Citrix Secure Gateway v1.1 Technical Presentation, August 2002


Slide 2: What is Citrix Secure Gateway?
Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device.

Slide 3: Typical Layout (diagram)
Labels: Internet, Firewall, DMZ, Firewall, Internal Network; Client Workstations; Citrix Secure Gateway; Citrix NFuse Classic; Citrix MetaFrame XP and/or MetaFrame for Unix; Secure Connectivity, Authentication, Access Mgmt.

Slide 4: CSG traffic flow (diagram)
- Web Browser to Secure Web Server (NFuse) over HTTP/S; optional 3rd party authentication
- NFuse to Citrix XML Service on the MetaFrame Server Farm over XML-HTTP/80
- .ICA file returned to the client
- ICA Client to CSG Server (in the DMZ) over ICA/SSL 443
- CSG Server to MetaFrame Server Farm over ICA

Slide 5: CSG for Windows Gateway Service
- Windows 2000 native Service
- Runs in DMZ, does not require IIS installed
- Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput
- Utilizes Microsoft S-Channel for SSL/TLS functions
- Server certificate required for SSL server authentication
- Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer
- GUI configuration tool
- Small benefit from PCI based SSL accelerators

Slide 6: CSG for Solaris daemon
- Solaris on SPARC v8 supported
- Multithreaded Solaris daemon
- Includes certificate management tools
- Embedded OpenSSL for SSL/TLS functions
- Server certificate required for SSL server authentication
- Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer

Slide 7: Secure Ticketing Authority
- Implemented as ISAPI DLL; Microsoft IIS WWW Service required
- Extremely lightly loaded service
- Redundant STAs can be defined
- Service should not be reachable from outside DMZ
- Communicates to CSG and NFuse via XML protocol over HTTP; port configurable
- Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN
- GUI configuration tool

Slide 8: CSG Ticketing (diagram)
Components: Web Browser and ICA Client; CSG Server (DMZ); Secure Web Server running NFuse; Secure Ticketing Authority; Production MetaFrame Farm with XML Service.
1. Standard ICA name resolution (standard NFuse XML)
2. CSG ticket requested on application launch (ticket generation)
3. CSG ticket is delivered to the ICA client as part of the ICA file
4. CSG ticket is delivered to the CSG server (ICA/SSL)
5. CSG server verifies the ticket with the STA (ticket verification) and opens the ICA connection
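The five-step ticketing flow above, as an added Python simulation that is not Citrix's code: the STA hands out a short-lived, single-use ticket in place of the internal server address, and the CSG server learns that address only after the STA validates the ticket. Class and function names, the .ICA keys and the ticket lifetime are assumptions for illustration.

```python
"""Simulated CSG ticketing flow (constructed example, not Citrix code).
The STA issues a single-use ticket for a resolved MetaFrame address; the
ticket, not the address, travels to the client in the .ICA file; CSG redeems
it with the STA before opening the ICA connection. Names are assumptions."""
import secrets
import time


class SecureTicketingAuthority:
    """Maps random tickets to internal ICA targets (steps 2 and 5)."""

    def __init__(self, ttl_seconds=100, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be tested
        self._tickets = {}        # ticket -> (target, expiry)

    def request_ticket(self, target):
        # Step 2: NFuse asks for a ticket after standard ICA name resolution.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (target, self.now() + self.ttl)
        return ticket

    def validate_ticket(self, ticket):
        # Step 5: CSG redeems the ticket. pop() makes it single-use; an
        # unknown, reused or expired ticket yields None and no address.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        target, expiry = entry
        return target if self.now() <= expiry else None


def build_ica_file(ticket, gateway_host):
    # Step 3: the ticket stands in for the internal address in the .ICA file,
    # so the client learns only the CSG address (simplified, assumed keys).
    return f"[WFClient]\nSSLProxyHost={gateway_host}:443\nAddress={ticket}\n"


def parse_ica_ticket(ica_text):
    # Step 4: the client extracts the Address value and presents it to CSG.
    for line in ica_text.splitlines():
        if line.startswith("Address="):
            return line.split("=", 1)[1]
    return None


def csg_connect(sta, ticket):
    # Step 5: CSG obtains the internal target only if the STA validates the
    # ticket; returns the target to proxy to, or None to refuse the session.
    return sta.validate_ticket(ticket)
```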

Slide 9: Encryption and Connectivity
- Secures ICA traffic only
- SSL v3.0 or TLS v1.0 with 128-bit encryption
- CSG Service uses a single Server Certificate
- Single CSG IP address is exposed to the Internet
- Ease of firewall traversal (uses port 443 only)

Slide 10: Authentication
- Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG.
- NFuse Classic supports various authentication methods:
  – Microsoft NT Domain and Active Directory
  – Novell NDS
  – SmartCard
- Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g. RSA SecurID®, SafeWord PremierAccess)
- Authentication process is further secured using an HTTPS configured NFuse Web server

Slide 11: Deployment with Citrix Secure Gateway
- Citrix Secure Gateway is highly scalable
- Build fault tolerant CSG arrays with industry standard load balancers
- Multiple redundant STAs can be configured
- CSG supports MetaFrame v1.8 and higher
- CSG supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX
- Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh

Slide 12: Deployment Issues
- Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard secure proxy servers
- CSG to STA and NFuse links do not have native encryption capabilities; use Windows 2000 server to server VPN
- No client auto-reconnect. This feature is often not required across the Internet, for security reasons.

Slide 13: Citrix Security Solutions (diagram)
Labels: SSL Solutions; SecureICA; SSL Relay; Citrix Secure Gateway; VPN Solution.
Note: CSG is a simple and secure, ICA-only solution.

Slide 14: When to use SecureICA or SSL Relay
- Use SecureICA when:
  – Internal LAN / WAN / Intranet
  – Secure DOS or Win 16 access is necessary
  – Have older devices / ICA clients that cannot be upgraded
  – Risk of man-in-the-middle attack is acceptable
- Use SSL Relay when:
  – Small number of MetaFrame servers to support (<5)
  – No need to secure access at DMZ
  – No need to hide server IP addresses, or NAT is used
  – Need end-to-end encryption of data between client and server

Slide 15: When to use CSG or VPN
- Use Citrix Secure Gateway when:
  – Large number of servers to support
  – Want to hide internal network addresses
  – Want to secure from DMZ
  – Need two-factor authentication (in conjunction with NFuse)
  – Need non-intrusive client install, i.e. access from Internet cafes
- Use a Virtual Private Network (VPN) when:
  – Need two-factor authentication
  – Need to create a secure pipeline for full (beyond ICA) network access
  – Need to create secure tunnels between sites
  – Want to secure from within DMZ
  – Access is normally via the same workstation, i.e. OK to install an additional client
  – Want to use IPSEC

Slide 16: Internet Café Solution
Build a complete, Java applet-based solution, which assumes nothing pre-installed on clients:
- MetaFrame XPe
- Citrix NFuse Classic 1.7
- Citrix Secure Gateway
- Replaceable authentication (e.g. RSA SecurID, SafeWord PremierAccess)
- Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7)

Slide 17: What's new in CSG v1.1
- Windows 2000 certification
- List of IP addresses not to log (e.g. network load balancer)
- All CSG logging to Windows system log
- TLS v1.0 and SSL v3.0 (exclusive)
- GOV, COM, or ALL crypto selection
- FIPS certified crypto modules
- No NFuse Extensions; NFuse Classic v1.7 natively supports CSG
- Solaris platform Edition

Slide 18: CSG v1.1 availability
- CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD
- CSG v1.1 Windows (English) is fully internationalized for operation on non-English Windows
- CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD
- CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers

Slide 19: For More Information
- Contact a local member of the Citrix Solutions Network
- Connect to Citrix Web site at: