Internal Road Map Summary
Citrix® Secure Gateway
Phil Montgomery
Senior Product Manager
Citrix Products and Services
October 2001
Learning Objectives
In this session, you will:
Get a preview of the new features and benefits of the Citrix Secure Gateway.
Learn how Citrix Secure Gateway (CSG) can provide Internet-based access to applications for remote employees, customers, and partners.
Agenda
Business Goals and Drivers
Citrix Goals and Solution
What is CSG?
CSG Architecture
CSG Technology Preview
Citrix Security Solutions
Demonstration
Summary, Q&A
Business Goals
Leverage Internet to deliver value outside of traditional models.
Demonstrable ROI
Do more with less
Do it before the competition does
Business Drivers
Remote access for employees, customers, and partners
B2B and B2C customers dispersed across many geographic locations
Only assumption: a web browser with a highly limited Internet connection
Access to key business applications
Security
Speed to market and development costs
Citrix Goals
Build a solution to securely and simply deliver MetaFrame applications across the Internet, on demand, to any device.
Barriers to implementation
ICA port 1494 is not normally open on firewalls and is difficult to open up
Use standards-based encryption and protect against “man-in-the-middle” attacks (Secure ICA is vulnerable to such attacks)
Large, difficult, intrusive VPN client installs are not suitable for many deployment types
Cost of VPN solutions, especially for a large customer base
Hide MetaFrame servers from being seen or directly accessed from the Internet
What is CSG?
Gateway between an SSL enabled ICA client and one or more MetaFrame servers
Tunnels ICA traffic inside SSL.
Limited to ICA only – not a general purpose VPN.
Runs independently from MetaFrame, links into NFuse for authorization
Three components:
CSG Server
Secure Ticket Authority
Modified NFuse
Previously known as project “Snowy”
Solution Components
Citrix Secure Gateway (CSG)
Other components:
MetaFrame
NFuse
SSL enabled clients
Optionally
Secure web server and/or portal (e.g. Citrix XPS)
Replaceable authentication (e.g. SecurID, smart card)
ICA client object (ICO)
CSG components
[Diagram labels: Client Workstation, NFuse/Web Server, CSG Server, Secure Ticketing Authority (STA), MetaFrame Server Farm]
CSG with NFuse
[Diagram labels: ICA Client, Web Browser, 443, 443, ICA/SSL, HTTP/S, DMZ, CSG Server, Secure Web Server, NFuse, ICA/1494, XML-HTTP/80, Citrix XML Service, MetaFrame Server Farm]
Initial connection is always established with the web server.
The user may not even have a Citrix client installed.
CSG Ticketing
[Diagram labels: ICA Client, Web Browser, DMZ, CSG Server, Secure Web Server, NFuse, Secure Ticketing Authority, XML Service, Production MetaFrame Farm; numbered arrows: 1. Standard NFuse XML, 2. Ticket Generation, 3. ICA File, 4. ICA/SSL, 5. Ticket Verification, 5. ICA/1494]
1. Standard NFuse ICA name resolution.
2. CSG ticket is requested on application launch.
3. CSG ticket is delivered to the ICA client as part of the ICA file.
4. CSG ticket is delivered to the CSG server as part of the SOCKS inside SSL information.
5. CSG server verifies the ticket and opens the ICA connection.
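The ticket exchange in steps 2 to 5, modelled as an added example (not Citrix code and not part of the original slides). Single-use, time-limited tickets, the ticket standing in for the server address in the ICA file, the `Ticket=` field layout and the address 10.0.0.21 are assumptions made for illustration; all class and function names are hypothetical.

```python
import secrets
import time

class SecureTicketAuthority:
    """Toy STA: maps opaque tickets to internal server addresses."""
    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed lifetime, not stated in the slides
        self._clock = clock
        self._tickets = {}           # ticket -> (server address, expiry time)

    def issue(self, server_addr):
        # Step 2: NFuse requests a ticket when the user launches an application.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_addr, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        # Step 5: the gateway asks the STA to verify the ticket.
        # pop() makes the ticket single-use (assumed), so a replayed ticket fails.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_addr, expiry = entry
        return server_addr if self._clock() <= expiry else None

def build_ica_file(ticket):
    # Step 3: the launch file carries the ticket, not the farm address.
    return f"[Launch]\nTicket={ticket}\n"   # constructed layout, not real ICA syntax

def gateway_connect(sta, ica_file):
    # Step 4: the client presents the ticket to the gateway inside the SSL tunnel.
    fields = dict(l.split("=", 1) for l in ica_file.splitlines() if "=" in l)
    server_addr = sta.redeem(fields.get("Ticket", ""))
    if server_addr is None:
        return "REJECT"
    return f"CONNECT {server_addr}:1494"    # step 5: ICA/1494 opened from the DMZ

def demo():
    sta = SecureTicketAuthority()
    ica = build_ica_file(sta.issue("10.0.0.21"))   # constructed internal address
    first = gateway_connect(sta, ica)
    replay = gateway_connect(sta, ica)
    forged = gateway_connect(sta, build_ica_file("00" * 16))
    return ica, first, replay, forged

if __name__ == "__main__":
    for item in demo():
        print(item)
```

In this model the client only ever holds an opaque ticket, so the gateway is the sole component that learns the internal address, and a replayed, forged or expired ticket is rejected before any ICA/1494 connection is attempted.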
CSG Architecture 1
Authorization based on ticketing, leverages NFuse for Authentication
Compatible with wide range of authentication systems
Replaceable Secure Ticketing Authority (STA)
Works with replaceable auth – e.g. SecurID, Smartcard
Operates in Gateway mode – installed in DMZ
Highly scalable – by design
Single CSG server can support 1000 to 2000 concurrent connections
Highly reliable – fail-over support for STA, external Load Balancer for main CSG Server.
CSG Architecture 2
Uses XML for inter-component communication
Components are easily replaceable by Citrix or a third party
SOAP is being considered as the next step
No changes necessary to MetaFrame servers
Can be quickly installed into existing system
Packaging
Provided at no additional cost to valid
Subscription Advantage customers
Download only
Included in future MetaFrame release
English and possibly Japanese (product is internationalized)
v1.0 Windows 2000 server platform
Technology Preview
Private Preview, available from hidden URL
http://cdn.citrix.com/snowy
Create CDN account and login before entering URL.
Time-bombed to expire 1st Feb 2002
Windows 2000 and IIS/NFuse only
No support – feedback to [email protected]
Need at least 2 machines, one running CSG, the other NFuse/STA. 3 machines are recommended.
Need server SSL certificate & High Encryption Pack
Things to come
Q1/2 2002 – Solaris
Q3/Q4 – v1.5 – Possible features:
• Improved Management (SNMP, WMI, MMC)
• TLS support
• Government certifications
• End to End SSL
• SDK
We need your feedback on CSG directions!
Citrix Solutions
[Diagram: scale from "Lower security" to "Highest Security" with the labels ICA, Secure ICA, SSL Relay, CSG Server, Citrix Extranet, and a group labelled "SSL Solutions"]
Use what, when?
Use SecureICA when:
· Secure DOS or Win 16 access is necessary
· Have old devices/ ICA clients that cannot be upgraded
· Risk of “man-in-the-middle” attack is acceptable
Use SSL Relay when:
· Small number of MetaFrame servers to support (<5)
· No need to secure access at DMZ
· No need to hide server IP addresses, or NAT is used
· Need end-to-end encryption of data between client and server
Use what, when?
Use Citrix Secure Gateway when:
• Large number of servers to support
• Want to hide internal network addresses
• Want to secure from DMZ
• Need 2 factor authentication (in conjunction with NFuse)
• Need non-intrusive client install e.g. access from Internet cafes
Use Citrix Extranet or another VPN when:
• Need 2 factor authentication
• Need to create a secure pipeline for full (beyond ICA) network access
• Need to create secure tunnels between sites
• Want to secure from within DMZ
• Access is normally via same workstation i.e. OK to install intrusive Client
• Want to use IPSEC
Key information sources
CSG Tech Preview http://cdn.citrix.com/snowy
Feedback to [email protected]
Product Manager:
[email protected]
Demonstration
Summary
Q&A