DV4 - Citrix CloudGateway: Access and control Windows, SaaS and web applications
Rob Sanders, Systems Engineer, Citrix Systems
Oliver Lomberg, Systems Engineer, Citrix Systems GmbH
Diagram labels: Corporate PC, BYO Phone, BYO Tablet; Corporate Apps & Storage, SaaS Apps, Mobile Apps, Data
Enterprise Mobility for All Apps, Data & Devices
Diagram labels: Mobile Container, App Store, Cloud Container, Identity, Windows, Mobile, Policy, Web/SaaS, Data, Corp Data, Security
Unified Storefront
Diagram labels: PC, Mac, Smartphone, Tablet, Thin Client; Access Gateway services, Storefront services, Content controllers
Storefront Services
Single server deployment (diagram: Internet, DMZ, LAN): Access Gateway (optional), Storefront Services, XenApp/XenDesktop
High availability deployment (diagram: Internet, DMZ, LAN): Access Gateway (optional), Load Balancer, Storefront Services, SQL Server, XenApp/XenDesktop
Initial multi-server deployment
Components Storefront Services
Storefront Services tier (component diagram)
Clients: Browser, Mac and Windows, Mobile Devices, Thin Clients, 3rd Party Web
Numbered components: 1 Authentication Service (Password, OTP, Smartcard, Kerberos...), 2 Store Services (List My Apps, List All Apps, Launch App, Subscribe), 3 Web Receiver
Other labels: Access Gateway, XML Service Adaptor, XenApp farms, XenDesktop farms, App Controller, ShareFile, Web apps, SaaS apps, Mobile Applications, Future Citrix Adaptors, 3rd Party Adaptors, 3rd Party Apps, Value Adds, Update Service (Merchandising Server)
Authentication Service (1)
Diagram labels: Password Authentication, OTP, Smartcard, Kerberos...
Allows Single Sign-on
  ᵒ Between different Storefront services
  ᵒ To other Citrix services
Extends in many directions
  ᵒ Federation-In (SAML protocol)
  ᵒ Access Gateway SSO
  ᵒ SSO to AppController
Authentication Flow, current (diagram): Internet, Web Interface Server, XML Server, Active Directory Server
Authentication Flow, new (diagram): Internet, Storefront Services Server, Active Directory Server, XML Server
Authentication methods
Three authentication methods available on Storefront Services
  ᵒ User name and password e.g. Explicit
  ᵒ Domain pass-through e.g. Pass-through
  ᵒ Pass-through from Citrix Access Gateway e.g. Authentication at Access Gateway
No 2-factor authentication (RADIUS, tokens and OTP) available
  ᵒ Use Access Gateway to provide this functionality
No support for Kerberos, smart cards and federation at this time
Domain pass-through only available with:
  ᵒ Domain-joined Windows devices
  ᵒ Native Citrix Receiver installed with /IncludeSSON parameter
Store Services (2)
Diagram labels: Store Service, List My Apps, List All Apps, Launch App, Subscribe
REST Services
  ᵒ XML messages over HTTP(S) protocol
  ᵒ Authentication via a token header
Designed to be a public SDK
  ᵒ Currently not published
Root service is Resources
  ᵒ This then references images, Windows icons, etc.
Receiver for Web (3)
Diagram labels: Web Receiver, 3rd Party Web
Logically a Receiver like any other
  ᵒ Talks to Storefront Services over HTTPS
Our implementation
  ᵒ Static HTML + CSS + JavaScript
Rich UI
  ᵒ Same UI as all other receivers
  ᵒ Designed to be modular & customizable
Enabling remote access Storefront Services
Storefront Services & Access Gateway integration
Supported
  ᵒ Access Gateway 5.0.3 or later
  ᵒ Access Gateway Enterprise 9.3 or later
  ᵒ Access Gateway Enterprise 10.0 preferred
Not supported
  ᵒ Access Gateway Standard / Advanced Editions 4.x
  ᵒ Secure Gateway 3.2
Where in the world is Carmen SanDiego?? Or how beacons are used
Beacons are used to determine the location of user
Each beacon is a URL
  ᵒ Internal: Only accessible from the LAN
  ᵒ External: Public website (e.g. www.citrix.com or www.google.com)
Receiver sends GET request to each beacon
  ᵒ HTTP Response Status 200-399 is success
Possible results
  ᵒ NONE: No network connection
  ᵒ VPN: Access Gateway plug-in detected and connection active
  ᵒ LAN: Internal beacon success, no Access Gateway needed
  ᵒ OUTSIDE: Internal beacon unreachable, Access Gateway needed
  ᵒ HOTSPOT: Multiple external beacons connect to same proxy
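The beacon decision table above, worked through as an added example (not Citrix Receiver code, and not from the original deck). The `Probe` record, its `final_host` field, the function names and the order in which the results are checked are assumptions; the beacon URLs are the ones shown in this deck and the probe outcomes are constructed. Checking HOTSPOT before LAN is a deliberate choice here: a captive portal answers every plain-HTTP beacon with a 200-399 status, including the internal one.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlparse

@dataclass(frozen=True)
class Probe:
    """Outcome of one beacon GET (hypothetical record type)."""
    url: str                          # beacon URL that was requested
    status: Optional[int]             # HTTP status, None if nothing answered
    final_host: Optional[str] = None  # host of the URL reached after redirects

def succeeded(p: Probe) -> bool:
    # Rule from the slide: HTTP response status 200-399 is success.
    return p.status is not None and 200 <= p.status <= 399

def intercepted(p: Probe) -> bool:
    # A successful answer that ended on a host other than the beacon's own.
    return succeeded(p) and p.final_host not in (None, urlparse(p.url).hostname)

def classify(internal: Probe, externals: Sequence[Probe],
             vpn_active: bool = False) -> str:
    if vpn_active:                       # Access Gateway plug-in connected
        return "VPN"
    hijacked = [p for p in externals if intercepted(p)]
    # Several external beacons ending on one foreign host: same proxy/portal.
    if len(hijacked) > 1 and len({p.final_host for p in hijacked}) == 1:
        return "HOTSPOT"
    if succeeded(internal):              # internal beacon reachable
        return "LAN"
    if any(succeeded(p) for p in externals):
        return "OUTSIDE"                 # Internet yes, LAN no: use the gateway
    return "NONE"

# Constructed probe outcomes for the deck's beacon URLs.
EXTERNAL_OK = [Probe("http://www.citrix.com", 200, "www.citrix.com"),
               Probe("http://www.google.com", 200, "www.google.com")]
PORTAL = [Probe("http://www.citrix.com", 200, "portal.example"),
          Probe("http://www.google.com", 200, "portal.example")]

if __name__ == "__main__":
    inside = Probe("http://mycitrite.net", 200, "mycitrite.net")
    spoofed = Probe("http://mycitrite.net", 200, "portal.example")
    print(classify(inside, EXTERNAL_OK), classify(spoofed, PORTAL))
```

Without the HOTSPOT check running first, the portal's answer to the internal beacon would be read as LAN and the client would skip Access Gateway.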
Provisioning files
Configuring Citrix Receiver made easy!
Diagram labels: Store Service, Auth Service, itdevstores.citrite.net, ftlagx.citrix.com, sjcagx.citrix.com, lonagx.citrix.com
Store = https://itdevstores.citrite.net/showcase
Gateway = ftlagx.citrix.com, US-East
Gateway = sjcagx.citrix.com, US-West
Gateway = lonagx.citrix.com, EMEA
Default = lonagx.citrix.com
Beacons
Internal = http://mycitrite.net
External = http://www.citrix.com
External = http://www.google.com
Customizations Storefront Services
Citrix ICA Client control
ActiveX control, Firefox extension and Chrome plug-in
Must be installed and enabled to detect the client
Used to determine to install or upgrade Citrix Receiver and for Workspace Control
Configure behavior in web.config file
Modifying the web.config file
Advanced configuration for Citrix Receiver for Web
Workspace Control
  ᵒ Workspace Control is available for both native Receiver and Receiver for Web
  ᵒ Auto-reconnect to active / disconnected sessions enabled by default
  ᵒ By default
      Native Receiver will disconnect all applications on exit
      Receiver for Web will terminate all applications on exit
      Connect and Disconnect buttons are not available in Receiver for Web
Client Deployment
  ᵒ Installation of Citrix Receiver when no Receiver present enabled by default
  ᵒ Upgrade of Citrix Receiver to new version disabled by default
Customization
No customization options in console
All files for customization are in \StoreWeb\contrib folder
CSS customization
  ᵒ custom.style.css
JavaScript customization
  ᵒ custom.script.js
String customization
  ᵒ custom.wrstrings.<lang-code>.js
  ᵒ New language pack
  ᵒ Load extra culture files in custom.script.js
CloudGateway Enterprise
Communication Flow (diagram, steps 1-5): Client Device, Storefront Services, AppController
Publishing your first SaaS application
Connector Types
Native connector
  ᵒ AppController connects using Java APIs
  ᵒ User Credentials submitted over SSL
  ᵒ Use for non-SAML apps
FormFill connector
  ᵒ AppController fills in user credentials
  ᵒ AppController sends a redirect to user's browser
  ᵒ Use FormFill for apps that do not support SAML protocol
SAML connector
  ᵒ AppController connects to Web apps supporting SAML
  ᵒ AppController supports SAML 1.1 and 2.0
How the SAML connector works Identity Provider Citrix AppController
Role-based access
A role is a group of users to which we can assign applications
Roles are formed of one or more AD groups
Important!
  ᵒ Only groups inside the root of your Base DN are exposed in AppController (fixed in AppController 2.0)
  ᵒ When adding multiple AD groups to a role, only users that are a member of all groups get assigned the application
Data
Diagram labels: Active Directory sync, Administration, AppController
  ᵒ Automatically create user accounts within the ShareFile platform
  ᵒ Configure SAML configuration using basic admin input
  ᵒ Publish data capability to user Receivers
Mobile Apps
Diagram labels: Active Directory sync, Administration, AppController, App Preparation Tool
  ᵒ Wrap native mobile apps into Citrix Mobile Application packages
  ᵒ Import applications to AppController
  ᵒ Push native mobile applications to user devices
Mobile Controller (diagram): Native Mobile App, iOS/Android kernel, iOS/Android platform
General information
Visit the partners in the exhibition
Take advantage of our additional offers!
  ᵒ Citrix Expert Desks: Our product specialists answer your individual questions and give you insight into current projects
  ᵒ Citrix Tech Lounge: Get to know the most important functions of Citrix XenClient live in a hands-on test in our Tech Lounge
  ᵒ Meet the Architects: Book a short workshop with Citrix Consulting at the information desk and work out a target architecture for your company
  ᵒ Citrix Datentankstelle (data filling station): Have a Citrix Receiver with demo access set up on your mobile devices
  ᵒ Citrix Education Desk: Find out about the current training offers
  ᵒ Citrix Test Center: The places are fully booked. It is still possible to get a place at short notice via the waiting list
Feedback and presentations
Your opinion is important to us! Please take a few minutes to fill out our online feedback form. You will receive the link a few days after the event. After completing the questionnaire you will have access to the download page for the presentations
Please note: Citrix Synergy 2012
The premier event on cloud computing, virtualization and networking
17-19 October 2012 at the International Convention Centre Barcelona
More information: http://www.citrixsynergy.com/barcelona
Work better. Live better.