Citrix Secure Gateway - Partner
Citrix Secure Gateway
v1.1
Technical Presentation
August 2002
What is Citrix Secure Gateway?
Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device.
2
Typical Layout
[Diagram: Internet and Client Workstations, then a Firewall, then the DMZ containing Citrix Secure Gateway and Citrix NFuse Classic, then a second Firewall, then the Internal Network containing Citrix MetaFrame XP and/or MetaFrame for Unix. The tiers are labelled Secure Connectivity, Authentication and Access Mgmt.]
3
CSG traffic flow
[Diagram: the ICA Client connects to the CSG Server in the DMZ over ICA/SSL on port 443; the CSG Server connects to the MetaFrame Server Farm over ICA/1494. The Web Browser connects to the Secure Web Server (NFuse) over HTTP/S on port 443 and receives the .ICA file; NFuse talks to the Citrix XML Service over XMLHTTP/80. Optional 3rd party authentication sits at the web server.]
4
CSG for Windows Gateway Service
Windows 2000 native Service
Runs in DMZ, does not require IIS installed
Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput.
Utilizes Microsoft S-Channel for SSL/TLS functions
Server certificate required for SSL server authentication
Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.
GUI configuration tool.
Small benefit from PCI based SSL accelerators
5
CSG for Solaris daemon
Solaris on SPARC v8 supported
Multithreaded Solaris daemon
Includes certificate management tools
Embedded OpenSSL for SSL/TLS functions
Server certificate required for SSL server authentication
Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.
6
Secure Ticketing Authority
Implemented as ISAPI DLL
Microsoft IIS WWW Service required
Extremely lightly loaded service
Redundant STAs can be defined
Service should not be reachable from outside DMZ
Communicates to CSG and NFuse via XML protocol over HTTP. Port configurable
Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN
GUI configuration tool
7
CSG Ticketing
[Diagram: Web Browser to Secure Web Server (NFuse), which returns the ICA File to the ICA Client; ICA Client to CSG Server over ICA/SSL; CSG Server to the Production MetaFrame Farm over ICA/1494. NFuse asks the Secure Ticketing Authority for ticket generation and talks to the XML Service; the CSG Server asks the Secure Ticketing Authority for ticket verification.]
1. Standard ICA Name Resolution
2. Requested CSG ticket on application launch
3. CSG ticket is delivered to ICA client as part of the ICA file.
4. CSG ticket is delivered to CSG server
5. CSG server verifies ticket and opens ICA connection.
8
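A minimal model of the five steps above, written here as an added example in Python (it is not Citrix code): the STA hands out one-time, time-limited tickets bound to the MetaFrame server address resolved in step 1, so the ICA file the client receives names only the CSG, and a ticket that is replayed, guessed or expired yields no connection. The function names, the 100-second lifetime and the dictionary standing in for the ICA file are assumptions.

```python
import secrets
import time


class SecureTicketingAuthority:
    """Stand-in for the STA: issues one-time, time-limited tickets that map
    to an internal MetaFrame server address, and validates them for the CSG."""

    def __init__(self, ttl_seconds=100):  # lifetime is an assumed value
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket -> (internal address, expiry time)

    def issue(self, internal_address):
        # Step 2: NFuse requests a ticket for the server it resolved in step 1.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (internal_address, time.time() + self.ttl)
        return ticket

    def validate(self, ticket):
        # Step 5: the CSG server presents the ticket; it is consumed on first
        # use, so a replayed or guessed ticket yields no address.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        address, expiry = entry
        return address if time.time() <= expiry else None


def nfuse_launch(sta, internal_address, csg_host):
    # Steps 1-3: NFuse resolves the application to a MetaFrame server, obtains
    # a ticket and returns an ICA file (a constructed dict here) that names
    # only the CSG and the ticket, never the internal address.
    return {"gateway": f"{csg_host}:443", "ticket": sta.issue(internal_address)}


def csg_connect(sta, ica_file):
    # Steps 4-5: the client connects to the CSG over ICA/SSL and hands over the
    # ticket; the CSG validates it with the STA and, only on success, opens the
    # ICA/1494 connection to the address the STA returns.
    address = sta.validate(ica_file["ticket"])
    return None if address is None else (address, 1494)


if __name__ == "__main__":
    sta = SecureTicketingAuthority()
    launch = nfuse_launch(sta, "10.0.0.5", "csg.example.com")  # constructed
    print("first use:", csg_connect(sta, launch))   # ('10.0.0.5', 1494)
    print("replay:", csg_connect(sta, launch))      # None
```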
Encryption and Connectivity
Secures ICA Traffic only
SSL v3.0 or TLS v1.0 with 128-bit encryption
CSG Service uses single Server Certificate
Single CSG IP address is exposed to internet
Ease of firewall traversal (uses port 443 only)
9
Authentication
Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG.
NFuse Classic supports various authentication methods:
– Microsoft NT Domain and Active Directory
– Novell NDS
– SmartCard
Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g. RSA SecurID®, SafeWord™ PremierAccess™)
Authentication process is further secured using an HTTPS configured NFuse Web server
10
Deployment with Citrix Secure Gateway
Citrix Secure Gateway is highly scalable
Build fault tolerant CSG arrays with industry standard load balancers.
Multiple redundant STAs can be configured.
CSG supports MetaFrame v1.8 and higher.
CSG Supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX.
Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh.
11
Deployment Issues
Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard “secure” proxy servers.
CSG to STA and NFuse links do not have native encryption capabilities – use Windows 2000 server to server VPN.
No client auto-reconnect. This feature is often not required across the Internet, for security reasons.
12
Citrix Security Solutions
[Diagram: SSL Solutions (SecureICA™, SSL Relay, Citrix Secure Gateway) alongside a VPN Solution.]
CSG is a simple and secure, ICA only solution
13
When to use SecureICA or SSL Relay
Use SecureICA when:
– Internal LAN / WAN / Intranet
– Secure DOS or Win 16 access is necessary
– Have older devices/ICA clients that cannot be upgraded
– Risk of “man-in-the-middle” attack is acceptable
Use SSL Relay when:
– Small number of MetaFrame servers to support (<5)
– No need to secure access at DMZ
– No need to hide server IP addresses, or NAT is used
– Need end-to-end encryption of data between client and server
14
When to use CSG or VPN
Use Citrix Secure Gateway when:
– Large number of servers to support
– Want to hide internal network addresses
– Want to secure from DMZ
– Need two-factor authentication (in conjunction with NFuse)
– Need non-intrusive client install i.e. access from Internet cafes
Use a Virtual Private Network (VPN) when:
– Need two-factor authentication
– Need to create a secure pipeline for full (beyond ICA) network access
– Need to create secure tunnels between sites
– Want to secure from within DMZ
– Access is normally via same workstation i.e. OK to install additional client
– Want to use IPSEC
15
“Internet Café” Solution
Build a complete, Java applet-based solution, which assumes nothing preinstalled on clients.
MetaFrame XPe
Citrix NFuse Classic 1.7
Citrix Secure Gateway
Replaceable authentication (e.g. RSA SecurID, SafeWord™ PremierAccess™)
Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7)
16
What’s new in CSG v1.1
Windows 2000 certification
List of IP addresses not to log (e.g. network load balancer)
All CSG logging to Windows system log
TLS v1.0 and SSL v3.0 (exclusive)
GOV, COM, or ALL crypto selection
FIPS 140-1 certified crypto modules
No NFuse Extensions – NFuse Classic v1.7 natively supports CSG
Solaris platform Edition
17
CSG v1.1 availability
CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD
CSG v1.1 Windows (English) is fully internationalized for operation on non-English Windows 2000.
CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD
CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers
18
For More Information…
– Contact a local member of the Citrix Solutions Network™
– Connect to Citrix Web site at: www.citrix.com/products/securegateway
19