Technical Training
Douglas A. Brown
2 © Citrix 2003
Agenda
• Value
• Features
• Architecture Components
• Deployment
• Advanced Concepts
• Licensing & Pricing
• Target Client
• Sales Tools
Value – Customer Challenges
• Increased security requirements
• Increasing number of password-protected applications
• Compliance with HIPAA, Sarbanes-Oxley, et al. regulations
Value – Password Management Problems
• End-User Problems
  – Numerous passwords
  – Password change policies
  – Forgotten passwords
  – Store passwords in insecure places
• Problems for Employers
  – Reduced security
  – Reduced productivity
Value – Applications with Separate Logins
[Chart: “How Many Applications Are Your Users Dealing With?” – bars for “Less than 5”, “5-20” and “>21” applications, broken down by company size: 50-499 employees (599), 500-4,999 employees (463), >5,000 employees (216); values shown on the chart: 51%, 27%, 11%, 45%, 60%, 48%, 13%, 41%, 4%]
Value – Single Sign-on Market
“Each time an end-user calls the help desk, it costs the organization $25-$50.” – Giga Research
“30 percent of all calls to the help desk are for password resets” – Gartner Group
“The average end-user calls the help desk four times per year for password resets” – Gartner Group
“Businesses spend $200 per year per person on password management” – Forrester Research
Value – MetaFrame Password Manager
• Simplifies end-user computing
  – Enterprise Single Sign-On (SSO) for Windows, Web, proprietary, and host-based applications
• Reduces help desk costs
  – Centrally manage and automate password-related events, including password generation & changes
• Increases network security
  – Stricter password policies
  – More frequent and automated password changes
Value – Simplified End-User Computing
[Diagram: a single Windows logon “For Access to” the user’s applications]
Value – Reduce Help Desk Costs
• Centralize password administration
• Automate password changes
  – Transparent to the end user
  – What did I change my
Value – Increase Network Security
• Enable strong passwords
• Automate password changes
  – Transparent to the end user and as frequently as you like
  – Users can’t share their passwords
Is password management a part of your security strategy?
How secure are you?
What is your password?
Where do you write down your password?
Is your new password different?
What is your password to login to CRM?
Features – Key Features
• Intelligent Agent Response
• Automated Password Change
• Strong Password Policies
• Compatibility to Web, Windows and host-based apps
Features – Intelligent Agent Response
• SSO-enables any application – e.g., Intranet or CRM application
• Supports Windows, Web, Host-based applications
• Rapidly SSO-enable applications
• No scripting, programming, or application changes required
• Supports 3rd and 4th logon fields
Features – Automated Password Change
• Enable more frequent password changes
• Set to manual or automatic mode
• Automatic mode makes password changes transparent to end-user
Features – Strong Password Policies
• Enable passwords of different lengths
• Use a combination of numeric, alpha and special characters
• Set character repeat settings
• Example (X8@ja3!nvt3x)
Architecture – Components
• Console
  – Administrative tool to centrally manage MetaFrame Password Manager deployment
  – Configures applications and user settings
• Central Credential Store
  – Stores all settings configured by administrators
  – Based on Active Directory or Network Share
  – Agent synchronizes settings from credential store
• Agent
  – Client/Desktop component
  – Synchronizes settings from Credential Store
  – Has its own local credential store for offline/mobile use
  – Detects logon and change password events
  – Automatically fills in secondary credentials and changes passwords for end users
  – Co-located with applications
Deployment – Steps
• Planning
• Central Credential Store
• Console Installation
• Licenses
• Console Configuration
  – Default Agent
  – User Question
  – Application
  – FTU List
  – Password Generation Policies
  – Password Sharing Groups
  – Agent Settings
  – Saving Configuration
Deployment – Planning – Details
• Hardware and Software Requirements
• Licensing Requirements
• Deployment Scenarios
• Synchronization
Deployment – Planning – Hardware and Software Requirements
• Hardware and Software Requirements
  – Console
    • Approximately 20MB RAM
    • Approximately 20MB disk space
    • Approximately 30KB disk space per user
    • Windows 2000 Professional
    • Windows 2000 Server
    • Windows Server 2003
    • Windows XP Professional
  – Agent (DOES NOT REQUIRE METAFRAME XP)
    • Approximately 5MB RAM
    • Approximately 10MB disk space
    • Windows 2000 Professional
    • Windows 2000 Server
    • Windows Server 2003
    • Windows XP Professional
    • Windows NT Workstation 4.0
  – MetaFrame Password Manager supports Web browsing using
  – Agent on MetaFrame XP Presentation Server
    • MetaFrame XP Presentation Server with FR3 and Service Pack 3
    • MetaFrame XP Presentation Server with FR2 and Service Pack 3
Deployment – Planning – Licensing Requirements
• Licensing Requirements
  – Concurrent-connection license $189
    • Each loaded agent requires a license.
    • A single user uses 1 license even if the agent is running in different locations (e.g., desktop, MF XP Presentation Server)
    • Similar to MetaFrame XP Presentation Server.
  – Named user $89
    • Defined by the user ID
    • Mobile users who need to use MetaFrame Password Manager on their laptops require a named user license.
  – You can use both types of licenses at the same time
  – The Access Suite is only available with concurrent licenses.
Deployment – Planning – Scenarios
[Diagram: three deployment scenarios – MetaFrame XP Deployed (MetaFrame Presentation Server applications), MetaFrame Presentation Server applications + Local Applications, and Local Applications Only (Desktop); the SSO Agent icon marks where the agent runs]
Uniquely able to address Citrix/non-Citrix environments
Deployment – Planning – Scenarios – XP Presentation Server
[Diagram: ICA Client connecting to MetaFrame XP Presentation Servers running the Agent, which synchronize with Central Credential Storage; the agent runs in ICA sessions]
• Agent only required to be installed on MetaFrame XP Presentation Servers
• Agents run in ICA sessions and work for Published applications
Deployment – Planning – Scenarios – Desktop
[Diagram: Desktop running the Agent and Local Applications, synchronizing with Central Credential Storage]
• Agent installed only on Desktops
• Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store
Deployment – Planning – Scenarios – Mixed Deployment
[Diagram: MetaFrame XP Server (Agent, Published Applications) and Desktop (Agent, Local Applications), both synchronizing with Central Credential Storage]
• Agent installed on MetaFrame XP Presentation Servers and Desktops
• Agents run on Desktop and in ICA sessions without any problems
Deployment – Planning – Central Credential Store
• File Share or Active Directory
• File Share
  – User password data is saved in a folder under the People folder, which is secured
  – Configuration objects are stored at the root of the sync point
  – Pros
    • Does not require schema extension
    • Single synchronization point ensures that there are no replication issues (unless DFS is implemented)
  – Cons
    • Same configuration for all users (if using one file share)
    • All users will connect to the file share, regardless of location
No scalability limits for File share or Active Directory
Both can support thousands of users
Both are equally secure
Deployment – Planning – Central Credential Store
• Active Directory
  – User password data is saved as a child of the user object in AD
  – Configuration objects such as applications and agents can be configured at any level
  – The agent will query the AD for the current user’s agent setting
  – Will walk up the tree until it finds settings or reaches root
  – Pros
    • Uses the organization’s existing infrastructure
    • Allows configuration of different settings for different users or containers
  – Cons
    • Synchronization is dictated by existing replication schedules
Deployment – Planning – Application Information
• Application Information
  – Define list of applications that require login information
    • Is username and password shared with other applications?
    • Will you enable auto-creation of passwords?
    • What type of passwords are required (length, characters, …)?
  – Application definitions specify identifiers including user name and password entry field location, application executable name, URLs, and control IDs for credential fields.
  – Must have application installed on same computer as the MPM Console
Deployment – Central Credential Store – File share
• Select a File Server accessible to the Agents
• Run the CTXFILESYNCPREP.EXE utility on the File Server from a command prompt
• Creates a shared folder on the server – CitrixSync$
• Sets required security permissions
  – Only Authenticated users can access the network share
  – No user can access other users’ credential files in the People folder
    • Only CREATOR_OWNER has access to data in the People folder
• STEPS: MPMAG-p.23
  – To use File Synchronization Setup for MetaFrame Password Manager
• Using Windows 2000 or 2003 Distributed File System (DFS)
Deployment – Central Credential Store – Active Directory
• A member of the Schema Admins group needs to log on to a machine that resides in the Active Directory
  – Ensure the Schema Master role is configured to allow schema updates
• Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt
  – Extends the schema of Active Directory
• Run CTXDOMAINPREP.EXE from a command prompt
  – Updates permissions of the specified container
  – Enables users to create MetaFrame Password Manager objects under their Active Directory User objects based on schema extensions
• STEPS: MPMAG-p.25-26
  – To use schema extension for MetaFrame Password Manager
  – To use Active Directory Setup for MetaFrame Password Manager
Deployment – Console – Installation
• Requires .NET Framework 1.1
  – Found on CD \SSO Administrative Console\dotnetfx.exe
• Install Console
  – \SSO Administrative Console\setup.msi or from Autorun
• Requirements:
  – Must be able to communicate with Sync location
  – Must have applications installed on same machine
    • Used to create Application Definition
  – OS
    • Windows 2000 Professional, Windows 2000 Server, Windows Server 2003, Windows XP Professional
  – STEPS: MPMAG-p.31-32
Deployment – Licenses
• Install and Activate Licenses
  – Console will not open unless a license is entered
  – Use the same Sync Location to store licenses
• MetaFrame Password Manager License Administration
  – Utility used to manage licenses
• STEPS: MPMAG-p.33-35
  – To store the license repository on a shared folder
  – To store the license repository in Active Directory
  – To add a MetaFrame Password Manager license
  – To activate a MetaFrame Password Manager
Lab #1
• **DO NOT INSTALL AGENT**
• Create Credential Store using File Share
  – STEPS: MPMAG-p.25-26
    • To use schema extension for MetaFrame Password Manager
    • To use Active Directory Setup for MetaFrame Password Manager
• Install Console
  – STEPS: MPMAG-p.31-32
    • To install the console using the Typical installation
• Install and Activate Licenses
  – STEPS: MPMAG-p.33-35
    • To store the license repository on a shared folder
    • To store the license repository in Active Directory
    • To add a MetaFrame Password Manager license
Deployment – Console – Configuration
• Application Definitions
  – Configured applications for single sign-on
  – Wizard creation process
  – Application templates provided to easily create application definition
• Automate Password Changes
  – Automatically respond to PW changes
  – Set password format (e.g., length, etc.)
  – Apply rules by each application
• Create Application Groups
  – Group applications to use same credentials
  – Use common credentials across different applications
• Control Agent Settings
  – Administrative control over all settings for agents and users
  – Centralized administration
• Directory Administration
  – Setup and management of synchronizer
  – Active Directory, File Share
Deployment – Console – Configuration – Saving
• Read this slide 5 times (this is very important)
• Components:
  – Agent – Reads configuration from the Sync folder
  – Console – Stores configuration in the Sync folder
• The easiest way to work with the console is:
  – When you save your configuration from the console using File | Save, this saves your configuration as an XML file
    • This does NOT store the information in the Sync folder
  – Always use the XML file to configure Password Manager
    • Save a copy in a centralized area available to MPM administrators
  – After doing changes in the console you must “Configure SSO
Deployment – Console – Saving Configurations
• File Share
  – Connect to File Share Central Credential Store
  – Read existing configuration
  – Make changes to configuration (as described earlier)
  – Save configuration back to the Credential Store
• Active Directory
  – Connect to Active Directory
  – Read existing configuration
  – Make changes to configuration
  – Save configuration back to any container (OU or user) in Active Directory
    • Allows different settings for different users
• STEPS: MPMAG-p.79-81
  – To configure a shared folder for single sign-on support
Deployment – Console – Agent – Configuration Types
• Agent with Basic Configuration
  – Agent on CD installs but does not synchronize to central credential store
  – The agent must be modified (by editing the registry) to provide synchronization – you should use the default or offline configuration instead
• Agent with Default Configuration
  – Only includes synchronization information
  – Requires the agent to obtain all configuration from sync. location before 1st time use
  – This is the recommended agent configuration
• Agent with Offline Configuration
  – Agent can be created with offline configuration (including agent settings, application definitions, sync. location)
  – Allows agent to be installed and work without the need to sync. before 1st time use
  – Required ONLY if user may not have access to sync. location on 1st time use
Deployment – Console – Configuration – Default Agent
• Used to point the agent to the sync server to obtain the latest configuration
• Create an Agent Setting whose only setting is the Sync location
• Generate Customized Agent
• Save XML file and push configuration to Sync location
• Install Agent
  – Make sure latest configuration is pushed to Sync location
  – Install agent
  – Start agent
• You can verify in the CitrixSync folder that a new folder for the user is created under the People folder
• STEPS: MPMAG-p.37-39, p.82-83
  – To add a shared folder as the synchronizer
    • DO NOT DO STEPS 9-12
  – To generate a custom .msi
Deployment – Console – User Question
• Administrators configure questions that users have to answer the first time they use the Agent
• Answers from end users are stored securely in both the Local and Central Credential Store
• Later, if users forget their primary passwords, they can answer these questions to retrieve their secondary credentials
• Questions cannot be changed/deleted after initial deployment
• New questions can be added later
• STEPS: MPMAG-p.63
Lab #2
• Generate Default Agent
  – STEPS: MPMAG-p.37-39, p.82-83
    • To add a shared folder as the synchronizer
      • Do not do steps 9-12
    • To generate a custom .msi
      • Don’t send any applications or FTU list, only send the Agent Settings
• Create User Question
  – STEPS: MPMAG-p.63
    • To create user questions
• Save Configuration to Credential Store
  – STEPS: MPMAG-p.79-81
    • To configure a shared folder for single sign-on support
    • To configure Active Directory for single sign-on support
• Install Default Agent
• Verify that synchronization is working
Deployment – Console – Application Definition
• Each application enabled for Single Sign On has an ‘Application Definition’
• Application Definition can be built using
  – Pre-configured Application Templates
  – Wizard based Application Definition configuration
• Applications supported
  – Windows Applications
  – Web Applications
  – Host-based Applications
• Application Definition consists of
  – Actions for Logon
Deployment – Console – Application Definition – Windows
• Each window consists of different controls (e.g., text box, button, plain text/label, etc.)
  – Regardless of the language the application is developed in
• Each control has a unique identifier on a window: its Control ID
Deployment – Console – Application Definition – Windows
• Normal matching of Windows applications
  – The .exe file, the source that runs an application
  – The window title, which is used to distinguish between different windows inside the same application
  – Control IDs
• Advanced matching of Windows applications (Field Matching)
  – Used to distinguish between multiple windows with the same title opening from the same executable file
  – See Eudora and Lotus Notes, which are pre-defined
• Notes
  – Field matching support is available for all standard network logons including iexplore.exe and explore.exe
• STEPS: MPMAG-p.46-48
  – To add a pre-set Windows application definition
  – To create a Windows application definition
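The matching rules on this slide (executable, window title, control IDs, and field matching to tell apart same-title windows) can be modelled in a few lines. The following Python is an added example written for this page, not code from the deck or from the product: the window model, the CRM client executable and the control ID values are all constructed, and the regex title match and the "ambiguous definitions are a configuration error" rule are assumptions of the example, not documented product behaviour.

```python
import re
from dataclasses import dataclass, field, replace


@dataclass
class WindowInfo:
    """Constructed view of a logon window as an agent would observe it."""
    exe: str                  # executable that owns the window
    title: str
    control_ids: frozenset    # control IDs present on the window
    field_text: dict = field(default_factory=dict)   # control ID -> visible label text


@dataclass
class WindowsAppDefinition:
    name: str
    exe: str                  # normal matching: executable name
    title_pattern: str        # normal matching: regex applied to the window title (assumption)
    username_id: int          # normal matching: control IDs of the credential fields
    password_id: int
    submit_id: int
    field_match: dict = field(default_factory=dict)  # advanced matching: control ID -> expected label

    def matches(self, w):
        if w.exe.lower() != self.exe.lower():
            return False
        if re.fullmatch(self.title_pattern, w.title) is None:
            return False
        if not {self.username_id, self.password_id, self.submit_id} <= w.control_ids:
            return False
        # Field matching is only consulted when configured; it separates
        # windows that share exe and title but show different labels.
        return all(w.field_text.get(cid) == text for cid, text in self.field_match.items())


def find_definition(definitions, window):
    """Return the single definition matching `window`, None if none matches,
    and raise if several match (two definitions claiming one window is a
    configuration bug that would make the agent fill the wrong fields)."""
    hits = [d for d in definitions if d.matches(window)]
    if len(hits) > 1:
        raise ValueError("ambiguous definitions: " + ", ".join(d.name for d in hits))
    return hits[0] if hits else None


def is_ambiguous(definitions, window):
    return sum(d.matches(window) for d in definitions) > 1


def without_field_matching(definitions):
    """Same definitions with field matching removed, to show what it buys."""
    return [replace(d, field_match={}) for d in definitions]


# Constructed sample: a hypothetical CRM client whose sign-in and
# change-password dialogs share one executable and one window title.
LOGON_DEF = WindowsAppDefinition(
    name="CRM logon", exe="crmclient.exe", title_pattern=r"CRM Client - Sign In",
    username_id=1001, password_id=1002, submit_id=1, field_match={1005: "User name:"})
CHANGE_DEF = WindowsAppDefinition(
    name="CRM change password", exe="crmclient.exe", title_pattern=r"CRM Client - Sign In",
    username_id=1001, password_id=1002, submit_id=1, field_match={1005: "Old password:"})
DEFINITIONS = [LOGON_DEF, CHANGE_DEF]

LOGON_WINDOW = WindowInfo("CRMClient.exe", "CRM Client - Sign In",
                          frozenset({1, 2, 1001, 1002, 1005}), {1005: "User name:"})
CHANGE_WINDOW = WindowInfo("CRMClient.exe", "CRM Client - Sign In",
                           frozenset({1, 2, 1001, 1002, 1003, 1005}), {1005: "Old password:"})
OTHER_WINDOW = WindowInfo("notepad.exe", "Untitled - Notepad", frozenset({1}))

if __name__ == "__main__":
    for w in (LOGON_WINDOW, CHANGE_WINDOW, OTHER_WINDOW):
        d = find_definition(DEFINITIONS, w)
        print(w.title, "->", d.name if d else "no definition")
```

Dropping the `field_match` entries makes both definitions claim the sign-in window, which is exactly the case the slide describes for Eudora and Lotus Notes; the extra label check is what lets the agent pick the right one.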
Deployment – Console – Application Definition – Windows
• Using Send-Keys
• MPM cannot detect controls on some windows
  – Developed using non-standard windows controls
  – Developed using proprietary third party windows controls
  – .NET and Java Applications
• Administrators can write SendKey functions for such applications
• Specify shortcut keys to get focus on required input fields
  – Username, Password, Other fields, Logon button
• Use Hotkeys to increase reliability
  – Alt-U, Alt-P, Alt-O
• STEPS: MPMAG-p.49-50
  – To check if an application uses control IDs
  – To create a Windows application definition using SendKeys
Deployment – Console – Application Definition – Web
• Configured for
  – Pop-up dialogs
  – Forms
• The URL can be defined to the appropriate level by the admin
  – http://salesforce.com, or
  – http://marketing.citrix.com
• Support for logon to many popular web sites/applications without
Deployment – Console – Application Definition – Web
• Normal matching of Web applications
  – URL
  – Layout of the fields in a form
  – Matching these characteristics with the admin configured template
• Advanced matching of Web applications (Field Matching)
  – Inspects other aspects of the HTML as defined in template
    • HTML attributes
    • Text within the page
    • HTML itself
  – All searches define a search scope
    • The scope is limited to a single instance of an HTML object. MPM looks inside this instance.
• STEPS: MPMAG-p.53-56
  – To add a pre-set Web application definition
  – To create a Web application definition
Deployment – Console – Application Definition – Host
• MetaFrame Password Manager supports single sign-on to mainframe applications through terminal emulators
  – Emulators following the HLLAPI (High Level Language API) standard
  – 3270
  – 5250
• What is HLLAPI?
  – High Level Language Application Program Interface, an IBM API standard that allows a PC application to communicate with a host computer such as an IBM iSeries or zSeries host
  – HLLAPI requires PC emulation software and then defines a set of APIs that allow other PC applications to interface with the emulation software
• Supported Emulators
  – Rumba6, Attachmate myExtra!, Extra! 6.3, 6.4, 6.5, 2000 and 7.1
  – Reflection 7, 8, 9 and 10, PCOM
  – HostOnDemand 4.0, Glink, Aviva, ViewNow, ZephyrPC, ZephyrWeb
Deployment – Console – Application Definition – Host
• Normal matching of host applications
  – Text
  – Row
  – Column
• Configure position for different functions
  – User Id
  – Password
  – Other fields
• STEPS: MPMAG-p.57-59
  – To enable terminal emulation support
Lab #3
• Configure Windows Application Definition
  – STEPS: MPMAG-p.46-48
    • To add a pre-set Windows application definition
    • To create a Windows application definition
    • To use Windows matching
  – STEPS: MPMAG-p.49-50
    • To check if an application uses control IDs
    • To create a Windows application definition using SendKeys
• Configure Web Application Definition
  – STEPS: MPMAG-p.53-56
    • To add a pre-set Web application definition
    • To create a Web application definition
    • To use Web matching
• Configure Host-Based Application Definition
  – STEPS: MPMAG-p.57-59
    • To enable terminal emulation support
Deployment – Console – First Time Use List (Bulk Add)
• Administrators configure applications presented to end users when the Agent is launched for the first time
• Allows end users to enter their secondary credentials during first time use of the agent
• Benefit
  – End users only have to go through configuration of secondary credentials once
• STEPS: MPMAG-p.62
  – To configure an application definition to support bulk-add
  – To select applications to appear in the first-time-use list
Deployment – Console – Password Generation Policies
• Administrator can set policies that constrain automatic password generation
• Password Policies control
  – Password size
  – Types of characters allowed
  – Etc.
• Helps administrator enforce tighter security
  – Complex passwords
  – More frequent password changes
  – Less password sharing across users
• Must be more restrictive than native application Password Policies
  – Else, password changes may fail
• STEPS: MPMAG-p.64-65
  – To create a global password policy
  – To create application-specific policies
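The Strong Password Policies slide in the Features section and this slide describe the same mechanism: a generation policy (length, character classes, repeat setting) and the requirement that it be at least as strict as the application's own rules, or generated passwords are rejected at change time. The Python below is an added example for this page, not the product's policy engine: the policy model, the field names, the two constructed policies (MPM_POLICY and NATIVE_POLICY) and the "strictness" comparison are all assumptions of the example. The deck's own sample password X8@ja3!nvt3x is used as test input.

```python
import secrets
import string
from dataclasses import dataclass

ALLOWED_LETTERS_DIGITS = string.ascii_letters + string.digits


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed model of a generation policy: length range, minimum counts
    per character class, permitted special characters, and the longest run of
    one repeated character allowed (the deck's "character repeat setting")."""
    min_length: int
    max_length: int
    min_digits: int = 0
    min_alpha: int = 0
    min_special: int = 0
    max_repeat: int = 2
    special_chars: str = "!@#$%^&*"

    def violations(self, pw):
        """Every rule the password breaks; an empty list means it complies."""
        problems = []
        if not self.min_length <= len(pw) <= self.max_length:
            problems.append("length %d outside %d-%d" % (len(pw), self.min_length, self.max_length))
        if sum(c.isdigit() for c in pw) < self.min_digits:
            problems.append("fewer than %d digits" % self.min_digits)
        if sum(c.isalpha() for c in pw) < self.min_alpha:
            problems.append("fewer than %d letters" % self.min_alpha)
        if sum(c in self.special_chars for c in pw) < self.min_special:
            problems.append("fewer than %d special characters" % self.min_special)
        if any(c not in ALLOWED_LETTERS_DIGITS + self.special_chars for c in pw):
            problems.append("character outside the allowed set")
        if longest_run(pw) > self.max_repeat:
            problems.append("a character repeats more than %d times in a row" % self.max_repeat)
        return problems


def longest_run(s):
    """Length of the longest run of identical consecutive characters."""
    best, run, prev = 0, 0, None
    for c in s:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def generate_password(policy, rng=secrets):
    """Draw candidates from the policy's alphabet with a CSPRNG and return the
    first that satisfies every rule (rejection sampling keeps the output
    uniform over the compliant set)."""
    alphabet = ALLOWED_LETTERS_DIGITS + policy.special_chars
    for _ in range(10000):
        length = policy.min_length + rng.randbelow(policy.max_length - policy.min_length + 1)
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if not policy.violations(candidate):
            return candidate
    raise RuntimeError("policy too restrictive: no candidate accepted")


def is_at_least_as_strict(generating, native):
    """True when every password the generating policy can emit is also accepted
    by the native application's policy, so a generated password can never be
    refused by the application at change time (the slide's requirement)."""
    return (generating.min_length >= native.min_length
            and generating.max_length <= native.max_length
            and generating.min_digits >= native.min_digits
            and generating.min_alpha >= native.min_alpha
            and generating.min_special >= native.min_special
            and generating.max_repeat <= native.max_repeat
            and set(generating.special_chars) <= set(native.special_chars))


# Constructed policies: the MPM generation policy for a hypothetical CRM
# application, and the rules that application enforces natively.
MPM_POLICY = PasswordPolicy(min_length=10, max_length=14, min_digits=2, min_alpha=2,
                            min_special=1, max_repeat=1, special_chars="!@#$")
NATIVE_POLICY = PasswordPolicy(min_length=8, max_length=16, min_digits=1, min_alpha=1,
                               min_special=0, max_repeat=2, special_chars="!@#$%^&*")

if __name__ == "__main__":
    print("generation policy strict enough:", is_at_least_as_strict(MPM_POLICY, NATIVE_POLICY))
    print("deck sample violations:", MPM_POLICY.violations("X8@ja3!nvt3x"))
    print("generated:", generate_password(MPM_POLICY))
```

The strictness check is the piece worth keeping: run it over each application-specific policy against what the application is known to enforce before pushing the configuration, since a generated password the application rejects leaves the user with an automated change that half-completed.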
Deployment – Console – Password Sharing Groups
• Applications sharing the same credentials can be grouped together
• Single backend authentication system across multiple applications – single set of credentials
  – Example – Multiple web applications require credentials from the same DOMAIN
• Third party Password Synchronization set up between different authentication systems, ensuring the same credentials between them
• STEPS: MPMAG-p.65-66
  – To create a regular password sharing group
Lab #4
• Configure FTU List
  – STEPS: MPMAG-p.62
    • To configure an application definition to support bulk-add
    • To select applications to appear in the first-time-use list
• Configure Password Generation Policy
  – STEPS: MPMAG-p.64-65
    • To create a global password policy
    • To create application-specific policies
    • To delete, copy, or rename a password policy
• Configure Password Sharing Group
  – STEPS: MPMAG-p.65-66
    • To create a regular password sharing group
Deployment – Console – Agent Settings
• Administrator configures Agent functionality available to end users
• Examples
  – Allow Refresh
  – Clean up Local Credential Store on shutdown
  – Etc.
• Benefit
  – More administrative control
  – All settings stored centrally and can be changed anytime
• Configure all settings
• STEPS: MPMAG-p.68-78
Deployment – Console – Agent Settings
• AllowRefresh
  – Determines whether or not to display the Refresh button in the agent user interface. The Refresh function enables users to synchronize their data at any time.
• AllowReveal
  – Determines whether or not to display the Reveal button in the agent user interface. The Reveal function enables users to see the text of passwords instead of masking characters. This function is not enabled by default. You can override the setting by specific application using the Allow Reveal Password setting on the Miscellaneous tab of an application definition.
• AllowUnknown
  – Determines whether or not users can add credentials for applications that are not predefined by an administrator.
• AutoLogin
Deployment – Console – Agent Settings
• ChangePassword
  – Determines the behavior of the Change Password wizard when a user encounters a password change request. You can set this value to:
    • Prompt user: Prompt the user with the Change Password wizard.
    • Prompt with Auto: Prompt the user to enter a new password and provide the option to have a password generated automatically.
    • Generate for selection: Generate a new password and provide the option for the user to specify the new password.
    • Prompt without Auto: Prompt the user to enter a new password and do not provide the option of generating a password automatically.
    • Generate and notify: Generate the new password and inform the user that the password changed.
    • Generate quietly and submit: Generate the new password and do not inform the user that the password changed.
• DefaultPolicy
  – Determines the password policy to use for this agent. The password policy defined in the applist.ini file is the default value for this setting. If no password policy is specified in the
Deployment – Console – Agent Settings
• DNLevelsToMatch
  – Determines the number of URL levels to be used as matching criteria. For the URL http://mail.citrix.com: 2 = *.citrix.com, 3 = *mail.citrix.com. Values less than 2 are treated as 2. Numbers greater than the total number of URL levels set this to match all text to the left of a question mark (?) in the URL.
• LogonAfterConfig
  – Determines whether or not the agent submits the credentials to the application after filling in a credential request page. This setting is overridden by the value of the Auto Submit check box that appears on the specific application’s Miscellaneous tab. If you set this on the console, it cannot be set using the agent.
• HostMainFrameSupport
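The DNLevelsToMatch rules above are easier to reason about when written out as code. The following Python is an added example for this page, not the product's matcher: it models the three documented cases (values below 2 clamped to 2, a suffix of N host labels, and "everything left of ?" when N exceeds the host's label count). The treatment of the case where N equals the host's label count as "that host or a subdomain of it" is this example's reading of the slide's *mail.citrix.com, and the definition URLs other than mail.citrix.com are constructed.

```python
from urllib.parse import urlsplit


def url_match_rule(definition_url, dn_levels):
    """Derive the comparison applied to a Web application definition's URL for
    a DNLevelsToMatch value.  Returns ("host", suffix), meaning the candidate
    host must be <suffix> or a subdomain of it, or ("url", prefix), meaning
    the candidate URL left of any '?' must equal <prefix>."""
    host = urlsplit(definition_url).hostname or ""
    labels = host.split(".")
    levels = max(dn_levels, 2)                  # values less than 2 are treated as 2
    if levels > len(labels):                    # more levels than the host has
        return ("url", definition_url.split("?", 1)[0])
    return ("host", ".".join(labels[-levels:]))


def url_matches(rule, candidate_url):
    """Apply a rule from url_match_rule to a URL the user has just opened."""
    kind, value = rule
    if kind == "url":
        return candidate_url.split("?", 1)[0] == value
    host = urlsplit(candidate_url).hostname or ""
    # Dot boundary: "notcitrix.com" must not match the suffix "citrix.com".
    return host == value or host.endswith("." + value)


def matching_definitions(definitions, dn_levels, candidate_url):
    """Names of the definitions whose URL rule matches candidate_url."""
    return [name for name, url in definitions
            if url_matches(url_match_rule(url, dn_levels), candidate_url)]


# Constructed definitions; mail.citrix.com is the deck's own example host.
DEFINITIONS = [
    ("Webmail", "http://mail.citrix.com/logon?sid=1"),
    ("CRM", "http://crm.example.test/login"),
]

if __name__ == "__main__":
    for levels in (1, 2, 3, 9):
        print(levels, url_match_rule("http://mail.citrix.com/logon?sid=1", levels),
              matching_definitions(DEFINITIONS, levels, "http://www.citrix.com/portal"))
```

The defensive point is visible in the output for level 2: the Webmail credentials are offered to any host under citrix.com, not only to the mail server, so the setting should be no lower than the scope the credentials are actually valid for.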
Deployment – Console – Agent Settings
• PasswordSharing
  – Determines whether or not regular password sharing groups will be used. This setting integrates with the PasswordSharing setting under Authenticator in this manner:
    • If you enable both PasswordSharing settings, regular and domain-level password sharing groups are enabled.
    • If you enable this PasswordSharing setting only, regular password sharing groups are enabled. Domain sharing groups are not enabled.
    • If you enable only the PasswordSharing setting under Authenticator, domain-level password sharing groups are enabled.
• ReauthOnReveal
  – Determines whether or not the agent requires authentication when users select Reveal from an application’s properties page or Reveal All from the agent user interface. With this set to enable, if a system is left logged on, users must supply credentials before seeing actual password text.
• SpecialChars
Deployment – Console – Agent Settings
• ConfirmPasswordChange
  – Determines whether or not to require password confirmation when users change passwords. This setting can be overridden at the application-type and application-specific level by using the Hide “Confirm Password” setting on the Error Detection tab.
• MaskPassword
  – Determines whether or not masked characters are displayed rather than the actual characters in a password. You can also set this option at the application-type and application-specific levels on the Error Detection tab.
• MaxRetryAttempts
  – Integrates with the RetryTimeout setting to determine the number of logon retries allowed in the specified time-out period before the agent displays an error message. Set this value to a number greater than zero (0). Important: if the value is set at zero, the logon error dialog box never appears and users may be locked into an endless loop of failed logon attempts. You can also set this value at the application-type and
Deployment – Console – Agent Settings
• RetryTimeout (seconds)
  – Determines the time period, in seconds, during which users can attempt the maximum number of logon retries (set by MaxRetryAttempts). You can also set this option at the application-type and application-specific levels using the Logon Timeout setting on the Error Detection tab.
• LogonManagerColumns
  – Determines the columns and their order in the agent user interface.
• HostInterval
  – Determines the time interval, in milliseconds, between checks for terminal
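MaxRetryAttempts (previous slide) and RetryTimeout only make sense together, and the deck's warning that a value of zero leaves users in an endless loop is the kind of thing worth checking before a configuration is pushed. The Python below is an added example for this page, not the agent's code: the sliding-window interpretation of "retries allowed in the time-out period", the class and function names, and the settings dictionary with the slides' setting names as keys are all assumptions of the example.

```python
from collections import deque


class LogonRetryTracker:
    """Constructed model of how MaxRetryAttempts and RetryTimeout (seconds)
    interact: failed logons are counted inside a sliding window of
    RetryTimeout seconds, and the error dialog is due once the count reaches
    MaxRetryAttempts within that window."""

    def __init__(self, max_retry_attempts, retry_timeout_s):
        self.max_attempts = max_retry_attempts
        self.timeout = retry_timeout_s
        self.failures = deque()          # timestamps (seconds) of recent failures

    def record_failure(self, now):
        """Record a failed logon at time `now`; return True when the agent
        should stop retrying and show its logon error dialog."""
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.timeout:
            self.failures.popleft()      # failures older than the window no longer count
        if self.max_attempts <= 0:
            return False                 # the documented pitfall: the dialog never appears
        return len(self.failures) >= self.max_attempts


def simulate_failures(max_attempts, timeout_s, failure_times):
    """Replay failure timestamps; return the 1-based attempt at which the error
    dialog appears, or None if it never does for these attempts."""
    tracker = LogonRetryTracker(max_attempts, timeout_s)
    for index, ts in enumerate(failure_times, start=1):
        if tracker.record_failure(ts):
            return index
    return None


def validate_retry_settings(settings):
    """Pre-push check over an agent-settings dictionary keyed by the setting
    names on the slides: flag MaxRetryAttempts of zero, which the deck says
    leaves users in an endless loop of failed logon attempts."""
    problems = []
    if settings.get("MaxRetryAttempts", 0) <= 0:
        problems.append("MaxRetryAttempts must be greater than 0, "
                        "or the logon error dialog never appears")
    return problems


if __name__ == "__main__":
    # Constructed failure timelines (seconds since the first attempt).
    print("3 in 60s, bursts:", simulate_failures(3, 60, [0, 10, 20]))
    print("3 in 60s, spaced:", simulate_failures(3, 60, [0, 70, 140]))
    print("MaxRetryAttempts=0:", simulate_failures(0, 60, list(range(0, 1000, 10))))
    print(validate_retry_settings({"MaxRetryAttempts": 0, "RetryTimeout": 30}))
```

The second timeline shows the other side of the interaction: failures spaced wider than RetryTimeout never accumulate, so a long timeout is what makes a small MaxRetryAttempts actually bite.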
Deployment – Console – Agent Settings
• PasswordSharing
  – Determines whether or not to allow password changes made with the Microsoft Authenticator to be shared with credentials in the group domain. This setting works with the PasswordSharing setting listed under AccessManager as follows:
    • If you enable both PasswordSharing settings, regular and domain-level password sharing groups are enabled.
    • If you enable the PasswordSharing setting under AccessManager only, regular password sharing groups are enabled.
    • If you enable the PasswordSharing setting under Authenticator only, domain-level password sharing groups are enabled.
• LogEvents
  – Determines the MetaFrame Password Manager events that are recorded in the
Deployment – Console –
Agent Settings
• AutoLogonDelay
– Determines the time, in milliseconds, that the MetaFrame Password Manager animated logo appears. The logo indicates that the product is processing a command. To not show the animated logo, set this value to 0.
• DeleteOnShutdown
– Determines whether or not to remove users’ data folders and registry keys when the agent is shut down. Enable this setting when you have roaming profiles. This security feature removes user profiles after log off, ensuring that passwords are not
compromised by the other users of the same computer.
• DaysBeforeDelete
– Determines how many days elapse from the time a credential is marked for deletion until the time it is physically removed.
• DisplayComputerName
Deployment – Console – Agent Settings
• ProvideCredentials
– Determines whether or not to provide credentials to applications automatically, without requesting confirmation from users. If you enable this option on the console, it is not configurable in the agent.
• IdentifyNew
– Determines whether or not to prompt users to add logon information when MetaFrame Password Manager recognizes a new application. If you enable this option on the console, it is not configurable in the agent.
• RetryCount
– Determines the number of times the retry dialog box appears to the user.
• AggressiveSync
– Determines whether or not to synchronize credentials, agent settings, first-time-use criteria, and password policies whenever a user launches one of the following:
• A known Windows or Web application
• An unknown Web application
Deployment – Console – Agent Settings
• WorkDisconnected
– Determines whether or not the agent operates when it cannot connect to the synchronizer. During startup, the agent attempts to connect to the synchronizer to receive the latest credentials and settings. If the agent fails to connect, it continues operation based on this setting.
• SyncInterval
– Specifies the time, in minutes, before automatically synchronizing again. This setting directs the agent to synchronize periodically, based on the amount of time you specify. For example, if this setting is five minutes, the agent synchronizes every five minutes whether or not user activity occurs.
• OfflineNotification
– Determines whether or not to allow users to work offline without prompting them when a synchronization event fails.
• FilesyncType
– Shows the shared folder for synchronization. This setting is unavailable if you are using Active Directory for synchronization.
• Server
Lab #5
• Configure Agent Settings
– STEPS: MPMAG-p.68-78
Configuration –
Deployment – Agent – Deploying
• Use MSI deployment tools to install the Default Agent
– Active Directory
– Third party tools
– Installation Manager for deployments on MetaFrame XP
Advanced Concepts – Security – Components
• Authentication
– Support for strong authentication
– No need for additional authentication servers
• Encryption
– Credentials stored securely
– Support for standard 3DES encryption
• Shell
– Link to all other MPM components
• Intelligent Agent Response
– No scripts or connectors or changes to applications
– Automatically detects logon and password change events
• Credential Synchronization
– Centralized management
– Integration with existing infrastructure (AD and File System)
Advanced Concepts – Security – Components
• Components
– Authentication
• Authenticator
• Authentication Services
• Authentication API
– Encryption
• Crypto API
• Primary Authentication Key
– Shell
• Local Credential Store
• Credential Manager
• First-Time Use
– Intelligent Agent Response
• Access Manager
– Credential Synchronization
• Record Level Sync
• File Level Sync
• Sync API
Advanced Concepts – Security – Components – Authentication
• Components
– Authenticator
• Provides credential to Authentication Services
• Windows Authentication Provided
– Authentication Services
• Validates credentials provided by Authenticator against system authentication services such as Windows Domain
• Passes validations to Authenticator API
– Authenticator API
• Integrates authentication user interface (Windows) with the Shell
Advanced Concepts – Security – Components – Authentication
[Diagram: Re-authentication; ships with Windows Authenticator; validates credentials using existing systems]
Advanced Concepts – Security – Components – Encryption
• Components
– Crypto API
• Confirms user authentication with Authenticator API
• Generates a unique primary authentication key (and new password)
• Uses Primary Authentication Key to decrypt individual credentials
– Primary Authentication Key
• Unlocked upon successful end-user authentication
• Created based on random number generator using MS CAPI
• Self-encrypted using 3-DES
• Encrypted once with Windows Password and once with User Question Info
Advanced Concepts – Security – Components – Encryption
• Definitions:
– Symmetric Encryption (Same key used to encrypt and decrypt data)
– Cryptographic Service Providers (CSP)
– MS CAPI
– 3-DES (Secret-key crypto algorithm: DES with its 56-bit key applied three times)
• Related Info
– MS CAPI
• Generates Primary Authentication key and New Passwords
• Uses RSA Cryptographic Service Providers (CSP)
– User Question
• Prevents someone from resetting a password and then gaining access to credentials that do not belong to them
– Credential Data
• Username, password, 3rd and 4th field are encrypted
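The Primary Authentication Key scheme from the two slides above (a random key that encrypts the credential records and is itself wrapped once under the Windows password and once under the user-question answer, so that an administrative password reset alone does not unlock the store), as an added example that is not Citrix code. PBKDF2 and an HMAC-SHA256 keystream with an HMAC tag are assumed stand-ins for the product's CSP key derivation and 3-DES; only the key structure is taken from the slides.

```python
import hashlib
import hmac
import os

# Added example, not Citrix code: PAK wrapped twice, records sealed under the PAK.
# Keyed HMAC stream + tag stands in for 3-DES; PBKDF2 for the CSP derivation.

def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag exposes a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key (e.g. the Windows password was reset) or tampering
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class LocalCredentialStore:
    def __init__(self, windows_password: str, question_answer: str):
        self.salt = os.urandom(16)
        pak = os.urandom(24)  # 3-DES-sized key from the OS RNG (MS CAPI in the product)
        self.pak_by_password = seal(derive_key(windows_password, self.salt), pak)
        self.pak_by_question = seal(derive_key(question_answer, self.salt), pak)
        self.records = {}     # application -> sealed "username|password"
    def _unlock(self, secret: str, wrapped: bytes):
        return unseal(derive_key(secret, self.salt), wrapped)
    def add(self, windows_password: str, app: str, user: str, password: str) -> bool:
        pak = self._unlock(windows_password, self.pak_by_password)
        if pak is None: return False
        self.records[app] = seal(pak, f"{user}|{password}".encode())
        return True
    def credentials(self, windows_password: str, app: str):
        pak = self._unlock(windows_password, self.pak_by_password)
        rec = unseal(pak, self.records[app]) if pak else None
        return rec.decode() if rec else None
    def recover_with_question(self, answer: str, new_windows_password: str) -> bool:
        # After a password reset only the question-wrapped PAK opens; re-wrap it.
        pak = self._unlock(answer, self.pak_by_question)
        if pak is None: return False
        self.pak_by_password = seal(derive_key(new_windows_password, self.salt), pak)
        return True
```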
Advanced Concepts – Security – Components – Shell
• Components
– Local Credential Store
• Encrypted in a memory-mapped file (MMF) in binary format
• Encrypted records for each set of end user credential, settings and advanced configuration information
– Credential Manager
• Interacts with Authentication API, Crypto API, Access Manager and Synchronization API
– First-Time Use
Advanced Concepts – Security – Components – Shell
• Function
– Receives user validation from Authenticator API
– Encrypts and decrypts data from local credential store
– Supplies credentials to Intelligent Agent Response components
Advanced Concepts – Security – Components – Shell
[Diagram: Shell, connected to Intelligent Agent Response, Authenticator API and First-time use]
Advanced Concepts – Security – Components – Intelligent Agent Response
• Components
– Access Manager
• Interface between Credential Manager and Application Response Component
• Web browser SSO Helper Object (SSOBHO.exe)
• Windows Hook Component (SSOShell.exe)
• Mainframe Helper Object (SSOMHO.exe)
• Function
– Event driven architecture that remains dormant until a credential request is made by an application
– Uses system-level approach
• Related Information
– Config File – Need write access to local profile
Advanced Concepts – Security – Components – Intelligent Agent Response
[Diagram: Shell and Windows Hook serving Web Applications, Windows Applications and Host-based Applications]
Advanced Concepts – Security – Components – Credential Store
• Function
– Syncs FTU settings, application configurations and admin override
• Components
– Record-level synchronization
• Allows access from multiple locations at the same time
– File-level synchronization
• Determines latest credential file
– Synchronization API
• Used to read and write data to the sync area (shared folder or AD)
– Unique Identifier List (UID List)
Advanced Concepts – Security – Components – Credential Synchronization
• Keeps local and central credential stores in sync
• Latest version of the store overwrites settings
– All changes have time-stamps
– Similar to MS Profile
• Allows administrator to push application configuration and agent settings to end users
• Always initiated by the Agent based on administrative configuration
• Administrator controls frequency of synchronization
• “Aggressive Sync” mode - Synchronization occurs whenever user performs an action that should use most current credentials or settings
– Example – a new application launch, etc.
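The time-stamp rule behind the two synchronization modes listed on the slides (file-level picks the newest credential file, record-level decides per application, which is what lets one user work from several locations at once), as an added example that is not Citrix code. The stores, application names and time-stamps are constructed for the illustration.

```python
from datetime import datetime

# Added example, not Citrix code: constructed local and central stores whose
# records carry the time-stamp of their last change.

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Annie changed her mainframe password on her laptop on June 5 at 9:14 AM ...
LOCAL = {
    "mainframe": {"password": "MAL929", "changed": _ts("2003-06-05 09:14")},
    "webmail":   {"password": "Web001", "changed": _ts("2003-06-04 17:00")},
}
# ... while the central store already holds a webmail change she made from a
# desk PC later that same morning.
CENTRAL = {
    "mainframe": {"password": "XLB639", "changed": _ts("2003-06-03 08:30")},
    "webmail":   {"password": "Web002", "changed": _ts("2003-06-05 10:30")},
}

def store_timestamp(store):
    """A credential file is only as new as its most recent record."""
    return max(rec["changed"] for rec in store.values())

def file_level_sync(local, central):
    """File-level rule: the more recent credential file replaces the other
    whole, so one side's concurrent change is lost."""
    newer = local if store_timestamp(local) >= store_timestamp(central) else central
    return {app: dict(rec) for app, rec in newer.items()}

def record_level_sync(local, central):
    """Record-level rule: decide per application by time-stamp, so changes
    made from two locations at the same time both survive."""
    merged = {}
    for app in set(local) | set(central):
        l, c = local.get(app), central.get(app)
        if l is None or (c is not None and c["changed"] > l["changed"]):
            merged[app] = dict(c)
        else:
            merged[app] = dict(l)
    return merged

def lost_changes(local, central, sync):
    """Applications whose newest known change is missing from the sync result."""
    truth = record_level_sync(local, central)
    result = sync(local, central)
    return sorted(app for app in truth if result.get(app) != truth[app])
```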
Advanced Concepts – Security – Components – Credential Synchronization
[Diagram: Local Credential Storage synchronizing with Microsoft Active Directory (Domain and OUs) or a File server]
Benefits
• Enables mobility for end users
• Eases deployment of application configurations and settings
• Centralizes
Advanced Concepts – Security – Components – Credential Synchronization
[Diagram: (1) Annie User, June 5, 2003, 9:14 AM: password changed from XLB639 to MAL929 in the encrypted Local Credential Store; (2) June 6, 2003, 6:43 AM: new password MAL929 synchronizes with the encrypted Central Credential Store]
Advanced Concepts – Agent Synchronization Workflow
• Automatically launched when a user logs on
• Gets users’ credentials from the GINA
• Uses password to decrypt data in Local and Central Credential Stores
• Synchronizes Local or Central Credential Stores with more recent settings
– File Share
• Synchronizes Local Credential Store with global folders
• ENTLIST – Application configuration, password policies
• ADMINOVERRIDE – Agent settings
• FTU – User questions and Bulk add applications
• Updates People folder on network share
– Active Directory
• Starts looking for the configured settings in the User object
• Walks up the OU tree until first container with configured settings is found
• Synchronizes Active Directory with Local Credential Store
Advanced Concepts – Agent Configuration Files
• APPLIST.INI
– Stores pre-configured, password-protected application definitions installed with the agent
• ENTLIST.INI
– Stores all application definitions configured by the administrator
– Synchronized from Central Credential Store
• AELIST.INI
– Merged version of APPLIST.INI and ENTLIST.INI
– Stores all application definitions to be used by the agent
• FTULIST.INI
– Defines users’ first-time-use experience
– Installed when the agent is installed
Advanced Concepts – Agent Event Logging
• Password Manager Agent logs all SSO events to the Windows Event Log:
– Credential use
– Credential changes
– Global credential events
– MetaFrame Password Manager events
– MetaFrame Password Manager feature use
Advanced Concepts – Credential Store – File share
• Select a File Server accessible to the Agents
• Run CTXFILESYNCPREP.EXE utility on the File Server from a command prompt
• Creates a shared folder on the server – CitrixSync$
• Creates the required folders
– People – stores settings for each user in individual folders
• Used for
– ENTLIST – stores all application configuration, password policies and password sharing groups
– ADMINOVERRIDE – stores all Agent settings configured by administrators
– FTU – stores all User questions and Bulk add applications for first time use of the Agent
– SYNCSTATE – stores timestamp of the last change to global settings
• Sets required security permissions
– Only Authenticated users can access the network share
– No user can access other users’ credential files in the People folder
Advanced Concepts – Credential Store – Active Directory
• A member of Schema Admin group needs to log on to a machine that resides in the Active Directory
– Ensure Schema Master Role is configured to allow schema updates
• Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt
– Extends the schema of Active Directory
– Adds three new classes
• Citrix-SSOConfig – contains data for all administrative configurations
• Update frequency – only when administrator makes configuration changes
• Citrix-SSOLicenseClass – contains license information
• Update frequency – Rarely (when license is added, removed)
• Citrix-SSOSecret – contains secret data used to authenticate a user of Citrix MetaFrame Password Manager
• Update frequency – only when a user stores new credentials for SSO
• Run CTXDOMAINPREP.EXE from a command prompt
– Updates permissions of the specified container
– Enables users to create MetaFrame Password Manager objects under
Advanced Concepts – GINA
• Password Manager implements a “stub” GINA.
– Does not implement own replacement user interface or authentication mechanism
– But passes through to the underlying GINA (which itself may be the standard Microsoft GINA or a replacement GINA)
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
– HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFramePasswordManager\Shell\OrigGinaDLL
• Msgina.dll
• Allows integration with other authentication systems that implement GINA chaining
Advanced Concepts – Individual Agent
Advanced Concepts – Individual Agent Setting
• Default installation on MetaFrame XP Presentation Server
– Runs agents for all sessions
• To disable agent from starting automatically
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
• To enable agent for specific applications
– Use SSOLAUNCHER.EXE when publishing application to start agent for an individual application
– This could be used to enable MPM for specific users by
Licensing – Pricing
Suggested Retail Price
Starter Packs*
– 20 Named User Licenses: $1,780
– 20 Concurrent Connected User (CCU) Licenses: $3,580
Bump Packs (5, 10, 20, 50, 100 packs)*
– Per Named User: $89
– Per CCU: $179
Subscription Advantage Renewal
– Per Named User: $12
– Per CCU: $24
*Includes 1 year Subscription Advantage
Citrix is the only company in the market that sells a single sign-on solution with CCU licensing
Licensing – Options
• Named-user is equivalent to primary logon ID (best practices as per Macrovision)
• Named-user license is a dedicated license
• CCU license is a shareable license
– Higher value for customers that can benefit from concurrency, e.g.:
• shift workers sharing a single PC (local and/or MetaFrame-deployed apps)
• global organizations (“follow-the-sun”)
• pure MF environments (concurrency ratio above 2:1)
• Disconnected (mobile) users require a named user license
Licensing – Price Advantages of CCU Licensing
MetaFrame Password Manager Concurrent Connected User SRP: $179
Concurrency Ratios (effective price per user)
– 3:1 ($179/3): $60
– 5:1 ($179/5): $36
– 10:1 ($179/10): $18
What is the Concurrency ratio in your environment?
Licensing – Which licenses should I buy?
Scenario / Type of License Required
User accesses password-protected applications located on…
– MetaFrame Presentation Server only: Concurrent connected user (CCU)
– Desktop only: Named user
– Desktop and MetaFrame Presentation Server: Named user
Mobile (disconnected) workers: Named user
Browser installed on local desktop: Named user
Browser is published application on MetaFrame Presentation Server
Target Client – Who is the target customer?
• Existing Citrix customer
– Loyal
– Appreciates CCU pricing advantages
• Microsoft shop
– Windows authentication (NT Domains or Active Directory)
– Desktop OS ≥ Windows 2000/NT (i.e. not Win9x)
Sales Tools – On MyCitrix
Now Available
• Product Overview Brochure
• Presentations
– Customer
– Partner Training
• ROI White Paper
• ACE Cost Analyzer – Password Manager Module
• Autodemo
• FAQs
Sales Tools – Training
Course Title / Availability Date / Cost
– Security Fundamentals (CTX-1400AW) / Today / $40
– Selling and Positioning Citrix MetaFrame Password Manager (CTX-1322AW) / Today / $100
– Admin Instructor-Led Training (CTX-1321AI) / 16 Oct. 2003 / $500
– Introduction to Citrix MetaFrame Password Manager (CTX-1320AW) / Nov. 2003 / $100
Why Sell MPM? – Expanded Business Opportunities
• A Great Combination
– New product and services opportunities
– Leverage existing MetaFrame Presentation Server customers
– Leverage your existing skill set
– Great application intersection
– Mutual product pull-through
• Open New Doors – Broadens Penetration
– Important for single point of access