Technical Training
Agenda (1 – 3)
• Value
• Features
• Architecture Components
• Architecture Deployment Scenarios
• Deployment
– Planning
– Console Installation
– Synchronization
– License Installation
Agenda (2 – 3)
• Deployment
– Console Configuration
• Generate Agent
• User Question
• Application
• FTU List
• Password Generation Policies
• Password Sharing Groups
Agenda (3 – 3)
• Security
• Load Balancing
• Advanced Concepts – Process
• Advanced Concepts – Clients
• Licensing & Pricing
• Target Client
• Sales Tools
Value – Customer Challenges
• Increased security requirements
• Increasing number of password-protected applications
• Compliance with HIPAA, Sarbanes-Oxley, et al. regulations
Value – Password Management Problems
• End-User Problems
– Numerous passwords
– Password change policies
– Forgotten passwords
– Store passwords in insecure places
• Problems for Employers
– Reduced security
– Reduced productivity
Value – Applications with Separate Logins
[Chart: “How Many Applications Are Your Users Dealing With?” – respondents by company size (50-499 employees (599), 500-4,999 employees (463), >5,000 employees (216)) reporting less than 5, 5-20, or >21 applications]
Value – Single Sign-on Market
“Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research
“30 percent of all calls to the help desk are for password resets” - Gartner Group
“The average end-user calls the help desk four times per year for password resets” - Gartner Group
“Businesses spend $200 per year per person on password management” - Forrester Research
Value – MetaFrame Password Manager
• Simplifies end-user computing
– Enterprise Single Sign-On (SSO) for Windows, Web, proprietary, and host-based applications
• Reduces help desk costs
– Centrally manage and automate password-related events, including password generation & changes
• Increases network security
– Stricter password policies
– More frequent and automated password changes
Value – Simplified End-User Computing
[Diagram: Windows – For Access to …]
Value – Reduce Help Desk Costs
• Centralize password administration
• Automate password changes
– Transparent to the end user
Value – Increase Network Security
• Enable strong passwords
• Automate password changes
– Transparent to the end user and as frequently as you like
– Users can’t share their passwords
Is password management a part of your security strategy?
How secure are you?
What is your password?
Where do you write down your password?
Is your new password different?
What is your password to login to CRM?
Features – Key Features
• Intelligent Agent Response
• Automated Password Change
• Strong Password Policies
Features – Intelligent Agent Response
• SSO-enables any application
– e.g., Intranet or CRM application
• Supports Windows, Web, Host-based applications
• Rapidly SSO-enable applications
• No scripting, programming, or application changes required
• Supports 3rd and 4th logon fields
Features – Intelligent Agent Response
Enables administrators to rapidly SSO-enable
Features – Automated Password Change
• Enable more frequent password changes
• Set to manual or automatic mode
• Automatic mode makes password changes transparent to end-user
Features – Strong Password Policies
• Enable passwords of different lengths
• Use a combination of numeric, alpha and special characters
• Set character repeat settings
• Example (X8@ja3!nvt3x)
Architecture – Components
• Administrative tool to centrally manage MetaFrame Password Manager deployment
• Configures applications and user settings
Architecture – Components
• Stores all settings configured by administrators
• Based on Active Directory or Network Share
• Agent synchronizes settings from credential store
Architecture – Components
• Client/Desktop component
• Synchronizes settings from Credential Store
• Has its own local credential store for offline/mobile use
• Detects logon and change password events
• Automatically fills in secondary credentials and changes passwords for end users
• Co-located with applications
Deployment – Steps
• Planning
– Select deployment mode
– Select Central Credential Store Directory
• Prepare Central Credential Store
• Add and activate license
• Configure MetaFrame Password Manager deployment
– Configure User Questions
– Configure Application Definitions
– Configure Password Policies and Password Sharing Groups
– Configure Agent Settings
– Configure First Time Use List
• Save configurations in Central Credential Store
• Create and install Agent with address of Central Credential Store
– Use Custom MSI to create package
Deployment – Planning – Details
• Hardware and Software Requirements
• Licensing Requirements
• Deployment Scenarios
• Synchronization
Deployment – Planning – Hardware and Software Requirements
• Hardware and Software Requirements
– Console
• Approximately 20MB RAM
• Approximately 20MB disk space
• Approximately 30KB disk space per user
• Windows 2000 Professional
• Windows 2000 Server
• Windows Server 2003
• Windows XP Professional
– Agent
• Approximately 5MB RAM
• Approximately 10MB disk space
• Windows 2000 Professional
• Windows 2000 Server
• Windows Server 2003
• Windows XP Professional
• Windows NT Workstation 4.0
– MetaFrame Password Manager supports Web browsing using Microsoft
Deployment – Planning – Licensing Requirements
• Licensing Requirements
– Concurrent-connection license $189
• Each loaded agent requires a license.
• A single user uses one license even if he has agents running in different locations (e.g., desktop, MetaFrame XP Presentation Server)
• Similar to MetaFrame XP Presentation Server.
– Named user $89
• Defined by the user ID
• Mobile users who need to use MetaFrame Password Manager on their laptops require a named user license.
– You can use both types of licenses at the same time
Deployment – Planning – Scenarios
[Diagram: MetaFrame Presentation Server + Applications (MetaFrame XP Deployed Desktops); MetaFrame Presentation Server Applications + Local Applications; Local Applications Only (Desktop). Legend: = SSO Agent]
Uniquely able to address Citrix/non-Citrix environments
Deployment – Planning – Scenarios – XP Presentation Server
[Diagram: MetaFrame XP Presentation Servers, ICA Client, Central Credential Storage; Agent runs in ICA sessions. Legend: = Agent]
• Agent only required to be installed on MetaFrame XP Presentation Servers
• Agents run in ICA sessions and work for Published applications
Desktop
[Diagram: Desktop, Central Credential Storage, Local Applications. Legend: = Agent]
• Agent installed only on Desktops
• Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store
Deployment – Planning – Scenarios – Mixed Deployment
[Diagram: MetaFrame XP Server and Desktop, Central Credential Storage, Published Applications and Local Applications. Legend: = Agent]
• Agent installed on MetaFrame XP Presentation Servers and Desktops
• Agents run on Desktop and in ICA sessions without any problems
Deployment – Planning – Central Credential Store
• File Share
– User password data is saved in a folder under the People folder, which is secured
– Configuration objects are stored at the root of the sync point
– Pros
• Does not require schema extension
• Single synchronization point ensures that there are no replication issues (unless DFS is implemented)
– Cons
• Same configuration for all users
• All users will connect to the file share, regardless of location
No scalability limits for File share or Active Directory
Both can support thousands of users
Both are equally secure
Deployment – Planning – Central Credential Store
• Active Directory
– User password data is saved as a child of the user object in AD
– Configuration objects such as applications and agents can be configured at any level
– The agent will query the AD for the current user’s agent setting
– Will walk up the tree until it finds settings or reaches root
– Pros
• Uses the organization’s existing infrastructure
• Allows configuration of different settings for different users or containers
– Cons
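The walk-up the slide describes, as an added example that is not part of the training deck or Citrix's code: settings are looked up on the user object first, then on each parent container up to the root, and the first object carrying settings wins. The distinguished names, setting names and configuration objects below are constructed.

```python
# Added example (not Citrix code): resolve the agent setting that applies to a
# user by walking up the Active Directory tree from the user object to the
# root, stopping at the first container that carries configured settings.
# All distinguished names (DNs) and settings below are constructed.

# Constructed configuration objects, keyed by the DN of the AD object that
# carries them. Settings may live on the domain root, on an OU, or on a user.
CONFIG_OBJECTS = {
    "DC=example,DC=com": {
        "sync_location": "LDAP://example.com",
        "allow_refresh": False,
    },
    "OU=Sales,DC=example,DC=com": {
        "sync_location": "LDAP://example.com",
        "allow_refresh": True,
    },
    # A per-user setting, as the slides allow ("any container (OU or user)").
    "CN=Annie User,OU=Sales,DC=example,DC=com": {
        "sync_location": "LDAP://example.com",
        "allow_refresh": True,
        "cleanup_local_store_on_shutdown": True,
    },
}


def split_dn(dn):
    """Split a DN into its RDNs on commas, honouring backslash escapes so a
    CN such as 'Doe\\, Jane' is not cut in two."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parent_dn(dn):
    """Return the DN of the containing object, or None once the root is reached."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def resolve_agent_settings(user_dn, config_objects=CONFIG_OBJECTS):
    """Walk from the user object up towards the root and return
    (dn_that_matched, settings, dns_visited). Returns (None, None, visited)
    when no object on the path carries settings."""
    visited = []
    dn = user_dn
    while dn is not None:
        visited.append(dn)
        if dn in config_objects:
            return dn, config_objects[dn], visited
        dn = parent_dn(dn)
    return None, None, visited


if __name__ == "__main__":
    for user in ("CN=Annie User,OU=Sales,DC=example,DC=com",
                 "CN=Doe\\, Jane,OU=Sales,DC=example,DC=com",
                 "CN=Bob,OU=Engineering,DC=example,DC=com",
                 "CN=Eve,DC=other,DC=com"):
        source, settings, path = resolve_agent_settings(user)
        print(f"{user}\n  settings from: {source}\n  walked: {len(path)} level(s)")
```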
Deployment – Planning – Application Information
• Application Information
– Application definitions specify identifiers including user name and password entry field location, application executable name, URLs, and control IDs for credential fields.
– Must have application installed on same computer as the MPM Console
Deployment – Console – Installation
• Requires .NET Framework 1.1
– Found on CD \SSO Administrative Console\dotnetfx.exe
• Install Console
– \SSO Administrative Console\setup.msi or from Autorun
• Requirements:
– Must be able to communicate with Sync location
– Must have applications installed on same machine
• Used to create Application Definition
– OS
• Windows 2000 Professional, Windows 2000 Server, Windows Server 2003, Windows XP Professional
Deployment – Central Credential Store – File share
• Select a File Server accessible to the Agents
• Run CTXFILESYNCPREP.EXE utility on the File Server from a command prompt
• Creates a shared folder on the server – CitrixSync$
• Sets required security permissions
– Only Authenticated users can access the network share
– No user can access each other’s credential files in the People folder
• Only CREATOR_OWNER has access to data in People folder
• STEPS: MPMAG-p.23
• Using Windows 2000 or 2003 Distributed File System (DFS)
Deployment – Central Credential Store – Active Directory
• A member of Schema Admin group needs to log on to a machine that resides in the Active Directory
– Ensure Schema Master Role is configured to allow schema updates
• Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt
– Extends the schema of Active Directory
• Run CTXDOMAINPREP.EXE from a command prompt
– Updates permissions of the specified container
– Enables users to create MetaFrame Password Manager objects under their Active Directory User objects based on schema extensions
Deployment – Licenses
• Install Licenses
– Console will not open unless a license is entered
– Use the same Sync Location to store licenses
• MetaFrame Password Manager License Administration
– Utility used to manage licenses
Deployment – Console – Configuration
Application Definitions
• Configured applications for single sign-on
• Wizard creation process
• Application templates provided to easily create application definition
Automate Password Changes
• Automatically respond to PW changes
• Set password format (e.g., length, etc.)
• Apply rules by each application
Create Application Groups
• Group applications to use same credentials
• Use common credentials across different applications
Control Agent Settings
• Administrative control over all settings for agents and users
• Centralized administration
Directory Administration
• Setup and management of synchronizer
• Active Directory, File Share
Deployment – Console – Configuration – Base Agent
• Agent
– Agent on CD installs but does not synchronize to central credential store
– The agent must be modified to provide synchronization
• Agent with Base Configuration
– Only includes synchronization information
– Requires the agent to obtain all configuration from sync location before 1st time use
– Use for testing new MPM configurations
• Agent with Full Configuration
– Agent can be created with full configuration (including agent settings, application definitions, sync location)
– Allows agent to be installed and work without the need to sync before 1st time use
Deployment – Console – Configuration – Base Agent
• Use to point agent to sync server to obtain latest configuration
• Create an Agent Setting whose only setting is the Sync location
• Generate Customized Agent
• Save XML file and push configuration to Sync location
• Install Agent
– Make sure latest configuration is pushed to Sync location
– Install agent
– Start agent
• You can verify in the CitrixSync folder that a new folder for the user is created under the People folder
Deployment – Console – Configuration – User Question
• Administrators configure questions that users have to answer the first time they use the Agent
• Answers from end users are stored securely in both Local and Central Credential Store
• Later, if users forget their primary passwords, they can answer these questions to retrieve their secondary credentials
• Questions cannot be changed/deleted after initial deployment
Deployment – Console – Configuration – Application Definition
• Each application enabled for Single Sign On has an ‘Application Definition’
• Application Definition can be built using
– Pre-configured Application Templates
– Wizard based Application Definition configuration
• Applications supported
– Windows Applications
– Web Applications
– Host-based Applications
• Application Definition consists of
– Actions for Logon
Deployment – Console – Application Definition – Windows
• Each window consists of different controls (e.g., text box, button, plain text/label, etc.)
– Regardless of the language the application is developed in
• Each control has a unique identifier on a window: the Control ID
Deployment – Console – Application Definition – Windows
• Normal matching of Windows applications
– The .exe file, the source that runs an application
– The window title, which is used to distinguish between different windows inside the same application
– Control IDs
• Advanced matching of Windows applications (Field Matching)
– Used to distinguish between multiple windows with the same title opened from the same executable file
– See Eudora and Lotus Notes, which are pre-defined
• Notes
– Matching will not work with Java applications and .NET applications
Deployment – Console – Application Definition – Windows
• Using Send-Keys
• MPM cannot detect controls on some windows
– Developed using non-standard Windows controls
– Developed using proprietary third-party Windows controls
– .NET and Java Applications
• Administrators can write SendKey functions for such applications
• Specify shortcut keys to get focus on required input fields
– Username, Password, Other fields, Logon button
• Use Hotkeys to increase reliability
• Alt-U, Alt-P, Alt-O
• STEPS: MPMAG-p.45-50
Deployment – Console – Application Definition – Web
• Configured for
– Pop-up dialogs
– Forms
• The URL can be defined to the appropriate level by the admin
– http://salesforce.com, or
– http://marketing.citrix.com
• Support for logon to many popular web sites/applications without configuration
Deployment – Console – Application Definition – Web
• Normal matching of Web applications
– URL
– Layout of the fields in a form
• Matching these characteristics with the admin configured template
• Advanced matching of Web applications (Field Matching)
– Inspects other aspects of the HTML as defined in template
• HTML attributes
• Text within the page
• HTML itself
– All searches define a search scope
Deployment – Console – Application Definition – Host
• MetaFrame Password Manager supports single sign-on to mainframe applications through terminal emulators
– Emulators following HLLAPI (High Level Language API) standard
– 3270
– 5250
• What is HLLAPI?
– High Level Language Application Program Interface, an IBM API standard that allows a PC application to communicate with a host computer such as an IBM iSeries or zSeries host
– HLLAPI requires PC emulation software and then defines a set of APIs that allow other PC applications to interface with the emulation software
• Supported Emulators
– Rumba6, Attachmate myExtra!, Extra! 6.3, 6.4, 6.5, 2000 and 7.1
– Reflection 7, 8, 9 and 10, PCOM
– HostOnDemand 4.0, Glink, Aviva, ViewNow, ZephyrPC, ZephyrWeb
– BOSaNOVA, HostExplorer 6 and 8
Deployment – Console – Application Definition – Host
• Normal matching of host applications
– Text
– Row
– Column
• Configure position for different functions
Deployment – Console – First Time Use List (Bulk Add)
• Administrators configure applications presented to end users when the Agent is launched for the first time
• Allows end users to enter their secondary credentials during first time use of the agent
• Benefit
– End users only have to go through configuration of secondary credentials once
Deployment – Console – Configuration – Password Generation Policies
• Administrator can set policies that constrain automatic password generation
• Password Policies control
– Password size
– Types of characters allowed
– Etc.
• Helps administrator enforce tighter security
– Complex passwords
– More frequent password changes
– Less password sharing across users
• Must be more restrictive than native application Password Policies
– Else, password changes may fail
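An added example (not Citrix code) of what the policy constraints above and the Strong Password Policies feature mean in practice: a generator that honours size, character-class and repeat settings, and a check that the generating policy is at least as restrictive as the application's own rules, the condition the last bullet says must hold or password changes fail. The PasswordPolicy fields, their names and the sample policies are this example's own.

```python
# Added example (not Citrix code): a password generator constrained by a
# policy (size, character classes, repeat limit) plus a check that the
# generating policy is at least as restrictive as the application's native
# policy; if it is not, a generated password can be rejected by the
# application and the automated change fails. Field names are this example's own.
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    max_repeat: int = 0            # 0 = no limit; n = a character may appear at most n times
    special_chars: str = "!@#$%^&*"

    def alphabet(self):
        return string.ascii_letters + string.digits + self.special_chars

    def violations(self, pw):
        """Return the names of the rules the password breaks (empty = compliant)."""
        problems = []
        if not self.min_length <= len(pw) <= self.max_length:
            problems.append("length")
        if sum(c.isupper() for c in pw) < self.min_upper:
            problems.append("upper")
        if sum(c.islower() for c in pw) < self.min_lower:
            problems.append("lower")
        if sum(c.isdigit() for c in pw) < self.min_digits:
            problems.append("digits")
        if sum(c in self.special_chars for c in pw) < self.min_special:
            problems.append("special")
        if any(c not in self.alphabet() for c in pw):
            problems.append("forbidden character")
        if self.max_repeat and pw and max(pw.count(c) for c in set(pw)) > self.max_repeat:
            problems.append("repeat")
        return problems

    def complies(self, pw):
        return not self.violations(pw)

    def is_at_least_as_strict_as(self, other):
        """True when every password this policy can generate also satisfies
        `other` (the application's native policy)."""
        repeat_ok = other.max_repeat == 0 or (
            self.max_repeat != 0 and self.max_repeat <= other.max_repeat)
        return (self.min_length >= other.min_length
                and self.max_length <= other.max_length
                and self.min_upper >= other.min_upper
                and self.min_lower >= other.min_lower
                and self.min_digits >= other.min_digits
                and self.min_special >= other.min_special
                and set(self.special_chars) <= set(other.special_chars)
                and repeat_ok)


def generate_password(policy, attempts=1000):
    """Generate a password satisfying `policy`: draw the required characters
    from each class, pad from the full alphabet, shuffle with a CSPRNG, and
    retry if the repeat limit is exceeded."""
    rng = secrets.SystemRandom()
    required = policy.min_upper + policy.min_lower + policy.min_digits + policy.min_special
    if required > policy.max_length:
        raise ValueError("policy requires more characters than max_length allows")
    for _ in range(attempts):
        chars = ([rng.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
                 + [rng.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
                 + [rng.choice(string.digits) for _ in range(policy.min_digits)]
                 + [rng.choice(policy.special_chars) for _ in range(policy.min_special)])
        length = rng.randint(max(policy.min_length, required), policy.max_length)
        chars += [rng.choice(policy.alphabet()) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        pw = "".join(chars)
        if policy.complies(pw):
            return pw
    raise ValueError("could not satisfy policy (repeat limit too tight?)")


# Constructed policies: the MPM generation policy against two applications' native rules.
MPM_POLICY = PasswordPolicy(12, 12, min_upper=1, min_lower=1, min_digits=1,
                            min_special=1, max_repeat=2)
APP_POLICY = PasswordPolicy(8, 16, min_digits=1)              # looser than MPM_POLICY: safe
STRICT_APP_POLICY = PasswordPolicy(14, 16, min_digits=2)      # stricter: changes would fail

if __name__ == "__main__":
    pw = generate_password(MPM_POLICY)
    print(pw, MPM_POLICY.complies(pw), APP_POLICY.complies(pw))
    print("safe for APP_POLICY:", MPM_POLICY.is_at_least_as_strict_as(APP_POLICY))
    print("safe for STRICT_APP_POLICY:", MPM_POLICY.is_at_least_as_strict_as(STRICT_APP_POLICY))
```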
Deployment – Console – Configuration – Password Sharing Groups
• Applications sharing the same credentials can be grouped together
• Single backend authentication system across multiple applications – single set of credentials
– Example – Multiple web applications require credentials from same DOMAIN
• Third-party password synchronization set up between different authentication systems, ensuring the same credentials across them
Deployment – Console – Agent Settings
• Administrator configures Agent functionality available to end users
• Examples
– Allow Refresh
– Clean up Local Credential Store on shutdown
– Etc.
• Benefit
– More administrative control
– All settings stored centrally and can be changed anytime
Deployment – Console – Agent Settings
• Timer after which end users have to re-authenticate to the Agent
• Administratively controlled setting
• Administrator can force reauthentication when users access certain applications
• Helps administrators build tighter security
– End users may forget to log off or lock the system
• End users still need to remember only one set of credentials
• Not compatible with strong authenticators that use a hidden password
Deployment – Console – Configuration – Saving
• Read this slide 5 times (this is very important)
• Components:
– Agent – Reads configuration from the Sync folder
– Console – Stores configuration in the Sync folder
• The easiest way to work with the console is:
– When you save your configuration from the console using File | Save, this saves your configuration as an XML file
• This does NOT store the information in the Sync folder
– Always use the XML file to configure Password Manager
• Save a copy in a centralized area available to MPM administrators
Deployment – Console – Saving Configurations
• File Share
– Connect to File Share Central Credential Store
– Read existing configuration
– Make changes to configuration (as described earlier)
– Save configuration back to the Credential Store
• Active Directory
– Connect to Active Directory
– Read existing configuration
– Make changes to configuration
– Save configuration back to any container (OU or user) in Active Directory
• Allows different settings for different users
Deployment – Agent – Deploying
• Create a new Custom MSI file using the Console
• Configure the address of Central Credential Store (Synchronizer)
• Optionally, add other settings, application definitions, etc. to custom MSI
• Use MSI deployment tools to install the Agent
– Active Directory
– Third party tools
– Installation Manager for deployments on MetaFrame XP Presentation Server Enterprise Edition
Advanced Concepts – Security – Components
• Authentication
– Support for strong authentication
– No need for additional authentication servers
• Encryption
– Credentials stored securely
– Support for standard 3DES encryption
• Shell
– Link to all other MPM components
• Intelligent Agent Response
– No scripts or connectors or changes to applications
– Automatically detects logon and password change events
• Credential Synchronization
– Centralized management
– Integration with existing infrastructure (AD and File System)
Advanced Concepts – Security – Components
• Components
– Authentication
• Authenticator
• Authentication Services
• Authentication API
– Encryption
• Crypto API
• Primary Authentication Key
– Shell
• Local Credential Store
• Credential Manager
• First-Time Use
– Intelligent Agent Response
• Access Manager
– Credential Synchronization
• Record Level Sync
• File Level Sync
• Sync API
Advanced Concepts – Security – Components – Authentication
• Components
– Authenticator
• Provides credentials to Authentication Services
• Windows Authenticator provided
– Authentication Services
• Validates credentials provided by Authenticator against system authentication services such as Windows Domain
• Passes validation results to Authenticator API
– Authenticator API
Advanced Concepts – Security – Components – Authentication
[Diagram: Authentication components – Re-authentication; Ships with Windows Authenticator; Validates credentials using existing systems]
Advanced Concepts – Security – Components – Encryption
• Components
– Crypto API
• Confirms user authentication with Authenticator API
• Generates a unique primary authentication key (and new passwords)
• Uses Primary Authentication Key to decrypt individual credentials
– Primary Authentication Key
• Unlocked upon successful end-user authentication
• Created based on random number generator using MS CAPI
• Self-encrypted using 3-DES
• Encrypted once with Windows Password and once with User Question Info
Advanced Concepts – Security – Components – Encryption
• Definitions:
– Symmetric Encryption (Same key used to encrypt and decrypt data)
– Cryptographic Service Provider (CSP)
– MS CAPI
– 3-DES (Secret-key crypto algorithm: DES with 56-bit keys, used three times)
• Related Info
– MS CAPI
• Generates Primary Authentication key and New Passwords
• Uses RSA Cryptographic Service Provider (CSP)
– User Question
• Prevents someone from resetting a password and then gaining access to credentials that do not belong to them
– Credential Data
• Username, password, 3rd and 4th field are encrypted
Advanced Concepts – Security – Components – Shell
• Components
– Local Credential Store
• Encrypted in a memory-mapped file (MMF) in binary format
• Encrypted records for each set of end-user credentials, settings and advanced configuration information
– Credential Manager
• Interacts with Authentication API, Crypto API, Access Manager and Synchronization API
– First-Time Use
Advanced Concepts – Security – Components – Shell
• Function
– Receives user validation from Authenticator API
– Encrypts and decrypts data in the local credential store
Advanced Concepts – Security – Components – Shell
[Diagram: Shell – Intelligent Agent Response, Authenticator API, First-time use]
Advanced Concepts – Security – Components – Intelligent Agent Response
• Components
– Access Manager
• Interface between Credential Manager and Application Response Component
• Web browser SSO Helper Object (SSOBHO.exe)
• Windows Hook Component (SSOShell.exe)
• Mainframe Helper Object (SSOMHO.exe)
• Function
– Event driven architecture that remains dormant until a credential request is made by application
– Uses system-level approach
• Related Information
Advanced Concepts – Security – Components – Intelligent Agent Response
[Diagram: Shell – Windows Hook – Web Applications, Windows Applications, Host-based Applications]
Advanced Concepts – Security – Components – Credential Store
• Function
– Syncs FTU settings, application configurations and admin override
• Components
– Record-level synchronization
• Allows access from multiple locations at the same time
– File-level synchronization
• Determines latest credential file
– Synchronization API
• Used to read and write data to sync area (Share folder or AD)
– Unique Identifier List (UID List)
Advanced Concepts – Security – Components – Credential Synchronization
• Keeps local and central credential stores in sync
• Latest version of the store overwrites settings
– All changes have time-stamps
– Similar to MS Profile
• Allows administrator to push application configuration and agent settings to end users
• Always initiated by the Agent based on administrative configuration
• Administrator controls frequency of synchronization
• “Aggressive Sync” mode - Synchronization occurs whenever user performs an action that should use most current credentials or settings
– Example – a new application launch, etc.
Advanced Concepts – Security – Components – Credential Synchronization
[Diagram: Local Credential Storage synchronizing with Microsoft Active Directory (Domain, OUs) or a File server]
Benefits
• Enables mobility for end users
• Eases deployment of application configurations and settings
• Centralizes
Advanced Concepts – Security – Components – Credential Synchronization
[Diagram: (1) Annie User, June 5, 2003, 9:14 AM – Password XLB639, New Password MAL929; Local Credential Store (Encrypted), Central Credential Store (Encrypted). (2) Annie User, June 6, 2003, 6:43 AM – Password MAL929 (New Password) synchronizes with Central Credential Store]
Advanced Concepts – Agent Synchronization Workflow
• Automatically launched when a user logs on
• Gets the user’s credentials from the GINA
• Uses password to decrypt data in Local and Central Credential Stores
• Synchronizes Local or Central Credential Stores with more recent settings
– File Share
• Synchronizes Local Credential Store with global folders
• ENTLIST – Application configuration, password policies
• ADMINOVERRIDE – Agent settings
• FTU – User questions and Bulk add applications
• Updates People folder on network share
– Active Directory
• Starts by looking for the configured settings in the User object
• Walks up the OU tree until first container with configured settings is found
• Synchronizes Active Directory with Local Credential Store
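The time-stamp rule described under Credential Synchronization and the workflow above, as an added example that is not part of the deck or Citrix's code: a record-level sync in which the newer copy of each record overwrites the older, run through the slide's Annie User scenario and through a same-record conflict. Store layout, field names and the sample records are constructed; the secret values are stand-in strings.

```python
# Added example (not Citrix code): record-level, time-stamp-based
# synchronization between the Agent's local credential store and the central
# store, following the slides' rule that the newest version wins. Store
# layout, field names and the two-day scenario are constructed; values are
# stand-in strings (the product keeps credentials 3DES-encrypted at rest).
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Record:
    name: str           # application definition or setting this record belongs to
    value: str          # encrypted credential or setting blob (stand-in string here)
    modified: datetime  # time-stamp of the last change


def synchronize(local, central):
    """Bring two dict[name -> Record] stores into agreement one record at a
    time: a record missing on one side is copied over, otherwise the newer
    time-stamp overwrites the older; equal stamps are left alone.
    Returns the list of (name, direction) transfers performed, in name order."""
    transfers = []
    for name in sorted(set(local) | set(central)):
        mine, theirs = local.get(name), central.get(name)
        if theirs is None or (mine is not None and mine.modified > theirs.modified):
            central[name] = mine
            transfers.append((name, "local->central"))
        elif mine is None or theirs.modified > mine.modified:
            local[name] = theirs
            transfers.append((name, "central->local"))
    return transfers


def annie_scenario():
    """The slide's example: Annie's CRM password changes while the agent is
    in mobile mode on June 5; the central store catches up on June 6. An
    administrator-pushed agent setting travels the other way in the same sync."""
    baseline = datetime(2003, 6, 1, 8, 0)
    local = {"CRM": Record("CRM", "XLB639", baseline)}
    central = {
        "CRM": Record("CRM", "XLB639", baseline),
        # Constructed: admin changed an agent setting centrally after Annie went offline.
        "ADMINOVERRIDE": Record("ADMINOVERRIDE", "allow_refresh=0", datetime(2003, 6, 5, 12, 0)),
    }
    # 1. June 5, 9:14 AM: automated password change CRM XLB639 -> MAL929, local store only.
    local["CRM"] = Record("CRM", "MAL929", datetime(2003, 6, 5, 9, 14))
    # 2. June 6, 6:43 AM: agent reconnects and synchronizes with the central store.
    transfers = synchronize(local, central)
    return local, central, transfers


def conflict_scenario():
    """Constructed failure mode: the same credential changed on two machines.
    Under 'latest overwrites', the newer central copy replaces the older local one."""
    local = {"CRM": Record("CRM", "LAPTOP1", datetime(2003, 6, 5, 9, 14))}
    central = {"CRM": Record("CRM", "DESKTOP2", datetime(2003, 6, 5, 10, 30))}
    transfers = synchronize(local, central)
    return local["CRM"].value, central["CRM"].value, transfers


if __name__ == "__main__":
    local, central, transfers = annie_scenario()
    print("after sync, central CRM =", central["CRM"].value, "; transfers:", transfers)
    print("conflict resolution:", conflict_scenario())
```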
Advanced Concepts – Agent Configuration Files
• APPLIST.INI
– Stores pre-configured, password-protected application definitions installed with the agent
• ENTLIST.INI
– Stores all application definitions configured by the administrator
– Synchronized from Central Credential Store
• AELIST.INI
– Merged version of APPLIST.INI and ENTLIST.INI
– Stores all application definitions to be used by the agent
• FTULIST.INI
– Defines users’ first-time-use experience
– Installed when the agent is installed
Advanced Concepts – Agent Event Logging
• Password Manager Agent logs all SSO events to the Windows Event Log:
– Credential use
– Credential changes
– Global credential events
– MetaFrame Password Manager events
– MetaFrame Password Manager feature use
Advanced Concepts – Credential Store – File share
• Select a File Server accessible to the Agents
• Run CTXFILESYNCPREP.EXE utility on the File Server from a command prompt
• Creates a shared folder on the server – CitrixSync$
• Creates the required folders
– People – stores settings for each user in individual folders
• Used for
– ENTLIST – stores all application configuration, password policies and password sharing groups
– ADMINOVERRIDE – stores all Agent settings configured by administrators
– FTU – stores all User questions and Bulk add applications for first time use of the Agent
– SYNCSTATE – stores timestamp of the last change to global settings
• Sets required security permissions
– Only Authenticated users can access the network share
– No user can access each other’s credential files in the People folder
Advanced Concepts – Credential Store – Active Directory
• A member of Schema Admin group needs to log on to a machine that resides in the Active Directory
– Ensure Schema Master Role is configured to allow schema updates
• Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt
– Extends the schema of Active Directory
– Adds three new classes
• Citrix-SSOConfig – contains data for all administrative configurations
• Update frequency – only when administrator makes configuration changes
• Citrix-SSOLicenseClass – contains license information
• Update frequency – Rarely (when license is added, removed)
• Citrix-SSOSecret – contains secret data used to authenticate a user of Citrix MetaFrame Password Manager
• Update frequency – only when a user stores new credentials for SSO
• Run CTXDOMAINPREP.EXE from a command prompt
– Updates permissions of the specified container
Advanced Concepts – GINA
• Password Manager implements a “stub” GINA.
– Does not implement its own replacement user interface or authentication mechanism
– But passes through to the underlying GINA (which itself may be the standard Microsoft GINA or a replacement GINA)
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
– HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFramePasswordManager\Shell\OrigGinaDLL
• msgina.dll
• Allows integration with other authentication systems that implement GINA chaining
Advanced Concepts – Individual Agent Setting
• Default installation on MetaFrame XP Presentation Server
– Runs agents for all sessions
• To disable agent from starting automatically
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
• To enable agent for specific applications
– Use SSOLAUNCHER.EXE when publishing application to start agent for an individual application
Licensing – Pricing
Suggested Retail Price
Starter Packs*
– 20 Named User Licenses: $1,780
– 20 Concurrent Connected User (CCU) Licenses: $3,580
Bump Packs (5, 10, 20, 50, 100 packs)*
– Per Named User: $89
– Per CCU: $179
Subscription Advantage Renewal
– Per Named User: $12
– Per CCU: $24
*Includes 1 year Subscription Advantage
Citrix is the only company in the market that sells a single sign-on solution with CCU licensing
Licensing – Options
• Named-user is equivalent to primary logon ID (best practices as per Macrovision)
• Named-user license is a dedicated license
• CCU license is a shareable license
– Higher value for customers that can benefit from concurrency, e.g.:
• shift workers sharing a single PC (local and/or MetaFrame-deployed apps)
• global organizations (“follow-the-sun”)
• pure MF environments (concurrency ratio above 2:1)
• Disconnected (mobile) users require a named user license
Licensing – Price Advantages of CCU Licensing
MetaFrame Password Manager Concurrent Connected User – SRP $179
Concurrency Ratios
– 3:1 ($179/3): $60
– 5:1 ($179/5): $36
– 10:1 ($179/10): $18
What is the Concurrency ratio in your environment?
Licensing – Which licenses should I buy?
Scenario – Type of License Required
User accesses password-protected applications located on…
– MetaFrame Presentation Server only – Concurrent connected user (CCU)
– Desktop only – Named user
– Desktop and MetaFrame Presentation Server – Named user
Mobile (disconnected) workers – Named user
Browser installed on local desktop – Named user
Browser is published application on MetaFrame Presentation Server
Target Client – Who is the target customer?
• Existing Citrix customer
– Loyal
– Appreciates CCU pricing advantages
• Microsoft shop
– Windows authentication (NT Domains or Active Directory)
– Desktop OS ≥ Windows 2000/NT (i.e. not Win9x)
Sales Tools – On MyCitrix
Now Available
• Product Overview Brochure
• Presentations
– Customer
– Partner Training
• ROI White Paper
• ACE Cost Analyzer – Password Manager Module
• Autodemo
• FAQs
Sales Tools – Training
Course Title – Availability Date – Cost
– Security Fundamentals (CTX-1400AW) – Today – $40
– Selling and Positioning Citrix MetaFrame Password Manager (CTX-1322AW) – Today – $100
– Admin Instructor-Led Training (CTX-1321AI) – 16 Oct. 2003 – $500
– Introduction to Citrix MetaFrame Password Manager (CTX-1320AW) – Nov. 2003 – $100
eLearning courses available on
Why Sell MPM? – Expanded Business Opportunities
• A Great Combination
– New product and services opportunities
– Leverage existing MetaFrame Presentation Server customers
– Leverage your existing skill set
– Great application intersection
– Mutual product pull-through
• Open New Doors – Broadens Penetration
– Important for single point of access
Why Sell MPM? – Services Revenue Opportunities
• Provide Infrastructure assessments!
– Collect critical initial deployment info
– Enumerate savings
• Provide Implementation Services
– Proof of Concepts
– Scoping - applications, users, directory setup
– Configuration – app templates, agent config, policies, directory integration
– Deployment – agent setup, user training, help desk prep
– Feedback – ROI validation, references, deployment expansion
• Provide integration with other security products
Why Sell MPM? – What’s the real opportunity?
• Engage existing MetaFrame Presentation Server customers
• Leverage existing expertise deploying MetaFrame Presentation Server
• Provides value-add service opportunity
Summary – MetaFrame Password Manager
• Simplifies end-user computing
– Enterprise Single Sign-On (SSO) for Windows, Web, proprietary, and host-based applications
• Reduces help desk costs
– Centrally manage and automate password-related events, including password generation & changes
• Increases network security
– Stricter password policies
– More frequent and automated password changes