Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001

Post on 19-Dec-2015


Citrix® Secure Gateway

Phil Montgomery, Senior Product Manager

Citrix Products and Services

October 2001


Learning Objectives

In this session, you will:

Get a preview of the new features and benefits of the Citrix Secure Gateway.

Learn how Citrix Secure Gateway (CSG) can provide Internet-based access to applications for remote employees, customers, and partners.


Agenda

Business Goals and Drivers

Citrix Goals and Solution

What is CSG?

CSG Architecture

CSG Technology Preview

Citrix Security Solutions

Demonstration

Summary, Q&A


Business Goals

Leverage Internet to deliver value outside of traditional models.

Demonstrable ROI

Do more with less

Do it before the competition does


Business Drivers

Remote access for employees, customers, and partners

B2B and B2C customers dispersed across many geographic locations

Assumption: only a web browser and a highly limited Internet connection

Access to key business applications

Security

Speed to market and development costs


Citrix Goals

Build a solution to securely and simply deliver MetaFrame applications across the Internet, on demand, to any device.


Barriers to implementation

ICA port 1494 not normally open on firewalls, difficult to open up

Use standards based encryption, protect against “man-in-the-middle” attack (Secure ICA is vulnerable to such attacks)

Large, difficult, intrusive, VPN client installs not suitable for many deployment types

Cost of VPN solutions, especially to large customer base

Hide MetaFrame servers from being seen or directly accessed from Internet


What is CSG?

Gateway between an SSL enabled ICA client and one or more MetaFrame servers

Tunnels ICA traffic inside SSL.

Limited to ICA only – not a general purpose VPN.

Runs independently from MetaFrame, links into NFuse for authorization

Three components:

CSG Server

Secure Ticket Authority

Modified NFuse

Previously known as project “Snowy”


Solution Components

Citrix Secure Gateway (CSG)

Other components:

MetaFrame

NFuse

SSL enabled clients

Optionally

Secure web server and/or portal (e.g. Citrix XPS)

Replaceable authentication (e.g. SecurID, smart card)

ICA client object (ICO)


CSG components

Client Workstation

CSG Server

NFuse/Web Server

MetaFrame Server Farm

Secure Ticketing Authority (STA)


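CSG with NFuse

[Diagram: the Web Browser connects to the Secure Web Server (NFuse) over HTTP/S; NFuse talks to the Citrix XML Service on the MetaFrame Server Farm over XML-HTTP/80; the ICA Client connects to the CSG Server in the DMZ over ICA/SSL on port 443; the CSG Server connects to the MetaFrame Server Farm over ICA/1494.]

Initial connection is always established with the web server.

The user may not even have Citrix client installed.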


CSG Ticketing

[Diagram: Web Browser, ICA Client, Secure Web Server with NFuse, CSG Server (DMZ), Secure Ticketing Authority, XML Service, and Production MetaFrame Farm, connected by the numbered steps below.]

1. Standard NFuse ICA name resolution (standard NFuse XML).

2. Ticket generation: a CSG ticket is requested on application launch.

3. ICA file: the CSG ticket is delivered to the ICA client as part of the ICA file.

4. ICA/SSL: the CSG ticket is delivered to the CSG server as part of the SOCKS inside SSL information.

5. Ticket verification: the CSG server verifies the ticket and opens the ICA connection (ICA/1494).
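The ticket exchange on this slide, modelled as an added example (not Citrix code and not part of the original deck). Assumptions: tickets are random, single-use and expire after a fixed lifetime; the dictionary keys, host names and addresses are constructed for illustration.

```python
import secrets
import time


class SecureTicketAuthority:
    """Toy STA: swaps an internal server address for an opaque ticket."""

    def __init__(self, ttl_seconds=100):
        self.ttl = ttl_seconds   # assumed lifetime, not stated on the slides
        self._tickets = {}       # ticket -> (backend address, expiry time)

    def issue(self, backend, now=None):
        # Step 2: NFuse requests a ticket when the user launches an application.
        now = time.time() if now is None else now
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (backend, now + self.ttl)
        return ticket

    def redeem(self, ticket, now=None):
        # Step 5: the gateway asks the STA to verify the ticket.
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # pop() makes it single-use
        if entry is None or now > entry[1]:
            return None
        return entry[0]


def build_ica_file(sta, gateway, backend, now=None):
    # Step 3: the file handed to the client names only the gateway and the
    # ticket, never the internal MetaFrame address (hypothetical keys).
    return {"gateway": gateway, "ticket": sta.issue(backend, now)}


def gateway_connect(sta, ica_file, now=None):
    # Steps 4-5: the client presents the ticket inside SSL; the gateway
    # redeems it and only then learns which server to dial on ICA/1494.
    backend = sta.redeem(ica_file["ticket"], now)
    return "REJECT" if backend is None else "CONNECT " + backend


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    ica = build_ica_file(sta, "csg.example.com:443", "10.0.0.21:1494")
    print(ica)
    print(gateway_connect(sta, ica))  # first use is accepted
    print(gateway_connect(sta, ica))  # replay of the same ticket is rejected
```

A captured ticket is useless after its first redemption or after expiry, and the client-side file never reveals the internal address.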


CSG Architecture 1

Authorization based on ticketing, leverages NFuse for Authentication

Compatible with wide range of authentication systems

Replaceable Secure Ticketing Authority (STA)

Works with replaceable auth – e.g. SecurID, Smartcard

Operates in Gateway mode – installed in DMZ

Highly scalable – by design

Single CSG server can support 1000 to 2000 concurrent connections

Highly reliable – fail-over support for STA, external Load Balancer for main CSG Server.


CSG Architecture 2

Uses XML for inter-component communication

Components are easily replaceable by Citrix or a third party

SOAP is considered as the next step

No changes necessary to MetaFrame servers

Can be quickly installed into existing system


Packaging

Provided at no additional cost to valid Subscription Advantage customers

Download only

Included in future MetaFrame release

English and possibly Japanese (product is Internationalized)

v1.0 Windows 2000 server platform


Technology Preview

Private Preview, available from hidden URL http://cdn.citrix.com/snowy

Create CDN account and login before entering URL.

Time-bombed to expire 1st Feb 2002

Windows 2000 and IIS/NFuse only

No support – feedback to [email protected]

Need at least 2 machines, one running CSG, the other NFuse/STA. 3 machines is recommended.

Need server SSL certificate & High Encryption Pack


Things to come

Q1/2 2002 – Solaris

Q3/Q4 – v1.5 – Possible features:

• Improved Management (SNMP, WMI, MMC)

• TLS support

• Government certifications

• End to End SSL

• SDK

We need your feedback on CSG directions!


Citrix Solutions

[Diagram: spectrum from lower security to highest security, listing ICA, Secure ICA, SSL Relay, CSG Server, and Citrix Extranet, with an "SSL Solutions" label.]


Use what, when?

Use SecureICA when:

·  Secure DOS or Win 16 access is necessary

·  Have old devices/ ICA clients that cannot be upgraded

·  Risk of “man-in-the-middle” attack is acceptable

Use SSL Relay when:

·  Small number of MetaFrame servers to support (<5)

·  No need to secure access at DMZ

·  No need to hide server IP addresses, or NAT is used

·  Need end-to-end encryption of data between client and server


Use what, when?

Use Citrix Secure Gateway when:

• Large number of servers to support

• Want to hide internal network addresses

• Want to secure from DMZ

• Need 2 factor authentication (in conjunction with NFuse)

• Need non-intrusive client install e.g. access from Internet cafes

Use Citrix Extranet or another VPN when:

• Need 2 factor authentication

• Need to create a secure pipeline for full (beyond ICA) network access

• Need to create secure tunnels between sites

• Want to secure from within DMZ

• Access is normally via same workstation i.e. OK to install intrusive Client

• Want to use IPSEC


Key information sources

CSG Tech Preview - http://cdn.citrix.com/snowy

Feedback to [email protected]

Product Manager: [email protected]


Demonstration

Summary

Q&A