Protecting Citrix Applications




Introduction - 5 min

Objectives, Agenda & team intros

Product overview – 15 min

Overview, products, customers

SafeWord for Citrix MetaFrame

Technical Session – 25 min

Architecture, Requirements

Demonstration, Q&A

Wrap-up – 15 min


Product Team

Larry Ritter


Willy Leichter

Director, Product Marketing

Tony Chimienti

Product Manager

Sandler Rubin


Secure Computing’s products

SafeWord™ PremierAccess™

Industry leading strong authentication product

Used by thousands of enterprises worldwide


World’s strongest firewall and VPN gateway—never been compromised

Widely used by government and defense


Supports ICA natively



SafeWord™ PremierAccess™

Strong authentication for Citrix, VPN, Web, wireless, network and custom applications

Widest range of authentication options

Role-based authorization

Advanced deployment capabilities


Who uses SafeWord products

600,000 users, $70 billion in cash management transactions daily

Authenticate 80,000 remote users, suppliers and business partners

Secure remote access for 60,000+ users

Secure remote access for 27,000 users

Authenticate 30,000 employees from any location using multiple access methods

Secure remote access for 32,000 users

Secure remote access for 40,000 users


[Diagram: Universal Web Agent, RADIUS Agents; Web, VPN, Citrix Servers, System login; Employees, Sales Staff]

Protecting all your applications


Why strong authentication?

Many remote access solutions (such as Citrix and VPNs) create a secure tunnel through the Internet

An important component of security

But who is accessing that tunnel?

How do you identify your users?

Many companies rely just on fixed passwords

Username: jmalkovich Password: being_me




The password risk

Passwords are weak because…

Only one-factor authentication

Easily hacked, stolen, borrowed, guessed or sniffed

Difficult to remember and use

Difficult to manage

These problems limit the use of remote access systems

Anti-password presentations


Protecting Citrix® remote access

Citrix is increasingly popular for allowing remote access to desktop


PremierAccess protects Citrix today

Universal Web Agent protects NFuse and Citrix Secure Gateway

Agent protects ICA traffic

Includes consolidated login screen for one-time passcodes and Windows


Recent success stories with PremierAccess and Citrix


Kindred Healthcare

Evanston Healthcare

McKesson HBOC


Intuitive Surgical

Naval Research Lab

ETS Testing Lab

Asecus, AG

Thiel Logistics

Trizec Hahn


Advent Outsource

WM Engineering


SafeWord for Citrix MetaFrame

Developed Citrix-specific product

Launched at RSA Show, April 17

Product available May 16

Citrix-only implementation

Pre-configured, simplified installation

Simplified documentation, packaging

Citrix branding on tokens & package

No training requirements for resellers and customers


SafeWord for Citrix: simple and cost-effective


[Diagram: User, Web Interface, MetaFrame, Active Directory, Microsoft Mgmt Console (MMC), Tokens, Authentication Server]

Tokens assigned to users and managed through MMC

In most cases, the authentication server can live on the Active Directory box

One-screen login for all Windows and

Customer and channel benefits

Simpler solution for Citrix customers

No integration required—makes it easy and practical to deploy strong authentication

The best solution available—much cleaner than offerings from other AAA vendors

Be up and running in half an hour

Competitive, simplified pricing

Simplified, consolidated pricing of server software, tokens and support

Priced per authenticator—no user management


Simplified pricing model

Priced on per-authenticator basis (not per user)

Single price includes tokens, software, 1st year support

Based on Citrix user counts

Starts at $99 per user

Tokens Price per user Total

5 (starter)






20 (starter)







SafeWord for Citrix vs. RSA

Citrix focus and branding

Dramatically simpler to install & deploy

Integration with Active Directory

No redundant user records

Lower cost ~ ½ the entry price per user

Runs on existing hardware

Superior tokens: non-expiring, instant passcodes, lower maintenance


Distribution Plans

Channel Focused Product

Easy to quote & add on to Citrix sales

Easy to integrate into a customer


No certification or training requirements

Sold through distribution

US – Alternative Technology

ROW – SCC certified distributors and VARs


[Diagram: Web Interface, MetaFrame XP, Active Directory, MetaFrame Server Farm, SafeWord NFuse Agent, SafeWord Server, SafeWord Management Console]


About SW4C components

SW4C consists of the following components

Core services

Authentication Engine, Administration Service, and database

SafeWord Active Directory Management Plug-in

Allows tokens and users to be centrally managed from Active Directory

Snap-in to the Microsoft Management Console which extends the functionality of Active Directory Users and Computers

User Center

Optional web application for user self-service including token enrollment, token testing, and PIN reset

May be used by the end-user directly or a help desk employee

Agent for MetaFrame XP Web Interface (NFuse Classic)

Enhances the Web Interface login pages to support SafeWord authentication


Prerequisites for installing SW4C

All SW4C components require Windows 2000 Server

Web Interface is only supported under Windows

MetaFrame for Unix is supported as long as Web Interface is running under Windows

SW4C works both with and without Citrix Secure Gateway

In practice, however, Secure Gateway is highly recommended



Active Directory for user management

MetaFrame environments must be migrated from NT domains to Active Directory

Token records are stored in the SW4C database

Users and user-to-token mapping are stored in Active Directory


Prerequisites (continued)

SW4C enhances the Web Interface for MetaFrame XP

SW4C installer automatically detects the version of NFuse Classic or W.I. and makes the appropriate modifications

SafeWord authentication can be toggled from W.I. Admin

Additionally, SW4C allows group-based policies to be built in order to determine who must strongly authenticate when accessing applications


Active Directory Integration

Expanded Active Directory


SafeWord tab added to standard MMC user management

Windows administrators can:

Assign tokens to users

Assign, update user PINs

Test tokens


Active Directory Integration

Simplified management tools

Import, manage token records

Backup, restore token database


Administrators don’t have to assign each user a specific token

Users can self-enroll through the embedded User Center

User enters Active Directory username and token serial number

Can save up to 85% when compared to traditional token deployments


Security, Firewall, and OS Issues

Core components can be installed on any Windows 2000 Server in an Active Directory domain

Should not be located in a DMZ or other insecure area of the network

Web Interface for MetaFrame XP agent can be installed on any Windows 2000 Server with IIS that is hosting Web Interface

Does not necessarily need to be a member of a domain

Can reside in a DMZ of the network

Communicates with the core server using an XML-based, SSL-secured protocol

User Center can be installed on any Windows 2000 Server

This system does not necessarily need to be a member of a domain

Can reside in a DMZ of the network

Includes an embedded web server

Communicates with the core servers using an XML-based, SSL-secured protocol


Product integration direction

Our goal is to add easy strong authentication to ALL MetaFrame products

MetaFrame Secure Access Manager v2.0 (Magens Bay)

MetaFrame Password Manager (Bimini)

All the necessary pieces are available today in


New MetaFrame Web Interface Agent

Universal Web Agent

Full RADIUS support and embedded server

Agent for protecting ICA traffic

We are working closely with Citrix product managers to develop the cleanest, customer-friendly solutions


SafeWord for Citrix Launch & Roadmap




Regional Seminars

RSA Show (4/13-17)

iForum 2003 (10/13-16)

iForum NE (5/12-14)

Training

Release 1 (May 16)

Web Interface Agent

Windows 2000

Release 2 (TBD)

SAM Agent

PM Agent


Working Together

Citrix Benefits

SCC lowers cost/complexity of strong authentication

Demo & Eval product for SE’s, EBC’s, CCS…

SCC Regional Managers introduce ERM’s to Accounts

SCC sponsorship of iForum & Channel Events

Mutual Benefits

Users Groups

Regional seminars


Online demo site

Live online demo site

Request a token or evaluation


Evals shipping on May 16

Self-enroll a token

Demonstrate strong authentication for Citrix

Customer registration: