Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
| | ||
| | ||
| | ||
As the designated replacement for the legacy SG/WI solution, the Citrix Access Gateway (CAG) is a quantum leap in secure access center technology, combining the benefits of an SSL proxy for Citrix ICA traffic with universal SSL VPN technology to provide secure access to Citrix services, internal Web resources, and a "desktop-like" user experience similar to a traditional IPSEC VPN connection, but without the configuration and deployment headaches .
Benefits and Capabilities
Features offered by the Citrix Access Gateway include
-
– Secure Gateway Replacement Citrix Access Gateway replaces Secure Gateway to provide secure access to resources through Advanced Access Control. The pending CAG release (Access Gateway Enterprise, hosted on the same hardware platform as the NetScaler) adds increased scalability and performance for the most demanding and complex enterprise environments, will be certified to meet the highest government and commercial security standards such as FIPS-140 and ICSA, and offers optional integrated disaster recovery.
-
– SmartAccess for Web Interface Support for SmartAccess capabilities when accessing published applications through Web Interface. Advanced Access Control policy information is now accessible to Citrix Presentation Server when accessing published applications through a Presentation Server site.
-
– Enhanced authentication support In addition to RSA SecurID, Secure Computing SafeWord, and RADIUS, Advanced Access Control now supports LDAP (such as Active Directory or Novell eDirectory) authentication. You can require users to provide both Active Directory credentials and RADIUS, RSA, or Safe-Word authentication.
-
– Entire network access The new predefined Entire Network resource in policies to give your users access to all servers on the network.
-
– Centralized logging and trend reporting Provides sophisticated usage data for troubleshooting and planning.
-
– Built-in Web server load balancing Previous versions of Advanced Access Control included load balancing for the agent server and HTML Preview components . This release includes built-in load balancing for the Web Server component as well.
-
– Multiple logon points hosted on a single Access Gateway Multiple logon points are available on a single gateway appliance, with different users authenticating through different logon points.
-
– Extended Citrix license server support When Access Gateway is configured with Advanced Access Control, licenses for both components are maintained by the license server. In this scenario, Access Gateway relies on Advanced Access Control to acquire a license and validate the session.
-
– Client software consolidation and improved user experience The Secure Access Client replaces the Gateway Client and Advanced Gateway Client. In addition, the Secure Access Client is downloaded on an as-needed basis to improve the end user's overall experience.
-
– Simplified access to Citrix Presentation Server published applications Citrix Presentation Server published applications are accessible as a Presentation Server site from within the Advanced Access Control's navigation page, allowing users to quickly access and launch published applications.
-
– Built-in Continuous Endpoint Analysis Scans The basic CAG (without AAC) provides continuous endpoint scanning.
-
– Registry A registry entry that matches the path , entry type, and value that you specify.
-
– File A file that matches the path, filename, and date that you specify. You can also specify a checksum for the file.
-
– Process A running process that you specify. You can also specify a checksum for the file.
-
– Advanced Endpoint Analysis Scans (with AAC) AAC supports scanning for the properties listed in Table 16-1. CME selected AAC primarily because of the need for granular control of access based on affiliation , role, and security parameters.
| Type | Scan Package | Creates Scan to Detect If |
|---|---|---|
| Antivirus | Citrix Scans for McAfee VirusScan | McAfee VirusScan software is running on the client device at a minimum required engine version number. |
| Citrix Scans for McAfee VirusScan Enterprise | McAfee VirusScan Enterprise On-Access software is running on the client device at required minimum levels for engine version and pattern file. | |
| Citrix Scans for Norton AntiVirus Personal | Norton AntiVirus Personal Edition software is running on the client device at required minimum levels for engine version, pattern file number, and most recent system scan. | |
| Citrix Scans for Symantec AntiVirus Enterprise | Symantec AntiVirus Enterprise software is running on the client device at required minimum levels for engine version and pattern file number. | |
| Citrix Scans for Trend OfficeScan | Trend OfficeScan software is running on the client device at required minimum levels for engine version and pattern file number. | |
| Browser | Citrix Scans for Internet Explorer | Internet Explorer software on the client device is at a required minimum version level. |
| Citrix Scans for Internet Explorer Update | Internet Explorer software is present on the client device at required update or hotfix version levels. | |
| Citrix Scans for Netscape Navigator | Netscape Navigator software on the client device is at the required minimum version level. | |
| Firewall | Citrix Scans for McAfee Desktop Firewall | McAfee Desktop Firewall software is running on the client device at a required build version level. |
| Citrix Scans for McAfee Personal Firewall Plus | McAfee Personal Firewall software is running on the client device at a required version level. | |
| Citrix Scans for Microsoft Windows Firewall | Microsoft Windows Firewall or Internet Connection Firewall is running on the client device. | |
| Citrix Scans for Norton Personal Firewall | Norton Personal Firewall software is running on the client device at a required version level. | |
| Citrix Scans for ZoneAlarm | Zone Labs ZoneAlarm software is running on the client device with a required minimum version level. | |
| Citrix Scans for ZoneAlarm Pro | Zone Labs ZoneAlarm Pro software is running on the client device with a required minimum engine version. | |
| Machine Identification | Citrix Scans for Domain Membership | The client device belongs to a specified domain or Windows NT LAN group . (Use this package for clients running Windows NT 4.0, Windows 2000, or Windows XP.) |
| Citrix Scans for MAC Address | MAC address of the network adapter on the client device belongs to a specified group. | |
| Operating System | Citrix Scans for The operating system software on the Windows Service Pack client device is running at a required minimum service pack level. | |
| Citrix Scans for Windows Update | A Microsoft Windows operating system is running on the client device with required updates or hotfixes. |
Topologies
As with most solutions, there are a variety of deployment topologies for the Citrix Access Gateway. Common scenarios are depicted in Figure 16-1. Each of these scenarios has specific pro and con aspects with respect to complexity and capabilities.
-
– The parallel installation provides an access methodology insulated from firewall failures and simplifies "rules" for network address translation and data transport, particularly with regard to hybrid VPN connectivity and URL-rewrite through the CAG. Conversely, it requires a more complex routing structure in the external LAN segment, and exempts traffic from filtering or IPS/IDS processing by the firewall.
-
– The external filtered configuration retains most of the benefits of the Parallel Installation and reduces the complexity of external routing structuresthe CAG is "just another DMZ SSL host". On the down side, the CAG is dependent upon the firewall for access to the Internet and external users.
-
– The internal filtered configuration restores the ability of the firewall to inspect and filter traffic destined to CME's internal LAN, but it is again firewall-dependent as well as requiring the same external routing changes as the Parallel install. The "price" for internal filtering is significant complexity with regard to mapping both Citrix and SSL VPN traffic correctly to the internal hosts using the CAG to securely access a file share on an internal host may require large ranges of ports open through the firewall.
-
– The "One-Armed" implementation simplifies installation and addressing and allows all traffic to/from the CAG to be inspected by the firewall, but it inherits every dependency and complexity of all other implementations except the external routing changes.