Securing Citrix with SSL VPN Technology

An AEP Networks Solution Summary

For years, Citrix® Systems has dominated the server-based computing market as the solution of choice for application access across the enterprise. Citrix Presentation Server (formerly MetaFrame) delivers a scalable, comprehensive solution that yields unequivocal dividends.

However, securing Presentation Server resources – particularly for access beyond the LAN – remains a central challenge. Historically, Citrix administrators have had few options when implementing remote access to Citrix Presentation Server applications, beyond Citrix’s resource- and server-intensive Secure Gateway for MetaFrame (Citrix Secure Gateway) software. Recently, Citrix has taken another stab at security by offering an acquired appliance called Citrix Access Gateway (CAG). While CAG is a decided step forward in terms of deployment and manageability, in truth the CAG appliance is lacking in flexibility and security features. For example, CAG was eliminated from Network World’s December 2005 SSL VPN testing for its lack of web reverse proxy technology, a key requirement for secure, clientless application access. The product lacks third party security validation and accreditations, such as Federal Information Processing Standards (FIPS), ICSA Labs Secure Sockets Layer/Transport Layer Security (SSL-TLS), and the Virtual Private Network Consortium (VPNC). CAG is also designed for Citrix applications, and does not support the variety of applications typically required for business users. For many organizations, CAG does not represent a true enterprise-class remote access solution.

SSL VPNs offer a broader, more encompassing approach, providing crucial network security for Presentation Server – as well as other application environments – while adding important features unavailable with CAG. This paper describes the drawbacks associated with CAG and presents the AEP Netilla® Security Platform, an SSL VPN from AEP Networks, as the best-of-breed alternative for simple, secure access to Citrix Presentation Server.

Citrix Access Gateway Overview

CAG, a 1U rack-mounted appliance, is designed as an access platform for Citrix-only environments. From an implementation perspective CAG is a much less complicated solution than its predecessor – Citrix Secure Gateway, a software product requiring 2-4 servers to implement and significant effort to deploy and maintain. However, CAG is far from a total remote access solution:

CAG lacks key security capabilities:

• Does not employ proxies: relies on tunneling only, creating an end-to-end connection that is much less secure.

• No industry certifications (FIPS, ICSA, and VPNC).

• Limited policy enforcement: no group information retrieved from Active Directory or LDAP.

• No stateful packet inspection (SPI) firewall.


CAG lacks key functionality capabilities:

• Limited growth options: cannot be securely extended to non-Citrix applications (web-based, Linux, mainframe, or native Windows Terminal Services).

• Requires a full or ActiveX Windows client and administration rights on the remote user’s PC.

• Confusing for end users: requires multiple clicks to access Citrix applications.

• Lacks authentication options (e.g. no client-side certificates with revocation, no device identification, no embedded 2-factor server).

• Complicated deployment/management: requires Web Interface and a Secure Ticket Authority configured on the private network, and lacks browser-based administration.

• Poor reporting: while CAG supports standard Syslog/SNMP management, it is limited to failover and external load balancing.

SSL VPNs: A Better Approach

SSL VPNs provide a much higher level of security compared to CAG, while adding a range of features that allow companies to extend their Citrix infrastructure with a surprising level of ease. The AEP Netilla Security Platform (NSP), for example, enhances Citrix with an icon-driven webtop with auto launch capabilities, an embedded 2-factor authentication server, server load balancing, session timeouts, robust reporting and logging, forced re-authentication, and client machine identification.

The NSP provides this functionality through a powerful realms-based policy framework, allowing organizations to create customized policy enforcement “containers” depending on the access environment. For example, some users may require the full Outlook client via Citrix while others access Outlook Web Access through a reverse proxy. Road warriors who work from kiosks need endpoint integrity scans, while others must be limited to corporate-issued PCs only. A single NSP supports all these requirements to suit the assorted access needs of the enterprise.

Securing Presentation Server Directly with the AEP Netilla Security Platform (NSP)

For organizations that prefer to use the native Citrix ICA client, the NSP utilizes AEP’s Intelligent Port Forwarding technology. As shown in Figure 1, this technique automatically delivers a Java client that sits on a remote Windows machine and looks for the TCP port that Presentation Server applications use. As soon as data starts to flow, the Port Forwarder Java client encapsulates and encrypts all the traffic in SSL and forwards it to the NSP gateway, where it can be deciphered and delivered to a Citrix Presentation Server.

Figure 1: Port Forwarding the ICA Client (ActiveX, Java, Win32)


Once the user logs in to the NSP (via the authentication protocol used for the network), the NSP pulls the authorized applications that have been defined on the Citrix servers, and publishes icons for these applications directly onto the NSP’s unified webtop. These Citrix icons are presented along with all the resources defined for that user (Web, Linux, mainframe or native Windows Terminal Server applications, as well as file shares). Alternatively, the NSP can be configured to auto-launch Citrix applications directly from the NSP’s initial login screen. As an added benefit, updates made to Citrix applications by administrators are automatically reflected in the user’s webtop, eliminating additional Administrator intervention.

When a Citrix application is requested by the end user (either by clicking an icon or via the NSP’s application auto-launch), the NSP checks whether an ICA client is already resident on the user’s computer; if not, it packages a Java applet containing the Citrix ICA client (Java or ActiveX) and installs the client on the user’s PC. Admin rights are not required for this process, nor are hosts file edits on the user’s PC. This means that end users need only click an icon or log into the appliance to access Citrix applications; the NSP provides the appropriate client seamlessly and without administrative hassles. The NSP will publish any Citrix application – a Windows desktop, full Program Neighborhood, or single Citrix application – while standard Citrix printing and all other Presentation Server services such as Seamless Windows and load balancing are fully supported. Of note: the NSP provides access directly to the Presentation Servers themselves (without requiring Citrix Secure Gateway or Citrix Web Interface), further cutting costs and management.

From an administrator’s perspective, deploying Presentation Server via the NSP is a single admin-screen process:

• NSP administrators enter the IP or hostname of a Citrix server running the XML service, OR the host/IP of the SSL Relay.

• The Admin selects standard options (application icon to display, server address, default ICA client to deliver, etc.).

• The Admin selects users or groups (Active Directory or LDAP) allowed to run the application set.

Option Two: Using AEP NSP Thin Proxy

As an alternative to Intelligent Port Forwarding, the NSP offers an embedded thin-client proxy. In this arrangement, the NSP generates a proxy, or representation, of the application, so remote users can reach different applications over native protocols such as Remote Desktop Protocol (RDP) for Windows-based applications.

Figure 2: Thin Client Proxy for Windows and Citrix Applications


As shown in Figure 2, the NSP intermediates the connection between remote-client requests and the network-based application server, terminating incoming SSL connections at the application layer in the NSP appliance, located in the DMZ. Once the incoming request is terminated, the NSP translates the data to the appropriate application protocol, such as RDP for the Terminal Server/Citrix server.

During this termination period the NSP is able to apply security policy, functioning as a gatekeeper between the Internet and the private network.

It is this crucial security benefit that distinguishes the NSP from competitors. In this application-layer proxy model, the end user never directly connects to a “private side” network resource; instead, the NSP functions as a proxy, protecting application servers from direct Internet exposure.

Capping Citrix with NSP Thin Proxy

Another benefit of NSP Thin Proxy technology accrues from simplifying the organization’s use of Citrix. For example, even if an organization relies on Citrix for the LAN, remote users can leverage AEP Thin technology to “talk” RDP to the Citrix server, because Citrix is a service that runs on Windows Terminal Server. In this way, the NSP enables an organization to “cap” its Citrix deployment and instead deploy AEP thin-client technology to remote users, who access the same applications that they use in the office, rather than having to expand Citrix further. Or, organizations might prefer to make some “Citrix” applications available via Port Forwarding and others available via AEP’s thin proxy. Both scenarios are possible in the same NSP, and in the same user’s session, using AEP V-Realms.

Secure ALL Business Applications with a Single Appliance

In addition to Port Forwarding and Thin Proxy, the NSP also rewrites HTTP requests for web-based applications, allowing internal DNS addresses that do not resolve publicly to be accessed securely over the Internet. Company Web servers remain safe behind the firewall, in a highly secure portion of the private network, without the cost and maintenance of locking each server down for public access, while administrators gain granular access control to directories, servers, and paths on a user or group basis. Rounding out the NSP’s access modes is Layer 3 (network-layer) tunneling for client/server-based applications, as well as a Java-based file browser with client drive mapping and drag, drop, copy and paste functionality.
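As an added illustration (not AEP’s code, and not a description of the NSP’s internals), the following Python models the two halves of a URL-rewriting reverse proxy described above: publishing internal hostnames under one public gateway name, and enforcing a per-group directory/path policy on every request before it is forwarded. The gateway name, the published hosts and the policy table are constructed assumptions.

```python
# Added example (not AEP's code): a minimal model of the URL-rewriting reverse
# proxy described above. Internal hostnames that never resolve on the Internet
# are published under one public gateway name; each request arriving on the
# public side is mapped back and checked against a per-group allow-list before
# anything is forwarded into the private network.
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit, unquote
GATEWAY = "gateway.example.com"  # constructed public gateway name
# constructed: only these internal hosts may be published through the gateway
PUBLISHED_HOSTS = {"intranet.corp.local", "owa.corp.local"}
# constructed: (host, path prefix) pairs each user group is allowed to reach
POLICY = {
    "staff": {("intranet.corp.local", "/"), ("owa.corp.local", "/owa/")},
    "finance": {("intranet.corp.local", "/finance/")},
}
LINK_RE = re.compile(r'(href|src)="(http://[^"]+)"')

def to_public(internal_url):
    """Rewrite http://host/path into https://GATEWAY/proxy/host/path."""
    u = urlsplit(internal_url)
    if u.hostname not in PUBLISHED_HOSTS:
        raise ValueError("host not published: %r" % u.hostname)
    path = "/proxy/%s%s" % (u.hostname, u.path or "/")
    return urlunsplit(("https", GATEWAY, path, u.query, u.fragment))

def to_internal(public_path):
    """Inverse mapping: /proxy/<host>/<path> -> (host, normalised path)."""
    m = re.fullmatch(r"/proxy/([a-z0-9.-]+)(/.*)?", public_path)
    if not m or m.group(1) not in PUBLISHED_HOSTS:
        raise ValueError("not a gateway path")
    # decode, then collapse '..' segments so a policy prefix cannot be escaped
    return m.group(1), posixpath.normpath(unquote(m.group(2) or "/"))

def is_allowed(groups, public_path):
    """True only if one of the user's groups covers the resolved host and path."""
    try:
        host, path = to_internal(public_path)
    except ValueError:
        return False  # unknown host or malformed path: deny by default
    return any(h == host and (path + "/").startswith(prefix)
               for g in groups for h, prefix in POLICY.get(g, ()))

def rewrite_links(html):
    """Rewrite links to published hosts in a response body; leave others intact."""
    def repl(m):
        try:
            return '%s="%s"' % (m.group(1), to_public(m.group(2)))
        except ValueError:
            return m.group(0)
    return LINK_RE.sub(repl, html)
```

Note that the policy check runs on the decoded, normalised path, so an encoded or dot-segment path cannot step outside a group’s allowed prefix, and links to hosts that are not published are left untouched rather than exposed through the gateway.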


Comparing the Approaches

Citrix Access Gateway (CAG) vs. AEP Netilla Security Platform (NSP):

• CAG: Access product. NSP: Secure access product.

• CAG: Citrix-focused access only, lacks proxies. NSP: Supports tunneling, Citrix, WTS, Linux as well as Web applications via more secure proxy technology.

• CAG: Lacks third-party accreditation (no FIPS, ICSA, VPNC). NSP: Highly security focused (FIPS, ICSA, VPNC tested and approved).

• CAG: Intrusive client-side install required, requiring Admin rights on the local PC. NSP: Non-intrusive end user deployment: NO Admin rights or hosts file edits on the local PC.

• CAG: Complex network deployment: requires Web Interface and Secure Ticket Authority. NSP: Much simpler: direct communication from NSP to Presentation Server(s) in the private network.

• CAG: Provides end-to-end connections or “tunnels”. NSP: Provides proxies to protect applications.

• CAG: Complicated management and configuration. NSP: Simple to deploy and manage: single-screen setup.

• CAG: Trivial, limited authentication models. NSP: V-Realms containers for authentication and policy.

• CAG: Complex for end users. NSP: Citrix apps published right in the user’s portal, one-click access to Citrix applications.

• CAG: Multi-step end user access process. NSP: Single Sign On (SSO) capability via secure storage of credentials in session-based tokens for forwarding into applications; application auto-launch option.

• CAG: Typical Citrix remote printing hassles. NSP: Universal print driver for printing locally to ANY printer.

• CAG: Supports third-party 2-Factor only. NSP: Integrated VASCO 2-Factor authentication server eliminates extra hardware purchase or Citrix infrastructure changes; the NSP also supports all third-party 2-Factor solutions from RSA, Aladdin, and others.

Conclusion: The Most Versatile SSL VPN Available

In the final analysis, SSL VPNs offer tremendous value as secure application gateways, offering a far simpler, safer, and less costly approach than the CAG alternative. The result is a powerful tool, one that delivers a best-of-breed solution that maximizes an organization’s application investment while protecting the company’s critical business assets.

Try an Online Demo

See for yourself: Visit http://www.aepnetworks.com/demo and see how easy secure access to Citrix can be.

Contact AEP Networks [email protected] www.aepnetworks.com

U.S: 877-652-5200 x5207 • EMEA: +44 (0) 1442 458 640 • Japan: +81-3-3432-3336 • Hong Kong: +852 8199 0104
