Secure delivery of virtual desktops with Citrix Access Gateway
Citrix Access Gateway 5.0
Daniel Künzli, Systems Engineer ANG
Citrix Systems GmbH, Switzerland
Secure access to Citrix app and desktop virtualization: an integrated delivery infrastructure
[Diagram labels: Citrix Access Gateway, Citrix Branch Repeater, Citrix Receiver, XenApp, XenDesktop, XenServer, NetScaler; Delivery; Network]
What is Citrix Access Gateway?
Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere.
• Adaptive Policy Control
• Best Performance & Flexible Deployment
• HDX SmartAccess
• Broad Platform Support
Seamless access through Citrix Receiver
Citrix Confidential - Do Not Distribute
•Windows
•Mac
•Linux
• iPhone and iPad
•Android
•Blackberry
•Java
Adaptive Policy Control
• Who and Where? Endpoint Analysis, Authentication: which user, what device, what location, what authentication
• What Resources? Access Control: web and file resources, networks, servers, applications
• How? Application-level Control: VPN access, clientless access, XenApp (applications, virtual channels), XenDesktop (desktops, virtual channels)
Other SSL VPNs only go this far: "Who and Where?" and "What Resources?"
•Virtual appliance with same functionality as Access Gateway 2010
•Designed to upgrade Secure Gateway
•Capacity for medium-size deployments (500 users per appliance)
•Available for Citrix XenServer or VMware ESX (NEW!) hypervisors
•Ideal for secure access to XenApp and XenDesktop
•Designed to upgrade Secure Gateway
•Capacity for medium-size deployments (500 users per appliance)
•Designed for secure access
•High capacity (5,000 users per appliance)
•Upgradable to NetScaler for additional functionality
•Multi-function appliance (secure access, load-balancing, acceleration)
•Highest capacity (10,000+ users per appliance)
•Most reliable hardware
•Ideal for business continuity across multiple datacenters
Appliance Options
Access Gateway 2010
Access Gateway VPX
NetScaler MPX 7500 or higher
Access Gateway MPX 5500
Which Appliance To Choose
Access Gateway 2010
Access Gateway VPX
NetScaler MPX 7500 or higher
Access Gateway MPX 5500
• How many users?
• What form factor?
• Physical or Virtual appliance?
• Will the appliance be dedicated for remote access?
• Multi-function appliance required?
• How many sites need to be supported?
• Certificate based authentication?
• Client certificates?
Appliance Failover avoids a single point of failure
Basic High Availability
[Diagram: primary and secondary appliance behind a single external IP address and a single internal IP address]
•Available with all appliance models (New! on Model 2010 and VPX)
•Avoid single points of failure in Access Gateway deployments (including Access Controller servers)
Achieve Business Continuity with NetScaler & Global Server Load Balancing
•Enable multiple site deployments transparently to users
•Route users to the nearest and most available datacenter
Secure Gateway Upgrade
• Seamless support for Citrix Receiver and Dazzle
• Adaptive Policy Control
• Single point of secure access for all Citrix solutions
• Cost-effective (No user licenses required)
Flexible deployment options
• Hardened physical appliance
• Virtual appliance
• Business continuity options available
Best SSL VPN to use within Citrix environments
Use Access Gateway with XenDesktop and XenApp
Replacement for Access Gateway Standard and Advanced
• For SMB and midsize organizations
• Runs on the Model 2010 and AG VPX only
All new appliance firmware with simplified administration
Architecture refresh will increase feature velocity
Delivers new features for existing AG-S/A customers
• Subscription Advantage Eligibility date: Sep 1, 2010
Access Gateway 5.0 – Release Overview
New! Access Gateway VPX for VMware ESX
Access Gateway VPX
• Same features as the Model 2010 physical appliance
• Supported on Citrix XenServer and VMware ESX
Supports up to 500 concurrent users
List price $995
• Same as XenServer version
• Includes 1 yr Subscription Advantage
Free 5-user VPX Express Edition
• www.citrix.com/tryaccessgateway
Limited rack space or infrastructure is available
Agility and rapid recovery is important
• Virtual appliances enable fast deployment and provisioning
• Downtime is minimized through hardware independence
Cost-cutting is a requirement
• Energy consumption reduced through consolidation
• Standardizing hardware creates a pricing advantage with server vendors
A low-cost training & testing environment is needed
Choose a virtual appliance when…
• Platform license
  • Comes with AG appliance (upgrade / fulfillment)
  • Required for the Gateway to function
  • Allows XA / XD connections – basic logon points (SG replacement)
• Universal license
  • CCU license – SmartAccess logon points
  • Full VPN tunnel & clientless access to websites and file shares
  • Endpoint analysis & policy-based SmartAccess
• Express license
  • VPX appliance only
  • 1 platform – 5 users – 1 year
Licence Types
How do I deploy Access Gateway VPX?
VPX supports the same deployment modes as the Model 2010 appliance, including:
• Single-DMZ deployment with SSL VPN access
• Single-DMZ deployment with Citrix Web Interface “behind” Access Gateway VPX
• Single-DMZ deployment with Citrix Web Interface “parallel” to Access Gateway VPX
• “Advanced Access Control Mode” where policies are deferred to a Citrix AAC server (Access Gateway, Advanced Edition)
• Multiple Access Gateway instances configured in a failover cluster
How Can I Deploy Access Gateway VPX?
• Web Interface Parallel to Access Gateway: XenApp Online Plugin, Access Gateway, XenApp, Web Interface
• Web Interface Behind Access Gateway: XenApp Online Plugin, Access Gateway, XenApp, Web Interface
• Full VPN Access: Access Gateway Plugin, Access Gateway, XenApp, Web Interface, Microsoft SharePoint, file shares, other
• Access Gateway with Citrix Receiver: Citrix Receiver, Citrix Dazzle, Access Gateway, XenApp, Web Interface, Merchandising Server
• Advanced Access Control: XenApp Online Plugin or Access Gateway Plugin, Access Gateway, XenApp, Advanced Access Control, Web Interface
• Join multiple physical network interfaces (PIFs) in XenServer
• Bonded NICs appear as a single virtual interface (VIFs) to a virtual machine
• NIC Bonding increases fault tolerance
• PIFs work in Active/Active mode
NIC Bonding
• Group multiple XenServer host machines into a “server pool”
• During a XenServer host failure, Access Gateway VPX is initialized on another XenServer in the pool
• Active user sessions need to be re-established
High Availability
• Transfer a running instance of Access Gateway VPX from one physical XenServer host to another XenServer host without terminating existing user sessions.
XenMotion
• Add VPX as a failover server for an existing deployment
• If the appliance is ever unavailable, clients use the VPX
Add a Failover Gateway
[Diagram: primary appliance (Model 2010) and secondary appliance (Access Gateway VPX) sharing an external virtual IP address and an internal virtual IP address in front of internal resources]
1. Install Citrix XenServer and XenCenter
2. Obtain virtual image file cag.xva (295.5 MB)
3. Using XenCenter, import the virtual machine.
• Import type: Exported VM
4. Browse to select the cag.xva file
5. Virtual machine import takes a few minutes to complete
6. Virtual image starts up with default IP address 10.20.30.40
Installing Access Gateway VPX
1. In XenCenter, select the Access Gateway virtual machine and click the Console tab
2. Log on (Username: admin, Password: admin)
3. Use the text-based menu to set IP address & default gateway
Initial Configuration – Within XenCenter
Access Gateway, 5.0.0.144025, 2010-08-30
-----------------------------------
Main Menu
-----------------------------------
[0] Express Setup
[1] System
[2] Troubleshooting
[3] Help
[4] Log Out
------------
Choice:
Use Express Setup to set IP address, subnet mask & default gateway
Console Menu
• After changing the AG VPX IP address, point a browser to https://<IPAddress>/lp/adminlogonpoint
• Log on as admin / admin
Initial Configuration – Using Browser-based Admin Tool
1. Create authentication profile(s) – LDAP, RADIUS, RSA
2. Set the host name
3. Request and install an SSL certificate
4. Install the free Access Gateway Platform License
5. Add Secure Ticket Authorities and ICA ACLs
6. Create a Basic Logon Point for use with Web Interface
Detailed steps available at edocs.citrix.com
Appliance Setup
Configuring the Logon Point
Select “Basic”
Enter WI URL
Select Auth Profile
Enable Single Sign-on
Click Save
Configuring Web Interface
Create a New Web Interface Site…
…with Authentication Performed At Access Gateway
Enter Access Gateway Authentication Service URL
Web Interface must be able to reach this URL and make a trusted SSL connection
Set Default Access Settings to “Gateway Direct”
Provide Gateway Address for Clients
Address (FQDN) must match the gateway’s SSL certificate name
Add Secure Ticket Authority Addresses
Configure the same STA URLs on Access Gateway
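The two conditions called out above (the gateway address given to clients must match the gateway's SSL certificate name, and the same STA URLs must be configured on Web Interface and on Access Gateway) can be checked before go-live. This is an added example, not part of the original slides or any Citrix tool; the function names, host names and sample data are hypothetical, and the certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host; '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare suffix such as *.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_dns_names(cert: dict) -> list:
    """DNS names from a getpeercert()-style dict; fall back to CN only if no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def norm_sta(url: str) -> str:
    """Normalise an STA URL; assumes case and a trailing slash are not significant."""
    u = urlsplit(url.strip())
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path.rstrip('/').lower()}"

def preflight(gateway_fqdn, cert, wi_stas, ag_stas):
    """Return a list of findings; an empty list means both conditions hold."""
    findings = []
    names = cert_dns_names(cert)
    if not any(name_matches(n, gateway_fqdn) for n in names):
        findings.append(f"certificate names {names} do not cover {gateway_fqdn}")
    wi = {norm_sta(u) for u in wi_stas}
    ag = {norm_sta(u) for u in ag_stas}
    for u in sorted(wi - ag):
        findings.append(f"STA only on Web Interface: {u}")
    for u in sorted(ag - wi):
        findings.append(f"STA only on Access Gateway: {u}")
    return findings

# Constructed sample data (hypothetical hosts, not taken from the slides)
CERT = {"subject": ((("commonName", "gateway.example.com"),),),
        "subjectAltName": (("DNS", "gateway.example.com"),)}
WI_STAS = ["http://xa1.example.local/scripts/ctxsta.dll",
           "http://xa2.example.local/scripts/ctxsta.dll"]
AG_STAS = ["http://XA1.example.local/Scripts/CtxSta.dll"]

if __name__ == "__main__":
    for finding in preflight("gw.example.com", CERT, WI_STAS, AG_STAS):
        print("FAIL:", finding)
```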
End User Access
• Standard Edition
  • DMZ with double hop
  • Dynamic routing with Routing Information Protocol (RIP)
  • Windows NT LAN Manager (NTLM) as authentication method
  • Locally defined Access Gateway users
• Advanced Edition
  • Live Edit
  • HTML preview
  • Web E-Mail
Discontinued Features