Citrix Access Gateway Enterprise Edition Technical Overview

Seceidos GmbH & Co. KG
Robert Hochrein
[email protected]
Citrix Access Gateway: SSL VPN Remote Access

Access Gateway Standard Edition: simple and cost-effective secure remote access; best for small-to-midsized customers.
Access Gateway Advanced Edition: advanced access control and device flexibility; best for Presentation Server environments.
Access Gateway Enterprise Edition: complex and demanding environments; best for enterprise deployments.
Internal and Partner Use Only
© 2005 Citrix Systems, Inc.—All rights reserved.
Access Gateway Enterprise Edition: Features & Benefits

Traffic Acceleration
  Description: Speed access to applications and resources with SSL offload, web compression, and TCP optimization.
  Benefit: Provide the optimal remote access experience for users over low-bandwidth, high-latency connections.

High Availability Configuration
  Description: Link master and backup appliances to create a redundant cluster which ensures sessions will remain active if the master fails.
  Benefit: Keep remote access available for users even in the case of an appliance failure.

Global Server Load Balancing (GSLB)
  Description: Route client connections to the best site based on site availability, health, proximity, and responsiveness.
  Benefits: Improve the remote user’s access experience by connecting them to the best-performing site. Implement a disaster recovery and business continuity strategy.

Roles-based Administration
  Description: Create and manage administrative users and groups that can each have unique management privileges.
  Benefit: Define security policies to ensure administrators only perform the minimal set of operations required by their role.

Enterprise-class Auditing
  Description: Monitor and log all operations requested by end users and administrators.
  Benefit: Gain full visibility into all operations to ensure services and data remain secure.

Quarantine Groups
  Description: Provide limited access rights for clients which fail the end-point analysis scans.
  Benefit: Create remediation sites to allow clients to install the most recent anti-virus pattern files, operating system patches, etc. prior to connecting to the protected resources.
Access Gateway Enterprise Edition: Features & Benefits (continued)

Browser Cleanup
  Description: Remove objects and data stored on the browser while the SSL VPN session was open.
  Benefit: Prevent sensitive corporate information from inadvertently being leaked to mobile laptops and home PCs.

Denial of Service Prevention
  Description: Protect resources from common denial of service attacks such as SYN attacks and HTTP GET floods.
  Benefit: Ensure continued service to legitimate users by protecting the organization’s servers.

Access Interface
  Description: Allow users to set up bookmarks and access files through a web browser.
  Benefit: Give users a quick and easy way to access frequently used resources.

Extensive Authentication Support
  Description: Provide authentication from a wide variety of typical enterprise authentication systems (including smart cards).
  Benefit: Allow administrators to easily integrate their SSL VPN into their existing environment.

Security Certifications
  Description: Enterprise Edition has been independently certified by ICSA Testing Labs (v2.0).
  Benefit: Customers have independent verification of the security and capabilities of the Enterprise Edition.
  Description: A FIPS 140-2 Level 2 certified cryptographic module is available as a hardware option for the model 9000 platform.
  Benefit: US Government organizations and contractors may require FIPS 140-2 certified cryptography.

VLAN Support
  Description: Support 802.1q packet tagging to route packets to the correct VLAN segment.
  Benefit: Allow administrators to quickly deploy the SSL VPN to work in networks with existing VLAN topologies.
Access Gateway Enterprise Edition: Appliance Options

Model 7000: software edition supported: Enterprise; form factor: 1U; FIPS option: not available; redundant power supplies: not available; maximum VPN users: 2,500.
Model 9000: software edition supported: Enterprise; form factor: 2U; FIPS option: available; redundant power supplies: available; maximum VPN users: 5,000.
Methods of Initial Configuration
• Command-line Interface (CLI)
• Java Configuration Utility (GUI)
Basic Configuration – CLI method

Access the configuration utility using the supplied console cable and a terminal emulator set to 9600,N,8,1. The appliance presents the following menu:

    REVIEW CONFIGURATION PARAMETERS MENU
    -----------------------------------
    This menu allows you to view and/or modify the NetScaler's configuration.
    Each configuration parameter displays its current value within brackets
    if it has been set. To change a value, enter the number that is displayed
    next to it.
    -----------------------------------
    1. NetScaler's IP address: [192.168.100.1]
    2. Netmask: [255.255.0.0]
    3. Advanced Network Configuration.
    4. Time zone.
    5. Cancel all the changes and exit.
    6. Apply changes and exit.
    Select a menu item from 1 to 6 [6]
Accessing the Administration Portal
Open a web browser to the default IP (http://192.168.100.1).
Configuration Utility Login
- Accept the certificate warning
- Log in with the default user “nsroot”
- The default password is “nsroot”
Administration Traffic
Management traffic between the administrator workstation and the appliance uses port 3010 and an encrypted protocol.
Quick Start with the SSL VPN Wizard
• Start the Wizard
• Set the IP address
• Set the SSL certificate
• Select a DNS server
• Point to an AAA server
And you’re done!
Define Multiple Virtual Servers
• Each virtual server has a unique:
  – IP address and FQDN
  – SSL certificate
  – Authentication configuration
  – Policy set
• Policies can optionally derive from a global policy set
[Diagram: Vpn1.company.com (10.10.10.1), Vpn2.company.com (10.10.10.2), Vpn3.company.com (10.10.10.3)]
Dashboard Utility
Authentication
• Supports Major Authentication Methods
  – Active Directory
  – LDAP
  – NTLM
  – RADIUS (with challenge-response support)
  – RSA SecurID
  – TACACS+
  – Local
  – Client Certificates
• Supports Cascading Authentication
Authorization
• Policy Driven Access
  – Authentication by Policy
  – Authorization by Policy
  – Session control by Policy
  – Auditing by Policy
• Wide Variety of Criteria
  – Policy based on network information
  – Policy based on application access
  – Policy based on client certificate parameters
  – Policy based on client configurations
• Highly Granular Access Control
  – Users/Groups up to Global policies
  – HTTP authorization based on URL
  – TCP/IP authorization based on address and port
Auditing
• Full Administrative Audit Trail
  – All management operations logged
• Full User Audit Trail
  – All session activity (login, logout, timeout)
  – All network flows (not just web)
• All System Events
• Support for External Syslog Servers
Client Security
• Session Policies can control:
  – Split tunneling
  – Forward proxy definitions
  – Session timeout values
  – Client security
• End Point Analysis
  – Built-in support for Antivirus checks
  – Built-in support for Firewall checks
  – Host identification
• Client Side Clean Up
  – Clean browser cache, history, autocompletion files, plug-ins, etc.
  – Control with session policies
  – Administrator can mandate
Denial of Service Protection – SYN Attacks
[Diagram: normal TCP sequence between client and server, contrasted with a SYN flood]
Enterprise Edition avoids memory consumption with packet cookies.
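How a SYN cookie lets a server answer SYNs without keeping any half-open connection state, as an added Python example (not Citrix code; the ISN layout, the secret and the MSS table are constructed for illustration):

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed; a real server keeps it private and rotates it
MSS_TABLE = (536, 1220, 1400, 1460)  # ascending; the cookie has room for a 2-bit index only

def _counter(now):
    """6-bit time counter in 64-second slots, so stale cookies can be rejected."""
    return (int(time.time() if now is None else now) >> 6) & 0x3F

def _mac(src_ip, dst_ip, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the connection 4-tuple and time slot."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, dst_ip, sport, dport, mss, now=None):
    """Build the 32-bit ISN for the SYN-ACK: 6-bit counter | 2-bit MSS index | 24-bit MAC.
    The server stores nothing for the half-open connection, which is what denies a
    SYN flood its memory exhaustion."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i  # largest table entry not exceeding the client's advertised MSS
    counter = _counter(now)
    return (counter << 26) | (idx << 24) | _mac(src_ip, dst_ip, sport, dport, counter)

def check_syn_cookie(cookie, src_ip, dst_ip, sport, dport, now=None, max_age=2):
    """Validate a returned cookie. Returns the negotiated MSS, or None when the
    cookie is stale, forged, or belongs to a different 4-tuple (default deny)."""
    counter = (cookie >> 26) & 0x3F
    idx = (cookie >> 24) & 0x03
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    want = _mac(src_ip, dst_ip, sport, dport, counter).to_bytes(3, "big")
    if (_counter(now) - counter) & 0x3F > max_age:
        return None
    if not hmac.compare_digest(got, want):
        return None
    return MSS_TABLE[idx]

def handle_ack(ack_num, src_ip, dst_ip, sport, dport, now=None):
    """Third handshake packet: the client's ACK number is our ISN + 1. Connection
    state is allocated only after the cookie verifies."""
    return check_syn_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, dst_ip, sport, dport, now)
```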
Other Denial of Service Protections
• Other Prevented Attacks:
  – Packet Floods
  – HTTP GET Floods
  – SSL Floods
  – Idle Connection Floods
Security
[Diagram: Web Email, Web Portal, and three quarantined clients]
• User Quarantine
  – Users assigned to a quarantine group when end-point analysis fails
  – Differentiated session and resource authorization policies
  – Use to grant limited access to remediation sites
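The quarantine flow described here, combined with the URL and address/port authorization from the Authorization slide, as an added Python example (not the appliance's own policy engine; the group names, hostnames, networks and ports are constructed):

```python
import posixpath
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class EndpointScan:
    antivirus_ok: bool   # outcome of the built-in antivirus check
    firewall_ok: bool    # outcome of the built-in firewall check

@dataclass(frozen=True)
class GroupPolicy:
    allow_urls: tuple    # (hostname, path prefix): HTTP authorization based on URL
    allow_tcp: tuple     # (network, port): TCP/IP authorization based on address and port

POLICIES = {
    # Constructed example policies: quarantined sessions reach only the remediation site.
    "quarantine": GroupPolicy(allow_urls=(("remediation.example.internal", "/"),),
                              allow_tcp=(("10.0.9.0/24", 443),)),
    "employees": GroupPolicy(allow_urls=(("mail.example.internal", "/"),
                                         ("portal.example.internal", "/apps/")),
                             allow_tcp=(("10.0.0.0/16", 443), ("10.0.0.0/16", 3389))),
}

def assign_group(scan, requested_group="employees"):
    """A failed end-point analysis overrides the user's normal group with quarantine."""
    return requested_group if scan.antivirus_ok and scan.firewall_ok else "quarantine"

def _under(path, prefix):
    """True if a normalized path lies inside the prefix directory ("/" means all)."""
    base = prefix.rstrip("/")
    return base == "" or path == base or path.startswith(base + "/")

def authorize_http(group, url):
    """Authorize on the parsed hostname and a decoded, normalized path, so look-alike
    hosts and ../ (or %2e%2e) traversal cannot escape the allowed prefix."""
    policy = POLICIES.get(group)
    parts = urlsplit(url)
    if policy is None or parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(unquote(parts.path) or "/")
    return any(host == h and _under(path, p) for h, p in policy.allow_urls)

def authorize_tcp(group, dst_ip, dst_port):
    """Address-and-port authorization; unknown groups are denied by default."""
    policy = POLICIES.get(group)
    if policy is None:
        return False
    return any(ip_address(dst_ip) in ip_network(net) and dst_port == port
               for net, port in policy.allow_tcp)
```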
Client Support
• All Windows Platforms
– Windows 98/ME
– Windows NT/2000/XP/SP2
– Windows CE and PocketPC
• MacOS X and Linux
– Java Based Client
• Reliable Application Access
– No application content modification
• Enforces Client Security
Navigation Homepage
• Bookmarks
– Customize global bookmarks
– Per-User bookmarks
– Filesystem bookmarks
• Themes
– Custom style sheets supported
– Logo update
– End user can pick their own colors
• Integrated File Manager
– Web based file access
• Unicode Support
Server-Initiated Requests
[Diagram: Source IP = Client IP on the client side of the gateway, Source IP = Mapped IP on the server side]
The client connects and is assigned a unique Mapped IP address. Servers can use this Mapped IP address to establish server-initiated connections back to the client.
High Availability Pairing
[Diagram: Master and Backup appliances for Vpn.company.com (10.10.10.1) exchanging network health-check packets]
Two appliances can be linked to form an active/passive cluster. Health-checking packets are constantly exchanged between the pair. When the master fails, the backup assumes the IP address. All connections from the client are broken and must be re-established.
Global Server Load Balancing (GSLB)
• Distributes network traffic across multiple sites
• Routes client connections to the nearest site
• Distributes server load across multiple sites
• Implements disaster recovery
Includes NetScaler Capabilities
[Diagram: traffic between the Internet and the data center, labelled "5x Faster"]
Access Gateway Enterprise Edition
The best solution for the complex and demanding enterprise!