Secure Delivery of Virtual Desktops with Citrix Access Gateway

Citrix Access Gateway 5.0 Daniel Künzli, Systems Engineer ANG Citrix Systems GmbH, Switzerland

Upload: digicomp-academy-ag

Post on 05-Dec-2014


TRANSCRIPT

Page 1: Secure Delivery of Virtual Desktops with Citrix Access Gateway

Citrix Access Gateway 5.0 Daniel Künzli, Systems Engineer ANG Citrix Systems GmbH, Switzerland

Page 2

Secure access to Citrix app and desktop virtualization

An integrated delivery infrastructure

Diagram labels: Citrix Access Gateway, Citrix Branch Repeater, Citrix Receiver, XenApp, XenDesktop, XenServer, NetScaler, Delivery, Network

Page 3

What is Citrix Access Gateway?

Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere.

Adaptive Policy Control

Best Performance & Flexible Deployment

HDX SmartAccess

Page 4

Broad Platform Support

Seamless access through Citrix Receiver

Citrix Confidential - Do Not Distribute

• Windows
• Mac
• Linux
• iPhone and iPad
• Android
• Blackberry
• Java

Page 5

Adaptive Policy Control

Other SSL VPNs only go this far

• Who and Where? (Endpoint Analysis, Authentication): Which User, What Device, What Location, What Authentication
• What Resources? (Access Control): Web and File Resources, Networks, Mail Servers, Applications
• How? (Application-level Control): VPN Access, Clientless Access, XenApp (Applications, Virtual Channels), XenDesktop (Desktops, Virtual Channels)

Page 6

Appliance Options

Access Gateway VPX
• Virtual appliance with same functionality as Access Gateway 2010
• Designed to upgrade Secure Gateway
• Capacity for medium-size deployments (500 users per appliance)
• Available for Citrix XenServer or VMware ESX (NEW!) hypervisors

Access Gateway 2010
• Ideal for secure access to XenApp and XenDesktop
• Designed to upgrade Secure Gateway
• Capacity for medium-size deployments (500 users per appliance)

Access Gateway MPX 5500
• Designed for secure access
• High capacity (5,000 users per appliance)
• Upgradable to NetScaler for additional functionality

NetScaler MPX 7500 or higher
• Multi-function appliance (secure access, load-balancing, acceleration)
• Highest capacity (10,000+ users per appliance)
• Most reliable hardware
• Ideal for business continuity across multiple datacenters

Page 7

Which Appliance To Choose

Access Gateway 2010

Access Gateway VPX

NetScaler MPX 7500 or higher

Access Gateway MPX 5500

• How many users?

• What form factor?

• Physical or Virtual appliance?

• Will the appliance be dedicated for remote access?

• Multi-function appliance required?

• How many sites need to be supported?

• Certificate based authentication?

• Client certificates?

Page 8

Appliance Failover avoids a single point of failure

Basic High Availability

Diagram labels: Primary, Secondary, Single External IP Address, Single Internal IP Address

• Available with all appliance models (New! on Model 2010 and VPX)
• Avoid single points of failure in Access Gateway deployments (including Access Controller servers)

Page 9

Achieve Business Continuity with NetScaler & Global Server Load Balancing

• Enable multiple site deployments transparently to users
• Route users to the nearest and most available datacenter

Page 10

Secure Gateway Upgrade

• Seamless support for Citrix Receiver and Dazzle

• Adaptive Policy Control

• Single point of secure access for all Citrix solutions

• Cost-effective (No user licenses required)

Flexible deployment options

• Hardened physical appliance

• Virtual appliance

• Business continuity options available

Best SSL VPN to use within Citrix environments

Use Access Gateway with XenDesktop and XenApp

Page 11

Access Gateway 5.0 – Release Overview

Replacement for Access Gateway Standard and Advanced
• For SMB and midsize organizations
• Runs on the Model 2010 and AG VPX only

All new appliance firmware with simplified administration

Architecture refresh will increase feature velocity

Delivers new features for existing AG-S/A customers
• Subscription Advantage Eligibility date: Sep 1, 2010

Page 12

New! Access Gateway VPX for VMware ESX

Image label: Citrix Access Gateway VPX

Access Gateway VPX
• Same features as the Model 2010 physical appliance
• Supported on Citrix XenServer and VMware ESX

Supports up to 500 concurrent users

List price $995
• Same as XenServer version
• Includes 1 yr Subscription Advantage

Free 5-user VPX Express Edition
• www.citrix.com/tryaccessgateway

Page 13

Choose a virtual appliance when…

Limited rack space or infrastructure is available

Agility and rapid recovery is important
• Virtual appliances enable fast deployment and provisioning
• Downtime is minimized through hardware independence

Cost-cutting is a requirement
• Energy consumption reduced through consolidation
• Standardizing hardware creates a pricing advantage with server vendors

A low-cost training & testing environment is needed

Image label: Citrix Access Gateway VPX

Page 14

Licence Types

• Platform license
  • Comes with AG appliance (upgrade / fulfillment)
  • Required for the Gateway to function
  • Allows XA / XD connections – basic logon points (SG replacement)
• Universal license
  • CCU license – SmartAccess logon points
  • Full VPN Tunnel & clientless access to websites and fileshares
  • Endpoint analysis & policy-based SmartAccess
• Express license
  • VPX appliance only
  • 1 platform – 5 users – 1 year

Page 15

How do I deploy Access Gateway VPX?

Page 16

How Can I Deploy Access Gateway VPX?

VPX supports the same deployment modes as the Model 2010 appliance, including:

• Single-DMZ deployment with SSL VPN access
• Single-DMZ deployment with Citrix Web Interface “behind” Access Gateway VPX
• Single-DMZ deployment with Citrix Web Interface “parallel” to Access Gateway VPX
• “Advanced Access Control Mode” where policies are deferred to a Citrix AAC server (Access Gateway, Advanced Edition)
• Multiple Access Gateway instances configured in a failover cluster

Page 17

Web Interface Parallel to Access Gateway

XenApp Online Plugin

Access Gateway

XenApp

Web Interface

Page 18

Web Interface Behind Access Gateway

XenApp Online Plugin

Access Gateway

XenApp

Web Interface

Page 19

Full VPN Access

Diagram labels: Access Gateway Plugin, Access Gateway, XenApp, Web Interface, Microsoft SharePoint, File shares, Other

Page 20

Access Gateway with Citrix Receiver

Diagram labels: Citrix Receiver, Citrix Dazzle, Access Gateway, XenApp, Web Interface, Merchandising Server

Page 21

Advanced Access Control

Diagram labels: XenApp Online Plugin - OR - Access Gateway Plugin, Access Gateway, XenApp, Advanced Access Control, Web Interface

Page 22

NIC Bonding

• Join multiple physical network interfaces (PIFs) in XenServer
• Bonded NICs appear as a single virtual interface (VIF) to a virtual machine
• NIC Bonding increases fault tolerance
• PIFs work in Active/Active mode

Page 23

High Availability

• Group multiple XenServer host machines into a “server pool”
• During a XenServer host failure, Access Gateway VPX is initialized on another XenServer in the pool
• Active user sessions need to be re-established

Page 24

XenMotion

• Transfer a running instance of Access Gateway VPX from one physical XenServer host to another XenServer host without terminating existing user sessions.

Page 25

Add a Failover Gateway

• Add VPX as a failover server for an existing deployment
• If the appliance is ever unavailable, clients use the VPX

Diagram labels: Primary Appliance (Model 2010), Secondary Appliance (Access Gateway VPX), External Virtual IP Address, Internal Virtual IP Address, Internal Resources

Page 26

Installing Access Gateway VPX

1. Install Citrix XenServer and XenCenter
2. Obtain virtual image file cag.xva (295.5 MB)
3. Using XenCenter, import the virtual machine.
   • Import type: Exported VM
4. Browse to select the cag.xva file
5. Virtual machine import takes a few minutes to complete
6. Virtual image starts up with default IP address 10.20.30.40

Page 27

Initial Configuration – Within XenCenter

1. In XenCenter, select the Access Gateway virtual machine and click the Console tab
2. Log on with Username: admin, Password: admin
3. Use the text-based menu to set IP address & default gateway

Page 28

Console Menu

Access Gateway, 5.0.0.144025, 2010-08-30

-----------------------------------

Main Menu

-----------------------------------

[0] Express Setup

[1] System

[2] Troubleshooting

[3] Help

[4] Log Out

------------

Choice:

Use Express Setup to set IP address, subnet mask & default gateway

Page 29

Initial Configuration – Using Browser-based Admin Tool

• After changing the AG VPX IP address, point a browser to https://<IPAddress>/lp/adminlogonpoint
• Log on as admin / admin

Page 30

Initial Configuration – Using Browser-based Admin Tool

Page 31

Appliance Setup

1. Create authentication profile(s) – LDAP, RADIUS, RSA
2. Set the host name
3. Request and install an SSL certificate
4. Install the free Access Gateway Platform License
5. Add Secure Ticket Authorities and ICA ACLs
6. Create a Basic Logon Point for use with Web Interface

Detailed steps available at edocs.citrix.com

Page 32

Configuring the Logon Point

Select “Basic”

Enter WI URL

Select Auth Profile

Enable Single Sign-on

Click Save

Page 33

Configuring Web Interface

Page 34

Create a New Web Interface Site…

Page 35

…with Authentication Performed At Access Gateway

Page 36

Enter Access Gateway Authentication Service URL

Web Interface must be able to reach this URL and make a trusted SSL connection

Page 37

Page 38

Set Default Access Settings to “Gateway Direct”

Page 39

Provide Gateway Address for Clients

Address (FQDN) must match the gateway’s SSL certificate name

Page 40

Add Secure Ticket Authority Addresses

Configure the same STA URLs on Access Gateway
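
The two consistency requirements on these slides (the gateway address given to clients must match the gateway certificate name, and Web Interface and Access Gateway must list the same STA URLs) can be checked before go-live. The Python below is an added example, not part of the original deck or of any Citrix tooling; the host names, STA URLs and certificate are constructed sample values, and the certificate uses the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Pre-flight checks for the Web Interface / Access Gateway settings.
All host names, URLs and the certificate below are constructed sample values."""
from urllib.parse import urlsplit

# Constructed certificate in the dict layout of ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "old-name.example.com"),),),
    "subjectAltName": (("DNS", "gateway.example.com"), ("DNS", "*.remote.example.com")),
}
# Constructed STA lists as entered on Web Interface and on Access Gateway
WI_STAS = ["http://sta1.example.local/scripts/ctxsta.dll",
           "http://sta2.example.local/scripts/ctxsta.dll"]
AG_STAS = ["http://STA1.example.local/scripts/ctxsta.dll/",
           "http://sta3.example.local/scripts/ctxsta.dll"]

def cert_names(cert):
    """DNS names the certificate covers; the CN counts only if no SAN DNS entry exists."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(fqdn, pattern):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    host, pat = fqdn.lower().rstrip(".").split("."), pattern.split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def gateway_address_ok(fqdn, cert):
    """True if the address handed to clients matches a name in the gateway certificate."""
    return any(name_matches(fqdn, name) for name in cert_names(cert))

def _normalize(url):
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), parts.hostname or "", parts.port, parts.path.rstrip("/")

def sta_mismatch(web_interface_stas, gateway_stas):
    """STA URLs configured on only one side; an empty set means both sides agree."""
    return ({_normalize(u) for u in web_interface_stas}
            ^ {_normalize(u) for u in gateway_stas})

if __name__ == "__main__":
    for address in ("gateway.example.com", "a.b.remote.example.com", "10.20.30.40"):
        print(address, gateway_address_ok(address, SAMPLE_CERT))
    print(sorted(host for _, host, _, _ in sta_mismatch(WI_STAS, AG_STAS)))
```

With the sample data, an address two labels below the wildcard and a bare IP address both fail the certificate check, and the STA comparison reports the hosts that appear on only one side.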

Page 41

Page 42

End User Access

Page 43

End User Access

Page 44

Discontinued Features

• Standard Edition
  • DMZ with double hop
  • Dynamic routing with Routing Information Protocol (RIP)
  • Windows NT LAN Manager (NTLM) as authentication method
  • Locally defined Access Gateway users
• Advanced Edition
  • Live Edit
  • HTML preview
  • Web E-Mail

Page 45