Citrix MetaFrame Secure Access Manager 2.2
Codename – “Tampa”
Citrix MetaFrame Secure Access Manager 2.2 - Release Themes
• Messaging synchronization for Outlook
– Users can securely access Microsoft Outlook email, calendar, contacts and tasks in real time, and synchronize the information to their local devices.
– Workers have access to critical information locally and can work from anywhere – even on a plane or in a car.
• Securing Alternative User Interfaces
– Administrators can integrate existing portal implementations into their access infrastructure and securely deliver access to portals anywhere.
New Features – Messaging Synchronization for Outlook
• Secure email synchronization using Secure Gateway
• Support for Outlook 2000, XP, and 2003 clients
New Features – Alternate User Interfaces
• Allows direct access to Web-based infrastructures immediately after authentication.
• Allows customers to leverage existing infrastructure
• Secures Enterprise Information Portals (EIPs)
• Enables greater flexibility in customized MetaFrame
Architectural Changes
• Updated Services
– Secure Ticketing Authority
– Logon Agent
• New Client
– Advanced Gateway Client
• No changes to:
– Access Center
• No new or updated CDAs
– Core services (State, Agent, Web)
Updated Secure Ticketing Authority
• Generates two types of tickets:
– ICA Ticket
• Supports launching of ICA connections through Secure Gateway
• Sent as part of ICA files to client
• Same ticket type produced by earlier STA versions
– Advanced Gateway Client Ticket
• Used to invoke the Advanced Gateway Client on user’s desktop
• Includes list of configured alternate sites and exchange servers
• Administrator configures the following:
– Secure Ticket Authority ID
– ICA and Advanced Gateway Client ticket settings
Updated Logon Agent
• Controls access to email synchronization and alternate sites
– Enables or disables use of the Advanced Gateway Client
– Determines which users/groups can access alternate sites and exchange servers
– Sets Logon Agent redirection URL (alternate website or MSAM access center)
– Sets Advanced Gateway Client download URL
• Can be integrated with a MetaFrame Presentation Server XML Service
– Allows access to the alternate website and email synchronization features to be set for a specific domain group
• Intercepts traffic at the application layer
• Restricts request interception to a list of known servers
Advanced Gateway Client
• Intercepts traffic at the IP level
• Uses the standard Windows Service Provider Interface
• Restricts request interception to a known list of applications and servers
[Diagram: OSI layers – Application, Presentation, Session, Transport, Network, Data Link, Physical – marking where the Advanced Gateway Client intercepts traffic]
Advanced Gateway Client
• Required for use of Outlook Synchronization and Alternate User Interfaces
• Restricts traffic to a configured list of internal servers at the network layer
– Inspects the intended destination
– If appropriate, redirects the traffic to the Gateway Service and into the internal network
• Like a traditional IPSec client, but…
– Restricts access by application executable and destination
Protocol Support
• AGC officially supports:
– ICA
– HTTP/HTTPS
– WebDAV
– RDP
– MAPI
• AGC can work with other protocols
– No additional protocols were tested
– No additional protocols are supported
Client Comparison – Gateway Client vs. Advanced Gateway Client
• Installation: Gateway Client – ActiveX; Advanced Gateway Client – stand-alone Win32
• Comparison criteria:
– Access Center
– Internal file shares (via CDA)
– Standard Internet and intranet sites
– Sites incorporating client-side Java
– Sites incorporating WebDAV and other verbs
– Email synchronization (Exchange)
– Access to Alternate User Interfaces
Existing MSAM Architecture
[Diagram: the ICA Client and Gateway Client connect over SSL (optional 2-factor authentication) to the Secure Gateway and Logon Agent placed between the two firewalls; behind the inner firewall sit the Presentation Server farm, other internal resources (Web servers, file servers for docs), the Content Delivery Server with Content Delivery Agents (CDAs), Agent Server, Authentication Service, Secure Ticketing Authority, Web Server, State Server (State Service database, Access Center, Enumeration, Access) and Index Server (Indexing Engine, Search Engine)]
Secure Gateway: secure reverse proxy that secures interaction with internal resources
Web Server: serves HTML, authenticates users and issues session tickets
State Server: maintains session state and Access Center configuration
Index Server: allows indexing and searching of internal Web and file servers
Advanced Gateway Client Overview
[Diagram: the same architecture as the previous slide, with the Advanced Gateway Client on the user's machine carrying SSL/HTTP traffic through the Secure Gateway to Exchange servers and Alternative UI servers among the internal resources; the State Server additionally provides Authorization & Authentication]
Advanced Gateway Client setup:
– Install the client on the user's machine (can be delivered via MetaFrame Secure Access Manager at logon)
– Specify which users are allowed to use the Advanced Gateway Client
– Specify which servers can be accessed using the Advanced Gateway Client:
• Exchange servers via port 135 (RPC)
Securing Alternative User Interfaces
[Diagram: the same architecture, with the Gateway Client reaching the Alternative UI servers through the Secure Gateway; internal resources include the Presentation Server farm, Web servers (Java/WebDAV), file servers (docs), Exchange servers and Alternative UI servers]
Alternate User Interface setup:
– Add Alternate UI server name(s) to the Secure Access Manager server ACL (access control list)
– Specify the Alternate UI URL at Secure Gateway as the default Home Page URL
Installation Notes
• Secure Access Manager 2.2 is an upgrade
• New customers will need to:
– Install MetaFrame Secure Access Manager 2.0
– Upgrade to MetaFrame Secure Access Manager 2.1
– Upgrade Logon Agent and STA to 2.2
• To install the Advanced Gateway Client:
– You must be logged on to the target workstation as an administrator.
– The workstation cannot be running a server operating system such as NT, Windows 2000 or Windows 2003 Server.
Other Notes
• If redirection to an alternate website is performed…
– The user may need to log into the alternate website
– The second logon can be facilitated with Password Manager
• Two Advanced Gateway Client installation packages
– MSI package (Windows XP Professional, 2000 Professional)
– EXE package (Windows 98)
• Both the Advanced Gateway Client and Gateway Client might be utilized in certain circumstances
Possible Issues
• Cannot access Exchange server (connection is lost)
– Port 135 is used for discovery only
– The MAPI port may change on restart of the Exchange server
– Recommend setting a static port for Exchange (MAPI)
• Cannot configure mail account in Control Panel
– Control Panel uses rundll32.exe (not supported)
– Use Tools -> Options in Outlook to configure
• Advanced Gateway Client does not close
– Session does not end when the application is closed
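The interception rule described on the Advanced Gateway Client slides (traffic is redirected to the Gateway Service only when the application executable, the destination server and the port are all on the configured list) explains the first two issues above. The following Python is an added illustration, not Citrix code: it models that decision logic and replays the MAPI dynamic-port and rundll32.exe cases. The hostnames, the process names in the rules, the dynamic port and the static MAPI port are constructed assumptions, and the model shows only the allow-list decision, not how the client hooks into Winsock.

```python
"""Model of per-application, per-destination traffic interception.

Added illustration (not Citrix code): reproduces the decision the Advanced
Gateway Client is described as making (inspect the destination and, if the
application and server are on the configured list, redirect the traffic to
the Gateway Service; otherwise leave it alone) and replays the Exchange/MAPI
dynamic-port issue and the rundll32.exe issue. Hostnames, process names and
port numbers below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

REDIRECT = "redirect-to-gateway"  # intercepted and tunnelled into the internal network
BYPASS = "not-intercepted"        # left on the normal path, which fails from outside

EPMAP_PORT = 135  # RPC endpoint mapper: Outlook uses it only to discover the MAPI port


@dataclass(frozen=True)
class Rule:
    """One entry of the client's allow list."""
    executables: FrozenSet[str]  # process names permitted to use this rule
    servers: FrozenSet[str]      # internal server names the rule covers
    ports: FrozenSet[int]        # destination TCP ports the rule covers


@dataclass
class ClientPolicy:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, exe: str, host: str, port: int) -> str:
        """Return REDIRECT when some rule matches executable, server and port."""
        exe, host = exe.lower(), host.lower()
        for rule in self.rules:
            if exe in rule.executables and host in rule.servers and port in rule.ports:
                return REDIRECT
        return BYPASS


def mapi_session(policy: ClientPolicy, exe: str, exchange: str,
                 mapi_port: int) -> List[Tuple[int, str]]:
    """Replay the two connections Outlook makes to Exchange.

    First the endpoint mapper on port 135, then the MAPI port it was given.
    A BYPASS on the second connection is the 'connection lost' symptom: the
    client discovered the server but was never redirected into the network.
    """
    return [(EPMAP_PORT, policy.decide(exe, exchange, EPMAP_PORT)),
            (mapi_port, policy.decide(exe, exchange, mapi_port))]


def session_ok(trace: List[Tuple[int, str]]) -> bool:
    """True only if every connection in the trace was redirected."""
    return all(decision == REDIRECT for _, decision in trace)


# Constructed example environment.
EXCHANGE = "mail01.corp.example"
PORTAL = "portal.corp.example"
STATIC_MAPI_PORT = 55000  # constructed: the port Exchange would be pinned to

# Weak: only the discovery port is listed, so whatever port the Exchange
# server picks after a restart falls outside the rule.
weak_policy = ClientPolicy([
    Rule(frozenset({"outlook.exe"}), frozenset({EXCHANGE}), frozenset({EPMAP_PORT})),
    Rule(frozenset({"iexplore.exe"}), frozenset({PORTAL}), frozenset({80, 443})),
])

# Corrected: Exchange uses a static MAPI port and that port is listed as well.
fixed_policy = ClientPolicy([
    Rule(frozenset({"outlook.exe"}), frozenset({EXCHANGE}),
         frozenset({EPMAP_PORT, STATIC_MAPI_PORT})),
    Rule(frozenset({"iexplore.exe"}), frozenset({PORTAL}), frozenset({80, 443})),
])

if __name__ == "__main__":
    # 49152 stands for a dynamic port chosen by Exchange after a restart (constructed).
    print("weak :", mapi_session(weak_policy, "outlook.exe", EXCHANGE, 49152))
    print("fixed:", mapi_session(fixed_policy, "outlook.exe", EXCHANGE, STATIC_MAPI_PORT))
    # The Control Panel mail applet runs under rundll32.exe, which is not listed.
    print("rundll32:", fixed_policy.decide("rundll32.exe", EXCHANGE, EPMAP_PORT))
```

The weak policy redirects the port 135 discovery but not the follow-up MAPI connection, which is exactly the "discovery only" symptom; pinning Exchange to a static port and listing it makes both connections match. The same match function also shows why configuring mail from Control Panel fails: the request comes from rundll32.exe rather than outlook.exe, so no rule applies.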
Competitors
• SSL VPNs
– NetScreen (formerly Neoteris)
– Aventail
– Netilla/Tarantella
– Whale
• Portals
– SharePoint
On the Horizon…
• Next Release
– Codename: “Malibu”
– Release Timeframe: “Turnberry” Suite Release - 1H ‘05
• Release Focus
– Improved Suite integration
– Extended Access Center functionality:
• Extended browser support
• Improved Shared Docs and Links CDAs
– Remote access policies based on: