
Deploying Citrix Secure Gateway


Presentation Transcript


  1. Deploying Citrix Secure Gateway. A Workforce Mobility Solution

  2. Agenda • What is Citrix Secure Gateway? • Components and Requirements • Implementation • Think about this • Better Management and Usability with Feature Release 2

  3. What is Citrix Secure Gateway? Secure Internet Access

  4. What is Citrix Secure Gateway? • Secure Remote Access Product • Designed for use with MetaFrame only • Single IP access from the Internet • SSL Encryption • Communication over port 443 • Single Point Certificate Management

  5. Components of CSG Solution • Citrix Secure Gateway Server • Citrix NFuse 1.6 • Secure Ticketing Authority • Citrix MetaFrame XP, Feature Release 1

  6. Workforce Mobility: Components and Requirements. A Secure Clientless Internet Access Solution

  7. Solution Components • Citrix Secure Gateway Server • NFuse 1.6 or later with Citrix Secure Gateway Components • Hardware Load Balancer • Verisign or other Authorized Certificate • ACE/RSA Secure ID Server • NT Domain/Active Directory/Novell NDS • Secure Ticketing Authority Server

  8. Function of Citrix Secure Gateway • Encrypt ICA Traffic • Access Authorization (w/ STA) • Provide Connectivity • Provide Single IP connectivity to internet

  9. Function of NFuse Web Server • Provide Authentication Page • Provide Application List from MetaFrame • Authenticate user against ACE/RSA Server • Accept NT/ADS/Novell Credentials • Provide ICA Clients for download and install • This includes Active-X Control, Netscape Plugin, Java Applet

  10. Function of Load Balancer • Provide Fail-over capabilities to Citrix Secure Gateway and NFuse Servers • 2 – Citrix Secure Gateway Servers • 2 – NFuse 1.6 Servers • Provide Stateful Load Balancing for Solution

  11. Function of Certificates, Tickets, Login • Verisign or other CA Certificate: Encryption Level Verification • NT Domain/Microsoft ADS/Novell NDS: MetaFrame Application Authentication • ACE/RSA Secure ID: Provide Secure Authentication to Web Server • Secure Ticketing Authority: Machine Level Verification/Authentication

  12. Workforce Mobility: Implementation. A Secure Clientless Internet Access Solution

  13. Server Specifications • Citrix Secure Gateway: P700 MHz with 1GB RAM; Citrix uses P933 with 1GB RAM • NFuse 1.6 Web Server: Standard Web Server w/ IIS 5.0 or above; Citrix uses Dual P700 w/ 1GB RAM

  14. Authentication Considerations • STA: Should NOT be located in DMZ; If compromised, can allow access to network; Should not be installed on Web Server • ACE/RSA: Should NOT be installed on PDC; Does not require LDAP link to ADS/NDS; Usernames in RSA should match NT/ADS/NDS

  15. Architectural Considerations • Java Client or 986 Win32 ICA Client Required • Install Java Client on Web Server for Java Applet access • RSA is used to Secure Web Server Access: Logon to web server; Gain access to NFuse Application Set • NT/ADS/NDS is used for: User Authentication for Application List from MetaFrame; User Authentication to MetaFrame Connection • STA used for machine level authentication: Used to prevent man in the middle attacks; Verify that user on machine has already been identified

  16. Communications Ports • Firewall (External to ICA Client): NFuse 1.6 – 443; Citrix Secure Gateway – 443 • Firewall (Internal to Secure Network): NFuse 1.6 to ACE/RSA Secure ID – 5500; NFuse 1.6 Server to MetaFrame – 80; NFuse 1.6 to STA – 80; Citrix Secure Gateway to STA – 80; Citrix Secure Gateway to MetaFrame – 1494

  17. Communication – Application Set [Diagram; labels: Citrix Secure Gateway, MetaFrame Server Farm and NT PDC, ICA Client, STA, Firewall, DMZ Interface, NFuse Server, ACE/RSA]

  18. Communication – ICA File Creation [Diagram; labels: Citrix Secure Gateway, MetaFrame Server Farm and NT PDC, ICA Client, STA, Firewall, DMZ Interface, NFuse Server, ACE/RSA]

  19. Communication – Connection [Diagram; labels: Citrix Secure Gateway, MetaFrame Server Farm and NT PDC, ICA Client, STA, Firewall, DMZ Interface, NFuse Server, ACE/RSA]

  20. Creating the Login Web Page • Modify the ACE/RSA login page • Add NFuse Login Components • NT Username, Password • May want to configure Domain as static • Some ICA Connection Properties • Need to be configured before logon • Cannot be stored in a Cookie because of this • May be saved in directory on server but not secure

  21. Configuring the Java Applet • Run setup.class on your web server • Create HTML page for ICA session • Note: Optimal config is Ultra Thin Web Client • For Internet Explorer users, the HTML page could look like this: <applet code=com.citrix.JICA width=640 height=480> <param name=cabinets value=JICA-coreM.cab> <param name=address value=CitrixServer> </applet> • For Netscape Navigator users, the HTML page could look like this: <applet code=com.citrix.JICA archive=JICA-coreN.jar width=640 height=480> <param name=address value=CitrixServer> </applet> • Ref: Citrix ICA Java Client Administrators Guide • See Installing the Citrix ICA Java Client; Chapter 2, Page 21 • See Creating an HTML Page to Launch the ICA Java Client; Chapter 3, Page 29

  22. Additional Steps (ACE/RSA Secure ID) • Install Net OS on Web Server • Create Entry for Web Server on ACE/RSA • Copy SDCONF.REC File to System32 on Web Server

  23. Demo Time. A Secure Clientless Internet Access Solution

  24. Workforce Mobility: Think About This. A Secure Clientless Internet Access Solution

  25. NFuse ICA Clients • Install on NFuse Server for easy install Java Applet • Install on NFuse Server for Kiosk/Café Access • Universal Zero-Client Access • SSL to ICA Client • HTTPS Web Site/Pages • Encrypt Browser Communications • Secure ID Credentials • NT Domain/ADS/NDS Credentials • Secure Ticket and ICA File

  26. Certificates • CA Authority: Supported by Microsoft OS by default; Flexible use for Kiosk/Internet Café Access • Custom Certificates: Distribution/Management Challenges; Kiosk/Internet Café Access questionable; Highest Security

  27. MetaFrame XP, Feature Release 2. A Sneak Peek

  28. Features • Delegated Administration • Enhanced Web Administration • Enhanced Systems Monitoring and Analysis • User Collaboration • File Type Association • Smart Card Support • Client/Server Drag and Drop • Improved File Transfer/Client Drive Mapping • Client Customization Utilities • Installation and Deployment Enhancements • Hotfix Management

  29. Delegated Administration: Create specialized administrators to handle specific areas of MetaFrame administration • Managing printers • Published applications • User policies • Task Based

  30. User Policies

  31. User Collaboration • One or many users may shadow a single user • Shadowing is not just for administrators any more.

  32. Content Redirection [Diagram; labels: Published Acrobat, Local Application (Outlook, Word, IE), SERVER, CLIENT, Acrobat content located anywhere]

  33. Enhanced Systems Monitoring & Analysis • Summary Database • Monitor health of Database Connection Server • Schedule the transfer of daily data • Enable automated data purges • Specify server metrics on a per-server basis • Audit users to track user statistics, favorite applications, and server usage across the farm • Set up Cost Centers, Fee structures • Generate reports, all within the CMC • Bill by domain or cost centers • HTML report template • Pre-defined Crystal templates

  34. Enhanced Printing

  35. Enhanced CWC
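
A check of a firewall rule set and host placement against the port list on slide 16 and the STA and ACE/RSA placement rules on slide 14, as an added example that is not part of the original presentation. The role names, zone labels, rule format and sample hosts are assumptions made for the illustration.

```python
# Added example, not from the presentation; roles, zones, rules and hosts are constructed.
# Permitted flows from slide 16: (source, destination, port).
ALLOWED = {
    ("client", "nfuse", 443), ("client", "csg", 443),
    ("nfuse", "ace_rsa", 5500), ("nfuse", "metaframe", 80),
    ("nfuse", "sta", 80), ("csg", "sta", 80), ("csg", "metaframe", 1494),
}
ROLES = ("client", "nfuse", "csg", "sta", "ace_rsa", "metaframe")

def audit(rules, placement):
    """Return sorted findings: rules wider than slide 16, slide-16 flows with
    no rule, and slide-14 placement violations."""
    findings, covered = set(), set()
    for rule in rules:
        lo, hi = rule["ports"]
        srcs = ROLES if rule["src"] == "any" else (rule["src"],)
        dsts = ROLES if rule["dst"] == "any" else (rule["dst"],)
        for s, d in [(s, d) for s in srcs for d in dsts if s != d]:
            ok = {p for a, b, p in ALLOWED if (a, b) == (s, d) and lo <= p <= hi}
            covered |= {(s, d, p) for p in ok}
            if len(ok) < hi - lo + 1:  # range includes a port not on slide 16
                findings.add(("excess", rule["name"], f"{s}->{d}"))
    for s, d, p in ALLOWED - covered:
        findings.add(("missing", f"{s}->{d}", str(p)))
    sta, web, rsa = placement["sta"], placement["nfuse"], placement["ace_rsa"]
    if sta["zone"] == "dmz":
        findings.add(("placement", "sta", "located in DMZ"))
    if sta["host"] == web["host"]:
        findings.add(("placement", "sta", "installed on web server"))
    if rsa["host"] == placement["pdc"]["host"]:
        findings.add(("placement", "ace_rsa", "installed on PDC"))
    return sorted(findings)

# Constructed sample: one wildcard rule, no NFuse-to-STA rule, STA on the web host.
SAMPLE_RULES = [
    {"name": "ext-nfuse", "src": "client", "dst": "nfuse", "ports": (443, 443)},
    {"name": "ext-csg", "src": "client", "dst": "csg", "ports": (443, 443)},
    {"name": "nfuse-rsa", "src": "nfuse", "dst": "ace_rsa", "ports": (5500, 5500)},
    {"name": "nfuse-mf", "src": "nfuse", "dst": "metaframe", "ports": (80, 80)},
    {"name": "csg-sta", "src": "csg", "dst": "sta", "ports": (80, 80)},
    {"name": "csg-inside", "src": "csg", "dst": "any", "ports": (1494, 1494)},
]
SAMPLE_PLACEMENT = {
    "nfuse": {"zone": "dmz", "host": "web01"}, "sta": {"zone": "dmz", "host": "web01"},
    "ace_rsa": {"zone": "internal", "host": "rsa01"}, "pdc": {"zone": "internal", "host": "dc01"},
}

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES, SAMPLE_PLACEMENT), sep="\n")
```

Each finding is a tuple whose first field is `excess`, `missing` or `placement`, so the output can be filtered by kind before review.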
