DV4 - Citrix CloudGateway:
Access and control Windows, SaaS
and web applications
Rob Sanders, Systems Engineer, Citrix Systems
Diagram labels: Corporate Apps & Storage, Corporate PC, BYO Phone, SaaS Apps, Mobile Apps, Data, BYO Tablet
Enterprise Mobility for All Apps, Data & Devices
Diagram labels: App Store, Cloud Container, Windows, Mobile, Web/SaaS, Mobile Container, Identity, Policy, Security, Data, Corp Data, PC, Mac, Smartphone, Tablet, Thin Client, Storefront™ services, Content controllers, Access Gateway services
Single server deployment
Diagram labels: Internet, Storefront Services, Access Gateway (optional), XenApp/XenDesktop, LAN, DMZ
High availability deployment
Diagram labels: Internet, Storefront Services, Access Gateway (optional), XenApp/XenDesktop, LAN, DMZ, Load Balancer, SQL Server
Components
Mac and Windows
Storefront Services Tier
Storefront Services
Diagram labels: XenApp farms, Web apps, Browser, Thin Clients, XML Service Adaptor, ShareFile, Web Receiver, Future Citrix Adaptors, Mobile Devices, SaaS apps, List All Apps, Launch App, “Value Adds”, List My Apps, Subscribe, Store Services, Authentication Service, Update Service (Merchandising Server), 3rd Party Adaptors, 3rd Party Web, Password, OTP, Kerberos, ..., Mobile Applications, 3rd Party Apps, Smartcard, App Controller, Access Gateway, XenDesktop farms; callouts 1, 2, 3
Authentication
• Allows Single Sign-on
ᵒ Between different Storefront services
ᵒ To other Citrix services
• Extends in many directions
ᵒ Federation-In (SAML protocol)
ᵒ Access Gateway SSO
ᵒ SSO to AppController
Diagram labels: Authentication Service (callout 1): Password, OTP, Kerberos, ..., Smartcard
Authentication Flow… Current
Diagram labels: Internet, Web Interface Server, XML Server, Active Directory Server
Authentication Flow… New
Diagram labels: Internet, Storefront Services Server, XML Server, Active Directory Server
Authentication methods
• Three authentication methods available on Storefront Services
ᵒ User name and password – e.g. Explicit
ᵒ Domain pass-through – e.g. Pass-through
ᵒ Pass-through from Citrix Access Gateway – e.g. Authentication “at Access Gateway”
• No 2-factor authentication (RADIUS, tokens and OTP) available
ᵒ Use Access Gateway to provide this functionality
• No support for Kerberos, smart cards and federation at this time
• Domain pass-through only available with:
ᵒ Domain-joined Windows devices
Store Service
• REST Services
ᵒ XML messages over HTTP(S) protocol
ᵒ Authentication via a token header
• Designed to be a public SDK
ᵒ Currently not published
• Root service is ‘Resources’
ᵒ This then references images, Windows icons, etc.
Diagram labels: Store Services (callout 2): List All Apps, Launch App, List My Apps, Subscribe
Receiver for Web
• Logically a Receiver like any other
ᵒ Talks to Storefront Services over HTTPS
• Our implementation
ᵒ Static HTML + CSS + JavaScript
• Rich UI
ᵒ Same UI as all other receivers
ᵒ Designed to be modular & customizable
Diagram labels: Web Receiver, 3rd Party Web
Enabling remote access
Storefront Services & Access Gateway integration
Supported
• Access Gateway 5.0.3 or later
• Access Gateway Enterprise 9.3 or later
• Access Gateway Enterprise 10.0 preferred
Not supported
• Access Gateway Standard / Advanced Editions 4.x
• Secure Gateway 3.2
Where in the world is Carmen SanDiego…??
Or how beacons are used
• Beacons are used to determine the location of the user
• Each beacon is a URL
ᵒ Internal: Only accessible from the LAN
ᵒ External: Public website (e.g. www.citrix.com or www.google.com)
• Receiver sends GET request to each beacon
ᵒ HTTP Response Status 200-399 is success
• Possible results
ᵒ NONE: No network connection
ᵒ VPN: Access Gateway plug-in detected and connection active
ᵒ LAN: Internal beacon success, no Access Gateway needed
ᵒ OUTSIDE: Internal beacon unreachable, Access Gateway needed
ᵒ HOTSPOT: Multiple external beacons connect to same proxy
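The beacon results listed above, worked through as an added Python example (not Citrix code and not part of the original slides). The order of the checks, the `answered_by` field and the reading of "same proxy" as one host answering for every external beacon are assumptions; the probe results are constructed and use the beacon URLs from the provisioning slide.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlparse

@dataclass(frozen=True)
class Probe:
    url: str                    # beacon URL that was requested
    status: Optional[int]       # HTTP status, None if nothing answered
    answered_by: Optional[str]  # responding host (hypothetical field, assumed observable)

def beacon_ok(p: Probe) -> bool:
    # Slide rule: HTTP response status 200-399 counts as success.
    return p.status is not None and 200 <= p.status <= 399

def same_proxy(external: Sequence[Probe]) -> bool:
    # Two or more external beacons answered by one host that is none of the beacons.
    hits = [p for p in external if beacon_ok(p)]
    responders = {p.answered_by for p in hits}
    beacon_hosts = {urlparse(p.url).hostname for p in hits}
    return (len(hits) >= 2 and len(responders) == 1
            and None not in responders and not (responders & beacon_hosts))

def classify(internal: Sequence[Probe], external: Sequence[Probe],
             vpn_active: bool = False) -> str:
    if vpn_active:                       # plug-in detected and connection active
        return "VPN"
    if all(p.status is None for p in [*internal, *external]):
        return "NONE"                    # nothing answered at all
    if same_proxy(external):             # assumed to take precedence over LAN
        return "HOTSPOT"
    if any(beacon_ok(p) for p in internal):
        return "LAN"
    return "OUTSIDE"

# Constructed probe results; the URLs are the beacons from the provisioning slide.
INT, EXT1, EXT2 = "http://mycitrite.net", "http://www.citrix.com", "http://www.google.com"
PORTAL = "portal.hotel.example"          # constructed captive-portal host

def sample(i, e1, e2):
    return [Probe(INT, *i)], [Probe(EXT1, *e1), Probe(EXT2, *e2)]

OFFICE = sample((200, "mycitrite.net"), (200, "www.citrix.com"), (200, "www.google.com"))
HOME = sample((None, None), (200, "www.citrix.com"), (200, "www.google.com"))
HOTEL = sample((302, PORTAL), (302, PORTAL), (302, PORTAL))
OFFLINE = sample((None, None), (None, None), (None, None))

if __name__ == "__main__":
    for name, s in [("office", OFFICE), ("home", HOME), ("hotel", HOTEL), ("offline", OFFLINE)]:
        print(name, classify(*s))
```

In the constructed hotel case the portal also answers the internal beacon with a 302, so a check on status codes alone would report LAN; comparing who answered the external beacons is what separates HOTSPOT from LAN here.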
Provisioning files
Configuring Citrix Receiver made easy!
Store = https://itdevstores.citrite.net/Showcase
Gateway = ftlagx.citrix.com, “US-East”
Gateway = sjcagx.citrix.com, “US-West”
Gateway = lonagx.citrix.com, “EMEA”
Default = lonagx.citrix.com
Beacons
Internal = http://mycitrite.net
External = http://www.citrix.com
External = http://www.google.com
Diagram labels: Store Service, Auth Service, ftlagx.citrix.com, lonagx.citrix.com, sjcagx.citrix.com, itdevstores.citrite.net
Customizations
Citrix ICA Client control
• ActiveX control, Firefox extension and Chrome plug-in
• Must be installed and enabled to detect the client
• Used to determine whether to install or upgrade Citrix Receiver, and for Workspace Control
• Configure behavior in web.config file
Modifying the web.config file
Advanced configuration for Citrix Receiver for Web
• Workspace Control
ᵒ Workspace Control is available for both native Receiver and Receiver for Web
ᵒ Auto-reconnect to active / disconnected sessions enabled by default
ᵒ By default
• Native Receiver will disconnect all applications on exit
• Receiver for Web will terminate all applications on exit
• Connect and Disconnect buttons are not available in Receiver for Web
• Client Deployment
ᵒ Installation of Citrix Receiver when no Receiver present enabled by default
ᵒ Upgrade of Citrix Receiver to new version disabled by default
Customization
• No customization options in console
• All files for customization are in \StoreWeb\contrib folder
• CSS customization
ᵒ custom.style.css
• JavaScript customization
ᵒ custom.script.js
• String customization
ᵒ custom.wrstrings.<lang-code>.js
ᵒ New language pack
Communication Flow
Diagram labels: Client Device, AppController, Storefront Services; steps 1 to 5
Native connector
• AppController connects using Java APIs
• User Credentials submitted over SSL
• Use for non-SAML apps
FormFill connector
• AppController fills in user credentials
• AppController sends a redirect to user’s browser
• Use FormFill for apps that do not support SAML
SAML connector
• AppController connects to Web apps supporting SAML
• AppController supports SAML 1.1 and 2.0
How the SAML connector works
Identity Provider
Role-based access
• A role is a group of users to which we can assign applications
• Roles are formed of one or more AD groups
Important!
• Only groups inside the root of your Base DN are exposed in AppController (fixed in AppController 2.0)
• When adding multiple AD groups to a role, only users that are a member of all groups get assigned the
Diagram labels: AppController, Administration, Data, Active Directory sync
• Automatically create user accounts within the ShareFile platform
• Configure SAML configuration using basic admin input
Diagram labels: AppController, Administration, Mobile Apps, Active Directory
• Wrap native mobile apps into Citrix Mobile Application packages
• Import applications to AppController
• Push native mobile applications to user devices
App Preparation Tool
Diagram labels: AppController, Active Directory sync, Administration, Mobile Apps
Diagram labels: iOS/Android Platform, iOS/Android kernel, Native Mobile App, Mobile Controller, Native Mobile App
Take advantage of our additional offerings!
• Citrix Expert Desks: Our product specialists answer your individual questions and give you insight into current projects
• Citrix Tech Lounge: Get to know the most important features of Citrix XenClient live, in a hands-on test in our Tech Lounge
• Meet the Architects: Book a short workshop with Citrix Consulting at the information desk and work out a target architecture for your company
• Citrix Datentankstelle: Have a Citrix Receiver with demo access set up on your mobile devices
• Citrix Education Desk: Find out about the current training offerings
• Citrix Test Center: All places are booked. There is the possibility via the
Feedback and presentations
• Your opinion is important to us! Please take a few minutes to fill out our online feedback form. You will receive the link a few days after the event
• After completing the questionnaire you will have access to the download page for the presentations
Save the date: Citrix Synergy 2012
• The premier event on cloud computing, virtualization and networking
• 17-19 October 2012 at the International Convention Centre Barcelona
• More information: