Cisco Adaptive Security Appliances and Citrix NetScaler Gateway citrix.com

Cisco Adaptive Security

Appliances and Citrix

Contents

What You Will Learn ...3

Cisco ASA SSL VPN ...4

Citrix NetScaler Gateway ...5

Citrix HDX SmartAccess ...6

Citrix HDX Insight...6

Combining Cisco ASA and Citrix NetScaler Gateway ...7

Why Combine? ...8

Use Case: Cisco AnyConnect and Cisco ASA with Citrix NetScaler Gateway and Citrix HDX SmartAccess ...9

Typical Security Policy Example ...9

Cisco ASA Policy Configuration ...10

Citrix NertScaler Gateway Configuration ... 11

Summary ...13

Use Case: Cisco WebVPN (Clientless) and Cisco ASA with Citrix NetScaler Gateway and Citrix HDX SmartAccess ... 14

Typical Security Policy Example for Clientless Access ... 14

Summary ...15

What You Will Learn

Cisco® Adaptive Security Appliances (ASA) SSL and IP Security (IPsec) Edition and Citrix NetScaler Gateway are two popular secure remote-access solutions. Cisco ASA provides market-leading IPsec and SSL VPN, site-to-site VPN, and remote-access VPN technologies with Cisco AnyConnect® Secure Mobility Client and Cisco WebVPN (clientless), all within a single appliance. Citrix NetScaler Gateway is a market-leading, secure application and data-access solution that provides administrators with detailed application- and data-level control while empowering users with remote access from anywhere. Citrix NetScaler Gateway provides the best secure application and data access for Citrix XenApp, XenDesktop, and XenMobile.

Together, Cisco and Citrix provide enhanced value for enterprises. This value is achieved by deploying Cisco ASA and Citrix NetScaler Gateway so that the strengths of each are paramount:

• Deploy Cisco ASA at the Internet edge to terminate secure remote sessions for both Cisco AnyConnect client and Cisco WebVPN (clientless) users.

• Deploy Citrix NetScaler Gateway to provide detailed policy enforcement using Citrix HDX SmartAccess and to provide insight into application traffic for Citrix XenApp and XenDesktop resources.

Such a combined deployment of the two products could be:

• Parallel to each other, on the Internet edge, with Citrix NetScaler Gateway terminating all the Citrix traffic, and Cisco ASA terminating all the non-Citrix traffic • Inline, with Cisco ASA terminating all traffic, and delegating Citrix traffic to Citrix

NetScaler Gateway

This document focuses on the inline deployment model, which provides a single point of termination for all traffic. Citrix and Cisco tested the following two joint use cases for such a deployment (Figure 1):

• Cisco AnyConnect and Cisco ASA with Citrix NetScaler Gateway • Cisco WebVPN and Cisco ASA with Citrix NetScaler Gateway

Cisco Any Connect

Citrix Receiver

Cisco ASA

550-X NetScaler GatewayCitrix

Citrix Web Interface and StoreFront Citrix NetScaler ADC Citrix XenApp and XenDesktop

By deploying both Cisco ASA and Citrix NetScaler Gateway in your network, you provide secure remote access not only to your traditional resources, but also to your Citrix XenApp and XenDesktop resources. The actual use cases presented in this document demonstrate the enhanced value of a joint deployment and the way that Cisco and Citrix working together can enhance your secure remote-access solution.

Virtualization technologies such as market-leading Citrix XenApp and XenDesktop have experienced tremendous growth as enterprises look for a solution to address a growing and diverse user community with multiple devices seeking anytime and anywhere access. Many enterprises are now implementing desktop virtualization solutions to reduce the capital expenditures (CapEx) needed to both provide their employees with company-owned devices and implement a bring-your-own-device (BYOD) strategy, at the same time taking advantage of the inherent security controls that virtual desktops and applications offer.

Cisco and Citrix are partners and share a common goal of enabling a secure mobile workforce. As partners, the two companies are working to integrate Cisco ASA, Cisco AnyConnect Secure Mobility Client, and Cisco Identity Services Engine (ISE) with Citrix Worx, Receiver, NetScaler Gateway, and XenMobile.

Cisco, with Cisco ASA, and Citrix, with the Citrix NetScaler Gateway, offer a combined best solution by complementing each other’s strengths to enhance the value offered. This combined solution is primarily designed for enterprises with existing Citrix XenApp and XenDesktop deployments and existing Cisco ASA full VPN deployments for remote access to other company resources. The joint solution with Citrix NetScaler Gateway demonstrates the use of Citrix’s detailed policy access mechanisms and Citrix HDX traffic insight in parallel with Cisco ASA. This document also provides an overview of the current respective solutions and demonstrates how the respective solutions currently work together today. This document gives security engineers and administrators an overview of the configuration and best practices for the combined solutions. Basic working knowledge of Cisco ASA and clientless and Cisco AnyConnect SSL VPNs and familiarity with Citrix NetScaler Gateway, XenApp, and XenDesktop are assumed. After reading this document, you should have a good understanding of the components involved in the solution and will be well equipped to review other detailed collateral.

Cisco ASA SSL VPN

It offers:

• Deployment flexibility: The solution extends the appropriate remote-access VPN

technology, either clientless or full network (SSL and Transport Layer Security [TLS], Datagram TLS [DTLS], or IPsec Internet Key Exchange Versions 1 and 2 [IKEv1 and v2]) access, on a per-session basis, depending on the user group or endpoint accessing the network, the security posture, and administrative policies.

• Comprehensive network access: Broad application and network resource access

is provided through Cisco AnyConnect Secure Mobility Client, an automatically downloadable network-tunneling client that enables access to almost any company application or resource.

• Ubiquitous clientless access: The solution delivers secure remote access to

authenticated users on both managed and unmanaged endpoints, enabling increased productivity by providing “anytime access” to the network.

• Detailed control: The solution empowers network and IT managers to provide and

monitor controlled access to company resources and applications.

• Transparent connectivity: The Cisco AnyConnect Secure Mobility Client

automatically connects or disconnects a user session based on the user’s location and network availability, providing a transparent secure connectivity experience to the roaming worker, who gains increased productivity and flexibility.

• Optimized performance: The Cisco AnyConnect Secure Mobility Client provides an

optimized VPN connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic and TCP-based application access. The Cisco AnyConnect client can automatically determine and establish connectivity to the optimal network access point.

• Consistent security: The solution enables highly scalable secure mobility protection

by extending location-aware security policies to every transaction when the Cisco AnyConnect Secure Mobility Client is used with integrated web security. The user’s location and the nature of the company resources accessed (for instance, an enterprise or in-house application, or a software-as-a-service [SaaS] application) define the level of acceptable-use policies, malware protection, and data security policies. The Cisco AnyConnect client is optimized for use with the Cisco IronPort® Web Security appliance and the cloud-based Cisco ScanSafe Web Security service. Both deployment options include Cisco’s industry-leading use-policy enforcement and protection for enterprise resources from both known and zero-day malware.

Citrix NetScaler Gateway

Citrix NetScaler Gateway provides the best secure application and data access for Citrix XenApp, XenDesktop, and XenMobile. It also provides several modes of access to help provide the best security:

• ICAProxy (secure proxy for Citrix Independent Computing Architecture [ICA; Citrix HDX] traffic only): This mode is used for transparent and secure access to

Citrix XenApp and XenDesktop published virtual applications and desktops. In this mode, no Citrix NetScaler Gateway client is required, and all resources are accessed through the browser or using Citrix Receiver. Citrix NetScaler Gateway also provides Citrix HDX SmartAccess capabilities, which provides highly detailed control of application and desktop access on the endpoint.

• CVPN (clientless VPN access over the browser): This mode provides access to

internal websites and file shares over a browser, and hence it does not require any client installation. This mode provides increased security as well as transparent access from anywhere.

• SSL VPN (full tunnel access for a devicewide VPN): This mode creates a

devicewide VPN and virtually connects the incoming device to the company network. This mode provides complete access to all internal resources.

• Micro VPN (application-specific access through micro-VPN tunnels): This mode

is designed for mobile platforms as part of Citrix’s mobility solutions (Citrix XenMobile). Instead of providing a device-level VPN (because BYOD devices may or may not be trusted), this mode provides application-level tunnels, helping ensure the capability of specific applications, as approved by the administrator, to tunnel back into the enterprise.

Citrix HDX SmartAccess

Citrix HDX SmartAccess is a Citrix XenApp and XenDesktop technology that works in collaboration with Citrix NetScaler Gateway. The concept is simple: use Citrix NetScaler Gateway’s assessment of end-device posture to guide the application and desktop capabilities for complete end-to-end security and to eliminate data leakage. This approach permits the use of preauthentication and postauthentication checks as conditions for access to published resources, along with other factors. These additional factors include anything you can control with a Citrix XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard access, client audio access, and client printer mapping.

Any Citrix XenApp or XenDesktop policy can be applied on the basis of whether or not the user passes a Citrix NetScaler Gateway check. For example, a valid user on an endpoint that is company issued (as governed by a Citrix NetScaler Gateway endpoint scan) can be allowed an unlimited ICA session. However, the same user on an untrusted endpoint (lack of some evidence for trust in a search by a Citrix NetScaler Gateway endpoint scan) may be allowed only a circumscribed or highly controlled ICA session, with client drive mapping disabled, clipboard access disabled, etc.

Citrix HDX Insight

Visibility is a critical requirement for all enterprise deployments today, and in virtualization scenarios it is essential for remote-access use cases. Citrix HDX Insight is a Citrix

for user-access scenarios providing visibility across all layers. It also provides insight for troubleshooting use cases in which user access is slow and the reason may be latency on the client side of the network or a problem in a component in the data center. It can break down the latency metrics into multiple parts, showing every individual path of the access network. It also can help plot jitter, which can help explain a sudden problem in a user session. Citrix HDX Insight provides all this information across every application the user has accessed, enabling you to identify application-level problems. It can also provide cumulative information across applications and users, which makes it even more useful for troubleshooting use cases.

Citrix HDX SmartAccess and HDX Insight are especially useful for Citrix XenApp and XenDesktop administrators and should be deployed in all Citrix use cases, along with Citrix NetScaler Gateway.

Combining Cisco ASA and Citrix NetScaler Gateway

As mentioned earlier, Cisco ASA and Citrix NetScaler Gateway have both similarities and independent strengths when deployed for secure remote access. By combining the two products, tremendous value is offered (Table 1).

Table 1. Strengths of Cisco ASA and Citrix NetScaler Gateway

Cisco Strengths Citrix Strengths

Cisco is a market leader in networking and security, with an extremely large installed base of Cisco ASA, Cisco AnyConnect clients, and Cisco WebVPN deployments.

Citrix is a market leader in application and desktop virtualization, with world-class products including Citrix XenApp and XenDesktop.

The Cisco ASA 5500 Series provides IPsec and SSL remote-access VPN, site-to-site VPN, firewall, web security, and intrusion protection system (IPS) capabilities in one appliance.

Citrix NetScaler is the industry’s most advanced cloud network platform. It enables the data center network to become an end-to-end service delivery fabric to optimize the delivery of all web applications, cloud-based services, virtual desktops, enterprise business applications, and mobile services.

VPN features are easy to configure with the user-friendly and intuitive Cisco Adaptive Security Device Manager (ASDM), a simple GUI-based configuration tool.

Cisco now recommends that enterprises purchase Citrix NetScaler for application load balancing. In fact, Citrix NetScaler is now embedded in Cisco Nexus® switches. Appliances support up to 10,000 concurrent

SSL VPN or IPsec VPN user sessions per appliance. Multiple appliances can be clustered together in either active-active or active-standby configurations to increase capacity. Load balancing is integrated into the appliances as well.

Citrix NetScaler Gateway provides the best secure application and data access for Citrix XenApp, XenDesktop, and XenMobile.

The Cisco AnyConnect Secure Mobility Client modular approach enables enterprises to add modules that provide IEEE 802.1x, web security, server load balancing, and posture if they want.

Citrix NetScaler Gateway’s HDX SmartAccess capabilities provide an excellent solution for providing strong data security while empowering users to work from anywhere. Citrix’s

Why Combine?

Enterprises often have multiple needs to address when providing secure remote access: • VPN access from trusted devices

• Citrix HDX access from semitrusted devices

• Highly controlled Citrix HDX access from untrusted devices

Cisco ASA is an excellent solution for accessing enterprise resources in the company network, and it provides outstanding security controls to manage this access. Cisco ASA provides both SSL and IPsec VPN offerings on the same appliance and scales well for enterprise needs.

Citrix NetScaler Gateway is an excellent solution for accessing Citrix HDX resources running in Citrix XenApp and XenDesktop farms. Citrix NetScaler Gateway provides the best integration with these resources and offers extremely detailed policy controls to fine-tune the kind of session that end users can access based on user identity and as endpoint posture. Additionally, Citrix NetScaler Gateway can parse ICA traffic, providing insightful information to administrators.

To implement these two distinct back-end resources through these two distinct gateway devices, the following options are available:

• Run both gateways in parallel, with end users accessing these gateways for the respective resources that the gateways control. For example, select Cisco ASA for VPN access to file shares, Microsoft Exchange Server, and Microsoft SharePoint. At the same time, select Citrix NetScaler Gateway to access Citrix HDX resources.

• Create a single gateway for access. Citrix NetScaler Gateway provides excellent value for Citrix XenApp and XenDesktop access, so you can use it to control access to these farms. Cisco ASA can be used as the single gateway to accept all traffic. Policies can be set up to make sure that all Citrix HDX traffic coming to the Cisco ASA device is routed to Citrix NetScaler Gateway.

The second option, a single gateway, provides some advantages:

• The use of a single gateway from the end-user’s perspective simplifies end-user access. • Cisco ASA continues to provide transparent access to all company resources.

• Citrix NetScaler Gateway helps ensure flawless and secure access to Citrix HDX resources.

• As Citrix products on the back end evolve, so does Citrix NetScaler Gateway. Putting Citrix NetScaler Gateway in front of all Citrix HDX resources helps ensure that that the solution will continue to work as the back-end evolves.

• Citrix NetScaler Gateway offers Citrix HDX SmartAccess, with detailed policy controls to tune Citrix HDX sessions based on user identity and endpoint posture.

Use Case: Cisco AnyConnect and Cisco ASA with Citrix NetScaler Gateway and Citrix HDX SmartAccess

This use case (Figure 2) incorporates both the Cisco ASA SSL VPN Edition and the Citrix NetScaler Gateway to provide comprehensive end-to-end secure remote access to company resources with a focus on access to a Citrix back end (Citrix XenDesktop and XenApp). Cisco ASA 550-X Citrix NetScaler Gateway One-Arm Citrix XenDesktop Citrix Web Interface and StoreFront Citrix XenApp

Figure 2. Citrix Web Interface and StoreFront

The role of the Cisco ASA is to provide SSL VPN access to the company network for all devices, including mobile devices, using both the Cisco AnyConnect Secure Mobility Client and Cisco WebVPN (clientless) after first assessing the posture of the connecting device and assigning the user to the appropriate dynamic access policy, through which the final attributes are assigned to the user’s session.

The Citrix NetScaler Gateway in this use case protects the Citrix back end and is configured to work with Citrix StoreFront, which is the successor to Citrix Web Interface and provides much more flexibility to end users with a self-service approach that allows users to choose the applications they see on the Citrix Receiver screen in subsequent connections. The Citrix NetScaler Gateway also assesses the posture of the user with Citrix Endpoint Analysis.

Typical Security Policy Example

Only remote company-owned and company-controlled assets are granted full network access using the Cisco AnyConnect client. Required checks for identifying company devices are:

• Process check • File check • Registry check

• Check for presence of Microsoft firewall • Check for presence of antivirus software

• Check for failure of any of the checks listed for company devices • Check for presence of any firewall

• Check for presence of any antivirus software

The solution presented here builds on the company and noncompany device security policies to implement two dynamic access policies on the Cisco ASA to control access: • Tier-1 company owned: Cisco AnyConnect access without any restrictions

• Tier-2 noncompany owned: Portal and restricted Cisco AnyConnect access to Citrix NetScaler virtual server virtual IP address for access to the Citrix back end

Cisco ASA Policy Configuration

This configuration uses Cisco ASA v9.1(1) and Cisco ASDM 7.1(2). This example assumes that the Cisco ASA has the required basic configuration to allow SSL VPN access to the public interface.

You configure simple checks using Cisco Secure Desktop HostScan on the Cisco ASA to define the required posture (Figure 3).

• Check the registry to determine whether the machine is joined to the cisco.citrix.com domain.

• Check for the presence of a corp-asset-file.txt file. • Check for a running process on the mcshield.exe device.

Using the HostScan results, you can configure additional checks directly in the dynamic access policy. Configure additional Tier-1 criteria (Figure 4).

• Authentication, authorization, and accounting (AAA) attribute = Lightweight Directory Access Protocol (LDAP) member of the Citrix group

• Endpoint attribute = Microsoft Windows 7 OS

• Logical expression to check for antivirus and firewall software (more likely checked as an endpoint attribute, but for the purpose of showing all dynamic access policy options, this example uses a logical expression)

Figure 4. Configuring the Dynamic Access Policy

Citrix NertScaler Gateway Configuration

Cisco ASA 550-X Citrix NetScaler Gateway One-Arm Mode Citrix XenDesktop Citrix Web Interface and StoreFront Citrix XenApp Citrix Endpoint Analysis

Sends Results

Initiates Scan Fails (Remediate) or Grants Access

Figure 5. Citrix NetScaler Gateway Configuration

In this use case, the Cisco ASA is terminating the VPN sessions, so the Citrix NetScaler Gateway does not need to thoroughly interrogate the endpoint again; only checks that are relevant for Citrix HDX SmartAccess are needed. Essentially, Cisco ASA is responsible for endpoint security, and Citrix NetScaler Gateway is responsible for performing endpoint analysis scans that are relevant for the back-end Citrix applications and desktops. On the Citrix NetScaler Gateway, you can configure session policies to control access to Citrix XenApp and XenDesktop using Citrix HDX SmartAccess. To configure Citrix HDX SmartAccess, you need to configure Citrix NetScaler Gateway settings on the Citrix Web Interface or StoreFront server and to configure session policies on the Citrix NetScaler Gateway. When you run the Published Applications Wizard, you can select the session policies you created for Citrix HDX SmartAccess to gain more detailed control.

There are also two conditions similar to the dynamic access policies:

• Restrictive: The user fails the endpoint analysis but still receives access, but

restrictions will be put in place. For example, not all applications may be available, or if the user is allowed access to Citrix XenDesktop, the user may not be permitted to map a drive to avoid the risk of a noncompany device.

• Nonrestrictive: The user passes the endpoint analysis and is granted access without

any restrictions. For example, the user will be able to map a local drive to the virtual desktop infrastructure (VDI) and, if accessing Citrix XenApp, will be able to use all applications.

For example, a simple Citrix HDX SmartAccess policy might use endpoint analysis to check the connecting device to make sure that a specific process is running to determine whether the session should be given nonrestrictive access or be subject to some

Figure 6. Creating a Simple Citrix HDX SmartAccess Policy

To configure Citrix HDX SmartAccess, you also need to configure Citrix NetScaler Gateway settings on the Citrix Web Interface or StoreFront server and on Citrix XenApp and

XenDesktop. When enforcing policy on applications, you run the Published Applications Wizard, where you can select the session policies you created for Citrix HDX SmartAccess to control access to the applications.

In the example shown here, the Microsoft Calculator, Notepad, and WordPad applications are being published (Figure 7). A filter is applied to the Microsoft WordPad application that specifies that this application will be available to a remote user connecting through Citrix NetScaler Gateway if, and only if, Citrix endpoint analysis scans verify that the mcshield. exe process is running. (Note that the endpoint analysis scan could be configured for a multitude of checks, including checks for registry information, files, processes, and the presence of antivirus software.)

Figure 7. Applying a Filter to Verify the Presence of a Process

Summary

Use Case: Cisco WebVPN (Clientless) and Cisco ASA with Citrix NetScaler Gateway and Citrix HDX SmartAccess

This use case (Figure 8) incorporates the Cisco ASA SSL VPN Edition and the Citrix NetScaler Gateway with Citrix HDX SmartAccess to provide comprehensive end-to-end secure remote access to company resources with a focus on access to a Citrix back end (Citrix XenDesktop and XenApp).

Cisco ASA 550-X Citrix NetScaler Gateway Citrix XenDesktop Citrix Web Interface and StoreFront Citrix XenApp

Figure 8. Cisco WebVPN (Clientless) and Cisco ASA with Citrix NetScaler Gateway and Citrix HDX SmartAccess Use Case

The role of Cisco ASA is to provide SSL VPN access to the company network for users using the Cisco WebVPN (clientless) solution. Cisco WebVPN could be the primary remote-access solution or an alternative choice for uncontrolled company assets. Cisco ASA, as mentioned earlier, provides comprehensive support for users accessing Citrix resources when Cisco WebVPN is used; however, what the solution lacks, and what the Citrix NetScaler Gateway can add, is Citrix HDX SmartAccess for more detailed granular control over the Citrix XenApp and XenDesktop resources.

As in the preceding use case, Cisco ASA assesses the posture of the user’s device and assigns the dynamic access policy based on the specified criteria, which is less stringent because the user does not receive full network access when using Cisco WebVPN. The Citrix NetScaler Gateway in this use case again protects the Citrix back end and is configured to work with Citrix StoreFront. The Citrix NetScaler Gateway also assesses the posture of the user with Citrix endpoint analysis and applies a filter based on the endpoint analysis scan results.

Typical Security Policy Example for Clientless Access

This example permits Cisco WebVPN (clientless) access to a user who meets the following requirements:

• Successfully authenticates and is a member of the Citrix Active Directory group • Uses Microsoft Windows 7 or MAC OS X

If the user meets these requirements, the user is assigned the Tier-2 dynamic access policy, which applies a bookmark on the portal to permit access to Citrix NetScaler and Citrix NetScaler Gateway (Figure 9).

Check for Any Antivirus and Any Firewall Software

Figure 9. Configuring Clientless Access Policy

The policy configuration on the Citrix NetScaler Gateway is performed in the same way as shown in the preceding use case.

After successfully logging in, the user is presented with the a portal with the Citrix NetScaler Gateway URL published for access to Citrix StoreFront, with access subject to additional posture assessment by the Citrix NetScaler Gateway and Citrix HDX SmartAccess endpoint analysis scans (Figure 10).

Figure 10. Access Portal

Summary

NetScaler Gateway login page (single sign-on [SSO] can be configured to eliminate this step). After the user enters the appropriate credentials, the user will be subject to the endpoint analysis scan and, depending the results and the filter applied, the permitted applications will be available. With this use case, only the Citrix NetScaler Gateway and Citrix HDX SmartAccess can enforce the detailed policy to limit specific applications on Citrix XenApp or restrict certain functions for Citrix XenDesktop such as drive mapping and clipboard access.

Conclusion

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) transforms how businesses and IT work and people collaborate in the cloud era. With market-leading cloud, collaboration, networking and virtualization technologies, Citrix powers mobile workstyles and cloud services, making complex enterprise IT simpler and more accessible for 260,000 organizations. Citrix products touch 75 percent of Internet users each day and it partners with more than 10,000 companies in 100 countries. Annual revenue in 2011 was $2.21 billion. Learn more at www.citrix.com. ©2013 Citrix Systems, Inc. All rights reserved. Citrix®_{, Citrix Receiver}™_{, Citrix}® _CloudGateway™_{, Citrix ShareFile}™_{, HDX}™ _{and Citrix}®

XenDesktop® _{are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered}

in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

About Cisco

Cisco Systems, Inc. (NASDAQ:CSCO) has shaped the future of the Internet by creating unprecedented value and opportunity for our customers, employees, investors and ecosystem partners and has become the worldwide leader in networking — transforming how people connect, communicate and collaborate. Annual revenue in 2013 was $12.4 billion. Learn more at www.cisco.com