- Integrating iKey Authentication to Citrix Metaframe XP servers with the NetSwift iGate

Academic year: 2020


WHITEPAPER

- Integrating iKey Authentication to Citrix Metaframe XP servers with the NetSwift iGate

Security White Paper

By Chris Holland, Senior Product Manager

This white paper outlines how the Rainbow iKey and the NetSwift iGate Private Web solution can secure access to a Citrix Metaframe XP environment where the nFuse and Citrix Secure Gateway applications are being used.


Introduction

The NetSwift iGate is a solution for deploying secure access to Web based resources and applications. It not only provides automatic SSL encryption for all web based traffic – but it also seamlessly manages authentication of users with an iKey. An iKey is the most convenient and cost effective solution for multi-factor authentication.

In many environments however, remote access is provisioned through a combination of techniques in order to support legacy applications that have not transitioned to web based revisions. Examples of remote access technologies are:

• Private Web (extranet, CRM, ERP, email) secured by NetSwift iGate
• Citrix
• Terminal Services
• VPN

The iGate/iKey combination can provide a single method of access to all these systems and solutions, including Windows logon, thus providing a number of benefits to both the end user and the IT administrator. The following table summarizes those benefits as they relate to both the IT Administrator and the End User.

Benefit: Single method for access
Administrator: As an administrator I do not need to manage different user accounts across different systems
End User: As an end user I only need to use my iKey to access major systems – and I don’t need to remember all the different username and password combinations

Benefit: Multi-Factor authentication
Administrator: Secure in the knowledge that the practice of writing down username and passwords is gone – and only people with iKeys are authorized to access my resources
End User: Works like an ATM card – insert the key into the USB port and enter my own PIN number

Benefit: Easier than all alternatives
Administrator: Users will embrace use of solutions that make their lives easier. Studies show that frequent re-tries are required for many different types of authentication – the most frequent being username/password. The iKey is faster to use than any alternative logon method.
End User: You can access your applications more quickly and with your own configured PIN number. You no longer need to remember passwords or enter complex shifting numbers on a display.

Benefit: Provides strong un-authentication
Administrator: Alternative methods cannot un-authenticate users securely. Users are either forced to re-authenticate on a time-out basis or rely on the user actually “logging out” and/or “closing a browser” in order to actively close a session. The iGate/iKey combination un-authenticates users when they remove the iKey. [1]
End User: When you pull the iKey out your sessions are automatically closed and continued access is denied.

Benefit: More cost effective than username and password
Administrator: Our customers have estimated that managing the changes and resetting of accounts costs around $36 per instance. Implementing the iKey dramatically lowers that cost by significantly reducing the number of instances where a username and password is required.
End User: Whether you are on the road or in your office – you have a key with your own personal PIN that gets you access to most applications that you need – so you don’t have to wait for IT to reset your passwords or waste time remembering complex ones. You can get access more quickly and efficiently than before.

Benefit: Wider application base
Administrator: iKey is more widely deployed and integrated with other products than any other multi-factor authentication device – allowing you to deploy disk encryption, digital signatures and other applications using the same iKey.
End User: This means that I only need to carry one iKey for all my applications

[1] Complete un-authentication of users is a feature primarily designed for next generation systems – such as Private Web based applications secured by the NetSwift iGate. Un-authentication, however, is also available with Windows login and Terminal Services. Un-authentication is not supported in Citrix environments at this time.


Citrix Metaframe XP

No one organization has a deployment of all Web based applications and resources for remote access. In many cases, corporations have seen the value in providing a desktop like experience for their users for access on the road. Citrix Metaframe XP is the latest technology from the market leader in this space.

Traditionally, access to Citrix has required a locally installed client software application. With Citrix Metaframe XP and nFuse, the local client (ICA) application is no longer required and access is provided through a browser interface by means of a run-time applet served by the Citrix solution.

The NetSwift iGate and iKey can be configured to provide strong authentication to a Citrix Metaframe XP deployment – providing users with a simple and convenient method for accessing Citrix and providing administrators with the peace of mind that user accounts aren’t being duplicated and that users aren’t forgetting their account credentials.

Because the NetSwift iGate provides strong authentication to other applications and resources in addition to Citrix, the implementation of such a solution is also beneficial as it can support existing solutions as well as adapt to support future applications and changes in the IT infrastructure.

[Figure: iKey Authentication for Remote Access. Diagram labels: Remote Workstations (IT Staff, Employees, Customers, Partners, Executives); internet; iGate; Authentication Server; Authentication Requests; Legacy Fat Client applications (Citrix / Terminal Server / VPN); Private Web applications (Application Servers, Network File Shares, CRM applications, Email Servers)]

Securing Citrix Metaframe XP with NetSwift iGate Private Web Solution


Integration

The integration of the NetSwift iGate Private Web solution with Citrix Metaframe XP provides two alternatives for users to protect access, “MasterKey” based and “Basic Security Protection”. This integration guide describes how the NetSwift iGate integrates with Citrix Metaframe XP using either method. The “MasterKey” based method provides one step authentication for users when accessing Citrix. This method requires some minor modification work. The “Basic Security Protection” simply provides iKey gated access to Citrix (and all other web based resources) without the sign in benefits of “MasterKey”.

The MasterKey method is best suited when Citrix defers authentication to a network domain controller such as with a SAM database in a Windows NT 4.0 or 2000 domain or in the case of an Active Directory.

The Basic Security Protection is best suited to provide instant multi-factor authentication to various resources and leave the integration of ‘credentials’ for these resources to a later time.

The Citrix environment requires the following components to be installed and configured:

• Citrix Metaframe XP
• Citrix nFuse portal and web clients
• Citrix Secure Gateway

The Citrix nFuse portal is a web based application that provides access to Citrix sessions through a web page and delivers content locally to a client in a web browser. The Citrix Secure Gateway ensures that access to the Citrix sessions can only occur through the nFuse application.

MasterKey based login

In this case it is assumed that the Citrix server is maintaining its own list of users or is deferring authentication to the Windows domain. The NetSwift iGate is responsible for identifying incoming users to the nFuse application. Since Citrix still expects a domain, username and password, the NetSwift iGate is configured to forward the appropriate and authenticated identity of every incoming user to the application. This satisfies the authentication requirements and architecture model of the network and the Citrix solution without requiring maintenance of separate passwords or user identities for each employee.

The integration is accomplished by some very simple modification of the login.asp code of the nFuse application. The modifications include a few lines that are added to this code to allow the application to retrieve the authenticated credentials securely from the iGate server. The solution is configured to trap requests for NTLM authentication and respond securely to the requests with the appropriate credentials. This allows for seamless integration into an existing architecture and for the continued maintenance of user domain credentials for backwards compatibility with other applications for which access through iKey/NetSwift iGate is not required.


Users still have domain credentials, however the user configures his iKey one time with that credential information. The IT administrator is not required in the configuration or set-up of each user's credentials – as the user can do this himself. The credentials are securely stored and are only released under the following circumstances…

• An NTLM login event has been generated
• The iKey has been authenticated by the iGate server
• The user has entered their personal PIN number

This method provides complete integration. When iKeys are distributed to users, as part of their configuration (which is to set up their own PIN) they have the option of also configuring the iKey to automatically provide NTLM authentication. Simply, if the user chooses not to do this, then when an NTLM authentication is required – they just enter it manually.
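The release rule described above can be modelled as a small fail-closed gate. This is an added illustration, not code from the white paper or from the NetSwift iGate product: the class and method names, the PBKDF2 PIN check and the one-release-per-NTLM-event behaviour are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

Creds = Tuple[str, str, str]  # (domain, username, password)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumption: PIN kept as a salted PBKDF2 hash; a real token checks it on-device.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class KeyState:
    key_authenticated: bool = False  # token verified by the gateway
    pin_verified: bool = False       # user entered the correct PIN
    ntlm_pending: bool = False       # back end has asked for NTLM credentials

class MasterKeyGate:
    """Hypothetical model: stored credentials are released only when all three conditions hold."""
    def __init__(self, pin: str, stored: Optional[Creds] = None):
        self._salt = os.urandom(16)
        self._pin = _pin_hash(pin, self._salt)
        self._stored = stored        # None = user chose not to store NTLM credentials
        self.state = KeyState()

    def authenticate_key(self) -> None:
        self.state.key_authenticated = True

    def enter_pin(self, pin: str) -> bool:
        # Constant-time comparison avoids leaking how much of the hash matched.
        self.state.pin_verified = hmac.compare_digest(_pin_hash(pin, self._salt), self._pin)
        return self.state.pin_verified

    def ntlm_challenge(self) -> None:
        self.state.ntlm_pending = True

    def remove_key(self) -> None:
        # Resets the gate only; per the paper's footnote, an open Citrix session is not closed.
        self.state = KeyState()

    def release(self) -> Tuple[str, Optional[Creds]]:
        s = self.state
        if not (s.key_authenticated and s.pin_verified and s.ntlm_pending):
            return ("deny", None)    # fail closed: any missing condition blocks release
        s.ntlm_pending = False       # assumption: one release per NTLM event
        if self._stored is None:
            return ("prompt", None)  # user types domain credentials manually
        return ("release", self._stored)
```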

Basic Security Protection

By default, iGate protects web based applications. With the nFuse application and Citrix Secure Gateway, access to applications is only allowed via a browser, and the default portal page for launching applications is a web page itself. Therefore, access to the web based Citrix portal page can be protected by the default operation of iGate. The user will be required to authenticate himself to the Citrix server with a username and password – but only after having authenticated by means of the iKey. This is a simple and rapid way to immediately deploy strong multi-factor authentication to the Citrix Metaframe XP environment.
