Page 1: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch

Citrix Access Gateway Enterprise Edition

Technical Overview

Seceidos GmbH & Co. KG, Robert Hochrein, [email protected]

Page 2: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch

2 Internal and Partner Use Only © 2005 Citrix Systems, Inc.—All rights reserved.

Citrix Access Gateway: SSL VPN Remote Access

Access Gateway Standard Edition
• Best for small-to-midsized customers
• Simple and cost-effective secure remote access

Access Gateway Advanced Edition
• Best for Presentation Server environments
• Advanced access control and device flexibility

Access Gateway Enterprise Edition
• Best for enterprise deployments
• Complex and demanding environments

Page 3: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Access Gateway Enterprise Edition: Features & Benefits

(Each feature is listed with its description, followed by its benefits as bullets.)

Traffic Acceleration
Speed access to applications and resources with SSL offload, web compression, and TCP optimization.
• Provide the optimal remote access experience for users over low-bandwidth, high-latency connections.

High Availability Configuration
Link master and backup appliances to create a redundant cluster which ensures sessions will remain active if the master fails.
• Keep remote access available for users even in the case of an appliance failure.

Global Server Load Balancing (GSLB)
Route client connections to the best site based on site availability, health, proximity, and responsiveness.
• Improve the remote user's access experience by connecting them to the best-performing site.
• Implement a disaster recovery and business continuity strategy.

Role-based Administration
Create and manage administrative users and groups that can each have unique management privileges.
• Define security policies to ensure administrators only perform the minimal set of operations required by their role.

Enterprise-class Auditing
Monitor and log all operations requested by end users and administrators.
• Gain full visibility into all operations to ensure services and data remain secure.

Quarantine Groups
Provide limited access rights for clients which fail the end-point analysis scans.
• Create remediation sites to allow clients to install the most recent anti-virus pattern files, operating system patches, etc. prior to connecting to the protected resources.

Page 4: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Access Gateway Enterprise Edition: Features & Benefits (continued)

Browser Cleanup
Remove objects and data stored on the browser while the SSL VPN session was open.
• Prevent sensitive corporate information from inadvertently being leaked to mobile laptops and home PCs.

Denial of Service Prevention
Protect resources from common denial of service attacks such as SYN attacks and HTTP GET floods.
• Ensure continued service to legitimate users by protecting the organization's servers.

Access Interface
Allow users to set up bookmarks and access files through a web browser.
• Give users a quick and easy way to access frequently used resources.

Extensive Authentication Support
Provide authentication from a wide variety of typical enterprise authentication systems (including smart cards).
• Allow administrators to easily integrate their SSL VPN into their existing environment.

Security Certifications
Enterprise Edition has been independently certified by ICSA Testing Labs (v2.0). A FIPS 140-2 Level 2 certified cryptographic module is available as a hardware option for the model 9000 platform.
• Customers have independent verification of the security and capabilities of the Enterprise Edition.
• US Government organizations and contractors may require FIPS 140-2 certified cryptography.

VLAN Support
Support 802.1Q packet tagging to route packets to the correct VLAN segment.
• Allow administrators to quickly deploy the SSL VPN in networks with existing VLAN topologies.

Page 5: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Access Gateway Enterprise Edition Appliance Options

Model 7000 / Model 9000
• Software editions supported: Enterprise / Enterprise
• Form factor: 1U / 2U
• FIPS option: not available / available
• Redundant power supplies: not available / available
• Maximum VPN users: 2,500 / 5,000

Page 6: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Methods of Initial Configuration

• Command-line Interface (CLI)

• Java Configuration Utility (GUI)

Page 7: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Basic Configuration – CLI method

Access the configuration menu over the supplied console cable with a terminal emulator set to 9600,N,8,1. The menu is shown below:

    REVIEW CONFIGURATION PARAMETERS MENU
    ------------------------------------
    This menu allows you to view and/or modify the NetScaler's configuration.
    Each configuration parameter displays its current value within brackets
    if it has been set. To change a value, enter the number that is displayed
    next to it.
    ------------------------------------
    1. NetScaler's IP address: [192.168.100.1]
    2. Netmask: [255.255.0.0]
    3. Advanced Network Configuration.
    4. Time zone.
    5. Cancel all the changes and exit.
    6. Apply changes and exit.
    Select a menu item from 1 to 6 [6]

Page 8: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Accessing the Administration Portal

Open a web browser to the default IP address (http://192.168.100.1).

Page 9: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Configuration Utility Login

• Accept the certificate warning
• Log in with the default user "nsroot"
• The default password is "nsroot"

Page 10: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Administration Traffic

Management traffic between the administrator workstation and the appliance uses port 3010 and an encrypted protocol.

Page 11: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Quick Start with the SSL VPN Wizard

Start the Wizard

Set the IP address

Set the SSL certificate

Select a DNS server

Point to an AAA server

And you’re done!

Page 12: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Define Multiple Virtual Servers

• Each virtual server has a unique:
  – IP address and FQDN
  – SSL certificate
  – Authentication configuration
  – Policy set

• Policies can optionally derive from a global policy set

Vpn1.company.com (10.10.10.1)

Vpn2.company.com (10.10.10.2)

Vpn3.company.com (10.10.10.3)

Page 13: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Dashboard Utility

Page 14: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Authentication

• Supports Major Authentication Methods
  – Active Directory
  – LDAP
  – NTLM
  – RADIUS (with challenge-response support)
  – RSA SecurID
  – TACACS+
  – Local
  – Client Certificates

• Supports Cascading Authentication

Page 15: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Authorization

• Policy Driven Access
  – Authentication by Policy
  – Authorization by Policy
  – Session control by Policy
  – Auditing by Policy

• Wide Variety of Criteria
  – Policy based on network information
  – Policy based on application access
  – Policy based on client certificate parameters
  – Policy based on client configurations

• Highly Granular Access Control
  – Users/Groups up to Global policies
  – HTTP authorization based on URL
  – TCP/IP authorization based on address and port

Page 16: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Auditing

• Full Administrative Audit Trail
  – All management operations logged

• Full User Audit Trail
  – All session activity (login, logout, timeout)
  – All network flows (not just web)

• All System Events

• Support for External Syslog Servers

Page 17: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Client Security

• Session Policies can control:
  – Split tunneling
  – Forward proxy definitions
  – Session timeout values
  – Client security

• End Point Analysis
  – Built-in support for Antivirus checks
  – Built-in support for Firewall checks
  – Host identification

• Client Side Clean Up
  – Clean browser cache, history, auto-completion files, plug-ins, etc.
  – Control with session policies
  – Administrator can mandate

Page 18: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Denial of Service Protection – SYN Attacks

(Diagram: "Normal TCP Sequence" shows client and server completing SYN, SYN+ACK, ACK. "SYN Flood" shows the server answering a stream of SYNs with SYN+ACKs that are never acknowledged.)

Enterprise Edition avoids memory consumption with packet cookies.
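The "packet cookie" defense the slide refers to is usually called a SYN cookie: the server encodes the half-open connection into the initial sequence number it sends in the SYN+ACK, so an unanswered SYN costs it no table entry. The Python below is an added example, not code from the presentation or from Citrix; the secret, the MSS table, the bit layout and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for the example; a real appliance uses its own secret
# and its own cookie layout.
SECRET = b"constructed-server-secret"
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values a 2-bit index can encode
COUNTER_PERIOD = 64                   # seconds per time-counter tick
COUNTER_WINDOW = 2                    # accept cookies from this many recent ticks

def _counter(now):
    """8-bit time counter; the cookie carries it so stale cookies can be rejected."""
    return int(now // COUNTER_PERIOD) & 0xFF

def _mac(src_ip, dst_ip, sport, dport, counter):
    """22-bit keyed MAC over the 4-tuple and counter: binds the cookie to one flow."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & 0x3FFFFF

def make_cookie(src_ip, dst_ip, sport, dport, client_mss, now=None):
    """ISN for the SYN+ACK: 8 bits counter | 2 bits MSS index | 22 bits MAC.
    Nothing is stored server-side, so a flood of SYNs costs no memory."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry the client allows
        if mss <= client_mss:
            mss_idx = i
    return (counter << 24) | (mss_idx << 22) | _mac(src_ip, dst_ip, sport, dport, counter)

def check_cookie(src_ip, dst_ip, sport, dport, ack, now=None):
    """Validate the third-handshake ACK. Returns the negotiated MSS, or None
    when the cookie is forged, belongs to another flow, or is too old."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF       # the client acknowledges ISN + 1
    counter = cookie >> 24
    mss_idx = (cookie >> 22) & 0x3
    mac = cookie & 0x3FFFFF
    if ((_counter(now) - counter) & 0xFF) >= COUNTER_WINDOW:
        return None                       # stale: minted too many ticks ago
    expected = _mac(src_ip, dst_ip, sport, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                       # forged, or replayed against another flow
    return MSS_TABLE[mss_idx]
```

The trade-off a practitioner should keep in mind is visible in the layout: only a few MSS values survive, and a cookie is accepted for a bounded window, so TCP options beyond MSS are lost while cookies are active.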

Page 19: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Other Denial of Service Protections

• Other Prevented Attacks:
  – Packet Floods
  – HTTP GET Floods
  – SSL Floods
  – Idle Connection Floods

(Diagram: each incoming request is answered with a JavaScript challenge.)

Page 20: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Security

• User Quarantine
  – Users assigned to a quarantine group when end-point analysis fails
  – Differentiated session and resource authorization policies
  – Use to grant limited access to remediation sites

(Diagram labels: Quarantined users; Web Email; Web Portal.)

Page 21: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Client Support

• All Windows Platforms
  – Windows 98/ME
  – Windows NT/2000/XP/SP2
  – Windows CE and PocketPC

• MacOS X and Linux
  – Java Based Client

• Reliable Application Access
  – No application content modification

• Enforces Client Security

Page 22: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Navigation Homepage

• Bookmarks
  – Customize global bookmarks
  – Per-User bookmarks
  – Filesystem bookmarks

• Themes
  – Custom style sheets supported
  – Logo update
  – End user can pick their own colors

• Integrated File Manager
  – Web based file access

• Unicode Support

Page 23: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Server-Initiated Requests

(Diagram: on the client side the source IP is the Client IP; on the server side the source IP is the Mapped IP.)

Client connects and is assigned a unique Mapped IP address.

Servers can use this Mapped IP address to establish server-initiated connections back to the client.

Page 24: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


High Availability Pairing

(Diagram: Vpn.company.com (10.10.10.1); network health-check packets are exchanged between Master and Backup.)

Two appliances can be linked to form an active/passive cluster. Health-checking packets are constantly exchanged between the pair. When the master fails, the backup assumes the IP address. All connections from the client are broken and must be re-established.

Page 25: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Global Server Load Balancing (GSLB)

• Distributes network traffic across multiple sites
• Routes client connections to the nearest site
• Distributes server load across multiple sites
• Implements disaster recovery

Page 26: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


5x Faster: Includes NetScaler Capabilities

Page 27: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch


Access Gateway Enterprise Edition

The best solution for the complex and demanding enterprise!


Page 28: Citrix Access Gateway 7-0 Enterprise Edition - Technical Presentation Englisch