Citrix Access Gateway Enterprise Edition Technical


Citrix Access Gateway Enterprise Edition

Technical Overview

Seceidos GmbH & Co. KG, Robert Hochrein, [email protected]

Citrix Access Gateway

SSL VPN Remote Access: simple and cost-effective secure remote access, with advanced access control and device flexibility.

• Access Gateway Standard Edition: best for small-to-midsized customers
• Access Gateway Advanced Edition: best for Presentation Server environments
• Access Gateway Enterprise Edition: best for complex and demanding environments and enterprise deployments

Internal and Partner Use Only

© 2005 Citrix Systems, Inc.—All rights reserved.

Access Gateway Enterprise Edition Features & Benefits

Traffic Acceleration
  Description: Speed access to applications and resources with SSL offload, web compression, and TCP optimization.
  Benefit: Provide the optimal remote access experience for users over low-bandwidth, high-latency connections.

High Availability Configuration
  Description: Link master and backup appliances to create a redundant cluster which ensures sessions will remain active if the master fails.
  Benefit: Keep remote access available for users even in the case of an appliance failure.

Global Server Load Balancing (GSLB)
  Description: Route client connections to the best site based on site availability, health, proximity, and responsiveness.
  Benefit: Improve the remote user's access experience by connecting them to the best performing site. Implement a disaster recovery and business continuity strategy.

Roles-based Administration
  Description: Create and manage administrative users and groups that can each have unique management privileges.
  Benefit: Define security policies to ensure administrators only perform the minimal set of operations required by their role.

Enterprise-class Auditing
  Description: Monitor and log all operations requested by end users and administrators.
  Benefit: Gain full visibility into all operations to ensure services and data remain secure.

Quarantine Groups
  Description: Provide limited access rights for clients which fail the end-point analysis scans.
  Benefit: Create remediation sites to allow clients to install the most recent anti-virus pattern files, operating system patches, etc. prior to connecting to the protected resources.

Access Gateway Enterprise Edition Features & Benefits (continued)

Browser Cleanup
  Description: Remove objects and data stored on the browser while the SSL VPN session was open.
  Benefit: Prevent sensitive corporate information from inadvertently being leaked to mobile laptops and home PCs.

Denial of Service Prevention
  Description: Protect resources from common denial of service attacks such as SYN attacks and HTTP GET floods.
  Benefit: Ensure continued service to legitimate users by protecting the organization's servers.

Access Interface
  Description: Allow users to set up bookmarks and access files through a web browser.
  Benefit: Give users a quick and easy way to access frequently used resources.

Extensive Authentication Support
  Description: Provide authentication from a wide variety of typical enterprise authentication systems (including smart cards).
  Benefit: Allow administrators to easily integrate their SSL VPN into their existing environment.

Security Certifications
  Description: Enterprise Edition has been independently certified by ICSA Testing Labs (v2.0). A FIPS 140-2 Level 2 certified cryptographic module is available as a hardware option for the model 9000 platform.
  Benefit: Customers have independent verification of the security and capabilities of the Enterprise Edition. US Government organizations and contractors may require FIPS 140-2 certified cryptography.

VLAN Support
  Description: Support 802.1q packet tagging to route packets to the correct VLAN segment.
  Benefit: Allow administrators to quickly deploy the SSL VPN to work in networks with existing VLAN topologies.

Access Gateway Enterprise Edition Appliance Options

Model 7000
  Software editions supported: Enterprise
  Form factor: 1U
  FIPS option: no
  Redundant power supplies: no
  Maximum VPN users: 2,500

Model 9000
  Software editions supported: Enterprise
  Form factor: 2U
  FIPS option: yes
  Redundant power supplies: yes
  Maximum VPN users: 5,000

Methods of Initial Configuration

• Command-line Interface (CLI)
• Java Configuration Utility (GUI)

Basic Configuration – CLI method

To access the configuration utility, connect the supplied console cable and use terminal emulation at 9600,N,8,1. The appliance then presents the following menu:

    REVIEW CONFIGURATION PARAMETERS MENU
    -----------------------------------
    This menu allows you to view and/or modify the NetScaler's configuration.
    Each configuration parameter displays its current value within brackets if it has been set.
    To change a value, enter the number that is displayed next to it.
    -----------------------------------
    1. NetScaler's IP address: [192.168.100.1]
    2. Netmask: [255.255.0.0]
    3. Advanced Network Configuration.
    4. Time zone.
    5. Cancel all the changes and exit.
    6. Apply changes and exit.

    Select a menu item from 1 to 6 [6]

Accessing the Administration Portal

Open a web browser to the default IP (http://192.168.100.1).

Configuration Utility Login

• Accept the certificate warning
• Log in with the default user “nsroot”
• The default password is “nsroot”

Administration Traffic

[Diagram: Administrator Workstation connected to the appliance]

Management traffic uses port 3010 and an encrypted protocol.

Quick Start with the SSL VPN Wizard

• Start the Wizard
• Set the IP address
• Set the SSL certificate
• Select a DNS server
• Point to an AAA server
• And you’re done!

Define Multiple Virtual Servers

• Each virtual server has a unique:
  – IP address and FQDN
  – SSL certificate
  – Authentication configuration
  – Policy set
• Policies can optionally derive from a global policy set

Example: Vpn1.company.com (10.10.10.1), Vpn2.company.com (10.10.10.2), Vpn3.company.com (10.10.10.3)

Dashboard Utility

Authentication

• Supports Major Authentication Methods
  – Active Directory
  – LDAP
  – NTLM
  – RADIUS (with challenge-response support)
  – RSA SecurID
  – TACACS+
  – Local
  – Client Certificates
• Supports Cascading Authentication

Authorization

• Policy Driven Access
  – Authentication by Policy
  – Authorization by Policy
  – Session control by Policy
  – Auditing by Policy
• Wide Variety of Criteria
  – Policy based on network information
  – Policy based on application access
  – Policy based on client certificate parameters
  – Policy based on client configurations
• Highly Granular Access Control
  – Users/Groups up to Global policies
  – HTTP authorization based on URL
  – TCP/IP authorization based on address and port

Auditing

• Full Administrative Audit Trail
  – All management operations logged
• Full User Audit Trail
  – All session activity (login, logout, timeout)
  – All network flows (not just web)
• All System Events
• Support for External Syslog Servers

Client Security

• Session Policies can control:
  – Split tunneling
  – Forward proxy definitions
  – Session timeout values
  – Client security
• End Point Analysis
  – Built-in support for Antivirus checks
  – Built-in support for Firewall checks
  – Host identification
• Client Side Clean Up
  – Clean browser cache, history, auto completion files, plug-ins, etc.
  – Control with session policies
  – Administrator can mandate

Denial of Service Protection – SYN Attacks

[Diagram: Normal TCP Sequence (client/server handshake) beside a SYN Flood]

Enterprise Edition avoids memory consumption with packet cookies.
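As an added illustration of the packet-cookie idea (not Citrix code; the appliance's real cookie layout is not described on this page), the following Python models a SYN cookie: the server folds a keyed hash of the connection 4-tuple, a coarse time counter and an MSS index into its initial sequence number, so it holds no half-open state until the client's ACK proves the handshake. The secret, the bit layout and the MSS table are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real implementation rotates it regularly.
SECRET = b"constructed-demo-secret"
# Constructed MSS table; the index is encoded in the cookie so the server can
# recover the negotiated MSS without having stored the original SYN.
MSS_TABLE = [536, 1220, 1440, 1460]
MASK32 = 0xFFFFFFFF

def syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, mss_index):
    """Initial sequence number for the SYN-ACK: 5-bit time counter,
    3-bit MSS index, 24-bit keyed hash of the 4-tuple and counter."""
    counter &= 0x1F
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return (counter << 27) | ((mss_index & 0x7) << 24) | int.from_bytes(mac, "big")

def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now_counter, max_age=2):
    """Return the MSS to use if the client's ACK carries a cookie we issued
    recently for this 4-tuple; None means drop the packet (no state was held)."""
    isn = (ack_num - 1) & MASK32           # client acknowledges our ISN + 1
    counter = isn >> 27
    if (now_counter - counter) & 0x1F > max_age:
        return None                         # cookie too old (or replayed)
    mss_index = (isn >> 24) & 0x7
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, mss_index)
    if not hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
        return None                         # forged or tampered cookie
    return MSS_TABLE[mss_index]

def half_open_entries(stateful, spoofed_syns):
    """Backlog entries left behind by SYNs that never complete the handshake:
    a stateful listener stores one per SYN, a cookie-based one stores none."""
    backlog = set()
    for i in range(spoofed_syns):
        src = (f"203.0.113.{i % 256}", 1024 + i)   # constructed spoofed sources
        if stateful:
            backlog.add(src)
        else:
            syn_cookie(src[0], src[1], "192.168.100.1", 443, i // 64, 3)
    return len(backlog)

if __name__ == "__main__":
    c = syn_cookie("198.51.100.7", 51000, "192.168.100.1", 443, 7, 3)
    print("mss on valid ack:", validate_ack("198.51.100.7", 51000, "192.168.100.1", 443, c + 1, 8))
    print("half-open after 10000 spoofed SYNs: stateful =", half_open_entries(True, 10000),
          "cookies =", half_open_entries(False, 10000))
```

The trade-off the model makes visible is that the cookie can carry only a few bits of negotiated state (here, an MSS index), which is why real implementations pay that price only when the backlog is under pressure.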

Other Denial of Service Protections

Other Prevented Attacks:
  – Packet Floods
  – HTTP GET Floods
  – SSL Floods
  – Idle Connection Floods

Security

[Diagram labels: Web, Email, Web Portal; Quarantined]

• User Quarantine
  – Users assigned to a quarantine group when end-point analysis fails
  – Differentiated session and resource authorization policies
  – Use to grant limited access to remediation sites

Client Support

• All Windows Platforms
  – Windows 98/ME
  – Windows NT/2000/XP/SP2
  – Windows CE and PocketPC
• MacOS X and Linux
  – Java Based Client
• Reliable Application Access
  – No application content modification
• Enforces Client Security

Navigation Homepage

• Bookmarks
  – Customize global bookmarks
  – Per-User bookmarks
  – Filesystem bookmarks
• Themes
  – Custom style sheets supported
  – Logo update
  – End user can pick their own colors
• Integrated File Manager
  – Web based file access
• Unicode Support

Server-Initiated Requests

[Diagram: Source IP = Client IP on the client side; Source IP = Mapped IP on the server side]

The client connects and is assigned a unique Mapped IP address. Servers can use this Mapped IP address to establish server-initiated connections back to the client.

High Availability Pairing

[Diagram: Master and Backup appliances serving Vpn.company.com (10.10.10.1); network health-check packets are exchanged between them]

Two appliances can be linked to form an active/passive cluster. Health-checking packets are constantly exchanged between the pair. When the master fails, the backup assumes the IP address. All connections from the client are broken and must be re-established.

Global Server Load Balancing (GSLB)

• Distributes network traffic across multiple sites
• Routes client connections to the nearest site
• Distributes server load across multiple sites
• Implements disaster recovery

Includes NetScaler Capabilities

[Diagram: Internet-facing deployment, labelled “5x Faster”]

Access Gateway Enterprise Edition

The best solution for the complex and demanding enterprise!