An Introduction to the New Security Features of Citrix MetaFrame Secure Access Manager
Tommy Walker, Systems Engineer
Bob Schaeffer, Systems Engineer
Citrix Systems
Citrix Confidential
Non Disclosure Agreement
• This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all

Under Construction
This product is still under development.
Secure Gateway Today
[Diagram: Internet; Secure Gateway; Web Interface; STA; 3rd Party Auth; MetaFrame XP Server Farm; Internet Explorer and ICA]
Agenda
• SSL/TLS Support
• Logon Agent
• Gateway Client
• Deployment Scenarios
• Secure Gateway Management
SSL/TLS Support
• SSL V3.0 and TLS V1.0 secure protocols supported
• Secure connections now include those between:
– ICA Client and Web Server/Logon Agent
– ICA Client and the Secure Gateway
– Secure Gateway and the Secure Gateway Proxy
– Secure Gateway and the Authentication Service
– Secure Gateway and the Secure Ticket Authority
– Secure Ticket Authority and the Logon Agent
SSL/TLS Support
• ICA connections are relatively persistent, while
• HTTP connections are
SSL/TLS Support
• Why do we care…
• The key generation phase of the SSL/TLS handshake is a computationally intensive operation
• MetaFrame Secure Access Manager makes use of session ID reuse
• This reduces the requirement to generate a
Cipher Suites Supported
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_RC4_128_SHA
• RSA_WITH_RC4_128_MD5
• Remove weak cryptography
• Meet government requirements for the
Logon Agent
• The Logon Agent is a web based login service responsible for displaying a login page and processing the login requests.
• Implemented as server based ASP scripts
Logon Agent
• Ships with two logon page templates:
– one using basic username, password and domain (basic authentication)
– one integrated with RSA SecurID
• Customizable logon page templates
• Third party forms based
Logon Agent Process
• The Logon Agent presents an HTML logon page to the user
• User credentials collected
• The Logon Agent first validates the SecurID
• The SOAP protocol passes the credentials to the
Logon Agent Process
• Upon authentication:
– Authentication Service returns a session cookie
– A redirection URL
– A number of cookies required by the MetaFrame Secure Access Manager
• The Logon Agent formats the data returned by the Authentication Service
• Forwards the formatted response to the
Gateway Client
Internal and External Web Access
• A VPN or Reverse Proxy is commonly used to access your internal web content
• A VPN requires extensive client setup
• A reverse proxy does not handle all situations
– A URL generated by a client side script, applet or control
Gateway Client
• MetaFrame Secure Access Manager utilizing the Gateway Client allows access to all or some internal web content located on the corporate intranet
Gateway Client
• Downloaded to and hosted by the client web browser after user authentication
• The Gateway Client reads the proxy settings of the host web browser when it is launched
• It inserts itself between the web browser and the client side proxy
• If no client side proxy is detected
Gateway Client
• The client intercepts the HTTP or HTTPS traffic and encapsulates it via the CGP protocol
• It determines whether the URL request is for an internal or an external site
• Internal site
– the client side component redirects the traffic through the Secure Gateway to the correct site
• External site
– the client side component allows the
Gateway Client
• What if my device cannot download the Gateway Client?
– Internet Café
– Small Handheld Devices
• When the Client is not present, the Secure
Access Control Lists
• The Access Control List (ACL) has been extended
• The Network Administrator defines the ACL on the Gateway
• The ACL is used by the Gateway to determine if a request to connect to a server can be honored
• Server name, port and protocol are required in the ACL
Access Control Lists
• One Access Control List (ACL) for all outgoing connections from the Gateway
• Incoming connections have an ACL for each interface (only one configuration though)
• There is effectively a single ACL for all incoming connections to the Gateway
• The ACL is used on the Secure Gateway Proxy to restrict
Server Access List
• The Server Access List is a subset of the Access Control List
• This is defined by the Administrator using the Access Management Console (AMC)
• The Server Access List defines which web
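To make the ACL model above concrete, here is an added example (not Citrix code) of a gateway-style access control list keyed on the three fields the slides require, server name, port and protocol, evaluated default-deny, together with a check that a Server Access List stays a subset of the outgoing ACL. The wildcard syntax, the function names and the sample entries are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Union


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: the server name, port and protocol the gateway requires.
    Name wildcards and "*" for port/protocol are assumptions of this example."""
    server: str             # e.g. "intranet.example.corp" or "*.example.corp"
    port: Union[int, str]   # 443, or "*" for any port
    protocol: str           # "https", "http", "ica", "socks" or "*"

    def matches(self, server: str, port: int, protocol: str) -> bool:
        return (fnmatchcase(server.lower(), self.server.lower())
                and self.port in ("*", port)
                and self.protocol in ("*", protocol.lower()))


def connection_permitted(acl: Iterable[AclEntry], server: str, port: int, protocol: str) -> bool:
    """Default deny: the gateway honors a connect request only if some entry matches."""
    return any(entry.matches(server, port, protocol) for entry in acl)


def sal_is_subset_of_acl(sal: Iterable[AclEntry], acl: Iterable[AclEntry]) -> bool:
    """A Server Access List (concrete web servers, no wildcards) must not
    grant a server that the outgoing ACL would refuse."""
    acl = list(acl)
    for entry in sal:
        if "*" in entry.server or entry.port == "*" or entry.protocol == "*":
            raise ValueError(f"SAL entries must be concrete: {entry}")
        if not connection_permitted(acl, entry.server, entry.port, entry.protocol):
            return False
    return True


# Constructed sample lists (not taken from the slides).
OUTGOING_ACL = [
    AclEntry("*.example.corp", 443, "https"),
    AclEntry("webinterface.example.corp", 80, "http"),
    AclEntry("mf-*.example.corp", 1494, "ica"),
]
SERVER_ACCESS_LIST = [
    AclEntry("intranet.example.corp", 443, "https"),
    AclEntry("webinterface.example.corp", 80, "http"),
]
```

Because evaluation is default-deny, a request that names a permitted server on an unlisted port, or a permitted port on an unlisted server, is refused.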
Deployment Scenarios
Single DMZ Deployment
• The Secure Gateway is deployed in a single-staged DMZ
• The Gateway accepts connections from the Internet via an external facing firewall
• Makes connections directly to the resource requested
• This was the Secure Gateway v1.x deployment model
[Diagram: Internet; Secure Gateway; Web Interface; STA; 3rd Party Auth]
Single DMZ Deployment
• Logon Agent is installed on the same server as the Secure Gateway
• The connection is typically not encrypted in this situation
• IIS server should be locked down to allow
Single DMZ Design
[Diagram: Internet; Secure Gateway; Logon Agent; Authorization Service + STA; 3rd Party Auth]
Single DMZ Design (MetaFrame XP Only)
[Diagram: Internet; Secure Gateway; Web Interface; STA; 3rd Party Auth]
Double DMZ Deployment
• A double-hop deployment is where a Secure Gateway and Secure Gateway Proxy are deployed in a multi-staged DMZ
• The Secure Gateway accepts client connections on one side
• The Secure Gateway cannot make a direct connection to the requested resource
• The resources requested by the client are
Double DMZ Deployment
• The Secure Gateway Proxy passes the requested resources via SOCKS V5
• The default listener port for the Secure Gateway Proxy is 1080
• This request can also be encrypted with SSL
• The Secure Gateway Proxy is a mode of the
Double DMZ Deployment
• The Logon Agent currently does not use proxying for its connections
• It is deployed in the second stage DMZ
• The Logon Agent and Web Interface server are accessed by the Gateway through a single hop
• It also allows the Logon Agent and the Web
Double DMZ Design with Gateway Client
[Diagram: Internet; Secure Gateway; Logon Agent; Authorization Service + STA; 3rd Party Auth]
Double DMZ Design with MetaFrame XP
[Diagram: Internet; Secure Gateway; Web Interface; STA; MetaFrame XP Server Farm; Internet Explorer and ICA]
Secure Gateway Management
• The Secure Gateway Management features are centralized in a MMC Snap-In
• The snap-in allows an administrator through a single management console to:
– Monitor active HTTP connections
– Monitor and control active ICA connections
– Display Gateway configuration
– Display Gateway Performance Monitor counters
Secure Gateway Management and the STA
• The STA XML protocol has been modified
• This change is used to uniquely identify ICA connections in the Gateway session manager
• The STA XML protocol now includes an extended data (XData) element
• This contains an escaped XML document with the following data elements inside it:
– Server Address (MetaFrame address and port)
– Username
– User Domain
– Application Name
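As an added illustration (not Citrix's protocol or code), the following Python builds and parses a message of the shape described above: an XData element whose text is an escaped XML document carrying the four fields, from which the session manager can derive a unique key for the ICA connection. The element names, the request wrapper and the sample values are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumed element names for the four fields the slides list inside XData.
FIELDS = ("ServerAddress", "Username", "UserDomain", "ApplicationName")


def build_xdata_message(server_address, username, domain, app_name):
    """Serialize the four fields as an inner XML document and embed it, escaped,
    as the text of an XData element inside a hypothetical STA request."""
    inner = ET.Element("SessionData")
    for tag, value in zip(FIELDS, (server_address, username, domain, app_name)):
        ET.SubElement(inner, tag).text = value
    inner_xml = ET.tostring(inner, encoding="unicode")

    outer = ET.Element("RequestTicket")             # hypothetical wrapper element
    ET.SubElement(outer, "XData").text = inner_xml  # serializer escapes <, > and &
    return ET.tostring(outer, encoding="unicode")


def _reject_doctype(text, where):
    # Neither layer should carry a DOCTYPE; it is the only place entity
    # declarations could be smuggled into the embedded document.
    if "<!DOCTYPE" in text.upper():
        raise ValueError(f"DOCTYPE not allowed in {where}")


def parse_xdata(message):
    """Recover the four fields. The outer parser unescapes XData's text, which
    is then parsed a second time as a document in its own right."""
    _reject_doctype(message, "STA message")
    xdata = ET.fromstring(message).find("XData")
    if xdata is None or not xdata.text:
        raise ValueError("no XData element in message")
    _reject_doctype(xdata.text, "XData")
    inner = ET.fromstring(xdata.text)
    fields = {}
    for tag in FIELDS:
        element = inner.find(tag)
        if element is None or not element.text:
            raise ValueError(f"XData is missing {tag}")
        fields[tag] = element.text
    return fields


def session_key(fields):
    """Key under which the session manager can uniquely track one ICA connection."""
    return (fields["ServerAddress"], fields["UserDomain"].upper(),
            fields["Username"].lower(), fields["ApplicationName"])
```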
Secure Gateway Management
• The Secure Gateway Management MMC Snap-in presents a list of all current sessions.
• The following information is provided for each entry (session) in the list:
– Client IP Address
– Server IP Address
– User Name
– Domain
Secure Gateway Management (cont.)
– Bytes Count To Client
– Bytes Count From Client
– Bytes Count To Server
– Bytes Count From Server
– Time Established
– Time Elapsed
Performance Monitor Counters
• Total Successful Connections
• Total Successful Connections (HTTP)
• Total Successful Connections (ICA)
• Total Failed Connections
• Failed Connections (Timed Out)
• Failed Connections (SSL Error)
• Failed Connections (Server Connect Error)
Performance Monitor Counters
• Total Bytes from Gateway to Client
• Total Bytes from Client to Gateway
• Pending Connections
• Total Active Connections
• Active ICA Connections
• Active HTTP(S) Connections
• Active Other Connections
• Peak Active Connections
Performance Monitor Counters
• Peak Bytes/Sec from Client to Gateway
• Last Client Connect Time
• Longest Client Connect Time
• Total Successful Ticket Validations
• Total Failed Ticket Validations
• Total Successful Validations (Requests)
• Total Successful Validations (Cached)
Error Logging
• Four levels of logging by the gateway will be collected:
– FATAL
– ERROR
– WARNING
Gateway Log Events
• Gateway startup (success and failure)
• Gateway pause
• Gateway resume
• Gateway shutdown
• Connection attempt
• Connection success
– Including username, domain, client address/port, server connected to and
Gateway Log Events
• Connection failure and, if possible, at what stage in the connection process the failure occurred
• Authentication attempt success
• Authentication attempt failure and, if possible, the reason for the failure
• Logging configuration parameter
In Review
[Diagram: Internet; Secure Gateway; Logon Agent; Authorization Service + STA; 3rd Party Auth]
Questions