SCENARIO EXAMPLE. Case study of an implementation of Swiss SafeLab M.ID with Citrix. Redundancy and Scalability

Transcription

1 SCENARIO EXAMPLE Case study of an implementation of Swiss SafeLab M.ID with Citrix Redundancy and Scalability

2 Informations about the following case study The following example shows an installation of Swiss SafeLab M.ID with Citrix components. Swiss SafeLab M.ID can be implented in a redundant way with a multitude of other products of other producers as well. Citrix components where simply used for this case study. Citrix is not required for the use of Swiss SafeLab M.ID! All the ports mentioned on the following pages can be customized as needed. Default ports are used in this scenario. All communication can be encrypted with SSL if needed. The most common scenario was used in this case study. The following example shows a redundant installation of the components. Swiss SafeLab M.ID components are very easy, quick, and without interruption to extend and scale. As many M.ID agents and M.ID services as needed can be added with a minimal effort at any desired time. In this case study the following Swiss SafeLab components are installed twice for redundancy reasons: - Swiss SafeLab M.ID Agent on Citrix Web Interface Servers - Swiss SafeLab M.ID Service Further redundant components of the following example: - Citrix Access Gateway - Citrix Web Interface - Citrix Terminal Server (Citrix Farm) - Domain Controller

3 Recommended placement of the components WAN DMZ LAN CITRIX Webinterface M.ID Server 1 Domain Controller 1 Gateway 1 Load Balancer Citrix Farm Gateway 2 Domain Controller 2 CITRIX Webinterface 2 M.ID Server 2

4 Legend (Components description) Components in the DMZ: Load Balancer in this scenario a hardware load balancer ensures the load balancing and failover of multiple Citrix Access Gateway Appliances and of multiple Citrix Webinterface Servers. Citrix Webinterface 1+2 incl. M.ID Agent The Citrix Web Interface enables web based access for users to applications of a Citrix farm. The Web Interface is installed on two different servers with exactly the same configuration for redundancy and load balancing reasons. The load balancing for the Citrix Web Interface is enabled by the hardware load balancer as well. The M.ID agent is installed on the Web Interface servers too, to enable the additional 2 factor authentification via SMS. Alternatively there can be set up a RADIUS communication to the M.ID service, in that case no M.ID Agent is needed on the web interface (from web interface version 5.0). Citrix Access Gateway 1+2 The CAG is a hardware appliance that enables SSL Proxy functionality for HTTP/HTTPS and ICA/SSL on the one hand and on the other hand it is also a SSL VPN appliance with enpoint security capabilities. The Access Gateway ist used to secure communication with SSL from the client to the webinterface and to secure ICA sessions to Citrix servers as well. The CAG is installed twice in this example for load balancing and failover reasons. Components on the LAN: M.ID Service 1+2 The M.ID Service is placed on the LAN and can be installed on any desired server or pc. The M.ID Service enables additional 2 factor authentification over SMS (short message service). The service is used to authentificate users, to generate and send passcodes via SMS. For redundancy reasons the M.ID Service is installed on at least two different servers. You can operate as many M.ID Services as desired. Domain Controller 1+2 The DC s are used by the M.ID service to verify the users usernames, phone numbers and M.ID pin codes. For reliability reasons there are also at least 2 domain controllers configured. Of course it s possible to use more domain controllers. Citrix Farm The Citrix Presentation Server Farm delivers centraly published applications and desktops to users over terminal server remote connections. Applications in a Citrix Server Farm are available for users from nearly any place or over any connection like home office, internet café, remote office etc... For load balancing und failover reasons a Citrix Server Farm should consist of at least 2 or more servers.

5 Communication of M.ID and components in a redundant installation (Case study of a connection process A - Z) WAN DMZ LAN Gateway 1 7 CITRIX Webinterface STA :80 - ICA :1494 M.ID Server 1 Domain Controller 1 1 SSL :443 7 SSL: 443 SSL :443 HTTP : Citrix Farm Load Balancer HTTP : XML:80 - STA :80 3 M.ID :81 4 LDAP :389 Domain Controller 2 Gateway 2 CITRIX Webinterface 2 M.ID Server 2

6 Legend Connection process of a Citrix ICA Session from A Z with redundant components at a glance On the following lines you ll find a description of the communication process from calling up the web interface web site until a Citrix session is successfully established. Step 1 The user types the Citrix Access Gateways URL in a web browser to connect over the load balancer to the web interface. The HTTPS connection to the web interface is established over the Citrix Access Gateway. In this case there are used at least 2 Access Gateways. A hardware load balancer decides in this example which Citrix Access Gateway appliance is used for the connection. Step 2 The Access Gateway establishes the desired connection to the web interface. At that point the Access Gateway communicates again over the load balancer, that decides to which web interface server the connection will be made. In this case there are at least 2 web interface servers used with the very same configuration. Step 3 The user logs on at the web interface using his username, password and M.ID pin. The web interface communicates with the M.ID service on the LAN over the port 81 to verify the username and the M.ID pin in the LDAP and to send an SMS with a passcode to the user. Multiple SMS providers can be configured to ensure the delivery of the SMS s. There are multiple M.ID Service installations on the LAN for redundancy reasons. If an M.ID Service is not available, the Citrix Web Interface automatically uses the next available M.ID Server. Step 4 The User receives a passcode via SMS and puts it on a second login mask on the Citrix Web Interface. The SMS passcode is verfied by the M.ID Service.

7 Step 5 After the user filled in a valid SMS passcode at the previous step, the process continues with the login at the Citrix Farm level over XML port 80. After the user was successfully authentificated at the Citrix Farm, the applications available for that user are queried over the XML service. This group of applications is communicated to the Citrix Web Interface. The web interface generates the web site including the available applications for this specific user. Step 6 The user can click on the desired application to start it. At this time the web interface identifies over XML port 80 which server with the least load is available for the chosen application and what port should be used for the ICA connection. This informations are placed over port 80 in the STA (Secure Ticketing Authority) and a connection ticket is generated. The web interface generates an ICA file that consists of all connection informations to the Citrix Access Gateway and the connection ticket generated by the STA. This ICA file is needed to establish the Citrix connection and it is sent to the client. Step 7 (pink arrow) The Citrix client on the client device reads the ICA file and establishes a connection to the Citrix Access Gateway over SSL 443. At this point it s again the load balancer that makes the decision to which Citrix Access Gateway the connection will be made. The connection ticket from the STA is passed from the ICA file to the Citrix Access Gateway. The Citrix Access Gateway passes the connection ticket to the STA and receives the connection information for the designated Citrix server. The Citrix Access Gateway uses the ICA connection information to establish an ICA session. The client communicates exclusively with the Citrix Access Gateway over SSL 443. The access gateway has the role of an SSL proxy server and communicates on one side with the client over SSL and on the other side the access gateway establishes the connection to the designated Citrix server. There are no direct connections from the client, neither to the web interface nor to the Citrix servers.