Citrix Confidential Citrix Confidential
Deploying Citrix Secure Gateway
Agenda
• What is Citrix Secure Gateway?
• Components and Requirements
• Implementation
• Think about this
What is Citrix Secure Gateway?
• Secure Remote Access Product
• Designed for use with MetaFrame only
• Single IP access from the Internet
• SSL Encryption
• Communication over port 443
Components of CSG Solution
• Citrix Secure Gateway Server
• Citrix NFuse 1.6
• Secure Ticketing Authority
Workforce Mobility
Components and Requirements
Solution Components
• Citrix Secure Gateway Server
• NFuse 1.6 or later with Citrix Secure Gateway Components
• Hardware Load Balancer
• Verisign or other Authorized Certificate
• ACE/RSA Secure ID Server
Function of Citrix Secure Gateway
• Encrypt ICA Traffic
• Access Authorization (w/ STA)
• Provide Connectivity
Function of NFuse Web Server
• Provide Authentication Page
• Provide Application List from MetaFrame
• Authenticate user against ACE/RSA Server
• Accept NT/ADS/Novell Credentials
• Provide ICA Clients for download and install
Function of Load Balancer
• Provide Fail-over capabilities to Citrix Secure Gateway and NFuse Servers
2 – Citrix Secure Gateway Servers
2 – NFuse 1.6 Servers
Function of Certificates, Tickets, Login
Verisign or other CA Certificate
• Encryption Level Verification
NT Domain/Microsoft ADS/ Novell NDS
• MetaFrame Application Authentication
ACE/RSA Secure ID
• Provide Secure Authentication to Web Server
Secure Ticketing Authority
Implementation
Server Specifications
Citrix Secure Gateway
• P700 MHz with 1GB RAM
• Citrix Uses P933 with 1GB RAM
NFuse 1.6 Web Server
Authentication Considerations
STA
• Should NOT be located in DMZ
• If compromised, can allow access to network
• Should not be installed on Web Server
ACE/RSA
• Should NOT be installed on PDC
• Does not require LDAP link to ADS/NDS
Architectural Considerations
• Java Client or 986 Win32 ICA Client Required
Install Java Client on Web Server for Java Applet access
• RSA is used to Secure Web Server Access
Logon to web server
Gain access to NFuse Application Set
• NT/ADS/NDS is used for
User Authentication for Application List from MetaFrame
User Authentication to MetaFrame Connection
• STA used for machine level authentication
Used to prevent man in the middle attacks
Communications Ports
Firewall (External to ICA Client)
• NFuse 1.6 – 443
• Citrix Secure Gateway – 443
Firewall (Internal to Secure Network)
• NFuse 1.6 to ACE/RSA Secure ID – 5500
• NFuse 1.6 Server to MetaFrame – 80
• NFuse 1.6 to STA – 80
• Citrix Secure Gateway to STA – 80
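The port list above can be treated as an allow-list and checked against a firewall rule export. The following is an added example, not part of the original slides: the role names (internet, nfuse, csg, ace, sta, metaframe), the Flow type and the sample rules are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Flows listed on the Communications Ports slide (role names are assumed labels).
REQUIRED = {
    Flow("internet", "nfuse", 443),
    Flow("internet", "csg", 443),
    Flow("nfuse", "ace", 5500),
    Flow("nfuse", "metaframe", 80),
    Flow("nfuse", "sta", 80),
    Flow("csg", "sta", 80),
}
# Roles the slides place behind the internal firewall.
SECURE_NETWORK = {"ace", "sta", "metaframe"}

def audit(rules):
    """Return (finding, flow) pairs for a list of permitted flows."""
    permitted = set(rules)
    findings = []
    for flow in sorted(permitted - REQUIRED):
        exposed = flow.src == "internet" and flow.dst in SECURE_NETWORK
        findings.append(("internet-exposed" if exposed else "unexpected", flow))
    for flow in sorted(REQUIRED - permitted):
        findings.append(("missing", flow))
    return findings

# Constructed rule set: one required flow absent, two extra flows present.
SAMPLE_RULES = [
    Flow("internet", "nfuse", 443),
    Flow("internet", "csg", 443),
    Flow("nfuse", "ace", 5500),
    Flow("nfuse", "metaframe", 80),
    Flow("nfuse", "sta", 80),
    Flow("internet", "sta", 80),       # STA reachable from outside
    Flow("nfuse", "metaframe", 3389),  # not on the slide
]

if __name__ == "__main__":
    for finding, flow in audit(SAMPLE_RULES):
        print(f"{finding:17} {flow.src} -> {flow.dst}:{flow.port}")
```

REQUIRED holds only the flows named on the slide; any other flow a deployment depends on has to be added to it before the audit is meaningful.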
Communication – Application Set
[Diagram: ICA Client, NFuse Server, Citrix Secure Gateway, ACE/RSA, STA, MetaFrame Server Farm and NT PDC]
Communication – ICA File Creation
[Diagram: DMZ Interface, Firewall, ICA Client, NFuse Server, Citrix Secure Gateway, ACE/RSA, STA, MetaFrame Server Farm and NT PDC]
Communication – Connection
[Diagram: Firewall, ICA Client, NFuse Server, Citrix Secure Gateway, ACE/RSA, STA, MetaFrame Server Farm and NT PDC]
Creating the Login Web Page
• Modify the ACE/RSA login page
• Add NFuse Login Components
NT Username, Password
May want to configure Domain as static
• Some ICA Connection Properties
Need to be configured before logon
Cannot be stored in a Cookie because of this
Configuring the Java Applet
• Run setup.class on your web server
• Create HTML page for ICA session
• Note: Optimal config is Ultra Thin Web Client
For Internet Explorer users, the HTML page could look like this:
<applet code="com.citrix.JICA" width="640" height="480">
<param name="cabinets" value="JICA-coreM.cab">
<param name="address" value="CitrixServer">
</applet>
For Netscape Navigator users, the HTML page could look like this:
<applet code="com.citrix.JICA" archive="JICA-coreN.jar" width="640" height="480">
<param name="address" value="CitrixServer">
</applet>
Ref: Citrix ICA Java Client Administrators Guide
See Installing the Citrix ICA Java Client; Chapter 2, Page 21
Additional Steps (ACE/RSA Secure ID)
• Install Net OS on Web Server
• Create Entry for Web Server on ACE/RSA
Demo Time
Think About This
NFuse
ICA Clients
• Install on NFuse Server for easy install
Java Applet
• Install on NFuse Server for Kiosk/Café Access
• Universal Zero-Client Access
SSL to ICA Client
• HTTPS Web Site/Pages
• Encrypt Browser Communications
Secure ID Credentials
Certificates
CA Authority
• Supported by Microsoft OS by default
• Flexible use for Kiosk/Internet Café Access
Custom Certificates
• Distribution/Management Challenges
MetaFrame XP, Feature Release 2
Features
• Delegated Administration
• Enhanced Web Administration
• Enhanced Systems Monitoring and Analysis
• User Collaboration
• File Type Association
• Smart Card Support
• Client/Server Drag and Drop
• Improved File Transfer/Client Drive Mapping
• Client Customization Utilities
Delegated Administration
Create specialized administrators to handle specific areas of MetaFrame administration
– Managing printers
– Published applications
– User policies
User Collaboration
• One or many users may shadow a single user
• Shadowing is not just for administrators any
Content Redirection
[Diagram labels: CLIENT; SERVER; Local Application (Outlook, Word, IE); Acrobat; content located anywhere; Published]
Enhanced Systems Monitoring & Analysis
• Summary Database
• Monitor health of Database Connection Server
• Schedule the transfer of daily data
• Enable automated data purges
• Specify server metrics on a per-server basis
• Audit users to track user statistics, favorite applications, and server usage across the farm
• Set up Cost Centers, Fee structures
• Generate reports, all within the CMC
• Bill by domain or cost centers
• HTML report template