SCENARIO EXAMPLE. Case study of an implementation of Swiss SafeLab M.ID with Citrix. Redundancy and Scalability


Information about the following case study

The following example shows an installation of Swiss SafeLab M.ID with Citrix components. Swiss SafeLab M.ID can be implemented in a redundant way with a multitude of products from other vendors as well; Citrix components were simply chosen for this case study. Citrix is not required for the use of Swiss SafeLab M.ID.

All the ports mentioned on the following pages can be customized as needed; default ports are used in this scenario. All communication can be encrypted with SSL if needed. The most common scenario was used in this case study.

The example shows a redundant installation of the components. Swiss SafeLab M.ID components are easy and quick to extend and scale without interruption: as many M.ID Agents and M.ID Services as needed can be added with minimal effort at any time.

In this case study the following Swiss SafeLab components are installed twice for redundancy:
- Swiss SafeLab M.ID Agent on the Citrix Web Interface servers
- Swiss SafeLab M.ID Service

Further redundant components in this example:
- Citrix Access Gateway
- Citrix Web Interface
- Citrix Terminal Server (Citrix Farm)
- Domain Controller

Recommended placement of the components (diagram, reduced to the zones and the components it places in them)

WAN: clients
DMZ: Load Balancer, Citrix Access Gateway 1 and 2, Citrix Web Interface 1 and 2
LAN: M.ID Server 1 and 2, Domain Controller 1 and 2, Citrix Farm

Legend (components description)

Components in the DMZ:

Load Balancer
In this scenario a hardware load balancer provides load balancing and failover for the multiple Citrix Access Gateway appliances and for the multiple Citrix Web Interface servers.

Citrix Web Interface 1+2 incl. M.ID Agent
The Citrix Web Interface gives users web-based access to the applications of a Citrix farm. The Web Interface is installed on two different servers with exactly the same configuration, for redundancy and load balancing; the hardware load balancer distributes the load between the Web Interface servers as well. The M.ID Agent is installed on both Web Interface servers to add the second authentication factor via SMS. Alternatively, the Web Interface (from version 5.0) can talk to the M.ID Service via RADIUS, in which case no M.ID Agent is needed on the Web Interface.

Citrix Access Gateway 1+2
The CAG is a hardware appliance that provides SSL proxy functionality for HTTP/HTTPS and ICA/SSL on the one hand, and is an SSL VPN appliance with endpoint security capabilities on the other. The Access Gateway is used to secure the communication from the client to the Web Interface with SSL and to secure the ICA sessions to the Citrix servers as well. The CAG is installed twice in this example for load balancing and failover.

Components on the LAN:

M.ID Service 1+2
The M.ID Service is placed on the LAN and can be installed on any server or PC. The M.ID Service provides the additional second authentication factor over SMS (short message service): it authenticates users and generates and sends the passcodes via SMS. For redundancy the M.ID Service is installed on at least two different servers; you can operate as many M.ID Services as desired.

Domain Controller 1+2
The domain controllers are used by the M.ID Service to verify the users' usernames, phone numbers and M.ID PIN codes. For reliability at least two domain controllers are configured; of course more domain controllers can be used.

Citrix Farm
The Citrix Presentation Server farm delivers centrally published applications and desktops to users over terminal server remote connections. Applications in a Citrix server farm are available to users from nearly any place and over any connection (home office, internet café, remote office, etc.). For load balancing and failover a Citrix server farm should consist of at least two servers.

Communication of M.ID and components in a redundant installation (case study of a connection process A - Z)

Connection diagram (WAN / DMZ / LAN), reduced to the connections and ports it shows; the numbers are the step numbers used in the legend below:

Step  Connection                                                      Protocol / port
1     Client -> Load Balancer -> Citrix Access Gateway 1 or 2         SSL 443
2     Access Gateway -> Load Balancer -> Citrix Web Interface 1 or 2  HTTP 80
3     Web Interface (M.ID Agent) -> M.ID Server 1 or 2                M.ID 81
4     M.ID Server -> Domain Controller 1 or 2                         LDAP 389
5     Web Interface -> Citrix Farm (XML service)                      XML 80
6     Web Interface -> Citrix Farm (STA)                              STA 80
7     Client -> Load Balancer -> Access Gateway                       SSL 443
      Access Gateway -> Citrix Farm (STA ticket validation)           STA 80
      Access Gateway -> Citrix server                                 ICA 1494
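The port matrix above is effectively the firewall allow-list for the three zones, and the legend's closing point (the client never talks directly to the Web Interface or the Citrix servers) is a property that can be checked against a rule set rather than assumed. The following added Python example is not part of the case study and not any real firewall's rule syntax: it audits a zone-based, default-deny policy against the documented flows. The role names, the Rule class and the two constructed rule sets are assumptions; the ports are the page's defaults.

```python
from dataclasses import dataclass

# Zone of every role in the case study's placement diagram (role names are assumed labels).
ZONE = {
    "client": "WAN",
    "load-balancer": "DMZ", "access-gateway": "DMZ", "web-interface": "DMZ",
    "mid-service": "LAN", "domain-controller": "LAN", "citrix-farm": "LAN",
}

# Flows the connection diagram shows (default ports; the page notes they can be changed).
DOCUMENTED = {
    ("client", "load-balancer", 443),           # step 1
    ("load-balancer", "access-gateway", 443),   # step 1
    ("access-gateway", "load-balancer", 80),    # step 2
    ("load-balancer", "web-interface", 80),     # step 2
    ("web-interface", "mid-service", 81),       # step 3
    ("mid-service", "domain-controller", 389),  # step 4 (LDAP)
    ("web-interface", "citrix-farm", 80),       # steps 5-6 (XML service, STA)
    ("access-gateway", "citrix-farm", 80),      # step 7 (STA ticket validation)
    ("access-gateway", "citrix-farm", 1494),    # step 7 (ICA)
}
KNOWN_PORTS = sorted({port for _, _, port in DOCUMENTED})
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # role name, zone name ("WAN" / "DMZ" / "LAN") or "any"
    dst: str
    port: object  # TCP port number or "any"


def _roles(selector):
    """Expand a rule's src/dst selector to the concrete roles it covers."""
    if selector == ANY:
        return set(ZONE)
    if selector in ZONE:
        return {selector}
    return {role for role, zone in ZONE.items() if zone == selector}


def permitted(rule):
    """Concrete (src, dst, port) triples one allow rule permits.

    A port wildcard expands to every port the design uses plus the marker "*",
    so an any-port rule is always reported as over-broad.
    """
    ports = KNOWN_PORTS + ["*"] if rule.port == ANY else [rule.port]
    return {(s, d, p) for s in _roles(rule.src) for d in _roles(rule.dst)
            for p in ports if s != d}


def audit(rules):
    """Allow-list policy with implicit default deny: report what is permitted beyond
    the documented flows and which documented flows the rules fail to permit."""
    allowed = set()
    for rule in rules:
        allowed |= permitted(rule)
    return {
        "overbroad": sorted(allowed - DOCUMENTED, key=str),
        "missing": sorted(DOCUMENTED - allowed, key=str),
    }


# Constructed rule sets: a loose zone-to-zone policy and its tightened equivalent.
LOOSE_RULES = [Rule("WAN", "DMZ", 443), Rule("DMZ", "LAN", ANY)]
TIGHT_RULES = [
    Rule("client", "load-balancer", 443),
    Rule("load-balancer", "access-gateway", 443),
    Rule("access-gateway", "load-balancer", 80),
    Rule("load-balancer", "web-interface", 80),
    Rule("web-interface", "mid-service", 81),
    Rule("mid-service", "domain-controller", 389),
    Rule("web-interface", "citrix-farm", 80),
    Rule("access-gateway", "citrix-farm", 80),
    Rule("access-gateway", "citrix-farm", 1494),
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(name, audit(rules))
```

Against LOOSE_RULES the audit reports (client, web-interface, 443) as over-broad, which is exactly the direct client-to-Web-Interface path the legend rules out, and it reports the intra-DMZ hops and the M.ID-to-domain-controller LDAP flow as missing because zone-to-zone rules never cover traffic inside a zone. TIGHT_RULES produces an empty report on both counts.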

Legend: connection process of a Citrix ICA session from A to Z with redundant components

The following describes the communication process from calling up the Web Interface web site until a Citrix session is successfully established.

Step 1
The user enters the Citrix Access Gateway's URL in a web browser to connect, over the load balancer, to the Web Interface. The HTTPS connection to the Web Interface is established through the Citrix Access Gateway. At least two Access Gateways are used in this case; the hardware load balancer decides which Citrix Access Gateway appliance handles the connection.

Step 2
The Access Gateway establishes the connection to the Web Interface. Here the Access Gateway again goes through the load balancer, which decides which Web Interface server the connection is made to. At least two Web Interface servers with the very same configuration are used.

Step 3
The user logs on at the Web Interface with username, password and M.ID PIN. The Web Interface communicates with the M.ID Service on the LAN over port 81 to verify the username and the M.ID PIN in the LDAP directory and to send an SMS with a passcode to the user. Multiple SMS providers can be configured to ensure delivery of the SMS. There are multiple M.ID Service installations on the LAN for redundancy: if an M.ID Service is not available, the Citrix Web Interface automatically uses the next available M.ID Server.

Step 4
The user receives the passcode via SMS and enters it on a second login mask of the Citrix Web Interface. The SMS passcode is verified by the M.ID Service.
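Steps 3 and 4 describe a two-phase authentication (PIN check and SMS dispatch, then passcode verification) in front of a pool of M.ID Services, with the M.ID Agent skipping an unreachable service. The following added Python example models that behaviour; it is not Swiss SafeLab code and does not use the M.ID Agent's real API or the port 81 protocol. The MIDService and MIDAgent classes, the 120-second passcode lifetime, the three-attempt limit and the user record are assumptions, chosen to show what a practitioner should expect from the passcode step (CSPRNG-generated, single use, time-limited, constant-time comparison) and from the agent when M.ID Server 1 is down.

```python
import hmac
import secrets


class MIDService:
    """Stand-in for one M.ID Service instance (added example, not the vendor's API)."""

    PASSCODE_TTL = 120    # seconds an SMS passcode stays valid (assumed value)
    MAX_ATTEMPTS = 3      # wrong guesses before a pending passcode is dropped (assumed value)

    def __init__(self, name, directory, available=True):
        self.name = name
        self.directory = directory    # stands in for the LDAP lookup on the domain controller
        self.available = available    # False simulates an unreachable M.ID Server
        self.pending = {}             # username -> [passcode, issued_at, failed_attempts]
        self.sms_outbox = []          # (phone, passcode) pairs that would go to the SMS provider

    def start(self, username, pin, now):
        """Phase 1 (step 3): verify username and M.ID PIN, then send a fresh passcode by SMS."""
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        rec = self.directory.get(username)
        # compare_digest keeps the PIN comparison constant-time
        if rec is None or not hmac.compare_digest(rec["pin"], pin):
            return False
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, six digits
        self.pending[username] = [code, now, 0]      # a new login replaces any older passcode
        self.sms_outbox.append((rec["phone"], code))
        return True

    def verify(self, username, code, now):
        """Phase 2 (step 4): single-use, time-limited, attempt-limited passcode check."""
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        entry = self.pending.get(username)
        if entry is None:
            return False
        issued, issued_at, attempts = entry
        if now - issued_at > self.PASSCODE_TTL or attempts >= self.MAX_ATTEMPTS:
            del self.pending[username]
            return False
        entry[2] += 1
        if hmac.compare_digest(issued, code):
            del self.pending[username]               # consume it: a replayed passcode must fail
            return True
        return False


class MIDAgent:
    """Web Interface side: ordered list of M.ID Services, failover to the next reachable one."""

    def __init__(self, services):
        self.services = list(services)
        self.issuer = {}    # username -> service holding that user's pending passcode

    def start_login(self, username, pin, now):
        for svc in self.services:
            try:
                ok = svc.start(username, pin, now)
            except ConnectionError:
                continue                             # this M.ID Server is down: try the next one
            if ok:
                self.issuer[username] = svc          # phase 2 must go to the same service
            return ok
        raise RuntimeError("no M.ID Service reachable")

    def finish_login(self, username, code, now):
        svc = self.issuer.get(username)
        if svc is None:
            return False                             # nothing pending, or already consumed
        try:
            ok = svc.verify(username, code, now)
        except ConnectionError:
            ok = False                               # issuer died mid-login: fail closed
        if ok:
            del self.issuer[username]
        return ok


def demo():
    """Login flow with M.ID Server 1 unreachable; returns the outcome of each probe."""
    directory = {"alice": {"pin": "4711", "phone": "+41 79 000 00 00"}}   # constructed record
    svc1 = MIDService("M.ID Server 1", directory, available=False)
    svc2 = MIDService("M.ID Server 2", directory)
    agent = MIDAgent([svc1, svc2])
    t0 = 1_700_000_000.0
    out = {"wrong_pin": agent.start_login("alice", "0000", t0)}
    out["started"] = agent.start_login("alice", "4711", t0)
    out["issuer"] = agent.issuer["alice"].name
    _, code = svc2.sms_outbox[-1]
    out["wrong_code"] = agent.finish_login("alice", f"{(int(code) + 1) % 10**6:06d}", t0 + 5)
    out["right_code"] = agent.finish_login("alice", code, t0 + 10)
    out["replay"] = agent.finish_login("alice", code, t0 + 11)
    agent.start_login("alice", "4711", t0 + 100)
    _, code2 = svc2.sms_outbox[-1]
    out["expired"] = agent.finish_login("alice", code2, t0 + 100 + MIDService.PASSCODE_TTL + 1)
    return out
```

Calling demo() shows the failover (the passcode is issued by M.ID Server 2 although Server 1 is listed first), a wrong passcode being rejected without consuming the pending one, the correct passcode succeeding once and failing on replay, and a passcode older than its lifetime being refused. The agent pins phase 2 to the service that issued the passcode and fails closed if that service disappears in between; the page does not say how the real M.ID Services share pending state, so that pinning is an assumption of the model, not a description of the product.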

Step 5
After the user has entered a valid SMS passcode in the previous step, the process continues with the logon at the Citrix farm level over XML port 80. After the user has been authenticated at the Citrix farm, the applications available to that user are queried over the XML service. This set of applications is returned to the Citrix Web Interface, which generates the web page listing the applications available to this specific user.

Step 6
The user clicks the desired application to start it. The Web Interface now determines over XML port 80 which server with the least load is available for the chosen application and which port is to be used for the ICA connection. This information is registered with the STA (Secure Ticket Authority) over port 80 and a connection ticket is generated. The Web Interface generates an ICA file containing all connection information for the Citrix Access Gateway and the connection ticket generated by the STA. This ICA file is needed to establish the Citrix connection and is sent to the client.

Step 7 (pink arrow in the diagram)
The Citrix client on the client device reads the ICA file and establishes a connection to the Citrix Access Gateway over SSL 443. Again the load balancer decides which Citrix Access Gateway the connection is made to. The connection ticket from the STA is passed from the ICA file to the Citrix Access Gateway. The Citrix Access Gateway presents the connection ticket to the STA, receives the connection information for the designated Citrix server and uses it to establish the ICA session. The client communicates exclusively with the Citrix Access Gateway over SSL 443: the Access Gateway acts as an SSL proxy that talks SSL to the client on one side and establishes the connection to the designated Citrix server on the other.
There are no direct connections from the client, neither to the Web Interface nor to the Citrix servers.
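The reason the client can be kept off the LAN entirely in Steps 6 and 7 is the ticket indirection: the client only ever holds an opaque STA ticket, and only the Access Gateway can trade it for the Citrix server's address. The following added Python example models that exchange; it is not Citrix code, and the ticket format, the 100-second ticket lifetime, the minimal ICA-file structure and the server and gateway names are assumptions, not the real STA protocol or ICA file format.

```python
import secrets

TICKET_TTL = 100   # seconds a ticket may be redeemed (assumed value)


class STA:
    """Stand-in for the Secure Ticket Authority: one-time ticket -> ICA target (added example)."""

    def __init__(self):
        self.tickets = {}   # ticket -> (host, port, issued_at)

    def issue(self, host, port, now):
        """Step 6: the Web Interface registers the chosen server and gets an opaque ticket."""
        ticket = secrets.token_hex(16)            # 128 random bits: unguessable, carries no server info
        self.tickets[ticket] = (host, port, now)
        return ticket

    def redeem(self, ticket, now):
        """Step 7: the Access Gateway trades the ticket for the target; single use, time-limited."""
        entry = self.tickets.pop(ticket, None)    # pop: a second redeem of the same ticket fails
        if entry is None:
            return None
        host, port, issued_at = entry
        if now - issued_at > TICKET_TTL:
            return None
        return host, port


def build_ica_file(gateway, ticket):
    """What the client receives in step 6: gateway address and ticket, never the farm server's
    address (assumed minimal structure, not the real ICA file format)."""
    return {"gateway": gateway, "port": 443, "ticket": ticket}


class AccessGateway:
    """Step 7 on the gateway side: redeem the ticket, then open ICA to the server it names."""

    def __init__(self, sta):
        self.sta = sta
        self.sessions = []   # (host, port) the gateway connected to on the LAN side

    def connect(self, ica, now):
        target = self.sta.redeem(ica["ticket"], now)
        if target is None:
            return False                   # unknown, replayed or stale ticket: no ICA connection
        self.sessions.append(target)       # here the gateway would open ICA 1494 to the target
        return True


def demo():
    """Exercise the ticket flow; returns the outcome of each probe."""
    sta = STA()
    gw = AccessGateway(sta)
    t0 = 1_700_000_000.0
    ticket = sta.issue("ctx-srv-03.lan", 1494, t0)           # constructed farm server name
    ica = build_ica_file("gateway.example.com", ticket)      # constructed gateway name
    out = {
        "server_leaked_to_client": "ctx-srv-03.lan" in str(ica),
        "first_use": gw.connect(ica, t0 + 2),
        "replay": gw.connect(ica, t0 + 3),
        "forged": gw.connect(build_ica_file("gateway.example.com", "00" * 16), t0 + 3),
    }
    stale = build_ica_file("gateway.example.com", sta.issue("ctx-srv-03.lan", 1494, t0))
    out["stale"] = gw.connect(stale, t0 + TICKET_TTL + 1)
    out["sessions"] = gw.sessions
    return out
```

demo() shows the four properties that make the gateway-only path safe: the ICA file handed to the client contains no farm server address, a ticket opens exactly one ICA session, a forged or replayed ticket opens none, and a ticket that is not redeemed within its lifetime is refused.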