Citrix MetaFrame Secure Access Manager

(1)

Super Session

MetaFrame Access Suite

Super Session

MetaFrame Access Suite

Greg Pontrelli

Charles Dworkis

Sr. Systems Engineer Sr. Systems Engineer

Roddy Rodstein

Joseph Baker

Systems Engineer

Greg Pontrelli

Charles Dworkis

Sr. Systems Engineer Sr. Systems Engineer

Roddy Rodstein

Joseph Baker

(2)

2

Building Blocks of Access Infrastructure

Device & Network Services Security & Identity Management Services Aggregation & Personalization Services Presentation & Conferencing Services Support any hardware device over any network Control access securely and efficiently Organize and find what's important based on profile and preferences Connect and interactively work with applications, information, and people

Common Management Services

Manage, monitor & measure the consistent delivery of enterprise resource services

User Access

(3)

Citrix MetaFrame Secure Access Manager

Secure, personalized access over the Web

Secure, personalized access over the Web

Device & Network Services Security & Identity Management Services Aggregation & Personalization Services Presentation & Conferencing Services

MetaFrame XP Presentation Server

MetaFrame Secure Access Manager

(4)

4

Citrix MetaFrame Conferencing Manager

The most productive way for teams to work concurrently and collaboratively on the same applications and documents

The most productive way for teams to work concurrently and collaboratively on the same applications and documents

Device & Network Services Aggregation & Personalization Services

(5)

Citrix MetaFrame Password Manager

The most efficient single sign-on solution for accessing all password-protected applications in the MetaFrame environment

The most efficient single sign-on solution for accessing all password-protected applications in the MetaFrame environment

Device & Network Services Aggregation & Personalization Services

MetaFrame Password Manager Device & Network Services Security & Identity Management Services Aggregation & Personalization Services Presentation & Conferencing Services Device & Network Services HTTPS & 2-Factor Authentication Password Management

MetaFrame XP Presentation Server

MetaFrame Conferencing

(6)

Feature Release 3 for

Citrix® MetaFrame XP™

Presentation Server for Windows®

Feature Release 3 for

Citrix® MetaFrame XP™

(7)

Agenda

•

Overview

•

Feature Release 3 Highlights

•

Printing Enhancements

•

Licensing and Administration Changes

(8)

8

Overview

•

MetaFrame XP

Presentation Server,

Feature Release 3

provides

–

Support for Windows

Server 2003

–

Improved usability

–

Easier to deploy use

(9)

MetaFrame XP Server Line Evolution

MF 1.8 1.8a FR1

1.8

“Server Based Computing”

“Manageability & Scalability”

MF XP

XP FR1 XP FR2

XP XP FR3

Today

“Enterprise Platform”

MF Future

(10)

10

Development Cycle

FR2 FR2

• Windows Installer Support

• Enhanced Citrix Management Console • Delegated Administration

• User Policies

• Enhanced System Monitoring & Analysis • Enhanced Application Packaging & Delivery • Enhanced Citrix Web Console

• Server Farm Health Alerting • NFuse Classic 1.7

• Enterprise Services for Nfuse • New Java ICA Client 6.30 • Improved ICA Performance • Content Redirection

• Enhanced Content Publishing • User Collaboration

• Roaming User Reconnect • Printing Improvements • IBM DB2 Support

• Novell Integration Notes • Citrix Secure Gateway 1.1 • Smart Card Ready

• Expanded Internet Proxy Support • TLS Encryption

FR1

• SSL Support for ICA • NDS® Support

• Program Neighborhood® Agent • Citrix Universal Print Driver • Content Publishing

• Citrix Web Console

• Improved Printing Performance • Improved ThinWire Performance • Auto Client Reconnect

• Enhanced CMC

• Connection Control (MetaFrame XPa & XPe only)

• CPU Prioritization (MetaFrame XPa & XPe only)

• ICA Session Monitoring (MetaFrame XPe only)

• Enhanced Application Packaging and Delivery (MetaFrame XPe only)

• CA Unicenter TNG® Plug-in (MetaFrame XPe only

FR1

• SSL Support for ICA

• NDS® Support

• Program Neighborhood® Agent

• Citrix Universal Print Driver

• Content Publishing

• Citrix Web Console

• Improved Printing Performance

• Improved ThinWire Performance

• Auto Client Reconnect

• Enhanced CMC

• Connection Control (MetaFrame XPa & XPe only)

• CPU Prioritization (MetaFrame XPa & XPe only)

• ICA Session Monitoring (MetaFrame XPe only)

• Enhanced Application Packaging and Delivery (MetaFrame XPe only)

(11)

Feature Release 3 Early Adopter Pgm

•

Most Requested Features

– Universal Printing with Color and Higher Resolution

– Web Interface enhancements

– Management Console improvements

– Java and Win32 Client enhancements

– Resource Manager improvements

– SpeedScreen Browser Acceleration

•

Typical Environment

– Separate pilot farm

– Average # of servers: 8 (median 4, max 40)

(12)

12

Citrix and Windows Server 2003

• Citrix MetaFrame Presentation Server for Windows with

Feature Release 3

XPs/a/e logo certified to

run on Windows Server

2003

• Component Support

Web Interface for

MetaFrame

Presentation Server

Web Interface Extension

for MetaFrame

Presentation Server

Secure Gateway for

(13)

Citrix® MetaFrame XP™ Presentation

Server for Windows® with Feature

Release 3

Server for Windows® with Feature

Release 3

Feature Highlights

(14)

14

Citrix MetaFrame XP Presentation Server

Feature Release 3

•

SpeedScreen

™

enhancements

•

Universal printing

•

Simplified license activation

•

Enhanced management console

•

Remote server management

•

Management Pack for Microsoft

Operations Manager

•

Enhanced resource manager

•

ICA Client for Win32 enhancements

•

ICA Client for Java™ enhancements

(15)

SpeedScreen Browser Acceleration

Improves user experience and performance when browsing through graphic-rich Web applications

•

Background image delivery

–

Images from the server are transferred to ICA

client in in their native (compressed) format using

a virtual channel

•

Progressive drawing

–

Images begin to appear on the client before the

images are completely downloaded

•

Responsive scrolling

(16)

16

Speedscreen Browser Acceleration

ICA

Transport

Protocol

Client Printer Mapping Client Drive Mapping

ICA Display

Client LPT Port Mapping Downstream Audio

ICA

Protocol

supports up

to 32 virtual

channels

New

Channel

Background Image Delivery

(17)

(18)

Citrix® MetaFrame XP™ Presentation

Release 3

Printing Highlights

(19)

Universal Printing

•

Stable environment

with single driver on

all servers

•

HP LaserJet 4500

Universal Driver

•

PCL5c engine including

HPGL/2 support

(20)

20

UPD II Client and Sever Interaction

2. Server Gets print command, and uses the native Windows HP Color LaserJet 4500 Driver to create a PCL5c file.

1. User Hits Print in Client Session

FR3 Server

Win32 ICA Client v7.0

4. Client now understands how to translate PCL5c that gets generated from HP 4500 driver. Client translates the PCL5c into a bitmap, which it sends to the printer.

(21)

Auto Create Network Printers

•

Driver auto install has

been extended to auto

created Network printers

•

Auto created network

printers install their

drivers during login

(22)

Release 3

Server for Windows® with Feature

Release 3

Licensing and Administration

Improvements

(23)

Simplified License Activation

Simplifies entering and activation of many licenses

New utility supports installation of multiple licenses via license file

CAS updated to support multiple license activations via license file upload

Lics.

License activation file is processed by new utility and all licenses are activated

Lics.

(24)

24

Management Console Enhancements

Improving the user experience for Administrators

•

Farm Summary screen

•

ICA Keep-alives setting

•

New Properties viewer

•

Support for Sun Java

(25)

Enhanced Management Console

•

Improved Navigation

–

Navigate to an item by

typing the first few letters

–

Total count of objects

displayed in the taskbar

–

“Details” view persists

through multiple

management

(26)

26

Enhanced Management Console

Total

Counts of

Objects

(27)

Management Console Enhancements

(28)

28

MSDE now Supported !!

•

Better than Jet

•

Use MSDE for small to mid-sized server farms

•

MSDE with Service Pack 3 is included on FR3 CDs

•

Access can be migrated to MSDE

•

MDSE has a five concurrent workload throttle – indirect

access recommended

•

Support for single- and dual-processor desktop

computers

(29)

Other Improvements

•

WMI Provider and MetaFrame XP

Management Pack for MOM

•

Oracle 9i for Solaris and 9.2 for Windows

support for the Data Store

•

ICA Client 6.30 for Mac OS X

•

DS read/write optimizations and overall

performance gains

• IMA Start Time on all servers

• LHC Recreation Time

• Printer Driver Replication

(30)

Release 3

Client Packaging

(31)

Available Client Package Types

•

MSI is useful as an install method on

modern operating systems. It also allows

for deployment through ADS or SMS

•

EXE is useful as install method on older

OS (Win9x. NT4.0) that don’t have

Windows Installer

•

CAB is useful as an internet

(32)

32

Available Client Package Types

•

Program Neighborhood

–

Ica32.exe, Ica32.msi, Wfica.cab

•

Program Neighborhood Agent

–

Ica32

a

.exe, Ica32

a

.msi

•

Internet Client

(33)

Program Neighborhood

Program Neighborhood

Full Client

• Contains Program

Neighborhood as a

mechanism of enumerating Published applications or creating custom connections

• Supports all protocol Transport Drivers

Program Neighborhood Agent

Neighborhood Agent

as a method of

enumerating published applications

• Alternative to a

browser interface for application access

• Requires Web Interface • Supports only TCP

Transport Drivers

Program Neighborhood Agent

Neighborhood Agent

as a method of

enumerating published applications

• Alternative to a

browser interface for application access

• Requires Web Interface

• Supports only TCP Transport Drivers

Internet Client

• Contains NO

mechanism of enumerating applications must use a browser

• Requires Web

Interface or

HTML wizard to publish links (ALE)

• Requires IE 5

or Netscape 5 and up

• Supports only

TCP Transport

Internet Client

• Contains NO mechanism of enumerating applications must use a browser

• Requires Web

Interface or

HTML wizard to publish links (ALE)

• Requires IE 5 or Netscape 5 and up

(34)

34

Why so many internet clients?

Different customers have different needs

•

Requires Citrix Web Interface or Application

Launching and Embedding (ALE)

•

Ica32t.exe is an self extracting executable that has all

the virtual drivers

•

Wficat.cab is an identical feature set of ica32t.exe, but

uses an INF file to instruct IE how to install and

uninstall with no setup program

(35)

Features removed from ActiveX - wficac.cab

Features Not Included

•

Zero latency

•

Font manager

•

Client Audio mapping

•

Universal printer driver

•

Client COM port mapping

•

Netscape plug-in

•

Protocol driver (128-bit Secure ICA Dll)

•

Protocol driver (old compression Dll, not the

new reducer)

•

Auto-client update

Client Size 7.0 client

=======

•wfica.cab is 3.5 MB

•wficat.cab is 1.8 MB

•wficac.cab is 1.0 MB

(36)

Citrix® MetaFrame XP™ Presentation

Release 3

Client Features

(37)

ICA Win32 Client Version 7.0

Improves end-user experience

•

Auto client reconnect improvements

•

New ActiveX control package

•

Support for custom

Window shapes

•

NTLM Proxy authentication

•

Dynamic client name support

•

“Headless” client support

•

Certificate revocation list checking

(38)

38

(39)

FR2 Introduced Proxy Server Support

•

FR2 - Proxy server enhancements

•

Secure proxy traversal

•

Auto proxy detection

•

PAC script support

•

INS script support

•

Proxy server authentication

Issue:

Some secure proxy servers, such as Microsoft Internet

Security and Acceleration (ISA) Server, require Integrated

Windows (NTLM) authentication

The 6.30 ICA clients do not support NTLM authentication

Internet

(40)

40

Win32 7.0 Client NTLM Support

• The ICA client will use the default credentials of the currently logged on NT user first

• NTLM uses challenge/response

• NTLM is more secure than Basic authentication • No clear text password. This is why most proxy

configuration removes basic authentication

• The ICA client will use the default credentials of the currently logged on NT user first

• NTLM uses challenge/response

• NTLM is more secure than Basic authentication

(41)

Citrix Java

™

ICA

®

Client 7.0

Zero install client enhancements

•

Seamless support with Session Sharing

•

Improved Client Drive Mapping

•

Improved Client Printer Mapping

•

Enhanced XML Error messages for

troubleshooting

•

Reconnection to arbitrary sized sessions

•

Content Redirection (Server-to-client)

•

Support for INS files (analogous to proxy

auto-config PAC files)

•

Updated SSL library for smaller

(42)

42

Java client

(43)

Java Client

•

Web-Server Server

Trust CA

•

Export Certificate

•

Rename Certificate

extension to .CRT

•

Use Admin to point to

Certificate path

•

Place Certificate in

(44)

44

Selecting Java Components

•

Components can

be controlled

–

Users

–

Administrators

•

Smaller Applets

(45)

(46)

46

Java Client

•

Seamless Window Support

–

Tested with Java 2 Standard Edition version 1.3

•

Session Sharing

•

Always use HTTPS when using Private

Certificates with Java Client

•

Connection Center is

(47)

Release 3

Web Improvements

(48)

48

The Web Interface for Metaframe XP

Project Columbia Features now integrated!

•

Multi-Farm Support with Single Set

of Credentials

•

Multi-Site Support on single web server

(for JSP version only)

•

RSA SecurID support

•

Drop down choice of login domains

•

FIPS 140

•

Auto Proxy Support for ICA Win32 and ICA

Java Clients

(49)

(50)

50

Multi-farm Support

•

Like Columbia, Web Interface can aggregate farms when the

user's credentials are valid in all farms

(51)

Web Interface Extension

Web administration console

•

Configure global settings

•

Define and manage

MetaFrame farm details

•

Specify group settings

•

Define and manage the

appearance of the

web pages

•

Administer user

credential account

mapping policies

•

Generate log reports

http://<webserver>

(52)

52

Web Interface Extension

•

Embedded client support (similar to the

Web Interface)

•

RSA SecurID support

•

Support changing passwords of

secondary credentials

•

Oracle DB Support (8i or 9i)

•

Enhanced Security by removing the

primary credentials from the database

•

Increased performance for group enumeration

•

LDAP Failover – ability to switch to a backup

domain controller

•

Farm Refresh improvements

•

JRE 1.4 support

(53)

WAR file support

•

WAR File Support (Web Archives) are single file

file archives containing all the resources required

to run an application written in JSP/Java

servlet technology

•

WAR files can be installed on any compliant Web

server on any operating system (such as Solaris,

Linux, and Microsoft Windows)

•

WAR file support allows you to install multiple

Nfuse Classic Web sites on a single Web server

(54)

54

RSA SecureID Support

WI for MetaFrame running on IIS is required to use SecurID authentication

(55)

(56)

Thank You

Greg Pontrelli

Sr. Enterprise Systems Engineer

[email protected]

Greg Pontrelli