Securing VSPEX Citrix XenDesktop End- User Computing Solutions with RSA

Similar documents
Virtualized Exchange 2007 Local Continuous Replication

EMC Data Domain Management Center

VMware/Hyper-V Backup Plug-in User Guide

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION

EMC VSPEX END-USER COMPUTING

Virtualized Exchange 2007 Archiving with EMC Xtender/DiskXtender to EMC Centera

Nasuni Filer Virtualization Getting Started Guide. Version 7.5 June 2016 Last modified: June 9, Nasuni Corporation All Rights Reserved

Virtual Appliance Setup Guide

EMC VSPEX END-USER COMPUTING

Goliath Performance Monitor Prerequisites v11.6

Citrix XenDesktop Modular Reference Architecture Version 2.0. Prepared by: Worldwide Consulting Solutions

RSA Authentication Manager 8.1 Setup and Configuration Guide. Revision 2

simplify monitoring Environment Prerequisites for Installation Simplify Monitoring 11.4 (v11.4) Document Date: January

VMware Workspace Portal Reference Architecture

QuickStart Guide vcenter Server Heartbeat 5.5 Update 2

Veeam Cloud Connect. Version 8.0. Administrator Guide

RSA SecurID Ready Implementation Guide

NETWRIX EVENT LOG MANAGER

EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager

DameWare Server. Administrator Guide

EMC NetWorker Module for Microsoft for Windows Bare Metal Recovery Solution

VMware vsphere Data Protection 6.1

Installing and Configuring vcloud Connector

Interworks. Interworks Cloud Platform Installation Guide

SonicWALL SRA Virtual Appliance Getting Started Guide

Netwrix Auditor for Exchange

PHD Virtual Backup for Hyper-V

XenDesktop Implementation Guide

Virtual Appliance Setup Guide

Virtual Web Appliance Setup Guide

Getting Started with ESXi Embedded

Installing and Configuring vcenter Multi-Hypervisor Manager

Frequently Asked Questions: EMC UnityVSA

IronKey Enterprise Server 6.1 Quick Start Guide

Netwrix Auditor for Active Directory

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter

Veeam Backup Enterprise Manager. Version 7.0

SILVER PEAK ACCELERATION WITH EMC VSPEX PRIVATE CLOUD WITH RECOVERPOINT FOR VMWARE VSPHERE

VMWARE PROTECTION USING VBA WITH NETWORKER 8.1

RSA Authentication Manager 8.1 Virtual Appliance Getting Started

Server Software Installation Guide

Quick Start Guide for VMware and Windows 7

vsphere Upgrade Update 1 ESXi 6.0 vcenter Server 6.0 EN

VMware Data Recovery. Administrator's Guide EN

Thinspace deskcloud. Quick Start Guide

Server Installation ZENworks Mobile Management 2.7.x August 2013

StarWind Virtual SAN Installation and Configuration of Hyper-Converged 2 Nodes with Hyper-V Cluster

Netwrix Auditor for SQL Server

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Genetec Omnicast Client Applications

Virtual Managment Appliance Setup Guide

Netwrix Auditor for Windows Server

vsphere Upgrade vsphere 6.0 EN

RSA SecurID Software Token 1.0 for Android Administrator s Guide

RSA SecurID Ready Implementation Guide

Citrix Systems, Inc.

GRAVITYZONE HERE. Deployment Guide VLE Environment

VMware Identity Manager Administration

VMware vsphere Examples and Scenarios

How to Backup and Restore a VM using Veeam

EMC VSPEX END-USER COMPUTING

1. Server Microsoft FEP Instalation

RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide

Netwrix Auditor. Virtual Appliance Deployment Guide. Version: 8.0 8/1/2016

Netwrix Auditor for SQL Server

Quick Start Guide for Parallels Virtuozzo

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

EMC BACKUP-AS-A-SERVICE

Windows Server ,500-user pooled VDI deployment guide

Backup Exec 15. Quick Installation Guide

Copyright 2012 Trend Micro Incorporated. All rights reserved.

F-Secure Internet Gatekeeper Virtual Appliance

Metalogix Replicator. Quick Start Guide. Publication Date: May 14, 2015

EMC Business Continuity for VMware View Enabled by EMC SRDF/S and VMware vcenter Site Recovery Manager

Deploying NetScaler Gateway in ICA Proxy Mode

IBM TSM DISASTER RECOVERY BEST PRACTICES WITH EMC DATA DOMAIN DEDUPLICATION STORAGE

RSA Authentication Manager 8.1 Planning Guide. Revision 1

Desktop Virtualization Made Easy Execution Plan

Implementation Guide for EMC for VSPEX Private Cloud Environments. CloudLink Solution Architect Team

DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTION NS FOR VSPEXX PRIVATE CLOUD EMC VSPEX December 2014

Design Guide: Remote Access to Windows Apps XenApp 7.6 Feature Pack 2 vsphere 6

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Virtual Appliance Setup Guide

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

Managing Multi-Hypervisor Environments with vcenter Server

Isilon OneFS. Version OneFS Migration Tools Guide

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Business Process Desktop: Acronis backup & Recovery 11.5 Deployment Guide

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide

Dell One Identity Cloud Access Manager Installation Guide

Product Version 1.0 Document Version 1.0-B

Enterprise Manager. Version 6.2. Administrator s Guide

VMware Identity Manager Connector Installation and Configuration

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures

EMC Integrated Infrastructure for VMware

How To Install An Aneka Cloud On A Windows 7 Computer (For Free)

Understanding EMC Avamar with EMC Data Protection Advisor

Microsoft Dynamics GP SQL Server Reporting Services Guide

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Outlook Web Access 1.06

Transcription:

Design Guide Securing VSPEX Citrix XenDesktop End- User Computing Solutions with RSA VMware vsphere 5.1 for up to 2000 Virtual Desktops EMC VSPEX Abstract This guide describes required components and a configuration overview for deploying RSA SecurID two-factor authentication in the VSPEX Citrix XenDesktop end user computing proven infrastructures. This guide and its associated Implementation Guide are designed to be used as addtions, or overlays, to one of the specific VSPEX Citrix XenDesktop proven infrastructures documents. January, 2013

Copyright 2013 EMC Corporation. All rights reserved. Published in the USA. Published January 2013 EMC believes the information in this publication is accurate of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC 2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website. Design Guide Part Number H11376 2

Contents Chapter 1 Introduction... 9 Purpose... 10 Business value... 10 Scope... 11 Audience... 11 Chapter 2 Before You Start... 13 Essential reading... 14 Chapter 3 Solution Overview... 15 Overview... 16 External request authentication... 16 Internal request authentication... 16 High Availability... 17 Existing infrastructure... 17 Key components... 17 RSA SecurID with Authentication Manager... 17 Citrix NetScaler... 18 Citrix Storefront... 18 EMC VSPEX... 18 Backup and recovery... 18 Solution architecture... 19 High-level solution architecture... 19 Architecture overview... 19 Application access control flow... 21 RSA SecurID authentication control flow... 21 Chapter 4 Solution Design Considerations And Best Practices... 23 Overview... 24 Network design considerations... 24 Overlay design considerations... 24 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 3

Contents Sizing and scaling information for RSA Authentication Manager... 25 Sizing and scaling information for Citrix NetScaler VPX... 26 Sizing and scaling information for Citrix Storefront... 26 Storage layout and design considerations... 26 Virtualization design considerations... 26 Backup and recovery implementation... 26 Chapter 5 Solution Validation Methodologies... 27 Baseline hardware validation methodology... 28 Functional validation methodology... 28 Key metrics... 28 Define the test scenarios... 28 Appendix A References... 31 References... 32 4

Figures Figure 1. Authentication control flow for XenDesktop access requests originating on an external network... 16 Figure 2. Authentication control flow for XenDesktop requests originating on local network... 17 Figure 3. Logical architecture: generalized VSPEX Citrix XenDesktop proven infrastructure with RSA SecurID, Citrix NetScaler, and Citrix Storefront components overlaid in a redundant configuration.... 19 Figure 4. Remote Access login screen... 22 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 5

Figures 6

Tables Table 1. Baseline compute and storage requirements for SecurID overlay... 25 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 7

Tables 8

Chapter 1 Introduction This chapter presents the following topics: Purpose... 10 Business value... 10 Scope... 11 Audience... 11 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 9

Introduction Purpose This document describes security enhancements provided and infrastructure components required for the deployment of RSA SecurID two-factor authentication in a new or existing VSPEX Citrix XenDesktop end user computing infrastructure. Business value EMC VSPEX End-User Computing Solutions for Citrix XenDesktop and VMware vsphere provide proven, best-of-breed solutions for end user computing. Customers requiring additional access protection for remotely-available or sensitive XenDesktop environments can enable RSA SecurID two-factor authentication as a highly-effective additional layer of virtual desktop access protection. In addition to Active Directory credentials, accessing a SecurID-protected resource requires a personal identification number and a constantly-changing code from a hardware or software-based token. Credentials based on something the user knows (the PIN) and something the user has (the token code) is the basis of two-factor authentication and is a standard in access security. The following components are used to implement SecurID in the VSPEX XenDesktop infrastructures: RSA Authentication Manager (version 7.1 SP4 or higher) Citrix NetScaler network appliance (version 10 or higher) Citrix Storefront (version 1.2, also known as CloudGateway Express) RSA Authentication Manager manages SecurID hardware or software tokens and their assignment to users as well as the actual authentication process. For this design, Authentication Manager uses Active Directory as its source of users ( identity store ). Citrix NetScaler enables seamless integration of RSA SecurID functionality into the VSPEX XenDesktop environment as well as provision of enhanced management and availability features and a streamlined user experience. Citrix Storefront provides a set a set of service interfaces used by NetScaler and Citrix clients to access XenDesktop. It is important to note that the NetScaler and Storefront configuration used in this design is only one of many possible usage scenarios. These components offer a tremendous amount of additional functionality well beyond the scope of this solution; they are used here to support the primary goal of adding SecurID authentication to the VSPEX XenDesktop infrastructures. Presence of these components in the environment provides a foundation on which EMC channel partners can build many other service enhancements for the customer. As described in their individual infrastructure documentation, VSPEX Citrix XenDesktop end user computing solutions provide predefined infrastructures with proven, tested performance, scalability and functionality for up to 250 desktops (using EMC VNXe storage) or up to 2000 desktops (using EMC VNX storage). This overlay enhances the value proposition by strengthening access security, especially for remote connections. 10

Introduction Scope The access and security enhancements presented in this guide are assembled as an overlay to the Citrix XenDesktop VSPEX solutions. This document briefly describes SecurID and Authentication Manager, illustrates their integration into the predefined VSPEX solution, and presents a configuration framework. The overlay is not intended as a standalone solution; infrastructure services built into the VSPEX solutions (notably Active Directory, SQL Server, and DNS) are used to support the extended functionality described here. This guide is intended to be used in conjunction with the proven infrastructure document for the referenced VSPEX solutions. Familiarity with the relevant documents is considered as a minimum prerequisite for using this guide. Audience This guide is targeted to EMC internal staff and channel partners. It is not intended for external distribution or the VSPEX end user. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 11

Introduction 12

Chapter 2 Before You Start This chapter presents the following topics: Essential reading... 14 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 13

Before You Start Essential reading Read the following materials before you start to use this guide. EMC VSPEX End-User Computing: Citrix XenDesktop 5.6 and VMware vsphere 5.1 for up to 250 Virtual Desktops Enabled by EMC VNXe, and EMC Next Generation Backup EMC VSPEX End-User Computing: Citrix XenDesktop 5.6 and VMware vsphere 5.1 for up to 2000 Virtual Desktops Enabled by EMC VNXe, and EMC Next Generation Backups RSA SecurID Two-Factor Authentication for EMC VSPEX End-User Computing Solutions for Citrix XenDesktop 5.1: Implementation Guide Citrix CloudGateway Express 2.0 Proof of Concept Implementation Guide Citrix CTX131908: How to Configure Access to Citrix Receiver Storefront 1.0 through Access Gateway Enterprise Edition 14

Chapter 3 Solution Overview This chapter presents the following topics: Overview... 16 Key components... 17 Solution architecture... 19 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 15

Solution Overview Overview This overlay adds RSA SecurID functionality for remote access and associated security to the four VSPEX end user computing solutions for Citrix XenDesktop and VMware vsphere 5. For requests originating on an external or public network, the user is authenticated with both RSA SecurID and Active Directory. Requests arriving from the internal network authenticate against Active Directory only. The supporting infrastructure positions the customer for a variety of other services and enhancements beyond the scope of the overlay. External request authentication For requests arriving from an external or public network, Citrix NetScaler s Access Gateway Enterprise Edition presents the authentication challenge, acts as an authentication agent to RSA Authentication Manager for SecurID two-factor authentication, runs secondary authentication against Active Directory, and provides a single sign-on experience to XenDesktop as shown in Figure 1. Figure 1. Authentication control flow for XenDesktop access requests originating on an external network Internal request authentication XenDesktop access requests originating on the local network are authenticated against Active Directory only, omitting the SecurID layer used for external requests. The user s request is routed to Storefront through a load balancer configured on NetScaler; Storefront retrieves the desktop from XenDesktop (which also performs authentication) and passes it back to the client, shown in Figure 2. 16

Solution Overview Figure 2. Authentication control flow for XenDesktop requests originating on local network High Availability All components are configured in redundant pairs, providing high availability operation. NetScaler is configured in an active-passive pair setup where the secondary node automatically takes over if the primary node becomes unreachable. RSA Authentication Manager is deployed as a simple redundant pair. NetScaler Access Gateway authentication policy directs traffic to a designated primary node; if this node becomes unreachable, Access Gateway sends the authentication request to the secondary server. Citrix Storefront is similarly configured as a redundant pair. NetScaler s load balancing capability is configured to monitor Storefront server availability and route access requests to available nodes. Existing infrastructure It is expected that the XenDesktop environment and supporting infrastructure services such as Active Directory and SQL Server are or will be configured per the appropriate VSPEX end user computing proven infrastructure document. Compute and storage resource for the components added in this overlay may be added for the purpose or consumed from the solution pool as described later. Key components RSA SecurID with Authentication Manager SecurID functionality is managed by RSA Authentication Manager, which for this overlay is installed on redundant Windows Server 2008 R2 virtual servers. While both nodes are active, NetScaler will direct traffic to a single node as long as that primary node is responsive; in the event of primary node failure, NetScaler will utilize the secondary node until the primary returns to operational status. Built-in Authentication Manager features provide backup and synchronization services. Note Authentication Manager 7.1 is also available as a physical appliance. Access Gateway Enterprise Edition requires use of a RADIUS server on each Authentication Manager node to listen for and process SecurID requests; native RSA authentication is not supported by this edition. RADIUS does not require RSA Authentication Agent software to be installed on the protected XenDesktop hosts. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 17

Solution Overview Note that NetScaler Access Gateway is explicitly registered as an Authentication Client during RADIUS setup. For this overlay, Authentication Manager is integrated with Citrix NetScaler to streamline the user experience. Many companies deploy SecurID to authenticate access to a corporate network from a connection on a public network. When accessing XenDesktop from a public network, the user is challenged for both SecurID and domain credentials. Upon successful authentication, the user is logged in without further challenge. For XenDesktop access from within the local network, the user is authenticated only at the domain level. Citrix NetScaler Citrix NetScaler is a highly versatile network appliance which can deliver a variety of cloud control services such as data compression, content caching, load balancing, application acceleration, etc. Deployed in the network demilitarized zone (DMZ), NetScaler s Access Gateway Enterprise Edition (AGEE) provides secure access to XenDesktop and other resources within the secure network from external or public networks. AGEE is used in this solution to control primary (SecurID) and secondary (Active Directory) authentication for users accessing XenDesktop outside the secure network. NetScaler s load balancing capabilities are used to provide High Availability (HA) as well as load-balanced access to redundant Citrix Storefront instances. Citrix Storefront EMC VSPEX Storefront provides authentication and desktop delivery services for web and mobile versions of the Citrix client. For access attempts from Windows or Mac OS X, Storefront facilitates the download and installation of Citrix Receiver if the client is not already installed. After validating a user s credentials, the Storefront authentication service ensures that all subsequent interactions are processed without repeating the logon sequence. Storefront then records details of the application subscription and associated shortcuts and locations, enabling a consistent user experience across sessions and devices. VSPEX validated and modular architectures are built with proven best-of-breed technologies to create complete virtualization solutions that enable you to make an informed decision in the hypervisor, compute and networking layers. VSPEX eliminates desktop virtualization planning and configuration burdens. VSPEX accelerates your IT Transformation by enabling faster deployments, greater choice, efficiency, and lower risk. For more detailed information on performance and scalability testing, refer to the virtual infrastructure documents cited in Essential reading on page 14 for the solution sized for your requirements. Backup and recovery Backup and recovery are covered at the infrastructure level in the documentation for the VSPEX solution. Note that RSA recommends the use of its native toolset for backup and restoration of the Authentication Manager internal database. 18

Solution Overview Solution architecture High-level solution architecture Figure 3 shows the generalized logical architecture of the VSPEX Citrix XenDesktop infrastructure, with the overlay infrastructure added. The VNX with Fibre Channel variant is shown. NFS and VNXe variants are described in the Citrix XenDesktop VSPEX proven infrastructure documents. Note While this diagram shows SecurID infrastructure hosted on separate vsphere servers for clarity, these components can be placed on existing infrastructure hosts if sufficient capacity is available, as shown in Table 1. Figure 3. Logical architecture: generalized VSPEX Citrix XenDesktop proven infrastructure with RSA SecurID, Citrix NetScaler, and Citrix Storefront components overlaid in a redundant configuration. Architecture overview The SecurID overlay architecture consists of the following components. EMC VSPEX End-User Computing Solution with Citrix XenDesktop 5.6 and VMware vsphere 5.1 for [250, 500, 1000, 2000] Virtual Desktops The foundation infrastructure supports XenDesktop and provides Active Directory, DNS, and SQL Server services, which are also utilized by the overlay. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 19

Solution Overview RSA Authentication Manager 7.1 SP4 In addition to managing SecurID token assignment to users, Authentication Manager controls the RADIUS server which listens for incoming authentication requests. Authentication Manager is deployed on redundant nodes for high availability. The following configuration notes are important: The solution overlay described here uses Citrix Access Gateway Enterprise Edition (AGEE), which is incorporated with Citrix NetScaler 10 (described below). AGEE only supports SecurID authentication via RADIUS. While out of scope for this overlay, it should be noted that the (standalone) Standard and Advanced editions of Access Gateway must use the native RSA authentication API. Citrix Secure Gateway is not supported. Authentication Manager s installation wizard provides easy setup of primary and secondary nodes. After setup, both nodes are active and equal; the primary-secondary relationship refers to synchronization: changes made to the primary are then ported to the secondary. While the secondary Authentication Manager node is easily synchronized with the primary, a RADIUS server must be manually configured on the secondary: the sync process will not port the server setup. Duplicate NetScaler AGEE policies are required for high availability, as described below. Citrix NetScaler 10 network appliance While NetScaler offers a wide variety of functionality to control and accelerate network services and cloud-based applications, two primary subcomponents are used in this overlay. Access Gateway Enterprise Edition (AGEE) Deployed in the network DMZ, AGEE provides a gateway for external traffic to access XenDesktop resources on a protected network. Users enter credentials in a single authentication dialog, and AGEE policies control primary authentication against RSA SecurID and secondary authentication against Active Directory. Note o o For this solution, the primary authentication policy is actually comprised of duplicate SecurID authentication policies supporting high availability: The first SecurID policy points to the primary Authentication Manager node. The second SecurID policy is identical to the first, but with a lower priority setting, and points to the secondary AM node. If the primary node becomes unreachable, AGEE detects the first policy execution failure and runs the second policy. Load Balancing Virtual load balancers are configured to provide high availability access to Citrix Storefront s redundant nodes. A secondary Storefront host does not have the capability of listening for requests sent to a failed primary; therefore, NetScaler load balancing is configured to monitor Storefront node availability and route requests accordingly. NetScaler is deployed in this solution as an active-passive pair. If the primary becomes unreachable, the secondary automatically takes over and services all traffic that was explicitly destined for the primary instance. In this configuration, only the 20

Solution Overview active instance services traffic. While NetScaler supports clustering, wherein both instances serve traffic at the expense of increased configuration and network overhead, the Access Gateway subcomponent is not supported in that configuration. NetScaler is available as a physical appliance or downloadable VMware OVF file which is quickly and easily loaded onto a VMware vsphere host as a virtual appliance (VPX). Configuration and management are identical, although VPXs are more limited in scalability. Licensing determines which capabilities are enabled on the appliances and at what service levels. Customer consultation to ascertain traffic load and appropriate NetScaler model is strongly advised. Citrix Storefront 1.2 - Storefront is the replacement for Citrix Web Interface, whose primary purposes in this solution are to: Present user desktops to web-based or mobile Citrix client, Provide authentication services for local-network user access, Simplify internal / external access configuration in the XenDesktop environment. User subscription information, stored in a backend SQL Server database, provides consistent desktop or other application experience across user sessions and differing client devices. Citrix Receiver Software client providing optimal access to XenDesktop and other Citrix published resources. The client is available for most mobile devices; for Windows and Mac OS X, the user will be prompted for automatic download and installation of the client on first browser access of the environment. In context of this solution, the user client is considered a generic user endpoint, so versions of the Receiver client and options and optimizations for them are not addressed. Application access control flow All XenDesktop access requests, whether they originate on a local or external network, are routed through NetScaler to Storefront and then XenDesktop. Requests originating outside the local network are directed to AGEE, which is deployed in the network DMZ and authenticates the user via RSA SecurID (primary authentication) and Active Directory (secondary authentication). Then the request is handed off to Storefront through a NetScaler load balancer which monitors node availability and routes requests. Storefront then enumerates the user s desktops to his/her client device, the user selects the one desired, and AGEE proxies a logon to that desktop. The Citrix user client can make the determination as to whether it is inside or outside the local network and determines its connection route accordingly. Local requests are routed to Storefront through a separate NetScaler load balancer. Storefront then authenticates the user against Active Directory and his/her desktops are retrieved and presented as described above. RSA SecurID authentication control flow As described above, requests originating outside the local network are handled by NetScaler s Access Gateway, which authenticates the user with RSA SecurID and Active Directory. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 21

Solution Overview Figure 4 shows the default logon screen presented to the user. The user enters the following credentials: User Name: A non-qualified ID; that is, ID of the form MyUserID as opposed to MyDomain\MyUserID Password 1: User s Active Directory password Password 2: User s SecurID passphrase (PIN plus one-time pass code from SecurID token) Figure 4. Remote Access login screen When the user clicks the Log On button, AGEE first authenticates against SecurId and then against Active Directory. Incorrect credentials in any field results in a generalized incorrect credentials error message; the user is given no information about which field is incorrect. 22

Chapter 4 Solution Design Considerations And Best Practices This chapter presents the following topics: Overview... 24 Network design considerations... 24 Overlay design considerations... 24 Storage layout and design considerations... 26 Virtualization design considerations... 26 Backup and recovery implementation... 26 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 23

Solution Design Considerations And Best Practices Overview The overlay is designed to run as a part of the relevant VSPEX end user computing infrastructure. Only the new overlay components are discussed; foundation components such as XenDesktop and supporting infrastructure are addressed in the applicable proven infrastructure document. Network design considerations This overlay fits into the network layout described in the relevant VSPEX Citrix XenDesktop proven infrastructure documents. Refer to those documents for more detail on individual component networking. Overlay design considerations Authentication Manager, NetScaler, and Storefront can be hosted on new VMware ESXi hardware dedicated to the purpose or on existing infrastructure servers described in appropriate reference architectures if capacity is sufficient. In order to maintain high availability, ensure that VMware guests running nodes of redundant pairs are placed on separate physical servers. Table 1shows minimum CPU, memory, and disk space values for VMware guests hosting Authentication Manager, NetScaler VPX, and Storefront. Large or high-traffic deployments may require additional resource, especially for NetScaler. EMC channel partners should work with customer to ascertain throughput requirements in order to insure adequate capacity. 24

Best Practices Table 1. Solution Design Considerations And Baseline compute and storage requirements for SecurID overlay CPU (cores) Memory (GB) Disk (GB) SQL Database* Reference RSA Authentication Manager 2 8** 60 n/a RSA Authentication Manager 7.1 Performance and Scalability Guide Citrix NetScaler 2 4 40 n/a Citrix NetScaler VPX Getting Started Guide Citrix Storefront 2 2 20 3.5 MB per 100 users * It is expected that this capacity can be drawn from existing SQL Server defined in the VSPEX Citrix XenDesktop reference architectures. ** RSA recommends an 8 GB minimum for VMware-based deployments. A 4 GB or even 2 GB configuration is acceptable on standalone servers. Sizing and scaling information for RSA Authentication Manager The installation used in this overlay places Authentication Manager and associated RADIUS server on the same host. According to the RSA Authentication Manager 7.1 Performance and Scalability Guide, a small current-generation server with a single dual-core processor and 2 GB RAM can process 40 SecurID authentications per second. Thus, an entire user database for a 2,000 desktop VSPEX environment can be authenticated in under a minute (RSA testing performed on dedicated hardware with no antivirus, security, or other software installed). Note Deployment of Authentication Manager on VMware guests carries specific requirements and restrictions: Allocated memory should be set to 8 GB for 64-bit operating systems Cloning, physical-to-virtual conversion, and virtual-to-physical conversion are supported. Snapshots, vmotion, High Availability, and several other VMware virtualization features are not supported. RSA recommends that Authentication Manager built-in features be used for these types of services. See Authentication Manager 7.1 Service Pack 4 Release Notes (available on RSA SecurCare Online) for more information. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 25

Solution Design Considerations And Best Practices Sizing and scaling information for Citrix NetScaler VPX Sizing and scaling information for Citrix Storefront This overlay uses the NetScaler virtual appliance (VPX), a lower-cost solution targeted toward the SMB customer as compared to the enterprise-oriented physical appliance series. The most likely bottleneck to be encountered with a VPX in the overlay environment is network bandwidth. A throughput baseline of 150 kbs per session can be used for sizing approximation; environments supporting heavy multimedia use can consume 600 kbs. Consult NetScaler sizing documentation for guidance on insuring adequate capacity. Storefront server requirements are satisfied by the standard infrastructure server footprint described in the proven architecture document. Storage requirements for Storefront s SQL Server subscription database are minimal. The database stores information allowing a consistent user experience across multiple sessions and client devices; browser-based access generates no database entry at all. Storage layout and design considerations Table 1 shows that total disk storage requirement for the SecurID infrastructure is 125 GB or less. It is expected that this capacity can be drawn from storage allocated for the relevant end user computing infrastructure. Virtualization design considerations This overlay fits into the virtualization design described in the relevant VSPEX Citrix XenDesktop proven infrastructure document. Consult that document for more detail on individual component networking. Backup and recovery implementation Backup and recovery services for the overall solution are described in the relevant VSPEX XenDesktop proven infrastructure document. It should be notred that RSA recommends the use of its built-in tools for backup and recovery of the Authentication Manager internal database. 26

Chapter 5 Solution Validation Methodologies This chapter presents the following topics: Baseline hardware validation methodology... 28 Functional validation methodology... 28 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 27

Solution Validation Methodologies Baseline hardware validation methodology Hardware validation is beyond the scope of this document. Refer to the VSPEX Citrix XenDesktop proven infrastructure documents for more information. Functional validation methodology Proper operation of the following functions must be tested: Authentication: For external access, improper credentials, whether Userid, AD password, or SecurID passphrase, generates a generic error message that does not identify which value is incorrect. For internal access, only Active Directory credentials are required and similarly validated. Single sign-on: After authentication, user login takes place with no additional challenge at the desktop. Key metrics Beyond proper operation at the VSPEX proven infrastructure increments of up to 250 desktops (using EMC VNXe storage) or up to 2000 desktops (using EMC VNX storage), no metrics were generated for the overlay. SecurID has no effect on XenDesktop performance after authentication is complete. Define the test scenarios Authentication Manager Authentication success: Presentation of the authentication dialog prompting for SecurID name and passcode and subsequent successful authentication is the de facto success criterion. If more information is desired, the following steps can be taken. a. On Authentication Manager s Security Console, open Reporting Realtime Activity Monitors Authentication Activity Monitor. If desired, enter the user name to be verified in the Search field. b. Click Start Monitor. c. Log into a desktop through the Access Gateway client, shown in Figure 4. d. On the monitor dialog box, verify that SecurID credentials are validated. e. Close the monitor. High Availability: Using VMware vsphere, edit settings for the primary Authentication Manager node to disconnect the guest s virtual NIC, or shut down the guest. Verify SecurID authentication is successful. Reconnect the primary node virtual NIC. Repeat the preceding steps with secondary node virtual NIC disconnect or shutdown. 28

NetScaler Solution Validation Methodologies Normal operation is verified by ability to successfully log in to desktops. High Availability (for active-passive configuration): a. Disconnect the primary NetScaler from the network or shut it down b. Log in to the secondary node and navigate to SystemHigh Availability, where primary/secondary status is displayed. (Note: login to a nonprimary node results in a dialog warning that configuration changes will not be propagated.) c. Verify that user logins via internal and external paths work as expected. d. Reconnect or restart the primary node. e. Repeat the test for the secondary node. Note Storefront Once failover has occurred, the new primary node will remain primary when the failed host is brought back online unless a forced failover returns the two hosts to the original settings. Normal operation is verified by the ability to successfully log in to desktops. High Availability: a. Using VMware vsphere, edit settings for the primary Storefront node to disconnect the guest s virtual NIC, or shut down the guest. b. Verify successful login to user desktop through internal and external path. c. Reconnect the primary node virtual NIC or restart the guest. d. Repeat the preceding with secondary node virtual NIC disconnect. Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 29

Solution Validation Methodologies 30

Appendix A References This appendix presents the following topics: References... 32 Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, 31

References References RSA Authentication Manager 7.1 Installation and Configuration Guide RSA Authentication Manager 7.1 Administrator s Guide RSA Authentication Manager 7.1 Performance and Scalability Guide The following documents were referenced in Essential reading above. EMC VSPEX End-User Computing: Citrix XenDesktop 5.6 and VMware vsphere 5.1 for up to 250 Virtual Desktops Enabled by EMC VNXe, and EMC Next Generation Backup EMC VSPEX End-User Computing: Citrix XenDesktop 5.6 and VMware vsphere 5.1 for up to 2000 Virtual Desktops Enabled by EMC VNXe, and EMC Next Generation Backup Securing VSPEX Citrix XenDesktop 5.6 End-User Computing Solutions with RSA, - Implementation Guide Citrix CloudGateway Express 2.0 Proof of Concept - Implementation Guide Citrix CTX131908: How to Configure Access to Citrix Receiver Storefront 1.0 through Access Gateway Enterprise Edition 32

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information