Citrix Technical Overview

Presentation transcript:

Citrix Technical Overview

Access Gateway – Basic Features
- AAA
- Policy Driven Access
- Full Application Support
- Ease of Use
- Security

Basics: all vendors meet the five SSL VPN requirements (introductory Access Gateway slide). AAA (Authentication, Authorization and Auditing); policy-driven access; full application support (supports all protocols and applications); ease of use (on both the admin and the client side); security (supports SSL/TLS).

Access Gateway - Features
Most SSL VPN/Access Gateway features fall into the following groups, with the differentiators making the biggest impact for Access Gateway.

Differentiators:
- XenApp integration (SmartAccess for published applications and Secure Gateway (SG) replacement)
- XenDesktop (SmartAccess for desktops)
- NetScaler (LB, GSLB and Application Firewall)

Features:
- AAA
- Clients
- EPA
- User Experience
- Administration
- Scalability
- HA
- Others

Authentication
Supports most authentication mechanisms:
- Active Directory
- LDAP
- NTLM
- RADIUS
- TACACS+
- One-time password tokens
- Client certificates and smart cards
- Local store
- Dual Source Authentication
- Cascading Authentication

TACACS: Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol used to communicate with an authentication server, commonly found in UNIX networks. TACACS allows a remote access server to talk to an authentication server in order to determine whether the user has access to the network. Supports dual source and cascading authentication, and also dual cascading authentication. Smart card support is provided through client certificates.
© 2003 Citrix Systems, Inc.—All rights reserved.

Authorization
Policy-driven access:
- Authentication
- Authorization
- Session control
- Auditing
Wide variety of policy criteria:
- Network information
- Application access
- Client certificate parameters
- Client configurations
Highly granular access control:
- User, group, virtual IP and global policies
- HTTP authorization based on URL
- TCP/IP authorization based on address and port

Different policies dictate and control access to resources (networks, servers, applications, XenApp, XenDesktop). Complex expressions can be built from different qualifiers and criteria (the list of expressions is provided in the Admin Guide). Authorization policies are bound at the group or user level. Use cases: file transfer authorization; access lists for internal connections; web site and web application restrictions.

Auditing
- Full administrative audit trail: all management operations logged
- Full user activity audit trail: all session activity and all network flows
- All system events logged
- Support for external logging servers

Logging and auditing capabilities: syslog and nslog. Ability to log the following: login information, logout information, access failures, TCP statistics, UDP statistics, HTTP information, system events (device up/down).

Clients
Two types of client delivery:
- Secure Access Client: native installed application that remains resident in the system tray
- Plugin: ActiveX or Java control dynamically downloaded and executed via HTML
Connecting to XenApp applications only: all XenApp clients v6.3 or later, including Windows NT/2000/XP, Windows Vista, MacOS 9 and 10, Linux and Java, Windows CE, UNIX.
Connecting to any IP-based application: Secure Access platforms are Windows Vista/2000/XP, Java (used by Mac and Linux) and PocketPC.

Describe the three client types: the full Secure Access Client and the plugin (ActiveX and Java based). Full client: all functionality and protocols work. ActiveX: all functionality and protocols work (Windows platforms only). Java based: TCP traffic only (no UDP) and applications only (an application list needs to be provided), in transparent mode; recommended for Mac and Linux platforms.

Endpoint Analysis
- Checking for specific client criteria
- Scans can be run pre- and post-logon
- Results are used for policy evaluation and SmartAccess decisions
Connecting Windows machines can be scanned for any combination of: files, processes, registry entries, system services, operating system, hotfixes, client certificates.

EPA scans available: files, processes, registry entries, system services, operating system, hotfixes, client certificates. Note: no EPA SDK is available with AG EE.

Ease of Management and Administration
- Console for management
- Easy wizards: to simplify common tasks, for easier integration with XenApp, and for complex tasks
- Delegated administration: Read-Only, Operator, Network, Superuser
- Command line interface (for advanced admins)

New wizards were created specifically to simplify product configuration and deployment. Delegated administration gives the administrator the ability to configure limited or full access to configure the appliance (e.g. for help desk and other admins). It consists of rules that control what individual users may access and do on the Access Gateway; it lets you define which parts of the Access Gateway configuration a user or group is permitted to access and modify, and regulates which commands, command groups, virtual servers and other elements system users and groups are permitted to use:
- Read Only: allows read-only access to all show commands except for the system command group and ns.conf show commands
- Operator: allows read-only access as above and, in addition, access to the enable and disable commands on services. This policy also allows services and servers to be set as 'accessdown'
- Network: permits near-total system access, excluding system commands and the shell command
- Superuser: grants full system privileges, exactly the same privileges as the nsroot user
The CLI continues to support administrators who need the ability to create scripts and automate builds and configurations.

Scalability
- 7000 series: 2,500 users
- 9000 series: 5,000 users
- 10000 series: 10,000 users
Enterprise Edition offers the best scalability and performance of all the editions in the Access Gateway product line.

High Availability Pairing
Diagram: Master vpn.company.com (10.10.10.1) and Backup; network health-check packets are exchanged.
- Two appliances can form an active/passive cluster
- Health-checking packets are constantly exchanged between the pair
- When the primary fails, the secondary assumes the IP address
- User sessions are HA aware: all sessions are replicated on the secondary, and "show aaa session" on the secondary shows the active users

When appliances are deployed as an HA pair they can be in active/passive mode only; for active/active mode, leverage the GSLB feature in NetScaler. If the active appliance becomes unavailable due to a failure, the passive appliance takes over and the user session is seamlessly relocated onto it. The end user sees the VPN client reconnecting (almost instantly) without being prompted for any credentials. Most applications keep working and maintain state over a failover; some applications need to be re-initiated in order to re-establish their connection with the backend servers. This is due to the type and mechanism of those applications and not due to the failover.

Other Features
- VoIP support
- Universal licensing
- Client-side cleanup
- Server-initiated connections
- FIPS 140-2 compliance
- *Common Criteria Certification (H2 2008)

AG Universal License. Additional features available: VoIP support (softphones and others are supported); client-side cleanup (cleans up cache, history and other data files). * Common Criteria Certification: currently under certification, targeted for the end of 2008.

Differentiators
- Citrix XenApp™: Deliver Windows Apps
- Citrix® NetScaler®: Deliver Web Apps
- Citrix XenDesktop™: Deliver Windows Desktops

Integration with XenApp, XenDesktop and NetScaler provides the most significant value for the Access Gateway product line. This slide leads into the three platinum products and the integration value with each.

Citrix Access Gateway and XenApp: Secure Delivery of Windows Applications
Diagram labels: Citrix® NetScaler® (Deliver Web Apps); Citrix XenApp™ (Deliver Windows Apps); Citrix XenDesktop™ (Deliver Windows Desktops); Citrix EdgeSight™ (Monitor Real-Time User Experience); Citrix WANScaler™ (Accelerate Apps to Branch Offices); Citrix Access Gateway™ (Enable Secure App Access); Users; Apps.

In most organizations, someone in IT Infrastructure Operations is primarily responsible for the delivery of Windows-based applications. When this person looks down the line of sight from the datacenter to the users he or she is supporting, it looks something like this. Presentation Server is the application delivery controller that initiates the delivery process for Windows applications at the point of origin, so this product is the center of gravity for this individual. Products like Access Gateway, WANScaler and EdgeSight are common to all applications, so they are also essential to IT infrastructure ops.
© 2007 Citrix Systems, Inc. — All rights reserved

Access Gateway & XenApp: SmartAccess – Data Protection
Diagram: WHO, WHAT, HOW. Endpoint Analysis and Authentication: which user, what device, what location. Access Control: XenApp applications, mail servers, web and file servers, network resources. Launch with ICA: email download, clipboard, save, print. Annotation: other SSL VPNs only go this far.

Use this slide to relate the previous analogy to how SmartAccess works. The real difference from competitors is that Citrix can control HOW the application is delivered.

Access Gateway and XenApp
Best SSL VPN to use with XenApp:
- Replace Secure Gateway with a hardened appliance
- Single logon experience to Web Interface
- Add support for all applications and protocols
- Add SmartAccess to application delivery
Secure Application Virtualization.

Discuss SmartAccess, Secure Gateway replacement and secure application virtualization.

Accessing XenApp Server
1) User accesses https://agee.corp.ctx
2) Access Gateway authenticates the user and validates the endpoint
3) Access Gateway communicates the user credentials and policy conditions to Web Interface
4) Web Interface displays the user's set of applications
5) User clicks an application icon
6) Web Interface requests a ticket from the Secure Ticket Authority
7) Web Interface sends a ticket to the user in an ICA® file
8) The ICA client launches and sends secure ICA traffic to Access Gateway
9) Access Gateway validates the ticket against the STA
10) The ICA session is established
Diagram labels: ICA Client, Access Gateway, Web Interface, XenApp Server Farm; 1) SSL, 3) HTTPS, 4) HTTPS, 6) XML, 8) SSL, 9) XML, 10) ICA.

Important points to remember: WI can point to any VPN vserver, not necessarily the one where users connect. WI must be able to resolve the FQDN of the virtual server. WI must be able to route to the virtual server IP over HTTPS. WI must trust the SSL certificate at the machine level.
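The ticketed launch in steps 6 to 10 is the part of this flow that keeps the XenApp farm address out of the client's hands: the client only ever holds a ticket, and Access Gateway relays ICA only after the STA has redeemed it. The model below is an added example written for this page, not Citrix code; it does not reproduce the real STA protocol (XML over HTTP), and the ticket format, the lifetime constant and every class and method name are assumptions. It walks the normal launch and then the three failure cases a practitioner should expect the gateway to refuse: a replayed ticket, an expired ticket, and a ticket presented without an authenticated gateway session.

```python
import secrets
import time

# Added example, not Citrix code: a simplified model of the ticketed launch in
# steps 6-10 above. Web Interface asks the Secure Ticket Authority (STA) for a
# ticket, the client presents it through Access Gateway, and the gateway
# validates it against the STA before relaying ICA traffic. The real STA
# protocol (XML over HTTP) is not reproduced; the ticket format, its lifetime
# and all class and method names are assumptions made for this example.

TICKET_LIFETIME_SECONDS = 100  # assumed; the real value is an STA setting


class ManualClock:
    """Constructed clock so the expiry case runs deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class SecureTicketAuthority:
    """Issues single-use, short-lived tickets that stand in for a farm server address."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (server address, expiry time)

    def request_ticket(self, server_address):
        # Step 6: Web Interface asks for a ticket. The token is random and carries
        # no address; the client only ever sees the token, never the farm address.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_address, self._clock() + TICKET_LIFETIME_SECONDS)
        return ticket

    def validate_ticket(self, ticket):
        # Step 9: Access Gateway redeems the ticket. A ticket resolves once and only
        # before expiry; a replayed, expired or unknown ticket yields None.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_address, expiry = entry
        return server_address if self._clock() <= expiry else None


class AccessGateway:
    def __init__(self, sta):
        self._sta = sta

    def launch_session(self, authenticated, ticket):
        # Steps 8-10: an unauthenticated gateway session gets no ICA relay at all,
        # and ICA is relayed only to the address the STA vouches for.
        if not authenticated:
            return ("denied", "no authenticated gateway session")
        target = self._sta.validate_ticket(ticket)
        if target is None:
            return ("denied", "ticket unknown, already used or expired")
        return ("ica-established", target)


def simulate_launch():
    """Run the normal launch plus the replay, expiry and unauthenticated cases."""
    clock = ManualClock()
    sta = SecureTicketAuthority(clock)
    gateway = AccessGateway(sta)
    farm = "10.20.30.40:1494"  # constructed XenApp server address

    ticket = sta.request_ticket(farm)               # steps 6-7
    first = gateway.launch_session(True, ticket)    # steps 8-10: normal launch
    replay = gateway.launch_session(True, ticket)   # the same ticket presented again

    stale = sta.request_ticket(farm)
    clock.now += TICKET_LIFETIME_SECONDS + 1        # let the ticket age out
    expired = gateway.launch_session(True, stale)

    unauth = gateway.launch_session(False, sta.request_ticket(farm))
    return {"first": first, "replay": replay, "expired": expired, "unauthenticated": unauth}


if __name__ == "__main__":
    for case, outcome in simulate_launch().items():
        print(f"{case}: {outcome}")
```

The design point worth noting is in validate_ticket: the ticket is removed from the store before the expiry check, so a single presentation consumes it whether or not it is still valid, and the gateway never learns a farm address from anything except a live STA answer. That is the same property the slide relies on when it insists that WI must be able to reach the STA and the virtual server.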

Secure Gateway Replacement (Modes)
Pure Secure Gateway:
- VPN authentication is OFF
- Web Interface in direct mode handles authentication
Secure Gateway with Single Sign-On:
- VPN authentication is ON
- Web Interface in indirect mode
- User credentials are passed through for SSO to Web Interface
Secure Gateway with SmartAccess:
- VPN authentication is ON; pre-auth and post-auth EPA configured
- Web Interface in indirect and "Access Gateway Enterprise" mode
- XenApp configured for filters and access policies

Used for Secure Gateway replacement: SG can be deployed using AG-EE in different modes. Pure SG mode requires WI to authenticate and authorize the user for access to XenApp applications. SG with SSO: the appliance authenticates the user and single signs on to WI. SG with SmartAccess: the appliance authenticates the user, pre-auth and post-auth policies are configured, and the user is sent to WI in AG-E mode, which filters and presents the XenApp applications.

Citrix Access Gateway and XenDesktop: Secure Delivery of Windows Desktops
Diagram labels: Citrix® NetScaler® (Deliver Web Apps); Citrix XenApp™ (Deliver Windows Apps); Citrix XenDesktop™ (Deliver Windows Desktops); Citrix EdgeSight™ (Monitor Real-Time User Experience); Citrix WANScaler™ (Accelerate Apps to Branch Offices); Citrix Access Gateway™ (Enable Secure App Access); Users; Apps.

In most organizations, someone in Desktop Operations is primarily responsible for supporting Windows desktops. When these desktops are installed in the datacenter and delivered over the network, the desktop ops team is the one most responsible. When this person looks down the line of sight from the datacenter to the users he or she is supporting, it looks something like this. Desktop Server is the delivery controller that initiates the delivery process for Windows desktops at the point of origin, so this product is the center of gravity for this individual. Products like Access Gateway, WANScaler and EdgeSight are common to all applications, so they are also essential to desktop ops.

Secure Access & Delivery from the Data Center to the Desktop
Diagram labels: User, Access Gateway, Virtual Desktops; ICA/CGP, ICA + SSL, HTTPS, HTTPS - SSO, XML.
End user experience:
- User points the browser to the Access Gateway URL
- Endpoint analysis may be performed before the logon page is displayed
- The AG-E logon page appears
- End user authenticates using single-factor or two-factor authentication
- After successful authentication the Secure Access Client may be offered to the user; the user is redirected to the XenDesktop Web Interface site
- XenDesktop Controller enumerates desktops without requiring another logon; the user clicks a desktop icon
- The published desktop appears for the end user
- On logout, the Access Gateway logon page appears
Notes:
- AG-E supplies all pre-authentication EPA and logon pages
- Single sign-on works using the same callback method as AG-A
- SmartAccess is available and could be used to filter desktop availability
XenDesktop: Secure Desktop Virtualization

Secure Desktop Delivery with Access Gateway & XenDesktop
- Secures remote desktop delivery: secure delivery of desktop virtualization; SmartAccess policies
- Provides the strongest data delivery protection: hosted desktop and data stay in the data center; endpoint device compliance with security policies; hosted desktop isolated from the local desktop
- Enables the "Bring-Your-Own-PC" asset model
- Dramatically simplifies desktop management
- Reduces the cost of desktop computing by up to 40%

XenDesktop takes simple virtualization to the next level by enabling IT departments to deliver and manage end user desktop deployment centrally and simply.

Access Gateway Redirecting to XenDesktop
Screenshots:
1. Access Gateway supports single sign-on to Web Interface by default
2. Available XenDesktops can be based on SmartAccess
3. User is connected to their desktop
4. XenDesktop session is securely delivered through Access Gateway

Secure Access and XenDesktop
- A secure connection is established between the client and Access Gateway
- The XenDesktop session is tunneled through the Citrix Access Gateway client
- SmartAccess determines which applications are delivered

In this scenario a user launches the Citrix Access Gateway client to establish a VPN connection. In addition, a XenDesktop can be launched and is tunneled through the secure connection.

Citrix Access Gateway and NetScaler: Delivering Web Applications (Network Architect Line-of-Sight)
Diagram labels: Citrix® NetScaler® (Deliver Web Apps); Citrix XenApp™ (Deliver Windows Apps); Citrix XenDesktop™ (Deliver Windows Desktops); Citrix EdgeSight™ (Monitor Real-Time User Experience); Citrix WANScaler™ (Accelerate Apps to Branch Offices); Citrix Access Gateway™ (Enable Secure App Access); Users; Apps.

In most organizations, the Network Architect is primarily responsible for the delivery of web-based applications. When this person looks down the line of sight from the datacenter to the users he or she is supporting, it looks something like this. NetScaler is the application delivery controller that initiates the delivery process from the point of origin, so this product is the center of gravity for this individual. Products like Access Gateway, WANScaler and EdgeSight are common to all applications, so they are also essential to the network architect (note that this individual also generally takes a lead role on WANScaler, since the WAN is considered part of the core network infrastructure).

Access Gateway and NetScaler: Business Continuity & Disaster Recovery
Global Server Load Balancing:
- Route client connections to the nearest or most available site
- Implement multi-site disaster recovery
Diagram: several primary sites and a DR site, all published as corp.xyz.com. One URL for the website, supporting "active-passive" site failover.

This example shows an active/passive deployment where there is a "hot standby" site that only receives users in the event a primary site becomes unavailable. Also, in this example all users are given the same URL (corp.cps.com) and GSLB transparently directs them to their appropriate primary site. In the event that a primary site becomes unavailable, its users will be transparently directed to the standby site. The impacted user group is still using the same URL to access the standby site, and may not even realize it is accessing a different site.

Access Gateway & NetScaler Application Firewall
Diagram labels: Users, Internet, Network Access, Citrix NetScaler Platinum Edition (includes Access Gateway Enterprise Edition), Application Infrastructure, Web App; legitimate traffic allowed through, application attacks blocked.
- Protecting back-end web applications and data
- Better data protection and better user experience
- Real-time protection for applications and application logic
- Accelerated secure access and delivery of data

And that's where the NetScaler Application Firewall module comes in. Integrated into Citrix NetScaler, it sits behind your network firewalls, in front of your important web applications, protecting them from attacks automatically with no signatures or updates required. Simply configure it once, and you're done. It can actually be up and running in less than 30 minutes in most cases.

New Features in 8.1

8.1 Main Features/Benefits
- Clientless, browser-based access (Phase 1: OWA 2003/2007 and simple HTTP rewrite): access resources from any PC without the need for the full Secure Access Client
- Installation wizards and revamped documentation: easier installation and configuration
- Access scenario fallback with client choices: ability to set rules that dictate how users may access resources based upon EPA results (full client or ICA only); users have options when they successfully pass the EPA scan
- Vista client: expand opportunities
- Enhanced NavUI with XenApp applications list: provides a seamless user interface to XenApp applications
- FTA (File Type Association): ability to automatically launch a XenApp published application when a file is double-clicked for viewing

Features vs. benefits for 8.1. Focus on the following key features: clientless access (URL rewriting); access scenario fallback (with client choices); enhanced NavUI with WI/XA applications and FTA.

Clientless Access – URL Rewriting
Allows a secure clientless connection. Supports:
- Portal page
- Generic web sites
- Outlook Web Access Light
- Outlook Web Access Premium
We will be providing access to the following applications in future releases: SharePoint 2003*, SharePoint 2007*.

Clientless Access – Email Support

Clientless Access - URL Rewriting
Rewrites URLs in three formats. If the VPN access URL is https://gateway.company.com and the URL http://intranet/dir/file.html is to be accessed in clientless mode via it, it will be encoded as:
- Opaque: Base64 encoding to obfuscate the domain and protocol (e.g. https://gateway.company.com/cvpn/aHR0cDovL2ludHJhbmV0/dir/file.html)
- Transparent: no encoding is used; domain and protocol are visible in the clientless encoded URL (e.g. https://gateway.company.com/cvpn/http/intranet/dir/file.html)
- Encrypt: domain and protocol are encrypted using the session key (e.g. https://gateway.company.com/cvpn/dsjDSdFke43Ffdef89nRkj39K83rj39hr3/dir/file.html)
Rewritten URL is https://gateway.corp.com/cvpn/aHR0aHR0cDovL3d3dy5nb29nbGUuY29t/ (the second example on the slide, with the opaque token for http://www.google.com).
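The opaque and transparent formats above are mechanical enough to reproduce, and doing so makes two things concrete: the opaque token is plain Base64 of "scheme://host" with the padding dropped (aHR0cDovL2ludHJhbmV0 decodes to http://intranet), so it hides the intranet name from a casual glance but is not confidentiality; and whatever decodes a /cvpn/ path on the gateway side has to validate the recovered origin, because that path is attacker-controllable input that selects the backend the gateway will fetch from. The code below is an added example written for this page, not NetScaler code: the rewrite and decode functions, the gateway host names and the rejection rules are all assumptions, and the encrypt format (which depends on the per-session key) is not modelled.

```python
import base64
from urllib.parse import urlsplit

# Added example, not NetScaler code: encoder and decoder for the opaque and
# transparent /cvpn/ URL formats shown on the slide. Function names, hosts and
# the validation rules in decode_cvpn_path are assumptions for this example.

CVPN_PREFIX = "/cvpn/"
ALLOWED_SCHEMES = ("http", "https")


def _split(url):
    """Split an origin URL into scheme, host and the path (with query) to keep."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported URL: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, parts.netloc, path


def rewrite_opaque(gateway, url):
    """Opaque format: Base64 of 'scheme://host' without padding, then the path."""
    scheme, host, path = _split(url)
    token = base64.b64encode(f"{scheme}://{host}".encode()).decode().rstrip("=")
    return f"https://{gateway}{CVPN_PREFIX}{token}{path}"


def rewrite_transparent(gateway, url):
    """Transparent format: scheme and host appear in clear as path segments."""
    scheme, host, path = _split(url)
    return f"https://{gateway}{CVPN_PREFIX}{scheme}/{host}{path}"


def decode_cvpn_path(path):
    """Map a /cvpn/... request path back to the origin URL, or raise ValueError.

    Handles both the opaque and the transparent form. The recovered origin is
    checked before use: only http(s), a non-empty host, and no path smuggled
    into the host part, so a crafted token cannot steer the fetch elsewhere.
    """
    if not path.startswith(CVPN_PREFIX):
        raise ValueError("not a clientless access path")
    first, _, remainder = path[len(CVPN_PREFIX):].partition("/")
    if first in ALLOWED_SCHEMES:
        # transparent: /cvpn/<scheme>/<host>/<rest>
        scheme = first
        host, _, remainder = remainder.partition("/")
    else:
        # opaque: /cvpn/<base64(scheme://host)>/<rest>; restore stripped padding
        padded = first + "=" * (-len(first) % 4)
        try:
            origin = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError as exc:  # binascii.Error and UnicodeDecodeError both qualify
            raise ValueError("malformed opaque token") from exc
        scheme, sep, host = origin.partition("://")
        if not sep:
            raise ValueError("opaque token does not contain an origin")
    if scheme not in ALLOWED_SCHEMES or not host or "/" in host:
        raise ValueError("decoded origin is not an http(s) host")
    return f"{scheme}://{host}/{remainder}"


if __name__ == "__main__":
    gw = "gateway.company.com"  # constructed gateway host, as on the slide
    target = "http://intranet/dir/file.html"
    for rewritten in (rewrite_opaque(gw, target), rewrite_transparent(gw, target)):
        print(rewritten, "->", decode_cvpn_path(urlsplit(rewritten).path))
```

Both examples from the slide round-trip: rewrite_opaque("gateway.company.com", "http://intranet/dir/file.html") yields exactly the opaque URL shown above, and rewrite_opaque("gateway.corp.com", "http://www.google.com") yields the aHR0cDovL3d3dy5nb29nbGUuY29t token. A token that decodes to a file:// or a host-with-path origin is refused rather than fetched.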

Access Gateway Wizards
- Create or edit an SSL VPN virtual server – New!
- Configure certificates – New!
- Configure name resolution
- Configure authorization
- Default authorization action – New!
- Configure port 80 redirection – New!
- Configure clientless access – New!
- Published applications – New!
- ICA connections – New!

The SSL VPN node has been renamed Access Gateway in 8.1. The SSL VPN Wizard has been renamed Access Gateway Wizard and includes new functionality.

Client Choices
- Provides users with a choice of using the Secure Access Client or launching applications through Web Interface
- Use Client Security Expressions to conditionally control Secure Access Client availability

Allows the end user to choose the type of access he or she desires, based on post-authentication scans, also called "Client Security Expressions". Note: Quarantine Groups are not used here.

Access Scenario Fallback
Access Scenario Fallback uses a Quarantine Group in addition to the "Client Security String".

In this case, instead of presenting the user with a Client Choices page, the decision is made automatically and the user is given either full access or limited access (clientless VPN or WI). The post-authentication scan, also called a "Client Security Expression", is used together with the Quarantine Group concept.

Client Choices – User Interface
The user interface allows the end user to decide on the type of access he or she desires.

Windows Interface Look and Feel in NavUI
- Home page is left blank to support embedded WI
- Better integration with the WI website

The administrator gets to choose between two settings, Compact and Normal. The WI mode can be set to Normal or Compact, but the WI site must be configured in the same mode.

Normal Mode
The user has to use the scroll bar to move up and down to access XenApp applications (iframe).

Compact Mode
Takes the applications and lists them in a window that does not scroll. Also called Fixed or Compact Mode.

Custom Mode
Feature parity with AG-A 4.5, in case the customer wants the same look and feel. Refer to CTX114504 for complete details.

Procedure or steps

WI 4.2+
Open the file site/serverscripts/include.cs. It is recommended that you make a backup copy of this file prior to making any edits. Find the getAGEAccessMode() method and change the return statement so that it always returns AGEAccessMode.EMBEDDED (the changed lines are the ones marked in red on the slide):

    /**
     * Gets the access mode of the site when the Web Interface is being accessed via
     * Access Gateway Enterprise. The access method determines the behaviour of the
     * site.
     *
     * @return the current access mode, or null if the access mode was not recognised
     * or the site is not being accessed via AGE.
     */
    public AGEAccessMode getAGEAccessMode()
    {
        bool AGEIntegrationEnabled = getAuthenticationConfiguration().isEnabledMethod(AuthMethod.AGE_PASSTHROUGH);
        AGEAccessMode accessMode = Session[SV_AGE_ACCESS_MODE] as AGEAccessMode;
        // Original return statement, commented out by the procedure:
        //return AGEIntegrationEnabled ? accessMode : null;
        // Forced embedded mode:
        return AGEAccessMode.EMBEDDED;
    }

Save the file. Test access through Access Gateway Advanced Edition.

WI 4.5+
Open the file <site-root>\app_data\site\serverscripts\include.aspxf and make the same change to getAGEAccessMode(). In this version the method's comment additionally notes that it will return null if called before authentication has completed, and the line to comment out reads:

    //return isAGEIntegrationEnabled() ? accessMode : null;

The WI site can be forced into an embedded mode by modifying the site properties. Refer to CTX114504 for complete details.

Network Overview
To be used if discussing deployments and networking, and when network architects are included in meetings.

One-arm versus Two-arm
One-arm deployment: 1) User request, 2) User request, 3) Server response, 4) Server response.
Two-arm deployment: 1) User request, 2) User request, 3) Server response, 4) Server response.

Discuss one-arm and two-arm deployments. Access Gateway works in both deployment modes; which one is deployed is based on the customer's preference.

5 Types of IP Addresses in Access Gateway
- Virtual Server IP (VIP)
- Management IP (NSIP)
- Subnet IP / Mapped IP (SNIP/MIP)
- Intranet IP (IIP)
Diagram labels: End User, VIP, IIP, SNIP/MIP, NSIP, Backend Server, Administration and Authentication.

Explain the different configuration IPs on the Access Gateway. VIP: external IP address for the SSL VPN. NSIP: used to administer the Access Gateway. SNIP/MIP: all internal communication takes place on these IPs. IIP: IP address allocated to the SSL VPN client/end user from an IP pool; communication from the end user to backend servers takes place on this IP. A SNIP supports the RIP, OSPF and BGP routing protocols.

Basic Firewall and Port Rules
Sample deployment for AG-EE in the DMZ. Diagram labels:
- DNS: 53 (UDP), from the NSIP
- AD / LDAP: 443, 80* (HTTP/TCP); 389/636 (TCP), from the NSIP
- Remote End User: VIP
- CPS & WI: 80, 8080, 443 (HTTP/TCP); 1494, 2598 (TCP), from the SNIP
- AGEE Admin: NSIP 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)
* Port 80 is used for the HTTPS redirect.

Discuss the AG IPs and their functionality.

Common Firewall and Port Requirements

Source   | Destination         | Port               | Use
Internet | VIP                 | 443                | SSL virtual server connections
Internet | VIP                 | 80                 | Port 80 redirection
NSIP     | Management console  | 22, 80, 3008, 3010 | SSH, web tool, Java admin tool
NSIP     | LDAP server         | 389                | LDAP
NSIP     | LDAP server         | 636                | Secure LDAP
NSIP     | RADIUS server       | 1812               | RADIUS
NSIP     | DNS server          | 53                 | DNS queries

The regular GUI uses port 80 for HTTP and 3010 for applets; the secure GUI uses 443 and 3008. Talk about what each port does, why it needs to be opened, and between which IPs.

WI/CPS Firewall and Port Requirements

Source   | Destination   | Port         | Use
MIP/SNIP | Web Interface | 80           | WI over HTTP
MIP/SNIP | Web Interface | 443          | WI over HTTPS
MIP/SNIP | CPS server    | 1494 or 2598 | ICA traffic
VIP      | STA server    | 8080 or 443  | STA communication
VIP      |               |              | SSO callback

Similar concept here. The WI SSO callback is important for the SmartAccess capabilities.
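The two port tables above, together with the DMZ diagram, amount to an allow-list of which appliance address is expected to talk to which backend on which port. Written down as data, that list can be run over firewall logs to surface flows the deployment should never generate, for instance LDAP originating from the VIP instead of the NSIP, or management ports on the NSIP being reached from the Internet. The script below is an added example written for this page, not Citrix or NetScaler code: the addresses, the log line format and the sample lines are constructed, the role names follow the slides, and the STA rows are keyed to the SNIP (the slide on IP types says all internal communication uses the SNIP/MIP, even though the table above lists the STA row under VIP).

```python
import ipaddress
import re

# Added example, not Citrix code: the port tables expressed as an expected-flow
# allow-list and applied to constructed firewall log lines. All addresses, the
# log format and the sample lines are constructed for this example; role names
# (VIP, NSIP, SNIP, WI, CPS, STA) follow the slides.

ROLE_OF_ADDRESS = {
    "203.0.113.10": "VIP",    # SSL VPN virtual server, reachable from the Internet
    "192.0.2.10": "NSIP",     # management and authentication traffic
    "192.0.2.11": "SNIP",     # all internal (backend) communication
    "10.0.0.5": "WI",         # Web Interface
    "10.0.0.6": "CPS",        # XenApp / Presentation Server
    "10.0.0.7": "STA",        # Secure Ticket Authority
    "10.0.0.20": "LDAP",
    "10.0.0.21": "RADIUS",
    "10.0.0.22": "DNS",
    "10.0.0.50": "ADMIN",     # AGEE admin workstation
}

# RFC 1918 ranges count as internal; anything else unknown is treated as Internet.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (source role, destination role, protocol, destination port) -> documented use.
# RADIUS 1812 and DNS 53 are UDP; everything else in the tables is TCP.
EXPECTED_FLOWS = {
    ("INTERNET", "VIP", "tcp", 443): "SSL virtual server connections",
    ("INTERNET", "VIP", "tcp", 80): "port 80 redirection",
    ("ADMIN", "NSIP", "tcp", 22): "SSH",
    ("ADMIN", "NSIP", "tcp", 80): "web tool (regular GUI)",
    ("ADMIN", "NSIP", "tcp", 443): "web tool (secure GUI)",
    ("ADMIN", "NSIP", "tcp", 3010): "Java admin tool applets (regular GUI)",
    ("ADMIN", "NSIP", "tcp", 3008): "Java admin tool applets (secure GUI)",
    ("NSIP", "LDAP", "tcp", 389): "LDAP",
    ("NSIP", "LDAP", "tcp", 636): "secure LDAP",
    ("NSIP", "RADIUS", "udp", 1812): "RADIUS",
    ("NSIP", "DNS", "udp", 53): "DNS queries",
    ("SNIP", "WI", "tcp", 80): "WI over HTTP",
    ("SNIP", "WI", "tcp", 443): "WI over HTTPS",
    ("SNIP", "CPS", "tcp", 1494): "ICA traffic",
    ("SNIP", "CPS", "tcp", 2598): "ICA traffic (session reliability / CGP)",
    ("SNIP", "STA", "tcp", 8080): "STA communication",
    ("SNIP", "STA", "tcp", 443): "STA communication over HTTPS",
    ("WI", "VIP", "tcp", 443): "SSO callback from Web Interface",
}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def role_of(address):
    """Map an address to its deployment role; unknown addresses are INTERNAL or INTERNET."""
    if address in ROLE_OF_ADDRESS:
        return ROLE_OF_ADDRESS[address]
    ip = ipaddress.ip_address(address)
    return "INTERNAL" if any(ip in net for net in INTERNAL_NETWORKS) else "INTERNET"


def classify(line):
    """Return ("expected", use), ("unexpected", flow key) or ("unparsed", line)."""
    match = LOG_RE.match(line.strip())
    if not match:
        return ("unparsed", line)
    key = (role_of(match["src"]), role_of(match["dst"]), match["proto"], int(match["dport"]))
    use = EXPECTED_FLOWS.get(key)
    return ("expected", use) if use else ("unexpected", key)


def unexpected_flows(lines):
    """Flow keys seen in the log that the port tables do not account for."""
    return [key for verdict, key in map(classify, lines) if verdict == "unexpected"]


SAMPLE_LOG = [  # constructed
    "2008-10-01T09:15:02 tcp 198.51.100.7:51234 -> 203.0.113.10:443",  # user to VIP
    "2008-10-01T09:15:03 tcp 192.0.2.10:40001 -> 10.0.0.20:636",       # NSIP to LDAPS
    "2008-10-01T09:15:04 tcp 192.0.2.11:40002 -> 10.0.0.5:443",        # SNIP to WI
    "2008-10-01T09:15:05 tcp 10.0.0.5:40003 -> 203.0.113.10:443",      # WI SSO callback
    "2008-10-01T09:15:06 tcp 192.0.2.11:40004 -> 10.0.0.6:1494",       # SNIP to XenApp, ICA
    "2008-10-01T09:15:07 tcp 203.0.113.10:40005 -> 10.0.0.20:389",     # LDAP from the VIP: should be the NSIP
    "2008-10-01T09:15:08 tcp 198.51.100.7:51235 -> 192.0.2.10:22",     # SSH to the NSIP from the Internet
    "2008-10-01T09:15:09 tcp 192.0.2.11:40006 -> 10.0.0.6:3389",       # RDP to XenApp: not an ICA port
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

The three flagged lines are exactly the ones a reviewer of this deployment would want to see: an authentication flow sourced from the wrong appliance address, a management port exposed past the DMZ, and a non-ICA port opened towards the farm. Extending the allow-list is a matter of adding a tuple; nothing else changes.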