Access Gateway Operation

(Diagram: client network stack with IP and SSL layers → Access Gateway → Servers)
– All traffic is tunneled in SSL to the gateway.
– The Access Gateway opens TCP or UDP connections to the servers on the user’s behalf.
Secure Gateway Capabilities
(Diagram: Internet → DMZ 1 → DMZ 2 → Internal, with Web Interface, STA & XML Server and CPS Server; port labels on the diagram: 80/443 on three links, 1494, 2598, 1080/443, 443)
– Single or double-hop DMZ support
– No VPN client required; works with native, Java, and ActiveX ICA clients
– Supports SmoothRoaming and workspace control

Full Client Operation
(Diagram: Applications → CitrixSAClient.exe listening on local ports :10000, :10010, :10020, :10040 → NDIS shim in kernel space → SSL to the gateway)
– App connects to an IP that the gateway client intercepts.
– VPN client initiates a new SSL connection to the gateway on port 443.
– Intercepted traffic appears to originate from the gateway to the client on port 10010.

VPN Client in Non-admin mode
(Diagram: as above, but interception is done by a Winsock shim in user space rather than an NDIS shim in kernel space; CitrixSAClient.exe on local ports :10000, :10010, :10020, :10040)
– App connects to an IP that the gateway client intercepts.
– VPN client initiates a new SSL connection to the gateway on port 443.
– Intercepted traffic appears to originate from the gateway to the client on port 10010.
What types of traffic can the non-admin VPN client intercept?

OK in Non-admin mode                 | Requires admin mode
-------------------------------------|--------------------
Internet Explorer, Firefox, etc.     | VoIP
ICA Client, RDP Client               | CIFS/SMB
Outlook, Lotus Notes                 | Streaming Video
Java applets                         | Any UDP traffic
Most TCP-based applications          |
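The three slides above describe the two client modes and the table of what each can intercept. The following added example (not Citrix code) models that behaviour: admin mode sees every IP packet through the NDIS shim, non-admin mode only sees TCP connections made through Winsock, and an intercepted flow is tunneled to the gateway on 443, opened by the gateway on the user's behalf, and answered from the local CitrixSAClient.exe port 10010. The intercepted address ranges, the sample applications and the "layer" attribute of each flow are assumptions chosen for illustration.

```python
"""Added example, not Citrix code: which application flows the Access Gateway
VPN client intercepts in admin mode (NDIS shim, kernel space) versus non-admin
mode (Winsock shim, user space), and how an intercepted flow is re-originated."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the gateway client is configured to intercept these intranet ranges.
INTERCEPTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

GATEWAY = ("access.company.com", 443)   # the VPN client's SSL connection to the gateway
CLIENT_LOCAL_PORT = 10010                # intercepted return traffic appears from this local port


@dataclass(frozen=True)
class Flow:
    app: str
    proto: str      # "tcp" or "udp"
    layer: str      # "winsock": app opened a Winsock socket; "kernel": generated below Winsock (e.g. SMB redirector)
    dst_ip: str
    dst_port: int


def can_intercept(flow: Flow, admin_mode: bool) -> bool:
    """Admin mode (NDIS shim) sees every outbound IP packet: TCP, UDP, any layer.
    Non-admin mode (Winsock shim) only sees TCP connections made through Winsock,
    which is why VoIP, streaming video, CIFS/SMB and any UDP need admin mode."""
    if admin_mode:
        return True
    return flow.proto == "tcp" and flow.layer == "winsock"


def in_intercepted_range(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERCEPTED_NETS)


def route(flow: Flow, admin_mode: bool) -> dict:
    """Decide what happens to one flow and describe the resulting path."""
    if not in_intercepted_range(flow.dst_ip):
        return {"path": "direct"}                # not an intercepted IP: leaves the host normally
    if not can_intercept(flow, admin_mode):
        return {"path": "not-intercepted"}       # requires admin mode; the client never sees it
    return {
        "path": "tunnel",
        "tunnel_to": GATEWAY,                                        # new SSL connection on 443
        "gateway_opens": (flow.proto, flow.dst_ip, flow.dst_port),  # gateway connects on the user's behalf
        "reply_appears_from": ("CitrixSAClient.exe", CLIENT_LOCAL_PORT),
    }


# Constructed sample flows, one per row of the admin / non-admin table.
SAMPLE_FLOWS = [
    Flow("Internet Explorer", "tcp", "winsock", "10.1.1.5", 80),
    Flow("ICA Client", "tcp", "winsock", "10.1.1.40", 1494),
    Flow("Outlook", "tcp", "winsock", "10.1.1.20", 135),
    Flow("VoIP softphone", "udp", "winsock", "10.1.2.3", 5060),
    Flow("Windows file share (SMB redirector)", "tcp", "kernel", "10.1.1.30", 445),
    Flow("Public web site", "tcp", "winsock", "203.0.113.10", 443),  # TEST-NET-3, outside the intranet
]


def summarize(admin_mode: bool) -> dict:
    """Map each sample application to the path its traffic takes in the given mode."""
    return {f.app: route(f, admin_mode)["path"] for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for mode in (False, True):
        print("admin mode" if mode else "non-admin mode", summarize(mode))
```

Running the block shows the UDP softphone and the kernel-level SMB redirector traffic going untouched in non-admin mode and tunneled in admin mode, while ordinary Winsock TCP applications tunnel in both; traffic to addresses outside the intercepted ranges never touches the client.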
Direct access to file shares via AG
(Diagram: Client → VPN: 443 → Access Gateway → File Server)
– CIFS: 445 (TCP)
– Browsing: 3268 (GC) or 137/139 (NBT)
– Kerberos KDC: 88 (TCP)

Browser access to files via Advanced Edition (or Enterprise Edition)
(Diagram: Client → HTTPS: 443 → Access Gateway → HTTP(S): 80 or 443 → Advanced Access Control server → CIFS, etc. → File Server)

Exchange and MAPI
(Diagram: Client → Exchange)
– RPC Port Discovery: 135
– Exchange Directory NSPI Proxy Interface: (dynamic)
– Exchange Information Store Interface: (dynamic)
– Exchange Site Replication Service: (dynamic)

Option #1: Proxying MAPI with Access Gateway
(Diagram: Client → VPN: 443 → Access Gateway → Exchange)
– RPC Port Discovery: 135
– Exchange Directory NSPI Proxy Interface: (dynamic)
– Exchange Information Store Interface: (dynamic)
– Exchange Site Replication Service: (dynamic)
KB: Configuring Static Exchange Ports http://support.microsoft.com/kb/270836/

Option #2: Proxying MAPI over HTTP
(Diagram: Client → VPN: 443 → Access Gateway → HTTP: 80 → Exchange Front-end or IIS 6.0 RPC Proxy → 135 and dynamic port → Exchange)
Con: Requires Outlook client reconfiguration
Presentation Server Access
(Diagram: Internet | DMZ | Trusted Network. Client → SSL/TLS (Port 443) → Access Gateway; Access Gateway → ICA protocol (Port 1494 or 2598) and XML (Port 80 OR 443) → Citrix Presentation Server Farm; Access Gateway → HTTP (Port 80) OR HTTPS (Port 443) → Web Interface. Note on the diagram: use SSL Relay to encrypt XML/STA traffic.)
• No Windows in the DMZ, just a hardened appliance
• Web Interface servers may be brought onto the Trusted Network and shared with LAN users
• Access Gateway credentials can be relayed to Web Interface for single sign-on to Presentation Server
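The diagram above is effectively a firewall specification between the three zones. The added example below (not Citrix code) writes those flows down as data, derives the minimal DMZ ruleset from them, and audits a candidate ruleset for three things a reviewer looks for: a required flow with no rule (broken deployment), a rule that serves no required flow (excess exposure), and a flow permitted only in cleartext where the diagram offers an SSL-protected port (the "use SSL Relay to encrypt XML/STA traffic" note). The zone names, the rule tuple format and the candidate ruleset are assumptions for illustration.

```python
"""Added example, not Citrix code: minimal zone firewall rules for the
Presentation Server access path and an audit of a candidate ruleset."""
from typing import NamedTuple


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int


# Required flows from the diagram: (src zone, dst zone, name, acceptable ports,
# ports on which the flow is SSL/TLS-protected).  XML/STA and Web Interface are
# protected only when run on 443 (SSL Relay / HTTPS); ICA has no such option here.
REQUIRED = [
    ("Internet", "DMZ", "client to Access Gateway, SSL/TLS", {443}, {443}),
    ("DMZ", "Trusted", "ICA to Presentation Servers", {1494, 2598}, set()),
    ("DMZ", "Trusted", "XML/STA to Presentation Servers", {80, 443}, {443}),
    ("DMZ", "Trusted", "Access Gateway to Web Interface", {80, 443}, {443}),
]


def minimal_ruleset(prefer_encrypted: bool = True) -> list:
    """One rule per required port, using the encrypted port wherever a flow offers one."""
    rules = []
    for src, dst, _name, ports, enc in REQUIRED:
        chosen = sorted(enc if (prefer_encrypted and enc) else ports)
        for port in chosen:
            rule = Rule(src, dst, "tcp", port)
            if rule not in rules:          # one 443 rule serves both XML/STA and Web Interface
                rules.append(rule)
    return rules


def audit(candidate: list) -> dict:
    """Compare a candidate ruleset with the required flows.

    missing:   required flows with no matching rule
    excess:    rules that match no required flow
    cleartext: flows permitted only on an unprotected port although an SSL port exists
    """
    cand = set(candidate)
    missing, cleartext, used = [], [], set()
    for src, dst, name, ports, enc in REQUIRED:
        matches = {r for r in cand
                   if r.src == src and r.dst == dst and r.proto == "tcp" and r.port in ports}
        if not matches:
            missing.append(name)
            continue
        used |= matches
        if enc and not any(r.port in enc for r in matches):
            cleartext.append(name)
    return {"missing": missing, "excess": sorted(cand - used), "cleartext": cleartext}


# Constructed candidate: XML and Web Interface only on 80, plus a stray RDP rule from the DMZ.
CANDIDATE = [
    Rule("Internet", "DMZ", "tcp", 443),
    Rule("DMZ", "Trusted", "tcp", 1494),
    Rule("DMZ", "Trusted", "tcp", 80),
    Rule("DMZ", "Trusted", "tcp", 3389),
]

if __name__ == "__main__":
    print("minimal:", minimal_ruleset())
    print("audit:  ", audit(CANDIDATE))
```

Against the constructed candidate the audit reports no missing flow, one excess rule (3389 from the DMZ into the trusted network) and two cleartext flows (XML/STA and Web Interface on 80), which is exactly the state the SSL Relay note on the slide is there to fix.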
How it works: Access Presentation Servers with no VPN Client
(Diagram: Client → HTTPS/SSL → Access Gateway → Web Interface → XML → Presentation Server Farm)
1. User points to https://access.company.com
2. Access Gateway terminates SSL and authenticates the user
3. Reverse proxy to Web Interface and perform single sign-on
4. User clicks an application icon
5. Web Interface requests a ticket from the XML Service
6. Web Interface sends the ticket to the user in an ICA file
7. ICA Client spawns, sends ICA in SSL to Access Gateway
8. Access Gateway validates the ticket
9. ICA session established and application is displayed on the user desktop
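The nine steps above are a ticket-brokered launch: the user never receives the internal server address, only a ticket that the gateway redeems. The added example below (not Citrix code) simulates steps 4 to 9 with a Web Interface, an XML/ticketing service and a gateway as small Python classes. Assumed rather than stated on the slide: tickets are random, single-use and expire after a short lifetime, and the gateway resolves the Presentation Server address from the ticket rather than reading it from the ICA file. Host names, the ticket lifetime, the ICA file layout and the injectable clock are illustrative.

```python
"""Added example, not Citrix code: simulation of the ticketed ICA launch through
the Access Gateway, with single-use, expiring tickets (an assumption)."""
import secrets
import time


class XMLService:
    """Step 5 issues tickets for the Web Interface; step 8 validates them for the gateway."""

    def __init__(self, farm: dict, ttl_seconds: int = 100, clock=time.time):
        self.farm = farm              # application name -> Presentation Server address
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for testing expiry
        self._tickets = {}            # ticket -> (server address, expiry time)

    def request_ticket(self, app: str) -> str:
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (self.farm[app], self.clock() + self.ttl)
        return ticket

    def validate(self, ticket: str):
        """Return the server address once; reject unknown, replayed or expired tickets."""
        entry = self._tickets.pop(ticket, None)   # pop makes the ticket single-use
        if entry is None:
            return None
        address, expiry = entry
        return address if self.clock() <= expiry else None


class WebInterface:
    def __init__(self, xml: XMLService):
        self.xml = xml

    def launch(self, app: str) -> dict:
        """Steps 4-6: the ICA file the user downloads names the gateway and carries the
        ticket; the internal server address is not in it (simplified ICA file layout)."""
        return {"Address": "access.company.com",
                "SSLProxyHost": "access.company.com:443",
                "Ticket": self.xml.request_ticket(app),
                "App": app}


class AccessGateway:
    def __init__(self, xml: XMLService):
        self.xml = xml
        self.sessions = []

    def accept_ica(self, ica_file: dict) -> dict:
        """Steps 7-9: ICA arrives inside SSL, the ticket is validated, and only then does
        the gateway open the ICA session to the server the ticket resolves to."""
        server = self.xml.validate(ica_file["Ticket"])
        if server is None:
            return {"established": False, "reason": "ticket rejected"}
        self.sessions.append((ica_file["App"], server))
        return {"established": True, "server": server}


def run_scenario(ttl_seconds: int = 100) -> dict:
    """A first launch succeeds, replaying the same ICA file fails, and a ticket
    presented after its lifetime fails.  Uses a controllable clock."""
    now = [1_000.0]
    xml = XMLService({"Notepad": "10.20.30.40:1494"}, ttl_seconds, clock=lambda: now[0])
    wi, gateway = WebInterface(xml), AccessGateway(xml)

    ica = wi.launch("Notepad")
    first = gateway.accept_ica(ica)
    replay = gateway.accept_ica(ica)          # same ticket a second time

    stale = wi.launch("Notepad")
    now[0] += ttl_seconds + 1                 # let the ticket expire before it is used
    late = gateway.accept_ica(stale)

    return {"first": first, "replay": replay, "late": late,
            "address_in_ica_file": "10.20.30.40" in str(ica)}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario function returns the three outcomes so they can be checked: the first launch establishes a session to the server resolved from the ticket, the replay and the late presentation are refused, and the constructed ICA file contains no internal address.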
Web Interface Site Details
Set on a per-group basis:
– Each group can use the portal page like before or be redirected to another web server URL
– Send different users to different Citrix farms according to group membership

Multiple Logon Option Page
– Establishes a VPN connection for full desktop connectivity
– Redirects to Web Interface for ICA-only access

Minimal Deployment: Standard Edition
(Diagram: Access Gateway Standard Edition → Web Interface → Presentation Servers)
Web Interface may be moved to the LAN if Access Gateway is configured to authenticate users.

Advanced Edition Web Interface Integration
(Diagram: Access Gateway → Advanced Access Control (AAC) → Web Interface → Presentation Server Farm)
– User traffic flows through AAC on its way to Web Interface.
– If there are multiple AAC servers, one user’s traffic will emanate from all AAC servers in the farm.
– If there are also multiple WI servers, load balancing becomes a challenge. One user’s traffic must be persisted to one WI server, but the traffic will emanate from multiple AAC servers.

Option 1: Redundant WI servers with NLB
(Diagram: Access Gateway → Advanced Access Control (AAC) → NLB → Web Interface → Presentation Server Farm)
Windows Network Load Balancing (NLB) can be used, but only for redundancy. Configure NLB for “Single Host”.
Option 2: Use NetScaler for Cookie-based Load Balancing
(Diagram: Access Gateway → Advanced Access Control (AAC) → VIP* → Web Interface → Presentation Server Farm)
NetScaler® can be used to virtualize the WI servers with cookie-based load balancing. Use the ASP.NET Session ID cookie for persistence.
* NetScaler Virtual IP, not a Presentation Server Virtual IP
Load Balancer Insertion Points
– Citrix Access Gateway
  – Client to CAG
  – CAG to Advanced Access Control
  – AAC to WI
  – WI to AAC
– Citrix Presentation Server
  – Web Interface servers and CSG
  – XML Service
  – Load balancing mirrored sites (GSLB)