Transcript Citrix Extranet 2.0

Citrix Extranet 2.0
Product Overview
Agenda
What is Citrix Extranet 2.0?

Architecture

System Requirements
Citrix Extranet Features

Access Control

Identification & Authentication

Encryption

On-line Registration

Citrix Extranet Admin

Event Logging
Citrix Extranet Advantages
Commonly Used Terms
What Is Citrix Extranet 2.0?
Citrix Extranet provides a virtual private
network (VPN) which allows you to
securely deploy the latest businesscritical applications to users around the
world, via the Internet – all while
maintaining the manageability,
scalability, reliability and control you’ve
grown to expect from Citrix.
Citrix Extranet Architecture
Leverage your existing network design
Citrix Extranet System Specifications
Windows NT





Microsoft Windows NT
Server operating system
4.0, service pack 5 or 6a
Sun SPARC


Pentium II processor at 350
MHz

2 or more network adapter
cards

64 MB of RAM
10 MB of free hard disk
space
Sun Solaris 2.6, 7, or 8
20 MB minimum of free hard
disk space
All required software
packages
2 or more network adapter
cards
Client Specifications
All Users

Internet access

Connection to a network using TCP/IP protocol

The Citrix Extranet Client software
PC Users



Microsoft Windows 95 osr2, 95b, 98, 98 SE, or Windows
NT Workstation 4.0, with service pack 5 or 6a or
Windows 2000 SP1(proxy mode only)
2 MB free hard disk space
Microsoft Internet Explorer 4.0x, 5.0, or 5.01, or Netscape
Navigator 4.5, 4.5.1, 4.6, 4.61, 4.7, 4.71, 4.72, or 4.73
Client Specifications
Macintosh Users





Apple or other Macintosh OS–compatible Power PC
computer
1 MB free disk space
Macintosh OS Version 8.1 or later (8.5 or later
recommended)
Open Transport 1.3 or later (2.0 or later recommended)
Netscape Navigator 4.x or Microsoft Internet Explorer 4.x,
or 5.0
UNIX Users

A computer with Sun SPARC Systems running Solaris
2.6 or later

5 MB minimum of free hard disk space

A suitable UNIX Web browser (must support forms)
Client Specifications
Windows CE/PocketPC Users

CE Devices



Handheld PC (SH3 and MIPS)
Handheld PC Professional Edition (SH3, SH4, MIPS,
ARM, and StrongARM)
Palm-size PC (SH3 and MIPS)
Citrix Extranet 2.0
Features
Citrix Extranet Features
Access Control
Identification and
Authentication
Event
Logging
Encryption
Citrix Extranet
Admin
On-Line Registration (OLR)
Access Control
TCP-based access permissions are
defined for individuals or groups
Access Control
Permissions are identified by host name/IP
address and the port

TCP – FTP, Telnet, POP3, etc…

Web – server and port
Access Control
User-based policy management ensures
secure application access
Access Control
Access permissions are received:

At the time the Citrix Extranet Client initiates

At regular user-defined intervals
Permission sources:

User

Users’ group

“All” users
*Assigning permissions to groups avoids unnecessary duplication and is more efficient than
assigning permissions to individual users.
Access Control
Dynamic Configuration
3. Citrix Extranet Client contacts every
Citrix Extranet Server for which the user
has an authentication key and requests
the user’s current access permissions
1. Prompts user
for Access Code
2. User’s authentication
key(s) accessed
5. User’s access permissions
are dynamically updated at
startup and at regular intervals
as defined by the end user
4. User’s TCP access permissions are read from
sgate.acl and their Web permissions from sweb.acl;
the current permissions are then sent to Citrix
Extranet Client
Citrix Extranet Server
w/Dynamic Configuration (DC)
Server Or DC Server on a
separate machine
NOTE: The Dynamic Configuration Agent always
resides on the Citrix Extranet Server
Identification and Authentication
Citrix Extranet Server is the final authority
when authenticating session requests:

User authentication

Access Management

User and group additions
Identification and Authentication
Key exchange methods are flexible for the
Administrator
Tokens

FIPS token (FIPS 140-1
compliant)
Physical Smart
Cards

MCOS

VCAT token

MCOS-B

RADIUS

STARCOS 2.1

SecurID

Entrust/Netrust
Smart Card Readers
PCAT

Smarty

CHIPDRIVE external
PKI (X.509)
Certificates

Baltimore

Entrust

Microsoft

Netscape

VeriSign
Identification and Authentication
Citrix Extranet uses two authentication
factors

Access code

Token
URL request sent
to Server
Identification and Authentication
The session is initiated
Each Client TCP connection uses a unique
session key
Shared Secret Key is combination of
1/2 shared secret key generated by client &
1/2 shared secret key generated by server
Encryption
The ticket contents are encrypted

Initialization Vector (IVEC)

User ID

Ticket time/TTL

Encryption algorithm

Session key

Destination

MD5
On-line Registration (OLR)
Automated registration of the Citrix
Extranet Client is via the Internet



User registers
IDs automatically
generated
Flexible UID server
assignments
On-line Registration (OLR)
Seamless registration process
Shared Secret Key is combination of
1/2 shared secret key generated by client &
1/2 shared secret key generated by server
Citrix Extranet Admin
Manage individual or groups of servers
and users




Assigns Web and
TCP permissions
Configures OLR
Web form
Specifies
management
levels
Utilizes database
functions like
sort, filter
and find
Event Logging
Allows for easy troubleshooting by logging
critical information

Session start/end

User added/deleted

User enabled/disabled

User key changed

Successful/ unsuccessful user login

Server up/down
Citrix Extranet 2.0
Advantages
Citrix Extranet Advantages
Flexible system integration
Rapid deployment
Centralized management
Simplicity and ease of use
Cost-effectiveness
Flexible System Integration

Network Connections
Token Support

Public Network


LAN/WAN

Corporate
Intranet/Extranet

Internet





Client Support

Windows
95/98/NT/2000

Macintosh

Solaris

Linux

Windows CE

Windows PocketPC
Hard Drive
Floppy (FIPS 140-1 or
VCAT)
Smart Card
Netrust/Entrust/X.509
digital certificate

SecurID

Radius
Citrix Extranet
Flexible System Integration
Allows ICA Protocol to securely pass
through both ends of a connection
Citrix Extranet
Client uses TCP
traffic on port 443
The Client
believes the
servers are on
the same
network
When ICA passes through the Client
to the Server, Citrix Extranet proxy
intercepts the calls
Flexible System Integration
Export ready for use at any available
strength encryption

Triple DES (168-bit)

RC4

DES (56-bit)
*Embargoed countries are Cuba, Libya,
North Korea, Syria, Sudan, Iran, Iraq
Rapid Deployment
Easy deployment and token enrollment of
large user bases via On-line Registration
(OLR)
Centralized Management
Powerful GUI allows for local or remote
administrator management

Remotely using the Citrix Extranet Client

Locally on a Windows NT platform
Ease of Use
Simple 2-step client activation

Install Citrix Extranet client software

Register online
1
2
Cost-effectiveness
Leverage existing systems
No costly leased lines or modem banks
Minimal client management and user
support costs
Connect Business Securely
Permit secure online information
exchange via the Internet

Mobile users

Suppliers

Business partners

End-customers

Branch and international offices
Citrix Extranet 2.0
Powerful
End-to-end security
Centralized management
Commonly Used Terms
3DES: Cipher that applies the DES cipher three times with either
two or three different DES keys. The Citrix Extranet
implementation uses three DES keys (2168 combinations).
Access Code: The secret code, similar to a PIN on an ATM
card—required to unlock the authentication key stored on the
user’s token each time the user accesses a secure service. This
code, defined by the user during registration, must be at least four
characters in length with a maximum of 16, and can be any
combination of letters and numbers.
Access Control: Allowing or denying connections through the
use of access permissions.
Access Permissions: The associations between users and
connections, as defined by a User ID, group name, service (TCP
or Web), or destination. Citrix Extranet access permissions can be
either individual user permissions or group permissions.
Authentication: The process of determining the identity of a
user attempting to access a system.
Commonly Used Terms
Authentication Key: The key is a 32-character hexadecimal key
assigned to a user during installation by the registration server
administrator, consisting of the numbers 0 to 9 and letters A to F.


The Citrix Extranet authentication system supports virtual smart
cards and ISO-standard smart cards for both authentication and
stored data. A user with a physical smart card must use a smart
card reader connected to their PC. Virtual smart card
information (FIPS or VCAT token) may be stored on either the
PC hard drive or a removable (floppy) disk.
The user’s Citrix Extranet authentication key is stored on the
smart card, whether physical or virtual. This information is
shared with the Citrix Extranet Server, where it is stored in the
Citrix Extranet Server’s user database.
Authentication Token: A portable device used for
authenticating a user. Authentication tokens operate by
challenge/response, time-based code sequences, or other
techniques.
Commonly Used Terms
Authenticator: The name assigned to a Citrix Extranet Server
through which users can access a particular service. This name
can be up to 14 alphanumeric characters in length and it is
recommended that it be a derivative of your Citrix Extranet Server
hostname.
Domain Name: Identifies a ‘location’ on the Internet (e.g.,
citrix.com) that has been registered with the Internet Network
Information Center (InterNIC). Currently the domain name is
limited to 47 characters. Through the use of aliases, however, it is
possible to accommodate longer names.
DES: Data Encryption Standard is a NIST-standard encryption
algorithm for secure data protection. A binary number is used as
an encryption key with 720 quadrillion possible combinations
(256). The key is randomly generated for each session (TCP
connection).
FIPS Token: (Virtual Smart Card or Soft Token) A software
emulation of a hardware authentication token that is in
compliance with the FIPS140–1 coding standards. It stores your
private information (authentication key) in an single encrypted file,
either on a floppy disk or on your hard drive. FIPS Token is the
default authentication method.
Commonly Used Terms
OLR: Citrix Extranet provides On-Line Registration (OLR)
services which you may wish to implement depending on your
system configuration and the functional requirements of your
organization.
RC4: Is a stream cipher developed by RSA Data Security, Inc.
This variable key-size stream cipher uses byte-oriented
operations to perform random permutations. The typical cipher
period is greater than 10100. Since eight to sixteen machine
operations are required per output byte, the cipher runs very
quickly in software. It is commonly used for secure
communications, such as encrypting secure web site traffic using
the SSL protocol.
VCAT Token: Identical to the FIPS Token, except that it stores
your private information (authentication key) in an encrypted file
system, rather than a single file.
Virtual Private Network (VPN): A private network created
over a public network (e.g., the Internet) by using encryption,
where exclusive client and host communications can occur.