WHITEPAPER
Integrating iKey Authentication to Citrix Metaframe XP Servers with the NetSwift iGate
Security White Paper
By Chris Holland, Senior Product Manager
This white paper outlines how the Rainbow iKey and the NetSwift iGate Private Web solution can secure access to a Citrix Metaframe XP environment in which the nFuse and Citrix Secure Gateway applications are used.
Introduction
The NetSwift iGate is a solution for deploying secure access to Web based resources and applications. It not only provides automatic SSL encryption for all web based traffic – but it also seamlessly manages authentication of users with an iKey. An iKey is the most convenient and cost effective solution for multi-factor authentication.
In many environments, however, remote access is provisioned through a combination of techniques in order to support legacy applications that have not transitioned to web based revisions. Examples of remote access technologies are:
• Private Web (extranet, CRM, ERP, email) secured by NetSwift iGate
• Citrix
• Terminal Services
• VPN
The iGate/iKey combination can provide a single method of access to all these systems and solutions, including Windows logon, thus providing a number of benefits to both the end user and the IT administrator. The following table summarizes those benefits as they relate to both the IT Administrator and the End User.
Benefit: Single method for access
  Administrator: As an administrator I do not need to manage different user accounts across different systems.
  End User: As an end user I only need to use my iKey to access major systems – and I don’t need to remember all the different username and password combinations.

Benefit: Multi-factor authentication
  Administrator: Secure in the knowledge that the practice of writing down usernames and passwords is gone – and only people with iKeys are authorized to access my resources.
  End User: Works like an ATM card – insert the key into the USB port and enter my own PIN number.

Benefit: Easier than all alternatives
  Administrator: Users will embrace solutions that make their lives easier. Studies show that frequent re-tries are required for many different types of authentication – the most frequent being username/password. The iKey is faster to use than any alternative logon method.
  End User: You can access your applications more quickly and with your own configured PIN number. You no longer need to remember passwords or enter complex shifting numbers on a display.

Benefit: Provides strong un-authentication
  Administrator: Alternative methods cannot un-authenticate users securely. Users are either forced to re-authenticate on a time-out basis, or the system relies on the user actually “logging out” and/or “closing a browser” in order to actively close a session. The iGate/iKey combination un-authenticates users when they remove the iKey. [1]
  End User: When you pull the iKey out your sessions are automatically closed and continued access is denied.

Benefit: More cost effective than username and password
  Administrator: Our customers have estimated that managing the changes and resetting of accounts costs around $36 per instance. Implementing the iKey dramatically lowers that cost by significantly reducing the number of instances where a username and password is required.
  End User: Whether you are on the road or in your office – you have a key with your own personal PIN that gets you access to most applications that you need – so you don’t have to wait for IT to reset your passwords or waste time remembering complex ones. You can get access more quickly and efficiently than before.

Benefit: Wider application base
  Administrator: iKey is more widely deployed and integrated with other products than any other multi-factor authentication device – allowing you to deploy disk encryption, digital signatures and other applications using the same iKey.
  End User: This means that I only need to carry one iKey for all my applications.

[1] Complete un-authentication of users is a feature primarily designed for next generation systems – such as Private Web based applications secured by the NetSwift iGate. Un-authentication, however, is also available with Windows login and Terminal Services. Un-authentication is not supported in Citrix environments at this time.
Citrix Metaframe XP
No organization provides all of its applications and resources for remote access as Web based ones. In many cases, corporations have seen the value in providing a desktop-like experience for their users when they are on the road. Citrix Metaframe XP is the latest technology from the market leader in this space.
Traditionally, access to Citrix has required a locally installed client software application. With Citrix Metaframe XP and nFuse, the local client (ICA) application is no longer required and access is provided through a browser interface by means of a run-time applet served by the Citrix solution.
The NetSwift iGate and iKey can be configured to provide strong authentication to a Citrix Metaframe XP deployment – providing users with a simple and convenient method for accessing Citrix and providing administrators with the peace of mind that user accounts aren’t being duplicated and that users aren’t forgetting their account credentials.
Because the NetSwift iGate provides strong authentication to other applications and resources in addition to Citrix, the implementation of such a solution is also beneficial as it can support existing solutions as well as adapt to support future applications and changes in the IT infrastructure.
[Figure: iKey Authentication for Remote Access. Remote workstations on the Internet send authentication requests through the iGate Authentication Server to Citrix / Terminal Server / VPN, application servers, network file shares, CRM applications and email servers. Users shown include IT staff, employees, customers, partners and executives, reaching both legacy fat client applications and Private Web applications.]
Securing Citrix Metaframe XP with NetSwift iGate Private Web Solution
Integration
The integration of the NetSwift iGate Private Web solution with Citrix Metaframe XP provides two alternative ways of protecting access: “MasterKey” based and “Basic Security Protection”. This integration guide describes how the NetSwift iGate integrates with Citrix Metaframe XP using either method. The “MasterKey” based method provides one step authentication for users when accessing Citrix; it requires some minor modification work. The “Basic Security Protection” method simply provides iKey gated access to Citrix (and all other web based resources) without the sign-in benefits of “MasterKey”.
The MasterKey method is best suited to environments where Citrix defers authentication to a network domain controller, such as the SAM database of a Windows NT 4.0 or 2000 domain, or Active Directory.
The Basic Security Protection is best suited to provide instant multi-factor authentication to various resources and leave the integration of ‘credentials’ for these resources to a later time.
The Citrix environment requires the following components to be installed and configured:
• Citrix Metaframe XP
• Citrix nFuse portal and web clients
• Citrix Secure Gateway
The Citrix nFuse portal is a web based application that provides access to Citrix sessions through a web page and delivers content locally to a client in a web browser. The Citrix Secure Gateway ensures that access to the Citrix sessions can only occur through the nFuse application.
MasterKey based login
In this case it is assumed that the Citrix server is maintaining its own list of users or is deferring authentication to the Windows domain. The NetSwift iGate is responsible for identifying incoming users to the nFuse application. Since Citrix still expects a domain, username and password, the NetSwift iGate is configured to forward the appropriate and authenticated identity of every incoming user to the application. This satisfies the authentication requirements and architecture model of the network and the Citrix solution without requiring maintenance of separate passwords or user identities for each employee.
The integration is accomplished by some very simple modification of the login.asp code of the nFuse application. The modifications include a few lines that are added to this code to allow the application to retrieve the authenticated credentials securely from the iGate server. The solution is configured to trap requests for NTLM authentication and respond securely to the requests with the appropriate credentials. This allows for seamless integration into an existing architecture and for the continued maintenance of user domain credentials for backwards compatibility with other applications for which access through iKey/NetSwift iGate is not required.
Users still have domain credentials; however, the user configures his iKey one time with that credential information. The IT administrator is not required for the configuration or set-up of each user’s credentials – the user can do this himself. The credentials are securely stored and are only released under the following circumstances:
• An NTLM login event has been generated
• The iKey has been authenticated by the iGate server
• The user has entered their personal PIN number
This method provides complete integration. When iKeys are distributed to users, as part of their configuration (which is to set up their own PIN) they have the option of also configuring the iKey to automatically provide NTLM authentication. If the user chooses not to do this, they simply enter the credentials manually whenever NTLM authentication is required.
Basic Security Protection
By default, iGate protects web based applications. With the nFuse application and Citrix Secure Gateway, access to applications is only allowed via a browser, and the default portal page for launching applications is itself a web page. Therefore, access to the web based Citrix portal page can be protected by the default operation of iGate. The user will still be required to authenticate himself to the Citrix server with a username and password – but only after having authenticated by means of the iKey. This is a simple and rapid way to immediately deploy strong multi-factor authentication to the Citrix Metaframe XP environment.