290 likes | 696 Views
Citrix Access Gateway Enterprise Edition Technical Overview. Seceidos GmbH&Co. KG Robert Hochrein robert.hochrein@seceidos.de. Complex and Demanding Environments. Advanced Access Control and Device Flexibility. Simple and Cost Effective Secure Remote Access. Access Gateway
E N D
Citrix Access Gateway Enterprise EditionTechnical Overview Seceidos GmbH&Co. KG Robert Hochrein robert.hochrein@seceidos.de
Complex and Demanding Environments Advanced Access Control and Device Flexibility Simple and Cost Effective Secure Remote Access Access Gateway Enterprise Edition Access Gateway Advanced Edition Access Gateway Standard Edition best forPresentation Server Environments best forSmall-to-Midsized Customers best forEnterpriseDeployments Citrix Access GatewaySSL VPN Remote Access Internal and Partner Use Only
Access Gateway Enterprise EditionFeatures & Benefits Internal and Partner Use Only
Access Gateway Enterprise EditionFeatures & Benefits (continued) Internal and Partner Use Only
Access Gateway Enterprise Edition Appliance Options Internal and Partner Use Only
Methods of Initial Configuration • Command-line Interface (CLI) • Java Configuration Utility (GUI) Internal and Partner Use Only
Basic Configuration – cli method To access the configuration utility using supplied console cable and terminal emulation of 9600,N,8,1 • REVIEW CONFIGURATION PARAMETERS MENU • ------------------------------------ • This menu allows you to view and/or modify the NetScaler's configuration. • Each configuration parameter displays its current value within brackets • if it has been set. To change a value, enter the number that is displayed • next to it. • ------------------------------------ • 1. NetScaler's IP address: [192.168.100.1] • 2. Netmask: [255.255.0.0] • 3. Advanced Network Configuration. • 4. Time zone. • 5. Cancel all the changes and exit. • 6. Apply changes and exit. • Select a menu item from 1 to 6 [6] Tech 1 Internal and Partner Use Only
Accessing the Administration Portal A open web browser to the default IP (http://192.168.100.1) Internal and Partner Use Only
Configuration Utility Login - Accept the certificate warning • Login with default user “nsroot” • Default password is “nsroot” Internal and Partner Use Only
Management traffic uses port 3010 and an encrypted protocol Administration Traffic Administrator Workstation Internal and Partner Use Only
Quick Start with the SSL VPN Wizard Start the Wizard Set the IP address Set the SSL certificate Select a DNS server Point to a AAA server And you’re done! Internal and Partner Use Only
Define Multiple Virtual Servers • Each virtual server has a unique: • IP address and FQDN • SSL certificate • Authentication configuration • Policy set • Policies can optionally derive from a global policy set Vpn1.company.com (10.10.10.1) Vpn2.company.com (10.10.10.2) Vpn3.company.com (10.10.10.3) Internal and Partner Use Only
Dashboard Utility Internal and Partner Use Only
Authentication • Supports Major Authentication Methods • Active Directory • LDAP • NTLM • RADIUS (with challenge-response support) • RSA SecurID • TACASC+ • Local • Client Certificates • Supports Cascading Authentication Internal and Partner Use Only
Authorization • Policy Driven Access • Authentication by Policy • Authorization by Policy • Session control by Policy • Auditing by Policy • Wide Variety of Criteria • Policy based on network information • Policy based on application access • Policy based on client certificate parameters • Policy based on client configurations • Highly Granular Access Control • Users/Groups up to Global policies • HTTP authorization based on URL • TCP/IP authorization based on address and port Internal and Partner Use Only
Full Administrative Audit Trail All management operations logged Full User Audit Trail All session activity (login, logout, timeout) All network flows (not just web) All System Events Support for External Syslog Servers Auditing Internal and Partner Use Only
Client Security • Session Policies can control: • Split tunneling • Forward proxy definitions • Session timeout values • Client security • End Point Analysis • Built-in support for Antivirus checks • Built-in support for Firewall checks • Host identification • Client Side Clean Up • Clean browser cache, history, auto-completion files, plug-ins, etc. • Control with session policies • Administrator can mandate Internal and Partner Use Only
SYN SYN +ACK SYN SYN +ACK SYN SYN +ACK SYN SYN +ACK Denial of Service Protection – SYN Attacks Server Client Client Server SYN SYN +ACK ACK Normal TCP Sequence SYN Flood Enterprise Edition avoids memory consumption with packet cookies Internal and Partner Use Only
request request request Javascript challenge Javascript challenge Javascript challenge Other Denial of Server Protections • Other Prevented Attacks: • Packet Floods • HTTP GET Floods • SSL Floods • Idle Connection Floods Internal and Partner Use Only
Security • User Quarantine • Users assigned to a quarantine group when end-point analysis fails • Differentiated session and resource authorization policies • Use to grant limited access to remediation sites Web Email Web Portal Quarantined Quarantined Quarantined Internal and Partner Use Only
Client Support • All Windows Platforms • Windows 98/ME • Windows NT/2000/XP/SP2 • Windows CE and PocketPC • MacOS X and Linux • Java Based Client • Reliable Application Access • No application content modification • Enforces Client Security Internal and Partner Use Only
Navigation Homepage • Bookmarks • Customize global bookmarks • Per-User bookmarks • Filesystem bookmarks • Themes • Custom style sheets supported • Logo update • End user can pick their own colors • Integrated File Manager • Web based file access • Unicode Support Internal and Partner Use Only
Servers can use this Mapped IP address to establish server-initiated connections back to the client. Server-Initiated Requests Source IP = Mapped IP Source IP = Client IP Client connects and is assigned a unique Mapped IP address Internal and Partner Use Only
High Availability Pairing Master Network health-check packets are exchanged Vpn.company.com (10.10.10.1) Backup Two appliances can be linked to form an active / passive cluster. Health-checking packets are constantly exchanged between the pair. When the master fails, the backup assumes the IP address. All connections from the client are broken and must be re-established. Internal and Partner Use Only
Global Server Load Balancing (GSLB) • Distributes network traffic across multiple sites • Route client connections to the nearest site • Distributes server load across multiple sites • Implement Disaster recovery Internal and Partner Use Only
5x Faster Includes NetScaler Capabilities Internet Internal and Partner Use Only
Access Gateway Enterprise Edition Access Gateway Enterprise Edition The best solution for the complex and demanding enterprise! Internal and Partner Use Only