
Citrix Access Gateway Enterprise Edition
Technical Overview
Seceidos GmbH & Co. KG
Robert Hochrein
robert.hochrein@seceidos.de

Citrix Access Gateway

SSL VPN Remote Access: the three editions

Edition                              Positioning                                       Best for
Access Gateway Standard Edition      Simple and cost-effective secure remote access    Small-to-midsized customers
Access Gateway Advanced Edition      Advanced access control and device flexibility    Presentation Server environments
Access Gateway Enterprise Edition    Complex and demanding environments                Enterprise deployments

Internal and Partner Use Only

2005 Citrix Systems, Inc.All rights reserved.

Access Gateway Enterprise Edition

Features & Benefits

Feature: Traffic Acceleration
Description: Speed access to applications and resources with SSL offload, web compression, and TCP optimization.
Benefit: Provide the optimal remote access experience for users over low-bandwidth, high-latency connections.

Feature: High Availability Configuration
Description: Link master and backup appliances to create a redundant pair; if the master fails, the backup takes over the service address.
Benefit: Keep remote access available for users even in the case of an appliance failure. (Existing client connections are re-established after failover; see High Availability Pairing below.)

Feature: Global Server Load Balancing (GSLB)
Description: Route client connections to the best site based on site availability, health, proximity, and responsiveness.
Benefit: Improve the remote user's access experience by connecting them to the best-performing site; implement a disaster recovery and business continuity strategy.

Feature: Role-based Administration
Description: Create and manage administrative users and groups that can each have unique management privileges.
Benefit: Define security policies to ensure administrators can only perform the minimal set of operations required by their role.

Feature: Enterprise-class Auditing
Description: Monitor and log all operations requested by end users and administrators.
Benefit: Gain full visibility into all operations to ensure services and data remain secure.

Feature: Quarantine Groups
Description: Provide limited access rights for clients that fail the end-point analysis scans.
Benefit: Create remediation sites that let clients install the most recent anti-virus pattern files, operating system patches, etc. before connecting to the protected resources.


Access Gateway Enterprise Edition

Features & Benefits (continued)

Feature: Browser Cleanup
Description: Remove objects and data stored in the browser while the SSL VPN session was open.
Benefit: Prevent sensitive corporate information from inadvertently being leaked to mobile laptops and home PCs.

Feature: Denial of Service Prevention
Description: Protect resources from common denial of service attacks such as SYN attacks and HTTP GET floods.
Benefit: Ensure continued service to legitimate users by protecting the organization's servers.

Feature: Access Interface
Description: Allow users to set up bookmarks and access files through a web browser.
Benefit: Give users a quick and easy way to access frequently used resources.

Feature: Extensive Authentication Support
Description: Provide authentication against a wide variety of typical enterprise authentication systems (including smart cards).
Benefit: Allow administrators to easily integrate the SSL VPN into their existing environment.

Feature: Security Certifications
Description: Enterprise Edition has been independently certified by ICSA Labs (v2.0). A FIPS 140-2 Level 2 certified cryptographic module is available as a hardware option for the model 9000 platform.
Benefit: Customers have independent verification of the security and capabilities of the Enterprise Edition. US Government organizations and contractors may require FIPS 140-2 certified cryptography.

Feature: VLAN Support
Description: Support 802.1q packet tagging to route packets to the correct VLAN segment.
Benefit: Allow administrators to quickly deploy the SSL VPN in networks with existing VLAN topologies.


Access Gateway Enterprise Edition

Appliance Options

Model                          7000           9000
Software editions supported    Enterprise     Enterprise
Form factor                    1U             2U
Maximum VPN users              2,500          5,000
FIPS option                    available on the 9000 (see Security Certifications)
Redundant power supplies       (which models include them was not preserved in this copy)


Methods of Initial Configuration


Command-line Interface (CLI)

Java Configuration Utility (GUI)


Basic Configuration: CLI method

Connect to the appliance with the supplied console cable and a terminal emulator set to 9600,N,8,1. The configuration menu looks like this:

REVIEW CONFIGURATION PARAMETERS MENU
-----------------------------------
This menu allows you to view and/or modify the NetScaler's configuration.
Each configuration parameter displays its current value within brackets
if it has been set. To change a value, enter the number that is displayed
next to it.
-----------------------------------
1. NetScaler's IP address: [192.168.100.1]
2. Netmask: [255.255.0.0]
3. Advanced Network Configuration.
4. Time zone.
5. Cancel all the changes and exit.
6. Apply changes and exit.
Select a menu item from 1 to 6 [6]


Accessing the Administration Portal

Open a web browser to the appliance's default IP address (http://192.168.100.1).


Configuration Utility Login

- Accept the certificate warning (the default management certificate is not issued by a CA your browser trusts; replace it with a properly issued one before the management interface goes into service)
- Log in with the default user nsroot
- Default password is nsroot

Change the nsroot password before the appliance is reachable from anything other than the setup workstation: the default credentials are published and are the same on every unit.


Administration Traffic

Management traffic between the administrator workstation and the appliance uses port 3010 and an encrypted protocol. Restrict that port to the administration network; it must not be reachable from the Internet-facing side of the SSL VPN.


Quick Start with the SSL VPN Wizard

Start the wizard
Set the IP address
Set the SSL certificate
Select a DNS server
Point to an AAA server
And you're done!


Define Multiple Virtual Servers

Each virtual server has a unique:
- IP address and FQDN
- SSL certificate
- Authentication configuration
- Policy set

Policies can optionally derive from a global policy set.

Example: Vpn1.company.com (10.10.10.1), Vpn2.company.com (10.10.10.2), Vpn3.company.com (10.10.10.3)


Dashboard Utility


Authentication

Supports Major Authentication Methods:
- Active Directory
- LDAP
- NTLM
- RADIUS (with challenge-response support)
- RSA SecurID
- TACACS+
- Local
- Client Certificates

Supports Cascading Authentication: several authentication policies can be bound in priority order, and a user is accepted by the first server that authenticates the credentials. The weakest server left in the cascade therefore sets the effective bar; a local fallback store should not stay bound alongside the directory once it is no longer needed.
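The following is an added example, not code from Citrix or from this deck, that models cascading authentication as described above: bound policies are tried in priority order and the first server that accepts the credentials wins. The server names, accounts and passwords are constructed, and the three `*_check` functions stand in for real LDAP, RADIUS and local lookups. It shows the consequence of leaving a stale local store in the cascade.

```python
"""Cascading authentication tried in priority order.

Added example, not Citrix code. Several authentication policies are bound,
each with a priority; the gateway accepts the user on the first server that
authenticates the credentials. The directories, accounts and passwords below
are constructed to show why the weakest server left in the cascade sets the
effective bar.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed credential stores standing in for three authentication servers.
LDAP_USERS: Dict[str, str] = {"alice": "Correct-Horse-42"}
RADIUS_USERS: Dict[str, str] = {"bob": "pin+735911"}      # PIN plus one-time tokencode
LOCAL_USERS: Dict[str, str] = {"alice": "summer2005"}     # stale local copy of alice


def ldap_check(user: str, secret: str) -> bool:
    return LDAP_USERS.get(user) == secret


def radius_check(user: str, secret: str) -> bool:
    return RADIUS_USERS.get(user) == secret


def local_check(user: str, secret: str) -> bool:
    return LOCAL_USERS.get(user) == secret


@dataclass(frozen=True)
class AuthPolicy:
    priority: int                          # lower value is tried first
    name: str
    check: Callable[[str, str], bool]


def authenticate(policies: Sequence[AuthPolicy], user: str,
                 secret: str) -> Tuple[Optional[str], List[str]]:
    """Walk the cascade; return (name of the accepting server or None, trace)."""
    trace: List[str] = []
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.check(user, secret):
            trace.append(f"{policy.name}:accept")
            return policy.name, trace
        trace.append(f"{policy.name}:reject")
    return None, trace


# As bound on the gateway: directory first, token server second, local last.
CASCADE = (
    AuthPolicy(10, "ldap", ldap_check),
    AuthPolicy(20, "radius", radius_check),
    AuthPolicy(30, "local", local_check),
)
# Hardened binding: the local store is removed from the cascade.
CASCADE_NO_LOCAL = CASCADE[:2]


if __name__ == "__main__":
    # alice's old local password still opens the VPN while "local" is bound.
    print(authenticate(CASCADE, "alice", "summer2005"))
    print(authenticate(CASCADE_NO_LOCAL, "alice", "summer2005"))
```

The trace returned alongside the result is what an auditor wants to see in the session log: which server actually accepted the user, not merely that a login succeeded.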


Authorization

Policy Driven Access
- Authentication by policy
- Authorization by policy
- Session control by policy
- Auditing by policy

Wide Variety of Criteria
- Policy based on network information
- Policy based on application access
- Policy based on client certificate parameters
- Policy based on client configurations

Highly Granular Access Control
- Policies bound per user and per group, up to global policies
- HTTP authorization based on URL
- TCP/IP authorization based on address and port


Auditing

Full Administrative Audit Trail
- All system events
- All management operations logged
- Support for external syslog servers

Full User Audit Trail
- All session activity (login, logout, timeout)
- All network flows (not just web)


Client Security

Session Policies can control:
- Split tunneling
- Forward proxy definitions
- Session timeout values
- Client security

End Point Analysis
- Built-in support for antivirus checks
- Built-in support for firewall checks
- Host identification

Client Side Clean Up
- Clean browser cache, history, autocompletion files, plug-ins, etc.
- Controlled with session policies
- Administrator can mandate it

Denial of Service Protection

SYN attacks

Normal TCP sequence: the client sends SYN, the server answers SYN-ACK and keeps a half-open connection entry until the client's ACK completes the handshake.

SYN flood: an attacker sends a stream of SYNs (typically from spoofed sources) and never completes the handshakes, so the server's half-open connection table fills and legitimate clients are refused.

Enterprise Edition avoids this memory consumption with packet cookies (SYN cookies): the handshake state is encoded in the SYN-ACK sequence number instead of being stored, and a connection entry is allocated only when a client returns a valid ACK.
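As an added example (not Citrix's implementation), the following model shows how a SYN cookie makes the listener stateless until the handshake completes. The secret, the 64-second tick, the 6/2/24-bit layout and the four-entry MSS table are choices made for this example; the addresses and ports are constructed.

```python
"""SYN cookies: stateless protection against SYN floods.

Added example, not Citrix code. Instead of allocating a half-open entry on
every SYN, the server encodes the 4-tuple, a coarse timestamp and the
client's MSS choice into the SYN-ACK's initial sequence number. Only a client
that returns ACK = cookie + 1 makes the server allocate state. Secret, tick
size, bit layout and MSS table are choices made for this example.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Tuple

SECRET = b"constructed-secret-rotate-periodically"
TICK_SECONDS = 64                       # coarseness of the embedded timestamp
MAX_AGE_TICKS = 1                       # accept the current and the previous tick
MSS_TABLE = (536, 1220, 1440, 1460)     # ascending; the index fits in 2 bits


def _mac24(saddr: str, sport: int, daddr: str, dport: int, tick: int) -> int:
    """24-bit keyed MAC over the 4-tuple and the tick (the cookie body)."""
    msg = (ipaddress.ip_address(saddr).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(daddr).packed + struct.pack("!H", dport)
           + struct.pack("!I", tick))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr: str, sport: int, daddr: str, dport: int,
                client_mss: int, now: int) -> int:
    """SYN-ACK sequence number: tick (6 bits) | MSS index (2 bits) | MAC (24 bits)."""
    tick = (now // TICK_SECONDS) & 0x3F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):  # largest table MSS the client accepts
        if mss <= client_mss:
            idx = i
    return (tick << 26) | (idx << 24) | _mac24(saddr, sport, daddr, dport, tick)


def check_cookie(saddr: str, sport: int, daddr: str, dport: int,
                 ack: int, now: int) -> Optional[int]:
    """Validate the client's ACK; return the negotiated MSS, or None if forged/stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick, idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    age = ((now // TICK_SECONDS) - tick) & 0x3F
    if age > MAX_AGE_TICKS:
        return None                      # replayed or too old to be a live handshake
    expected = _mac24(saddr, sport, daddr, dport, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                      # wrong 4-tuple or guessed sequence number
    return MSS_TABLE[idx]


class StatelessListener:
    """Allocates connection state only after a valid third-handshake ACK."""

    def __init__(self, addr: str, port: int) -> None:
        self.addr, self.port = addr, port
        self.established: Dict[Tuple[str, int], int] = {}   # peer -> negotiated MSS

    def on_syn(self, saddr: str, sport: int, client_mss: int, now: int) -> int:
        # Nothing is stored for the SYN; the returned sequence number carries the state.
        return make_cookie(saddr, sport, self.addr, self.port, client_mss, now)

    def on_ack(self, saddr: str, sport: int, ack: int, now: int) -> bool:
        mss = check_cookie(saddr, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False                 # forged or stale: dropped, nothing allocated
        self.established[(saddr, sport)] = mss
        return True
```

Because the SYN side stores nothing, a flood of spoofed SYNs costs the listener one MAC computation each and no memory; the price is that TCP options beyond the MSS are not remembered, which is why real stacks enable cookies only once the backlog is under pressure.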


Other Denial of Service Protections

Other prevented attacks:
- Packet floods
- HTTP GET floods
- SSL floods
- Idle connection floods


Security: User Quarantine

(Diagram: Web Email and Web Portal resources, with quarantined clients.)

- Users are assigned to a quarantine group when end-point analysis fails
- Differentiated session and resource authorization policies apply to that group
- Use it to grant limited access to remediation sites
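The following added example (not Citrix code) models the Authorization and User Quarantine slides together: policies are bound per user, per group and globally, HTTP rules match on URL, TCP/IP rules match on address and port, and a client that fails end-point analysis is evaluated only against the quarantine group. Every hostname, address, user and group name is constructed, and the assumption that quarantine replaces the user's other bindings is this model's, not a statement from the deck.

```python
"""Policy-driven authorization with a quarantine group.

Added example, not Citrix code. Policies bound to the user are consulted
first, then the user's groups, then the global set; the first matching policy
decides, and a request that matches nothing is denied. A client that fails
end-point analysis is evaluated only against the quarantine group's policies
(an assumption of this model), so it reaches the remediation site and nothing
else. Every hostname, address, user and group below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class HttpRule:
    url_prefix: str            # HTTP authorization by URL: prefix match
    allow: bool


@dataclass(frozen=True)
class TcpRule:
    network: str               # TCP/IP authorization by address (CIDR) ...
    ports: Tuple[int, int]     # ... and inclusive port range
    allow: bool


Rule = Union[HttpRule, TcpRule]


@dataclass(frozen=True)
class Request:
    url: Optional[str] = None  # set for HTTP requests
    dst: Optional[str] = None  # set, together with port, for TCP/IP connections
    port: Optional[int] = None


def matches(rule: Rule, req: Request) -> bool:
    if isinstance(rule, HttpRule):
        return req.url is not None and req.url.startswith(rule.url_prefix)
    if req.dst is None or req.port is None:
        return False
    lo, hi = rule.ports
    return (ipaddress.ip_address(req.dst) in ipaddress.ip_network(rule.network)
            and lo <= req.port <= hi)


# Constructed bindings; each list is in bound priority order.
USER_POLICIES: Dict[str, List[Rule]] = {
    "carol": [HttpRule("https://intranet.example.com/finance/", allow=True)],
}
GROUP_POLICIES: Dict[str, List[Rule]] = {
    "staff": [
        HttpRule("https://intranet.example.com/finance/", allow=False),
        HttpRule("https://intranet.example.com/", allow=True),
        TcpRule("10.20.0.0/16", (3389, 3389), allow=True),   # RDP to the desktop subnet
    ],
    "quarantine": [
        HttpRule("https://remediation.example.com/", allow=True),
    ],
}
GLOBAL_POLICIES: List[Rule] = [
    HttpRule("https://webmail.example.com/", allow=True),
]


def policy_levels(user: str, groups: Sequence[str],
                  epa_passed: bool) -> List[Tuple[str, List[Rule]]]:
    """Ordered (label, rules) levels consulted for this session."""
    if not epa_passed:
        # Failed end-point analysis: only the quarantine group's policies apply.
        return [("group:quarantine", GROUP_POLICIES["quarantine"])]
    levels = [("user:" + user, USER_POLICIES.get(user, []))]
    levels += [("group:" + g, GROUP_POLICIES.get(g, [])) for g in groups]
    levels.append(("global", GLOBAL_POLICIES))
    return levels


def authorize(user: str, groups: Sequence[str], epa_passed: bool,
              req: Request) -> Tuple[bool, str]:
    """First matching policy wins; no match means deny."""
    for label, rules in policy_levels(user, groups, epa_passed):
        for rule in rules:
            if matches(rule, req):
                return rule.allow, f"{label} {'ALLOW' if rule.allow else 'DENY'}"
    return False, "no matching policy (default deny)"
```

The ordering matters: carol's user-level allow for the finance site beats the staff group's deny, and a quarantined carol gets neither. Log the returned reason string with every decision; it names the binding that decided, which is what an audit needs.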


Client Support

All Windows platforms
- Windows 98/ME
- Windows NT/2000/XP (including XP SP2)
- Windows CE and PocketPC

MacOS X and Linux
- Java-based client

Reliable application access
- No application content modification

Enforces client security


Navigation Homepage

Bookmarks
- Customize global bookmarks
- Per-user bookmarks
- Filesystem bookmarks

Themes
- Custom style sheets supported
- Logo update
- End users can pick their own colors

Integrated File Manager
- Web-based file access

Unicode support


Server-Initiated Requests

(Diagram: on the client side the source IP is the client IP; on the server side the source IP is the Mapped IP.)

The client connects and is assigned a unique Mapped IP address. Servers can use this Mapped IP address to establish server-initiated connections back to the client. Treat these reverse connections as policy-controlled flows: they terminate on the remote client, so allow them by address and port only for the servers that need them.


High Availability Pairing

(Diagram: Master and Backup appliances sharing Vpn.company.com (10.10.10.1), exchanging network health-check packets.)

Two appliances can be linked to form an active/passive cluster. Health-checking packets are constantly exchanged between the pair. When the master fails, the backup assumes the IP address. All connections from the client are broken and must be re-established, so what the pairing preserves is service availability, not in-flight sessions.


Global Server Load Balancing (GSLB)

- Distributes network traffic across multiple sites
- Routes client connections to the nearest site
- Distributes server load across multiple sites
- Implements disaster recovery


Includes NetScaler Capabilities

5x Faster
Internet


Access Gateway Enterprise Edition

Access
Gateway
Enterprise
Edition

The best solution for the complex and demanding enterprise!
