monitor health of the Database Connection Server
  • Schedule the transfer of daily data
  • Enable automated data purges
  • Specify server metrics on a per-server basis
• Audit users to track user statistics, favorite applications, and server usage across the farm
• Set up Cost Centers and Fee structures
• Generate reports, all within the CMC
  • Bill by domain or cost centers
  • HTML report template
  • Pre-defined Crystal templates