Advanced Edition
Technical Overview
Seceidos GmbH & Co. KG
Robert Hochrein
robert.hochrein@seceidos.de
Agenda
Overview
Citrix Access Gateway Advanced Edition
Feature & Benefits
Architecture
Minimize reauthentication on re-connect

[Diagram: deployment overview. Users on a Mobile PDA, Corporate Laptop, Home Computer or Partner system connect over the Internet, through a firewall, to the Access Gateway appliance; a second firewall separates it from the Advanced Access Control server and the internal resources (CPS Applications, Email Servers, File Servers). Callouts: "Need access to all internal IT resources"; "Access from widely varying devices"; "Bandwidth, latency, device idiosyncrasies"; "Endpoint security, identification, and integrity validation"; "Consistent user experience"; "Secure and hardened"; "Centralized access control to all IT resources".]

Access Gateway editions (positioning labels on the slide: "Advanced Access Control and Device Flexibility"; "Complex and Demanding Environments"):
Access Gateway Standard Edition - best for Small-to-Midsized Customers
Access Gateway Advanced Edition - best for Presentation Server Environments
Access Gateway Enterprise Edition - best for Enterprise Deployments
Product Components

[Diagram: Access Gateway Advanced Edition = Access Gateway Standard Edition (Model 2000 appliance) + additional components.]

Access Gateway 2000:
Access Gateway hardened appliance in DMZ
Enables end-to-end secure communication via SSL
Authentication point
Enforces policies generated by Advanced Access Control
Function / Benefit

Endpoint Analysis
Browser-only Access
Improved management
Easy integration with 3rd party tools

Benefits:
Access Anywhere, Anytime - after work hours, during office closures, on the road
Access to all applications - access is transparent, access from any device
Information Security - protection of critical systems (denial of service, exposure to malware), intellectual property control
Address regulatory compliance - risk mitigation, practical and cost-effective
SmartAccess Technology

Extensive policy-based sense and response
Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
Advanced, extensible end-point security policies and analysis
Action Rights Control defines what the user can access, and what actions they can take
Granular Controls

[Table: permitted actions by access scenario.]
Corporate Desktop: E-mail Sync; Web E-mail; Full Presentation Server Access; Full Presentation Server App Set; File Download; Local Edit and Save; File Upload
Public Kiosk: E-mail Sync; Web E-mail; Edit in Memory; Limited Presentation Server access (read-only local drive mapping); Limited Presentation Server application set; File Preview; File Upload
Third scenario (column heading not preserved in the extraction): File Preview; Web E-mail; Controlled Presentation Server Access
Elements of SmartAccess

SSL-VPNs

Analyze Endpoint & Connection:
  Machine Identity: NetBIOS name, Domain Membership, MAC address
  Machine Configuration: Operating System, Anti-Virus System, Personal Firewall
  Network Zone
  Authentication Method

Resources:
  CPS applications
  File & network shares
  Web based email
  Web sites (URLs)
  Web applications
  Email synchronization
  Client/Server applications
  VoIP
Access Scenario: Corporate Users from a Hotel

[Diagram: Corporate Laptop, Mobile PDA, Home Computer and Partner Machine on the Internet; Access Gateway appliance between two firewalls; Advanced Access Control server; CPS Applications, Email Servers and File Servers inside. The hotel access path is marked "OK".]

Access Scenario: Corporate Users from Home

[Diagram: same topology, showing the Home Computer path to CPS Applications and File Servers.]

Action rights available per scenario:
Download and Access Information: Full download; Download to memory only; Access via CPS only; Preview in HTML only
Edit and Save Changes: Save locally; Save only to network; Save disabled
Print: Print locally; Print to selected printers only; Printing disabled
Policy Configuration

Define resources which can be accessed and viewed by users. Supported resource types:
File shares
Web sites
VPN network access
Email sync
Web-based email

Policies are first defined by the resources which they affect. Administrators may multi-select resources.

Policies define the permissions which apply to the selected resources. Administrators set permissions based on resource type. Policies can:
Grant Access
Deny
Specify how a user can access a resource

Policies can be defined to only apply under certain scenarios. Filters define scenarios.

Filters can use a number of criteria including:
How the user authenticated
User's network location

Policies can be applied to specific users. Users can be authenticated from:
RADIUS
LDAP
Secure LDAP
Active Directory
RSA SecurID
SecureComputing SafeWord

The pre-defined Entire Network resource can be used in policies to give users access to all servers in the network.
[Diagram: access scenario with a Corporate Laptop and a Partner Machine reaching CPS Applications, Email Servers and File Servers.]

Action Right: File Type Association

[Diagram: Presentation Server access flow. Zones: Internet (Endpoint Device), DMZ (Access Gateway appliance, SSL), Protected Network (Advanced Access Control server with Web Proxy, Policy Engine and Presentation Server Connector; MetaFrame Presentation Server; Enterprise Web Server). Links labelled HTTP/S and CGP/ICA. Interactions are numbered 1 to 6; the step captions were not preserved.]

[Diagram: protected web server access flow. Zones: Internet (Endpoint Device), DMZ (Access Gateway appliance, HTTPS), Protected Network (Advanced Access Control server with Web Proxy and Policy Engine; Citrix Presentation Server; Protected Web Server). Links labelled HTTP/S. Interactions are numbered 1 to 5; the step captions were not preserved.]
Endpoint Analysis: Overview

Analyze the client machine to identify the device and determine if it is secured.

Endpoint Analysis Clients:
ActiveX client for IE browsers (requires Admin or Power user privileges)
Win32 install (via MSI)
Netscape plug-in for Netscape and Mozilla browsers
Endpoint Analysis: User Interaction

[Diagram: Endpoint Device on the Internet, Access Gateway appliance in the DMZ, Advanced Access Control server behind it. Interactions are numbered 1 to 9; the step captions were not preserved.]
Browser-only Access

Extend access to any device with a browser
Absolutely no client required
Deliver e-mail, file shares, web sites/applications to any device with a browser
Automatically render Microsoft Office documents to HTML preview

[Diagram: browser-only access flow. Components: Access Gateway; AAC Server (Connection Manager, Web Proxy, Nav UI); Protected Web Server running Outlook Web Access, iNotes, or the Nav UI. Interactions are numbered 1 to 6, with proxy operations lettered a to d and a to c; the captions were not preserved.]
Browser-only Access: Web Proxy URL Rewriting

Proxified URL (served by the AAC server):
http://fltrdover.pss.citrite.net/CitrixWebProxy/aHR0cDovL2Z0bHJwYXVsd3Nwcy5jaXRyaXguY29t/sites/age/

Resource URL:
http://ftlrpaulwsps.citrix.com/sites/age/

The path segment aHR0cDovL2Z0bHJwYXVsd3Nwcy5jaXRyaXguY29t is the Base64 encoding of http://ftlrpaulwsps.citrix.com, the resource's origin; the remainder of the path (/sites/age/) is carried through unchanged.
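As an added example (not Citrix code), the following Python decodes a proxified Web Proxy URL of the form shown above and checks the recovered resource host against the administrator's published resource list. It assumes the layout of the slide's single example (a Base64 origin segment directly after /CitrixWebProxy/, then the original path) holds in general; the allow-list PUBLISHED_HOSTS is a constructed sample.

```python
import base64
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption (from the slide's single example): the first path segment after
# this prefix is the Base64-encoded origin of the published resource.
PROXY_PREFIX = "/CitrixWebProxy/"

# Constructed sample allow-list of hosts an administrator has published as
# "Web sites" resources in Policy Configuration; not a real configuration.
PUBLISHED_HOSTS = {"ftlrpaulwsps.citrix.com"}


def decode_proxified_url(proxified: str) -> str:
    """Return the resource URL carried inside a CitrixWebProxy-style URL.

    Raises ValueError when the URL is not proxified or the decoded segment
    is not a bare http(s) origin, so nothing can be steered to odd schemes.
    """
    parts = urlsplit(proxified)
    if not parts.path.startswith(PROXY_PREFIX):
        raise ValueError("not a CitrixWebProxy URL")
    encoded, _, tail = parts.path[len(PROXY_PREFIX):].partition("/")
    # Restore '=' padding in case the rewriter stripped it; validate=True
    # rejects any character outside the Base64 alphabet.
    padded = encoded + "=" * (-len(encoded) % 4)
    origin = base64.b64decode(padded, validate=True).decode("ascii")
    o = urlsplit(origin)
    if o.scheme not in ("http", "https") or not o.netloc or o.path not in ("", "/"):
        raise ValueError("decoded segment is not a bare http(s) origin")
    return urlunsplit((o.scheme, o.netloc, "/" + tail, parts.query, ""))


def is_published_resource(resource_url: str, published_hosts=PUBLISHED_HOSTS) -> bool:
    """Defender's check: only forward to hosts that were explicitly
    published, never to whatever origin the client happened to encode."""
    host = urlsplit(resource_url).hostname or ""
    return host.lower() in {h.lower() for h in published_hosts}


def resolve(proxified: str) -> Optional[str]:
    """Decode and authorise in one step; None means 'do not proxy'."""
    try:
        target = decode_proxified_url(proxified)
    except (ValueError, UnicodeDecodeError):
        return None
    return target if is_published_resource(target) else None
```

A proxy that forwarded to the decoded origin without the allow-list step would relay to any host a client chose to encode, so the authorisation check is the part worth keeping.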
Browser-only Access: Nav UI Applications

Supported platforms:
Palm
RIM Blackberry
PocketPC 2000/2003
Microsoft Smartphones

[Diagram: Corporate Laptop on the Internet, Access Gateway appliance between two firewalls, Advanced Access Control server with Web Interface, Citrix Presentation Server Farm.]

[Diagram: Corporate Laptop, Mobile PDA, Home Computer and Partner Machine on the Internet; Access Gateway appliance between two firewalls; Advanced Access Control server, Management Console, Email Servers and File Servers inside.]

Appliance Management

Access Gateway cluster is configured in the Access Suite Console
Standard Deployment

[Diagram: Client Device (AG Client, Web Browser, Presentation Server Client) -> Firewall -> Access Gateway appliance -> Firewall -> Advanced Access Control server and resource servers (Presentation Server, E-mail Servers, Web/App Servers, File Servers, IP PBX). Traffic labels: HTML Authentication; Secure Control Channel (SOAP) between Access Gateway and Advanced Access Control; AG Traffic ICA/CGP; ICA/CGP Traffic; HTML/HTTP Traffic.]

Access Gateway appliance responsibilities:
Fetch configuration from Advanced Access Control servers (at start-up)
Authentication page delivery and validation
End Point Analysis proxy
Connection policy enforcement
Session verification

Advanced Access Control server responsibilities:
Authentication
End Point Analysis service
Configuration Management
Policy decisions
Licensing
Session Management

AG responsibilities are:
Validate Session with AAC
Enforce Level 3-4 policies
Proxy HTTP traffic to AAC

Advanced Access Control server:
Policy Decisions
Render Navigation Pages
Enforce Granular Access Action Rights
[Diagram: scaled deployment. Endpoint Device; DMZ: NetScaler Load-Balancer, Access Gateway appliances; Protected Network: Advanced Access Control Servers, optional Access Center Agent Services, Web Servers, MPS, optional Indexing Services; Enterprise Resource Servers: Database Cluster, Exchange/Notes, File Shares.]

[Diagram: Access Gateway appliance and Advanced Access Control server internals. Components: EPA Proxy, HTML Rendering/Validation Rules, Ticket Validation, Config Service, Logon Agent Service, Logon Agent Pages, Authentication Service, Endpoint Analysis Service, Gateway Notification Service, Session Manager, Gateway Configuration Service, Config Business Objects, Policy Engine. Message labels: EPA Client Requests, State Change Notifications, Cluster + Session Config Request, Page Execution, Notify Request, Cluster Config, Session Config.]
Additional Resources:
Access Gateway Technical Presentation & FAQ:
http://sharepoint.citrite.net/sites/gateways/